From: Greg Kroah-Hartman Date: Mon, 24 Jul 2023 16:54:20 +0000 (+0200) Subject: remove some 6.1 and 6.4 patches X-Git-Tag: v6.1.41~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81612ed81090e756e666029f346cb8d9fdbd431e;p=thirdparty%2Fkernel%2Fstable-queue.git remove some 6.1 and 6.4 patches --- diff --git a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch b/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch deleted file mode 100644 index b2ef9946ee4..00000000000 --- a/queue-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 92bf9e7e60ec477f33e9520a2f8ed58c717a4f9b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 20:45:04 +0200 -Subject: ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569 - -From: Hans de Goede - -[ Upstream commit 23d28cc0444be3f694eb986cd653b6888b78431d ] - -The Dell Studio 1569 predates Windows 8, so it defaults to using -acpi_video# for backlight control, but this is non functional on -this model. - -Add a DMI quirk to use the native intel_backlight interface which -does work properly. - -Reported-by: raycekarneal -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/video_detect.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -512,6 +512,14 @@ static const struct dmi_system_id video_ - }, - { - .callback = video_detect_force_native, -+ /* Dell Studio 1569 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Studio 1569"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, - /* Acer Aspire 3830TG */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Acer"), diff --git a/queue-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/queue-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch deleted file mode 100644 index 6ea2cf0afbf..00000000000 --- a/queue-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch +++ /dev/null @@ -1,150 +0,0 @@ -From af0f59a65f332284ca2bf7579e4158dff37dc62d Mon Sep 17 00:00:00 2001 -From: Oswald Buddenhagen -Date: Wed, 10 May 2023 19:39:05 +0200 -Subject: [PATCH AUTOSEL 4.19 02/11] ALSA: emu10k1: roll up loops in DSP setup - code for Audigy -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] - -There is no apparent reason for the massive code duplication. - -Signed-off-by: Oswald Buddenhagen -Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/emu10k1/emufx.c | 112 +++------------------------------------------- - 1 file changed, 9 insertions(+), 103 deletions(-) - ---- a/sound/pci/emu10k1/emufx.c -+++ b/sound/pci/emu10k1/emufx.c -@@ -1563,14 +1563,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G - gpr += 2; - - /* Master volume (will be renamed later) */ -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); -+ for (z = 0; z < 8; z++) -+ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); - snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); - gpr += 2; - -@@ -1654,102 +1648,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G - dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", - gpr, tmp); - */ -- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ -- /* A_P16VIN(0) is delayed by one sample, -- * so all other A_P16VIN channels will need to also be delayed -- */ -- /* Left ADC in. 1 of 2 */ - snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); -- /* Right ADC in 1 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- /* Delaying by one sample: instead of copying the input -- * value A_P16VIN to output A_FXBUS2 as in the first channel, -- * we use an auxiliary register, delaying the value by one -- * sample -- */ -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); -- /* For 96kHz mode */ -- /* Left ADC in. 2 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); -- /* Right ADC in 2 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); -- /* Pavel Hofman - we still have voices, A_FXBUS2s, and -- * A_P16VINs available - -- * let's add 8 more capture channels - total of 16 -- */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x10)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x12)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x14)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x16)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x18)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1a)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1c)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1e)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), -- A_C_00000000, A_C_00000000); -+ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels -+ * will need to also be delayed; we use an auxiliary register for that. */ -+ for (z = 1; z < 0x10; z++) { -+ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); -+ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); -+ gpr_map[gpr++] = 0x00000000; -+ } - } - - #if 0 diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch deleted file mode 100644 index e6acbcb4f99..00000000000 --- a/queue-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch +++ /dev/null @@ -1,32 +0,0 @@ -From c250ef8954eda2024c8861c36e9fc1b589481fe7 Mon Sep 17 00:00:00 2001 -From: Christoffer Sandberg -Date: Tue, 18 Jul 2023 16:57:22 +0200 -Subject: ALSA: hda/realtek: Add quirk for Clevo NS70AU - -From: Christoffer Sandberg - -commit c250ef8954eda2024c8861c36e9fc1b589481fe7 upstream. - -Fixes headset detection on Clevo NS70AU. - -Co-developed-by: Werner Sembach -Signed-off-by: Werner Sembach -Signed-off-by: Christoffer Sandberg -Cc: -Link: https://lore.kernel.org/r/20230718145722.10592-1-wse@tuxedocomputers.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -9645,6 +9645,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -+ SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch deleted file mode 100644 index d6ee0323806..00000000000 --- a/queue-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 -From: Luka Guzenko -Date: Tue, 18 Jul 2023 18:12:41 +0200 -Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx - -From: Luka Guzenko - -commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. - -The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using -COEF 0x07 index 1. No existing quirk covers this configuration. -Adds a new quirk and enables it for the device. - -Signed-off-by: Luka Guzenko -Cc: -Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4624,6 +4624,21 @@ static void alc236_fixup_hp_mute_led_coe - } - } - -+static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, -+ const struct hda_fixup *fix, int action) -+{ -+ struct alc_spec *spec = codec->spec; -+ -+ if (action == HDA_FIXUP_ACT_PRE_PROBE) { -+ spec->mute_led_polarity = 0; -+ spec->mute_led_coef.idx = 0x07; -+ spec->mute_led_coef.mask = 1; -+ spec->mute_led_coef.on = 1; -+ spec->mute_led_coef.off = 0; -+ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); -+ } -+} -+ - /* turn on/off mic-mute LED per capture hook by coef bit */ - static int coef_micmute_led_set(struct led_classdev *led_cdev, - enum led_brightness brightness) -@@ -7134,6 +7149,7 @@ enum { - ALC285_FIXUP_HP_GPIO_LED, - ALC285_FIXUP_HP_MUTE_LED, - ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, -+ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, - ALC236_FIXUP_HP_GPIO_LED, - ALC236_FIXUP_HP_MUTE_LED, - ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, -@@ -8557,6 +8573,10 @@ static const struct hda_fixup alc269_fix - .type = HDA_FIXUP_FUNC, - .v.func = alc285_fixup_hp_spectre_x360_mute_led, - }, -+ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc236_fixup_hp_mute_led_coefbit2, -+ }, - [ALC236_FIXUP_HP_GPIO_LED] = { - .type = HDA_FIXUP_FUNC, - .v.func = alc236_fixup_hp_gpio_led, -@@ -9441,6 +9461,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), -+ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), - SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), - SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), - SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/queue-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch b/queue-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch deleted file mode 100644 index 3f4c3ac4924..00000000000 --- a/queue-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 3d60fd0a504a6c9938b831d63bf6bc1a74979fdf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 09:20:21 +0100 -Subject: ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp - -From: Vitaly Rodionov - -[ Upstream commit f7b069cf08816252f494d193b9ecdff172bf9aa1 ] - -Generic fixup for CS35L41 amplifies should not have vendor specific -chained fixup. For ThinkPad laptops with led issue, we can just add -specific fixup. - -Fixes: a6ac60b36dade (ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec) -Signed-off-by: Vitaly Rodionov -Link: https://lore.kernel.org/r/20230720082022.13033-1-vitalyr@opensource.cirrus.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 25 +++++++++++++++---------- - 1 file changed, 15 insertions(+), 10 deletions(-) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 1a8ca119ffe45..cb34a62075b13 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -7220,6 +7220,7 @@ enum { - ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, - ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS, - ALC236_FIXUP_DELL_DUAL_CODECS, -+ ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, - }; - - /* A special fixup for Lenovo C940 and Yoga Duet 7; -@@ -9090,8 +9091,6 @@ static const struct hda_fixup alc269_fixups[] = { - [ALC287_FIXUP_CS35L41_I2C_2] = { - .type = HDA_FIXUP_FUNC, - .v.func = cs35l41_fixup_i2c_two, -- .chained = true, -- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, - }, - [ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED] = { - .type = HDA_FIXUP_FUNC, -@@ -9228,6 +9227,12 @@ static const struct hda_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, - }, -+ [ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = cs35l41_fixup_i2c_two, -+ .chained = true, -+ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -9750,14 +9755,14 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), - SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), - SND_PCI_QUIRK(0x17aa, 0x22c2, "Thinkpad X1 Extreme Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), -- SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -+ SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), - SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), --- -2.39.2 - diff --git a/queue-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/queue-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch deleted file mode 100644 index c1559070c25..00000000000 --- a/queue-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 -From: Kailang Yang -Date: Thu, 13 Jul 2023 15:57:13 +0800 -Subject: ALSA: hda/realtek - remove 3k pull low procedure - -From: Kailang Yang - -commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. - -This was the ALC283 depop procedure. -Maybe this procedure wasn't suitable with new codec. -So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it -reboot with plugged headset, -it will have errors show don't find codec error messages. Run 3k pull -low will solve issues. -So, let AMD chipset will run this for workarround. - -Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") -Signed-off-by: Kailang Yang -Cc: -Reported-by: Joseph C. Sible -Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ -Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -122,6 +122,7 @@ struct alc_spec { - unsigned int ultra_low_power:1; - unsigned int has_hs_key:1; - unsigned int no_internal_mic_pin:1; -+ unsigned int en_3kpull_low:1; - - /* for PLL fix */ - hda_nid_t pll_nid; -@@ -3622,6 +3623,7 @@ static void alc256_shutup(struct hda_cod - if (!hp_pin) - hp_pin = 0x21; - -+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ - hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); - - if (hp_pin_sense) -@@ -3638,8 +3640,7 @@ static void alc256_shutup(struct hda_cod - /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly - * when booting with headset plugged. So skip setting it for the codec alc257 - */ -- if (codec->core.vendor_id != 0x10ec0236 && -- codec->core.vendor_id != 0x10ec0257) -+ if (spec->en_3kpull_low) - alc_update_coef_idx(codec, 0x46, 0, 3 << 12); - - if (!spec->no_shutup_pins) -@@ -10599,6 +10600,8 @@ static int patch_alc269(struct hda_codec - spec->shutup = alc256_shutup; - spec->init_hook = alc256_init; - spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ -+ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) -+ spec->en_3kpull_low = true; - break; - case 0x10ec0257: - spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch b/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch deleted file mode 100644 index 19d5f56cb49..00000000000 --- a/queue-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d4d5be94a87872421ea2569044092535aff0b886 Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Thu, 20 Jul 2023 19:38:58 +0100 -Subject: arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes - -From: Mark Brown - -commit d4d5be94a87872421ea2569044092535aff0b886 upstream. - -When we reconfigure the SVE vector length we discard the backing storage -for the SVE vectors and then reallocate on next SVE use, leaving the SME -specific state alone. This means that we do not enable SME traps if they -were already disabled. That means that userspace code can enter streaming -mode without trapping, putting the task in a state where if we try to save -the state of the task we will fault. - -Since the ABI does not specify that changing the SVE vector length disturbs -SME state, and since SVE code may not be aware of SME code in the process, -we shouldn't simply discard any ZA state. Instead immediately reallocate -the storage for SVE, and disable SME if we change the SVE vector length -while there is no SME state active. - -Disabling SME traps on SVE vector length changes would make the overall -code more complex since we would have a state where we have valid SME state -stored but might get a SME trap. - -Fixes: 9e4ab6c89109 ("arm64/sme: Implement vector length configuration prctl()s") -Reported-by: David Spickett -Signed-off-by: Mark Brown -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.org -Signed-off-by: Will Deacon -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kernel/fpsimd.c | 33 +++++++++++++++++++++++++-------- - 1 file changed, 25 insertions(+), 8 deletions(-) - ---- a/arch/arm64/kernel/fpsimd.c -+++ b/arch/arm64/kernel/fpsimd.c -@@ -803,6 +803,8 @@ void sve_sync_from_fpsimd_zeropad(struct - int vec_set_vector_length(struct task_struct *task, enum vec_type type, - unsigned long vl, unsigned long flags) - { -+ bool free_sme = false; -+ - if (flags & ~(unsigned long)(PR_SVE_VL_INHERIT | - PR_SVE_SET_VL_ONEXEC)) - return -EINVAL; -@@ -851,21 +853,36 @@ int vec_set_vector_length(struct task_st - thread_sm_enabled(&task->thread)) - sve_to_fpsimd(task); - -- if (system_supports_sme() && type == ARM64_VEC_SME) { -- task->thread.svcr &= ~(SVCR_SM_MASK | -- SVCR_ZA_MASK); -- clear_thread_flag(TIF_SME); -+ if (system_supports_sme()) { -+ if (type == ARM64_VEC_SME || -+ !(task->thread.svcr & (SVCR_SM_MASK | SVCR_ZA_MASK))) { -+ /* -+ * We are changing the SME VL or weren't using -+ * SME anyway, discard the state and force a -+ * reallocation. -+ */ -+ task->thread.svcr &= ~(SVCR_SM_MASK | -+ SVCR_ZA_MASK); -+ clear_thread_flag(TIF_SME); -+ free_sme = true; -+ } - } - - if (task == current) - put_cpu_fpsimd_context(); - - /* -- * Force reallocation of task SVE and SME state to the correct -- * size on next use: -+ * Free the changed states if they are not in use, SME will be -+ * reallocated to the correct size on next use and we just -+ * allocate SVE now in case it is needed for use in streaming -+ * mode. - */ -- sve_free(task); -- if (system_supports_sme() && type == ARM64_VEC_SME) -+ if (system_supports_sve()) { -+ sve_free(task); -+ sve_alloc(task, true); -+ } -+ -+ if (free_sme) - sme_free(task); - - task_set_vl(task, type, vl); diff --git a/queue-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch b/queue-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch deleted file mode 100644 index dc7aa29a72f..00000000000 --- a/queue-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 01fe45bc121655c2ea7d823e3442f3c388fb23b1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Jun 2023 16:23:54 +0530 -Subject: ASoC: amd: acp: fix for invalid dai id handling in - acp_get_byte_count() - -From: Vijendar Mukunda - -[ Upstream commit 85aeab362201cf52c34cd429e4f6c75a0b42f9a3 ] - -For invalid dai id, instead of returning -EINVAL -return bytes count as zero in acp_get_byte_count() function. - -Fixes: 623621a9f9e1 ("ASoC: amd: Add common framework to support I2S on ACP SOC") - -Signed-off-by: Vijendar Mukunda -Link: https://lore.kernel.org/r/20230626105356.2580125-6-Vijendar.Mukunda@amd.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/amd/acp/amd.h | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h -index 5f2119f422715..12a176a50fd6e 100644 ---- a/sound/soc/amd/acp/amd.h -+++ b/sound/soc/amd/acp/amd.h -@@ -173,7 +173,7 @@ int snd_amd_acp_find_config(struct pci_dev *pci); - - static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int direction) - { -- u64 byte_count, low = 0, high = 0; -+ u64 byte_count = 0, low = 0, high = 0; - - if (direction == SNDRV_PCM_STREAM_PLAYBACK) { - switch (dai_id) { -@@ -191,7 +191,7 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int - break; - default: - dev_err(adata->dev, "Invalid dai id %x\n", dai_id); -- return -EINVAL; -+ goto POINTER_RETURN_BYTES; - } - } else { - switch (dai_id) { -@@ -213,12 +213,13 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int - break; - default: - dev_err(adata->dev, "Invalid dai id %x\n", dai_id); -- return -EINVAL; -+ goto POINTER_RETURN_BYTES; - } - } - /* Get 64 bit value from two 32 bit registers */ - byte_count = (high << 32) | low; - -+POINTER_RETURN_BYTES: - return byte_count; - } - --- -2.39.2 - diff --git a/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index aabe42628e5..00000000000 --- a/queue-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,157 +0,0 @@ -From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:16 +0200 -Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove - -From: Johan Hovold - -commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. - -The MBHC resources must be released on component probe failure and -removal so can not be tied to the lifetime of the component device. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component: - - snd-sc8280xp sound: ASoC: failed to instantiate card -517 - genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) - wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 - wcd938x_codec audio-codec: mbhc initialization failed - wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 - snd-sc8280xp sound: ASoC: failed to instantiate card -16 - -Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ - 1 file changed, 41 insertions(+), 16 deletions(-) - ---- a/sound/soc/codecs/wcd-mbhc-v2.c -+++ b/sound/soc/codecs/wcd-mbhc-v2.c -@@ -1454,7 +1454,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn - return ERR_PTR(-EINVAL); - } - -- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); -+ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); - if (!mbhc) - return ERR_PTR(-ENOMEM); - -@@ -1474,61 +1474,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn - - INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_sw_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, - wcd_mbhc_mech_plug_detect_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "mbhc sw intr", mbhc); - if (ret) -- goto err; -+ goto err_free_mbhc; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, - wcd_mbhc_btn_press_handler, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Button Press detect", mbhc); - if (ret) -- goto err; -+ goto err_free_sw_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, - wcd_mbhc_btn_release_handler, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Button Release detect", mbhc); - if (ret) -- goto err; -+ goto err_free_btn_press_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, - wcd_mbhc_adc_hs_ins_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Elect Insert", mbhc); - if (ret) -- goto err; -+ goto err_free_btn_release_intr; - - disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, - wcd_mbhc_adc_hs_rem_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Elect Remove", mbhc); - if (ret) -- goto err; -+ goto err_free_hs_ins_intr; - - disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, - wcd_mbhc_hphl_ocp_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPH_L OCP detect", mbhc); - if (ret) -- goto err; -+ goto err_free_hs_rem_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, - wcd_mbhc_hphr_ocp_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPH_R OCP detect", mbhc); - if (ret) -- goto err; -+ goto err_free_hph_left_ocp; - - return mbhc; --err: -+ -+err_free_hph_left_ocp: -+ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); -+err_free_hs_rem_intr: -+ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); -+err_free_hs_ins_intr: -+ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); -+err_free_btn_release_intr: -+ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); -+err_free_btn_press_intr: -+ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); -+err_free_sw_intr: -+ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); -+err_free_mbhc: -+ kfree(mbhc); -+ - dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); - - return ERR_PTR(ret); -@@ -1537,9 +1552,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); - - void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) - { -+ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); -+ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); -+ - mutex_lock(&mbhc->lock); - wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); - mutex_unlock(&mbhc->lock); -+ -+ kfree(mbhc); - } - EXPORT_SYMBOL(wcd_mbhc_deinit); - diff --git a/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index c86cf2752f1..00000000000 --- a/queue-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:15 +0200 -Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove - -From: Johan Hovold - -commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. - -Make sure to release allocated MBHC resources also on component remove. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component. - -Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd934x.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - ---- a/sound/soc/codecs/wcd934x.c -+++ b/sound/soc/codecs/wcd934x.c -@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ - - return 0; - } -+ -+static void wcd934x_mbhc_deinit(struct snd_soc_component *component) -+{ -+ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); -+ -+ if (!wcd->mbhc) -+ return; -+ -+ wcd_mbhc_deinit(wcd->mbhc); -+} -+ - static int wcd934x_comp_probe(struct snd_soc_component *component) - { - struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); -@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s - { - struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); - -+ wcd934x_mbhc_deinit(comp); - wcd_clsh_ctrl_free(wcd->clsh_ctrl); - } - diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch deleted file mode 100644 index 3e47419b85b..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Fri, 30 Jun 2023 14:03:18 +0200 -Subject: ASoC: codecs: wcd938x: fix codec initialisation race - -From: Johan Hovold - -commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. - -Make sure to resume the codec and soundwire device before trying to read -the codec variant and configure the device during component probe. - -This specifically avoids interpreting (a masked and shifted) -EBUSY -errno as the variant: - - wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 - -when the soundwire device happens to be suspended, which in turn -prevents some headphone controls from being registered. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Reported-by: Steev Klimaszewski -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3095,6 +3095,10 @@ static int wcd938x_soc_codec_probe(struc - - snd_soc_component_init_regmap(component, wcd938x->regmap); - -+ ret = pm_runtime_resume_and_get(dev); -+ if (ret < 0) -+ return ret; -+ - wcd938x->variant = snd_soc_component_read_field(component, - WCD938X_DIGITAL_EFUSE_REG_0, - WCD938X_ID_MASK); -@@ -3112,6 +3116,8 @@ static int wcd938x_soc_codec_probe(struc - (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); - } - -+ pm_runtime_put(dev); -+ - wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, - WCD938X_IRQ_HPHR_PDM_WD_INT); - wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch b/queue-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch deleted file mode 100644 index 2f4c267613e..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8fdb4c209948ee94e6e06e178741f29d84f4e4d5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 13:57:23 +0100 -Subject: ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR - -From: Srinivas Kandagatla - -[ Upstream commit c03226ba15fe3c42d13907ec7d8536396602557b ] - -dB range for HPHL and HPHR gains are from +6dB to -30dB in steps of -1.5dB with register values range from 0 to 24. - -Current code maps these dB ranges incorrectly, fix them to allow proper -volume setting. - -Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") -Signed-off-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705125723.40464-1-srinivas.kandagatla@linaro.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/wcd938x.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c -index 7715040383840..2316481c2541b 100644 ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -210,7 +210,7 @@ struct wcd938x_priv { - }; - - static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(ear_pa_gain, 600, -1800); --static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(line_gain, 600, -3000); -+static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000); - static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(analog_gain, 0, 3000); - - struct wcd938x_mbhc_zdet_param { -@@ -2662,8 +2662,8 @@ static const struct snd_kcontrol_new wcd938x_snd_controls[] = { - wcd938x_get_swr_port, wcd938x_set_swr_port), - SOC_SINGLE_EXT("DSD_R Switch", WCD938X_DSD_R, 0, 1, 0, - wcd938x_get_swr_port, wcd938x_set_swr_port), -- SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 0, line_gain), -- SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 0, line_gain), -+ SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 1, line_gain), -+ SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 1, line_gain), - WCD938X_EAR_PA_GAIN_TLV("EAR_PA Volume", WCD938X_ANA_EAR_COMPANDER_CTL, - 2, 0x10, 0, ear_pa_gain), - SOC_SINGLE_EXT("ADC1 Switch", WCD938X_ADC1, 1, 1, 0, --- -2.39.2 - diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch b/queue-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch deleted file mode 100644 index 5a1143b5bf8..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 6837fd2094a0338619e2fbd26039c39ad53d3cf8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 16:27:13 +0200 -Subject: ASoC: codecs: wcd938x: fix mbhc impedance loglevel - -From: Johan Hovold - -[ Upstream commit e5ce198bd5c6923b6a51e1493b1401f84c24b26d ] - -Demote the MBHC impedance measurement printk, which is not an error -message, from error to debug level. - -While at it, fix the capitalisation of "ohm" and add the missing space -before the opening parenthesis. - -Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230630142717.5314-2-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/wcd938x.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c -index df0b3ac7f1321..7715040383840 100644 ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2165,8 +2165,8 @@ static inline void wcd938x_mbhc_get_result_params(struct wcd938x_priv *wcd938x, - else if (x1 < minCode_param[noff]) - *zdet = WCD938X_ZDET_FLOATING_IMPEDANCE; - -- pr_err("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d(milliOhm)\n", -- __func__, d1, c1, x1, *zdet); -+ pr_debug("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d (milliohm)\n", -+ __func__, d1, c1, x1, *zdet); - ramp_down: - i = 0; - while (x1) { --- -2.39.2 - diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch deleted file mode 100644 index a2e1b76ba60..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:13 +0200 -Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling - -From: Johan Hovold - -commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. - -Allocation of the clash control structure may fail so add the missing -error handling to avoid dereferencing an error pointer. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3090,6 +3090,10 @@ static int wcd938x_soc_codec_probe(struc - WCD938X_ID_MASK); - - wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); -+ if (IS_ERR(wcd938x->clsh_info)) { -+ pm_runtime_put(dev); -+ return PTR_ERR(wcd938x->clsh_info); -+ } - - wcd938x_io_init(wcd938x); - /* Set all interrupts as edge triggered */ diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch deleted file mode 100644 index a98d816a471..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 3 Jul 2023 14:47:01 +0200 -Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling - -From: Johan Hovold - -commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. - -MBHC initialisation can fail so add the missing error handling to avoid -dereferencing an error pointer when later configuring the jack: - - Unable to handle kernel paging request at virtual address fffffffffffffff8 - - pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] - lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] - - Call trace: - wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] - wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] - snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] - qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] - sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] - snd_soc_link_init+0x28/0x90 [snd_soc_core] - snd_soc_bind_card+0x628/0xbfc [snd_soc_core] - snd_soc_register_card+0xec/0x104 [snd_soc_core] - devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] - sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] - -Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") -Cc: stable@vger.kernel.org # 5.15 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2625,6 +2625,8 @@ static int wcd938x_mbhc_init(struct snd_ - WCD938X_IRQ_HPHR_OCP_INT); - - wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); -+ if (IS_ERR(wcd938x->wcd_mbhc)) -+ return PTR_ERR(wcd938x->wcd_mbhc); - - snd_soc_add_component_controls(component, impedance_detect_controls, - ARRAY_SIZE(impedance_detect_controls)); diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index 40f70a75c04..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,151 +0,0 @@ -From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:14 +0200 -Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove - -From: Johan Hovold - -commit a3406f87775fee986876e03f93a84385f54d5999 upstream. - -Make sure to release allocated resources on component probe failure and -on remove. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component: - - snd-sc8280xp sound: ASoC: failed to instantiate card -517 - genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT) - wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16) - genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT) - wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16) - genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT) - wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16) - genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) - wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 48 insertions(+), 7 deletions(-) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2633,6 +2633,14 @@ static int wcd938x_mbhc_init(struct snd_ - - return 0; - } -+ -+static void wcd938x_mbhc_deinit(struct snd_soc_component *component) -+{ -+ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ -+ wcd_mbhc_deinit(wcd938x->wcd_mbhc); -+} -+ - /* END MBHC */ - - static const struct snd_kcontrol_new wcd938x_snd_controls[] = { -@@ -3113,20 +3121,26 @@ static int wcd938x_soc_codec_probe(struc - ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPHR PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret); -+ goto err_free_clsh_ctrl; -+ } - - ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPHL PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret); -+ goto err_free_hphr_pdm_wd_int; -+ } - - ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "AUX PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret); -+ goto err_free_hphl_pdm_wd_int; -+ } - - /* Disable watchdog interrupt for HPH and AUX */ - disable_irq_nosync(wcd938x->hphr_pdm_wd_int); -@@ -3141,7 +3155,7 @@ static int wcd938x_soc_codec_probe(struc - dev_err(component->dev, - "%s: Failed to add snd ctrls for variant: %d\n", - __func__, wcd938x->variant); -- goto err; -+ goto err_free_aux_pdm_wd_int; - } - break; - case WCD9385: -@@ -3151,7 +3165,7 @@ static int wcd938x_soc_codec_probe(struc - dev_err(component->dev, - "%s: Failed to add snd ctrls for variant: %d\n", - __func__, wcd938x->variant); -- goto err; -+ goto err_free_aux_pdm_wd_int; - } - break; - default: -@@ -3159,12 +3173,38 @@ static int wcd938x_soc_codec_probe(struc - } - - ret = wcd938x_mbhc_init(component); -- if (ret) -+ if (ret) { - dev_err(component->dev, "mbhc initialization failed\n"); --err: -+ goto err_free_aux_pdm_wd_int; -+ } -+ -+ return 0; -+ -+err_free_aux_pdm_wd_int: -+ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); -+err_free_hphl_pdm_wd_int: -+ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); -+err_free_hphr_pdm_wd_int: -+ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); -+err_free_clsh_ctrl: -+ wcd_clsh_ctrl_free(wcd938x->clsh_info); -+ - return ret; - } - -+static void wcd938x_soc_codec_remove(struct snd_soc_component *component) -+{ -+ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ -+ wcd938x_mbhc_deinit(component); -+ -+ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); -+ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); -+ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); -+ -+ wcd_clsh_ctrl_free(wcd938x->clsh_info); -+} -+ - static int wcd938x_codec_set_jack(struct snd_soc_component *comp, - struct snd_soc_jack *jack, void *data) - { -@@ -3181,6 +3221,7 @@ static int wcd938x_codec_set_jack(struct - static const struct snd_soc_component_driver soc_codec_dev_wcd938x = { - .name = "wcd938x_codec", - .probe = wcd938x_soc_codec_probe, -+ .remove = wcd938x_soc_codec_remove, - .controls = wcd938x_snd_controls, - .num_controls = ARRAY_SIZE(wcd938x_snd_controls), - .dapm_widgets = wcd938x_dapm_widgets, diff --git a/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch deleted file mode 100644 index b36252e567d..00000000000 --- a/queue-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Sat, 1 Jul 2023 11:47:23 +0200 -Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race - -From: Johan Hovold - -commit 6f49256897083848ce9a59651f6b53fc80462397 upstream. - -Make sure that the soundwire device used for register accesses has been -enumerated and initialised before trying to read the codec variant -during component probe. - -This specifically avoids interpreting (a masked and shifted) -EBUSY -errno as the variant: - - wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 - -in case the soundwire device has not yet been initialised, which in turn -prevents some headphone controls from being registered. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Reported-by: Steev Klimaszewski -Signed-off-by: Johan Hovold -Tested-by: Steev Klimaszewski -Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3090,9 +3090,18 @@ static int wcd938x_irq_init(struct wcd93 - static int wcd938x_soc_codec_probe(struct snd_soc_component *component) - { - struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev; - struct device *dev = component->dev; -+ unsigned long time_left; - int ret, i; - -+ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, -+ msecs_to_jiffies(2000)); -+ if (!time_left) { -+ dev_err(dev, "soundwire device init timeout\n"); -+ return -ETIMEDOUT; -+ } -+ - snd_soc_component_init_regmap(component, wcd938x->regmap); - - ret = pm_runtime_resume_and_get(dev); diff --git a/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch b/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch deleted file mode 100644 index 6729b149d1e..00000000000 --- a/queue-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch +++ /dev/null @@ -1,86 +0,0 @@ -From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 -From: Thomas Petazzoni -Date: Thu, 13 Jul 2023 13:21:12 +0200 -Subject: ASoC: cs42l51: fix driver to properly autoload with automatic module loading - -From: Thomas Petazzoni - -commit e51df4f81b02bcdd828a04de7c1eb6a92988b61e upstream. - -In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table -pointer"), 9 years ago, some random guy fixed the cs42l51 after it was -split into a core part and an I2C part to properly match based on a -Device Tree compatible string. - -However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, -....) is in the core part of the driver, not the I2C part. Therefore, -automatic module loading based on module.alias, based on matching with -the DT compatible string, loads the core part of the driver, but not -the I2C part. And threfore, the i2c_driver is not registered, and the -codec is not known to the system, nor matched with a DT node with the -corresponding compatible string. - -In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into -the I2C part of the driver. The cs42l51_of_match[] array is also moved -as well, as it is not possible to have this definition in one file, -and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due -to how MODULE_DEVICE_TABLE works. - -Thanks to this commit, the I2C part of the driver now properly -autoloads, and thanks to its dependency on the core part, the core -part gets autoloaded as well, resulting in a functional sound card -without having to manually load kernel modules. - -Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Petazzoni -Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/cs42l51-i2c.c | 6 ++++++ - sound/soc/codecs/cs42l51.c | 7 ------- - sound/soc/codecs/cs42l51.h | 1 - - 3 files changed, 6 insertions(+), 8 deletions(-) - ---- a/sound/soc/codecs/cs42l51-i2c.c -+++ b/sound/soc/codecs/cs42l51-i2c.c -@@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_ - }; - MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); - -+const struct of_device_id cs42l51_of_match[] = { -+ { .compatible = "cirrus,cs42l51", }, -+ { } -+}; -+MODULE_DEVICE_TABLE(of, cs42l51_of_match); -+ - static int cs42l51_i2c_probe(struct i2c_client *i2c) - { - struct regmap_config config; ---- a/sound/soc/codecs/cs42l51.c -+++ b/sound/soc/codecs/cs42l51.c -@@ -826,13 +826,6 @@ int __maybe_unused cs42l51_resume(struct - } - EXPORT_SYMBOL_GPL(cs42l51_resume); - --const struct of_device_id cs42l51_of_match[] = { -- { .compatible = "cirrus,cs42l51", }, -- { } --}; --MODULE_DEVICE_TABLE(of, cs42l51_of_match); --EXPORT_SYMBOL_GPL(cs42l51_of_match); -- - MODULE_AUTHOR("Arnaud Patard "); - MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); - MODULE_LICENSE("GPL"); ---- a/sound/soc/codecs/cs42l51.h -+++ b/sound/soc/codecs/cs42l51.h -@@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, st - void cs42l51_remove(struct device *dev); - int __maybe_unused cs42l51_suspend(struct device *dev); - int __maybe_unused cs42l51_resume(struct device *dev); --extern const struct of_device_id cs42l51_of_match[]; - - #define CS42L51_CHIP_ID 0x1B - #define CS42L51_CHIP_REV_A 0x00 diff --git a/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch deleted file mode 100644 index 6e550a45412..00000000000 --- a/queue-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001 -From: Matus Gajdos -Date: Wed, 12 Jul 2023 14:49:33 +0200 -Subject: ASoC: fsl_sai: Disable bit clock with transmitter - -From: Matus Gajdos - -commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream. - -Otherwise bit clock remains running writing invalid data to the DAC. - -Signed-off-by: Matus Gajdos -Acked-by: Shengjiu Wang -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/fsl/fsl_sai.c | 2 +- - sound/soc/fsl/fsl_sai.h | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - ---- a/sound/soc/fsl/fsl_sai.c -+++ b/sound/soc/fsl/fsl_sai.c -@@ -719,7 +719,7 @@ static void fsl_sai_config_disable(struc - u32 xcsr, count = 100; - - regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), -- FSL_SAI_CSR_TERE, 0); -+ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0); - - /* TERE will remain set till the end of current frame */ - do { ---- a/sound/soc/fsl/fsl_sai.h -+++ b/sound/soc/fsl/fsl_sai.h -@@ -91,6 +91,7 @@ - /* SAI Transmit/Receive Control Register */ - #define FSL_SAI_CSR_TERE BIT(31) - #define FSL_SAI_CSR_SE BIT(30) -+#define FSL_SAI_CSR_BCE BIT(28) - #define FSL_SAI_CSR_FR BIT(25) - #define FSL_SAI_CSR_SR BIT(24) - #define FSL_SAI_CSR_xF_SHIFT 16 diff --git a/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch b/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch deleted file mode 100644 index a55b0cded21..00000000000 --- a/queue-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 Mon Sep 17 00:00:00 2001 -From: Fabio Estevam -Date: Thu, 6 Jul 2023 19:18:27 -0300 -Subject: ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode" - -From: Fabio Estevam - -commit 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 upstream. - -This reverts commit ff87d619ac180444db297f043962a5c325ded47b. - -Andreas reports that on an i.MX8MP-based system where MCLK needs to be -used as an input, the MCLK pin is actually an output, despite not having -the 'fsl,sai-mclk-direction-output' property present in the devicetree. - -This is caused by commit ff87d619ac18 ("ASoC: fsl_sai: Enable -MCTL_MCLK_EN bit for master mode") that sets FSL_SAI_MCTL_MCLK_EN -unconditionally for imx8mm/8mn/8mp/93, causing the MCLK to always -be configured as output. - -FSL_SAI_MCTL_MCLK_EN corresponds to the MOE (MCLK Output Enable) bit -of register MCR and the drivers sets it when the -'fsl,sai-mclk-direction-output' devicetree property is present. - -Revert the commit to allow SAI to use MCLK as input as well. - -Cc: stable@vger.kernel.org -Fixes: ff87d619ac18 ("ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode") -Reported-by: Andreas Henriksson -Signed-off-by: Fabio Estevam -Acked-by: Shengjiu Wang -Link: https://lore.kernel.org/r/20230706221827.1938990-1-festevam@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/fsl/fsl_sai.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c -index 5e09f634c61b..54b4bf3744c6 100644 ---- a/sound/soc/fsl/fsl_sai.c -+++ b/sound/soc/fsl/fsl_sai.c -@@ -507,12 +507,6 @@ static int fsl_sai_set_bclk(struct snd_soc_dai *dai, bool tx, u32 freq) - savediv / 2 - 1); - } - -- if (sai->soc_data->max_register >= FSL_SAI_MCTL) { -- /* SAI is in master mode at this point, so enable MCLK */ -- regmap_update_bits(sai->regmap, FSL_SAI_MCTL, -- FSL_SAI_MCTL_MCLK_EN, FSL_SAI_MCTL_MCLK_EN); -- } -- - return 0; - } - --- -2.41.0 - diff --git a/queue-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch b/queue-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch deleted file mode 100644 index a14f4ebf759..00000000000 --- a/queue-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 4b2b48aa8c43caaeef24802e4265e3ba2daa7ba5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 14:18:42 +0100 -Subject: ASoC: qcom: q6apm: do not close GPR port before closing graph - -From: Srinivas Kandagatla - -[ Upstream commit c1be62923d4d86e7c06b1224626e27eb8d9ab32e ] - -Closing GPR port before graph close can result in un handled notifications -from DSP, this results in spam of errors from GPR driver as there is no -one to handle these notification at that point in time. - -Fix this by closing GPR port after graph close is finished. - -Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") -Signed-off-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705131842.41584-1-srinivas.kandagatla@linaro.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/qcom/qdsp6/q6apm.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c -index 794019286c704..16acdf3a99e1c 100644 ---- a/sound/soc/qcom/qdsp6/q6apm.c -+++ b/sound/soc/qcom/qdsp6/q6apm.c -@@ -515,6 +515,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) - - switch (hdr->opcode) { - case DATA_CMD_RSP_WR_SH_MEM_EP_DATA_BUFFER_DONE_V2: -+ if (!graph->ar_graph) -+ break; - client_event = APM_CLIENT_EVENT_DATA_WRITE_DONE; - mutex_lock(&graph->lock); - token = hdr->token & APM_WRITE_TOKEN_MASK; -@@ -548,6 +550,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) - wake_up(&graph->cmd_wait); - break; - case DATA_CMD_RSP_RD_SH_MEM_EP_DATA_BUFFER_V2: -+ if (!graph->ar_graph) -+ break; - client_event = APM_CLIENT_EVENT_DATA_READ_DONE; - mutex_lock(&graph->lock); - rd_done = data->payload; -@@ -650,8 +654,9 @@ int q6apm_graph_close(struct q6apm_graph *graph) - { - struct audioreach_graph *ar_graph = graph->ar_graph; - -- gpr_free_port(graph->port); -+ graph->ar_graph = NULL; - kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph); -+ gpr_free_port(graph->port); - kfree(graph); - - return 0; --- -2.39.2 - diff --git a/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch b/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch deleted file mode 100644 index 05bc39f7c2d..00000000000 --- a/queue-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 46ec420573cefa1fc98025e7e6841bdafd6f1e20 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:12 +0200 -Subject: ASoC: qdsp6: audioreach: fix topology probe deferral - -From: Johan Hovold - -commit 46ec420573cefa1fc98025e7e6841bdafd6f1e20 upstream. - -Propagate errors when failing to load the topology component so that -probe deferrals can be handled. - -Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") -Cc: stable@vger.kernel.org # 5.17 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-3-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/qcom/qdsp6/topology.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/sound/soc/qcom/qdsp6/topology.c -+++ b/sound/soc/qcom/qdsp6/topology.c -@@ -1100,8 +1100,8 @@ int audioreach_tplg_init(struct snd_soc_ - - ret = snd_soc_tplg_component_load(component, &audioreach_tplg_ops, fw); - if (ret < 0) { -- dev_err(dev, "tplg component load failed%d\n", ret); -- ret = -EINVAL; -+ if (ret != -EPROBE_DEFER) -+ dev_err(dev, "tplg component load failed: %d\n", ret); - } - - release_firmware(fw); diff --git a/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch b/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch deleted file mode 100644 index b9768db1672..00000000000 --- a/queue-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 70a6404ff610aa4889d98977da131c37f9ff9d1f Mon Sep 17 00:00:00 2001 -From: Sameer Pujar -Date: Thu, 29 Jun 2023 10:42:15 +0530 -Subject: ASoC: rt5640: Fix sleep in atomic context - -From: Sameer Pujar - -commit 70a6404ff610aa4889d98977da131c37f9ff9d1f upstream. - -Following prints are observed while testing audio on Jetson AGX Orin which -has onboard RT5640 audio codec: - - BUG: sleeping function called from invalid context at kernel/workqueue.c:3027 - in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0 - preempt_count: 10001, expected: 0 - RCU nest depth: 0, expected: 0 - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270 - ---[ end trace ad1c64905aac14a6 ]- - -The IRQ handler rt5640_irq() runs in interrupt context and can sleep -during cancel_delayed_work_sync(). - -Fix this by running IRQ handler, rt5640_irq(), in thread context. -Hence replace request_irq() calls with devm_request_threaded_irq(). - -Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2") -Cc: stable@vger.kernel.org -Cc: Oder Chiou -Signed-off-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/rt5640.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/sound/soc/codecs/rt5640.c -+++ b/sound/soc/codecs/rt5640.c -@@ -2562,9 +2562,10 @@ static void rt5640_enable_jack_detect(st - if (jack_data && jack_data->use_platform_clock) - rt5640->use_platform_clock = jack_data->use_platform_clock; - -- ret = request_irq(rt5640->irq, rt5640_irq, -- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, -- "rt5640", rt5640); -+ ret = devm_request_threaded_irq(component->dev, rt5640->irq, -+ NULL, rt5640_irq, -+ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, -+ "rt5640", rt5640); - if (ret) { - dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); - rt5640_disable_jack_detect(component); -@@ -2617,8 +2618,9 @@ static void rt5640_enable_hda_jack_detec - - rt5640->jack = jack; - -- ret = request_irq(rt5640->irq, rt5640_irq, -- IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640); -+ ret = devm_request_threaded_irq(component->dev, rt5640->irq, -+ NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT, -+ "rt5640", rt5640); - if (ret) { - dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); - rt5640->irq = -ENXIO; diff --git a/queue-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch b/queue-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch deleted file mode 100644 index 15bf7cc98a3..00000000000 --- a/queue-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch +++ /dev/null @@ -1,60 +0,0 @@ -From f51906ec30b0242c56247bae4862008fd7ae2eeb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Jul 2023 14:25:23 +0300 -Subject: ASoC: SOF: ipc3-dtrace: uninitialized data in - dfsentry_trace_filter_write() - -From: Dan Carpenter - -[ Upstream commit 469e2f28c2cbee2430058c1c9bb6d1675d7195fb ] - -This doesn't check how many bytes the simple_write_to_buffer() writes to -the buffer. The only thing that we know is that the first byte is -initialized and the last byte of the buffer is set to NUL. However -the middle bytes could be uninitialized. - -There is no need to use simple_write_to_buffer(). This code does not -support partial writes but instead passes "pos = 0" as the starting -offset regardless of what the user passed as "*ppos". Just use the -copy_from_user() function and initialize the whole buffer. - -Fixes: 671e0b90051e ("ASoC: SOF: Clone the trace code to ipc3-dtrace as fw_tracing implementation") -Signed-off-by: Dan Carpenter -Link: https://lore.kernel.org/r/74148292-ce4d-4e01-a1a7-921e6767da14@moroto.mountain -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/sof/ipc3-dtrace.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c -index b815b0244d9e4..8cf421577378c 100644 ---- a/sound/soc/sof/ipc3-dtrace.c -+++ b/sound/soc/sof/ipc3-dtrace.c -@@ -187,7 +187,6 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user - struct snd_sof_dfsentry *dfse = file->private_data; - struct sof_ipc_trace_filter_elem *elems = NULL; - struct snd_sof_dev *sdev = dfse->sdev; -- loff_t pos = 0; - int num_elems; - char *string; - int ret; -@@ -202,11 +201,11 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user - if (!string) - return -ENOMEM; - -- /* assert null termination */ -- string[count] = 0; -- ret = simple_write_to_buffer(string, count, &pos, from, count); -- if (ret < 0) -+ if (copy_from_user(string, from, count)) { -+ ret = -EFAULT; - goto error; -+ } -+ string[count] = '\0'; - - ret = trace_filter_parse(sdev, string, &num_elems, &elems); - if (ret < 0) --- -2.39.2 - diff --git a/queue-6.1/asoc-tegra-fix-adx-byte-map.patch b/queue-6.1/asoc-tegra-fix-adx-byte-map.patch deleted file mode 100644 index f0550624f34..00000000000 --- a/queue-6.1/asoc-tegra-fix-adx-byte-map.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 6dfe70be0b0dec0f9297811501bec26c05fd96ad Mon Sep 17 00:00:00 2001 -From: Sheetal -Date: Thu, 29 Jun 2023 10:42:14 +0530 -Subject: ASoC: tegra: Fix ADX byte map - -From: Sheetal - -commit 6dfe70be0b0dec0f9297811501bec26c05fd96ad upstream. - -Byte mask for channel-1 of stream-1 is not getting enabled and this -causes failures during ADX use cases. This happens because the byte -map value 0 matches the byte map array and put() callback returns -without enabling the corresponding bits in the byte mask. - -ADX supports 4 output streams and each stream can have a maximum of -16 channels. Each byte in the input frame is uniquely mapped to a -byte in one of these 4 outputs. This mapping is done with the help of -byte map array via user space control setting. The byte map array -size in the driver is 16 and each array element is of size 4 bytes. -This corresponds to 64 byte map values. - -Each byte in the byte map array can have any value between 0 to 255 -to enable the corresponding bits in the byte mask. The value 256 is -used as a way to disable the byte map. However the byte map array -element cannot store this value. The put() callback disables the byte -mask for 256 value and byte map value is reset to 0 for this case. -This causes problems during subsequent runs since put() callback, -for value of 0, just returns without enabling the byte mask. In short, -the problem is coming because 0 and 256 control values are stored as -0 in the byte map array. - -Right now fix the put() callback by actually looking at the byte mask -array state to identify if any change is needed and update the fields -accordingly. The get() callback needs an update as well to return the -correct control value that user has set before. Note that when user -set 256, the value is stored as 0 and byte mask is disabled. So byte -mask state is used to either return 256 or the value from byte map -array. - -Given above, this looks bit complicated and all this happens because -the byte map array is tightly packed and cannot actually store the 256 -value. Right now the priority is to fix the existing failure and a TODO -item is put to improve this logic. - -Fixes: 3c97881b8c8a ("ASoC: tegra: Fix kcontrol put callback in ADX") -Cc: stable@vger.kernel.org -Signed-off-by: Sheetal -Reviewed-by: Mohan Kumar D -Reviewed-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-3-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/tegra/tegra210_adx.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/sound/soc/tegra/tegra210_adx.c b/sound/soc/tegra/tegra210_adx.c -index bd0b10c70c4c..7d003f0c8d0f 100644 ---- a/sound/soc/tegra/tegra210_adx.c -+++ b/sound/soc/tegra/tegra210_adx.c -@@ -2,7 +2,7 @@ - // - // tegra210_adx.c - Tegra210 ADX driver - // --// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. -+// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. - - #include - #include -@@ -175,10 +175,20 @@ static int tegra210_adx_get_byte_map(struct snd_kcontrol *kcontrol, - mc = (struct soc_mixer_control *)kcontrol->private_value; - enabled = adx->byte_mask[mc->reg / 32] & (1 << (mc->reg % 32)); - -+ /* -+ * TODO: Simplify this logic to just return from bytes_map[] -+ * -+ * Presently below is required since bytes_map[] is -+ * tightly packed and cannot store the control value of 256. -+ * Byte mask state is used to know if 256 needs to be returned. -+ * Note that for control value of 256, the put() call stores 0 -+ * in the bytes_map[] and disables the corresponding bit in -+ * byte_mask[]. -+ */ - if (enabled) - ucontrol->value.integer.value[0] = bytes_map[mc->reg]; - else -- ucontrol->value.integer.value[0] = 0; -+ ucontrol->value.integer.value[0] = 256; - - return 0; - } -@@ -192,19 +202,19 @@ static int tegra210_adx_put_byte_map(struct snd_kcontrol *kcontrol, - int value = ucontrol->value.integer.value[0]; - struct soc_mixer_control *mc = - (struct soc_mixer_control *)kcontrol->private_value; -+ unsigned int mask_val = adx->byte_mask[mc->reg / 32]; - -- if (value == bytes_map[mc->reg]) -+ if (value >= 0 && value <= 255) -+ mask_val |= (1 << (mc->reg % 32)); -+ else -+ mask_val &= ~(1 << (mc->reg % 32)); -+ -+ if (mask_val == adx->byte_mask[mc->reg / 32]) - return 0; - -- if (value >= 0 && value <= 255) { -- /* update byte map and enable slot */ -- bytes_map[mc->reg] = value; -- adx->byte_mask[mc->reg / 32] |= (1 << (mc->reg % 32)); -- } else { -- /* reset byte map and disable slot */ -- bytes_map[mc->reg] = 0; -- adx->byte_mask[mc->reg / 32] &= ~(1 << (mc->reg % 32)); -- } -+ /* Update byte map and slot */ -+ bytes_map[mc->reg] = value % 256; -+ adx->byte_mask[mc->reg / 32] = mask_val; - - return 1; - } --- -2.41.0 - diff --git a/queue-6.1/asoc-tegra-fix-amx-byte-map.patch b/queue-6.1/asoc-tegra-fix-amx-byte-map.patch deleted file mode 100644 index c707318c8b8..00000000000 --- a/queue-6.1/asoc-tegra-fix-amx-byte-map.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 49bd7b08149417a30aa7d92c8c85b3518de44a76 Mon Sep 17 00:00:00 2001 -From: Sheetal -Date: Thu, 29 Jun 2023 10:42:13 +0530 -Subject: ASoC: tegra: Fix AMX byte map - -From: Sheetal - -commit 49bd7b08149417a30aa7d92c8c85b3518de44a76 upstream. - -Byte mask for channel-1 of stream-1 is not getting enabled and this -causes failures during AMX use cases. This happens because the byte -map value 0 matches the byte map array and put() callback returns -without enabling the corresponding bits in the byte mask. - -AMX supports 4 input streams and each stream can take a maximum of -16 channels. Each byte in the output frame is uniquely mapped to a -byte in one of these 4 inputs. This mapping is done with the help of -byte map array via user space control setting. The byte map array -size in the driver is 16 and each array element is of size 4 bytes. -This corresponds to 64 byte map values. - -Each byte in the byte map array can have any value between 0 to 255 -to enable the corresponding bits in the byte mask. The value 256 is -used as a way to disable the byte map. However the byte map array -element cannot store this value. The put() callback disables the byte -mask for 256 value and byte map value is reset to 0 for this case. -This causes problems during subsequent runs since put() callback, -for value of 0, just returns without enabling the byte mask. In short, -the problem is coming because 0 and 256 control values are stored as -0 in the byte map array. - -Right now fix the put() callback by actually looking at the byte mask -array state to identify if any change is needed and update the fields -accordingly. The get() callback needs an update as well to return the -correct control value that user has set before. Note that when user -sets 256, the value is stored as 0 and byte mask is disabled. So byte -mask state is used to either return 256 or the value from byte map -array. - -Given above, this looks bit complicated and all this happens because -the byte map array is tightly packed and cannot actually store the 256 -value. Right now the priority is to fix the existing failure and a TODO -item is put to improve this logic. - -Fixes: 8db78ace1ba8 ("ASoC: tegra: Fix kcontrol put callback in AMX") -Cc: stable@vger.kernel.org -Signed-off-by: Sheetal -Reviewed-by: Mohan Kumar D -Reviewed-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-2-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/tegra/tegra210_amx.c | 40 ++++++++++++++++++++++------------------ - 1 file changed, 22 insertions(+), 18 deletions(-) - ---- a/sound/soc/tegra/tegra210_amx.c -+++ b/sound/soc/tegra/tegra210_amx.c -@@ -2,7 +2,7 @@ - // - // tegra210_amx.c - Tegra210 AMX driver - // --// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. -+// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. - - #include - #include -@@ -203,10 +203,20 @@ static int tegra210_amx_get_byte_map(str - else - enabled = amx->byte_mask[0] & (1 << reg); - -+ /* -+ * TODO: Simplify this logic to just return from bytes_map[] -+ * -+ * Presently below is required since bytes_map[] is -+ * tightly packed and cannot store the control value of 256. -+ * Byte mask state is used to know if 256 needs to be returned. -+ * Note that for control value of 256, the put() call stores 0 -+ * in the bytes_map[] and disables the corresponding bit in -+ * byte_mask[]. -+ */ - if (enabled) - ucontrol->value.integer.value[0] = bytes_map[reg]; - else -- ucontrol->value.integer.value[0] = 0; -+ ucontrol->value.integer.value[0] = 256; - - return 0; - } -@@ -221,25 +231,19 @@ static int tegra210_amx_put_byte_map(str - unsigned char *bytes_map = (unsigned char *)&amx->map; - int reg = mc->reg; - int value = ucontrol->value.integer.value[0]; -+ unsigned int mask_val = amx->byte_mask[reg / 32]; - -- if (value == bytes_map[reg]) -+ if (value >= 0 && value <= 255) -+ mask_val |= (1 << (reg % 32)); -+ else -+ mask_val &= ~(1 << (reg % 32)); -+ -+ if (mask_val == amx->byte_mask[reg / 32]) - return 0; - -- if (value >= 0 && value <= 255) { -- /* Update byte map and enable slot */ -- bytes_map[reg] = value; -- if (reg > 31) -- amx->byte_mask[1] |= (1 << (reg - 32)); -- else -- amx->byte_mask[0] |= (1 << reg); -- } else { -- /* Reset byte map and disable slot */ -- bytes_map[reg] = 0; -- if (reg > 31) -- amx->byte_mask[1] &= ~(1 << (reg - 32)); -- else -- amx->byte_mask[0] &= ~(1 << reg); -- } -+ /* Update byte map and slot */ -+ bytes_map[reg] = value % 256; -+ amx->byte_mask[reg / 32] = mask_val; - - return 1; - } diff --git a/queue-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch b/queue-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch deleted file mode 100644 index 625180f5a80..00000000000 --- a/queue-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch +++ /dev/null @@ -1,168 +0,0 @@ -From f56314f8f520be77c9344013ed73653e992d3600 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:32 +0300 -Subject: Bluetooth: hci_event: call disconnect callback before deleting conn - -From: Pauli Virtanen - -[ Upstream commit 7f7cfcb6f0825652973b780f248603e23f16ee90 ] - -In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. - -ISO, L2CAP and SCO connections refer to the hci_conn without -hci_conn_get, so disconn_cfm must be called so they can clean up their -conn, otherwise use-after-free occurs. - -ISO: -========================================================== -iso_sock_connect:880: sk 00000000eabd6557 -iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -... -iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 -hci_dev_put:1487: hci0 orig refcnt 17 -__iso_chan_add:214: conn 00000000b6251073 -iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 -... -hci_rx_work:4085: hci0 Event packet -hci_event_packet:7601: hci0: event 0x0f -hci_cmd_status_evt:4346: hci0: opcode 0x0406 -hci_cs_disconnect:2760: hci0: status 0x0c -hci_sent_cmd_data:3107: hci0 opcode 0x0406 -hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 -hci_conn_unlink:1102: hci0: hcon 000000001696f1fd -hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 -hci_chan_list_flush:2780: hcon 000000001696f1fd -hci_dev_put:1487: hci0 orig refcnt 21 -hci_dev_put:1487: hci0 orig refcnt 20 -hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c -... ... -iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 -BUG: kernel NULL pointer dereference, address: 0000000000000668 -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP PTI -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth -========================================================== - -L2CAP: -================================================================== -hci_cmd_status_evt:4359: hci0: opcode 0x0406 -hci_cs_disconnect:2760: hci0: status 0x0c -hci_sent_cmd_data:3085: hci0 opcode 0x0406 -hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 -hci_conn_unlink:1102: hci0: hcon ffff88800c999000 -hci_chan_list_flush:2780: hcon ffff88800c999000 -hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 -... -BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] -Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 - -CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -Call Trace: - - dump_stack_lvl+0x5b/0x90 - print_report+0xcf/0x670 - ? __virt_addr_valid+0xf8/0x180 - ? hci_send_acl+0x2d/0x540 [bluetooth] - kasan_report+0xa8/0xe0 - ? hci_send_acl+0x2d/0x540 [bluetooth] - hci_send_acl+0x2d/0x540 [bluetooth] - ? __pfx___lock_acquire+0x10/0x10 - l2cap_chan_send+0x1fd/0x1300 [bluetooth] - ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] - ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] - ? lock_release+0x1d5/0x3c0 - ? mark_held_locks+0x1a/0x90 - l2cap_sock_sendmsg+0x100/0x170 [bluetooth] - sock_write_iter+0x275/0x280 - ? __pfx_sock_write_iter+0x10/0x10 - ? __pfx___lock_acquire+0x10/0x10 - do_iter_readv_writev+0x176/0x220 - ? __pfx_do_iter_readv_writev+0x10/0x10 - ? find_held_lock+0x83/0xa0 - ? selinux_file_permission+0x13e/0x210 - do_iter_write+0xda/0x340 - vfs_writev+0x1b4/0x400 - ? __pfx_vfs_writev+0x10/0x10 - ? __seccomp_filter+0x112/0x750 - ? populate_seccomp_data+0x182/0x220 - ? __fget_light+0xdf/0x100 - ? do_writev+0x19d/0x210 - do_writev+0x19d/0x210 - ? __pfx_do_writev+0x10/0x10 - ? mark_held_locks+0x1a/0x90 - do_syscall_64+0x60/0x90 - ? lockdep_hardirqs_on_prepare+0x149/0x210 - ? do_syscall_64+0x6c/0x90 - ? lockdep_hardirqs_on_prepare+0x149/0x210 - entry_SYSCALL_64_after_hwframe+0x72/0xdc -RIP: 0033:0x7ff45cb23e64 -Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 -RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 -RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64 -RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017 -RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40 -R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0 -R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040 - - -Allocated by task 771: - kasan_save_stack+0x33/0x60 - kasan_set_track+0x25/0x30 - __kasan_kmalloc+0xaa/0xb0 - hci_chan_create+0x67/0x1b0 [bluetooth] - l2cap_conn_add.part.0+0x17/0x590 [bluetooth] - l2cap_connect_cfm+0x266/0x6b0 [bluetooth] - hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth] - hci_event_packet+0x38d/0x800 [bluetooth] - hci_rx_work+0x287/0xb20 [bluetooth] - process_one_work+0x4f7/0x970 - worker_thread+0x8f/0x620 - kthread+0x17f/0x1c0 - ret_from_fork+0x2c/0x50 - -Freed by task 771: - kasan_save_stack+0x33/0x60 - kasan_set_track+0x25/0x30 - kasan_save_free_info+0x2e/0x50 - ____kasan_slab_free+0x169/0x1c0 - slab_free_freelist_hook+0x9e/0x1c0 - __kmem_cache_free+0xc0/0x310 - hci_chan_list_flush+0x46/0x90 [bluetooth] - hci_conn_cleanup+0x7d/0x330 [bluetooth] - hci_cs_disconnect+0x35d/0x530 [bluetooth] - hci_cmd_status_evt+0xef/0x2b0 [bluetooth] - hci_event_packet+0x38d/0x800 [bluetooth] - hci_rx_work+0x287/0xb20 [bluetooth] - process_one_work+0x4f7/0x970 - worker_thread+0x8f/0x620 - kthread+0x17f/0x1c0 - ret_from_fork+0x2c/0x50 -================================================================== - -Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/hci_event.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c -index ec9b0612f2761..83eaf25ece465 100644 ---- a/net/bluetooth/hci_event.c -+++ b/net/bluetooth/hci_event.c -@@ -2789,6 +2789,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) - hci_enable_advertising(hdev); - } - -+ /* Inform sockets conn is gone before we delete it */ -+ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); -+ - goto done; - } - --- -2.39.2 - diff --git a/queue-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch b/queue-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch deleted file mode 100644 index f4cce427f91..00000000000 --- a/queue-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 37d8d1ea773870a99ffb70e4fb61facc4b296dfc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 15:33:14 -0700 -Subject: Bluetooth: hci_sync: Avoid use-after-free in dbg for - hci_remove_adv_monitor() - -From: Douglas Anderson - -[ Upstream commit de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 ] - -KASAN reports that there's a use-after-free in -hci_remove_adv_monitor(). Trawling through the disassembly, you can -see that the complaint is from the access in bt_dev_dbg() under the -HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because -msft_remove_monitor() can end up freeing the monitor -structure. Specifically: - hci_remove_adv_monitor() -> - msft_remove_monitor() -> - msft_remove_monitor_sync() -> - msft_le_cancel_monitor_advertisement_cb() -> - hci_free_adv_monitor() - -Let's fix the problem by just stashing the relevant data when it's -still valid. - -Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") -Signed-off-by: Douglas Anderson -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/hci_core.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c -index be0e6865b340f..d034bf2a999e1 100644 ---- a/net/bluetooth/hci_core.c -+++ b/net/bluetooth/hci_core.c -@@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, - struct adv_monitor *monitor) - { - int status = 0; -+ int handle; - - switch (hci_get_adv_monitor_offload_ext(hdev)) { - case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */ -@@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, - goto free_monitor; - - case HCI_ADV_MONITOR_EXT_MSFT: -+ handle = monitor->handle; - status = msft_remove_monitor(hdev, monitor); - bt_dev_dbg(hdev, "%s remove monitor %d msft status %d", -- hdev->name, monitor->handle, status); -+ hdev->name, handle, status); - break; - } - --- -2.39.2 - diff --git a/queue-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch b/queue-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch deleted file mode 100644 index 997d943298e..00000000000 --- a/queue-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch +++ /dev/null @@ -1,292 +0,0 @@ -From 1bba473b620234ccdcf3a2b08e021f5b27202ce4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:33 +0300 -Subject: Bluetooth: ISO: fix iso_conn related locking and validity issues - -From: Pauli Virtanen - -[ Upstream commit d40ae85ee62e3666f45bc61864b22121346f88ef ] - -sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations -that check/update sk_state and access conn should hold lock_sock, -otherwise they can race. - -The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, -which is how it is in connect/disconnect_cfm -> iso_conn_del -> -iso_chan_del. - -Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock -around updating sk_state and conn. - -iso_conn_del must not occur during iso_connect_cis/bis, as it frees the -iso_conn. Hold hdev->lock longer to prevent that. - -This should not reintroduce the issue fixed in commit 241f51931c35 -("Bluetooth: ISO: Avoid circular locking dependency"), since the we -acquire locks in order. We retain the fix in iso_sock_connect to release -lock_sock before iso_connect_* acquires hdev->lock. - -Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible -circular locking dependency"). We retain the fix in iso_conn_ready to -not acquire iso_conn_lock before lock_sock. - -iso_conn_add shall return iso_conn with valid hcon. Make it so also when -reusing an old CIS connection waiting for disconnect timeout (see -__iso_sock_close where conn->hcon is set to NULL). - -Trace with iso_conn_del after iso_chan_add in iso_connect_cis: -=============================================================== -iso_sock_create:771: sock 00000000be9b69b7 -iso_sock_init:693: sk 000000004dff667e -iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_connect:875: sk 000000004dff667e -iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da -iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e -__iso_chan_add:214: conn 00000000daf8625e -iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 -iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 -iso_sock_clear_timer:117: sock 000000004dff667e state 3 - -iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 -hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 -hci_conn_unlink:1102: hci0: hcon 000000007b65d182 -hci_chan_list_flush:2780: hcon 000000007b65d182 -iso_sock_getsockopt:1376: sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getsockopt:1376: sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 -__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 - -BUG: kernel NULL pointer dereference, address: 0000000000000000 -PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 -Oops: 0000 [#1] PREEMPT SMP PTI -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth -=============================================================== - -Trace with iso_conn_del before iso_chan_add in iso_connect_cis: -=============================================================== -iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -... -iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 -hci_dev_put:1487: hci0 orig refcnt 21 -hci_event_packet:7607: hci0: event 0x0e -hci_cmd_complete_evt:4231: hci0: opcode 0x2062 -hci_cc_le_set_cig_params:3846: hci0: status 0x07 -hci_sent_cmd_data:3107: hci0 opcode 0x2062 -iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7 -iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12 -hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535 -hci_conn_unlink:1102: hci0: hcon 0000000093bc551f -hci_chan_list_flush:2780: hcon 0000000093bc551f -__iso_chan_add:214: conn 00000000768ae504 - -iso_sock_clear_timer:117: sock 0000000098323f95 state 3 -general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI -CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:detach_if_pending+0x28/0xd0 -Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <> -RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007 -RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000 -RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8 -RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88 -R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80 -R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338 -FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0 -Call Trace: - - timer_delete+0x48/0x80 - try_to_grab_pending+0xdf/0x170 - __cancel_work+0x37/0xb0 - iso_connect_cis+0x141/0x400 [bluetooth] -=============================================================== - -Trace with NULL conn->hcon in state BT_CONNECT: -=============================================================== -__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5 -... -__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5 -iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104 -... -iso_sock_connect:862: sk 00000000129b56c3 -iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a -hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a -hci_dev_hold:1495: hci0 orig refcnt 19 -__iso_chan_add:214: conn 0000000022c03a7e - -iso_sock_clear_timer:117: sock 00000000129b56c3 state 3 -... -iso_sock_ready:1485: sk 00000000129b56c3 -... -iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3 -BUG: kernel NULL pointer dereference, address: 00000000000006a8 -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP PTI -CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth] -=============================================================== - -Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency") -Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++------------------- - 1 file changed, 31 insertions(+), 22 deletions(-) - -diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c -index cb959e8eac185..699e4f400df29 100644 ---- a/net/bluetooth/iso.c -+++ b/net/bluetooth/iso.c -@@ -116,8 +116,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) - { - struct iso_conn *conn = hcon->iso_data; - -- if (conn) -+ if (conn) { -+ if (!conn->hcon) -+ conn->hcon = hcon; - return conn; -+ } - - conn = kzalloc(sizeof(*conn), GFP_KERNEL); - if (!conn) -@@ -285,14 +288,13 @@ static int iso_connect_bis(struct sock *sk) - goto unlock; - } - -- hci_dev_unlock(hdev); -- hci_dev_put(hdev); -+ lock_sock(sk); - - err = iso_chan_add(conn, sk, NULL); -- if (err) -- return err; -- -- lock_sock(sk); -+ if (err) { -+ release_sock(sk); -+ goto unlock; -+ } - - /* Update source addr of the socket */ - bacpy(&iso_pi(sk)->src, &hcon->src); -@@ -306,7 +308,6 @@ static int iso_connect_bis(struct sock *sk) - } - - release_sock(sk); -- return err; - - unlock: - hci_dev_unlock(hdev); -@@ -367,14 +368,13 @@ static int iso_connect_cis(struct sock *sk) - goto unlock; - } - -- hci_dev_unlock(hdev); -- hci_dev_put(hdev); -+ lock_sock(sk); - - err = iso_chan_add(conn, sk, NULL); -- if (err) -- return err; -- -- lock_sock(sk); -+ if (err) { -+ release_sock(sk); -+ goto unlock; -+ } - - /* Update source addr of the socket */ - bacpy(&iso_pi(sk)->src, &hcon->src); -@@ -391,7 +391,6 @@ static int iso_connect_cis(struct sock *sk) - } - - release_sock(sk); -- return err; - - unlock: - hci_dev_unlock(hdev); -@@ -1036,8 +1035,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - size_t len) - { - struct sock *sk = sock->sk; -- struct iso_conn *conn = iso_pi(sk)->conn; - struct sk_buff *skb, **frag; -+ size_t mtu; - int err; - - BT_DBG("sock %p, sk %p", sock, sk); -@@ -1049,11 +1048,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - if (msg->msg_flags & MSG_OOB) - return -EOPNOTSUPP; - -- if (sk->sk_state != BT_CONNECTED) -+ lock_sock(sk); -+ -+ if (sk->sk_state != BT_CONNECTED) { -+ release_sock(sk); - return -ENOTCONN; -+ } -+ -+ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu; -+ -+ release_sock(sk); - -- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, -- HCI_ISO_DATA_HDR_SIZE, 0); -+ skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0); - if (IS_ERR(skb)) - return PTR_ERR(skb); - -@@ -1066,8 +1072,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - while (len) { - struct sk_buff *tmp; - -- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, -- 0, 0); -+ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); - if (IS_ERR(tmp)) { - kfree_skb(skb); - return PTR_ERR(tmp); -@@ -1122,15 +1127,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, - BT_DBG("sk %p", sk); - - if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { -+ lock_sock(sk); - switch (sk->sk_state) { - case BT_CONNECT2: -- lock_sock(sk); - iso_conn_defer_accept(pi->conn->hcon); - sk->sk_state = BT_CONFIG; - release_sock(sk); - return 0; - case BT_CONNECT: -+ release_sock(sk); - return iso_connect_cis(sk); -+ default: -+ release_sock(sk); -+ break; - } - } - --- -2.39.2 - diff --git a/queue-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch b/queue-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch deleted file mode 100644 index 8a341ebde67..00000000000 --- a/queue-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch +++ /dev/null @@ -1,594 +0,0 @@ -From 6fa1ac47040a970b9823dd880eeff4a1f5d2c7a1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:31 +0300 -Subject: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync - -From: Pauli Virtanen - -[ Upstream commit 195ef75e19287b4bc413da3e3e3722b030ac881e ] - -hci_update_accept_list_sync iterates over hdev->pend_le_conns and -hdev->pend_le_reports, and waits for controller events in the loop body, -without holding hdev lock. - -Meanwhile, these lists and the items may be modified e.g. by -le_scan_cleanup. This can invalidate the list cursor or any other item -in the list, resulting to invalid behavior (eg use-after-free). - -Use RCU for the hci_conn_params action lists. Since the loop bodies in -hci_sync block and we cannot use RCU or hdev->lock for the whole loop, -copy list items first and then iterate on the copy. Only the flags field -is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we -read valid values. - -Free params everywhere with hci_conn_params_free so the cleanup is -guaranteed to be done properly. - -This fixes the following, which can be triggered e.g. by BlueZ new -mgmt-tester case "Add + Remove Device Nowait - Success", or by changing -hci_le_set_cig_params to always return false, and running iso-tester: - -================================================================== -BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 - -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -Workqueue: hci0 hci_cmd_sync_work -Call Trace: - -dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) -print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) -? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) -? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -kasan_report (mm/kasan/report.c:538) -? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) -? mutex_lock (kernel/locking/mutex.c:282) -? __pfx_mutex_lock (kernel/locking/mutex.c:282) -? __pfx_mutex_unlock (kernel/locking/mutex.c:538) -? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) -hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) -process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) -worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) -? __pfx_worker_thread (kernel/workqueue.c:2480) -kthread (kernel/kthread.c:376) -? __pfx_kthread (kernel/kthread.c:331) -ret_from_fork (arch/x86/entry/entry_64.S:314) - - -Allocated by task 31: -kasan_save_stack (mm/kasan/common.c:46) -kasan_set_track (mm/kasan/common.c:52) -__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) -hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) -hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) -hci_connect_cis (net/bluetooth/hci_conn.c:2266) -iso_connect_cis (net/bluetooth/iso.c:390) -iso_sock_connect (net/bluetooth/iso.c:899) -__sys_connect (net/socket.c:2003 net/socket.c:2020) -__x64_sys_connect (net/socket.c:2027) -do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) -entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) - -Freed by task 15: -kasan_save_stack (mm/kasan/common.c:46) -kasan_set_track (mm/kasan/common.c:52) -kasan_save_free_info (mm/kasan/generic.c:523) -__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) -__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) -hci_conn_params_del (net/bluetooth/hci_core.c:2323) -le_scan_cleanup (net/bluetooth/hci_conn.c:202) -process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) -worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) -kthread (kernel/kthread.c:376) -ret_from_fork (arch/x86/entry/entry_64.S:314) -================================================================== - -Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - include/net/bluetooth/hci_core.h | 5 ++ - net/bluetooth/hci_conn.c | 10 +-- - net/bluetooth/hci_core.c | 38 ++++++++-- - net/bluetooth/hci_event.c | 12 ++-- - net/bluetooth/hci_sync.c | 117 ++++++++++++++++++++++++++++--- - net/bluetooth/mgmt.c | 26 +++---- - 6 files changed, 164 insertions(+), 44 deletions(-) - -diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h -index 84c5ce57eab69..ddbcbf9ccb2ce 100644 ---- a/include/net/bluetooth/hci_core.h -+++ b/include/net/bluetooth/hci_core.h -@@ -807,6 +807,7 @@ struct hci_conn_params { - - struct hci_conn *conn; - bool explicit_connect; -+ /* Accessed without hdev->lock: */ - hci_conn_flags_t flags; - u8 privacy_mode; - }; -@@ -1536,7 +1537,11 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - bdaddr_t *addr, u8 addr_type); - void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); - void hci_conn_params_clear_disabled(struct hci_dev *hdev); -+void hci_conn_params_free(struct hci_conn_params *param); - -+void hci_pend_le_list_del_init(struct hci_conn_params *param); -+void hci_pend_le_list_add(struct hci_conn_params *param, -+ struct list_head *list); - struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, - bdaddr_t *addr, - u8 addr_type); -diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index fef09d2121384..61059571c8779 100644 ---- a/net/bluetooth/hci_conn.c -+++ b/net/bluetooth/hci_conn.c -@@ -117,7 +117,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) - */ - params->explicit_connect = false; - -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - - switch (params->auto_connect) { - case HCI_AUTO_CONN_EXPLICIT: -@@ -126,10 +126,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) - return; - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: -- list_add(¶ms->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(params, &hdev->pend_le_reports); - break; - default: - break; -@@ -1398,8 +1398,8 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev, - if (params->auto_connect == HCI_AUTO_CONN_DISABLED || - params->auto_connect == HCI_AUTO_CONN_REPORT || - params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - } - - params->explicit_connect = true; -diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c -index ca42129f8f91a..be0e6865b340f 100644 ---- a/net/bluetooth/hci_core.c -+++ b/net/bluetooth/hci_core.c -@@ -2249,21 +2249,45 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, - return NULL; - } - --/* This function requires the caller holds hdev->lock */ -+/* This function requires the caller holds hdev->lock or rcu_read_lock */ - struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, - bdaddr_t *addr, u8 addr_type) - { - struct hci_conn_params *param; - -- list_for_each_entry(param, list, action) { -+ rcu_read_lock(); -+ -+ list_for_each_entry_rcu(param, list, action) { - if (bacmp(¶m->addr, addr) == 0 && -- param->addr_type == addr_type) -+ param->addr_type == addr_type) { -+ rcu_read_unlock(); - return param; -+ } - } - -+ rcu_read_unlock(); -+ - return NULL; - } - -+/* This function requires the caller holds hdev->lock */ -+void hci_pend_le_list_del_init(struct hci_conn_params *param) -+{ -+ if (list_empty(¶m->action)) -+ return; -+ -+ list_del_rcu(¶m->action); -+ synchronize_rcu(); -+ INIT_LIST_HEAD(¶m->action); -+} -+ -+/* This function requires the caller holds hdev->lock */ -+void hci_pend_le_list_add(struct hci_conn_params *param, -+ struct list_head *list) -+{ -+ list_add_rcu(¶m->action, list); -+} -+ - /* This function requires the caller holds hdev->lock */ - struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - bdaddr_t *addr, u8 addr_type) -@@ -2297,14 +2321,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - return params; - } - --static void hci_conn_params_free(struct hci_conn_params *params) -+void hci_conn_params_free(struct hci_conn_params *params) - { -+ hci_pend_le_list_del_init(params); -+ - if (params->conn) { - hci_conn_drop(params->conn); - hci_conn_put(params->conn); - } - -- list_del(¶ms->action); - list_del(¶ms->list); - kfree(params); - } -@@ -2342,8 +2367,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev) - continue; - } - -- list_del(¶ms->list); -- kfree(params); -+ hci_conn_params_free(params); - } - - BT_DBG("All LE disabled connection parameters were removed"); -diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c -index b272cc1f36481..ec9b0612f2761 100644 ---- a/net/bluetooth/hci_event.c -+++ b/net/bluetooth/hci_event.c -@@ -1558,7 +1558,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, - - params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); - if (params) -- params->privacy_mode = cp->mode; -+ WRITE_ONCE(params->privacy_mode, cp->mode); - - hci_dev_unlock(hdev); - -@@ -2809,8 +2809,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) - - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - - default: -@@ -3428,8 +3428,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, - - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - hci_update_passive_scan(hdev); - break; - -@@ -5952,7 +5952,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, - params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, - conn->dst_type); - if (params) { -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - if (params->conn) { - hci_conn_drop(params->conn); - hci_conn_put(params->conn); -diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c -index 37131a36700a1..2ae038dfc39f7 100644 ---- a/net/bluetooth/hci_sync.c -+++ b/net/bluetooth/hci_sync.c -@@ -2139,15 +2139,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev, - return 0; - } - -+struct conn_params { -+ bdaddr_t addr; -+ u8 addr_type; -+ hci_conn_flags_t flags; -+ u8 privacy_mode; -+}; -+ - /* Adds connection to resolve list if needed. - * Setting params to NULL programs local hdev->irk - */ - static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, -- struct hci_conn_params *params) -+ struct conn_params *params) - { - struct hci_cp_le_add_to_resolv_list cp; - struct smp_irk *irk; - struct bdaddr_list_with_irk *entry; -+ struct hci_conn_params *p; - - if (!use_ll_privacy(hdev)) - return 0; -@@ -2182,6 +2190,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, - /* Default privacy mode is always Network */ - params->privacy_mode = HCI_NETWORK_PRIVACY; - -+ rcu_read_lock(); -+ p = hci_pend_le_action_lookup(&hdev->pend_le_conns, -+ ¶ms->addr, params->addr_type); -+ if (!p) -+ p = hci_pend_le_action_lookup(&hdev->pend_le_reports, -+ ¶ms->addr, params->addr_type); -+ if (p) -+ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY); -+ rcu_read_unlock(); -+ - done: - if (hci_dev_test_flag(hdev, HCI_PRIVACY)) - memcpy(cp.local_irk, hdev->irk, 16); -@@ -2194,7 +2212,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, - - /* Set Device Privacy Mode. */ - static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, -- struct hci_conn_params *params) -+ struct conn_params *params) - { - struct hci_cp_le_set_privacy_mode cp; - struct smp_irk *irk; -@@ -2219,6 +2237,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, - bacpy(&cp.bdaddr, &irk->bdaddr); - cp.mode = HCI_DEVICE_PRIVACY; - -+ /* Note: params->privacy_mode is not updated since it is a copy */ -+ - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); - } -@@ -2228,7 +2248,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, - * properly set the privacy mode. - */ - static int hci_le_add_accept_list_sync(struct hci_dev *hdev, -- struct hci_conn_params *params, -+ struct conn_params *params, - u8 *num_entries) - { - struct hci_cp_le_add_to_accept_list cp; -@@ -2426,6 +2446,52 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, - return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk); - } - -+static struct conn_params *conn_params_copy(struct list_head *list, size_t *n) -+{ -+ struct hci_conn_params *params; -+ struct conn_params *p; -+ size_t i; -+ -+ rcu_read_lock(); -+ -+ i = 0; -+ list_for_each_entry_rcu(params, list, action) -+ ++i; -+ *n = i; -+ -+ rcu_read_unlock(); -+ -+ p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL); -+ if (!p) -+ return NULL; -+ -+ rcu_read_lock(); -+ -+ i = 0; -+ list_for_each_entry_rcu(params, list, action) { -+ /* Racing adds are handled in next scan update */ -+ if (i >= *n) -+ break; -+ -+ /* No hdev->lock, but: addr, addr_type are immutable. -+ * privacy_mode is only written by us or in -+ * hci_cc_le_set_privacy_mode that we wait for. -+ * We should be idempotent so MGMT updating flags -+ * while we are processing is OK. -+ */ -+ bacpy(&p[i].addr, ¶ms->addr); -+ p[i].addr_type = params->addr_type; -+ p[i].flags = READ_ONCE(params->flags); -+ p[i].privacy_mode = READ_ONCE(params->privacy_mode); -+ ++i; -+ } -+ -+ rcu_read_unlock(); -+ -+ *n = i; -+ return p; -+} -+ - /* Device must not be scanning when updating the accept list. - * - * Update is done using the following sequence: -@@ -2445,11 +2511,12 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, - */ - static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - { -- struct hci_conn_params *params; -+ struct conn_params *params; - struct bdaddr_list *b, *t; - u8 num_entries = 0; - bool pend_conn, pend_report; - u8 filter_policy; -+ size_t i, n; - int err; - - /* Pause advertising if resolving list can be used as controllers -@@ -2483,6 +2550,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) - continue; - -+ /* Pointers not dereferenced, no locks needed */ - pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns, - &b->bdaddr, - b->bdaddr_type); -@@ -2511,23 +2579,50 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - * available accept list entries in the controller, then - * just abort and return filer policy value to not use the - * accept list. -+ * -+ * The list and params may be mutated while we wait for events, -+ * so make a copy and iterate it. - */ -- list_for_each_entry(params, &hdev->pend_le_conns, action) { -- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); -- if (err) -+ -+ params = conn_params_copy(&hdev->pend_le_conns, &n); -+ if (!params) { -+ err = -ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < n; ++i) { -+ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], -+ &num_entries); -+ if (err) { -+ kvfree(params); - goto done; -+ } - } - -+ kvfree(params); -+ - /* After adding all new pending connections, walk through - * the list of pending reports and also add these to the - * accept list if there is still space. Abort if space runs out. - */ -- list_for_each_entry(params, &hdev->pend_le_reports, action) { -- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); -- if (err) -+ -+ params = conn_params_copy(&hdev->pend_le_reports, &n); -+ if (!params) { -+ err = -ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < n; ++i) { -+ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], -+ &num_entries); -+ if (err) { -+ kvfree(params); - goto done; -+ } - } - -+ kvfree(params); -+ - /* Use the allowlist unless the following conditions are all true: - * - We are not currently suspending - * - There are 1 or more ADV monitors registered and it's not offloaded -@@ -4778,12 +4873,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev) - struct hci_conn_params *p; - - list_for_each_entry(p, &hdev->le_conn_params, list) { -+ hci_pend_le_list_del_init(p); - if (p->conn) { - hci_conn_drop(p->conn); - hci_conn_put(p->conn); - p->conn = NULL; - } -- list_del_init(&p->action); - } - - BT_DBG("All LE pending actions cleared"); -diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index 815f2abe918ef..89c94f3e96bc3 100644 ---- a/net/bluetooth/mgmt.c -+++ b/net/bluetooth/mgmt.c -@@ -1297,15 +1297,15 @@ static void restart_le_actions(struct hci_dev *hdev) - /* Needed for AUTO_OFF case where might not "really" - * have been powered off. - */ -- list_del_init(&p->action); -+ hci_pend_le_list_del_init(p); - - switch (p->auto_connect) { - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_add(&p->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(p, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: -- list_add(&p->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(p, &hdev->pend_le_reports); - break; - default: - break; -@@ -5161,7 +5161,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, - goto unlock; - } - -- params->flags = current_flags; -+ WRITE_ONCE(params->flags, current_flags); - status = MGMT_STATUS_SUCCESS; - - /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY -@@ -7573,7 +7573,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, - if (params->auto_connect == auto_connect) - return 0; - -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - - switch (auto_connect) { - case HCI_AUTO_CONN_DISABLED: -@@ -7582,18 +7582,18 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, - * connect to device, keep connecting. - */ - if (params->explicit_connect) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: - if (params->explicit_connect) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - else -- list_add(¶ms->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(params, &hdev->pend_le_reports); - break; - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: - if (!is_connected(hdev, addr, addr_type)) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - } - -@@ -7816,9 +7816,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, - goto unlock; - } - -- list_del(¶ms->action); -- list_del(¶ms->list); -- kfree(params); -+ hci_conn_params_free(params); - - device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type); - } else { -@@ -7849,9 +7847,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, - p->auto_connect = HCI_AUTO_CONN_EXPLICIT; - continue; - } -- list_del(&p->action); -- list_del(&p->list); -- kfree(p); -+ hci_conn_params_free(p); - } - - bt_dev_dbg(hdev, "All LE connection parameters were removed"); --- -2.39.2 - diff --git a/queue-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch deleted file mode 100644 index 9da0f1b277e..00000000000 --- a/queue-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch +++ /dev/null @@ -1,177 +0,0 @@ -From ccf4979c64a589eed4428fcc3fc6a92a8627c659 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 May 2023 21:37:48 -0700 -Subject: bpf: Address KCSAN report on bpf_lru_list - -From: Martin KaFai Lau - -[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] - -KCSAN reported a data-race when accessing node->ref. -Although node->ref does not have to be accurate, -take this chance to use a more common READ_ONCE() and WRITE_ONCE() -pattern instead of data_race(). - -There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). -This patch also adds bpf_lru_node_clear_ref() to do the -WRITE_ONCE(node->ref, 0) also. - -================================================================== -BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem - -write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: -__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] -__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] -__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 -bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] -bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] -bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 -prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] -__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: -bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] -__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -value changed: 0x01 -> 0x00 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 -================================================================== - -Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com -Signed-off-by: Martin KaFai Lau -Acked-by: Yonghong Song -Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- - kernel/bpf/bpf_lru_list.h | 7 ++----- - 2 files changed, 15 insertions(+), 13 deletions(-) - -diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c -index d99e89f113c43..3dabdd137d102 100644 ---- a/kernel/bpf/bpf_lru_list.c -+++ b/kernel/bpf/bpf_lru_list.c -@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) - /* bpf_lru_node helpers */ - static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) - { -- return node->ref; -+ return READ_ONCE(node->ref); -+} -+ -+static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) -+{ -+ WRITE_ONCE(node->ref, 0); - } - - static void bpf_lru_list_count_inc(struct bpf_lru_list *l, -@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, - - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, &l->lists[tgt_type]); - } - -@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; - } -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - - /* If the moving node is the next_inactive_rotation candidate, - * move the next_inactive_rotation pointer also. -@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, - *(u32 *)((void *)node + lru->hash_offset) = hash; - node->cpu = cpu; - node->type = BPF_LRU_LOCAL_LIST_T_PENDING; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, local_pending_list(loc_l)); - } - -@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, - if (!list_empty(free_list)) { - node = list_first_entry(free_list, struct bpf_lru_node, list); - *(u32 *)((void *)node + lru->hash_offset) = hash; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); - } - -@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, - } - - node->type = BPF_LRU_LOCAL_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, local_free_list(loc_l)); - - raw_spin_unlock_irqrestore(&loc_l->lock, flags); -@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, - - node = (struct bpf_lru_node *)(buf + node_offset); - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - buf += elem_size; - } -@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, - node = (struct bpf_lru_node *)(buf + node_offset); - node->cpu = cpu; - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - i++; - buf += elem_size; -diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h -index 4ea227c9c1ade..8f3c8b2b4490e 100644 ---- a/kernel/bpf/bpf_lru_list.h -+++ b/kernel/bpf/bpf_lru_list.h -@@ -64,11 +64,8 @@ struct bpf_lru { - - static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) - { -- /* ref is an approximation on access frequency. It does not -- * have to be very accurate. Hence, no protection is used. -- */ -- if (!node->ref) -- node->ref = 1; -+ if (!READ_ONCE(node->ref)) -+ WRITE_ONCE(node->ref, 1); - } - - int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, --- -2.39.2 - diff --git a/queue-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch b/queue-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch deleted file mode 100644 index d3ca2081c08..00000000000 --- a/queue-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch +++ /dev/null @@ -1,128 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:44 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:20 +0300 -Subject: bpf: aggressively forget precise markings during state checkpointing -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman -Message-ID: <20230724124223.1176479-4-eddyz87@gmail.com> - -From: Andrii Nakryiko - -[ Upstream commit 7a830b53c17bbadcf99f778f28aaaa4e6c41df5f ] - -Exploit the property of about-to-be-checkpointed state to be able to -forget all precise markings up to that point even more aggressively. We -now clear all potentially inherited precise markings right before -checkpointing and branching off into child state. If any of children -states require precise knowledge of any SCALAR register, those will be -propagated backwards later on before this state is finalized, preserving -correctness. - -There is a single selftests BPF program change, but tremendous one: 25x -reduction in number of verified instructions and states in -trace_virtqueue_add_sgs. - -Cilium results are more modest, but happen across wider range of programs. - -SELFTESTS RESULTS -================= - -$ ./veristat -C -e file,prog,insns,states ~/imprecise-early-results.csv ~/imprecise-aggressive-results.csv | grep -v '+0' -File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) -------------------- ----------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- -loop6.bpf.linked1.o trace_virtqueue_add_sgs 398057 15114 -382943 (-96.20%) 8717 336 -8381 (-96.15%) -------------------- ----------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- - -CILIUM RESULTS -============== - -$ ./veristat -C -e file,prog,insns,states ~/imprecise-early-results-cilium.csv ~/imprecise-aggressive-results-cilium.csv | grep -v '+0' -File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) -------------- -------------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- -bpf_host.o tail_handle_nat_fwd_ipv4 23426 23221 -205 (-0.88%) 1537 1515 -22 (-1.43%) -bpf_host.o tail_handle_nat_fwd_ipv6 13009 12904 -105 (-0.81%) 719 708 -11 (-1.53%) -bpf_host.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) -bpf_host.o tail_nodeport_nat_ipv6_egress 3446 3406 -40 (-1.16%) 203 198 -5 (-2.46%) -bpf_lxc.o tail_handle_nat_fwd_ipv4 23426 23221 -205 (-0.88%) 1537 1515 -22 (-1.43%) -bpf_lxc.o tail_handle_nat_fwd_ipv6 13009 12904 -105 (-0.81%) 719 708 -11 (-1.53%) -bpf_lxc.o tail_ipv4_ct_egress 5074 4897 -177 (-3.49%) 255 248 -7 (-2.75%) -bpf_lxc.o tail_ipv4_ct_ingress 5100 4923 -177 (-3.47%) 255 248 -7 (-2.75%) -bpf_lxc.o tail_ipv4_ct_ingress_policy_only 5100 4923 -177 (-3.47%) 255 248 -7 (-2.75%) -bpf_lxc.o tail_ipv6_ct_egress 4558 4536 -22 (-0.48%) 188 187 -1 (-0.53%) -bpf_lxc.o tail_ipv6_ct_ingress 4578 4556 -22 (-0.48%) 188 187 -1 (-0.53%) -bpf_lxc.o tail_ipv6_ct_ingress_policy_only 4578 4556 -22 (-0.48%) 188 187 -1 (-0.53%) -bpf_lxc.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) -bpf_overlay.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) -bpf_overlay.o tail_nodeport_nat_ipv6_egress 3482 3442 -40 (-1.15%) 204 201 -3 (-1.47%) -bpf_xdp.o tail_nodeport_nat_egress_ipv4 17200 15619 -1581 (-9.19%) 1111 1010 -101 (-9.09%) -------------- -------------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- - -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/r/20221104163649.121784-6-andrii@kernel.org -Signed-off-by: Alexei Starovoitov -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - kernel/bpf/verifier.c | 37 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 37 insertions(+) - ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2813,6 +2813,31 @@ static void mark_all_scalars_precise(str - } - } - -+static void mark_all_scalars_imprecise(struct bpf_verifier_env *env, struct bpf_verifier_state *st) -+{ -+ struct bpf_func_state *func; -+ struct bpf_reg_state *reg; -+ int i, j; -+ -+ for (i = 0; i <= st->curframe; i++) { -+ func = st->frame[i]; -+ for (j = 0; j < BPF_REG_FP; j++) { -+ reg = &func->regs[j]; -+ if (reg->type != SCALAR_VALUE) -+ continue; -+ reg->precise = false; -+ } -+ for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) { -+ if (!is_spilled_reg(&func->stack[j])) -+ continue; -+ reg = &func->stack[j].spilled_ptr; -+ if (reg->type != SCALAR_VALUE) -+ continue; -+ reg->precise = false; -+ } -+ } -+} -+ - /* - * __mark_chain_precision() backtracks BPF program instruction sequence and - * chain of verifier states making sure that register *regno* (if regno >= 0) -@@ -2891,6 +2916,14 @@ static void mark_all_scalars_precise(str - * be imprecise. If any child state does require this register to be precise, - * we'll mark it precise later retroactively during precise markings - * propagation from child state to parent states. -+ * -+ * Skipping precise marking setting in current state is a mild version of -+ * relying on the above observation. But we can utilize this property even -+ * more aggressively by proactively forgetting any precise marking in the -+ * current state (which we inherited from the parent state), right before we -+ * checkpoint it and branch off into new child state. This is done by -+ * mark_all_scalars_imprecise() to hopefully get more permissive and generic -+ * finalized states which help in short circuiting more future states. - */ - static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno, - int spi) -@@ -12296,6 +12329,10 @@ next: - env->prev_jmps_processed = env->jmps_processed; - env->prev_insn_processed = env->insn_processed; - -+ /* forget precise markings we inherited, see __mark_chain_precision */ -+ if (env->bpf_capable) -+ mark_all_scalars_imprecise(env, cur); -+ - /* add new state to the head of linked list */ - new = &new_sl->state; - err = copy_verifier_state(new, cur); diff --git a/queue-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch b/queue-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch deleted file mode 100644 index acec2f6d51e..00000000000 --- a/queue-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch +++ /dev/null @@ -1,246 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:40 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:18 +0300 -Subject: bpf: allow precision tracking for programs with subprogs -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman -Message-ID: <20230724124223.1176479-2-eddyz87@gmail.com> - -From: Andrii Nakryiko - -[ Upstream commit be2ef8161572ec1973124ebc50f56dafc2925e07 ] - -Stop forcing precise=true for SCALAR registers when BPF program has any -subprograms. Current restriction means that any BPF program, as soon as -it uses subprograms, will end up not getting any of the precision -tracking benefits in reduction of number of verified states. - -This patch keeps the fallback mark_all_scalars_precise() behavior if -precise marking has to cross function frames. E.g., if subprogram -requires R1 (first input arg) to be marked precise, ideally we'd need to -backtrack to the parent function and keep marking R1 and its -dependencies as precise. But right now we give up and force all the -SCALARs in any of the current and parent states to be forced to -precise=true. We can lift that restriction in the future. - -But this patch fixes two issues identified when trying to enable -precision tracking for subprogs. - -First, prevent "escaping" from top-most state in a global subprog. While -with entry-level BPF program we never end up requesting precision for -R1-R5 registers, because R2-R5 are not initialized (and so not readable -in correct BPF program), and R1 is PTR_TO_CTX, not SCALAR, and so is -implicitly precise. With global subprogs, though, it's different, as -global subprog a) can have up to 5 SCALAR input arguments, which might -get marked as precise=true and b) it is validated in isolation from its -main entry BPF program. b) means that we can end up exhausting parent -state chain and still not mark all registers in reg_mask as precise, -which would lead to verifier bug warning. - -To handle that, we need to consider two cases. First, if the very first -state is not immediately "checkpointed" (i.e., stored in state lookup -hashtable), it will get correct first_insn_idx and last_insn_idx -instruction set during state checkpointing. As such, this case is -already handled and __mark_chain_precision() already handles that by -just doing nothing when we reach to the very first parent state. -st->parent will be NULL and we'll just stop. Perhaps some extra check -for reg_mask and stack_mask is due here, but this patch doesn't address -that issue. - -More problematic second case is when global function's initial state is -immediately checkpointed before we manage to process the very first -instruction. This is happening because when there is a call to global -subprog from the main program the very first subprog's instruction is -marked as pruning point, so before we manage to process first -instruction we have to check and checkpoint state. This patch adds -a special handling for such "empty" state, which is identified by having -st->last_insn_idx set to -1. In such case, we check that we are indeed -validating global subprog, and with some sanity checking we mark input -args as precise if requested. - -Note that we also initialize state->first_insn_idx with correct start -insn_idx offset. For main program zero is correct value, but for any -subprog it's quite confusing to not have first_insn_idx set. This -doesn't have any functional impact, but helps with debugging and state -printing. We also explicitly initialize state->last_insns_idx instead of -relying on is_state_visited() to do this with env->prev_insns_idx, which -will be -1 on the very first instruction. This concludes necessary -changes to handle specifically global subprog's precision tracking. - -Second identified problem was missed handling of BPF helper functions -that call into subprogs (e.g., bpf_loop and few others). From precision -tracking and backtracking logic's standpoint those are effectively calls -into subprogs and should be called as BPF_PSEUDO_CALL calls. - -This patch takes the least intrusive way and just checks against a short -list of current BPF helpers that do call subprogs, encapsulated in -is_callback_calling_function() function. But to prevent accidentally -forgetting to add new BPF helpers to this "list", we also do a sanity -check in __check_func_call, which has to be called for each such special -BPF helper, to validate that BPF helper is indeed recognized as -callback-calling one. This should catch any missed checks in the future. -Adding some special flags to be added in function proto definitions -seemed like an overkill in this case. - -With the above changes, it's possible to remove forceful setting of -reg->precise to true in __mark_reg_unknown, which turns on precision -tracking both inside subprogs and entry progs that have subprogs. No -warnings or errors were detected across all the selftests, but also when -validating with veristat against internal Meta BPF objects and Cilium -objects. Further, in some BPF programs there are noticeable reduction in -number of states and instructions validated due to more effective -precision tracking, especially benefiting syncookie test. - -$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/subprog-precise-results.csv | grep -v '+0' -File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) ----------------------------------------- -------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- -pyperf600_bpf_loop.bpf.linked1.o on_event 3966 3678 -288 (-7.26%) 306 276 -30 (-9.80%) -pyperf_global.bpf.linked1.o on_event 7563 7530 -33 (-0.44%) 520 517 -3 (-0.58%) -pyperf_subprogs.bpf.linked1.o on_event 36358 36934 +576 (+1.58%) 2499 2531 +32 (+1.28%) -setget_sockopt.bpf.linked1.o skops_sockopt 3965 4038 +73 (+1.84%) 343 347 +4 (+1.17%) -test_cls_redirect_subprogs.bpf.linked1.o cls_redirect 64965 64901 -64 (-0.10%) 4619 4612 -7 (-0.15%) -test_misc_tcp_hdr_options.bpf.linked1.o misc_estab 1491 1307 -184 (-12.34%) 110 100 -10 (-9.09%) -test_pkt_access.bpf.linked1.o test_pkt_access 354 349 -5 (-1.41%) 25 24 -1 (-4.00%) -test_sock_fields.bpf.linked1.o egress_read_sock_fields 435 375 -60 (-13.79%) 22 20 -2 (-9.09%) -test_sysctl_loop2.bpf.linked1.o sysctl_tcp_mem 1508 1501 -7 (-0.46%) 29 28 -1 (-3.45%) -test_tc_dtime.bpf.linked1.o egress_fwdns_prio100 468 435 -33 (-7.05%) 45 41 -4 (-8.89%) -test_tc_dtime.bpf.linked1.o ingress_fwdns_prio100 398 408 +10 (+2.51%) 42 39 -3 (-7.14%) -test_tc_dtime.bpf.linked1.o ingress_fwdns_prio101 1096 842 -254 (-23.18%) 97 73 -24 (-24.74%) -test_tcp_hdr_options.bpf.linked1.o estab 2758 2408 -350 (-12.69%) 208 181 -27 (-12.98%) -test_urandom_usdt.bpf.linked1.o urand_read_with_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) -test_urandom_usdt.bpf.linked1.o urand_read_without_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) -test_urandom_usdt.bpf.linked1.o urandlib_read_with_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) -test_urandom_usdt.bpf.linked1.o urandlib_read_without_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) -test_xdp_noinline.bpf.linked1.o balancer_ingress_v6 4302 4294 -8 (-0.19%) 257 256 -1 (-0.39%) -xdp_synproxy_kern.bpf.linked1.o syncookie_tc 583722 405757 -177965 (-30.49%) 35846 25735 -10111 (-28.21%) -xdp_synproxy_kern.bpf.linked1.o syncookie_xdp 609123 479055 -130068 (-21.35%) 35452 29145 -6307 (-17.79%) ----------------------------------------- -------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- - -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/r/20221104163649.121784-4-andrii@kernel.org -Signed-off-by: Alexei Starovoitov -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - kernel/bpf/verifier.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 61 insertions(+), 1 deletion(-) - ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -511,6 +511,15 @@ static bool is_dynptr_ref_function(enum - return func_id == BPF_FUNC_dynptr_data; - } - -+static bool is_callback_calling_function(enum bpf_func_id func_id) -+{ -+ return func_id == BPF_FUNC_for_each_map_elem || -+ func_id == BPF_FUNC_timer_set_callback || -+ func_id == BPF_FUNC_find_vma || -+ func_id == BPF_FUNC_loop || -+ func_id == BPF_FUNC_user_ringbuf_drain; -+} -+ - static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id, - const struct bpf_map *map) - { -@@ -1693,7 +1702,7 @@ static void __mark_reg_unknown(const str - reg->type = SCALAR_VALUE; - reg->var_off = tnum_unknown; - reg->frameno = 0; -- reg->precise = env->subprog_cnt > 1 || !env->bpf_capable; -+ reg->precise = !env->bpf_capable; - __mark_reg_unbounded(reg); - } - -@@ -2670,6 +2679,11 @@ static int backtrack_insn(struct bpf_ver - */ - if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL && insn->imm == 0) - return -ENOTSUPP; -+ /* BPF helpers that invoke callback subprogs are -+ * equivalent to BPF_PSEUDO_CALL above -+ */ -+ if (insn->src_reg == 0 && is_callback_calling_function(insn->imm)) -+ return -ENOTSUPP; - /* regular helper call sets R0 */ - *reg_mask &= ~1; - if (*reg_mask & 0x3f) { -@@ -2848,12 +2862,42 @@ static int __mark_chain_precision(struct - return 0; - if (!reg_mask && !stack_mask) - return 0; -+ - for (;;) { - DECLARE_BITMAP(mask, 64); - u32 history = st->jmp_history_cnt; - - if (env->log.level & BPF_LOG_LEVEL2) - verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx); -+ -+ if (last_idx < 0) { -+ /* we are at the entry into subprog, which -+ * is expected for global funcs, but only if -+ * requested precise registers are R1-R5 -+ * (which are global func's input arguments) -+ */ -+ if (st->curframe == 0 && -+ st->frame[0]->subprogno > 0 && -+ st->frame[0]->callsite == BPF_MAIN_FUNC && -+ stack_mask == 0 && (reg_mask & ~0x3e) == 0) { -+ bitmap_from_u64(mask, reg_mask); -+ for_each_set_bit(i, mask, 32) { -+ reg = &st->frame[0]->regs[i]; -+ if (reg->type != SCALAR_VALUE) { -+ reg_mask &= ~(1u << i); -+ continue; -+ } -+ reg->precise = true; -+ } -+ return 0; -+ } -+ -+ verbose(env, "BUG backtracing func entry subprog %d reg_mask %x stack_mask %llx\n", -+ st->frame[0]->subprogno, reg_mask, stack_mask); -+ WARN_ONCE(1, "verifier backtracking bug"); -+ return -EFAULT; -+ } -+ - for (i = last_idx;;) { - if (skip_first) { - err = 0; -@@ -6732,6 +6776,10 @@ typedef int (*set_callee_state_fn)(struc - struct bpf_func_state *callee, - int insn_idx); - -+static int set_callee_state(struct bpf_verifier_env *env, -+ struct bpf_func_state *caller, -+ struct bpf_func_state *callee, int insn_idx); -+ - static int __check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, - int *insn_idx, int subprog, - set_callee_state_fn set_callee_state_cb) -@@ -6782,6 +6830,16 @@ static int __check_func_call(struct bpf_ - } - } - -+ /* set_callee_state is used for direct subprog calls, but we are -+ * interested in validating only BPF helpers that can call subprogs as -+ * callbacks -+ */ -+ if (set_callee_state_cb != set_callee_state && !is_callback_calling_function(insn->imm)) { -+ verbose(env, "verifier bug: helper %s#%d is not marked as callback-calling\n", -+ func_id_name(insn->imm), insn->imm); -+ return -EFAULT; -+ } -+ - if (insn->code == (BPF_JMP | BPF_CALL) && - insn->src_reg == 0 && - insn->imm == BPF_FUNC_timer_set_callback) { -@@ -14713,6 +14771,8 @@ static int do_check_common(struct bpf_ve - BPF_MAIN_FUNC /* callsite */, - 0 /* frameno */, - subprog); -+ state->first_insn_idx = env->subprog_info[subprog].start; -+ state->last_insn_idx = -1; - - regs = state->frame[state->curframe]->regs; - if (subprog || env->prog->type == BPF_PROG_TYPE_EXT) { diff --git a/queue-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch b/queue-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch deleted file mode 100644 index c3a7b30b4e4..00000000000 --- a/queue-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 0a9f7c72db338d808de8b35708d487940038ce8f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 09:49:31 -0700 -Subject: bpf, arm64: Fix BTI type used for freplace attached functions - -From: Alexander Duyck - -[ Upstream commit a3f25d614bc73b45e8f02adc6769876dfd16ca84 ] - -When running an freplace attached bpf program on an arm64 system w were -seeing the following issue: - Unhandled 64-bit el1h sync exception on CPU47, ESR 0x0000000036000003 -- BTI - -After a bit of work to track it down I determined that what appeared to be -happening is that the 'bti c' at the start of the program was somehow being -reached after a 'br' instruction. Further digging pointed me toward the -fact that the function was attached via freplace. This in turn led me to -build_plt which I believe is invoking the long jump which is triggering -this error. - -To resolve it we can replace the 'bti c' with 'bti jc' and add a comment -explaining why this has to be modified as such. - -Fixes: b2ad54e1533e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64") -Signed-off-by: Alexander Duyck -Acked-by: Xu Kuohai -Link: https://lore.kernel.org/r/168926677665.316237.9953845318337455525.stgit@ahduyck-xeon-server.home.arpa -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - arch/arm64/net/bpf_jit_comp.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c -index 8f16217c111c8..14134fd34ff79 100644 ---- a/arch/arm64/net/bpf_jit_comp.c -+++ b/arch/arm64/net/bpf_jit_comp.c -@@ -322,7 +322,13 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf) - * - */ - -- emit_bti(A64_BTI_C, ctx); -+ /* bpf function may be invoked by 3 instruction types: -+ * 1. bl, attached via freplace to bpf prog via short jump -+ * 2. br, attached via freplace to bpf prog via long jump -+ * 3. blr, working as a function pointer, used by emit_call. -+ * So BTI_JC should used here to support both br and blr. -+ */ -+ emit_bti(A64_BTI_JC, ctx); - - emit(A64_MOV(1, A64_R(9), A64_LR), ctx); - emit(A64_NOP, ctx); --- -2.39.2 - diff --git a/queue-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/queue-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch deleted file mode 100644 index fce380e970d..00000000000 --- a/queue-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 6136de53109de1a3979843917ce4f9c78823e3e1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 21:45:28 +0530 -Subject: bpf: Fix subprog idx logic in check_max_stack_depth - -From: Kumar Kartikeya Dwivedi - -[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ] - -The assignment to idx in check_max_stack_depth happens once we see a -bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of -the code performs a few checks and then pushes the frame to the frame -stack, except the case of async callbacks. If the async callback case -causes the loop iteration to be skipped, the idx assignment will be -incorrect on the next iteration of the loop. The value stored in the -frame stack (as the subprogno of the current subprog) will be incorrect. - -This leads to incorrect checks and incorrect tail_call_reachable -marking. Save the target subprog in a new variable and only assign to -idx once we are done with the is_async_cb check which may skip pushing -of frame to the frame stack and subsequent stack depth checks and tail -call markings. - -Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") -Signed-off-by: Kumar Kartikeya Dwivedi -Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 8c3ededef3172..fdba4086881b3 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -4336,7 +4336,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - continue_func: - subprog_end = subprog[idx + 1].start; - for (; i < subprog_end; i++) { -- int next_insn; -+ int next_insn, sidx; - - if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i)) - continue; -@@ -4346,14 +4346,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - - /* find the callee */ - next_insn = i + insn[i].imm + 1; -- idx = find_subprog(env, next_insn); -- if (idx < 0) { -+ sidx = find_subprog(env, next_insn); -+ if (sidx < 0) { - WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", - next_insn); - return -EFAULT; - } -- if (subprog[idx].is_async_cb) { -- if (subprog[idx].has_tail_call) { -+ if (subprog[sidx].is_async_cb) { -+ if (subprog[sidx].has_tail_call) { - verbose(env, "verifier bug. subprog has tail_call and async cb\n"); - return -EFAULT; - } -@@ -4362,6 +4362,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - continue; - } - i = next_insn; -+ idx = sidx; - - if (subprog[idx].has_tail_call) - tail_call_reachable = true; --- -2.39.2 - diff --git a/queue-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch b/queue-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch deleted file mode 100644 index c1133994d09..00000000000 --- a/queue-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch +++ /dev/null @@ -1,47 +0,0 @@ -From cb24f938e033cedcefaf283a9d5f44beb406005c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 May 2023 11:14:18 -0700 -Subject: bpf: Print a warning only if writing to unprivileged_bpf_disabled. - -From: Kui-Feng Lee - -[ Upstream commit fedf99200ab086c42a572fca1d7266b06cdc3e3f ] - -Only print the warning message if you are writing to -"/proc/sys/kernel/unprivileged_bpf_disabled". - -The kernel may print an annoying warning when you read -"/proc/sys/kernel/unprivileged_bpf_disabled" saying - - WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible - via Spectre v2 BHB attacks! - -However, this message is only meaningful when the feature is -disabled or enabled. - -Signed-off-by: Kui-Feng Lee -Signed-off-by: Andrii Nakryiko -Acked-by: Yonghong Song -Link: https://lore.kernel.org/bpf/20230502181418.308479-1-kuifeng@meta.com -Signed-off-by: Sasha Levin ---- - kernel/bpf/syscall.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 8633ec4f92df3..0c44a716f0a24 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -5289,7 +5289,8 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, - *(int *)table->data = unpriv_enable; - } - -- unpriv_ebpf_notify(unpriv_enable); -+ if (write) -+ unpriv_ebpf_notify(unpriv_enable); - - return ret; - } --- -2.39.2 - diff --git a/queue-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch b/queue-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch deleted file mode 100644 index 80144d50777..00000000000 --- a/queue-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 765e8a472e267495e5ef26af7754684c76f6627f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 21:45:29 +0530 -Subject: bpf: Repeat check_max_stack_depth for async callbacks - -From: Kumar Kartikeya Dwivedi - -[ Upstream commit b5e9ad522c4ccd32d322877515cff8d47ed731b9 ] - -While the check_max_stack_depth function explores call chains emanating -from the main prog, which is typically enough to cover all possible call -chains, it doesn't explore those rooted at async callbacks unless the -async callback will have been directly called, since unlike non-async -callbacks it skips their instruction exploration as they don't -contribute to stack depth. - -It could be the case that the async callback leads to a callchain which -exceeds the stack depth, but this is never reachable while only -exploring the entry point from main subprog. Hence, repeat the check for -the main subprog *and* all async callbacks marked by the symbolic -execution pass of the verifier, as execution of the program may begin at -any of them. - -Consider functions with following stack depths: -main: 256 -async: 256 -foo: 256 - -main: - rX = async - bpf_timer_set_callback(...) - -async: - foo() - -Here, async is not descended as it does not contribute to stack depth of -main (since it is referenced using bpf_pseudo_func and not -bpf_pseudo_call). However, when async is invoked asynchronously, it will -end up breaching the MAX_BPF_STACK limit by calling foo. - -Hence, in addition to main, we also need to explore call chains -beginning at all async callback subprogs in a program. - -Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") -Signed-off-by: Kumar Kartikeya Dwivedi -Link: https://lore.kernel.org/r/20230717161530.1238-3-memxor@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index fdba4086881b3..f25ce959fae64 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -4288,16 +4288,17 @@ static int update_stack_depth(struct bpf_verifier_env *env, - * Since recursion is prevented by check_cfg() this algorithm - * only needs a local stack of MAX_CALL_FRAMES to remember callsites - */ --static int check_max_stack_depth(struct bpf_verifier_env *env) -+static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) - { -- int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; - struct bpf_subprog_info *subprog = env->subprog_info; - struct bpf_insn *insn = env->prog->insnsi; -+ int depth = 0, frame = 0, i, subprog_end; - bool tail_call_reachable = false; - int ret_insn[MAX_CALL_FRAMES]; - int ret_prog[MAX_CALL_FRAMES]; - int j; - -+ i = subprog[idx].start; - process_func: - /* protect against potential stack overflow that might happen when - * bpf2bpf calls get combined with tailcalls. Limit the caller's stack -@@ -4398,6 +4399,22 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - goto continue_func; - } - -+static int check_max_stack_depth(struct bpf_verifier_env *env) -+{ -+ struct bpf_subprog_info *si = env->subprog_info; -+ int ret; -+ -+ for (int i = 0; i < env->subprog_cnt; i++) { -+ if (!i || si[i].is_async_cb) { -+ ret = check_max_stack_depth_subprog(env, i); -+ if (ret < 0) -+ return ret; -+ } -+ continue; -+ } -+ return 0; -+} -+ - #ifndef CONFIG_BPF_JIT_ALWAYS_ON - static int get_callee_stack_depth(struct bpf_verifier_env *env, - const struct bpf_insn *insn, int idx) --- -2.39.2 - diff --git a/queue-6.1/bpf-stop-setting-precise-in-current-state.patch b/queue-6.1/bpf-stop-setting-precise-in-current-state.patch deleted file mode 100644 index 0ca70ac779b..00000000000 --- a/queue-6.1/bpf-stop-setting-precise-in-current-state.patch +++ /dev/null @@ -1,234 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:43 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:19 +0300 -Subject: bpf: stop setting precise in current state -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman -Message-ID: <20230724124223.1176479-3-eddyz87@gmail.com> - -From: Andrii Nakryiko - -[ Upstream commit f63181b6ae79fd3b034cde641db774268c2c3acf ] - -Setting reg->precise to true in current state is not necessary from -correctness standpoint, but it does pessimise the whole precision (or -rather "imprecision", because that's what we want to keep as much as -possible) tracking. Why is somewhat subtle and my best attempt to -explain this is recorded in an extensive comment for __mark_chain_precise() -function. Some more careful thinking and code reading is probably required -still to grok this completely, unfortunately. Whiteboarding and a bunch -of extra handwaiving in person would be even more helpful, but is deemed -impractical in Git commit. - -Next patch pushes this imprecision property even further, building on top of -the insights described in this patch. - -End results are pretty nice, we get reduction in number of total instructions -and states verified due to a better states reuse, as some of the states are now -more generic and permissive due to less unnecessary precise=true requirements. - -SELFTESTS RESULTS -================= - -$ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results.csv ~/imprecise-early-results.csv | grep -v '+0' -File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) ---------------------------------------- ---------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- -bpf_iter_ksym.bpf.linked1.o dump_ksym 347 285 -62 (-17.87%) 20 19 -1 (-5.00%) -pyperf600_bpf_loop.bpf.linked1.o on_event 3678 3736 +58 (+1.58%) 276 285 +9 (+3.26%) -setget_sockopt.bpf.linked1.o skops_sockopt 4038 3947 -91 (-2.25%) 347 343 -4 (-1.15%) -test_l4lb.bpf.linked1.o balancer_ingress 4559 2611 -1948 (-42.73%) 118 105 -13 (-11.02%) -test_l4lb_noinline.bpf.linked1.o balancer_ingress 6279 6268 -11 (-0.18%) 237 236 -1 (-0.42%) -test_misc_tcp_hdr_options.bpf.linked1.o misc_estab 1307 1303 -4 (-0.31%) 100 99 -1 (-1.00%) -test_sk_lookup.bpf.linked1.o ctx_narrow_access 456 447 -9 (-1.97%) 39 38 -1 (-2.56%) -test_sysctl_loop1.bpf.linked1.o sysctl_tcp_mem 1389 1384 -5 (-0.36%) 26 25 -1 (-3.85%) -test_tc_dtime.bpf.linked1.o egress_fwdns_prio101 518 485 -33 (-6.37%) 51 46 -5 (-9.80%) -test_tc_dtime.bpf.linked1.o egress_host 519 468 -51 (-9.83%) 50 44 -6 (-12.00%) -test_tc_dtime.bpf.linked1.o ingress_fwdns_prio101 842 1000 +158 (+18.76%) 73 88 +15 (+20.55%) -xdp_synproxy_kern.bpf.linked1.o syncookie_tc 405757 373173 -32584 (-8.03%) 25735 22882 -2853 (-11.09%) -xdp_synproxy_kern.bpf.linked1.o syncookie_xdp 479055 371590 -107465 (-22.43%) 29145 22207 -6938 (-23.81%) ---------------------------------------- ---------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- - -Slight regression in test_tc_dtime.bpf.linked1.o/ingress_fwdns_prio101 -is left for a follow up, there might be some more precision-related bugs -in existing BPF verifier logic. - -CILIUM RESULTS -============== - -$ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results-cilium.csv ~/imprecise-early-results-cilium.csv | grep -v '+0' -File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) -------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- -bpf_host.o cil_from_host 762 556 -206 (-27.03%) 43 37 -6 (-13.95%) -bpf_host.o tail_handle_nat_fwd_ipv4 23541 23426 -115 (-0.49%) 1538 1537 -1 (-0.07%) -bpf_host.o tail_nodeport_nat_egress_ipv4 33592 33566 -26 (-0.08%) 2163 2161 -2 (-0.09%) -bpf_lxc.o tail_handle_nat_fwd_ipv4 23541 23426 -115 (-0.49%) 1538 1537 -1 (-0.07%) -bpf_overlay.o tail_nodeport_nat_egress_ipv4 33581 33543 -38 (-0.11%) 2160 2157 -3 (-0.14%) -bpf_xdp.o tail_handle_nat_fwd_ipv4 21659 20920 -739 (-3.41%) 1440 1376 -64 (-4.44%) -bpf_xdp.o tail_handle_nat_fwd_ipv6 17084 17039 -45 (-0.26%) 907 905 -2 (-0.22%) -bpf_xdp.o tail_lb_ipv4 73442 73430 -12 (-0.02%) 4370 4369 -1 (-0.02%) -bpf_xdp.o tail_lb_ipv6 152114 151895 -219 (-0.14%) 6493 6479 -14 (-0.22%) -bpf_xdp.o tail_nodeport_nat_egress_ipv4 17377 17200 -177 (-1.02%) 1125 1111 -14 (-1.24%) -bpf_xdp.o tail_nodeport_nat_ingress_ipv6 6405 6397 -8 (-0.12%) 309 308 -1 (-0.32%) -bpf_xdp.o tail_rev_nodeport_lb4 7126 6934 -192 (-2.69%) 414 402 -12 (-2.90%) -bpf_xdp.o tail_rev_nodeport_lb6 18059 17905 -154 (-0.85%) 1105 1096 -9 (-0.81%) -------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- - -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/r/20221104163649.121784-5-andrii@kernel.org -Signed-off-by: Alexei Starovoitov -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - kernel/bpf/verifier.c | 103 ++++++++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 91 insertions(+), 12 deletions(-) - ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2788,8 +2788,11 @@ static void mark_all_scalars_precise(str - - /* big hammer: mark all scalars precise in this path. - * pop_stack may still get !precise scalars. -+ * We also skip current state and go straight to first parent state, -+ * because precision markings in current non-checkpointed state are -+ * not needed. See why in the comment in __mark_chain_precision below. - */ -- for (; st; st = st->parent) -+ for (st = st->parent; st; st = st->parent) { - for (i = 0; i <= st->curframe; i++) { - func = st->frame[i]; - for (j = 0; j < BPF_REG_FP; j++) { -@@ -2807,8 +2810,88 @@ static void mark_all_scalars_precise(str - reg->precise = true; - } - } -+ } - } - -+/* -+ * __mark_chain_precision() backtracks BPF program instruction sequence and -+ * chain of verifier states making sure that register *regno* (if regno >= 0) -+ * and/or stack slot *spi* (if spi >= 0) are marked as precisely tracked -+ * SCALARS, as well as any other registers and slots that contribute to -+ * a tracked state of given registers/stack slots, depending on specific BPF -+ * assembly instructions (see backtrack_insns() for exact instruction handling -+ * logic). This backtracking relies on recorded jmp_history and is able to -+ * traverse entire chain of parent states. This process ends only when all the -+ * necessary registers/slots and their transitive dependencies are marked as -+ * precise. -+ * -+ * One important and subtle aspect is that precise marks *do not matter* in -+ * the currently verified state (current state). It is important to understand -+ * why this is the case. -+ * -+ * First, note that current state is the state that is not yet "checkpointed", -+ * i.e., it is not yet put into env->explored_states, and it has no children -+ * states as well. It's ephemeral, and can end up either a) being discarded if -+ * compatible explored state is found at some point or BPF_EXIT instruction is -+ * reached or b) checkpointed and put into env->explored_states, branching out -+ * into one or more children states. -+ * -+ * In the former case, precise markings in current state are completely -+ * ignored by state comparison code (see regsafe() for details). Only -+ * checkpointed ("old") state precise markings are important, and if old -+ * state's register/slot is precise, regsafe() assumes current state's -+ * register/slot as precise and checks value ranges exactly and precisely. If -+ * states turn out to be compatible, current state's necessary precise -+ * markings and any required parent states' precise markings are enforced -+ * after the fact with propagate_precision() logic, after the fact. But it's -+ * important to realize that in this case, even after marking current state -+ * registers/slots as precise, we immediately discard current state. So what -+ * actually matters is any of the precise markings propagated into current -+ * state's parent states, which are always checkpointed (due to b) case above). -+ * As such, for scenario a) it doesn't matter if current state has precise -+ * markings set or not. -+ * -+ * Now, for the scenario b), checkpointing and forking into child(ren) -+ * state(s). Note that before current state gets to checkpointing step, any -+ * processed instruction always assumes precise SCALAR register/slot -+ * knowledge: if precise value or range is useful to prune jump branch, BPF -+ * verifier takes this opportunity enthusiastically. Similarly, when -+ * register's value is used to calculate offset or memory address, exact -+ * knowledge of SCALAR range is assumed, checked, and enforced. So, similar to -+ * what we mentioned above about state comparison ignoring precise markings -+ * during state comparison, BPF verifier ignores and also assumes precise -+ * markings *at will* during instruction verification process. But as verifier -+ * assumes precision, it also propagates any precision dependencies across -+ * parent states, which are not yet finalized, so can be further restricted -+ * based on new knowledge gained from restrictions enforced by their children -+ * states. This is so that once those parent states are finalized, i.e., when -+ * they have no more active children state, state comparison logic in -+ * is_state_visited() would enforce strict and precise SCALAR ranges, if -+ * required for correctness. -+ * -+ * To build a bit more intuition, note also that once a state is checkpointed, -+ * the path we took to get to that state is not important. This is crucial -+ * property for state pruning. When state is checkpointed and finalized at -+ * some instruction index, it can be correctly and safely used to "short -+ * circuit" any *compatible* state that reaches exactly the same instruction -+ * index. I.e., if we jumped to that instruction from a completely different -+ * code path than original finalized state was derived from, it doesn't -+ * matter, current state can be discarded because from that instruction -+ * forward having a compatible state will ensure we will safely reach the -+ * exit. States describe preconditions for further exploration, but completely -+ * forget the history of how we got here. -+ * -+ * This also means that even if we needed precise SCALAR range to get to -+ * finalized state, but from that point forward *that same* SCALAR register is -+ * never used in a precise context (i.e., it's precise value is not needed for -+ * correctness), it's correct and safe to mark such register as "imprecise" -+ * (i.e., precise marking set to false). This is what we rely on when we do -+ * not set precise marking in current state. If no child state requires -+ * precision for any given SCALAR register, it's safe to dictate that it can -+ * be imprecise. If any child state does require this register to be precise, -+ * we'll mark it precise later retroactively during precise markings -+ * propagation from child state to parent states. -+ */ - static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno, - int spi) - { -@@ -2826,6 +2909,10 @@ static int __mark_chain_precision(struct - if (!env->bpf_capable) - return 0; - -+ /* Do sanity checks against current state of register and/or stack -+ * slot, but don't set precise flag in current state, as precision -+ * tracking in the current state is unnecessary. -+ */ - func = st->frame[frame]; - if (regno >= 0) { - reg = &func->regs[regno]; -@@ -2833,11 +2920,7 @@ static int __mark_chain_precision(struct - WARN_ONCE(1, "backtracing misuse"); - return -EFAULT; - } -- if (!reg->precise) -- new_marks = true; -- else -- reg_mask = 0; -- reg->precise = true; -+ new_marks = true; - } - - while (spi >= 0) { -@@ -2850,11 +2933,7 @@ static int __mark_chain_precision(struct - stack_mask = 0; - break; - } -- if (!reg->precise) -- new_marks = true; -- else -- stack_mask = 0; -- reg->precise = true; -+ new_marks = true; - break; - } - -@@ -11668,7 +11747,7 @@ static bool regsafe(struct bpf_verifier_ - if (env->explore_alu_limits) - return false; - if (rcur->type == SCALAR_VALUE) { -- if (!rold->precise && !rcur->precise) -+ if (!rold->precise) - return true; - /* new val must satisfy old val knowledge */ - return range_within(rold, rcur) && diff --git a/queue-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch b/queue-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch deleted file mode 100644 index 2d88a8a5300..00000000000 --- a/queue-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 76b79c254cf2d798a26a7e99c73226b2df0ff1bb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 22:51:49 +0000 -Subject: bpf: tcp: Avoid taking fast sock lock in iterator - -From: Aditi Ghag - -[ Upstream commit 9378096e8a656fb5c4099b26b1370c56f056eab9 ] - -This is a preparatory commit to replace `lock_sock_fast` with -`lock_sock`,and facilitate BPF programs executed from the TCP sockets -iterator to be able to destroy TCP sockets using the bpf_sock_destroy -kfunc (implemented in follow-up commits). - -Previously, BPF TCP iterator was acquiring the sock lock with BH -disabled. This led to scenarios where the sockets hash table bucket lock -can be acquired with BH enabled in some path versus disabled in other. -In such situation, kernel issued a warning since it thinks that in the -BH enabled path the same bucket lock *might* be acquired again in the -softirq context (BH disabled), which will lead to a potential dead lock. -Since bpf_sock_destroy also happens in a process context, the potential -deadlock warning is likely a false alarm. - -Here is a snippet of annotated stack trace that motivated this change: - -``` - -Possible interrupt unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&h->lhash2[i].lock); - local_bh_disable(); - lock(&h->lhash2[i].lock); -kernel imagined possible scenario: - local_bh_disable(); /* Possible softirq */ - lock(&h->lhash2[i].lock); -*** Potential Deadlock *** - -process context: - -lock_acquire+0xcd/0x330 -_raw_spin_lock+0x33/0x40 -------> Acquire (bucket) lhash2.lock with BH enabled -__inet_hash+0x4b/0x210 -inet_csk_listen_start+0xe6/0x100 -inet_listen+0x95/0x1d0 -__sys_listen+0x69/0xb0 -__x64_sys_listen+0x14/0x20 -do_syscall_64+0x3c/0x90 -entry_SYSCALL_64_after_hwframe+0x72/0xdc - -bpf_sock_destroy run from iterator: - -lock_acquire+0xcd/0x330 -_raw_spin_lock+0x33/0x40 -------> Acquire (bucket) lhash2.lock with BH disabled -inet_unhash+0x9a/0x110 -tcp_set_state+0x6a/0x210 -tcp_abort+0x10d/0x200 -bpf_prog_6793c5ca50c43c0d_iter_tcp6_server+0xa4/0xa9 -bpf_iter_run_prog+0x1ff/0x340 -------> lock_sock_fast that acquires sock lock with BH disabled -bpf_iter_tcp_seq_show+0xca/0x190 -bpf_seq_read+0x177/0x450 - -``` - -Also, Yonghong reported a deadlock for non-listening TCP sockets that -this change resolves. Previously, `lock_sock_fast` held the sock spin -lock with BH which was again being acquired in `tcp_abort`: - -``` -watchdog: BUG: soft lockup - CPU#0 stuck for 86s! [test_progs:2331] -RIP: 0010:queued_spin_lock_slowpath+0xd8/0x500 -Call Trace: - - _raw_spin_lock+0x84/0x90 - tcp_abort+0x13c/0x1f0 - bpf_prog_88539c5453a9dd47_iter_tcp6_client+0x82/0x89 - bpf_iter_run_prog+0x1aa/0x2c0 - ? preempt_count_sub+0x1c/0xd0 - ? from_kuid_munged+0x1c8/0x210 - bpf_iter_tcp_seq_show+0x14e/0x1b0 - bpf_seq_read+0x36c/0x6a0 - -bpf_iter_tcp_seq_show - lock_sock_fast - __lock_sock_fast - spin_lock_bh(&sk->sk_lock.slock); - /* * Fast path return with bottom halves disabled and * sock::sk_lock.slock held.* */ - - ... - tcp_abort - local_bh_disable(); - spin_lock(&((sk)->sk_lock.slock)); // from bh_lock_sock(sk) - -``` - -With the switch to `lock_sock`, it calls `spin_unlock_bh` before returning: - -``` -lock_sock - lock_sock_nested - spin_lock_bh(&sk->sk_lock.slock); - : - spin_unlock_bh(&sk->sk_lock.slock); -``` - -Acked-by: Yonghong Song -Acked-by: Stanislav Fomichev -Signed-off-by: Aditi Ghag -Link: https://lore.kernel.org/r/20230519225157.760788-2-aditi.ghag@isovalent.com -Signed-off-by: Martin KaFai Lau -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index b37c1bcb15097..a7de5ba74e7f7 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -2911,7 +2911,6 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - struct bpf_iter_meta meta; - struct bpf_prog *prog; - struct sock *sk = v; -- bool slow; - uid_t uid; - int ret; - -@@ -2919,7 +2918,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - return 0; - - if (sk_fullsock(sk)) -- slow = lock_sock_fast(sk); -+ lock_sock(sk); - - if (unlikely(sk_unhashed(sk))) { - ret = SEQ_SKIP; -@@ -2943,7 +2942,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - - unlock: - if (sk_fullsock(sk)) -- unlock_sock_fast(sk, slow); -+ release_sock(sk); - return ret; - - } --- -2.39.2 - diff --git a/queue-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/queue-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch deleted file mode 100644 index b6461aa64a5..00000000000 --- a/queue-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 5841124edbf8b166987956c008ec9eafe491d36b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jul 2023 08:44:49 -0700 -Subject: bridge: Add extack warning when enabling STP in netns. - -From: Kuniyuki Iwashima - -[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ] - -When we create an L2 loop on a bridge in netns, we will see packets storm -even if STP is enabled. - - # unshare -n - # ip link add br0 type bridge - # ip link add veth0 type veth peer name veth1 - # ip link set veth0 master br0 up - # ip link set veth1 master br0 up - # ip link set br0 type bridge stp_state 1 - # ip link set br0 up - # sleep 30 - # ip -s link show br0 - 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 - link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff - RX: bytes packets errors dropped missed mcast - 956553768 12861249 0 0 0 12861249 <-. Keep - TX: bytes packets errors dropped carrier collsns | increasing - 1027834 11951 0 0 0 0 <-' rapidly - -This is because llc_rcv() drops all packets in non-root netns and BPDU -is dropped. - -Let's add extack warning when enabling STP in netns. - - # unshare -n - # ip link add br0 type bridge - # ip link set br0 type bridge stp_state 1 - Warning: bridge: STP does not work in non-root netns. - -Note this commit will be reverted later when we namespacify the whole LLC -infra. - -Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") -Suggested-by: Harry Coin -Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/ -Suggested-by: Ido Schimmel -Signed-off-by: Kuniyuki Iwashima -Acked-by: Nikolay Aleksandrov -Reviewed-by: Ido Schimmel -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/bridge/br_stp_if.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c -index 75204d36d7f90..b65962682771f 100644 ---- a/net/bridge/br_stp_if.c -+++ b/net/bridge/br_stp_if.c -@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, - { - ASSERT_RTNL(); - -+ if (!net_eq(dev_net(br->dev), &init_net)) -+ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns"); -+ - if (br_mrp_enabled(br)) { - NL_SET_ERR_MSG_MOD(extack, - "STP can't be enabled if MRP is already enabled"); --- -2.39.2 - diff --git a/queue-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch b/queue-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch deleted file mode 100644 index 893e406609d..00000000000 --- a/queue-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 34038040cc781e64ecfa341e776b1d3ca1839d8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Jun 2023 08:13:23 +0200 -Subject: btrfs: be a bit more careful when setting mirror_num_ret in - btrfs_map_block - -From: Christoph Hellwig - -[ Upstream commit 4e7de35eb7d1a1d4f2dda15f39fbedd4798a0b8d ] - -The mirror_num_ret is allowed to be NULL, although it has to be set when -smap is set. Unfortunately that is not a well enough specifiable -invariant for static type checkers, so add a NULL check to make sure they -are fine. - -Fixes: 03793cbbc80f ("btrfs: add fast path for single device io in __btrfs_map_block") -Reported-by: Dan Carpenter -Reviewed-by: Qu Wenruo -Reviewed-by: Johannes Thumshirn -Signed-off-by: Christoph Hellwig -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/volumes.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c -index 7433ae929fdcb..2e0832d70406c 100644 ---- a/fs/btrfs/volumes.c -+++ b/fs/btrfs/volumes.c -@@ -6595,11 +6595,13 @@ static int __btrfs_map_block(struct btrfs_fs_info *fs_info, - if (patch_the_first_stripe_for_dev_replace) { - smap->dev = dev_replace->tgtdev; - smap->physical = physical_to_patch_in_first_stripe; -- *mirror_num_ret = map->num_stripes + 1; -+ if (mirror_num_ret) -+ *mirror_num_ret = map->num_stripes + 1; - } else { - set_io_stripe(smap, map, stripe_index, stripe_offset, - stripe_nr); -- *mirror_num_ret = mirror_num; -+ if (mirror_num_ret) -+ *mirror_num_ret = mirror_num; - } - *bioc_ret = NULL; - ret = 0; --- -2.39.2 - diff --git a/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch b/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch deleted file mode 100644 index 3ed2af4c02b..00000000000 --- a/queue-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch +++ /dev/null @@ -1,96 +0,0 @@ -From b19c98f237cd76981aaded52c258ce93f7daa8cb Mon Sep 17 00:00:00 2001 -From: Josef Bacik -Date: Fri, 23 Jun 2023 01:05:41 -0400 -Subject: btrfs: fix race between balance and cancel/pause - -From: Josef Bacik - -commit b19c98f237cd76981aaded52c258ce93f7daa8cb upstream. - -Syzbot reported a panic that looks like this: - - assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 - ------------[ cut here ]------------ - kernel BUG at fs/btrfs/messages.c:259! - RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 - Call Trace: - - btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] - btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] - btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 - vfs_ioctl fs/ioctl.c:51 [inline] - __do_sys_ioctl fs/ioctl.c:870 [inline] - __se_sys_ioctl fs/ioctl.c:856 [inline] - __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -The reproducer is running a balance and a cancel or pause in parallel. -The way balance finishes is a bit wonky, if we were paused we need to -save the balance_ctl in the fs_info, but clear it otherwise and cleanup. -However we rely on the return values being specific errors, or having a -cancel request or no pause request. If balance completes and returns 0, -but we have a pause or cancel request we won't do the appropriate -cleanup, and then the next time we try to start a balance we'll trip -this ASSERT. - -The error handling is just wrong here, we always want to clean up, -unless we got -ECANCELLED and we set the appropriate pause flag in the -exclusive op. With this patch the reproducer ran for an hour without -tripping, previously it would trip in less than a few minutes. - -Reported-by: syzbot+c0f3acf145cb465426d5@syzkaller.appspotmail.com -CC: stable@vger.kernel.org # 6.1+ -Signed-off-by: Josef Bacik -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/volumes.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - ---- a/fs/btrfs/volumes.c -+++ b/fs/btrfs/volumes.c -@@ -4092,14 +4092,6 @@ static int alloc_profile_is_valid(u64 fl - return has_single_bit_set(flags); - } - --static inline int balance_need_close(struct btrfs_fs_info *fs_info) --{ -- /* cancel requested || normal exit path */ -- return atomic_read(&fs_info->balance_cancel_req) || -- (atomic_read(&fs_info->balance_pause_req) == 0 && -- atomic_read(&fs_info->balance_cancel_req) == 0); --} -- - /* - * Validate target profile against allowed profiles and return true if it's OK. - * Otherwise print the error message and return false. -@@ -4289,6 +4281,7 @@ int btrfs_balance(struct btrfs_fs_info * - u64 num_devices; - unsigned seq; - bool reducing_redundancy; -+ bool paused = false; - int i; - - if (btrfs_fs_closing(fs_info) || -@@ -4419,6 +4412,7 @@ int btrfs_balance(struct btrfs_fs_info * - if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { - btrfs_info(fs_info, "balance: paused"); - btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); -+ paused = true; - } - /* - * Balance can be canceled by: -@@ -4447,8 +4441,8 @@ int btrfs_balance(struct btrfs_fs_info * - btrfs_update_ioctl_balance_args(fs_info, bargs); - } - -- if ((ret && ret != -ECANCELED && ret != -ENOSPC) || -- balance_need_close(fs_info)) { -+ /* We didn't pause, we can clean everything up. */ -+ if (!paused) { - reset_balance_state(fs_info); - btrfs_exclop_finish(fs_info); - } diff --git a/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch deleted file mode 100644 index e7d032f0c09..00000000000 --- a/queue-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch +++ /dev/null @@ -1,89 +0,0 @@ -From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Fri, 14 Jul 2023 13:42:06 +0100 -Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort - -From: Filipe Manana - -commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. - -If we have a transaction abort with qgroups enabled we get a warning -triggered when doing the final put on the transaction, like this: - - [552.6789] ------------[ cut here ]------------ - [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6817] Modules linked in: btrfs blake2b_generic xor (...) - [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 - [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 - [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6821] Code: bd a0 01 00 (...) - [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 - [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 - [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 - [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 - [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 - [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 - [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 - [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 - [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - [552.6822] Call Trace: - [552.6822] - [552.6822] ? __warn+0x80/0x130 - [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6824] ? report_bug+0x1f4/0x200 - [552.6824] ? handle_bug+0x42/0x70 - [552.6824] ? exc_invalid_op+0x14/0x70 - [552.6824] ? asm_exc_invalid_op+0x16/0x20 - [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] - [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 - [552.6828] ? try_to_wake_up+0x94/0x5e0 - [552.6828] ? __pfx_process_timeout+0x10/0x10 - [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] - [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] - [552.6832] kthread+0xee/0x120 - [552.6832] ? __pfx_kthread+0x10/0x10 - [552.6832] ret_from_fork+0x29/0x50 - [552.6832] - [552.6832] ---[ end trace 0000000000000000 ]--- - -This corresponds to this line of code: - - void btrfs_put_transaction(struct btrfs_transaction *transaction) - { - (...) - WARN_ON(!RB_EMPTY_ROOT( - &transaction->delayed_refs.dirty_extent_root)); - (...) - } - -The warning happens because btrfs_qgroup_destroy_extent_records(), called -in the transaction abort path, we free all entries from the rbtree -"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we -don't actually empty the rbtree - it's still pointing to nodes that were -freed. - -So set the rbtree's root node to NULL to avoid this warning (assign -RB_ROOT). - -Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") -CC: stable@vger.kernel.org # 5.10+ -Reviewed-by: Josef Bacik -Reviewed-by: Qu Wenruo -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/qgroup.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/qgroup.c -+++ b/fs/btrfs/qgroup.c -@@ -4410,4 +4410,5 @@ void btrfs_qgroup_destroy_extent_records - ulist_free(entry->old_roots); - kfree(entry); - } -+ *root = RB_ROOT; - } diff --git a/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch b/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch deleted file mode 100644 index 73ba6f451c7..00000000000 --- a/queue-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 17b17fcd6d446b95904a6929c40012ee7f0afc0c Mon Sep 17 00:00:00 2001 -From: Josef Bacik -Date: Wed, 12 Jul 2023 12:44:12 -0400 -Subject: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand - -From: Josef Bacik - -commit 17b17fcd6d446b95904a6929c40012ee7f0afc0c upstream. - -While trying to get the subpage blocksize tests running, I hit the -following panic on generic/476 - - assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 - kernel BUG at fs/btrfs/subpage.c:229! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 - Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 - pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : btrfs_subpage_assert+0xbc/0xf0 - lr : btrfs_subpage_assert+0xbc/0xf0 - Call trace: - btrfs_subpage_assert+0xbc/0xf0 - btrfs_subpage_clear_checked+0x38/0xc0 - btrfs_page_clear_checked+0x48/0x98 - btrfs_truncate_block+0x5d0/0x6a8 - btrfs_cont_expand+0x5c/0x528 - btrfs_write_check.isra.0+0xf8/0x150 - btrfs_buffered_write+0xb4/0x760 - btrfs_do_write_iter+0x2f8/0x4b0 - btrfs_file_write_iter+0x1c/0x30 - do_iter_readv_writev+0xc8/0x158 - do_iter_write+0x9c/0x210 - vfs_iter_write+0x24/0x40 - iter_file_splice_write+0x224/0x390 - direct_splice_actor+0x38/0x68 - splice_direct_to_actor+0x12c/0x260 - do_splice_direct+0x90/0xe8 - generic_copy_file_range+0x50/0x90 - vfs_copy_file_range+0x29c/0x470 - __arm64_sys_copy_file_range+0xcc/0x498 - invoke_syscall.constprop.0+0x80/0xd8 - do_el0_svc+0x6c/0x168 - el0_svc+0x50/0x1b0 - el0t_64_sync_handler+0x114/0x120 - el0t_64_sync+0x194/0x198 - -This happens because during btrfs_cont_expand we'll get a page, set it -as mapped, and if it's not Uptodate we'll read it. However between the -read and re-locking the page we could have called release_folio() on the -page, but left the page in the file mapping. release_folio() can clear -the page private, and thus further down we blow up when we go to modify -the subpage bits. - -Fix this by putting the set_page_extent_mapped() after the read. This -is safe because read_folio() will call set_page_extent_mapped() before -it does the read, and then if we clear page private but leave it on the -mapping we're completely safe re-setting set_page_extent_mapped(). With -this patch I can now run generic/476 without panicing. - -CC: stable@vger.kernel.org # 6.1+ -Reviewed-by: Christoph Hellwig -Signed-off-by: Josef Bacik -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/inode.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -4913,9 +4913,6 @@ again: - ret = -ENOMEM; - goto out; - } -- ret = set_page_extent_mapped(page); -- if (ret < 0) -- goto out_unlock; - - if (!PageUptodate(page)) { - ret = btrfs_read_folio(NULL, page_folio(page)); -@@ -4930,6 +4927,17 @@ again: - goto out_unlock; - } - } -+ -+ /* -+ * We unlock the page after the io is completed and then re-lock it -+ * above. release_folio() could have come in between that and cleared -+ * PagePrivate(), but left the page in the mapping. Set the page mapped -+ * here to make sure it's properly set for the subpage stuff. -+ */ -+ ret = set_page_extent_mapped(page); -+ if (ret < 0) -+ goto out_unlock; -+ - wait_on_page_writeback(page); - - lock_extent(io_tree, block_start, block_end, &cached_state); diff --git a/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch deleted file mode 100644 index e720c66d9df..00000000000 --- a/queue-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Mon, 3 Jul 2023 12:03:21 +0100 -Subject: btrfs: zoned: fix memory leak after finding block group with super blocks - -From: Filipe Manana - -commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream. - -At exclude_super_stripes(), if we happen to find a block group that has -super blocks mapped to it and we are on a zoned filesystem, we error out -as this is not supposed to happen, indicating either a bug or maybe some -memory corruption for example. However we are exiting the function without -freeing the memory allocated for the logical address of the super blocks. -Fix this by freeing the logical address. - -Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") -CC: stable@vger.kernel.org # 5.10+ -Reviewed-by: Johannes Thumshirn -Reviewed-by: Anand Jain -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/block-group.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/block-group.c -+++ b/fs/btrfs/block-group.c -@@ -1894,6 +1894,7 @@ static int exclude_super_stripes(struct - - /* Shouldn't have super stripes in sequential zones */ - if (zoned && nr) { -+ kfree(logical); - btrfs_err(fs_info, - "zoned: block group %llu must not contain super block", - cache->start); diff --git a/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch b/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch deleted file mode 100644 index 5aad27d3ae2..00000000000 --- a/queue-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 -From: YueHaibing -Date: Sat, 15 Jul 2023 17:25:43 +0800 -Subject: can: bcm: Fix UAF in bcm_proc_show() - -From: YueHaibing - -commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. - -BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 -Read of size 8 at addr ffff888155846230 by task cat/7862 - -CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 -Call Trace: - - dump_stack_lvl+0xd5/0x150 - print_report+0xc1/0x5e0 - kasan_report+0xba/0xf0 - bcm_proc_show+0x969/0xa80 - seq_read_iter+0x4f6/0x1260 - seq_read+0x165/0x210 - proc_reg_read+0x227/0x300 - vfs_read+0x1d5/0x8d0 - ksys_read+0x11e/0x240 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Allocated by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - __kasan_kmalloc+0x9e/0xa0 - bcm_sendmsg+0x264b/0x44e0 - sock_sendmsg+0xda/0x180 - ____sys_sendmsg+0x735/0x920 - ___sys_sendmsg+0x11d/0x1b0 - __sys_sendmsg+0xfa/0x1d0 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Freed by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - kasan_save_free_info+0x27/0x40 - ____kasan_slab_free+0x161/0x1c0 - slab_free_freelist_hook+0x119/0x220 - __kmem_cache_free+0xb4/0x2e0 - rcu_core+0x809/0x1bd0 - -bcm_op is freed before procfs entry be removed in bcm_release(), -this lead to bcm_proc_show() may read the freed bcm_op. - -Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") -Signed-off-by: YueHaibing -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/bcm.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -1526,6 +1526,12 @@ static int bcm_release(struct socket *so - - lock_sock(sk); - -+#if IS_ENABLED(CONFIG_PROC_FS) -+ /* remove procfs entry */ -+ if (net->can.bcmproc_dir && bo->bcm_proc_read) -+ remove_proc_entry(bo->procname, net->can.bcmproc_dir); -+#endif /* CONFIG_PROC_FS */ -+ - list_for_each_entry_safe(op, next, &bo->tx_ops, list) - bcm_remove_op(op); - -@@ -1561,12 +1567,6 @@ static int bcm_release(struct socket *so - list_for_each_entry_safe(op, next, &bo->rx_ops, list) - bcm_remove_op(op); - --#if IS_ENABLED(CONFIG_PROC_FS) -- /* remove procfs entry */ -- if (net->can.bcmproc_dir && bo->bcm_proc_read) -- remove_proc_entry(bo->procname, net->can.bcmproc_dir); --#endif /* CONFIG_PROC_FS */ -- - /* remove device reference */ - if (bo->bound) { - bo->bound = 0; diff --git a/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch b/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch deleted file mode 100644 index 81c130c4563..00000000000 --- a/queue-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 2603be9e8167ddc7bea95dcfab9ffc33414215aa Mon Sep 17 00:00:00 2001 -From: Marc Kleine-Budde -Date: Fri, 7 Jul 2023 13:43:10 +0200 -Subject: can: gs_usb: gs_can_open(): improve error handling - -From: Marc Kleine-Budde - -commit 2603be9e8167ddc7bea95dcfab9ffc33414215aa upstream. - -The gs_usb driver handles USB devices with more than 1 CAN channel. -The RX path for all channels share the same bulk endpoint (the -transmitted bulk data encodes the channel number). These per-device -resources are allocated and submitted by the first opened channel. - -During this allocation, the resources are either released immediately -in case of a failure or the URBs are anchored. All anchored URBs are -finally killed with gs_usb_disconnect(). - -Currently, gs_can_open() returns with an error if the allocation of a -URB or a buffer fails. However, if usb_submit_urb() fails, the driver -continues with the URBs submitted so far, even if no URBs were -successfully submitted. - -Treat every error as fatal and free all allocated resources -immediately. - -Switch to goto-style error handling, to prepare the driver for more -per-device resource allocation. - -Cc: stable@vger.kernel.org -Cc: John Whittington -Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-1-9017cefcd9d5@pengutronix.de -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/can/usb/gs_usb.c | 31 ++++++++++++++++++++++--------- - 1 file changed, 22 insertions(+), 9 deletions(-) - ---- a/drivers/net/can/usb/gs_usb.c -+++ b/drivers/net/can/usb/gs_usb.c -@@ -833,6 +833,7 @@ static int gs_can_open(struct net_device - .mode = cpu_to_le32(GS_CAN_MODE_START), - }; - struct gs_host_frame *hf; -+ struct urb *urb = NULL; - u32 ctrlmode; - u32 flags = 0; - int rc, i; -@@ -858,13 +859,14 @@ static int gs_can_open(struct net_device - - if (!parent->active_channels) { - for (i = 0; i < GS_MAX_RX_URBS; i++) { -- struct urb *urb; - u8 *buf; - - /* alloc rx urb */ - urb = usb_alloc_urb(0, GFP_KERNEL); -- if (!urb) -- return -ENOMEM; -+ if (!urb) { -+ rc = -ENOMEM; -+ goto out_usb_kill_anchored_urbs; -+ } - - /* alloc rx buffer */ - buf = kmalloc(dev->parent->hf_size_rx, -@@ -872,8 +874,8 @@ static int gs_can_open(struct net_device - if (!buf) { - netdev_err(netdev, - "No memory left for USB buffer\n"); -- usb_free_urb(urb); -- return -ENOMEM; -+ rc = -ENOMEM; -+ goto out_usb_free_urb; - } - - /* fill, anchor, and submit rx urb */ -@@ -896,9 +898,7 @@ static int gs_can_open(struct net_device - netdev_err(netdev, - "usb_submit failed (err=%d)\n", rc); - -- usb_unanchor_urb(urb); -- usb_free_urb(urb); -- break; -+ goto out_usb_unanchor_urb; - } - - /* Drop reference, -@@ -944,7 +944,8 @@ static int gs_can_open(struct net_device - if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) - gs_usb_timestamp_stop(dev); - dev->can.state = CAN_STATE_STOPPED; -- return rc; -+ -+ goto out_usb_kill_anchored_urbs; - } - - parent->active_channels++; -@@ -952,6 +953,18 @@ static int gs_can_open(struct net_device - netif_start_queue(netdev); - - return 0; -+ -+out_usb_unanchor_urb: -+ usb_unanchor_urb(urb); -+out_usb_free_urb: -+ usb_free_urb(urb); -+out_usb_kill_anchored_urbs: -+ if (!parent->active_channels) -+ usb_kill_anchored_urbs(&dev->tx_submitted); -+ -+ close_candev(netdev); -+ -+ return rc; - } - - static int gs_can_close(struct net_device *netdev) diff --git a/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch b/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch deleted file mode 100644 index e554d4718c6..00000000000 --- a/queue-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 9efa1a5407e81265ea502cab83be4de503decc49 Mon Sep 17 00:00:00 2001 -From: Fedor Ross -Date: Thu, 4 May 2023 21:50:59 +0200 -Subject: can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout - -From: Fedor Ross - -commit 9efa1a5407e81265ea502cab83be4de503decc49 upstream. - -The mcp251xfd controller needs an idle bus to enter 'Normal CAN 2.0 -mode' or . The maximum length of a CAN frame is 736 bits (64 data -bytes, CAN-FD, EFF mode, worst case bit stuffing and interframe -spacing). For low bit rates like 10 kbit/s the arbitrarily chosen -MCP251XFD_POLL_TIMEOUT_US of 1 ms is too small. - -Otherwise during polling for the CAN controller to enter 'Normal CAN -2.0 mode' the timeout limit is exceeded and the configuration fails -with: - -| $ ip link set dev can1 up type can bitrate 10000 -| [ 731.911072] mcp251xfd spi2.1 can1: Controller failed to enter mode CAN 2.0 Mode (6) and stays in Configuration Mode (4) (con=0x068b0760, osc=0x00000468). -| [ 731.927192] mcp251xfd spi2.1 can1: CRC read error at address 0x0e0c (length=4, data=00 00 00 00, CRC=0x0000) retrying. -| [ 731.938101] A link change request failed with some changes committed already. Interface can1 may have been left with an inconsistent configuration, please check. -| RTNETLINK answers: Connection timed out - -Make MCP251XFD_POLL_TIMEOUT_US timeout calculation dynamic. Use -maximum of 1ms and bit time of 1 full 64 data bytes CAN-FD frame in -EFF mode, worst case bit stuffing and interframe spacing at the -current bit rate. - -For easier backporting define the macro MCP251XFD_FRAME_LEN_MAX_BITS -that holds the max frame length in bits, which is 736. This can be -replaced by can_frame_bits(true, true, true, true, CANFD_MAX_DLEN) in -a cleanup patch later. - -Fixes: 55e5b97f003e8 ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") -Signed-off-by: Fedor Ross -Signed-off-by: Marek Vasut -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/all/20230717-mcp251xfd-fix-increase-poll-timeout-v5-1-06600f34c684@pengutronix.de -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 10 ++++++++-- - drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 1 + - 2 files changed, 9 insertions(+), 2 deletions(-) - ---- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c -+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c -@@ -227,6 +227,8 @@ static int - __mcp251xfd_chip_set_mode(const struct mcp251xfd_priv *priv, - const u8 mode_req, bool nowait) - { -+ const struct can_bittiming *bt = &priv->can.bittiming; -+ unsigned long timeout_us = MCP251XFD_POLL_TIMEOUT_US; - u32 con = 0, con_reqop, osc = 0; - u8 mode; - int err; -@@ -246,12 +248,16 @@ __mcp251xfd_chip_set_mode(const struct m - if (mode_req == MCP251XFD_REG_CON_MODE_SLEEP || nowait) - return 0; - -+ if (bt->bitrate) -+ timeout_us = max_t(unsigned long, timeout_us, -+ MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC / -+ bt->bitrate); -+ - err = regmap_read_poll_timeout(priv->map_reg, MCP251XFD_REG_CON, con, - !mcp251xfd_reg_invalid(con) && - FIELD_GET(MCP251XFD_REG_CON_OPMOD_MASK, - con) == mode_req, -- MCP251XFD_POLL_SLEEP_US, -- MCP251XFD_POLL_TIMEOUT_US); -+ MCP251XFD_POLL_SLEEP_US, timeout_us); - if (err != -ETIMEDOUT && err != -EBADMSG) - return err; - ---- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h -+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h -@@ -387,6 +387,7 @@ static_assert(MCP251XFD_TIMESTAMP_WORK_D - #define MCP251XFD_OSC_STAB_TIMEOUT_US (10 * MCP251XFD_OSC_STAB_SLEEP_US) - #define MCP251XFD_POLL_SLEEP_US (10) - #define MCP251XFD_POLL_TIMEOUT_US (USEC_PER_MSEC) -+#define MCP251XFD_FRAME_LEN_MAX_BITS (736) - - /* Misc */ - #define MCP251XFD_NAPI_WEIGHT 32 diff --git a/queue-6.1/can-raw-fix-receiver-memory-leak.patch b/queue-6.1/can-raw-fix-receiver-memory-leak.patch deleted file mode 100644 index 26a08c5711e..00000000000 --- a/queue-6.1/can-raw-fix-receiver-memory-leak.patch +++ /dev/null @@ -1,233 +0,0 @@ -From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 -From: Ziyang Xuan -Date: Tue, 11 Jul 2023 09:17:37 +0800 -Subject: can: raw: fix receiver memory leak - -From: Ziyang Xuan - -commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. - -Got kmemleak errors with the following ltp can_filter testcase: - -for ((i=1; i<=100; i++)) -do - ./can_filter & - sleep 0.1 -done - -============================================================== -[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] -[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] -[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 -[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 -[<00000000fd468496>] do_syscall_64+0x33/0x40 -[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -It's a bug in the concurrent scenario of unregister_netdevice_many() -and raw_release() as following: - - cpu0 cpu1 -unregister_netdevice_many(can_dev) - unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this - net_set_todo(can_dev) - raw_release(can_socket) - dev = dev_get_by_index(, ro->ifindex); // dev == NULL - if (dev) { // receivers in dev_rcv_lists not free because dev is NULL - raw_disable_allfilters(, dev, ); - dev_put(dev); - } - ... - ro->bound = 0; - ... - -call_netdevice_notifiers(NETDEV_UNREGISTER, ) - raw_notify(, NETDEV_UNREGISTER, ) - if (ro->bound) // invalid because ro->bound has been set 0 - raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed - -Add a net_device pointer member in struct raw_sock to record bound -can_dev, and use rtnl_lock to serialize raw_socket members between -raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use -ro->dev to decide whether to free receivers in dev_rcv_lists. - -Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Signed-off-by: Ziyang Xuan -Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- - 1 file changed, 24 insertions(+), 33 deletions(-) - ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -84,6 +84,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -+ struct net_device *dev; - struct list_head notifier; - int loopback; - int recv_own_msgs; -@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * - if (!net_eq(dev_net(dev), sock_net(sk))) - return; - -- if (ro->ifindex != dev->ifindex) -+ if (ro->dev != dev) - return; - - switch (msg) { -@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - release_sock(sk); - -@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) - - ro->bound = 0; - ro->ifindex = 0; -+ ro->dev = NULL; - - /* set default filter to single entry dfilter */ - ro->dfilter.can_id = 0; -@@ -385,19 +388,13 @@ static int raw_release(struct socket *so - - lock_sock(sk); - -+ rtnl_lock(); - /* remove current filters & unregister */ - if (ro->bound) { -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - - if (ro->count > 1) -@@ -405,8 +402,10 @@ static int raw_release(struct socket *so - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - free_percpu(ro->uniq); -+ rtnl_unlock(); - - sock_orphan(sk); - sock->sk = NULL; -@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, - struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; - struct sock *sk = sock->sk; - struct raw_sock *ro = raw_sk(sk); -+ struct net_device *dev = NULL; - int ifindex; - int err = 0; - int notify_enetdown = 0; -@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, - if (addr->can_family != AF_CAN) - return -EINVAL; - -+ rtnl_lock(); - lock_sock(sk); - - if (ro->bound && addr->can_ifindex == ro->ifindex) - goto out; - - if (addr->can_ifindex) { -- struct net_device *dev; -- - dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); - if (!dev) { - err = -ENODEV; -@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, - if (!err) { - if (ro->bound) { - /* unregister old filters */ -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), -- ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), -- dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), -+ ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - ro->ifindex = ifindex; - ro->bound = 1; -+ ro->dev = dev; - } - - out: - release_sock(sk); -+ rtnl_unlock(); - - if (notify_enetdown) { - sk->sk_err = ENETDOWN; -@@ -552,9 +545,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - if (count > 1) - kfree(filter); - err = -ENODEV; -@@ -595,7 +588,6 @@ static int raw_setsockopt(struct socket - ro->count = count; - - out_fil: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - -@@ -613,9 +605,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - err = -ENODEV; - goto out_err; - } -@@ -639,7 +631,6 @@ static int raw_setsockopt(struct socket - ro->err_mask = err_mask; - - out_err: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - diff --git a/queue-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch b/queue-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch deleted file mode 100644 index 7a2c897f51d..00000000000 --- a/queue-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 7a8eaa17077746c57f6fa160701348e82e480ae9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 14 Jul 2023 08:56:33 +0000 -Subject: cifs: fix mid leak during reconnection after timeout threshold - -From: Shyam Prasad N - -[ Upstream commit 69cba9d3c1284e0838ae408830a02c4a063104bc ] - -When the number of responses with status of STATUS_IO_TIMEOUT -exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect -the connection. But we do not return the mid, or the credits -returned for the mid, or reduce the number of in-flight requests. - -This bug could result in the server->in_flight count to go bad, -and also cause a leak in the mids. - -This change moves the check to a few lines below where the -response is decrypted, even of the response is read from the -transform header. This way, the code for returning the mids -can be reused. - -Also, the cifs_reconnect was reconnecting just the transport -connection before. In case of multi-channel, this may not be -what we want to do after several timeouts. Changed that to -reconnect the session and the tree too. - -Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name -MAX_STATUS_IO_TIMEOUT. - -Fixes: 8e670f77c4a5 ("Handle STATUS_IO_TIMEOUT gracefully") -Signed-off-by: Shyam Prasad N -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/smb/client/connect.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c -index 935fe198a4baf..cbe08948baf4a 100644 ---- a/fs/smb/client/connect.c -+++ b/fs/smb/client/connect.c -@@ -59,7 +59,7 @@ extern bool disable_legacy_dialects; - #define TLINK_IDLE_EXPIRE (600 * HZ) - - /* Drop the connection to not overload the server */ --#define NUM_STATUS_IO_TIMEOUT 5 -+#define MAX_STATUS_IO_TIMEOUT 5 - - struct mount_ctx { - struct cifs_sb_info *cifs_sb; -@@ -1162,6 +1162,7 @@ cifs_demultiplex_thread(void *p) - struct mid_q_entry *mids[MAX_COMPOUND]; - char *bufs[MAX_COMPOUND]; - unsigned int noreclaim_flag, num_io_timeout = 0; -+ bool pending_reconnect = false; - - noreclaim_flag = memalloc_noreclaim_save(); - cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); -@@ -1201,6 +1202,8 @@ cifs_demultiplex_thread(void *p) - cifs_dbg(FYI, "RFC1002 header 0x%x\n", pdu_length); - if (!is_smb_response(server, buf[0])) - continue; -+ -+ pending_reconnect = false; - next_pdu: - server->pdu_size = pdu_length; - -@@ -1258,10 +1261,13 @@ cifs_demultiplex_thread(void *p) - if (server->ops->is_status_io_timeout && - server->ops->is_status_io_timeout(buf)) { - num_io_timeout++; -- if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { -- cifs_reconnect(server, false); -+ if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { -+ cifs_server_dbg(VFS, -+ "Number of request timeouts exceeded %d. Reconnecting", -+ MAX_STATUS_IO_TIMEOUT); -+ -+ pending_reconnect = true; - num_io_timeout = 0; -- continue; - } - } - -@@ -1308,6 +1314,11 @@ cifs_demultiplex_thread(void *p) - buf = server->smallbuf; - goto next_pdu; - } -+ -+ /* do this reconnect at the very end after processing all MIDs */ -+ if (pending_reconnect) -+ cifs_reconnect(server, true); -+ - } /* end while !EXITING */ - - /* buffer usually freed in free_mid - need to free it here on exit */ --- -2.39.2 - diff --git a/queue-6.1/devlink-report-devlink_port_type_warn-source-device.patch b/queue-6.1/devlink-report-devlink_port_type_warn-source-device.patch deleted file mode 100644 index d6552021503..00000000000 --- a/queue-6.1/devlink-report-devlink_port_type_warn-source-device.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 4aca3a9686777cc7cbeeafbea29e9349e546bc92 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 11:54:47 +0200 -Subject: devlink: report devlink_port_type_warn source device - -From: Petr Oros - -[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] - -devlink_port_type_warn is scheduled for port devlink and warning -when the port type is not set. But from this warning it is not easy -found out which device (driver) has no devlink port set. - -[ 3709.975552] Type was not set for devlink port. -[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 -[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm -[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse -[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 -[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 -[ 3710.108437] Workqueue: events devlink_port_type_warn -[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 -[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 -[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 -[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 -[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 -[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 -[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 -[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 -[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 -[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 -[ 3710.108456] PKRU: 55555554 -[ 3710.108457] Call Trace: -[ 3710.108458] -[ 3710.108459] process_one_work+0x1e2/0x3b0 -[ 3710.108466] ? rescuer_thread+0x390/0x390 -[ 3710.108468] worker_thread+0x50/0x3a0 -[ 3710.108471] ? rescuer_thread+0x390/0x390 -[ 3710.108473] kthread+0xdd/0x100 -[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 -[ 3710.108479] ret_from_fork+0x1f/0x30 -[ 3710.108485] -[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- - -After patch: -[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. -[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. - -Signed-off-by: Petr Oros -Reviewed-by: Pavan Chebbi -Reviewed-by: Jakub Kicinski -Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/core/devlink.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/net/core/devlink.c b/net/core/devlink.c -index 2aa77d4b80d0a..5a4a4b34ac15c 100644 ---- a/net/core/devlink.c -+++ b/net/core/devlink.c -@@ -9826,7 +9826,10 @@ EXPORT_SYMBOL_GPL(devlink_free); - - static void devlink_port_type_warn(struct work_struct *work) - { -- WARN(true, "Type was not set for devlink port."); -+ struct devlink_port *port = container_of(to_delayed_work(work), -+ struct devlink_port, -+ type_warn_dw); -+ dev_warn(port->devlink->dev, "Type was not set for devlink port."); - } - - static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) --- -2.39.2 - diff --git a/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch b/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch deleted file mode 100644 index 2fa44ff85d9..00000000000 --- a/queue-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 05abb3be91d8788328231ee02973ab3d47f5e3d2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= -Date: Thu, 13 Jul 2023 22:47:45 +0300 -Subject: dma-buf/dma-resv: Stop leaking on krealloc() failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ville Syrjälä - -commit 05abb3be91d8788328231ee02973ab3d47f5e3d2 upstream. - -Currently dma_resv_get_fences() will leak the previously -allocated array if the fence iteration got restarted and -the krealloc_array() fails. - -Free the old array by hand, and make sure we still clear -the returned *fences so the caller won't end up accessing -freed memory. Some (but not all) of the callers of -dma_resv_get_fences() seem to still trawl through the -array even when dma_resv_get_fences() failed. And let's -zero out *num_fences as well for good measure. - -Cc: Sumit Semwal -Cc: Christian König -Cc: linux-media@vger.kernel.org -Cc: dri-devel@lists.freedesktop.org -Cc: linaro-mm-sig@lists.linaro.org -Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3") -Signed-off-by: Ville Syrjälä -Reviewed-by: Christian König -Cc: stable@vger.kernel.org -Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.com -Signed-off-by: Christian König -Signed-off-by: Greg Kroah-Hartman ---- - drivers/dma-buf/dma-resv.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/drivers/dma-buf/dma-resv.c -+++ b/drivers/dma-buf/dma-resv.c -@@ -566,6 +566,7 @@ int dma_resv_get_fences(struct dma_resv - dma_resv_for_each_fence_unlocked(&cursor, fence) { - - if (dma_resv_iter_is_restarted(&cursor)) { -+ struct dma_fence **new_fences; - unsigned int count; - - while (*num_fences) -@@ -574,13 +575,17 @@ int dma_resv_get_fences(struct dma_resv - count = cursor.num_fences + 1; - - /* Eventually re-allocate the array */ -- *fences = krealloc_array(*fences, count, -- sizeof(void *), -- GFP_KERNEL); -- if (count && !*fences) { -+ new_fences = krealloc_array(*fences, count, -+ sizeof(void *), -+ GFP_KERNEL); -+ if (count && !new_fences) { -+ kfree(*fences); -+ *fences = NULL; -+ *num_fences = 0; - dma_resv_iter_end(&cursor); - return -ENOMEM; - } -+ *fences = new_fences; - } - - (*fences)[(*num_fences)++] = dma_fence_get(fence); diff --git a/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch b/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch deleted file mode 100644 index b1ab441d828..00000000000 --- a/queue-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5a25cefc0920088bb9afafeb80ad3dcd84fe278b Mon Sep 17 00:00:00 2001 -From: Taimur Hassan -Date: Tue, 20 Jun 2023 17:00:28 -0400 -Subject: drm/amd/display: check TG is non-null before checking if enabled - -From: Taimur Hassan - -commit 5a25cefc0920088bb9afafeb80ad3dcd84fe278b upstream. - -[Why & How] -If there is no TG allocation we can dereference a NULL pointer when -checking if the TG is enabled. - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Nicholas Kazlauskas -Acked-by: Alan Liu -Signed-off-by: Taimur Hassan -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c -@@ -3293,7 +3293,8 @@ void dcn10_wait_for_mpcc_disconnect( - if (pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst]) { - struct hubp *hubp = get_hubp_by_inst(res_pool, mpcc_inst); - -- if (pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) -+ if (pipe_ctx->stream_res.tg && -+ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) - res_pool->mpc->funcs->wait_for_idle(res_pool->mpc, mpcc_inst); - pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst] = false; - hubp->funcs->set_blank(hubp, true); diff --git a/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch deleted file mode 100644 index 6b589736210..00000000000 --- a/queue-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001 -From: Zhikai Zhai -Date: Fri, 30 Jun 2023 11:35:14 +0800 -Subject: drm/amd/display: Disable MPC split by default on special asic - -From: Zhikai Zhai - -commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream. - -[WHY] -All of pipes will be used when the MPC split enable on the dcn -which just has 2 pipes. Then MPO enter will trigger the minimal -transition which need programe dcn from 2 pipes MPC split to 2 -pipes MPO. This action will cause lag if happen frequently. - -[HOW] -Disable the MPC split for the platform which dcn resource is limited - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Alvin Lee -Acked-by: Alan Liu -Signed-off-by: Zhikai Zhai -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c -@@ -65,7 +65,7 @@ static const struct dc_debug_options deb - .timing_trace = false, - .clock_trace = true, - .disable_pplib_clock_request = true, -- .pipe_split_policy = MPC_SPLIT_DYNAMIC, -+ .pipe_split_policy = MPC_SPLIT_AVOID, - .force_single_disp_pipe_split = false, - .disable_dcc = DCC_ENABLE, - .vsr_support = true, diff --git a/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch deleted file mode 100644 index 587a6956896..00000000000 --- a/queue-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001 -From: Nicholas Kazlauskas -Date: Thu, 29 Jun 2023 10:35:59 -0400 -Subject: drm/amd/display: Keep PHY active for DP displays on DCN31 - -From: Nicholas Kazlauskas - -commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream. - -[Why & How] -Port of a change that went into DCN314 to keep the PHY enabled -when we have a connected and active DP display. - -The PHY can hang if PHY refclk is disabled inadvertently. - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Josip Pavic -Acked-by: Alan Liu -Signed-off-by: Nicholas Kazlauskas -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c -+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c -@@ -86,6 +86,11 @@ static int dcn31_get_active_display_cnt_ - stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK || - stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK) - tmds_present = true; -+ -+ /* Checking stream / link detection ensuring that PHY is active*/ -+ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off) -+ display_count++; -+ - } - - for (i = 0; i < dc->link_count; i++) { diff --git a/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch b/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch deleted file mode 100644 index b66e30d5918..00000000000 --- a/queue-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1ca67aba8d11c2849d395013e1fdce02918d5657 Mon Sep 17 00:00:00 2001 -From: Simon Ser -Date: Wed, 21 Jun 2023 17:24:59 -0300 -Subject: drm/amd/display: only accept async flips for fast updates -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Simon Ser - -commit 1ca67aba8d11c2849d395013e1fdce02918d5657 upstream. - -Up until now, amdgpu was silently degrading to vsync when -user-space requested an async flip but the hardware didn't support -it. - -The hardware doesn't support immediate flips when the update changes -the FB pitch, the DCC state, the rotation, enables or disables CRTCs -or planes, etc. This is reflected in the dm_crtc_state.update_type -field: UPDATE_TYPE_FAST means that immediate flip is supported. - -Silently degrading async flips to vsync is not the expected behavior -from a uAPI point-of-view. Xorg expects async flips to fail if -unsupported, to be able to fall back to a blit. i915 already behaves -this way. - -This patch aligns amdgpu with uAPI expectations and returns a failure -when an async flip is not possible. - -Signed-off-by: Simon Ser -Reviewed-by: André Almeida -Reviewed-by: Alex Deucher -Reviewed-by: Harry Wentland -Signed-off-by: André Almeida -Signed-off-by: Hamza Mahfooz -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++++ - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 12 ++++++++++++ - 2 files changed, 20 insertions(+) - ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -@@ -7757,7 +7757,15 @@ static void amdgpu_dm_commit_planes(stru - * Only allow immediate flips for fast updates that don't - * change memory domain, FB pitch, DCC state, rotation or - * mirroring. -+ * -+ * dm_crtc_helper_atomic_check() only accepts async flips with -+ * fast updates. - */ -+ if (crtc->state->async_flip && -+ acrtc_state->update_type != UPDATE_TYPE_FAST) -+ drm_warn_once(state->dev, -+ "[PLANE:%d:%s] async flip with non-fast update\n", -+ plane->base.id, plane->name); - bundle->flip_addrs[planes_count].flip_immediate = - crtc->state->async_flip && - acrtc_state->update_type == UPDATE_TYPE_FAST && ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c -@@ -406,6 +406,18 @@ static int dm_crtc_helper_atomic_check(s - return -EINVAL; - } - -+ /* -+ * Only allow async flips for fast updates that don't change the FB -+ * pitch, the DCC state, rotation, etc. -+ */ -+ if (crtc_state->async_flip && -+ dm_crtc_state->update_type != UPDATE_TYPE_FAST) { -+ drm_dbg_atomic(crtc->dev, -+ "[CRTC:%d:%s] async flips are only supported for fast updates\n", -+ crtc->base.id, crtc->name); -+ return -EINVAL; -+ } -+ - /* In some use cases, like reset, no stream is attached */ - if (!dm_crtc_state->stream) - return 0; diff --git a/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch b/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch deleted file mode 100644 index b8fd75b4f0b..00000000000 --- a/queue-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a4eb11824170d742531998f4ebd1c6a18b63db47 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Tue, 13 Jun 2023 12:15:38 -0400 -Subject: drm/amdgpu/pm: make gfxclock consistent for sienna cichlid - -From: Alex Deucher - -commit a4eb11824170d742531998f4ebd1c6a18b63db47 upstream. - -Use average gfxclock for consistency with other dGPUs. - -Reviewed-by: Kenneth Feng -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org # 6.1.x -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c -index f6599c00a6fd..0cda3b276f61 100644 ---- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c -+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c -@@ -1927,12 +1927,16 @@ static int sienna_cichlid_read_sensor(struct smu_context *smu, - *size = 4; - break; - case AMDGPU_PP_SENSOR_GFX_MCLK: -- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_UCLK, (uint32_t *)data); -+ ret = sienna_cichlid_get_smu_metrics_data(smu, -+ METRICS_CURR_UCLK, -+ (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; - break; - case AMDGPU_PP_SENSOR_GFX_SCLK: -- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_GFXCLK, (uint32_t *)data); -+ ret = sienna_cichlid_get_smu_metrics_data(smu, -+ METRICS_AVERAGE_GFXCLK, -+ (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; - break; --- -2.41.0 - diff --git a/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch b/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch deleted file mode 100644 index 27426d1dce5..00000000000 --- a/queue-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Tue, 13 Jun 2023 12:36:17 -0400 -Subject: drm/amdgpu/pm: make mclk consistent for smu 13.0.7 - -From: Alex Deucher - -commit 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 upstream. - -Use current uclk to be consistent with other dGPUs. - -Reviewed-by: Kenneth Feng -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org # 6.1.x -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c -+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c -@@ -940,7 +940,7 @@ static int smu_v13_0_7_read_sensor(struc - break; - case AMDGPU_PP_SENSOR_GFX_MCLK: - ret = smu_v13_0_7_get_smu_metrics_data(smu, -- METRICS_AVERAGE_UCLK, -+ METRICS_CURR_UCLK, - (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; diff --git a/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch b/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch deleted file mode 100644 index d26cdf175ba..00000000000 --- a/queue-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch +++ /dev/null @@ -1,101 +0,0 @@ -From b42ae87a7b3878afaf4c3852ca66c025a5b996e0 Mon Sep 17 00:00:00 2001 -From: Guchun Chen -Date: Thu, 6 Jul 2023 15:57:21 +0800 -Subject: drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Guchun Chen - -commit b42ae87a7b3878afaf4c3852ca66c025a5b996e0 upstream. - -In below thousands of screen rotation loop tests with virtual display -enabled, a CPU hard lockup issue may happen, leading system to unresponsive -and crash. - -do { - xrandr --output Virtual --rotate inverted - xrandr --output Virtual --rotate right - xrandr --output Virtual --rotate left - xrandr --output Virtual --rotate normal -} while (1); - -NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 - -? hrtimer_run_softirq+0x140/0x140 -? store_vblank+0xe0/0xe0 [drm] -hrtimer_cancel+0x15/0x30 -amdgpu_vkms_disable_vblank+0x15/0x30 [amdgpu] -drm_vblank_disable_and_save+0x185/0x1f0 [drm] -drm_crtc_vblank_off+0x159/0x4c0 [drm] -? record_print_text.cold+0x11/0x11 -? wait_for_completion_timeout+0x232/0x280 -? drm_crtc_wait_one_vblank+0x40/0x40 [drm] -? bit_wait_io_timeout+0xe0/0xe0 -? wait_for_completion_interruptible+0x1d7/0x320 -? mutex_unlock+0x81/0xd0 -amdgpu_vkms_crtc_atomic_disable - -It's caused by a stuck in lock dependency in such scenario on different -CPUs. - -CPU1 CPU2 -drm_crtc_vblank_off hrtimer_interrupt - grab event_lock (irq disabled) __hrtimer_run_queues - grab vbl_lock/vblank_time_block amdgpu_vkms_vblank_simulate - amdgpu_vkms_disable_vblank drm_handle_vblank - hrtimer_cancel grab dev->event_lock - -So CPU1 stucks in hrtimer_cancel as timer callback is running endless on -current clock base, as that timer queue on CPU2 has no chance to finish it -because of failing to hold the lock. So NMI watchdog will throw the errors -after its threshold, and all later CPUs are impacted/blocked. - -So use hrtimer_try_to_cancel to fix this, as disable_vblank callback -does not need to wait the handler to finish. And also it's not necessary -to check the return value of hrtimer_try_to_cancel, because even if it's --1 which means current timer callback is running, it will be reprogrammed -in hrtimer_start with calling enable_vblank to make it works. - -v2: only re-arm timer when vblank is enabled (Christian) and add a Fixes -tag as well - -v3: drop warn printing (Christian) - -v4: drop superfluous check of blank->enabled in timer function, as it's -guaranteed in drm_handle_vblank (Christian) - -Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)") -Cc: stable@vger.kernel.org -Suggested-by: Christian König -Signed-off-by: Guchun Chen -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c -@@ -55,8 +55,9 @@ static enum hrtimer_restart amdgpu_vkms_ - DRM_WARN("%s: vblank timer overrun\n", __func__); - - ret = drm_crtc_handle_vblank(crtc); -+ /* Don't queue timer again when vblank is disabled. */ - if (!ret) -- DRM_ERROR("amdgpu_vkms failure on handling vblank"); -+ return HRTIMER_NORESTART; - - return HRTIMER_RESTART; - } -@@ -81,7 +82,7 @@ static void amdgpu_vkms_disable_vblank(s - { - struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); - -- hrtimer_cancel(&amdgpu_crtc->vblank_timer); -+ hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer); - } - - static bool amdgpu_vkms_get_vblank_timestamp(struct drm_crtc *crtc, diff --git a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch deleted file mode 100644 index d3db537579d..00000000000 --- a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001 -From: Jocelyn Falempe -Date: Tue, 11 Jul 2023 11:20:44 +0200 -Subject: drm/client: Fix memory leak in drm_client_modeset_probe - -From: Jocelyn Falempe - -commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream. - -When a new mode is set to modeset->mode, the previous mode should be freed. -This fixes the following kmemleak report: - -drm_mode_duplicate+0x45/0x220 [drm] -drm_client_modeset_probe+0x944/0xf50 [drm] -__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] -drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] -drm_client_register+0x169/0x240 [drm] -ast_pci_probe+0x142/0x190 [ast] -local_pci_probe+0xdc/0x180 -work_for_cpu_fn+0x4e/0xa0 -process_one_work+0x8b7/0x1540 -worker_thread+0x70a/0xed0 -kthread+0x29f/0x340 -ret_from_fork+0x1f/0x30 - -cc: -Reported-by: Zhang Yi -Signed-off-by: Jocelyn Falempe -Reviewed-by: Javier Martinez Canillas -Reviewed-by: Thomas Zimmermann -Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_client_modeset.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/gpu/drm/drm_client_modeset.c -+++ b/drivers/gpu/drm/drm_client_modeset.c -@@ -871,6 +871,7 @@ int drm_client_modeset_probe(struct drm_ - break; - } - -+ kfree(modeset->mode); - modeset->mode = drm_mode_duplicate(dev, mode); - drm_connector_get(connector); - modeset->connectors[modeset->num_connectors++] = connector; diff --git a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch deleted file mode 100644 index 5e8d014937f..00000000000 --- a/queue-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch +++ /dev/null @@ -1,68 +0,0 @@ -From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 -From: Jocelyn Falempe -Date: Tue, 11 Jul 2023 11:20:43 +0200 -Subject: drm/client: Fix memory leak in drm_client_target_cloned - -From: Jocelyn Falempe - -commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. - -dmt_mode is allocated and never freed in this function. -It was found with the ast driver, but most drivers using generic fbdev -setup are probably affected. - -This fixes the following kmemleak report: - backtrace: - [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] - [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] - [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] - [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] - [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] - [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] - [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] - [<00000000987f19bb>] local_pci_probe+0xdc/0x180 - [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 - [<0000000000b85301>] process_one_work+0x8b7/0x1540 - [<000000003375b17c>] worker_thread+0x70a/0xed0 - [<00000000b0d43cd9>] kthread+0x29f/0x340 - [<000000008d770833>] ret_from_fork+0x1f/0x30 -unreferenced object 0xff11000333089a00 (size 128): - -cc: -Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") -Reported-by: Zhang Yi -Signed-off-by: Jocelyn Falempe -Reviewed-by: Javier Martinez Canillas -Reviewed-by: Thomas Zimmermann -Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_client_modeset.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/gpu/drm/drm_client_modeset.c -+++ b/drivers/gpu/drm/drm_client_modeset.c -@@ -315,6 +315,9 @@ static bool drm_client_target_cloned(str - can_clone = true; - dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); - -+ if (!dmt_mode) -+ goto fail; -+ - for (i = 0; i < connector_count; i++) { - if (!enabled[i]) - continue; -@@ -330,11 +333,13 @@ static bool drm_client_target_cloned(str - if (!modes[i]) - can_clone = false; - } -+ kfree(dmt_mode); - - if (can_clone) { - DRM_DEBUG_KMS("can clone using 1024x768\n"); - return true; - } -+fail: - DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); - return false; - } diff --git a/queue-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/queue-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch deleted file mode 100644 index 0ff32277d59..00000000000 --- a/queue-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 20d5e3268aeb5cd2827f61521d33a0203f680509 Mon Sep 17 00:00:00 2001 -From: hackyzh002 -Date: Wed, 19 Apr 2023 20:20:58 +0800 -Subject: [PATCH AUTOSEL 4.19 01/11] drm/radeon: Fix integer overflow in - radeon_cs_parser_init -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ] - -The type of size is unsigned, if size is 0x40000000, there will be an -integer overflow, size will be zero after size *= sizeof(uint32_t), -will cause uninitialized memory to be referenced later - -Reviewed-by: Christian König -Signed-off-by: hackyzh002 -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/radeon/radeon_cs.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/radeon/radeon_cs.c -+++ b/drivers/gpu/drm/radeon/radeon_cs.c -@@ -270,7 +270,8 @@ int radeon_cs_parser_init(struct radeon_ - { - struct drm_radeon_cs *cs = data; - uint64_t *chunk_array_ptr; -- unsigned size, i; -+ u64 size; -+ unsigned i; - u32 ring = RADEON_CS_RING_GFX; - s32 priority = 0; - diff --git a/queue-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch b/queue-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch deleted file mode 100644 index af369b38cef..00000000000 --- a/queue-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4481913607e58196c48a4fef5e6f45350684ec3c Mon Sep 17 00:00:00 2001 -From: Yunxiang Li -Date: Thu, 22 Jun 2023 10:18:03 -0400 -Subject: drm/ttm: fix bulk_move corruption when adding a entry -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Yunxiang Li - -commit 4481913607e58196c48a4fef5e6f45350684ec3c upstream. - -When the resource is the first in the bulk_move range, adding it again -(thus moving it to the tail) will corrupt the list since the first -pointer is not moved. This eventually lead to null pointer deref in -ttm_lru_bulk_move_del() - -Fixes: fee2ede15542 ("drm/ttm: rework bulk move handling v5") -Signed-off-by: Yunxiang Li -Reviewed-by: Christian König -CC: stable@vger.kernel.org -Link: https://patchwork.freedesktop.org/patch/msgid/20230622141902.28718-3-Yunxiang.Li@amd.com -Signed-off-by: Christian König -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/ttm/ttm_resource.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/ttm/ttm_resource.c -+++ b/drivers/gpu/drm/ttm/ttm_resource.c -@@ -85,6 +85,8 @@ static void ttm_lru_bulk_move_pos_tail(s - struct ttm_resource *res) - { - if (pos->last != res) { -+ if (pos->first == res) -+ pos->first = list_next_entry(res, lru); - list_move(&res->lru, &pos->last->lru); - pos->last = res; - } -@@ -110,7 +112,8 @@ static void ttm_lru_bulk_move_del(struct - { - struct ttm_lru_bulk_move_pos *pos = ttm_lru_bulk_move_pos(bulk, res); - -- if (unlikely(pos->first == res && pos->last == res)) { -+ if (unlikely(WARN_ON(!pos->first || !pos->last) || -+ (pos->first == res && pos->last == res))) { - pos->first = NULL; - pos->last = NULL; - } else if (pos->first == res) { diff --git a/queue-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch b/queue-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch deleted file mode 100644 index 70d64a56f2e..00000000000 --- a/queue-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 9bbaa84ecaeca40ae4d2d1cd4ab363546113da7a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 00:34:05 +0200 -Subject: dsa: mv88e6xxx: Do a final check before timing out - -From: Linus Walleij - -[ Upstream commit 95ce158b6c93b28842b54b42ad1cb221b9844062 ] - -I get sporadic timeouts from the driver when using the -MV88E6352. Reading the status again after the loop fixes the -problem: the operation is successful but goes undetected. - -Some added prints show things like this: - -[ 58.356209] mv88e6085 mdio_mux-0.1:00: Timeout while waiting - for switch, addr 1b reg 0b, mask 8000, val 0000, data c000 -[ 58.367487] mv88e6085 mdio_mux-0.1:00: Timeout waiting for - ATU op 4000, fid 0001 -(...) -[ 61.826293] mv88e6085 mdio_mux-0.1:00: Timeout while waiting - for switch, addr 1c reg 18, mask 8000, val 0000, data 9860 -[ 61.837560] mv88e6085 mdio_mux-0.1:00: Timeout waiting - for PHY command 1860 to complete - -The reason is probably not the commands: I think those are -mostly fine with the 50+50ms timeout, but the problem -appears when OpenWrt brings up several interfaces in -parallel on a system with 7 populated ports: if one of -them take more than 50 ms and waits one or more of the -others can get stuck on the mutex for the switch and then -this can easily multiply. - -As we sleep and wait, the function loop needs a final -check after exiting the loop if we were successful. - -Suggested-by: Andrew Lunn -Cc: Tobias Waldekranz -Fixes: 35da1dfd9484 ("net: dsa: mv88e6xxx: Improve performance of busy bit polling") -Signed-off-by: Linus Walleij -Reviewed-by: Andrew Lunn -Link: https://lore.kernel.org/r/20230712223405.861899-1-linus.walleij@linaro.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c -index 4db1652015d1d..b69bd44ada1f2 100644 ---- a/drivers/net/dsa/mv88e6xxx/chip.c -+++ b/drivers/net/dsa/mv88e6xxx/chip.c -@@ -109,6 +109,13 @@ int mv88e6xxx_wait_mask(struct mv88e6xxx_chip *chip, int addr, int reg, - usleep_range(1000, 2000); - } - -+ err = mv88e6xxx_read(chip, addr, reg, &data); -+ if (err) -+ return err; -+ -+ if ((data & mask) == val) -+ return 0; -+ - dev_err(chip->dev, "Timeout while waiting for switch\n"); - return -ETIMEDOUT; - } --- -2.39.2 - diff --git a/queue-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/queue-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch deleted file mode 100644 index ba80a2d73bc..00000000000 --- a/queue-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 -From: Eric Whitney -Date: Mon, 22 May 2023 14:15:20 -0400 -Subject: ext4: correct inline offset when handling xattrs in inode body - -From: Eric Whitney - -commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. - -When run on a file system where the inline_data feature has been -enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 -to emit error messages indicating that inline directory entries are -corrupted. This occurs because the inline offset used to locate -inline directory entries in the inode body is not updated when an -xattr in that shared region is deleted and the region is shifted in -memory to recover the space it occupied. If the deleted xattr precedes -the system.data attribute, which points to the inline directory entries, -that attribute will be moved further up in the region. The inline -offset continues to point to whatever is located in system.data's former -location, with unfortunate effects when used to access directory entries -or (presumably) inline data in the inode body. - -Cc: stable@kernel.org -Signed-off-by: Eric Whitney -Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/xattr.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1732,6 +1732,20 @@ static int ext4_xattr_set_entry(struct e - memmove(here, (void *)here + size, - (void *)last - (void *)here + sizeof(__u32)); - memset(last, 0, size); -+ -+ /* -+ * Update i_inline_off - moved ibody region might contain -+ * system.data attribute. Handling a failure here won't -+ * cause other complications for setting an xattr. -+ */ -+ if (!is_block && ext4_has_inline_data(inode)) { -+ ret = ext4_find_inline_data_nolock(inode); -+ if (ret) { -+ ext4_warning_inode(inode, -+ "unable to update i_inline_off"); -+ goto out; -+ } -+ } - } else if (s->not_found) { - /* Insert new name. */ - size_t size = EXT4_XATTR_LEN(name_len); diff --git a/queue-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch deleted file mode 100644 index 0e0a727fd33..00000000000 --- a/queue-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 3f351b5e8558e6d06eb00f3a0b3ce2ac4d1bd613 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 15 Jul 2023 16:16:56 +0800 -Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe - -From: Zhang Shurong - -[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] - -This func misses checking for platform_get_irq()'s call and may passes the -negative error codes to request_irq(), which takes unsigned IRQ #, -causing it to fail with -EINVAL, overriding an original error code. - -Fix this by stop calling request_irq() with invalid IRQ #s. - -Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") -Signed-off-by: Zhang Shurong -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/au1200fb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c -index b6b22fa4a8a01..fd3ff398d234a 100644 ---- a/drivers/video/fbdev/au1200fb.c -+++ b/drivers/video/fbdev/au1200fb.c -@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) - - /* Now hook interrupt too */ - irq = platform_get_irq(dev, 0); -+ if (irq < 0) -+ return irq; -+ - ret = request_irq(irq, au1200fb_handle_irq, - IRQF_SHARED, "lcd", (void *)dev); - if (ret) { --- -2.39.2 - diff --git a/queue-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch b/queue-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch deleted file mode 100644 index 4ced25e8975..00000000000 --- a/queue-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 37392063869cec1e0f260e3d3edc86270b958c95 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jul 2023 21:19:58 +0800 -Subject: fbdev: imxfb: Removed unneeded release_mem_region - -From: Yangtao Li - -[ Upstream commit 45fcc058a75bf5d65cf4c32da44a252fbe873cd4 ] - -Remove unnecessary release_mem_region from the error path to prevent -mem region from being released twice, which could avoid resource leak -or other unexpected issues. - -Fixes: b083c22d5114 ("video: fbdev: imxfb: Convert request_mem_region + ioremap to devm_ioremap_resource") -Signed-off-by: Yangtao Li -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/imxfb.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c -index 61731921011d5..36ada87b49a49 100644 ---- a/drivers/video/fbdev/imxfb.c -+++ b/drivers/video/fbdev/imxfb.c -@@ -1043,7 +1043,6 @@ static int imxfb_probe(struct platform_device *pdev) - failed_map: - failed_ioremap: - failed_getclock: -- release_mem_region(res->start, resource_size(res)); - failed_of_parse: - kfree(info->pseudo_palette); - failed_init: --- -2.39.2 - diff --git a/queue-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch deleted file mode 100644 index 5efab428be1..00000000000 --- a/queue-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c6e2909b7334117823ea14b1738ea3584813e756 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 15:24:37 +0200 -Subject: fbdev: imxfb: warn about invalid left/right margin - -From: Martin Kaiser - -[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] - -Warn about invalid var->left_margin or var->right_margin. Their values -are read from the device tree. - -We store var->left_margin-3 and var->right_margin-1 in register -fields. These fields should be >= 0. - -Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") -Signed-off-by: Martin Kaiser -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/imxfb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c -index 51fde1b2a7938..61731921011d5 100644 ---- a/drivers/video/fbdev/imxfb.c -+++ b/drivers/video/fbdev/imxfb.c -@@ -613,10 +613,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf - if (var->hsync_len < 1 || var->hsync_len > 64) - printk(KERN_ERR "%s: invalid hsync_len %d\n", - info->fix.id, var->hsync_len); -- if (var->left_margin > 255) -+ if (var->left_margin < 3 || var->left_margin > 255) - printk(KERN_ERR "%s: invalid left_margin %d\n", - info->fix.id, var->left_margin); -- if (var->right_margin > 255) -+ if (var->right_margin < 1 || var->right_margin > 255) - printk(KERN_ERR "%s: invalid right_margin %d\n", - info->fix.id, var->right_margin); - if (var->yres < 1 || var->yres > ymax_mask) --- -2.39.2 - diff --git a/queue-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/queue-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch deleted file mode 100644 index 15831506415..00000000000 --- a/queue-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ffb509c36e5b36da98c9fb1f8f539f0cbf606665 Mon Sep 17 00:00:00 2001 -From: Immad Mir -Date: Fri, 23 Jun 2023 19:17:08 +0530 -Subject: [PATCH AUTOSEL 4.19 11/11] FS: JFS: Check for read-only mounted - filesystem in txBegin -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ] - - This patch adds a check for read-only mounted filesystem - in txBegin before starting a transaction potentially saving - from NULL pointer deref. - -Signed-off-by: Immad Mir -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/jfs_txnmgr.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/fs/jfs/jfs_txnmgr.c -+++ b/fs/jfs/jfs_txnmgr.c -@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, in - jfs_info("txBegin: flag = 0x%x", flag); - log = JFS_SBI(sb)->log; - -+ if (!log) { -+ jfs_error(sb, "read-only filesystem\n"); -+ return 0; -+ } -+ - TXN_LOCK(); - - INCREMENT(TxStat.txBegin); diff --git a/queue-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/queue-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch deleted file mode 100644 index e3aeaa1be9e..00000000000 --- a/queue-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ced92b3b30ff868a14d5763842e5299bdad70edb Mon Sep 17 00:00:00 2001 -From: Immad Mir -Date: Fri, 23 Jun 2023 19:14:01 +0530 -Subject: [PATCH AUTOSEL 4.19 10/11] FS: JFS: Fix null-ptr-deref Read in - txBegin -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ] - - Syzkaller reported an issue where txBegin may be called - on a superblock in a read-only mounted filesystem which leads - to NULL pointer deref. This could be solved by checking if - the filesystem is read-only before calling txBegin, and returning - with appropiate error code. - -Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3 - -Signed-off-by: Immad Mir -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/namei.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/fs/jfs/namei.c -+++ b/fs/jfs/namei.c -@@ -799,6 +799,11 @@ static int jfs_link(struct dentry *old_d - if (rc) - goto out; - -+ if (isReadOnly(ip)) { -+ jfs_error(ip->i_sb, "read-only filesystem\n"); -+ return -EROFS; -+ } -+ - tid = txBegin(ip->i_sb, 0); - - mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT); diff --git a/queue-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/queue-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch deleted file mode 100644 index bc29fa87225..00000000000 --- a/queue-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 35a29fcb694a5f3ee27d66f57f19795b367fd883 Mon Sep 17 00:00:00 2001 -From: Yogesh -Date: Thu, 22 Jun 2023 00:07:03 +0530 -Subject: [PATCH AUTOSEL 4.19 08/11] fs: jfs: Fix UBSAN: - array-index-out-of-bounds in dbAllocDmapLev -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] - -Syzkaller reported the following issue: - -UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 -index -84 is out of range for type 's8[341]' (aka 'signed char[341]') -CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 - ubsan_epilogue lib/ubsan.c:217 [inline] - __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 - dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 - dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 - dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 - dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 - dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] - dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 - jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 - lookup_open fs/namei.c:3492 [inline] - open_last_lookups fs/namei.c:3560 [inline] - path_openat+0x13df/0x3170 fs/namei.c:3788 - do_filp_open+0x234/0x490 fs/namei.c:3818 - do_sys_openat2+0x13f/0x500 fs/open.c:1356 - do_sys_open fs/open.c:1372 [inline] - __do_sys_openat fs/open.c:1388 [inline] - __se_sys_openat fs/open.c:1383 [inline] - __x64_sys_openat+0x247/0x290 fs/open.c:1383 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd -RIP: 0033:0x7f1f4e33f7e9 -Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 -RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c -RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 -R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - - -The bug occurs when the dbAllocDmapLev()function attempts to access -dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. - -To rectify this, the patch introduces a safeguard within the -dbAllocDmapLev() function. A check has been added to verify if leafidx is -negative. If it is, the function immediately returns an I/O error, preventing -any further execution that could potentially cause harm. - -Tested via syzbot. - -Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 -Signed-off-by: Yogesh -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/jfs_dmap.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/jfs/jfs_dmap.c -+++ b/fs/jfs/jfs_dmap.c -@@ -1959,6 +1959,9 @@ dbAllocDmapLev(struct bmap * bmp, - if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) - return -ENOSPC; - -+ if (leafidx < 0) -+ return -EIO; -+ - /* determine the block number within the file system corresponding - * to the leaf at which free space was found. - */ diff --git a/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch b/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch deleted file mode 100644 index a4291d7d271..00000000000 --- a/queue-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 3066ff93476c35679cb07a97cce37d9bb07632ff Mon Sep 17 00:00:00 2001 -From: Bernd Schubert -Date: Fri, 15 Apr 2022 13:53:56 +0200 -Subject: fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT - -From: Bernd Schubert - -commit 3066ff93476c35679cb07a97cce37d9bb07632ff upstream. - -This is just a safety precaution to avoid checking flags on memory that was -initialized on the user space side. libfuse zeroes struct fuse_init_out -outarg, but this is not guranteed to be done in all implementations. -Better is to act on flags and to only apply flags2 when FUSE_INIT_EXT is -set. - -There is a risk with this change, though - it might break existing user -space libraries, which are already using flags2 without setting -FUSE_INIT_EXT. - -The corresponding libfuse patch is here -https://github.com/libfuse/libfuse/pull/662 - -Signed-off-by: Bernd Schubert -Fixes: 53db28933e95 ("fuse: extend init flags") -Cc: # v5.17 -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/inode.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -1127,7 +1127,10 @@ static void process_init_reply(struct fu - process_init_limits(fc, arg); - - if (arg->minor >= 6) { -- u64 flags = arg->flags | (u64) arg->flags2 << 32; -+ u64 flags = arg->flags; -+ -+ if (flags & FUSE_INIT_EXT) -+ flags |= (u64) arg->flags2 << 32; - - ra_pages = arg->max_readahead / PAGE_SIZE; - if (flags & FUSE_ASYNC_READ) diff --git a/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch b/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch deleted file mode 100644 index ffa3f307976..00000000000 --- a/queue-6.1/fuse-ioctl-translate-enosys-in-outarg.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Wed, 7 Jun 2023 17:49:21 +0200 -Subject: fuse: ioctl: translate ENOSYS in outarg - -From: Miklos Szeredi - -commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. - -Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace -responds with ENOSYS it should be translated to ENOTTY. - -There are two ways to return an error from the IOCTL request: - - - fuse_out_header.error - - fuse_ioctl_out.result - -Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this -issue for the first case, but missed the second case. This patch fixes the -second case. - -Reported-by: Jonathan Katz -Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ -Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/ioctl.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - ---- a/fs/fuse/ioctl.c -+++ b/fs/fuse/ioctl.c -@@ -9,14 +9,23 @@ - #include - #include - --static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) -+static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, -+ struct fuse_ioctl_out *outarg) - { -- ssize_t ret = fuse_simple_request(fm, args); -+ ssize_t ret; -+ -+ args->out_args[0].size = sizeof(*outarg); -+ args->out_args[0].value = outarg; -+ -+ ret = fuse_simple_request(fm, args); - - /* Translate ENOSYS, which shouldn't be returned from fs */ - if (ret == -ENOSYS) - ret = -ENOTTY; - -+ if (ret >= 0 && outarg->result == -ENOSYS) -+ outarg->result = -ENOTTY; -+ - return ret; - } - -@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un - } - - ap.args.out_numargs = 2; -- ap.args.out_args[0].size = sizeof(outarg); -- ap.args.out_args[0].value = &outarg; - ap.args.out_args[1].size = out_size; - ap.args.out_pages = true; - ap.args.out_argvar = true; - -- transferred = fuse_send_ioctl(fm, &ap.args); -+ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); - err = transferred; - if (transferred < 0) - goto out; -@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode - args.in_args[1].size = inarg.in_size; - args.in_args[1].value = ptr; - args.out_numargs = 2; -- args.out_args[0].size = sizeof(outarg); -- args.out_args[0].value = &outarg; - args.out_args[1].size = inarg.out_size; - args.out_args[1].value = ptr; - -- err = fuse_send_ioctl(fm, &args); -+ err = fuse_send_ioctl(fm, &args, &outarg); - if (!err) { - if (outarg.result < 0) - err = outarg.result; diff --git a/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch deleted file mode 100644 index 46e5be8f3be..00000000000 --- a/queue-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Wed, 7 Jun 2023 17:49:20 +0200 -Subject: fuse: revalidate: don't invalidate if interrupted - -From: Miklos Szeredi - -commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. - -If the LOOKUP request triggered from fuse_dentry_revalidate() is -interrupted, then the dentry will be invalidated, possibly resulting in -submounts being unmounted. - -Reported-by: Xu Rongbo -Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ -Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/dir.c -+++ b/fs/fuse/dir.c -@@ -258,7 +258,7 @@ static int fuse_dentry_revalidate(struct - spin_unlock(&fi->lock); - } - kfree(forget); -- if (ret == -ENOMEM) -+ if (ret == -ENOMEM || ret == -EINTR) - goto out; - if (ret || fuse_invalid_attr(&outarg.attr) || - fuse_stale_inode(inode, outarg.generation, &outarg.attr)) diff --git a/queue-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch b/queue-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch deleted file mode 100644 index ca1753e2552..00000000000 --- a/queue-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch +++ /dev/null @@ -1,49 +0,0 @@ -From dc3ca84683c4bb50761998adaf575f383748ba73 Mon Sep 17 00:00:00 2001 -From: Marco Morandini -Date: Tue, 30 May 2023 15:40:08 +0200 -Subject: [PATCH AUTOSEL 4.19 05/11] HID: add quirk for 03f0:464a HP Elite - Presenter Mouse -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 0db117359e47750d8bd310d19f13e1c4ef7fc26a ] - -HP Elite Presenter Mouse HID Record Descriptor shows -two mouses (Repord ID 0x1 and 0x2), one keypad (Report ID 0x5), -two Consumer Controls (Report IDs 0x6 and 0x3). -Previous to this commit it registers one mouse, one keypad -and one Consumer Control, and it was usable only as a -digitl laser pointer (one of the two mouses). This patch defines -the 464a USB device ID and enables the HID_QUIRK_MULTI_INPUT -quirk for it, allowing to use the device both as a mouse -and a digital laser pointer. - -Signed-off-by: Marco Morandini -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-ids.h | 1 + - drivers/hid/hid-quirks.c | 1 + - 2 files changed, 2 insertions(+) - ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -614,6 +614,7 @@ - #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 - - #define USB_VENDOR_ID_HP 0x03f0 -+#define USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A 0x464a - #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a - #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a - #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a ---- a/drivers/hid/hid-quirks.c -+++ b/drivers/hid/hid-quirks.c -@@ -96,6 +96,7 @@ static const struct hid_device_id hid_qu - { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096), HID_QUIRK_NO_INIT_REPORTS }, - { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A293), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A), HID_QUIRK_ALWAYS_POLL }, -+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A), HID_QUIRK_MULTI_INPUT }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch b/queue-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch deleted file mode 100644 index 85904bae1b5..00000000000 --- a/queue-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch +++ /dev/null @@ -1,342 +0,0 @@ -From d67f7140ec52c786fa3e1e17d5a41330d5965e52 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:25 -0400 -Subject: iavf: fix a deadlock caused by rtnl and driver's lock circular - dependencies - -From: Ahmed Zaki - -[ Upstream commit d1639a17319ba78a018280cd2df6577a7e5d9fab ] - -A driver's lock (crit_lock) is used to serialize all the driver's tasks. -Lockdep, however, shows a circular dependency between rtnl and -crit_lock. This happens when an ndo that already holds the rtnl requests -the driver to reset, since the reset task (in some paths) tries to grab -rtnl to either change real number of queues of update netdev features. - - [566.241851] ====================================================== - [566.241893] WARNING: possible circular locking dependency detected - [566.241936] 6.2.14-100.fc36.x86_64+debug #1 Tainted: G OE - [566.241984] ------------------------------------------------------ - [566.242025] repro.sh/2604 is trying to acquire lock: - [566.242061] ffff9280fc5ceee8 (&adapter->crit_lock){+.+.}-{3:3}, at: iavf_close+0x3c/0x240 [iavf] - [566.242167] - but task is already holding lock: - [566.242209] ffffffff9976d350 (rtnl_mutex){+.+.}-{3:3}, at: iavf_remove+0x6b5/0x730 [iavf] - [566.242300] - which lock already depends on the new lock. - - [566.242353] - the existing dependency chain (in reverse order) is: - [566.242401] - -> #1 (rtnl_mutex){+.+.}-{3:3}: - [566.242451] __mutex_lock+0xc1/0xbb0 - [566.242489] iavf_init_interrupt_scheme+0x179/0x440 [iavf] - [566.242560] iavf_watchdog_task+0x80b/0x1400 [iavf] - [566.242627] process_one_work+0x2b3/0x560 - [566.242663] worker_thread+0x4f/0x3a0 - [566.242696] kthread+0xf2/0x120 - [566.242730] ret_from_fork+0x29/0x50 - [566.242763] - -> #0 (&adapter->crit_lock){+.+.}-{3:3}: - [566.242815] __lock_acquire+0x15ff/0x22b0 - [566.242869] lock_acquire+0xd2/0x2c0 - [566.242901] __mutex_lock+0xc1/0xbb0 - [566.242934] iavf_close+0x3c/0x240 [iavf] - [566.242997] __dev_close_many+0xac/0x120 - [566.243036] dev_close_many+0x8b/0x140 - [566.243071] unregister_netdevice_many_notify+0x165/0x7c0 - [566.243116] unregister_netdevice_queue+0xd3/0x110 - [566.243157] iavf_remove+0x6c1/0x730 [iavf] - [566.243217] pci_device_remove+0x33/0xa0 - [566.243257] device_release_driver_internal+0x1bc/0x240 - [566.243299] pci_stop_bus_device+0x6c/0x90 - [566.243338] pci_stop_and_remove_bus_device+0xe/0x20 - [566.243380] pci_iov_remove_virtfn+0xd1/0x130 - [566.243417] sriov_disable+0x34/0xe0 - [566.243448] ice_free_vfs+0x2da/0x330 [ice] - [566.244383] ice_sriov_configure+0x88/0xad0 [ice] - [566.245353] sriov_numvfs_store+0xde/0x1d0 - [566.246156] kernfs_fop_write_iter+0x15e/0x210 - [566.246921] vfs_write+0x288/0x530 - [566.247671] ksys_write+0x74/0xf0 - [566.248408] do_syscall_64+0x58/0x80 - [566.249145] entry_SYSCALL_64_after_hwframe+0x72/0xdc - [566.249886] - other info that might help us debug this: - - [566.252014] Possible unsafe locking scenario: - - [566.253432] CPU0 CPU1 - [566.254118] ---- ---- - [566.254800] lock(rtnl_mutex); - [566.255514] lock(&adapter->crit_lock); - [566.256233] lock(rtnl_mutex); - [566.256897] lock(&adapter->crit_lock); - [566.257388] - *** DEADLOCK *** - -The deadlock can be triggered by a script that is continuously resetting -the VF adapter while doing other operations requiring RTNL, e.g: - - while :; do - ip link set $VF up - ethtool --set-channels $VF combined 2 - ip link set $VF down - ip link set $VF up - ethtool --set-channels $VF combined 4 - ip link set $VF down - done - -Any operation that triggers a reset can substitute "ethtool --set-channles" - -As a fix, add a new task "finish_config" that do all the work which -needs rtnl lock. With the exception of iavf_remove(), all work that -require rtnl should be called from this task. - -As for iavf_remove(), at the point where we need to call -unregister_netdevice() (and grab rtnl_lock), we make sure the finish_config -task is not running (cancel_work_sync()) to safely grab rtnl. Subsequent -finish_config work cannot restart after that since the task is guarded -by the __IAVF_IN_REMOVE_TASK bit in iavf_schedule_finish_config(). - -Fixes: 5ac49f3c2702 ("iavf: use mutexes for locking of critical sections") -Signed-off-by: Ahmed Zaki -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 + - drivers/net/ethernet/intel/iavf/iavf_main.c | 114 +++++++++++++----- - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + - 3 files changed, 85 insertions(+), 32 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index 2fe44e865d0a2..305675042fe55 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -255,6 +255,7 @@ struct iavf_adapter { - struct workqueue_struct *wq; - struct work_struct reset_task; - struct work_struct adminq_task; -+ struct work_struct finish_config; - struct delayed_work client_task; - wait_queue_head_t down_waitqueue; - wait_queue_head_t reset_waitqueue; -@@ -521,6 +522,7 @@ int iavf_process_config(struct iavf_adapter *adapter); - int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); - void iavf_schedule_reset(struct iavf_adapter *adapter); - void iavf_schedule_request_stats(struct iavf_adapter *adapter); -+void iavf_schedule_finish_config(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); - void iavf_set_ethtool_ops(struct net_device *netdev); - void iavf_update_stats(struct iavf_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index c2739071149de..0e201d690f0dd 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1702,10 +1702,10 @@ static int iavf_set_interrupt_capability(struct iavf_adapter *adapter) - adapter->msix_entries[vector].entry = vector; - - err = iavf_acquire_msix_vectors(adapter, v_budget); -+ if (!err) -+ iavf_schedule_finish_config(adapter); - - out: -- netif_set_real_num_rx_queues(adapter->netdev, pairs); -- netif_set_real_num_tx_queues(adapter->netdev, pairs); - return err; - } - -@@ -1925,9 +1925,7 @@ static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) - goto err_alloc_queues; - } - -- rtnl_lock(); - err = iavf_set_interrupt_capability(adapter); -- rtnl_unlock(); - if (err) { - dev_err(&adapter->pdev->dev, - "Unable to setup interrupt capabilities\n"); -@@ -2013,6 +2011,78 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool runni - return err; - } - -+/** -+ * iavf_finish_config - do all netdev work that needs RTNL -+ * @work: our work_struct -+ * -+ * Do work that needs both RTNL and crit_lock. -+ **/ -+static void iavf_finish_config(struct work_struct *work) -+{ -+ struct iavf_adapter *adapter; -+ int pairs, err; -+ -+ adapter = container_of(work, struct iavf_adapter, finish_config); -+ -+ /* Always take RTNL first to prevent circular lock dependency */ -+ rtnl_lock(); -+ mutex_lock(&adapter->crit_lock); -+ -+ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && -+ adapter->netdev_registered && -+ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { -+ netdev_update_features(adapter->netdev); -+ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ } -+ -+ switch (adapter->state) { -+ case __IAVF_DOWN: -+ if (!adapter->netdev_registered) { -+ err = register_netdevice(adapter->netdev); -+ if (err) { -+ dev_err(&adapter->pdev->dev, "Unable to register netdev (%d)\n", -+ err); -+ -+ /* go back and try again.*/ -+ iavf_free_rss(adapter); -+ iavf_free_misc_irq(adapter); -+ iavf_reset_interrupt_capability(adapter); -+ iavf_change_state(adapter, -+ __IAVF_INIT_CONFIG_ADAPTER); -+ goto out; -+ } -+ adapter->netdev_registered = true; -+ } -+ -+ /* Set the real number of queues when reset occurs while -+ * state == __IAVF_DOWN -+ */ -+ fallthrough; -+ case __IAVF_RUNNING: -+ pairs = adapter->num_active_queues; -+ netif_set_real_num_rx_queues(adapter->netdev, pairs); -+ netif_set_real_num_tx_queues(adapter->netdev, pairs); -+ break; -+ -+ default: -+ break; -+ } -+ -+out: -+ mutex_unlock(&adapter->crit_lock); -+ rtnl_unlock(); -+} -+ -+/** -+ * iavf_schedule_finish_config - Set the flags and schedule a reset event -+ * @adapter: board private structure -+ **/ -+void iavf_schedule_finish_config(struct iavf_adapter *adapter) -+{ -+ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) -+ queue_work(adapter->wq, &adapter->finish_config); -+} -+ - /** - * iavf_process_aq_command - process aq_required flags - * and sends aq command -@@ -2650,22 +2720,8 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - - netif_carrier_off(netdev); - adapter->link_up = false; -- -- /* set the semaphore to prevent any callbacks after device registration -- * up to time when state of driver will be set to __IAVF_DOWN -- */ -- rtnl_lock(); -- if (!adapter->netdev_registered) { -- err = register_netdevice(netdev); -- if (err) { -- rtnl_unlock(); -- goto err_register; -- } -- } -- -- adapter->netdev_registered = true; -- - netif_tx_stop_all_queues(netdev); -+ - if (CLIENT_ALLOWED(adapter)) { - err = iavf_lan_add_device(adapter); - if (err) -@@ -2678,7 +2734,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - - iavf_change_state(adapter, __IAVF_DOWN); - set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); -- rtnl_unlock(); - - iavf_misc_irq_enable(adapter); - wake_up(&adapter->down_waitqueue); -@@ -2698,10 +2753,11 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - /* request initial VLAN offload settings */ - iavf_set_vlan_offload_features(adapter, 0, netdev->features); - -+ iavf_schedule_finish_config(adapter); - return; -+ - err_mem: - iavf_free_rss(adapter); --err_register: - iavf_free_misc_irq(adapter); - err_sw_init: - iavf_reset_interrupt_capability(adapter); -@@ -2728,15 +2784,6 @@ static void iavf_watchdog_task(struct work_struct *work) - goto restart_watchdog; - } - -- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && -- adapter->netdev_registered && -- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && -- rtnl_trylock()) { -- netdev_update_features(adapter->netdev); -- rtnl_unlock(); -- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -- } -- - if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) - iavf_change_state(adapter, __IAVF_COMM_FAILED); - -@@ -4980,6 +5027,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - INIT_WORK(&adapter->reset_task, iavf_reset_task); - INIT_WORK(&adapter->adminq_task, iavf_adminq_task); -+ INIT_WORK(&adapter->finish_config, iavf_finish_config); - INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); - INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); - queue_delayed_work(adapter->wq, &adapter->watchdog_task, -@@ -5123,13 +5171,15 @@ static void iavf_remove(struct pci_dev *pdev) - usleep_range(500, 1000); - } - cancel_delayed_work_sync(&adapter->watchdog_task); -+ cancel_work_sync(&adapter->finish_config); - -+ rtnl_lock(); - if (adapter->netdev_registered) { -- rtnl_lock(); - unregister_netdevice(netdev); - adapter->netdev_registered = false; -- rtnl_unlock(); - } -+ rtnl_unlock(); -+ - if (CLIENT_ALLOWED(adapter)) { - err = iavf_lan_del_device(adapter); - if (err) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index eec7ac3b7f6ee..35419673b6987 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2237,6 +2237,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - - iavf_process_config(adapter); - adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ iavf_schedule_finish_config(adapter); - - iavf_set_queue_vlan_tag_loc(adapter); - --- -2.39.2 - diff --git a/queue-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/queue-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch deleted file mode 100644 index ce0bd2c31df..00000000000 --- a/queue-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch +++ /dev/null @@ -1,160 +0,0 @@ -From cc55115bcb0aa7ee5bb38c780a6de7795ff2f2b5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 May 2023 19:11:48 +0800 -Subject: iavf: Fix out-of-bounds when setting channels on remove - -From: Ding Hui - -[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] - -If we set channels greater during iavf_remove(), and waiting reset done -would be timeout, then returned with error but changed num_active_queues -directly, that will lead to OOB like the following logs. Because the -num_active_queues is greater than tx/rx_rings[] allocated actually. - -Reproducer: - - [root@host ~]# cat repro.sh - #!/bin/bash - - pf_dbsf="0000:41:00.0" - vf0_dbsf="0000:41:02.0" - g_pids=() - - function do_set_numvf() - { - echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - } - - function do_set_channel() - { - local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) - [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } - ifconfig $nic 192.168.18.5 netmask 255.255.255.0 - ifconfig $nic up - ethtool -L $nic combined 1 - ethtool -L $nic combined 4 - sleep $((RANDOM%3)) - } - - function on_exit() - { - local pid - for pid in "${g_pids[@]}"; do - kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null - done - g_pids=() - } - - trap "on_exit; exit" EXIT - - while :; do do_set_numvf ; done & - g_pids+=($!) - while :; do do_set_channel ; done & - g_pids+=($!) - - wait - -Result: - -[ 3506.152887] iavf 0000:41:02.0: Removing device -[ 3510.400799] ================================================================== -[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 -[ 3510.400823] -[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 -[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 -[ 3510.400835] Call Trace: -[ 3510.400851] dump_stack+0x71/0xab -[ 3510.400860] print_address_description+0x6b/0x290 -[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400868] kasan_report+0x14a/0x2b0 -[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] -[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] -[ 3510.400891] ? wait_woken+0x1d0/0x1d0 -[ 3510.400895] ? notifier_call_chain+0xc1/0x130 -[ 3510.400903] pci_device_remove+0xa8/0x1f0 -[ 3510.400910] device_release_driver_internal+0x1c6/0x460 -[ 3510.400916] pci_stop_bus_device+0x101/0x150 -[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 -[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 -[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 -[ 3510.400929] ? pci_get_subsys+0x90/0x90 -[ 3510.400932] sriov_disable+0xed/0x3e0 -[ 3510.400936] ? bus_find_device+0x12d/0x1a0 -[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] -[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] -[ 3510.400968] ? pci_get_device+0x7c/0x90 -[ 3510.400970] ? pci_get_subsys+0x90/0x90 -[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 -[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 -[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 3510.401001] sriov_numvfs_store+0x214/0x290 -[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 -[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 -[ 3510.401011] ? __check_object_size+0x15a/0x350 -[ 3510.401018] kernfs_fop_write+0x280/0x3f0 -[ 3510.401022] vfs_write+0x145/0x440 -[ 3510.401025] ksys_write+0xab/0x160 -[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 -[ 3510.401031] ? fput_many+0x1a/0x120 -[ 3510.401032] ? filp_close+0xf0/0x130 -[ 3510.401038] do_syscall_64+0xa0/0x370 -[ 3510.401041] ? page_fault+0x8/0x30 -[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 -[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 -[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 -[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 -[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 -[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 -[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 -[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 -[ 3510.401090] -[ 3510.401093] Allocated by task 76795: -[ 3510.401098] kasan_kmalloc+0xa6/0xd0 -[ 3510.401099] __kmalloc+0xfb/0x200 -[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] -[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] -[ 3510.401114] process_one_work+0x56a/0x11f0 -[ 3510.401115] worker_thread+0x8f/0xf40 -[ 3510.401117] kthread+0x2a0/0x390 -[ 3510.401119] ret_from_fork+0x1f/0x40 -[ 3510.401122] 0xffffffffffffffff -[ 3510.401123] - -In timeout handling, we should keep the original num_active_queues -and reset num_req_queues to 0. - -Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") -Signed-off-by: Ding Hui -Cc: Donglin Peng -Cc: Huang Cun -Reviewed-by: Leon Romanovsky -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index 83cfc54a47062..4746ee517c75a 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -1863,7 +1863,7 @@ static int iavf_set_channels(struct net_device *netdev, - } - if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { - adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; -- adapter->num_active_queues = num_req; -+ adapter->num_req_queues = 0; - return -EOPNOTSUPP; - } - --- -2.39.2 - diff --git a/queue-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch b/queue-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch deleted file mode 100644 index 0e837151f9f..00000000000 --- a/queue-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch +++ /dev/null @@ -1,190 +0,0 @@ -From 045d5f68bcd8b2284e19c86bfd77bc8ae236d467 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:26 -0400 -Subject: iavf: fix reset task race with iavf_remove() - -From: Ahmed Zaki - -[ Upstream commit c34743daca0eb1dc855831a5210f0800a850088e ] - -The reset task is currently scheduled from the watchdog or adminq tasks. -First, all direct calls to schedule the reset task are replaced with the -iavf_schedule_reset(), which is modified to accept the flag showing the -type of reset. - -To prevent the reset task from starting once iavf_remove() starts, we need -to check the __IAVF_IN_REMOVE_TASK bit before we schedule it. This is now -easily added to iavf_schedule_reset(). - -Finally, remove the check for IAVF_FLAG_RESET_NEEDED in the watchdog task. -It is redundant since all callers who set the flag immediately schedules -the reset task. - -Fixes: 3ccd54ef44eb ("iavf: Fix init state closure on remove") -Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") -Signed-off-by: Ahmed Zaki -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 +- - .../net/ethernet/intel/iavf/iavf_ethtool.c | 8 ++--- - drivers/net/ethernet/intel/iavf/iavf_main.c | 32 +++++++------------ - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 3 +- - 4 files changed, 16 insertions(+), 29 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index 305675042fe55..543931c06bb17 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -520,7 +520,7 @@ int iavf_up(struct iavf_adapter *adapter); - void iavf_down(struct iavf_adapter *adapter); - int iavf_process_config(struct iavf_adapter *adapter); - int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); --void iavf_schedule_reset(struct iavf_adapter *adapter); -+void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); - void iavf_schedule_request_stats(struct iavf_adapter *adapter); - void iavf_schedule_finish_config(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index 73219c5069290..fd6d6f6263f66 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -532,8 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - /* issue a reset to force legacy-rx change to take effect */ - if (changed_flags & IAVF_FLAG_LEGACY_RX) { - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret) - netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); -@@ -676,8 +675,7 @@ static int iavf_set_ringparam(struct net_device *netdev, - } - - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret) - netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); -@@ -1860,7 +1858,7 @@ static int iavf_set_channels(struct net_device *netdev, - - adapter->num_req_queues = num_req; - adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - - ret = iavf_wait_for_reset(adapter); - if (ret) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 0e201d690f0dd..c1f91c55e1ca7 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -309,12 +309,14 @@ static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) - /** - * iavf_schedule_reset - Set the flags and schedule a reset event - * @adapter: board private structure -+ * @flags: IAVF_FLAG_RESET_PENDING or IAVF_FLAG_RESET_NEEDED - **/ --void iavf_schedule_reset(struct iavf_adapter *adapter) -+void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) - { -- if (!(adapter->flags & -- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -+ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && -+ !(adapter->flags & -+ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { -+ adapter->flags |= flags; - queue_work(adapter->wq, &adapter->reset_task); - } - } -@@ -342,7 +344,7 @@ static void iavf_tx_timeout(struct net_device *netdev, unsigned int txqueue) - struct iavf_adapter *adapter = netdev_priv(netdev); - - adapter->tx_timeout_count++; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - } - - /** -@@ -2490,7 +2492,7 @@ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter) - adapter->vsi_res->num_queue_pairs); - adapter->flags |= IAVF_FLAG_REINIT_MSIX_NEEDED; - adapter->num_req_queues = adapter->vsi_res->num_queue_pairs; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - - return -EAGAIN; - } -@@ -2787,14 +2789,6 @@ static void iavf_watchdog_task(struct work_struct *work) - if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) - iavf_change_state(adapter, __IAVF_COMM_FAILED); - -- if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { -- adapter->aq_required = 0; -- adapter->current_op = VIRTCHNL_OP_UNKNOWN; -- mutex_unlock(&adapter->crit_lock); -- queue_work(adapter->wq, &adapter->reset_task); -- return; -- } -- - switch (adapter->state) { - case __IAVF_STARTUP: - iavf_startup(adapter); -@@ -2922,11 +2916,10 @@ static void iavf_watchdog_task(struct work_struct *work) - /* check for hw reset */ - reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK; - if (!reg_val) { -- adapter->flags |= IAVF_FLAG_RESET_PENDING; - adapter->aq_required = 0; - adapter->current_op = VIRTCHNL_OP_UNKNOWN; - dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); - mutex_unlock(&adapter->crit_lock); - queue_delayed_work(adapter->wq, - &adapter->watchdog_task, HZ * 2); -@@ -3324,9 +3317,7 @@ static void iavf_adminq_task(struct work_struct *work) - } while (pending); - mutex_unlock(&adapter->crit_lock); - -- if ((adapter->flags & -- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || -- adapter->state == __IAVF_RESETTING) -+ if (iavf_is_reset_in_progress(adapter)) - goto freedom; - - /* check for error indications */ -@@ -4423,8 +4414,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - } - - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret < 0) - netdev_warn(netdev, "MTU change interrupted waiting for reset"); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 35419673b6987..2fc8e60ef6afb 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -1961,9 +1961,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - case VIRTCHNL_EVENT_RESET_IMPENDING: - dev_info(&adapter->pdev->dev, "Reset indication received from the PF\n"); - if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { -- adapter->flags |= IAVF_FLAG_RESET_PENDING; - dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); - } - break; - default: --- -2.39.2 - diff --git a/queue-6.1/iavf-fix-use-after-free-in-free_netdev.patch b/queue-6.1/iavf-fix-use-after-free-in-free_netdev.patch deleted file mode 100644 index 4191b7d0987..00000000000 --- a/queue-6.1/iavf-fix-use-after-free-in-free_netdev.patch +++ /dev/null @@ -1,215 +0,0 @@ -From 65df986e4dd0e7534d9caca118a4603cfb45336b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 May 2023 19:11:47 +0800 -Subject: iavf: Fix use-after-free in free_netdev - -From: Ding Hui - -[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] - -We do netif_napi_add() for all allocated q_vectors[], but potentially -do netif_napi_del() for part of them, then kfree q_vectors and leave -invalid pointers at dev->napi_list. - -Reproducer: - - [root@host ~]# cat repro.sh - #!/bin/bash - - pf_dbsf="0000:41:00.0" - vf0_dbsf="0000:41:02.0" - g_pids=() - - function do_set_numvf() - { - echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - } - - function do_set_channel() - { - local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) - [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } - ifconfig $nic 192.168.18.5 netmask 255.255.255.0 - ifconfig $nic up - ethtool -L $nic combined 1 - ethtool -L $nic combined 4 - sleep $((RANDOM%3)) - } - - function on_exit() - { - local pid - for pid in "${g_pids[@]}"; do - kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null - done - g_pids=() - } - - trap "on_exit; exit" EXIT - - while :; do do_set_numvf ; done & - g_pids+=($!) - while :; do do_set_channel ; done & - g_pids+=($!) - - wait - -Result: - -[ 4093.900222] ================================================================== -[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 -[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 -[ 4093.900233] -[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 -[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 -[ 4093.900239] Call Trace: -[ 4093.900244] dump_stack+0x71/0xab -[ 4093.900249] print_address_description+0x6b/0x290 -[ 4093.900251] ? free_netdev+0x308/0x390 -[ 4093.900252] kasan_report+0x14a/0x2b0 -[ 4093.900254] free_netdev+0x308/0x390 -[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] -[ 4093.900265] pci_device_remove+0xa8/0x1f0 -[ 4093.900268] device_release_driver_internal+0x1c6/0x460 -[ 4093.900271] pci_stop_bus_device+0x101/0x150 -[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 -[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 -[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 -[ 4093.900278] ? pci_get_subsys+0x90/0x90 -[ 4093.900280] sriov_disable+0xed/0x3e0 -[ 4093.900282] ? bus_find_device+0x12d/0x1a0 -[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] -[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] -[ 4093.900299] ? pci_get_device+0x7c/0x90 -[ 4093.900300] ? pci_get_subsys+0x90/0x90 -[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 -[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 -[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 4093.900318] sriov_numvfs_store+0x214/0x290 -[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 -[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 -[ 4093.900323] ? __check_object_size+0x15a/0x350 -[ 4093.900326] kernfs_fop_write+0x280/0x3f0 -[ 4093.900329] vfs_write+0x145/0x440 -[ 4093.900330] ksys_write+0xab/0x160 -[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 -[ 4093.900334] ? fput_many+0x1a/0x120 -[ 4093.900335] ? filp_close+0xf0/0x130 -[ 4093.900338] do_syscall_64+0xa0/0x370 -[ 4093.900339] ? page_fault+0x8/0x30 -[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 -[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 -[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 -[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 -[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 -[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 -[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 -[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 -[ 4093.900367] -[ 4093.900368] Allocated by task 820: -[ 4093.900371] kasan_kmalloc+0xa6/0xd0 -[ 4093.900373] __kmalloc+0xfb/0x200 -[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] -[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] -[ 4093.900382] process_one_work+0x56a/0x11f0 -[ 4093.900383] worker_thread+0x8f/0xf40 -[ 4093.900384] kthread+0x2a0/0x390 -[ 4093.900385] ret_from_fork+0x1f/0x40 -[ 4093.900387] 0xffffffffffffffff -[ 4093.900387] -[ 4093.900388] Freed by task 6699: -[ 4093.900390] __kasan_slab_free+0x137/0x190 -[ 4093.900391] kfree+0x8b/0x1b0 -[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] -[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] -[ 4093.900399] pci_device_remove+0xa8/0x1f0 -[ 4093.900400] device_release_driver_internal+0x1c6/0x460 -[ 4093.900401] pci_stop_bus_device+0x101/0x150 -[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 -[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 -[ 4093.900404] sriov_disable+0xed/0x3e0 -[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] -[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 4093.900416] sriov_numvfs_store+0x214/0x290 -[ 4093.900417] kernfs_fop_write+0x280/0x3f0 -[ 4093.900418] vfs_write+0x145/0x440 -[ 4093.900419] ksys_write+0xab/0x160 -[ 4093.900420] do_syscall_64+0xa0/0x370 -[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 4093.900422] 0xffffffffffffffff -[ 4093.900422] -[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 - which belongs to the cache kmalloc-8k of size 8192 -[ 4093.900425] The buggy address is located 5184 bytes inside of - 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) -[ 4093.900425] The buggy address belongs to the page: -[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 -[ 4093.900430] flags: 0x10000000008100(slab|head) -[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 -[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 -[ 4093.900434] page dumped because: kasan: bad access detected -[ 4093.900435] -[ 4093.900435] Memory state around the buggy address: -[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900438] ^ -[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900440] ================================================================== - -Although the patch #2 (of 2) can avoid the issue triggered by this -repro.sh, there still are other potential risks that if num_active_queues -is changed to less than allocated q_vectors[] by unexpected, the -mismatched netif_napi_add/del() can also cause UAF. - -Since we actually call netif_napi_add() for all allocated q_vectors -unconditionally in iavf_alloc_q_vectors(), so we should fix it by -letting netif_napi_del() match to netif_napi_add(). - -Fixes: 5eae00c57f5e ("i40evf: main driver core") -Signed-off-by: Ding Hui -Cc: Donglin Peng -Cc: Huang Cun -Reviewed-by: Simon Horman -Reviewed-by: Madhu Chittim -Reviewed-by: Leon Romanovsky -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 965d02d7ff80f..81676c3af4b36 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1840,19 +1840,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) - static void iavf_free_q_vectors(struct iavf_adapter *adapter) - { - int q_idx, num_q_vectors; -- int napi_vectors; - - if (!adapter->q_vectors) - return; - - num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; -- napi_vectors = adapter->num_active_queues; - - for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { - struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; - -- if (q_idx < napi_vectors) -- netif_napi_del(&q_vector->napi); -+ netif_napi_del(&q_vector->napi); - } - kfree(adapter->q_vectors); - adapter->q_vectors = NULL; --- -2.39.2 - diff --git a/queue-6.1/iavf-make-functions-static-where-possible.patch b/queue-6.1/iavf-make-functions-static-where-possible.patch deleted file mode 100644 index 4105b0d4bab..00000000000 --- a/queue-6.1/iavf-make-functions-static-where-possible.patch +++ /dev/null @@ -1,223 +0,0 @@ -From 97d8a9e529256a00151bc682e79efba868de17a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 08:54:05 -0700 -Subject: iavf: make functions static where possible - -From: Przemek Kitszel - -[ Upstream commit a4aadf0f5905661cd25c366b96cc1c840f05b756 ] - -Make all possible functions static. - -Move iavf_force_wb() up to avoid forward declaration. - -Suggested-by: Maciej Fijalkowski -Reviewed-by: Maciej Fijalkowski -Signed-off-by: Przemek Kitszel -Signed-off-by: Tony Nguyen -Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 10 ----- - drivers/net/ethernet/intel/iavf/iavf_main.c | 14 +++---- - drivers/net/ethernet/intel/iavf/iavf_txrx.c | 43 ++++++++++----------- - drivers/net/ethernet/intel/iavf/iavf_txrx.h | 4 -- - 4 files changed, 28 insertions(+), 43 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index 6625625f91e47..a716ed6bb787d 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -523,9 +523,6 @@ void iavf_schedule_request_stats(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); - void iavf_set_ethtool_ops(struct net_device *netdev); - void iavf_update_stats(struct iavf_adapter *adapter); --void iavf_reset_interrupt_capability(struct iavf_adapter *adapter); --int iavf_init_interrupt_scheme(struct iavf_adapter *adapter); --void iavf_irq_enable_queues(struct iavf_adapter *adapter); - void iavf_free_all_tx_resources(struct iavf_adapter *adapter); - void iavf_free_all_rx_resources(struct iavf_adapter *adapter); - -@@ -579,17 +576,10 @@ void iavf_enable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_disable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_enable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_disable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); --int iavf_replace_primary_mac(struct iavf_adapter *adapter, -- const u8 *new_mac); --void --iavf_set_vlan_offload_features(struct iavf_adapter *adapter, -- netdev_features_t prev_features, -- netdev_features_t features); - void iavf_add_fdir_filter(struct iavf_adapter *adapter); - void iavf_del_fdir_filter(struct iavf_adapter *adapter); - void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); - void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); - struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - const u8 *macaddr); --int iavf_lock_timeout(struct mutex *lock, unsigned int msecs); - #endif /* _IAVF_H_ */ -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 68e951fe5e210..d5b1dcfe0ccdd 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -253,7 +253,7 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw, - * - * Returns 0 on success, negative on failure - **/ --int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) -+static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) - { - unsigned int wait, delay = 10; - -@@ -362,7 +362,7 @@ static void iavf_irq_disable(struct iavf_adapter *adapter) - * iavf_irq_enable_queues - Enable interrupt for all queues - * @adapter: board private structure - **/ --void iavf_irq_enable_queues(struct iavf_adapter *adapter) -+static void iavf_irq_enable_queues(struct iavf_adapter *adapter) - { - struct iavf_hw *hw = &adapter->hw; - int i; -@@ -1003,8 +1003,8 @@ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - * - * Do not call this with mac_vlan_list_lock! - **/ --int iavf_replace_primary_mac(struct iavf_adapter *adapter, -- const u8 *new_mac) -+static int iavf_replace_primary_mac(struct iavf_adapter *adapter, -+ const u8 *new_mac) - { - struct iavf_hw *hw = &adapter->hw; - struct iavf_mac_filter *f; -@@ -1860,7 +1860,7 @@ static void iavf_free_q_vectors(struct iavf_adapter *adapter) - * @adapter: board private structure - * - **/ --void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) -+static void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) - { - if (!adapter->msix_entries) - return; -@@ -1875,7 +1875,7 @@ void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) - * @adapter: board private structure to initialize - * - **/ --int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) -+static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) - { - int err; - -@@ -2174,7 +2174,7 @@ static int iavf_process_aq_command(struct iavf_adapter *adapter) - * the watchdog if any changes are requested to expedite the request via - * virtchnl. - **/ --void -+static void - iavf_set_vlan_offload_features(struct iavf_adapter *adapter, - netdev_features_t prev_features, - netdev_features_t features) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c -index e989feda133c1..8c5f6096b0022 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c -@@ -54,7 +54,7 @@ static void iavf_unmap_and_free_tx_resource(struct iavf_ring *ring, - * iavf_clean_tx_ring - Free any empty Tx buffers - * @tx_ring: ring to be cleaned - **/ --void iavf_clean_tx_ring(struct iavf_ring *tx_ring) -+static void iavf_clean_tx_ring(struct iavf_ring *tx_ring) - { - unsigned long bi_size; - u16 i; -@@ -110,7 +110,7 @@ void iavf_free_tx_resources(struct iavf_ring *tx_ring) - * Since there is no access to the ring head register - * in XL710, we need to use our local copies - **/ --u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) -+static u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) - { - u32 head, tail; - -@@ -127,6 +127,24 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) - return 0; - } - -+/** -+ * iavf_force_wb - Issue SW Interrupt so HW does a wb -+ * @vsi: the VSI we care about -+ * @q_vector: the vector on which to force writeback -+ **/ -+static void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) -+{ -+ u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | -+ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ -+ IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | -+ IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK -+ /* allow 00 to be written to the index */; -+ -+ wr32(&vsi->back->hw, -+ IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), -+ val); -+} -+ - /** - * iavf_detect_recover_hung - Function to detect and recover hung_queues - * @vsi: pointer to vsi struct with tx queues -@@ -352,25 +370,6 @@ static void iavf_enable_wb_on_itr(struct iavf_vsi *vsi, - q_vector->arm_wb_state = true; - } - --/** -- * iavf_force_wb - Issue SW Interrupt so HW does a wb -- * @vsi: the VSI we care about -- * @q_vector: the vector on which to force writeback -- * -- **/ --void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) --{ -- u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | -- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ -- IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | -- IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK -- /* allow 00 to be written to the index */; -- -- wr32(&vsi->back->hw, -- IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), -- val); --} -- - static inline bool iavf_container_is_rx(struct iavf_q_vector *q_vector, - struct iavf_ring_container *rc) - { -@@ -687,7 +686,7 @@ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring) - * iavf_clean_rx_ring - Free Rx buffers - * @rx_ring: ring to be cleaned - **/ --void iavf_clean_rx_ring(struct iavf_ring *rx_ring) -+static void iavf_clean_rx_ring(struct iavf_ring *rx_ring) - { - unsigned long bi_size; - u16 i; -diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h -index 2624bf6d009e3..7e6ee32d19b69 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h -+++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h -@@ -442,15 +442,11 @@ static inline unsigned int iavf_rx_pg_order(struct iavf_ring *ring) - - bool iavf_alloc_rx_buffers(struct iavf_ring *rxr, u16 cleaned_count); - netdev_tx_t iavf_xmit_frame(struct sk_buff *skb, struct net_device *netdev); --void iavf_clean_tx_ring(struct iavf_ring *tx_ring); --void iavf_clean_rx_ring(struct iavf_ring *rx_ring); - int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring); - int iavf_setup_rx_descriptors(struct iavf_ring *rx_ring); - void iavf_free_tx_resources(struct iavf_ring *tx_ring); - void iavf_free_rx_resources(struct iavf_ring *rx_ring); - int iavf_napi_poll(struct napi_struct *napi, int budget); --void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector); --u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw); - void iavf_detect_recover_hung(struct iavf_vsi *vsi); - int __iavf_maybe_stop_tx(struct iavf_ring *tx_ring, int size); - bool __iavf_chk_linearize(struct sk_buff *skb); --- -2.39.2 - diff --git a/queue-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch b/queue-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch deleted file mode 100644 index 8927af5c4e9..00000000000 --- a/queue-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 5491562d5578b2fc118790482f43fbde751e023f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 3 Jan 2023 17:42:27 +0100 -Subject: iavf: Move netdev_update_features() into watchdog task - -From: Marcin Szycik - -[ Upstream commit 7598f4b40bd60e4a4280de645eb2893eea80b59d ] - -Remove netdev_update_features() from iavf_adminq_task(), as it can cause -deadlocks due to needing rtnl_lock. Instead use the -IAVF_FLAG_SETUP_NETDEV_FEATURES flag to indicate that netdev features need -to be updated in the watchdog task. iavf_set_vlan_offload_features() -and iavf_set_queue_vlan_tag_loc() can be called directly from -iavf_virtchnl_completion(). - -Suggested-by: Phani Burra -Signed-off-by: Marcin Szycik -Reviewed-by: Alexander Lobakin -Tested-by: Marek Szlosek -Signed-off-by: Tony Nguyen -Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_main.c | 27 +++++++------------ - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 8 ++++++ - 2 files changed, 17 insertions(+), 18 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 104de9a071449..68e951fe5e210 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -2689,6 +2689,15 @@ static void iavf_watchdog_task(struct work_struct *work) - goto restart_watchdog; - } - -+ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && -+ adapter->netdev_registered && -+ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && -+ rtnl_trylock()) { -+ netdev_update_features(adapter->netdev); -+ rtnl_unlock(); -+ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ } -+ - if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) - iavf_change_state(adapter, __IAVF_COMM_FAILED); - -@@ -3228,24 +3237,6 @@ static void iavf_adminq_task(struct work_struct *work) - } while (pending); - mutex_unlock(&adapter->crit_lock); - -- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES)) { -- if (adapter->netdev_registered || -- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { -- struct net_device *netdev = adapter->netdev; -- -- rtnl_lock(); -- netdev_update_features(netdev); -- rtnl_unlock(); -- /* Request VLAN offload settings */ -- if (VLAN_V2_ALLOWED(adapter)) -- iavf_set_vlan_offload_features -- (adapter, 0, netdev->features); -- -- iavf_set_queue_vlan_tag_loc(adapter); -- } -- -- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -- } - if ((adapter->flags & - (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || - adapter->state == __IAVF_RESETTING) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 00dccdd290dce..07d37402a0df5 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2237,6 +2237,14 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - - iavf_process_config(adapter); - adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ -+ /* Request VLAN offload settings */ -+ if (VLAN_V2_ALLOWED(adapter)) -+ iavf_set_vlan_offload_features(adapter, 0, -+ netdev->features); -+ -+ iavf_set_queue_vlan_tag_loc(adapter); -+ - was_mac_changed = !ether_addr_equal(netdev->dev_addr, - adapter->hw.mac.addr); - --- -2.39.2 - diff --git a/queue-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch b/queue-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch deleted file mode 100644 index 1ee405d4c13..00000000000 --- a/queue-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch +++ /dev/null @@ -1,66 +0,0 @@ -From c45878593282d7f12a92cae3b219aeb3889e32f7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Apr 2023 12:09:39 -0600 -Subject: iavf: send VLAN offloading caps once after VFR - -From: Ahmed Zaki - -[ Upstream commit 7dcbdf29282fbcdb646dc785e8a57ed2c2fec8ba ] - -When the user disables rxvlan offloading and then changes the number of -channels, all VLAN ports are unable to receive traffic. - -Changing the number of channels triggers a VFR reset. During re-init, when -VIRTCHNL_OP_GET_OFFLOAD_VLAN_V2_CAPS is received, we do: -1 - set the IAVF_FLAG_SETUP_NETDEV_FEATURES flag -2 - call - iavf_set_vlan_offload_features(adapter, 0, netdev->features); - -The second step sends to the PF the __default__ features, in this case -aq_required |= IAVF_FLAG_AQ_ENABLE_CTAG_VLAN_STRIPPING - -While the first step forces the watchdog task to call -netdev_update_features() -> iavf_set_features() -> -iavf_set_vlan_offload_features(adapter, netdev->features, features). -Since the user disabled the "rxvlan", this sets: -aq_required |= IAVF_FLAG_AQ_DISABLE_CTAG_VLAN_STRIPPING - -When we start processing the AQ commands, both flags are enabled. Since we -process DISABLE_XTAG first then ENABLE_XTAG, this results in the PF -enabling the rxvlan offload. This breaks all communications on the VLAN -net devices. - -Fix by removing the call to iavf_set_vlan_offload_features() (second -step). Calling netdev_update_features() from watchdog task is enough for -both init and reset paths. - -Fixes: 7598f4b40bd6 ("iavf: Move netdev_update_features() into watchdog task") -Signed-off-by: Ahmed Zaki -Tested-by: Rafal Romanowski -Reviewed-by: Leon Romanovsky -Signed-off-by: Tony Nguyen -Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 07d37402a0df5..7b34111fd4eb1 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2238,11 +2238,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - iavf_process_config(adapter); - adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; - -- /* Request VLAN offload settings */ -- if (VLAN_V2_ALLOWED(adapter)) -- iavf_set_vlan_offload_features(adapter, 0, -- netdev->features); -- - iavf_set_queue_vlan_tag_loc(adapter); - - was_mac_changed = !ether_addr_equal(netdev->dev_addr, --- -2.39.2 - diff --git a/queue-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch b/queue-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch deleted file mode 100644 index a24bcc616ba..00000000000 --- a/queue-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 7af6ff049c18a0c4e3e4a80b523c331617b48a6f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 15:46:02 -0600 -Subject: iavf: use internal state to free traffic IRQs - -From: Ahmed Zaki - -[ Upstream commit a77ed5c5b768e9649be240a2d864e5cd9c6a2015 ] - -If the system tries to close the netdev while iavf_reset_task() is -running, __LINK_STATE_START will be cleared and netif_running() will -return false in iavf_reinit_interrupt_scheme(). This will result in -iavf_free_traffic_irqs() not being called and a leak as follows: - - [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' - [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 - -is shown when pci_disable_msix() is later called. Fix by using the -internal adapter state. The traffic IRQs will always exist if -state == __IAVF_RUNNING. - -Fixes: 5b36e8d04b44 ("i40evf: Enable VF to request an alternate queue allocation") -Signed-off-by: Ahmed Zaki -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 81676c3af4b36..104de9a071449 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1941,15 +1941,16 @@ static void iavf_free_rss(struct iavf_adapter *adapter) - /** - * iavf_reinit_interrupt_scheme - Reallocate queues and vectors - * @adapter: board private structure -+ * @running: true if adapter->state == __IAVF_RUNNING - * - * Returns 0 on success, negative on failure - **/ --static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter) -+static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool running) - { - struct net_device *netdev = adapter->netdev; - int err; - -- if (netif_running(netdev)) -+ if (running) - iavf_free_traffic_irqs(adapter); - iavf_free_misc_irq(adapter); - iavf_reset_interrupt_capability(adapter); -@@ -3056,7 +3057,7 @@ static void iavf_reset_task(struct work_struct *work) - - if ((adapter->flags & IAVF_FLAG_REINIT_MSIX_NEEDED) || - (adapter->flags & IAVF_FLAG_REINIT_ITR_NEEDED)) { -- err = iavf_reinit_interrupt_scheme(adapter); -+ err = iavf_reinit_interrupt_scheme(adapter, running); - if (err) - goto reset_err; - } --- -2.39.2 - diff --git a/queue-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch b/queue-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch deleted file mode 100644 index 4ff53643af2..00000000000 --- a/queue-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch +++ /dev/null @@ -1,253 +0,0 @@ -From 666e6a1e4dfcf28dffd3be1e4128f2dde21ee8cb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:22 -0400 -Subject: iavf: Wait for reset in callbacks which trigger it - -From: Marcin Szycik - -[ Upstream commit c2ed2403f12c74a74a0091ed5d830e72c58406e8 ] - -There was a fail when trying to add the interface to bonding -right after changing the MTU on the interface. It was caused -by bonding interface unable to open the interface due to -interface being in __RESETTING state because of MTU change. - -Add new reset_waitqueue to indicate that reset has finished. - -Add waiting for reset to finish in callbacks which trigger hw reset: -iavf_set_priv_flags(), iavf_change_mtu() and iavf_set_ringparam(). -We use a 5000ms timeout period because on Hyper-V based systems, -this operation takes around 3000-4000ms. In normal circumstances, -it doesn't take more than 500ms to complete. - -Add a function iavf_wait_for_reset() to reuse waiting for reset code and -use it also in iavf_set_channels(), which already waits for reset. -We don't use error handling in iavf_set_channels() as this could -cause the device to be in incorrect state if the reset was scheduled -but hit timeout or the waitng function was interrupted by a signal. - -Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") -Signed-off-by: Marcin Szycik -Co-developed-by: Dawid Wesierski -Signed-off-by: Dawid Wesierski -Signed-off-by: Sylwester Dziedziuch -Signed-off-by: Kamil Maziarz -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 + - .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 ++++++----- - drivers/net/ethernet/intel/iavf/iavf_main.c | 51 ++++++++++++++++++- - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + - 4 files changed, 68 insertions(+), 17 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index a716ed6bb787d..2fe44e865d0a2 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -257,6 +257,7 @@ struct iavf_adapter { - struct work_struct adminq_task; - struct delayed_work client_task; - wait_queue_head_t down_waitqueue; -+ wait_queue_head_t reset_waitqueue; - wait_queue_head_t vc_waitqueue; - struct iavf_q_vector *q_vectors; - struct list_head vlan_filter_list; -@@ -582,4 +583,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); - void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); - struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - const u8 *macaddr); -+int iavf_wait_for_reset(struct iavf_adapter *adapter); - #endif /* _IAVF_H_ */ -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index 4746ee517c75a..73219c5069290 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -484,6 +484,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 orig_flags, new_flags, changed_flags; -+ int ret = 0; - u32 i; - - orig_flags = READ_ONCE(adapter->flags); -@@ -533,10 +534,13 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); - } - } - -- return 0; -+ return ret; - } - - /** -@@ -627,6 +631,7 @@ static int iavf_set_ringparam(struct net_device *netdev, - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 new_rx_count, new_tx_count; -+ int ret = 0; - - if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) - return -EINVAL; -@@ -673,9 +678,12 @@ static int iavf_set_ringparam(struct net_device *netdev, - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); - } - -- return 0; -+ return ret; - } - - /** -@@ -1830,7 +1838,7 @@ static int iavf_set_channels(struct net_device *netdev, - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 num_req = ch->combined_count; -- int i; -+ int ret = 0; - - if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && - adapter->num_tc) { -@@ -1854,20 +1862,11 @@ static int iavf_set_channels(struct net_device *netdev, - adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; - iavf_schedule_reset(adapter); - -- /* wait for the reset is done */ -- for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) { -- msleep(IAVF_RESET_WAIT_MS); -- if (adapter->flags & IAVF_FLAG_RESET_PENDING) -- continue; -- break; -- } -- if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { -- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; -- adapter->num_req_queues = 0; -- return -EOPNOTSUPP; -- } -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset"); - -- return 0; -+ return ret; - } - - /** -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index d5b1dcfe0ccdd..c2739071149de 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -166,6 +166,45 @@ static struct iavf_adapter *iavf_pdev_to_adapter(struct pci_dev *pdev) - return netdev_priv(pci_get_drvdata(pdev)); - } - -+/** -+ * iavf_is_reset_in_progress - Check if a reset is in progress -+ * @adapter: board private structure -+ */ -+static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) -+{ -+ if (adapter->state == __IAVF_RESETTING || -+ adapter->flags & (IAVF_FLAG_RESET_PENDING | -+ IAVF_FLAG_RESET_NEEDED)) -+ return true; -+ -+ return false; -+} -+ -+/** -+ * iavf_wait_for_reset - Wait for reset to finish. -+ * @adapter: board private structure -+ * -+ * Returns 0 if reset finished successfully, negative on timeout or interrupt. -+ */ -+int iavf_wait_for_reset(struct iavf_adapter *adapter) -+{ -+ int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, -+ !iavf_is_reset_in_progress(adapter), -+ msecs_to_jiffies(5000)); -+ -+ /* If ret < 0 then it means wait was interrupted. -+ * If ret == 0 then it means we got a timeout while waiting -+ * for reset to finish. -+ * If ret > 0 it means reset has finished. -+ */ -+ if (ret > 0) -+ return 0; -+ else if (ret < 0) -+ return -EINTR; -+ else -+ return -EBUSY; -+} -+ - /** - * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code - * @hw: pointer to the HW structure -@@ -3161,6 +3200,7 @@ static void iavf_reset_task(struct work_struct *work) - - adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; - -+ wake_up(&adapter->reset_waitqueue); - mutex_unlock(&adapter->client_lock); - mutex_unlock(&adapter->crit_lock); - -@@ -4325,6 +4365,7 @@ static int iavf_close(struct net_device *netdev) - static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - { - struct iavf_adapter *adapter = netdev_priv(netdev); -+ int ret = 0; - - netdev_dbg(netdev, "changing MTU from %d to %d\n", - netdev->mtu, new_mtu); -@@ -4337,9 +4378,14 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret < 0) -+ netdev_warn(netdev, "MTU change interrupted waiting for reset"); -+ else if (ret) -+ netdev_warn(netdev, "MTU change timed out waiting for reset"); - } - -- return 0; -+ return ret; - } - - #define NETIF_VLAN_OFFLOAD_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \ -@@ -4942,6 +4988,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - /* Setup the wait queue for indicating transition to down status */ - init_waitqueue_head(&adapter->down_waitqueue); - -+ /* Setup the wait queue for indicating transition to running state */ -+ init_waitqueue_head(&adapter->reset_waitqueue); -+ - /* Setup the wait queue for indicating virtchannel events */ - init_waitqueue_head(&adapter->vc_waitqueue); - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 7b34111fd4eb1..eec7ac3b7f6ee 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2285,6 +2285,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - case VIRTCHNL_OP_ENABLE_QUEUES: - /* enable transmits */ - iavf_irq_enable(adapter, true); -+ wake_up(&adapter->reset_waitqueue); - adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; - break; - case VIRTCHNL_OP_DISABLE_QUEUES: --- -2.39.2 - diff --git a/queue-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch deleted file mode 100644 index 0017c58f975..00000000000 --- a/queue-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 1fce30757b3c297f96e47f71e0c036d447f63664 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 10:47:32 -0700 -Subject: igb: Fix igb_down hung on surprise removal - -From: Ying Hsu - -[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] - -In a setup where a Thunderbolt hub connects to Ethernet and a display -through USB Type-C, users may experience a hung task timeout when they -remove the cable between the PC and the Thunderbolt hub. -This is because the igb_down function is called multiple times when -the Thunderbolt hub is unplugged. For example, the igb_io_error_detected -triggers the first call, and the igb_remove triggers the second call. -The second call to igb_down will block at napi_synchronize. -Here's the call trace: - __schedule+0x3b0/0xddb - ? __mod_timer+0x164/0x5d3 - schedule+0x44/0xa8 - schedule_timeout+0xb2/0x2a4 - ? run_local_timers+0x4e/0x4e - msleep+0x31/0x38 - igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] - __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] - igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] - __dev_close_many+0x95/0xec - dev_close_many+0x6e/0x103 - unregister_netdevice_many+0x105/0x5b1 - unregister_netdevice_queue+0xc2/0x10d - unregister_netdev+0x1c/0x23 - igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] - pci_device_remove+0x3f/0x9c - device_release_driver_internal+0xfe/0x1b4 - pci_stop_bus_device+0x5b/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_and_remove_bus_device+0x12/0x19 - pciehp_unconfigure_device+0x76/0xe9 - pciehp_disable_slot+0x6e/0x131 - pciehp_handle_presence_or_link_change+0x7a/0x3f7 - pciehp_ist+0xbe/0x194 - irq_thread_fn+0x22/0x4d - ? irq_thread+0x1fd/0x1fd - irq_thread+0x17b/0x1fd - ? irq_forced_thread_fn+0x5f/0x5f - kthread+0x142/0x153 - ? __irq_get_irqchip_state+0x46/0x46 - ? kthread_associate_blkcg+0x71/0x71 - ret_from_fork+0x1f/0x30 - -In this case, igb_io_error_detected detaches the network interface -and requests a PCIE slot reset, however, the PCIE reset callback is -not being invoked and thus the Ethernet connection breaks down. -As the PCIE error in this case is a non-fatal one, requesting a -slot reset can be avoided. -This patch fixes the task hung issue and preserves Ethernet -connection by ignoring non-fatal PCIE errors. - -Signed-off-by: Ying Hsu -Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) -Signed-off-by: Tony Nguyen -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c -index 18ffbc892f86c..3e0444354632d 100644 ---- a/drivers/net/ethernet/intel/igb/igb_main.c -+++ b/drivers/net/ethernet/intel/igb/igb_main.c -@@ -9585,6 +9585,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, - struct net_device *netdev = pci_get_drvdata(pdev); - struct igb_adapter *adapter = netdev_priv(netdev); - -+ if (state == pci_channel_io_normal) { -+ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); -+ return PCI_ERS_RESULT_CAN_RECOVER; -+ } -+ - netif_device_detach(netdev); - - if (state == pci_channel_io_perm_failure) --- -2.39.2 - diff --git a/queue-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch b/queue-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch deleted file mode 100644 index 5aadd1a85b6..00000000000 --- a/queue-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch +++ /dev/null @@ -1,61 +0,0 @@ -From c01002df2d8dadbc072d6f4a641153969ae81dc1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Apr 2023 09:36:11 +0200 -Subject: igc: Avoid transmit queue timeout for XDP - -From: Kurt Kanzenbach - -[ Upstream commit 95b681485563c64585de78662ee52d06b7fa47d9 ] - -High XDP load triggers the netdev watchdog: - -|NETDEV WATCHDOG: enp3s0 (igc): transmit queue 2 timed out - -The reason is the Tx queue transmission start (txq->trans_start) is not updated -in XDP code path. Therefore, add it for all XDP transmission functions. - -Signed-off-by: Kurt Kanzenbach -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Stable-dep-of: 78adb4bcf99e ("igc: Prevent garbled TX queue with XDP ZEROCOPY") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index 273941f90f066..ade4bde47c65a 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -2402,6 +2402,8 @@ static int igc_xdp_xmit_back(struct igc_adapter *adapter, struct xdp_buff *xdp) - nq = txring_txq(ring); - - __netif_tx_lock(nq, cpu); -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); - res = igc_xdp_init_tx_descriptor(ring, xdpf); - __netif_tx_unlock(nq); - return res; -@@ -2804,6 +2806,9 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - - __netif_tx_lock(nq, cpu); - -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); -+ - budget = igc_desc_unused(ring); - - while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { -@@ -6297,6 +6302,9 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames, - - __netif_tx_lock(nq, cpu); - -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); -+ - drops = 0; - for (i = 0; i < num_frames; i++) { - int err; --- -2.39.2 - diff --git a/queue-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/queue-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch deleted file mode 100644 index 4254f230b5d..00000000000 --- a/queue-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch +++ /dev/null @@ -1,79 +0,0 @@ -From d6a3517285a333ba4076b9e7721da2053a4d7dd2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 10:54:44 -0700 -Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY - -From: Florian Kauer - -[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ] - -In normal operation, each populated queue item has -next_to_watch pointing to the last TX desc of the packet, -while each cleaned item has it set to 0. In particular, -next_to_use that points to the next (necessarily clean) -item to use has next_to_watch set to 0. - -When the TX queue is used both by an application using -AF_XDP with ZEROCOPY as well as a second non-XDP application -generating high traffic, the queue pointers can get in -an invalid state where next_to_use points to an item -where next_to_watch is NOT set to 0. - -However, the implementation assumes at several places -that this is never the case, so if it does hold, -bad things happen. In particular, within the loop inside -of igc_clean_tx_irq(), next_to_clean can overtake next_to_use. -Finally, this prevents any further transmission via -this queue and it never gets unblocked or signaled. -Secondly, if the queue is in this garbled state, -the inner loop of igc_clean_tx_ring() will never terminate, -completely hogging a CPU core. - -The reason is that igc_xdp_xmit_zc() reads next_to_use -before acquiring the lock, and writing it back -(potentially unmodified) later. If it got modified -before locking, the outdated next_to_use is written -pointing to an item that was already used elsewhere -(and thus next_to_watch got written). - -Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy") -Signed-off-by: Florian Kauer -Reviewed-by: Kurt Kanzenbach -Tested-by: Kurt Kanzenbach -Acked-by: Vinicius Costa Gomes -Reviewed-by: Simon Horman -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index ade4bde47c65a..2e091a4a065e7 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -2797,9 +2797,8 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - struct netdev_queue *nq = txring_txq(ring); - union igc_adv_tx_desc *tx_desc = NULL; - int cpu = smp_processor_id(); -- u16 ntu = ring->next_to_use; - struct xdp_desc xdp_desc; -- u16 budget; -+ u16 budget, ntu; - - if (!netif_carrier_ok(ring->netdev)) - return; -@@ -2809,6 +2808,7 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - /* Avoid transmit queue timeout since we share it with the slow path */ - txq_trans_cond_update(nq); - -+ ntu = ring->next_to_use; - budget = igc_desc_unused(ring); - - while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { --- -2.39.2 - diff --git a/queue-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch b/queue-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch deleted file mode 100644 index c6b43d83427..00000000000 --- a/queue-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a9be202269580ca611c6cebac90eaf1795497800 Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Thu, 20 Jul 2023 13:16:53 -0600 -Subject: io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq - -From: Jens Axboe - -commit a9be202269580ca611c6cebac90eaf1795497800 upstream. - -io-wq assumes that an issue is blocking, but it may not be if the -request type has asked for a non-blocking attempt. If we get --EAGAIN for that case, then we need to treat it as a final result -and not retry or arm poll for it. - -Cc: stable@vger.kernel.org # 5.10+ -Link: https://github.com/axboe/liburing/issues/897 -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - io_uring/io_uring.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/io_uring/io_uring.c -+++ b/io_uring/io_uring.c -@@ -1803,6 +1803,14 @@ fail: - ret = io_issue_sqe(req, issue_flags); - if (ret != -EAGAIN) - break; -+ -+ /* -+ * If REQ_F_NOWAIT is set, then don't wait or retry with -+ * poll. -EAGAIN is final for that case. -+ */ -+ if (req->flags & REQ_F_NOWAIT) -+ break; -+ - /* - * We can get EAGAIN for iopolled IO even though we're - * forcing a sync submission from here, since we can't diff --git a/queue-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch b/queue-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch deleted file mode 100644 index 2cd2baafb78..00000000000 --- a/queue-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch +++ /dev/null @@ -1,191 +0,0 @@ -From c2d6fd9d6f35079f1669f0100f05b46708c74b7f Mon Sep 17 00:00:00 2001 -From: Zhang Yi -Date: Tue, 6 Jun 2023 21:59:23 +0800 -Subject: jbd2: recheck chechpointing non-dirty buffer - -From: Zhang Yi - -commit c2d6fd9d6f35079f1669f0100f05b46708c74b7f upstream. - -There is a long-standing metadata corruption issue that happens from -time to time, but it's very difficult to reproduce and analyse, benefit -from the JBD2_CYCLE_RECORD option, we found out that the problem is the -checkpointing process miss to write out some buffers which are raced by -another do_get_write_access(). Looks below for detail. - -jbd2_log_do_checkpoint() //transaction X - //buffer A is dirty and not belones to any transaction - __buffer_relink_io() //move it to the IO list - __flush_batch() - write_dirty_buffer() - do_get_write_access() - clear_buffer_dirty - __jbd2_journal_file_buffer() - //add buffer A to a new transaction Y - lock_buffer(bh) - //doesn't write out - __jbd2_journal_remove_checkpoint() - //finish checkpoint except buffer A - //filesystem corrupt if the new transaction Y isn't fully write out. - -Due to the t_checkpoint_list walking loop in jbd2_log_do_checkpoint() -have already handles waiting for buffers under IO and re-added new -transaction to complete commit, and it also removing cleaned buffers, -this makes sure the list will eventually get empty. So it's fine to -leave buffers on the t_checkpoint_list while flushing out and completely -stop using the t_checkpoint_io_list. - -Cc: stable@vger.kernel.org -Suggested-by: Jan Kara -Signed-off-by: Zhang Yi -Tested-by: Zhihao Cheng -Reviewed-by: Jan Kara -Link: https://lore.kernel.org/r/20230606135928.434610-2-yi.zhang@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/jbd2/checkpoint.c | 102 ++++++++++++++------------------------------------- - 1 file changed, 29 insertions(+), 73 deletions(-) - ---- a/fs/jbd2/checkpoint.c -+++ b/fs/jbd2/checkpoint.c -@@ -58,28 +58,6 @@ static inline void __buffer_unlink(struc - } - - /* -- * Move a buffer from the checkpoint list to the checkpoint io list -- * -- * Called with j_list_lock held -- */ --static inline void __buffer_relink_io(struct journal_head *jh) --{ -- transaction_t *transaction = jh->b_cp_transaction; -- -- __buffer_unlink_first(jh); -- -- if (!transaction->t_checkpoint_io_list) { -- jh->b_cpnext = jh->b_cpprev = jh; -- } else { -- jh->b_cpnext = transaction->t_checkpoint_io_list; -- jh->b_cpprev = transaction->t_checkpoint_io_list->b_cpprev; -- jh->b_cpprev->b_cpnext = jh; -- jh->b_cpnext->b_cpprev = jh; -- } -- transaction->t_checkpoint_io_list = jh; --} -- --/* - * Check a checkpoint buffer could be release or not. - * - * Requires j_list_lock -@@ -183,6 +161,7 @@ __flush_batch(journal_t *journal, int *b - struct buffer_head *bh = journal->j_chkpt_bhs[i]; - BUFFER_TRACE(bh, "brelse"); - __brelse(bh); -+ journal->j_chkpt_bhs[i] = NULL; - } - *batch_count = 0; - } -@@ -242,6 +221,11 @@ restart: - jh = transaction->t_checkpoint_list; - bh = jh2bh(jh); - -+ /* -+ * The buffer may be writing back, or flushing out in the -+ * last couple of cycles, or re-adding into a new transaction, -+ * need to check it again until it's unlocked. -+ */ - if (buffer_locked(bh)) { - get_bh(bh); - spin_unlock(&journal->j_list_lock); -@@ -287,28 +271,32 @@ restart: - } - if (!buffer_dirty(bh)) { - BUFFER_TRACE(bh, "remove from checkpoint"); -- if (__jbd2_journal_remove_checkpoint(jh)) -- /* The transaction was released; we're done */ -+ /* -+ * If the transaction was released or the checkpoint -+ * list was empty, we're done. -+ */ -+ if (__jbd2_journal_remove_checkpoint(jh) || -+ !transaction->t_checkpoint_list) - goto out; -- continue; -+ } else { -+ /* -+ * We are about to write the buffer, it could be -+ * raced by some other transaction shrink or buffer -+ * re-log logic once we release the j_list_lock, -+ * leave it on the checkpoint list and check status -+ * again to make sure it's clean. -+ */ -+ BUFFER_TRACE(bh, "queue"); -+ get_bh(bh); -+ J_ASSERT_BH(bh, !buffer_jwrite(bh)); -+ journal->j_chkpt_bhs[batch_count++] = bh; -+ transaction->t_chp_stats.cs_written++; -+ transaction->t_checkpoint_list = jh->b_cpnext; - } -- /* -- * Important: we are about to write the buffer, and -- * possibly block, while still holding the journal -- * lock. We cannot afford to let the transaction -- * logic start messing around with this buffer before -- * we write it to disk, as that would break -- * recoverability. -- */ -- BUFFER_TRACE(bh, "queue"); -- get_bh(bh); -- J_ASSERT_BH(bh, !buffer_jwrite(bh)); -- journal->j_chkpt_bhs[batch_count++] = bh; -- __buffer_relink_io(jh); -- transaction->t_chp_stats.cs_written++; -+ - if ((batch_count == JBD2_NR_BATCH) || -- need_resched() || -- spin_needbreak(&journal->j_list_lock)) -+ need_resched() || spin_needbreak(&journal->j_list_lock) || -+ jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]) - goto unlock_and_flush; - } - -@@ -322,38 +310,6 @@ restart: - goto restart; - } - -- /* -- * Now we issued all of the transaction's buffers, let's deal -- * with the buffers that are out for I/O. -- */ --restart2: -- /* Did somebody clean up the transaction in the meanwhile? */ -- if (journal->j_checkpoint_transactions != transaction || -- transaction->t_tid != this_tid) -- goto out; -- -- while (transaction->t_checkpoint_io_list) { -- jh = transaction->t_checkpoint_io_list; -- bh = jh2bh(jh); -- if (buffer_locked(bh)) { -- get_bh(bh); -- spin_unlock(&journal->j_list_lock); -- wait_on_buffer(bh); -- /* the journal_head may have gone by now */ -- BUFFER_TRACE(bh, "brelse"); -- __brelse(bh); -- spin_lock(&journal->j_list_lock); -- goto restart2; -- } -- -- /* -- * Now in whatever state the buffer currently is, we -- * know that it has been written out and so we can -- * drop it from the list -- */ -- if (__jbd2_journal_remove_checkpoint(jh)) -- break; -- } - out: - spin_unlock(&journal->j_list_lock); - result = jbd2_cleanup_journal_tail(journal); diff --git a/queue-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch b/queue-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch deleted file mode 100644 index 9d63e2e6348..00000000000 --- a/queue-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ced0f245ed951e2b8bd68f79c15238d7dd253662 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Mon, 6 Mar 2023 11:14:50 +0100 -Subject: kallsyms: add kallsyms_seqs_of_names to list of special symbols - -From: Arnd Bergmann - -commit ced0f245ed951e2b8bd68f79c15238d7dd253662 upstream. - -My randconfig build setup ran into another kallsyms warning: - -Inconsistent kallsyms data -Try make KALLSYMS_EXTRA_PASS=1 as a workaround - -After adding some debugging code to kallsyms.c, I saw that the recently -added kallsyms_seqs_of_names symbol can sometimes cause the second stage -table to be slightly longer than the first stage, which makes the -build inconsistent. - -Add it to the exception table that contains all other kallsyms-generated -symbols. - -Fixes: 60443c88f3a8 ("kallsyms: Improve the performance of kallsyms_lookup_name()") -Signed-off-by: Arnd Bergmann -Reviewed-by: Zhen Lei -Signed-off-by: Masahiro Yamada -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kallsyms.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -118,6 +118,7 @@ static bool is_ignored_symbol(const char - "kallsyms_markers", - "kallsyms_token_table", - "kallsyms_token_index", -+ "kallsyms_seqs_of_names", - /* Exclude linker generated symbols which vary between passes */ - "_SDA_BASE_", /* ppc */ - "_SDA2_BASE_", /* ppc */ diff --git a/queue-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch b/queue-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch deleted file mode 100644 index 5ee0e2c26ff..00000000000 --- a/queue-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 84ac2024e94e7308d618a49933dee91acc662e7c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 2 Nov 2022 16:49:15 +0800 -Subject: kallsyms: Correctly sequence symbols when CONFIG_LTO_CLANG=y - -From: Zhen Lei - -[ Upstream commit 010a0aad39fccceba4a07d30d163158a39c704f3 ] - -LLVM appends various suffixes for local functions and variables, suffixes -observed: - - foo.llvm.[0-9a-f]+ - - foo.[0-9a-f]+ - -Therefore, when CONFIG_LTO_CLANG=y, kallsyms_lookup_name() needs to -truncate the suffix of the symbol name before comparing the local function -or variable name. - -Old implementation code: -- if (strcmp(namebuf, name) == 0) -- return kallsyms_sym_address(i); -- if (cleanup_symbol_name(namebuf) && strcmp(namebuf, name) == 0) -- return kallsyms_sym_address(i); - -The preceding process is traversed by address from low to high. That is, -for those with the same name after the suffix is removed, the one with -the smallest address is returned first. Therefore, when sorting in the -tool, if the raw names are the same, they should be sorted by address in -ascending order. - -ASCII[.] = 2e -ASCII[0-9] = 30,39 -ASCII[A-Z] = 41,5a -ASCII[_] = 5f -ASCII[a-z] = 61,7a - -According to the preceding ASCII code values, the following sorting result -is strictly followed. - --------------------------------- -| main-key | sub-key | -|---------------------------------| -| | addr_lowest | -| | ... | -| . | ... | -| | addr_highest | -|---------------------------------| -| ? | | //? is [_A-Za-z0-9] - --------------------------------- - -Signed-off-by: Zhen Lei -Signed-off-by: Luis Chamberlain -Stable-dep-of: 8cc32a9bbf29 ("kallsyms: strip LTO-only suffixes from promoted global functions") -Signed-off-by: Sasha Levin ---- - scripts/kallsyms.c | 36 ++++++++++++++++++++++++++++++++++-- - scripts/link-vmlinux.sh | 4 ++++ - 2 files changed, 38 insertions(+), 2 deletions(-) - -diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c -index dcb744a067e5e..67ef9aa14a770 100644 ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -78,6 +78,7 @@ static unsigned int table_size, table_cnt; - static int all_symbols; - static int absolute_percpu; - static int base_relative; -+static int lto_clang; - - static int token_profit[0x10000]; - -@@ -89,7 +90,7 @@ static unsigned char best_table_len[256]; - static void usage(void) - { - fprintf(stderr, "Usage: kallsyms [--all-symbols] [--absolute-percpu] " -- "[--base-relative] in.map > out.S\n"); -+ "[--base-relative] [--lto-clang] in.map > out.S\n"); - exit(1); - } - -@@ -411,6 +412,34 @@ static int symbol_absolute(const struct sym_entry *s) - return s->percpu_absolute; - } - -+static char * s_name(char *buf) -+{ -+ /* Skip the symbol type */ -+ return buf + 1; -+} -+ -+static void cleanup_symbol_name(char *s) -+{ -+ char *p; -+ -+ if (!lto_clang) -+ return; -+ -+ /* -+ * ASCII[.] = 2e -+ * ASCII[0-9] = 30,39 -+ * ASCII[A-Z] = 41,5a -+ * ASCII[_] = 5f -+ * ASCII[a-z] = 61,7a -+ * -+ * As above, replacing '.' with '\0' does not affect the main sorting, -+ * but it helps us with subsorting. -+ */ -+ p = strchr(s, '.'); -+ if (p) -+ *p = '\0'; -+} -+ - static int compare_names(const void *a, const void *b) - { - int ret; -@@ -421,7 +450,9 @@ static int compare_names(const void *a, const void *b) - - expand_symbol(sa->sym, sa->len, sa_namebuf); - expand_symbol(sb->sym, sb->len, sb_namebuf); -- ret = strcmp(&sa_namebuf[1], &sb_namebuf[1]); -+ cleanup_symbol_name(s_name(sa_namebuf)); -+ cleanup_symbol_name(s_name(sb_namebuf)); -+ ret = strcmp(s_name(sa_namebuf), s_name(sb_namebuf)); - if (!ret) { - if (sa->addr > sb->addr) - return 1; -@@ -855,6 +886,7 @@ int main(int argc, char **argv) - {"all-symbols", no_argument, &all_symbols, 1}, - {"absolute-percpu", no_argument, &absolute_percpu, 1}, - {"base-relative", no_argument, &base_relative, 1}, -+ {"lto-clang", no_argument, <o_clang, 1}, - {}, - }; - -diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh -index 918470d768e9c..32e573943cf03 100755 ---- a/scripts/link-vmlinux.sh -+++ b/scripts/link-vmlinux.sh -@@ -156,6 +156,10 @@ kallsyms() - kallsymopt="${kallsymopt} --base-relative" - fi - -+ if is_enabled CONFIG_LTO_CLANG; then -+ kallsymopt="${kallsymopt} --lto-clang" -+ fi -+ - info KSYMS ${2} - scripts/kallsyms ${kallsymopt} ${1} > ${2} - } --- -2.39.2 - diff --git a/queue-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch b/queue-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch deleted file mode 100644 index 9b63380a315..00000000000 --- a/queue-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch +++ /dev/null @@ -1,241 +0,0 @@ -From 0abbf42237e70e5ca1bdbcd75de6eed8c1bd4077 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 2 Nov 2022 16:49:14 +0800 -Subject: kallsyms: Improve the performance of kallsyms_lookup_name() - -From: Zhen Lei - -[ Upstream commit 60443c88f3a89fd303a9e8c0e84895910675c316 ] - -Currently, to search for a symbol, we need to expand the symbols in -'kallsyms_names' one by one, and then use the expanded string for -comparison. It's O(n). - -If we sort names in ascending order like addresses, we can also use -binary search. It's O(log(n)). - -In order not to change the implementation of "/proc/kallsyms", the table -kallsyms_names[] is still stored in a one-to-one correspondence with the -address in ascending order. - -Add array kallsyms_seqs_of_names[], it's indexed by the sequence number -of the sorted names, and the corresponding content is the sequence number -of the sorted addresses. For example: -Assume that the index of NameX in array kallsyms_seqs_of_names[] is 'i', -the content of kallsyms_seqs_of_names[i] is 'k', then the corresponding -address of NameX is kallsyms_addresses[k]. The offset in kallsyms_names[] -is get_symbol_offset(k). - -Note that the memory usage will increase by (4 * kallsyms_num_syms) -bytes, the next two patches will reduce (1 * kallsyms_num_syms) bytes -and properly handle the case CONFIG_LTO_CLANG=y. - -Performance test results: (x86) -Before: -min=234, max=10364402, avg=5206926 -min=267, max=11168517, avg=5207587 -After: -min=1016, max=90894, avg=7272 -min=1014, max=93470, avg=7293 - -The average lookup performance of kallsyms_lookup_name() improved 715x. - -Signed-off-by: Zhen Lei -Signed-off-by: Luis Chamberlain -Stable-dep-of: 8cc32a9bbf29 ("kallsyms: strip LTO-only suffixes from promoted global functions") -Signed-off-by: Sasha Levin ---- - kernel/kallsyms.c | 86 +++++++++++++++++++++++++++++++++----- - kernel/kallsyms_internal.h | 1 + - scripts/kallsyms.c | 37 ++++++++++++++++ - 3 files changed, 113 insertions(+), 11 deletions(-) - -diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c -index 60c20f301a6ba..ba351dfa109b6 100644 ---- a/kernel/kallsyms.c -+++ b/kernel/kallsyms.c -@@ -187,26 +187,90 @@ static bool cleanup_symbol_name(char *s) - return false; - } - -+static int compare_symbol_name(const char *name, char *namebuf) -+{ -+ int ret; -+ -+ ret = strcmp(name, namebuf); -+ if (!ret) -+ return ret; -+ -+ if (cleanup_symbol_name(namebuf) && !strcmp(name, namebuf)) -+ return 0; -+ -+ return ret; -+} -+ -+static int kallsyms_lookup_names(const char *name, -+ unsigned int *start, -+ unsigned int *end) -+{ -+ int ret; -+ int low, mid, high; -+ unsigned int seq, off; -+ char namebuf[KSYM_NAME_LEN]; -+ -+ low = 0; -+ high = kallsyms_num_syms - 1; -+ -+ while (low <= high) { -+ mid = low + (high - low) / 2; -+ seq = kallsyms_seqs_of_names[mid]; -+ off = get_symbol_offset(seq); -+ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); -+ ret = compare_symbol_name(name, namebuf); -+ if (ret > 0) -+ low = mid + 1; -+ else if (ret < 0) -+ high = mid - 1; -+ else -+ break; -+ } -+ -+ if (low > high) -+ return -ESRCH; -+ -+ low = mid; -+ while (low) { -+ seq = kallsyms_seqs_of_names[low - 1]; -+ off = get_symbol_offset(seq); -+ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); -+ if (compare_symbol_name(name, namebuf)) -+ break; -+ low--; -+ } -+ *start = low; -+ -+ if (end) { -+ high = mid; -+ while (high < kallsyms_num_syms - 1) { -+ seq = kallsyms_seqs_of_names[high + 1]; -+ off = get_symbol_offset(seq); -+ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); -+ if (compare_symbol_name(name, namebuf)) -+ break; -+ high++; -+ } -+ *end = high; -+ } -+ -+ return 0; -+} -+ - /* Lookup the address for this symbol. Returns 0 if not found. */ - unsigned long kallsyms_lookup_name(const char *name) - { -- char namebuf[KSYM_NAME_LEN]; -- unsigned long i; -- unsigned int off; -+ int ret; -+ unsigned int i; - - /* Skip the search for empty string. */ - if (!*name) - return 0; - -- for (i = 0, off = 0; i < kallsyms_num_syms; i++) { -- off = kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); -- -- if (strcmp(namebuf, name) == 0) -- return kallsyms_sym_address(i); -+ ret = kallsyms_lookup_names(name, &i, NULL); -+ if (!ret) -+ return kallsyms_sym_address(kallsyms_seqs_of_names[i]); - -- if (cleanup_symbol_name(namebuf) && strcmp(namebuf, name) == 0) -- return kallsyms_sym_address(i); -- } - return module_kallsyms_lookup_name(name); - } - -diff --git a/kernel/kallsyms_internal.h b/kernel/kallsyms_internal.h -index 2d0c6f2f0243a..a04b7a5cb1e3e 100644 ---- a/kernel/kallsyms_internal.h -+++ b/kernel/kallsyms_internal.h -@@ -26,5 +26,6 @@ extern const char kallsyms_token_table[] __weak; - extern const u16 kallsyms_token_index[] __weak; - - extern const unsigned int kallsyms_markers[] __weak; -+extern const unsigned int kallsyms_seqs_of_names[] __weak; - - #endif // LINUX_KALLSYMS_INTERNAL_H_ -diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c -index 03fa07ad45d95..dcb744a067e5e 100644 ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -49,6 +49,7 @@ _Static_assert( - struct sym_entry { - unsigned long long addr; - unsigned int len; -+ unsigned int seq; - unsigned int start_pos; - unsigned int percpu_absolute; - unsigned char sym[]; -@@ -410,6 +411,35 @@ static int symbol_absolute(const struct sym_entry *s) - return s->percpu_absolute; - } - -+static int compare_names(const void *a, const void *b) -+{ -+ int ret; -+ char sa_namebuf[KSYM_NAME_LEN]; -+ char sb_namebuf[KSYM_NAME_LEN]; -+ const struct sym_entry *sa = *(const struct sym_entry **)a; -+ const struct sym_entry *sb = *(const struct sym_entry **)b; -+ -+ expand_symbol(sa->sym, sa->len, sa_namebuf); -+ expand_symbol(sb->sym, sb->len, sb_namebuf); -+ ret = strcmp(&sa_namebuf[1], &sb_namebuf[1]); -+ if (!ret) { -+ if (sa->addr > sb->addr) -+ return 1; -+ else if (sa->addr < sb->addr) -+ return -1; -+ -+ /* keep old order */ -+ return (int)(sa->seq - sb->seq); -+ } -+ -+ return ret; -+} -+ -+static void sort_symbols_by_name(void) -+{ -+ qsort(table, table_cnt, sizeof(table[0]), compare_names); -+} -+ - static void write_src(void) - { - unsigned int i, k, off; -@@ -495,6 +525,7 @@ static void write_src(void) - for (i = 0; i < table_cnt; i++) { - if ((i & 0xFF) == 0) - markers[i >> 8] = off; -+ table[i]->seq = i; - - /* There cannot be any symbol of length zero. */ - if (table[i]->len == 0) { -@@ -535,6 +566,12 @@ static void write_src(void) - - free(markers); - -+ sort_symbols_by_name(); -+ output_label("kallsyms_seqs_of_names"); -+ for (i = 0; i < table_cnt; i++) -+ printf("\t.long\t%u\n", table[i]->seq); -+ printf("\n"); -+ - output_label("kallsyms_token_table"); - off = 0; - for (i = 0; i < 256; i++) { --- -2.39.2 - diff --git a/queue-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch b/queue-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch deleted file mode 100644 index e74c07b91eb..00000000000 --- a/queue-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 8ed9d429c7185d4b3fe9ef6360e3f9e6f63265c1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 11:19:26 -0700 -Subject: kallsyms: strip LTO-only suffixes from promoted global functions - -From: Yonghong Song - -[ Upstream commit 8cc32a9bbf2934d90762d9de0187adcb5ad46a11 ] - -Commit 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") -stripped all function/variable suffixes started with '.' regardless -of whether those suffixes are generated at LTO mode or not. In fact, -as far as I know, in LTO mode, when a static function/variable is -promoted to the global scope, '.llvm.<...>' suffix is added. - -The existing mechanism breaks live patch for a LTO kernel even if -no .llvm.<...> symbols are involved. For example, for the following -kernel symbols: - $ grep bpf_verifier_vlog /proc/kallsyms - ffffffff81549f60 t bpf_verifier_vlog - ffffffff8268b430 d bpf_verifier_vlog._entry - ffffffff8282a958 d bpf_verifier_vlog._entry_ptr - ffffffff82e12a1f d bpf_verifier_vlog.__already_done -'bpf_verifier_vlog' is a static function. '_entry', '_entry_ptr' and -'__already_done' are static variables used inside 'bpf_verifier_vlog', -so llvm promotes them to file-level static with prefix 'bpf_verifier_vlog.'. -Note that the func-level to file-level static function promotion also -happens without LTO. - -Given a symbol name 'bpf_verifier_vlog', with LTO kernel, current mechanism will -return 4 symbols to live patch subsystem which current live patching -subsystem cannot handle it. With non-LTO kernel, only one symbol -is returned. - -In [1], we have a lengthy discussion, the suggestion is to separate two -cases: - (1). new symbols with suffix which are generated regardless of whether - LTO is enabled or not, and - (2). new symbols with suffix generated only when LTO is enabled. - -The cleanup_symbol_name() should only remove suffixes for case (2). -Case (1) should not be changed so it can work uniformly with or without LTO. - -This patch removed LTO-only suffix '.llvm.<...>' so live patching and -tracing should work the same way for non-LTO kernel. -The cleanup_symbol_name() in scripts/kallsyms.c is also changed to have the same -filtering pattern so both kernel and kallsyms tool have the same -expectation on the order of symbols. - - [1] https://lore.kernel.org/live-patching/20230615170048.2382735-1-song@kernel.org/T/#u - -Fixes: 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") -Reported-by: Song Liu -Signed-off-by: Yonghong Song -Reviewed-by: Zhen Lei -Reviewed-by: Nick Desaulniers -Acked-by: Song Liu -Link: https://lore.kernel.org/r/20230628181926.4102448-1-yhs@fb.com -Signed-off-by: Kees Cook -Signed-off-by: Sasha Levin ---- - kernel/kallsyms.c | 5 ++--- - scripts/kallsyms.c | 6 +++--- - 2 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c -index ba351dfa109b6..676328a7c8c75 100644 ---- a/kernel/kallsyms.c -+++ b/kernel/kallsyms.c -@@ -174,11 +174,10 @@ static bool cleanup_symbol_name(char *s) - * LLVM appends various suffixes for local functions and variables that - * must be promoted to global scope as part of LTO. This can break - * hooking of static functions with kprobes. '.' is not a valid -- * character in an identifier in C. Suffixes observed: -+ * character in an identifier in C. Suffixes only in LLVM LTO observed: - * - foo.llvm.[0-9a-f]+ -- * - foo.[0-9a-f]+ - */ -- res = strchr(s, '.'); -+ res = strstr(s, ".llvm."); - if (res) { - *res = '\0'; - return true; -diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c -index 67ef9aa14a770..51edc73e2ebf8 100644 ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -432,10 +432,10 @@ static void cleanup_symbol_name(char *s) - * ASCII[_] = 5f - * ASCII[a-z] = 61,7a - * -- * As above, replacing '.' with '\0' does not affect the main sorting, -- * but it helps us with subsorting. -+ * As above, replacing the first '.' in ".llvm." with '\0' does not -+ * affect the main sorting, but it helps us with subsorting. - */ -- p = strchr(s, '.'); -+ p = strstr(s, ".llvm."); - if (p) - *p = '\0'; - } --- -2.39.2 - diff --git a/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch deleted file mode 100644 index 75ed3459f73..00000000000 --- a/queue-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch +++ /dev/null @@ -1,177 +0,0 @@ -From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 -From: Petr Pavlu -Date: Thu, 23 Mar 2023 14:04:12 +0100 -Subject: keys: Fix linking a duplicate key to a keyring's assoc_array - -From: Petr Pavlu - -commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. - -When making a DNS query inside the kernel using dns_query(), the request -code can in rare cases end up creating a duplicate index key in the -assoc_array of the destination keyring. It is eventually found by -a BUG_ON() check in the assoc_array implementation and results in -a crash. - -Example report: -[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! -[2158499.700039] invalid opcode: 0000 [#1] SMP PTI -[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 -[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 -[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] -[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 -[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f -[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 -[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 -[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 -[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 -[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 -[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 -[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 -[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 -[2158499.700702] Call Trace: -[2158499.700741] ? key_alloc+0x447/0x4b0 -[2158499.700768] ? __key_link_begin+0x43/0xa0 -[2158499.700790] __key_link_begin+0x43/0xa0 -[2158499.700814] request_key_and_link+0x2c7/0x730 -[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] -[2158499.700873] ? key_default_cmp+0x20/0x20 -[2158499.700898] request_key_tag+0x43/0xa0 -[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] -[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] -[2158499.701164] ? scnprintf+0x49/0x90 -[2158499.701190] ? __switch_to_asm+0x40/0x70 -[2158499.701211] ? __switch_to_asm+0x34/0x70 -[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] -[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] -[2158499.701632] process_one_work+0x1f8/0x3e0 -[2158499.701658] worker_thread+0x2d/0x3f0 -[2158499.701682] ? process_one_work+0x3e0/0x3e0 -[2158499.701703] kthread+0x10d/0x130 -[2158499.701723] ? kthread_park+0xb0/0xb0 -[2158499.701746] ret_from_fork+0x1f/0x40 - -The situation occurs as follows: -* Some kernel facility invokes dns_query() to resolve a hostname, for - example, "abcdef". The function registers its global DNS resolver - cache as current->cred.thread_keyring and passes the query to - request_key_net() -> request_key_tag() -> request_key_and_link(). -* Function request_key_and_link() creates a keyring_search_context - object. Its match_data.cmp method gets set via a call to - type->match_preparse() (resolves to dns_resolver_match_preparse()) to - dns_resolver_cmp(). -* Function request_key_and_link() continues and invokes - search_process_keyrings_rcu() which returns that a given key was not - found. The control is then passed to request_key_and_link() -> - construct_alloc_key(). -* Concurrently to that, a second task similarly makes a DNS query for - "abcdef." and its result gets inserted into the DNS resolver cache. -* Back on the first task, function construct_alloc_key() first runs - __key_link_begin() to determine an assoc_array_edit operation to - insert a new key. Index keys in the array are compared exactly as-is, - using keyring_compare_object(). The operation finds that "abcdef" is - not yet present in the destination keyring. -* Function construct_alloc_key() continues and checks if a given key is - already present on some keyring by again calling - search_process_keyrings_rcu(). This search is done using - dns_resolver_cmp() and "abcdef" gets matched with now present key - "abcdef.". -* The found key is linked on the destination keyring by calling - __key_link() and using the previously calculated assoc_array_edit - operation. This inserts the "abcdef." key in the array but creates - a duplicity because the same index key is already present. - -Fix the problem by postponing __key_link_begin() in -construct_alloc_key() until an actual key which should be linked into -the destination keyring is determined. - -[jarkko@kernel.org: added a fixes tag and cc to stable] -Cc: stable@vger.kernel.org # v5.3+ -Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") -Signed-off-by: Petr Pavlu -Reviewed-by: Joey Lee -Reviewed-by: Jarkko Sakkinen -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Greg Kroah-Hartman ---- - security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- - 1 file changed, 24 insertions(+), 11 deletions(-) - ---- a/security/keys/request_key.c -+++ b/security/keys/request_key.c -@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke - set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); - - if (dest_keyring) { -- ret = __key_link_lock(dest_keyring, &ctx->index_key); -+ ret = __key_link_lock(dest_keyring, &key->index_key); - if (ret < 0) - goto link_lock_failed; -- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); -- if (ret < 0) -- goto link_prealloc_failed; - } - -- /* attach the key to the destination keyring under lock, but we do need -+ /* -+ * Attach the key to the destination keyring under lock, but we do need - * to do another check just in case someone beat us to it whilst we -- * waited for locks */ -+ * waited for locks. -+ * -+ * The caller might specify a comparison function which looks for keys -+ * that do not exactly match but are still equivalent from the caller's -+ * perspective. The __key_link_begin() operation must be done only after -+ * an actual key is determined. -+ */ - mutex_lock(&key_construction_mutex); - - rcu_read_lock(); -@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke - if (!IS_ERR(key_ref)) - goto key_already_present; - -- if (dest_keyring) -+ if (dest_keyring) { -+ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); -+ if (ret < 0) -+ goto link_alloc_failed; - __key_link(dest_keyring, key, &edit); -+ } - - mutex_unlock(&key_construction_mutex); - if (dest_keyring) -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+ __key_link_end(dest_keyring, &key->index_key, edit); - mutex_unlock(&user->cons_lock); - *_key = key; - kleave(" = 0 [%d]", key_serial(key)); -@@ -438,10 +446,13 @@ key_already_present: - mutex_unlock(&key_construction_mutex); - key = key_ref_to_ptr(key_ref); - if (dest_keyring) { -+ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); -+ if (ret < 0) -+ goto link_alloc_failed_unlocked; - ret = __key_link_check_live_key(dest_keyring, key); - if (ret == 0) - __key_link(dest_keyring, key, &edit); -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+ __key_link_end(dest_keyring, &key->index_key, edit); - if (ret < 0) - goto link_check_failed; - } -@@ -456,8 +467,10 @@ link_check_failed: - kleave(" = %d [linkcheck]", ret); - return ret; - --link_prealloc_failed: -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+link_alloc_failed: -+ mutex_unlock(&key_construction_mutex); -+link_alloc_failed_unlocked: -+ __key_link_end(dest_keyring, &key->index_key, edit); - link_lock_failed: - mutex_unlock(&user->cons_lock); - key_put(key); diff --git a/queue-6.1/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-6.1/llc-don-t-drop-packet-from-non-root-netns.patch deleted file mode 100644 index f12f3fb002b..00000000000 --- a/queue-6.1/llc-don-t-drop-packet-from-non-root-netns.patch +++ /dev/null @@ -1,50 +0,0 @@ -From e9fa3eef2ea63154cf4655e320d9deee9b91fb21 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 10:41:51 -0700 -Subject: llc: Don't drop packet from non-root netns. - -From: Kuniyuki Iwashima - -[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] - -Now these upper layer protocol handlers can be called from llc_rcv() -as sap->rcv_func(), which is registered by llc_sap_open(). - - * function which is passed to register_8022_client() - -> no in-kernel user calls register_8022_client(). - - * snap_rcv() - `- proto->rcvfunc() : registered by register_snap_client() - -> aarp_rcv() and atalk_rcv() drop packets from non-root netns - - * stp_pdu_rcv() - `- garp_protos[]->rcv() : registered by stp_proto_register() - -> garp_pdu_rcv() and br_stp_rcv() are netns-aware - -So, we can safely remove the netns restriction in llc_rcv(). - -Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/llc/llc_input.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c -index c309b72a58779..7cac441862e21 100644 ---- a/net/llc/llc_input.c -+++ b/net/llc/llc_input.c -@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, - void (*sta_handler)(struct sk_buff *skb); - void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); - -- if (!net_eq(dev_net(dev), &init_net)) -- goto drop; -- - /* - * When the interface is in promisc. mode, drop all the crap that it - * receives, do not try to analyse it. --- -2.39.2 - diff --git a/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch b/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch deleted file mode 100644 index 3ca068f24d3..00000000000 --- a/queue-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd Mon Sep 17 00:00:00 2001 -From: "Liam R. Howlett" -Date: Wed, 12 Jul 2023 13:39:16 -0400 -Subject: maple_tree: fix node allocation testing on 32 bit - -From: Liam R. Howlett - -commit ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd upstream. - -Internal node counting was altered and the 64 bit test was updated, -however the 32bit test was missed. - -Restore the 32bit test to a functional state. - -Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ -Link: https://lkml.kernel.org/r/20230712173916.168805-2-Liam.Howlett@oracle.com -Fixes: 541e06b772c1 ("maple_tree: remove GFP_ZERO from kmem_cache_alloc() and kmem_cache_alloc_bulk()") -Signed-off-by: Liam R. Howlett -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/radix-tree/maple.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/tools/testing/radix-tree/maple.c -+++ b/tools/testing/radix-tree/maple.c -@@ -181,9 +181,9 @@ static noinline void check_new_node(stru - e = i - 1; - } else { - if (i >= 4) -- e = i - 4; -- else if (i == 3) -- e = i - 2; -+ e = i - 3; -+ else if (i >= 1) -+ e = i - 1; - else - e = 0; - } diff --git a/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch b/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch deleted file mode 100644 index b8ab8e3199a..00000000000 --- a/queue-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3c769fd88b9742954763a968e84de09f7ad78cfe Mon Sep 17 00:00:00 2001 -From: Peng Zhang -Date: Tue, 11 Jul 2023 11:54:37 +0800 -Subject: maple_tree: set the node limit when creating a new root node - -From: Peng Zhang - -commit 3c769fd88b9742954763a968e84de09f7ad78cfe upstream. - -Set the node limit of the root node so that the last pivot of all nodes is -the node limit (if the node is not full). - -This patch also fixes a bug in mas_rev_awalk(). Effectively, always -setting a maximum makes mas_logical_pivot() behave as mas_safe_pivot(). -Without this fix, it is possible that very small tasks would fail to find -the correct gap. Although this has not been observed with real tasks, it -has been reported to happen in m68k nommu running the maple tree tests. - -Link: https://lkml.kernel.org/r/20230711035444.526-1-zhangpeng.00@bytedance.com -Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ -Link: https://lkml.kernel.org/r/20230711035444.526-2-zhangpeng.00@bytedance.com -Fixes: 54a611b60590 ("Maple Tree: add new data structure") -Signed-off-by: Peng Zhang -Reviewed-by: Liam R. Howlett -Tested-by: Geert Uytterhoeven -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - lib/maple_tree.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/lib/maple_tree.c -+++ b/lib/maple_tree.c -@@ -3711,7 +3711,8 @@ static inline int mas_root_expand(struct - mas->offset = slot; - pivots[slot] = mas->last; - if (mas->last != ULONG_MAX) -- slot++; -+ pivots[++slot] = ULONG_MAX; -+ - mas->depth = 1; - mas_set_height(mas); - ma_set_meta(node, maple_leaf_64, 0, slot); diff --git a/queue-6.1/mips-dec-prom-address-warray-bounds-warning.patch b/queue-6.1/mips-dec-prom-address-warray-bounds-warning.patch deleted file mode 100644 index 1231ca4bcc6..00000000000 --- a/queue-6.1/mips-dec-prom-address-warray-bounds-warning.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ef01382e1c734299b56bde7f6a5678e14939f8a4 Mon Sep 17 00:00:00 2001 -From: "Gustavo A. R. Silva" -Date: Thu, 22 Jun 2023 17:43:57 -0600 -Subject: [PATCH AUTOSEL 4.19 09/11] MIPS: dec: prom: Address -Warray-bounds - warning -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ] - -Zero-length arrays are deprecated, and we are replacing them with flexible -array members instead. So, replace zero-length array with flexible-array -member in struct memmap. - -Address the following warning found after building (with GCC-13) mips64 -with decstation_64_defconfig: -In function 'rex_setup_memory_region', - inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3: -arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=] - 72 | if (bm->bitmap[i] == 0xff) - | ~~~~~~~~~~^~~ -In file included from arch/mips/dec/prom/memory.c:16: -./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit': -./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap' - 73 | unsigned char bitmap[0]; - -This helps with the ongoing efforts to globally enable -Warray-bounds. - -This results in no differences in binary output. - -Link: https://github.com/KSPP/linux/issues/79 -Link: https://github.com/KSPP/linux/issues/323 -Signed-off-by: Gustavo A. R. Silva -Signed-off-by: Thomas Bogendoerfer -Signed-off-by: Sasha Levin ---- - arch/mips/include/asm/dec/prom.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/mips/include/asm/dec/prom.h -+++ b/arch/mips/include/asm/dec/prom.h -@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic - */ - typedef struct { - int pagesize; -- unsigned char bitmap[0]; -+ unsigned char bitmap[]; - } memmap; - - diff --git a/queue-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch b/queue-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch deleted file mode 100644 index a4550bdb088..00000000000 --- a/queue-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 2ad98a4006851a288ac932c2345ea6a91933390c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 17:46:22 -0700 -Subject: net: dsa: microchip: correct KSZ8795 static MAC table access - -From: Tristram Ha - -[ Upstream commit 4bdf79d686b49ac49373b36466acfb93972c7d7c ] - -The KSZ8795 driver code was modified to use on KSZ8863/73, which has -different register definitions. Some of the new KSZ8795 register -information are wrong compared to previous code. - -KSZ8795 also behaves differently in that the STATIC_MAC_TABLE_USE_FID -and STATIC_MAC_TABLE_FID bits are off by 1 when doing MAC table reading -than writing. To compensate that a special code was added to shift the -register value by 1 before applying those bits. This is wrong when the -code is running on KSZ8863, so this special code is only executed when -KSZ8795 is detected. - -Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") -Signed-off-by: Tristram Ha -Reviewed-by: Horatiu Vultur -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/microchip/ksz8795.c | 8 +++++++- - drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- - drivers/net/dsa/microchip/ksz_common.h | 7 +++++++ - 3 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c -index 6639fae56da7f..c63e082dc57dc 100644 ---- a/drivers/net/dsa/microchip/ksz8795.c -+++ b/drivers/net/dsa/microchip/ksz8795.c -@@ -437,7 +437,13 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, - (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> - shifts[STATIC_MAC_FWD_PORTS]; - alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; -- data_hi >>= 1; -+ -+ /* KSZ8795 family switches have STATIC_MAC_TABLE_USE_FID and -+ * STATIC_MAC_TABLE_FID definitions off by 1 when doing read on the -+ * static MAC table compared to doing write. -+ */ -+ if (ksz_is_ksz87xx(dev)) -+ data_hi >>= 1; - alu->is_static = true; - alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; - alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> -diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c -index 3d59298eaa5cf..8c492d56d2c36 100644 ---- a/drivers/net/dsa/microchip/ksz_common.c -+++ b/drivers/net/dsa/microchip/ksz_common.c -@@ -286,13 +286,13 @@ static const u32 ksz8795_masks[] = { - [STATIC_MAC_TABLE_VALID] = BIT(21), - [STATIC_MAC_TABLE_USE_FID] = BIT(23), - [STATIC_MAC_TABLE_FID] = GENMASK(30, 24), -- [STATIC_MAC_TABLE_OVERRIDE] = BIT(26), -- [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(24, 20), -+ [STATIC_MAC_TABLE_OVERRIDE] = BIT(22), -+ [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(20, 16), - [DYNAMIC_MAC_TABLE_ENTRIES_H] = GENMASK(6, 0), -- [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(8), -+ [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7), - [DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7), - [DYNAMIC_MAC_TABLE_ENTRIES] = GENMASK(31, 29), -- [DYNAMIC_MAC_TABLE_FID] = GENMASK(26, 20), -+ [DYNAMIC_MAC_TABLE_FID] = GENMASK(22, 16), - [DYNAMIC_MAC_TABLE_SRC_PORT] = GENMASK(26, 24), - [DYNAMIC_MAC_TABLE_TIMESTAMP] = GENMASK(28, 27), - [P_MII_TX_FLOW_CTRL] = BIT(5), -diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h -index 9cfa179575ce8..d1b2db8e65331 100644 ---- a/drivers/net/dsa/microchip/ksz_common.h -+++ b/drivers/net/dsa/microchip/ksz_common.h -@@ -512,6 +512,13 @@ static inline void ksz_regmap_unlock(void *__mtx) - mutex_unlock(mtx); - } - -+static inline bool ksz_is_ksz87xx(struct ksz_device *dev) -+{ -+ return dev->chip_id == KSZ8795_CHIP_ID || -+ dev->chip_id == KSZ8794_CHIP_ID || -+ dev->chip_id == KSZ8765_CHIP_ID; -+} -+ - static inline bool ksz_is_ksz88x3(struct ksz_device *dev) - { - return dev->chip_id == KSZ8830_CHIP_ID; --- -2.39.2 - diff --git a/queue-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch b/queue-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch deleted file mode 100644 index 394b25198f6..00000000000 --- a/queue-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 25ba53cf4a6b0cb809c74f265b2e1cd0d00ea850 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Apr 2023 12:18:38 +0200 -Subject: net: dsa: microchip: ksz8: Make ksz8_r_sta_mac_table() static - -From: Oleksij Rempel - -[ Upstream commit b5751cdd7dbe618a03951bdd4c982a71ba448b1b ] - -As ksz8_r_sta_mac_table() is only used within ksz8795.c, there is no need -to export it. Make the function static for better encapsulation. - -Signed-off-by: Oleksij Rempel -Reviewed-by: Vladimir Oltean -Acked-by: Arun Ramadoss -Signed-off-by: Paolo Abeni -Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/microchip/ksz8.h | 2 -- - drivers/net/dsa/microchip/ksz8795.c | 4 ++-- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/dsa/microchip/ksz8.h b/drivers/net/dsa/microchip/ksz8.h -index 8582b4b67d989..28137c4bf2928 100644 ---- a/drivers/net/dsa/microchip/ksz8.h -+++ b/drivers/net/dsa/microchip/ksz8.h -@@ -21,8 +21,6 @@ int ksz8_r_phy(struct ksz_device *dev, u16 phy, u16 reg, u16 *val); - int ksz8_w_phy(struct ksz_device *dev, u16 phy, u16 reg, u16 val); - int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, - u8 *fid, u8 *src_port, u8 *timestamp, u16 *entries); --int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, -- struct alu_struct *alu); - void ksz8_w_sta_mac_table(struct ksz_device *dev, u16 addr, - struct alu_struct *alu); - void ksz8_r_mib_cnt(struct ksz_device *dev, int port, u16 addr, u64 *cnt); -diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c -index 38fd9b8e0287a..a2f67be66b97d 100644 ---- a/drivers/net/dsa/microchip/ksz8795.c -+++ b/drivers/net/dsa/microchip/ksz8795.c -@@ -406,8 +406,8 @@ int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, - return rc; - } - --int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, -- struct alu_struct *alu) -+static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, -+ struct alu_struct *alu) - { - u32 data_hi, data_lo; - const u8 *shifts; --- -2.39.2 - diff --git a/queue-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch b/queue-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch deleted file mode 100644 index 61558ee997e..00000000000 --- a/queue-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 07866a478229526bd65ea5676f89ffc143c3e040 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Apr 2023 12:18:36 +0200 -Subject: net: dsa: microchip: ksz8: Separate static MAC table operations for - code reuse - -From: Oleksij Rempel - -[ Upstream commit f6636ff69ec4f2c94a5ee1d032b21cfe1e0a5678 ] - -Move static MAC table operations to separate functions in order to reuse -the code for add/del_fdb. This is needed to address kernel warnings -caused by the lack of fdb add function support in the current driver. - -Signed-off-by: Oleksij Rempel -Reviewed-by: Vladimir Oltean -Signed-off-by: Paolo Abeni -Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/microchip/ksz8795.c | 34 +++++++++++++++++++---------- - 1 file changed, 23 insertions(+), 11 deletions(-) - -diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c -index 22250ae222b5b..38fd9b8e0287a 100644 ---- a/drivers/net/dsa/microchip/ksz8795.c -+++ b/drivers/net/dsa/microchip/ksz8795.c -@@ -926,8 +926,8 @@ int ksz8_fdb_dump(struct ksz_device *dev, int port, - return ret; - } - --int ksz8_mdb_add(struct ksz_device *dev, int port, -- const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) -+static int ksz8_add_sta_mac(struct ksz_device *dev, int port, -+ const unsigned char *addr, u16 vid) - { - struct alu_struct alu; - int index; -@@ -937,8 +937,8 @@ int ksz8_mdb_add(struct ksz_device *dev, int port, - for (index = 0; index < dev->info->num_statics; index++) { - if (!ksz8_r_sta_mac_table(dev, index, &alu)) { - /* Found one already in static MAC table. */ -- if (!memcmp(alu.mac, mdb->addr, ETH_ALEN) && -- alu.fid == mdb->vid) -+ if (!memcmp(alu.mac, addr, ETH_ALEN) && -+ alu.fid == vid) - break; - /* Remember the first empty entry. */ - } else if (!empty) { -@@ -954,23 +954,23 @@ int ksz8_mdb_add(struct ksz_device *dev, int port, - if (index == dev->info->num_statics) { - index = empty - 1; - memset(&alu, 0, sizeof(alu)); -- memcpy(alu.mac, mdb->addr, ETH_ALEN); -+ memcpy(alu.mac, addr, ETH_ALEN); - alu.is_static = true; - } - alu.port_forward |= BIT(port); -- if (mdb->vid) { -+ if (vid) { - alu.is_use_fid = true; - - /* Need a way to map VID to FID. */ -- alu.fid = mdb->vid; -+ alu.fid = vid; - } - ksz8_w_sta_mac_table(dev, index, &alu); - - return 0; - } - --int ksz8_mdb_del(struct ksz_device *dev, int port, -- const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) -+static int ksz8_del_sta_mac(struct ksz_device *dev, int port, -+ const unsigned char *addr, u16 vid) - { - struct alu_struct alu; - int index; -@@ -978,8 +978,8 @@ int ksz8_mdb_del(struct ksz_device *dev, int port, - for (index = 0; index < dev->info->num_statics; index++) { - if (!ksz8_r_sta_mac_table(dev, index, &alu)) { - /* Found one already in static MAC table. */ -- if (!memcmp(alu.mac, mdb->addr, ETH_ALEN) && -- alu.fid == mdb->vid) -+ if (!memcmp(alu.mac, addr, ETH_ALEN) && -+ alu.fid == vid) - break; - } - } -@@ -998,6 +998,18 @@ int ksz8_mdb_del(struct ksz_device *dev, int port, - return 0; - } - -+int ksz8_mdb_add(struct ksz_device *dev, int port, -+ const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) -+{ -+ return ksz8_add_sta_mac(dev, port, mdb->addr, mdb->vid); -+} -+ -+int ksz8_mdb_del(struct ksz_device *dev, int port, -+ const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) -+{ -+ return ksz8_del_sta_mac(dev, port, mdb->addr, mdb->vid); -+} -+ - int ksz8_port_vlan_filtering(struct ksz_device *dev, int port, bool flag, - struct netlink_ext_ack *extack) - { --- -2.39.2 - diff --git a/queue-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch b/queue-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch deleted file mode 100644 index 7ffbd3f1702..00000000000 --- a/queue-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch +++ /dev/null @@ -1,154 +0,0 @@ -From fe300e7a9fd658eb7004931d40d174aea1c803a0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Apr 2023 12:18:39 +0200 -Subject: net: dsa: microchip: ksz8_r_sta_mac_table(): Avoid using error code - for empty entries - -From: Oleksij Rempel - -[ Upstream commit 559901b46810e82ba5321a5e789f994b65d3bc3d ] - -Prepare for the next patch by ensuring that ksz8_r_sta_mac_table() does -not use error codes for empty entries. This change will enable better -handling of read/write errors in the upcoming patch. - -Signed-off-by: Oleksij Rempel -Reviewed-by: Vladimir Oltean -Signed-off-by: Paolo Abeni -Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/microchip/ksz8795.c | 87 +++++++++++++++++------------ - 1 file changed, 50 insertions(+), 37 deletions(-) - -diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c -index a2f67be66b97d..6639fae56da7f 100644 ---- a/drivers/net/dsa/microchip/ksz8795.c -+++ b/drivers/net/dsa/microchip/ksz8795.c -@@ -407,7 +407,7 @@ int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, - } - - static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, -- struct alu_struct *alu) -+ struct alu_struct *alu, bool *valid) - { - u32 data_hi, data_lo; - const u8 *shifts; -@@ -420,28 +420,32 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, - ksz8_r_table(dev, TABLE_STATIC_MAC, addr, &data); - data_hi = data >> 32; - data_lo = (u32)data; -- if (data_hi & (masks[STATIC_MAC_TABLE_VALID] | -- masks[STATIC_MAC_TABLE_OVERRIDE])) { -- alu->mac[5] = (u8)data_lo; -- alu->mac[4] = (u8)(data_lo >> 8); -- alu->mac[3] = (u8)(data_lo >> 16); -- alu->mac[2] = (u8)(data_lo >> 24); -- alu->mac[1] = (u8)data_hi; -- alu->mac[0] = (u8)(data_hi >> 8); -- alu->port_forward = -- (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> -- shifts[STATIC_MAC_FWD_PORTS]; -- alu->is_override = -- (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; -- data_hi >>= 1; -- alu->is_static = true; -- alu->is_use_fid = -- (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; -- alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> -- shifts[STATIC_MAC_FID]; -+ -+ if (!(data_hi & (masks[STATIC_MAC_TABLE_VALID] | -+ masks[STATIC_MAC_TABLE_OVERRIDE]))) { -+ *valid = false; - return 0; - } -- return -ENXIO; -+ -+ alu->mac[5] = (u8)data_lo; -+ alu->mac[4] = (u8)(data_lo >> 8); -+ alu->mac[3] = (u8)(data_lo >> 16); -+ alu->mac[2] = (u8)(data_lo >> 24); -+ alu->mac[1] = (u8)data_hi; -+ alu->mac[0] = (u8)(data_hi >> 8); -+ alu->port_forward = -+ (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> -+ shifts[STATIC_MAC_FWD_PORTS]; -+ alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; -+ data_hi >>= 1; -+ alu->is_static = true; -+ alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; -+ alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> -+ shifts[STATIC_MAC_FID]; -+ -+ *valid = true; -+ -+ return 0; - } - - void ksz8_w_sta_mac_table(struct ksz_device *dev, u16 addr, -@@ -930,20 +934,25 @@ static int ksz8_add_sta_mac(struct ksz_device *dev, int port, - const unsigned char *addr, u16 vid) - { - struct alu_struct alu; -- int index; -+ int index, ret; - int empty = 0; - - alu.port_forward = 0; - for (index = 0; index < dev->info->num_statics; index++) { -- if (!ksz8_r_sta_mac_table(dev, index, &alu)) { -- /* Found one already in static MAC table. */ -- if (!memcmp(alu.mac, addr, ETH_ALEN) && -- alu.fid == vid) -- break; -- /* Remember the first empty entry. */ -- } else if (!empty) { -- empty = index + 1; -+ bool valid; -+ -+ ret = ksz8_r_sta_mac_table(dev, index, &alu, &valid); -+ if (ret) -+ return ret; -+ if (!valid) { -+ /* Remember the first empty entry. */ -+ if (!empty) -+ empty = index + 1; -+ continue; - } -+ -+ if (!memcmp(alu.mac, addr, ETH_ALEN) && alu.fid == vid) -+ break; - } - - /* no available entry */ -@@ -973,15 +982,19 @@ static int ksz8_del_sta_mac(struct ksz_device *dev, int port, - const unsigned char *addr, u16 vid) - { - struct alu_struct alu; -- int index; -+ int index, ret; - - for (index = 0; index < dev->info->num_statics; index++) { -- if (!ksz8_r_sta_mac_table(dev, index, &alu)) { -- /* Found one already in static MAC table. */ -- if (!memcmp(alu.mac, addr, ETH_ALEN) && -- alu.fid == vid) -- break; -- } -+ bool valid; -+ -+ ret = ksz8_r_sta_mac_table(dev, index, &alu, &valid); -+ if (ret) -+ return ret; -+ if (!valid) -+ continue; -+ -+ if (!memcmp(alu.mac, addr, ETH_ALEN) && alu.fid == vid) -+ break; - } - - /* no available entry */ --- -2.39.2 - diff --git a/queue-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch b/queue-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch deleted file mode 100644 index a4b0da3e2df..00000000000 --- a/queue-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch +++ /dev/null @@ -1,82 +0,0 @@ -From d4038c95e83f7d2c42f76634c0bd1e407d38b652 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 00:20:35 +0800 -Subject: net: ethernet: litex: add support for 64 bit stats - -From: Jisheng Zhang - -[ Upstream commit 18da174d865a87d47d2f33f5b0a322efcf067728 ] - -Implement 64 bit per cpu stats to fix the overflow of netdev->stats -on 32 bit platforms. To simplify the code, we use net core -pcpu_sw_netstats infrastructure. One small drawback is some memory -overhead because litex uses just one queue, but we allocate the -counters per cpu. - -Signed-off-by: Jisheng Zhang -Reviewed-by: Simon Horman -Acked-by: Gabriel Somlo -Link: https://lore.kernel.org/r/20230614162035.300-1-jszhang@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/litex/litex_liteeth.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c -index 35f24e0f09349..ffa96059079c6 100644 ---- a/drivers/net/ethernet/litex/litex_liteeth.c -+++ b/drivers/net/ethernet/litex/litex_liteeth.c -@@ -78,8 +78,7 @@ static int liteeth_rx(struct net_device *netdev) - memcpy_fromio(data, priv->rx_base + rx_slot * priv->slot_size, len); - skb->protocol = eth_type_trans(skb, netdev); - -- netdev->stats.rx_packets++; -- netdev->stats.rx_bytes += len; -+ dev_sw_netstats_rx_add(netdev, len); - - return netif_rx(skb); - -@@ -185,8 +184,7 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, - litex_write16(priv->base + LITEETH_READER_LENGTH, skb->len); - litex_write8(priv->base + LITEETH_READER_START, 1); - -- netdev->stats.tx_bytes += skb->len; -- netdev->stats.tx_packets++; -+ dev_sw_netstats_tx_add(netdev, 1, skb->len); - - priv->tx_slot = (priv->tx_slot + 1) % priv->num_tx_slots; - dev_kfree_skb_any(skb); -@@ -194,9 +192,17 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, - return NETDEV_TX_OK; - } - -+static void -+liteeth_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats) -+{ -+ netdev_stats_to_stats64(stats, &netdev->stats); -+ dev_fetch_sw_netstats(stats, netdev->tstats); -+} -+ - static const struct net_device_ops liteeth_netdev_ops = { - .ndo_open = liteeth_open, - .ndo_stop = liteeth_stop, -+ .ndo_get_stats64 = liteeth_get_stats64, - .ndo_start_xmit = liteeth_start_xmit, - }; - -@@ -242,6 +248,11 @@ static int liteeth_probe(struct platform_device *pdev) - priv->netdev = netdev; - priv->dev = &pdev->dev; - -+ netdev->tstats = devm_netdev_alloc_pcpu_stats(&pdev->dev, -+ struct pcpu_sw_netstats); -+ if (!netdev->tstats) -+ return -ENOMEM; -+ - irq = platform_get_irq(pdev, 0); - if (irq < 0) - return irq; --- -2.39.2 - diff --git a/queue-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/queue-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch deleted file mode 100644 index 418095fc532..00000000000 --- a/queue-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch +++ /dev/null @@ -1,86 +0,0 @@ -From c3465911da1e9d1a7b64a1ed1f446f1ef9666ff2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 03:42:29 +0100 -Subject: net: ethernet: mtk_eth_soc: handle probe deferral - -From: Daniel Golle - -[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] - -Move the call to of_get_ethdev_address to mtk_add_mac which is part of -the probe function and can hence itself return -EPROBE_DEFER should -of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely -get rid of the mtk_init function. - -The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced -in situations in which the NVMEM provider holding the MAC address has -not yet be loaded at the time mtk_eth_soc is initially probed. In this -case probing of mtk_eth_soc should be deferred instead of falling back -to use a random MAC address, so once the NVMEM provider becomes -available probing can be repeated. - -Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") -Signed-off-by: Daniel Golle -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- - 1 file changed, 11 insertions(+), 18 deletions(-) - -diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c -index 49975924e2426..7e318133423a9 100644 ---- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c -+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c -@@ -3425,23 +3425,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) - return 0; - } - --static int __init mtk_init(struct net_device *dev) --{ -- struct mtk_mac *mac = netdev_priv(dev); -- struct mtk_eth *eth = mac->hw; -- int ret; -- -- ret = of_get_ethdev_address(mac->of_node, dev); -- if (ret) { -- /* If the mac address is invalid, use random mac address */ -- eth_hw_addr_random(dev); -- dev_err(eth->dev, "generated random MAC address %pM\n", -- dev->dev_addr); -- } -- -- return 0; --} -- - static void mtk_uninit(struct net_device *dev) - { - struct mtk_mac *mac = netdev_priv(dev); -@@ -3789,7 +3772,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { - }; - - static const struct net_device_ops mtk_netdev_ops = { -- .ndo_init = mtk_init, - .ndo_uninit = mtk_uninit, - .ndo_open = mtk_open, - .ndo_stop = mtk_stop, -@@ -3845,6 +3827,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) - mac->hw = eth; - mac->of_node = np; - -+ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); -+ if (err == -EPROBE_DEFER) -+ return err; -+ -+ if (err) { -+ /* If the mac address is invalid, use random mac address */ -+ eth_hw_addr_random(eth->netdev[id]); -+ dev_err(eth->dev, "generated random MAC address %pM\n", -+ eth->netdev[id]->dev_addr); -+ } -+ - memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); - mac->hwlro_ip_cnt = 0; - --- -2.39.2 - diff --git a/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch deleted file mode 100644 index 52f517cfd5f..00000000000 --- a/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +++ /dev/null @@ -1,78 +0,0 @@ -From c809a11a4b6d3cfd988c7fb48576f8544d3b1d7e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jul 2023 16:36:57 +0530 -Subject: net: ethernet: ti: cpsw_ale: Fix - cpsw_ale_get_field()/cpsw_ale_set_field() - -From: Tanmay Patil - -[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] - -CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. -The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the -field will be strictly contained within one word. However, this is not -guaranteed to be the case and it is possible for ALE field entries to span -across up to two words at the most. - -Fix the methods to handle getting/setting fields spanning up to two words. - -Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") -Signed-off-by: Tanmay Patil -[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] -Signed-off-by: Siddharth Vadapalli -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c -index 231370e9a8017..2647c18d40d95 100644 ---- a/drivers/net/ethernet/ti/cpsw_ale.c -+++ b/drivers/net/ethernet/ti/cpsw_ale.c -@@ -106,23 +106,37 @@ struct cpsw_ale_dev_id { - - static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) - { -- int idx; -+ int idx, idx2; -+ u32 hi_val = 0; - - idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be fetched exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); -+ } - start -= idx * 32; - idx = 2 - idx; /* flip */ -- return (ale_entry[idx] >> start) & BITMASK(bits); -+ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); - } - - static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, - u32 value) - { -- int idx; -+ int idx, idx2; - - value &= BITMASK(bits); -- idx = start / 32; -+ idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be set exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); -+ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); -+ } - start -= idx * 32; -- idx = 2 - idx; /* flip */ -+ idx = 2 - idx; /* flip */ - ale_entry[idx] &= ~(BITMASK(bits) << start); - ale_entry[idx] |= (value << start); - } --- -2.39.2 - diff --git a/queue-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch b/queue-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch deleted file mode 100644 index 1779fb5be73..00000000000 --- a/queue-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch +++ /dev/null @@ -1,140 +0,0 @@ -From c7bac058c0b91ef65d58a3020117d8bad2853616 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 20:33:08 +0800 -Subject: net: hns3: fix strncpy() not using dest-buf length as length issue - -From: Hao Chen - -[ Upstream commit 1cf3d5567f273a8746d1bade00633a93204f80f0 ] - -Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length, -it may result in dest-buf overflow. - -This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0 -compiler. - -The warning reports as below: - -hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on -the length of the source argument [-Wstringop-truncation] - -strncpy(pos, items[i].name, strlen(items[i].name)); - -hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before -terminating nul copying as many bytes from a string as its length -[-Wstringop-truncation] - -strncpy(pos, result[i], strlen(result[i])); - -strncpy() use src-length as copy-length, it may result in -dest-buf overflow. - -So,this patch add some values check to avoid this issue. - -Signed-off-by: Hao Chen -Reported-by: kernel test robot -Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/ -Signed-off-by: Hao Lan -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++----- - .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++--- - 2 files changed, 48 insertions(+), 12 deletions(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -index bcccd82a2620f..f6ededec5a4fa 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -@@ -435,19 +435,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, - const struct hns3_dbg_item *items, - const char **result, u16 size) - { -+#define HNS3_DBG_LINE_END_LEN 2 - char *pos = content; -+ u16 item_len; - u16 i; - -+ if (!len) { -+ return; -+ } else if (len <= HNS3_DBG_LINE_END_LEN) { -+ *pos++ = '\0'; -+ return; -+ } -+ - memset(content, ' ', len); -- for (i = 0; i < size; i++) { -- if (result) -- strncpy(pos, result[i], strlen(result[i])); -- else -- strncpy(pos, items[i].name, strlen(items[i].name)); -+ len -= HNS3_DBG_LINE_END_LEN; - -- pos += strlen(items[i].name) + items[i].interval; -+ for (i = 0; i < size; i++) { -+ item_len = strlen(items[i].name) + items[i].interval; -+ if (len < item_len) -+ break; -+ -+ if (result) { -+ if (item_len < strlen(result[i])) -+ break; -+ strscpy(pos, result[i], strlen(result[i])); -+ } else { -+ strscpy(pos, items[i].name, strlen(items[i].name)); -+ } -+ pos += item_len; -+ len -= item_len; - } -- - *pos++ = '\n'; - *pos++ = '\0'; - } -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -index 142415c84c6b2..0ebc21401b7c2 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -@@ -87,16 +87,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, - const struct hclge_dbg_item *items, - const char **result, u16 size) - { -+#define HCLGE_DBG_LINE_END_LEN 2 - char *pos = content; -+ u16 item_len; - u16 i; - -+ if (!len) { -+ return; -+ } else if (len <= HCLGE_DBG_LINE_END_LEN) { -+ *pos++ = '\0'; -+ return; -+ } -+ - memset(content, ' ', len); -+ len -= HCLGE_DBG_LINE_END_LEN; -+ - for (i = 0; i < size; i++) { -- if (result) -- strncpy(pos, result[i], strlen(result[i])); -- else -- strncpy(pos, items[i].name, strlen(items[i].name)); -- pos += strlen(items[i].name) + items[i].interval; -+ item_len = strlen(items[i].name) + items[i].interval; -+ if (len < item_len) -+ break; -+ -+ if (result) { -+ if (item_len < strlen(result[i])) -+ break; -+ strscpy(pos, result[i], strlen(result[i])); -+ } else { -+ strscpy(pos, items[i].name, strlen(items[i].name)); -+ } -+ pos += item_len; -+ len -= item_len; - } - *pos++ = '\n'; - *pos++ = '\0'; --- -2.39.2 - diff --git a/queue-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch b/queue-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch deleted file mode 100644 index 3645eb7a502..00000000000 --- a/queue-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch +++ /dev/null @@ -1,134 +0,0 @@ -From d2d9a97443c3d363ac55a22c42cc9e677b12faa3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 May 2023 18:14:52 +0200 -Subject: net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV - -From: Antoine Tenart - -[ Upstream commit c0a8966e2bc7d31f77a7246947ebc09c1ff06066 ] - -When using IPv4/TCP, skb->hash comes from sk->sk_txhash except in -TIME_WAIT and SYN_RECV where it's not set in the reply skb from -ip_send_unicast_reply. Those packets will have a mismatched hash with -others from the same flow as their hashes will be 0. IPv6 does not have -the same issue as the hash is set from the socket txhash in those cases. - -This commits sets the hash in the reply skb from ip_send_unicast_reply, -which makes the IPv4 code behaving like IPv6. - -Signed-off-by: Antoine Tenart -Reviewed-by: Eric Dumazet -Signed-off-by: Paolo Abeni -Stable-dep-of: 5e5265522a9a ("tcp: annotate data-races around tcp_rsk(req)->txhash") -Signed-off-by: Sasha Levin ---- - include/net/ip.h | 2 +- - net/ipv4/ip_output.c | 4 +++- - net/ipv4/tcp_ipv4.c | 14 +++++++++----- - 3 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/include/net/ip.h b/include/net/ip.h -index acec504c469a0..83a1a9bc3ceb1 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -282,7 +282,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - const struct ip_options *sopt, - __be32 daddr, __be32 saddr, - const struct ip_reply_arg *arg, -- unsigned int len, u64 transmit_time); -+ unsigned int len, u64 transmit_time, u32 txhash); - - #define IP_INC_STATS(net, field) SNMP_INC_STATS64((net)->mib.ip_statistics, field) - #define __IP_INC_STATS(net, field) __SNMP_INC_STATS64((net)->mib.ip_statistics, field) -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 2a07588265c70..7b4ab545c06e0 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1691,7 +1691,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - const struct ip_options *sopt, - __be32 daddr, __be32 saddr, - const struct ip_reply_arg *arg, -- unsigned int len, u64 transmit_time) -+ unsigned int len, u64 transmit_time, u32 txhash) - { - struct ip_options_data replyopts; - struct ipcm_cookie ipc; -@@ -1754,6 +1754,8 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - arg->csum)); - nskb->ip_summed = CHECKSUM_NONE; - nskb->mono_delivery_time = !!transmit_time; -+ if (txhash) -+ skb_set_hash(nskb, txhash, PKT_HASH_TYPE_L4); - ip_push_pending_frames(sk, &fl4); - } - out: -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a7de5ba74e7f7..ef740983a1222 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -692,6 +692,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - u64 transmit_time = 0; - struct sock *ctl_sk; - struct net *net; -+ u32 txhash = 0; - - /* Never send a reset in response to a reset. */ - if (th->rst) -@@ -829,6 +830,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - inet_twsk(sk)->tw_priority : sk->sk_priority; - transmit_time = tcp_transmit_time(sk); - xfrm_sk_clone_policy(ctl_sk, sk); -+ txhash = (sk->sk_state == TCP_TIME_WAIT) ? -+ inet_twsk(sk)->tw_txhash : sk->sk_txhash; - } else { - ctl_sk->sk_mark = 0; - ctl_sk->sk_priority = 0; -@@ -837,7 +840,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - skb, &TCP_SKB_CB(skb)->header.h4.opt, - ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, - &arg, arg.iov[0].iov_len, -- transmit_time); -+ transmit_time, txhash); - - xfrm_sk_free_policy(ctl_sk); - sock_net_set(ctl_sk, &init_net); -@@ -859,7 +862,7 @@ static void tcp_v4_send_ack(const struct sock *sk, - struct sk_buff *skb, u32 seq, u32 ack, - u32 win, u32 tsval, u32 tsecr, int oif, - struct tcp_md5sig_key *key, -- int reply_flags, u8 tos) -+ int reply_flags, u8 tos, u32 txhash) - { - const struct tcphdr *th = tcp_hdr(skb); - struct { -@@ -935,7 +938,7 @@ static void tcp_v4_send_ack(const struct sock *sk, - skb, &TCP_SKB_CB(skb)->header.h4.opt, - ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, - &arg, arg.iov[0].iov_len, -- transmit_time); -+ transmit_time, txhash); - - sock_net_set(ctl_sk, &init_net); - __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); -@@ -955,7 +958,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) - tw->tw_bound_dev_if, - tcp_twsk_md5_key(tcptw), - tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, -- tw->tw_tos -+ tw->tw_tos, -+ tw->tw_txhash - ); - - inet_twsk_put(tw); -@@ -988,7 +992,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -- ip_hdr(skb)->tos); -+ ip_hdr(skb)->tos, tcp_rsk(req)->txhash); - } - - /* --- -2.39.2 - diff --git a/queue-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/queue-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch deleted file mode 100644 index db0b541de2a..00000000000 --- a/queue-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 9ba17b30e66744d6805871a41ff330f6594f1806 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 17:59:19 +0800 -Subject: net: ipv4: Use kfree_sensitive instead of kfree - -From: Wang Ming - -[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ] - -key might contain private part of the key, so better use -kfree_sensitive to free it. - -Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP") -Signed-off-by: Wang Ming -Reviewed-by: Tariq Toukan -Reviewed-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/esp4.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c -index 52c8047efedbb..2d094d417ecae 100644 ---- a/net/ipv4/esp4.c -+++ b/net/ipv4/esp4.c -@@ -1132,7 +1132,7 @@ static int esp_init_authenc(struct xfrm_state *x, - err = crypto_aead_setkey(aead, key, keylen); - - free_key: -- kfree(key); -+ kfree_sensitive(key); - - error: - return err; --- -2.39.2 - diff --git a/queue-6.1/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-6.1/net-ipv6-check-return-value-of-pskb_trim.patch deleted file mode 100644 index 21fad0bb8fb..00000000000 --- a/queue-6.1/net-ipv6-check-return-value-of-pskb_trim.patch +++ /dev/null @@ -1,39 +0,0 @@ -From d40157f8faa30cf97d32dde6d80704d5d0898f75 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 22:45:19 +0800 -Subject: net:ipv6: check return value of pskb_trim() - -From: Yuanjun Gong - -[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] - -goto tx_err if an unexpected result is returned by pskb_tirm() -in ip6erspan_tunnel_xmit(). - -Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") -Signed-off-by: Yuanjun Gong -Reviewed-by: David Ahern -Reviewed-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/ip6_gre.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 216b40ccadae0..d3fba7d8dec4e 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -977,7 +977,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, - goto tx_err; - - if (skb->len > dev->mtu + dev->hard_header_len) { -- pskb_trim(skb, dev->mtu + dev->hard_header_len); -+ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) -+ goto tx_err; - truncate = true; - } - --- -2.39.2 - diff --git a/queue-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/queue-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch deleted file mode 100644 index 45e4500a7d9..00000000000 --- a/queue-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 5cd4f073ef92600361ab34604f85b132f284a528 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 03:02:31 +0300 -Subject: net: phy: prevent stale pointer dereference in phy_init() - -From: Vladimir Oltean - -[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] - -mdio_bus_init() and phy_driver_register() both have error paths, and if -those are ever hit, ethtool will have a stale pointer to the -phy_ethtool_phy_ops stub structure, which references memory from a -module that failed to load (phylib). - -It is probably hard to force an error in this code path even manually, -but the error teardown path of phy_init() should be the same as -phy_exit(), which is now simply not the case. - -Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") -Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ -Suggested-by: Russell King (Oracle) -Signed-off-by: Vladimir Oltean -Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/phy/phy_device.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c -index 7fbb0904b3c0f..82f74f96eba29 100644 ---- a/drivers/net/phy/phy_device.c -+++ b/drivers/net/phy/phy_device.c -@@ -3252,23 +3252,30 @@ static int __init phy_init(void) - { - int rc; - -+ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); -+ - rc = mdio_bus_init(); - if (rc) -- return rc; -+ goto err_ethtool_phy_ops; - -- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); - features_init(); - - rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); - if (rc) -- goto err_c45; -+ goto err_mdio_bus; - - rc = phy_driver_register(&genphy_driver, THIS_MODULE); -- if (rc) { -- phy_driver_unregister(&genphy_c45_driver); -+ if (rc) -+ goto err_c45; -+ -+ return 0; -+ - err_c45: -- mdio_bus_exit(); -- } -+ phy_driver_unregister(&genphy_c45_driver); -+err_mdio_bus: -+ mdio_bus_exit(); -+err_ethtool_phy_ops: -+ ethtool_set_ethtool_phy_ops(NULL); - - return rc; - } --- -2.39.2 - diff --git a/queue-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/queue-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch deleted file mode 100644 index fca333f2ee6..00000000000 --- a/queue-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch +++ /dev/null @@ -1,165 +0,0 @@ -From 80ba7d3f04c1dd00e5a8cdab662fc9acf1a3b2b6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:13 -0300 -Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error - -From: Victor Nogueira - -[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ] - -If cls_bpf_offload errors out, we must also undo tcf_bind_filter that -was done before the error. - -Fix that by calling tcf_unbind_filter in errout_parms. - -Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------ - 1 file changed, 47 insertions(+), 52 deletions(-) - -diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c -index bc317b3eac124..0320e11eb248b 100644 ---- a/net/sched/cls_bpf.c -+++ b/net/sched/cls_bpf.c -@@ -404,56 +404,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, - return 0; - } - --static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp, -- struct cls_bpf_prog *prog, unsigned long base, -- struct nlattr **tb, struct nlattr *est, u32 flags, -- struct netlink_ext_ack *extack) --{ -- bool is_bpf, is_ebpf, have_exts = false; -- u32 gen_flags = 0; -- int ret; -- -- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; -- is_ebpf = tb[TCA_BPF_FD]; -- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) -- return -EINVAL; -- -- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags, -- extack); -- if (ret < 0) -- return ret; -- -- if (tb[TCA_BPF_FLAGS]) { -- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); -- -- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) -- return -EINVAL; -- -- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; -- } -- if (tb[TCA_BPF_FLAGS_GEN]) { -- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); -- if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || -- !tc_flags_valid(gen_flags)) -- return -EINVAL; -- } -- -- prog->exts_integrated = have_exts; -- prog->gen_flags = gen_flags; -- -- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : -- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); -- if (ret < 0) -- return ret; -- -- if (tb[TCA_BPF_CLASSID]) { -- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); -- tcf_bind_filter(tp, &prog->res, base); -- } -- -- return 0; --} -- - static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - struct tcf_proto *tp, unsigned long base, - u32 handle, struct nlattr **tca, -@@ -461,9 +411,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - struct netlink_ext_ack *extack) - { - struct cls_bpf_head *head = rtnl_dereference(tp->root); -+ bool is_bpf, is_ebpf, have_exts = false; - struct cls_bpf_prog *oldprog = *arg; - struct nlattr *tb[TCA_BPF_MAX + 1]; -+ bool bound_to_filter = false; - struct cls_bpf_prog *prog; -+ u32 gen_flags = 0; - int ret; - - if (tca[TCA_OPTIONS] == NULL) -@@ -502,11 +455,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - goto errout; - prog->handle = handle; - -- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags, -- extack); -+ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; -+ is_ebpf = tb[TCA_BPF_FD]; -+ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ -+ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts, -+ flags, extack); -+ if (ret < 0) -+ goto errout_idr; -+ -+ if (tb[TCA_BPF_FLAGS]) { -+ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); -+ -+ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ -+ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; -+ } -+ if (tb[TCA_BPF_FLAGS_GEN]) { -+ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); -+ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || -+ !tc_flags_valid(gen_flags)) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ } -+ -+ prog->exts_integrated = have_exts; -+ prog->gen_flags = gen_flags; -+ -+ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : -+ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); - if (ret < 0) - goto errout_idr; - -+ if (tb[TCA_BPF_CLASSID]) { -+ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); -+ tcf_bind_filter(tp, &prog->res, base); -+ bound_to_filter = true; -+ } -+ - ret = cls_bpf_offload(tp, prog, oldprog, extack); - if (ret) - goto errout_parms; -@@ -528,6 +521,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - return 0; - - errout_parms: -+ if (bound_to_filter) -+ tcf_unbind_filter(tp, &prog->res); - cls_bpf_free_parms(prog); - errout_idr: - if (!oldprog) --- -2.39.2 - diff --git a/queue-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch b/queue-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch deleted file mode 100644 index 892c64519e3..00000000000 --- a/queue-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch +++ /dev/null @@ -1,98 +0,0 @@ -From df17b2737c98c54588b1108cd709109a4a053d7e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:10 -0300 -Subject: net: sched: cls_matchall: Undo tcf_bind_filter in case of failure - after mall_set_parms - -From: Victor Nogueira - -[ Upstream commit b3d0e0489430735e2e7626aa37e6462cdd136e9d ] - -In case an error occurred after mall_set_parms executed successfully, we -must undo the tcf_bind_filter call it issues. - -Fix that by calling tcf_unbind_filter in err_replace_hw_filter label. - -Fixes: ec2507d2a306 ("net/sched: cls_matchall: Fix error path") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_matchall.c | 35 ++++++++++++----------------------- - 1 file changed, 12 insertions(+), 23 deletions(-) - -diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c -index 39a5d9c170def..43f8df5847414 100644 ---- a/net/sched/cls_matchall.c -+++ b/net/sched/cls_matchall.c -@@ -157,26 +157,6 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { - [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 }, - }; - --static int mall_set_parms(struct net *net, struct tcf_proto *tp, -- struct cls_mall_head *head, -- unsigned long base, struct nlattr **tb, -- struct nlattr *est, u32 flags, u32 fl_flags, -- struct netlink_ext_ack *extack) --{ -- int err; -- -- err = tcf_exts_validate_ex(net, tp, tb, est, &head->exts, flags, -- fl_flags, extack); -- if (err < 0) -- return err; -- -- if (tb[TCA_MATCHALL_CLASSID]) { -- head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -- tcf_bind_filter(tp, &head->res, base); -- } -- return 0; --} -- - static int mall_change(struct net *net, struct sk_buff *in_skb, - struct tcf_proto *tp, unsigned long base, - u32 handle, struct nlattr **tca, -@@ -185,6 +165,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - { - struct cls_mall_head *head = rtnl_dereference(tp->root); - struct nlattr *tb[TCA_MATCHALL_MAX + 1]; -+ bool bound_to_filter = false; - struct cls_mall_head *new; - u32 userflags = 0; - int err; -@@ -224,11 +205,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - goto err_alloc_percpu; - } - -- err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], -- flags, new->flags, extack); -- if (err) -+ err = tcf_exts_validate_ex(net, tp, tb, tca[TCA_RATE], -+ &new->exts, flags, new->flags, extack); -+ if (err < 0) - goto err_set_parms; - -+ if (tb[TCA_MATCHALL_CLASSID]) { -+ new->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -+ tcf_bind_filter(tp, &new->res, base); -+ bound_to_filter = true; -+ } -+ - if (!tc_skip_hw(new->flags)) { - err = mall_replace_hw_filter(tp, new, (unsigned long)new, - extack); -@@ -244,6 +231,8 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - return 0; - - err_replace_hw_filter: -+ if (bound_to_filter) -+ tcf_unbind_filter(tp, &new->res); - err_set_parms: - free_percpu(new->pf); - err_alloc_percpu: --- -2.39.2 - diff --git a/queue-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch b/queue-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch deleted file mode 100644 index 644fb9b107b..00000000000 --- a/queue-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 2565a1a811821f66ba1cd9a3bb9496fbecdc80e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:12 -0300 -Subject: net: sched: cls_u32: Undo refcount decrement in case update failed - -From: Victor Nogueira - -[ Upstream commit e8d3d78c19be0264a5692bed477c303523aead31 ] - -In the case of an update, when TCA_U32_LINK is set, u32_set_parms will -decrement the refcount of the ht_down (struct tc_u_hnode) pointer -present in the older u32 filter which we are replacing. However, if -u32_replace_hw_knode errors out, the update command fails and that -ht_down pointer continues decremented. To fix that, when -u32_replace_hw_knode fails, check if ht_down's refcount was decremented -and undo the decrement. - -Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_u32.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c -index 7cfbcd5180841..1280736a7b92e 100644 ---- a/net/sched/cls_u32.c -+++ b/net/sched/cls_u32.c -@@ -926,6 +926,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - if (err) { - u32_unbind_filter(tp, new, tb); - -+ if (tb[TCA_U32_LINK]) { -+ struct tc_u_hnode *ht_old; -+ -+ ht_old = rtnl_dereference(n->ht_down); -+ if (ht_old) -+ ht_old->refcnt++; -+ } - __u32_destroy_key(new); - return err; - } --- -2.39.2 - diff --git a/queue-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch b/queue-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch deleted file mode 100644 index b118e643cf0..00000000000 --- a/queue-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 66d4c485e832ee7c6d50709763bfdf4c14e821d0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:11 -0300 -Subject: net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode - -From: Victor Nogueira - -[ Upstream commit 9cb36faedeafb9720ac236aeae2ea57091d90a09 ] - -When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter -operation done at u32_set_parms. - -Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_u32.c | 41 ++++++++++++++++++++++++++++++----------- - 1 file changed, 30 insertions(+), 11 deletions(-) - -diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c -index a3477537c102b..7cfbcd5180841 100644 ---- a/net/sched/cls_u32.c -+++ b/net/sched/cls_u32.c -@@ -710,8 +710,23 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = { - [TCA_U32_FLAGS] = { .type = NLA_U32 }, - }; - -+static void u32_unbind_filter(struct tcf_proto *tp, struct tc_u_knode *n, -+ struct nlattr **tb) -+{ -+ if (tb[TCA_U32_CLASSID]) -+ tcf_unbind_filter(tp, &n->res); -+} -+ -+static void u32_bind_filter(struct tcf_proto *tp, struct tc_u_knode *n, -+ unsigned long base, struct nlattr **tb) -+{ -+ if (tb[TCA_U32_CLASSID]) { -+ n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); -+ tcf_bind_filter(tp, &n->res, base); -+ } -+} -+ - static int u32_set_parms(struct net *net, struct tcf_proto *tp, -- unsigned long base, - struct tc_u_knode *n, struct nlattr **tb, - struct nlattr *est, u32 flags, u32 fl_flags, - struct netlink_ext_ack *extack) -@@ -758,10 +773,6 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, - if (ht_old) - ht_old->refcnt--; - } -- if (tb[TCA_U32_CLASSID]) { -- n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); -- tcf_bind_filter(tp, &n->res, base); -- } - - if (ifindex >= 0) - n->ifindex = ifindex; -@@ -901,17 +912,20 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - if (!new) - return -ENOMEM; - -- err = u32_set_parms(net, tp, base, new, tb, -- tca[TCA_RATE], flags, new->flags, -- extack); -+ err = u32_set_parms(net, tp, new, tb, tca[TCA_RATE], -+ flags, new->flags, extack); - - if (err) { - __u32_destroy_key(new); - return err; - } - -+ u32_bind_filter(tp, new, base, tb); -+ - err = u32_replace_hw_knode(tp, new, flags, extack); - if (err) { -+ u32_unbind_filter(tp, new, tb); -+ - __u32_destroy_key(new); - return err; - } -@@ -1072,15 +1086,18 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - } - #endif - -- err = u32_set_parms(net, tp, base, n, tb, tca[TCA_RATE], -+ err = u32_set_parms(net, tp, n, tb, tca[TCA_RATE], - flags, n->flags, extack); -+ -+ u32_bind_filter(tp, n, base, tb); -+ - if (err == 0) { - struct tc_u_knode __rcu **ins; - struct tc_u_knode *pins; - - err = u32_replace_hw_knode(tp, n, flags, extack); - if (err) -- goto errhw; -+ goto errunbind; - - if (!tc_in_hw(n->flags)) - n->flags |= TCA_CLS_FLAGS_NOT_IN_HW; -@@ -1098,7 +1115,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - return 0; - } - --errhw: -+errunbind: -+ u32_unbind_filter(tp, n, tb); -+ - #ifdef CONFIG_CLS_U32_MARK - free_percpu(n->pcpu_success); - #endif --- -2.39.2 - diff --git a/queue-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch deleted file mode 100644 index e9e644e643b..00000000000 --- a/queue-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 93023625146793635d96beb87c81594cb326e47c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 01:30:33 +0200 -Subject: netfilter: nf_tables: can't schedule in nft_chain_validate - -From: Florian Westphal - -[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] - -Can be called via nft set element list iteration, which may acquire -rcu and/or bh read lock (depends on set type). - -BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 -in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft -preempt_count: 0, expected: 0 -RCU nest depth: 1, expected: 0 -2 locks held by nft/1232: - #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid - #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire -Call Trace: - nft_chain_validate - nft_lookup_validate_setelem - nft_pipapo_walk - nft_lookup_validate - nft_chain_validate - nft_immediate_validate - nft_chain_validate - nf_tables_validate - nf_tables_abort - -No choice but to move it to nf_tables_validate(). - -Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 58f14e4ef63d4..0bb1cc7ed5e99 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -3500,8 +3500,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) - if (err < 0) - return err; - } -- -- cond_resched(); - } - - return 0; -@@ -3525,6 +3523,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) - err = nft_chain_validate(&ctx, chain); - if (err < 0) - return err; -+ -+ cond_resched(); - } - - return 0; --- -2.39.2 - diff --git a/queue-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch deleted file mode 100644 index d9dbd340acc..00000000000 --- a/queue-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 447b7e2bbc060e4f8293f9e084a379b95e8bf78b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 00:29:58 +0200 -Subject: netfilter: nf_tables: fix spurious set element insertion failure - -From: Florian Westphal - -[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] - -On some platforms there is a padding hole in the nft_verdict -structure, between the verdict code and the chain pointer. - -On element insertion, if the new element clashes with an existing one and -NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as -the data associated with duplicated element is the same as the existing -one. The data equality check uses memcmp. - -For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT -padding area leads to spurious failure even if the verdict data is the -same. - -This then makes the insertion fail with 'already exists' error, even -though the new "key : data" matches an existing entry and userspace -told the kernel that it doesn't want to receive an error indication. - -Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 938cfa9a3adb6..58f14e4ef63d4 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -10114,6 +10114,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, - - if (!tb[NFTA_VERDICT_CODE]) - return -EINVAL; -+ -+ /* zero padding hole for memcmp */ -+ memset(data, 0, sizeof(*data)); - data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); - - switch (data->verdict.code) { --- -2.39.2 - diff --git a/queue-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/queue-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch deleted file mode 100644 index 240214ec93d..00000000000 --- a/queue-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 2de006dd895fa8e0d71406e0293e4e0caa40e552 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 20:19:43 +0200 -Subject: netfilter: nf_tables: skip bound chain in netns release path - -From: Pablo Neira Ayuso - -[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ] - -Skip bound chain from netns release path, the rule that owns this chain -releases these objects. - -Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 0bb1cc7ed5e99..f621c5e48747b 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -10398,6 +10398,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table) - ctx.family = table->family; - ctx.table = table; - list_for_each_entry(chain, &table->chains, list) { -+ if (nft_chain_is_bound(chain)) -+ continue; -+ - ctx.chain = chain; - list_for_each_entry_safe(rule, nr, &chain->rules, list) { - list_del(&rule->list); --- -2.39.2 - diff --git a/queue-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/queue-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch deleted file mode 100644 index 9aff1bc6b86..00000000000 --- a/queue-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 00af5d0ed7436d8d334b78b70165969fd0c0dde3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 09:17:21 +0200 -Subject: netfilter: nf_tables: skip bound chain on rule flush - -From: Pablo Neira Ayuso - -[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ] - -Skip bound chain when flushing table rules, the rule that owns this -chain releases these objects. - -Otherwise, the following warning is triggered: - - WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] - CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 - RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] - -Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") -Reported-by: Kevin Rich -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index f621c5e48747b..ecde497368ec4 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -3892,6 +3892,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, - list_for_each_entry(chain, &table->chains, list) { - if (!nft_is_active_next(net, chain)) - continue; -+ if (nft_chain_is_bound(chain)) -+ continue; - - ctx.chain = chain; - err = nft_delrule_by_chain(&ctx); --- -2.39.2 - diff --git a/queue-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/queue-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch deleted file mode 100644 index 91dcec1dda0..00000000000 --- a/queue-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 83c0d8d2e1df2dea06f0b2bf34a73af311411a76 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:08:21 +0200 -Subject: netfilter: nft_set_pipapo: fix improper element removal - -From: Florian Westphal - -[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] - -end key should be equal to start unless NFT_SET_EXT_KEY_END is present. - -Its possible to add elements that only have a start key -("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. - -Insertion treats this via: - -if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) - end = (const u8 *)nft_set_ext_key_end(ext)->data; -else - end = start; - -but removal side always uses nft_set_ext_key_end(). -This is wrong and leads to garbage remaining in the set after removal -next lookup/insert attempt will give: - -BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 -Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 -Call Trace: - kasan_report+0x105/0x140 - pipapo_get+0x8eb/0xb90 - nft_pipapo_insert+0x1dc/0x1710 - nf_tables_newsetelem+0x31f5/0x4e00 - .. - -Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") -Reported-by: lonial con -Reviewed-by: Stefano Brivio -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nft_set_pipapo.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c -index 0452ee586c1cc..a81829c10feab 100644 ---- a/net/netfilter/nft_set_pipapo.c -+++ b/net/netfilter/nft_set_pipapo.c -@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, - int i, start, rules_fx; - - match_start = data; -- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ -+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) -+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ else -+ match_end = data; - - start = first_rule; - rules_fx = rules_f0; --- -2.39.2 - diff --git a/queue-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/queue-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch deleted file mode 100644 index 27c97b9ed07..00000000000 --- a/queue-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch +++ /dev/null @@ -1,43 +0,0 @@ -From b8bfbeb43ba95b6189f76448167e05a0545f9706 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jul 2023 15:07:41 +0530 -Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces - -From: Geetha sowjanya - -[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ] - -Current driver enables backpressure for LBK interfaces. -But these interfaces do not support this feature. -Hence, this patch fixes the issue by skipping the -backpressure configuration for these interfaces. - -Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool"). -Signed-off-by: Geetha sowjanya -Signed-off-by: Sunil Goutham -Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -index ed911d9946277..c236dba80ff1a 100644 ---- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -@@ -1452,8 +1452,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf) - if (err) - goto err_free_npa_lf; - -- /* Enable backpressure */ -- otx2_nix_config_bp(pf, true); -+ /* Enable backpressure for CGX mapped PF/VFs */ -+ if (!is_otx2_lbkvf(pf->pdev)) -+ otx2_nix_config_bp(pf, true); - - /* Init Auras and pools used by NIX RQ, for free buffer ptrs */ - err = otx2_rq_aura_pool_init(pf); --- -2.39.2 - diff --git a/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch b/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch deleted file mode 100644 index 825e32fdd09..00000000000 --- a/queue-6.1/of-preserve-of-display-device-name-for-compatibility.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 Mon Sep 17 00:00:00 2001 -From: Rob Herring -Date: Mon, 10 Jul 2023 11:40:07 -0600 -Subject: of: Preserve "of-display" device name for compatibility -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Rob Herring - -commit 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 upstream. - -Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"), -as spotted by Frédéric Bonnard, the historical "of-display" device is -gone: the updated logic creates "of-display.0" instead, then as many -"of-display.N" as required. - -This means that offb no longer finds the expected device, which prevents -the Debian Installer from setting up its interface, at least on ppc64el. - -Fix this by keeping "of-display" for the first device and "of-display.N" -for subsequent devices. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328 -Link: https://bugs.debian.org/1033058 -Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique") -Cc: stable@vger.kernel.org -Cc: Cyril Brulebois -Cc: Thomas Zimmermann -Cc: Helge Deller -Acked-by: Helge Deller -Acked-by: Thomas Zimmermann -Reviewed-by: Michal Suchánek -Link: https://lore.kernel.org/r/20230710174007.2291013-1-robh@kernel.org -Signed-off-by: Rob Herring -Signed-off-by: Greg Kroah-Hartman ---- - drivers/of/platform.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/of/platform.c -+++ b/drivers/of/platform.c -@@ -557,7 +557,7 @@ static int __init of_platform_default_po - if (!of_get_property(node, "linux,opened", NULL) || - !of_get_property(node, "linux,boot-display", NULL)) - continue; -- dev = of_platform_device_create(node, "of-display.0", NULL); -+ dev = of_platform_device_create(node, "of-display", NULL); - of_node_put(node); - if (WARN_ON(!dev)) - return -ENOMEM; diff --git a/queue-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch b/queue-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch deleted file mode 100644 index 298e882552a..00000000000 --- a/queue-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 2c90078841a0854ee8bf4c7fa749f54fbd044f83 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Tue, 13 Jun 2023 10:13:37 +0200 -Subject: [PATCH AUTOSEL 4.19 06/11] ovl: check type and offset of struct - vfsmount in ovl_entry -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ] - -Porting overlayfs to the new amount api I started experiencing random -crashes that couldn't be explained easily. So after much debugging and -reasoning it became clear that struct ovl_entry requires the point to -struct vfsmount to be the first member and of type struct vfsmount. - -During the port I added a new member at the beginning of struct -ovl_entry which broke all over the place in the form of random crashes -and cache corruptions. While there's a comment in ovl_free_fs() to the -effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing -it" there's no such comment on struct ovl_entry which makes this easy to -trip over. - -Add a comment and two static asserts for both the offset and the type of -pointer in struct ovl_entry. - -Signed-off-by: Christian Brauner -Signed-off-by: Amir Goldstein -Signed-off-by: Sasha Levin ---- - fs/overlayfs/ovl_entry.h | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/fs/overlayfs/ovl_entry.h -+++ b/fs/overlayfs/ovl_entry.h -@@ -32,6 +32,7 @@ struct ovl_sb { - }; - - struct ovl_layer { -+ /* ovl_free_fs() relies on @mnt being the first member! */ - struct vfsmount *mnt; - /* Trap in ovl inode cache */ - struct inode *trap; -@@ -42,6 +43,14 @@ struct ovl_layer { - int fsid; - }; - -+/* -+ * ovl_free_fs() relies on @mnt being the first member when unmounting -+ * the private mounts created for each layer. Let's check both the -+ * offset and type. -+ */ -+static_assert(offsetof(struct ovl_layer, mnt) == 0); -+static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *)); -+ - struct ovl_path { - const struct ovl_layer *layer; - struct dentry *dentry; diff --git a/queue-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch b/queue-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch deleted file mode 100644 index 985a8b231b1..00000000000 --- a/queue-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 680f36a4f5e7d831b67c91dafe4f6c7797e53475 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Jul 2023 16:45:46 +0100 -Subject: perf build: Fix library not found error when using CSLIBS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: James Clark - -[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ] - --L only specifies the search path for libraries directly provided in the -link line with -l. Because -lopencsd isn't specified, it's only linked -because it's a dependency of -lopencsd_c_api. Dependencies like this are -resolved using the default system search paths or -rpath-link=... rather -than -L. This means that compilation only works if OpenCSD is installed -to the system rather than provided with the CSLIBS (-L) option. - -This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less -conventional than just adding -lopencsd to the link line so that it uses --L. -lopencsd seems to have been removed in commit ed17b1914978eddb -("perf tools: Drop requirement for libstdc++.so for libopencsd check") -because it was thought that there was a chance compilation would work -even if it didn't exist, but I think that only applies to libstdc++ so -there is no harm to add it back. libopencsd.so and libopencsd_c_api.so -would always exist together. - -Testing -======= - -The following scenarios now all work: - - * Cross build with OpenCSD installed - * Cross build using CSLIBS=... - * Native build with OpenCSD installed - * Native build using CSLIBS=... - * Static cross build with OpenCSD installed - * Static cross build with CSLIBS=... - -Committer testing: - - ⬢[acme@toolbox perf-tools]$ alias m - alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01' - ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd - libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000) - libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000) - ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release - Fedora release 36 (Thirty Six) - ⬢[acme@toolbox perf-tools]$ - -Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check") -Reported-by: Radhey Shyam Pandey -Signed-off-by: James Clark -Tested-by: Arnaldo Carvalho de Melo -Tested-by: Radhey Shyam Pandey -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: Uwe Kleine-König -Cc: coresight@lists.linaro.org -Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/ -Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/ -Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/Makefile.config | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config -index 898226ea8cadc..fac6ba07eacdb 100644 ---- a/tools/perf/Makefile.config -+++ b/tools/perf/Makefile.config -@@ -149,9 +149,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto - ifdef CSINCLUDES - LIBOPENCSD_CFLAGS := -I$(CSINCLUDES) - endif --OPENCSDLIBS := -lopencsd_c_api -+OPENCSDLIBS := -lopencsd_c_api -lopencsd - ifeq ($(findstring -static,${LDFLAGS}),-static) -- OPENCSDLIBS += -lopencsd -lstdc++ -+ OPENCSDLIBS += -lstdc++ - endif - ifdef CSLIBS - LIBOPENCSD_LDFLAGS := -L$(CSLIBS) --- -2.39.2 - diff --git a/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch deleted file mode 100644 index ac282bd2634..00000000000 --- a/queue-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Georg=20M=C3=BCller?= -Date: Wed, 28 Jun 2023 10:45:50 +0200 -Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Georg Müller - -commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. - -This patch adds a test to validate that 'perf probe' works for binaries -where DWARF info is split into multiple CUs - -Signed-off-by: Georg Müller -Acked-by: Masami Hiramatsu (Google) -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: regressions@lists.linux.dev -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ - 1 file changed, 77 insertions(+) - create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh - ---- /dev/null -+++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh -@@ -0,0 +1,77 @@ -+#!/bin/bash -+# test perf probe of function from different CU -+# SPDX-License-Identifier: GPL-2.0 -+ -+set -e -+ -+temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) -+ -+cleanup() -+{ -+ trap - EXIT TERM INT -+ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then -+ echo "--- Cleaning up ---" -+ perf probe -x ${temp_dir}/testfile -d foo -+ rm -f "${temp_dir}/"* -+ rmdir "${temp_dir}" -+ fi -+} -+ -+trap_cleanup() -+{ -+ cleanup -+ exit 1 -+} -+ -+trap trap_cleanup EXIT TERM INT -+ -+cat > ${temp_dir}/testfile-foo.h << EOF -+struct t -+{ -+ int *p; -+ int c; -+}; -+ -+extern int foo (int i, struct t *t); -+EOF -+ -+cat > ${temp_dir}/testfile-foo.c << EOF -+#include "testfile-foo.h" -+ -+int -+foo (int i, struct t *t) -+{ -+ int j, res = 0; -+ for (j = 0; j < i && j < t->c; j++) -+ res += t->p[j]; -+ -+ return res; -+} -+EOF -+ -+cat > ${temp_dir}/testfile-main.c << EOF -+#include "testfile-foo.h" -+ -+static struct t g; -+ -+int -+main (int argc, char **argv) -+{ -+ int i; -+ int j[argc]; -+ g.c = argc; -+ g.p = j; -+ for (i = 0; i < argc; i++) -+ j[i] = (int) argv[i][0]; -+ return foo (3, &g); -+} -+EOF -+ -+gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o -+gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o -+gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o -+ -+perf probe -x ${temp_dir}/testfile --funcs foo -+perf probe -x ${temp_dir}/testfile foo -+ -+cleanup diff --git a/queue-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch b/queue-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch deleted file mode 100644 index 51b77397bbf..00000000000 --- a/queue-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 726cf612acdfe280e96ebb1977b1ec50b8c6ec28 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jul 2023 12:18:58 +0100 -Subject: pinctrl: renesas: rzg2l: Handle non-unique subnode names - -From: Biju Das - -[ Upstream commit bfc374a145ae133613e05b9b89be561f169cb58d ] - -Currently, sd1 and sd0 have unique subnode names 'sd1_mux' and 'sd0_mux'. -If we change these to non-unique subnode names such as 'mux' this can -lead to the below conflict as the RZ/G2L pin control driver considers -only the names of the subnodes. - - pinctrl-rzg2l 11030000.pinctrl: pin P47_0 already requested by 11c00000.mmc; cannot claim for 11c10000.mmc - pinctrl-rzg2l 11030000.pinctrl: pin-376 (11c10000.mmc) status -22 - pinctrl-rzg2l 11030000.pinctrl: could not request pin 376 (P47_0) from group mux on device pinctrl-rzg2l - renesas_sdhi_internal_dmac 11c10000.mmc: Error applying setting, reverse things back - -Fix this by constructing unique names from the node names of both the -pin control configuration node and its child node, where appropriate. - -Based on the work done by Geert for the RZ/V2M pinctrl driver. - -Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") -Signed-off-by: Biju Das -Reviewed-by: Geert Uytterhoeven -Link: https://lore.kernel.org/r/20230704111858.215278-1-biju.das.jz@bp.renesas.com -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/renesas/pinctrl-rzg2l.c | 28 ++++++++++++++++++------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c -index ca6303fc41f98..fd11d28e5a1e4 100644 ---- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c -+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c -@@ -246,6 +246,7 @@ static int rzg2l_map_add_config(struct pinctrl_map *map, - - static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct device_node *np, -+ struct device_node *parent, - struct pinctrl_map **map, - unsigned int *num_maps, - unsigned int *index) -@@ -263,6 +264,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct property *prop; - int ret, gsel, fsel; - const char **pin_fn; -+ const char *name; - const char *pin; - - pinmux = of_find_property(np, "pinmux", NULL); -@@ -346,8 +348,19 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - psel_val[i] = MUX_FUNC(value); - } - -+ if (parent) { -+ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", -+ parent, np); -+ if (!name) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ } else { -+ name = np->name; -+ } -+ - /* Register a single pin group listing all the pins we read from DT */ -- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); -+ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); - if (gsel < 0) { - ret = gsel; - goto done; -@@ -357,17 +370,16 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - * Register a single group function where the 'data' is an array PSEL - * register values read from DT. - */ -- pin_fn[0] = np->name; -- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, -- psel_val); -+ pin_fn[0] = name; -+ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); - if (fsel < 0) { - ret = fsel; - goto remove_group; - } - - maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; -- maps[idx].data.mux.group = np->name; -- maps[idx].data.mux.function = np->name; -+ maps[idx].data.mux.group = name; -+ maps[idx].data.mux.function = name; - idx++; - - dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); -@@ -414,7 +426,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, - index = 0; - - for_each_child_of_node(np, child) { -- ret = rzg2l_dt_subnode_to_map(pctldev, child, map, -+ ret = rzg2l_dt_subnode_to_map(pctldev, child, np, map, - num_maps, &index); - if (ret < 0) { - of_node_put(child); -@@ -423,7 +435,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, - } - - if (*num_maps == 0) { -- ret = rzg2l_dt_subnode_to_map(pctldev, np, map, -+ ret = rzg2l_dt_subnode_to_map(pctldev, np, NULL, map, - num_maps, &index); - if (ret < 0) - goto done; --- -2.39.2 - diff --git a/queue-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch b/queue-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch deleted file mode 100644 index b84aa528fc0..00000000000 --- a/queue-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 825d0cfe089333f10e47c7657c16035ce33865d3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jul 2023 17:07:06 +0200 -Subject: pinctrl: renesas: rzv2m: Handle non-unique subnode names - -From: Geert Uytterhoeven - -[ Upstream commit f46a0b47cc0829acd050213194c5a77351e619b2 ] - -The eMMC and SDHI pin control configuration nodes in DT have subnodes -with the same names ("data" and "ctrl"). As the RZ/V2M pin control -driver considers only the names of the subnodes, this leads to -conflicts: - - pinctrl-rzv2m b6250000.pinctrl: pin P8_2 already requested by 85000000.mmc; cannot claim for 85020000.mmc - pinctrl-rzv2m b6250000.pinctrl: pin-130 (85020000.mmc) status -22 - renesas_sdhi_internal_dmac 85020000.mmc: Error applying setting, reverse things back - -Fix this by constructing unique names from the node names of both the -pin control configuration node and its child node, where appropriate. - -Reported by: Fabrizio Castro - -Fixes: 92a9b825257614af ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") -Signed-off-by: Geert Uytterhoeven -Tested-by: Fabrizio Castro -Link: https://lore.kernel.org/r/607bd6ab4905b0b1b119a06ef953fa1184505777.1688396717.git.geert+renesas@glider.be -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/renesas/pinctrl-rzv2m.c | 28 ++++++++++++++++++------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c -index e8c18198bebd2..35f382b055e83 100644 ---- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c -+++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c -@@ -207,6 +207,7 @@ static int rzv2m_map_add_config(struct pinctrl_map *map, - - static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct device_node *np, -+ struct device_node *parent, - struct pinctrl_map **map, - unsigned int *num_maps, - unsigned int *index) -@@ -224,6 +225,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct property *prop; - int ret, gsel, fsel; - const char **pin_fn; -+ const char *name; - const char *pin; - - pinmux = of_find_property(np, "pinmux", NULL); -@@ -307,8 +309,19 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - psel_val[i] = MUX_FUNC(value); - } - -+ if (parent) { -+ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", -+ parent, np); -+ if (!name) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ } else { -+ name = np->name; -+ } -+ - /* Register a single pin group listing all the pins we read from DT */ -- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); -+ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); - if (gsel < 0) { - ret = gsel; - goto done; -@@ -318,17 +331,16 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - * Register a single group function where the 'data' is an array PSEL - * register values read from DT. - */ -- pin_fn[0] = np->name; -- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, -- psel_val); -+ pin_fn[0] = name; -+ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); - if (fsel < 0) { - ret = fsel; - goto remove_group; - } - - maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; -- maps[idx].data.mux.group = np->name; -- maps[idx].data.mux.function = np->name; -+ maps[idx].data.mux.group = name; -+ maps[idx].data.mux.function = name; - idx++; - - dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); -@@ -375,7 +387,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, - index = 0; - - for_each_child_of_node(np, child) { -- ret = rzv2m_dt_subnode_to_map(pctldev, child, map, -+ ret = rzv2m_dt_subnode_to_map(pctldev, child, np, map, - num_maps, &index); - if (ret < 0) { - of_node_put(child); -@@ -384,7 +396,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, - } - - if (*num_maps == 0) { -- ret = rzv2m_dt_subnode_to_map(pctldev, np, map, -+ ret = rzv2m_dt_subnode_to_map(pctldev, np, NULL, map, - num_maps, &index); - if (ret < 0) - goto done; --- -2.39.2 - diff --git a/queue-6.1/quota-fix-warning-in-dqgrab.patch b/queue-6.1/quota-fix-warning-in-dqgrab.patch deleted file mode 100644 index b0a2273830e..00000000000 --- a/queue-6.1/quota-fix-warning-in-dqgrab.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 1da38321c1da0aea4122e574000e2a97ee3d2378 Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Mon, 5 Jun 2023 22:07:31 +0800 -Subject: [PATCH AUTOSEL 4.19 04/11] quota: fix warning in dqgrab() -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] - -There's issue as follows when do fault injection: -WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 -Modules linked in: -CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 -RIP: 0010:dquot_disable+0x13b7/0x18c0 -RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 -RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 -RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 -RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 -R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 -R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 -FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - dquot_load_quota_sb+0xd53/0x1060 - dquot_resume+0x172/0x230 - ext4_reconfigure+0x1dc6/0x27b0 - reconfigure_super+0x515/0xa90 - __x64_sys_fsconfig+0xb19/0xd20 - do_syscall_64+0x39/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Above issue may happens as follows: -ProcessA ProcessB ProcessC -sys_fsconfig - vfs_fsconfig_locked - reconfigure_super - ext4_remount - dquot_suspend -> suspend all type quota - - sys_fsconfig - vfs_fsconfig_locked - reconfigure_super - ext4_remount - dquot_resume - ret = dquot_load_quota_sb - add_dquot_ref - do_open -> open file O_RDWR - vfs_open - do_dentry_open - get_write_access - atomic_inc_unless_negative(&inode->i_writecount) - ext4_file_open - dquot_file_open - dquot_initialize - __dquot_initialize - dqget - atomic_inc(&dquot->dq_count); - - __dquot_initialize - __dquot_initialize - dqget - if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) - ext4_acquire_dquot - -> Return error DQ_ACTIVE_B flag isn't set - dquot_disable - invalidate_dquots - if (atomic_read(&dquot->dq_count)) - dqgrab - WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) - -> Trigger warning - -In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when -dqgrab(). -To solve above issue just replace the dqgrab() use in invalidate_dquots() with -atomic_inc(&dquot->dq_count). - -Signed-off-by: Ye Bin -Signed-off-by: Jan Kara -Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> -Signed-off-by: Sasha Levin ---- - fs/quota/dquot.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -555,7 +555,7 @@ restart: - continue; - /* Wait for dquot users */ - if (atomic_read(&dquot->dq_count)) { -- dqgrab(dquot); -+ atomic_inc(&dquot->dq_count); - spin_unlock(&dq_list_lock); - /* - * Once dqput() wakes us up, we know it's time to free diff --git a/queue-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/queue-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch deleted file mode 100644 index 1bd0a1ec80a..00000000000 --- a/queue-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 3e9e30aa708b3b8cb0485725964206a7b72d1f9b Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 5 Jun 2023 22:07:30 +0800 -Subject: [PATCH AUTOSEL 4.19 03/11] quota: Properly disable quotas when - add_dquot_ref() fails -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ] - -When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want -to disable quotas we are trying to enable. However dquot_disable() call -was passed just the flags we are enabling so in case flags == -DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL -instead of properly disabling quotas. Fix the problem by always passing -DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this -case. - -Reported-and-tested-by: Ye Bin -Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com -Signed-off-by: Jan Kara -Message-Id: <20230605140731.2427629-2-yebin10@huawei.com> -Signed-off-by: Sasha Levin ---- - fs/quota/dquot.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -2420,7 +2420,8 @@ int dquot_load_quota_sb(struct super_blo - - error = add_dquot_ref(sb, type); - if (error) -- dquot_disable(sb, type, flags); -+ dquot_disable(sb, type, -+ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); - - return error; - out_fmt: diff --git a/queue-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch b/queue-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch deleted file mode 100644 index 7735a7471ff..00000000000 --- a/queue-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 4d3360fe4eb403c4add5725291d2c102bad4db73 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Apr 2023 16:05:38 -0700 -Subject: rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp - -From: Paul E. McKenney - -[ Upstream commit 9146eb25495ea8bfb5010192e61e3ed5805ce9ef ] - -The per-CPU rcu_data structure's ->cpu_no_qs.b.exp field is updated -only on the instance corresponding to the current CPU, but can be read -more widely. Unmarked accesses are OK from the corresponding CPU, but -only if interrupts are disabled, given that interrupt handlers can and -do modify this field. - -Unfortunately, although the load from rcu_preempt_deferred_qs() is always -carried out from the corresponding CPU, interrupts are not necessarily -disabled. This commit therefore upgrades this load to READ_ONCE. - -Similarly, the diagnostic access from synchronize_rcu_expedited_wait() -might run with interrupts disabled and from some other CPU. This commit -therefore marks this load with data_race(). - -Finally, the C-language access in rcu_preempt_ctxt_queue() is OK as -is because interrupts are disabled and this load is always from the -corresponding CPU. This commit adds a comment giving the rationale for -this access being safe. - -This data race was reported by KCSAN. Not appropriate for backporting -due to failure being unlikely. - -Signed-off-by: Paul E. McKenney -Signed-off-by: Sasha Levin ---- - kernel/rcu/tree_exp.h | 2 +- - kernel/rcu/tree_plugin.h | 4 +++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h -index e25321dbb068e..aa3ec3c3b9f75 100644 ---- a/kernel/rcu/tree_exp.h -+++ b/kernel/rcu/tree_exp.h -@@ -641,7 +641,7 @@ static void synchronize_rcu_expedited_wait(void) - "O."[!!cpu_online(cpu)], - "o."[!!(rdp->grpmask & rnp->expmaskinit)], - "N."[!!(rdp->grpmask & rnp->expmaskinitnext)], -- "D."[!!(rdp->cpu_no_qs.b.exp)]); -+ "D."[!!data_race(rdp->cpu_no_qs.b.exp)]); - } - } - pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n", -diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h -index e3142ee35fc6a..044026abfdd7f 100644 ---- a/kernel/rcu/tree_plugin.h -+++ b/kernel/rcu/tree_plugin.h -@@ -257,6 +257,8 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp) - * GP should not be able to end until we report, so there should be - * no need to check for a subsequent expedited GP. (Though we are - * still in a quiescent state in any case.) -+ * -+ * Interrupts are disabled, so ->cpu_no_qs.b.exp cannot change. - */ - if (blkd_state & RCU_EXP_BLKD && rdp->cpu_no_qs.b.exp) - rcu_report_exp_rdp(rdp); -@@ -941,7 +943,7 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t) - { - struct rcu_data *rdp = this_cpu_ptr(&rcu_data); - -- if (rdp->cpu_no_qs.b.exp) -+ if (READ_ONCE(rdp->cpu_no_qs.b.exp)) - rcu_report_exp_rdp(rdp); - } - --- -2.39.2 - diff --git a/queue-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch b/queue-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch deleted file mode 100644 index a6c062917c4..00000000000 --- a/queue-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch +++ /dev/null @@ -1,91 +0,0 @@ -From aef95e1bb3b2e697dd8a92a4b03466862cd224fd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Aug 2022 01:22:05 +0900 -Subject: rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic() - -From: Shigeru Yoshida - -[ Upstream commit 5fc8cbe4cf0fd34ded8045c385790c3bf04f6785 ] - -pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because -pr_info() calls printk() that might sleep, this will result in BUG -like below: - -[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues. -[ 0.206463] -[ 0.206464] ============================= -[ 0.206464] [ BUG: Invalid wait context ] -[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted -[ 0.206466] ----------------------------- -[ 0.206466] swapper/0/1 is trying to lock: -[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0 -[ 0.206473] other info that might help us debug this: -[ 0.206473] context-{5:5} -[ 0.206474] 3 locks held by swapper/0/1: -[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0 -[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e -[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330 -[ 0.206485] stack backtrace: -[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5 -[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 -[ 0.206489] Call Trace: -[ 0.206490] -[ 0.206491] dump_stack_lvl+0x6a/0x9f -[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe -[ 0.206496] ? stack_trace_save+0x46/0x70 -[ 0.206497] lock_acquire+0xd1/0x2f0 -[ 0.206499] ? serial8250_console_write+0x327/0x4a0 -[ 0.206500] ? __lock_acquire+0x5c7/0x2720 -[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90 -[ 0.206504] ? serial8250_console_write+0x327/0x4a0 -[ 0.206506] serial8250_console_write+0x327/0x4a0 -[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330 -[ 0.206511] console_unlock+0xf7/0x1f0 -[ 0.206512] vprintk_emit+0xf7/0x330 -[ 0.206514] _printk+0x63/0x7e -[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32 -[ 0.206518] rcu_init_tasks_generic+0x5/0xd9 -[ 0.206522] kernel_init_freeable+0x15b/0x2a2 -[ 0.206523] ? rest_init+0x160/0x160 -[ 0.206526] kernel_init+0x11/0x120 -[ 0.206527] ret_from_fork+0x1f/0x30 -[ 0.206530] -[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1. - -This patch moves pr_info() so that it is called without -rtp->cbs_gbl_lock locked. - -Signed-off-by: Shigeru Yoshida -Tested-by: "Zhang, Qiang1" -Signed-off-by: Paul E. McKenney -Signed-off-by: Sasha Levin ---- - kernel/rcu/tasks.h | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h -index df968321feada..c1f18c63b9b14 100644 ---- a/kernel/rcu/tasks.h -+++ b/kernel/rcu/tasks.h -@@ -233,7 +233,6 @@ static void cblist_init_generic(struct rcu_tasks *rtp) - if (rcu_task_enqueue_lim < 0) { - rcu_task_enqueue_lim = 1; - rcu_task_cb_adjust = true; -- pr_info("%s: Setting adjustable number of callback queues.\n", __func__); - } else if (rcu_task_enqueue_lim == 0) { - rcu_task_enqueue_lim = 1; - } -@@ -264,6 +263,10 @@ static void cblist_init_generic(struct rcu_tasks *rtp) - raw_spin_unlock_rcu_node(rtpcp); // irqs remain disabled. - } - raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags); -+ -+ if (rcu_task_cb_adjust) -+ pr_info("%s: Setting adjustable number of callback queues.\n", __func__); -+ - pr_info("%s: Setting shift to %d and lim to %d.\n", __func__, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim)); - } - --- -2.39.2 - diff --git a/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch deleted file mode 100644 index b920fc52b6d..00000000000 --- a/queue-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Wed, 12 Jul 2023 12:16:40 +0100 -Subject: regmap: Account for register length in SMBus I/O limits - -From: Mark Brown - -commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. - -The SMBus I2C buses have limits on the size of transfers they can do but -do not factor in the register length meaning we may try to do a transfer -longer than our length limit, the core will not take care of this. -Future changes will factor this out into the core but there are a number -of users that assume current behaviour so let's just do something -conservative here. - -This does not take account padding bits but practically speaking these -are very rarely if ever used on I2C buses given that they generally run -slowly enough to mean there's no issue. - -Cc: stable@kernel.org -Signed-off-by: Mark Brown -Reviewed-by: Xu Yilun -Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/regmap/regmap-i2c.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/drivers/base/regmap/regmap-i2c.c -+++ b/drivers/base/regmap/regmap-i2c.c -@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi - static const struct regmap_bus regmap_i2c_smbus_i2c_block = { - .write = regmap_i2c_smbus_i2c_write, - .read = regmap_i2c_smbus_i2c_read, -- .max_raw_read = I2C_SMBUS_BLOCK_MAX, -- .max_raw_write = I2C_SMBUS_BLOCK_MAX, -+ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, -+ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, - }; - - static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, -@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg - static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { - .write = regmap_i2c_smbus_i2c_write_reg16, - .read = regmap_i2c_smbus_i2c_read_reg16, -- .max_raw_read = I2C_SMBUS_BLOCK_MAX, -- .max_raw_write = I2C_SMBUS_BLOCK_MAX, -+ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, -+ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, - }; - - static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch deleted file mode 100644 index c84dadbe2f9..00000000000 --- a/queue-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch +++ /dev/null @@ -1,64 +0,0 @@ -From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Wed, 12 Jul 2023 12:16:39 +0100 -Subject: regmap: Drop initial version of maximum transfer length fixes - -From: Mark Brown - -commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. - -When problems were noticed with the register address not being taken -into account when limiting raw transfers with I2C devices we fixed this -in the core. Unfortunately it has subsequently been realised that a lot -of buses were relying on the prior behaviour, partly due to unclear -documentation not making it obvious what was intended in the core. This -is all more involved to fix than is sensible for a fix commit so let's -just drop the original fixes, a separate commit will fix the originally -observed problem in an I2C specific way - -Fixes: 3981514180c9 ("regmap: Account for register length when chunking") -Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") -Signed-off-by: Mark Brown -Reviewed-by: Xu Yilun -Cc: stable@kernel.org -Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/regmap/regmap-spi-avmm.c | 2 +- - drivers/base/regmap/regmap.c | 6 ++---- - 2 files changed, 3 insertions(+), 5 deletions(-) - ---- a/drivers/base/regmap/regmap-spi-avmm.c -+++ b/drivers/base/regmap/regmap-spi-avmm.c -@@ -660,7 +660,7 @@ static const struct regmap_bus regmap_sp - .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, - .val_format_endian_default = REGMAP_ENDIAN_NATIVE, - .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, -- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, -+ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, - .free_context = spi_avmm_bridge_ctx_free, - }; - ---- a/drivers/base/regmap/regmap.c -+++ b/drivers/base/regmap/regmap.c -@@ -2064,8 +2064,6 @@ int _regmap_raw_write(struct regmap *map - size_t val_count = val_len / val_bytes; - size_t chunk_count, chunk_bytes; - size_t chunk_regs = val_count; -- size_t max_data = map->max_raw_write - map->format.reg_bytes - -- map->format.pad_bytes; - int ret, i; - - if (!val_count) -@@ -2073,8 +2071,8 @@ int _regmap_raw_write(struct regmap *map - - if (map->use_single_write) - chunk_regs = 1; -- else if (map->max_raw_write && val_len > max_data) -- chunk_regs = max_data / val_bytes; -+ else if (map->max_raw_write && val_len > map->max_raw_write) -+ chunk_regs = map->max_raw_write / val_bytes; - - chunk_count = val_count / chunk_regs; - chunk_bytes = chunk_regs * val_bytes; diff --git a/queue-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch deleted file mode 100644 index 8812a74d9c6..00000000000 --- a/queue-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 242c82c4047048b1d67da8284935b57fc6abaa12 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:59:18 -0700 -Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash - table" - -From: Kuniyuki Iwashima - -[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] - -This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. - -Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in -ehash table") reversed the order in how a socket is inserted into ehash -to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are -swapped. However, it introduced another lookup failure. - -The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU -and does not have SOCK_RCU_FREE, so the socket could be reused even while -it is being referenced on another CPU doing RCU lookup. - -Let's say a socket is reused and inserted into the same hash bucket during -lookup. After the blamed commit, a new socket is inserted at the end of -the list. If that happens, we will skip sockets placed after the previous -position of the reused socket, resulting in ehash lookup failure. - -As described in Documentation/RCU/rculist_nulls.rst, we should insert a -new socket at the head of the list to avoid such an issue. - -This issue, the swap-lookup-failure, and another variant reported in [0] -can all be handled properly by adding a locked ehash lookup suggested by -Eric Dumazet [1]. - -However, this issue could occur for every packet, thus more likely than -the other two races, so let's revert the change for now. - -Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] -Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] -Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") -Signed-off-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/inet_hashtables.c | 17 ++--------------- - net/ipv4/inet_timewait_sock.c | 8 ++++---- - 2 files changed, 6 insertions(+), 19 deletions(-) - -diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c -index e8734ffca85a8..c19b462662ad0 100644 ---- a/net/ipv4/inet_hashtables.c -+++ b/net/ipv4/inet_hashtables.c -@@ -650,20 +650,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - spin_lock(lock); - if (osk) { - WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); -- ret = sk_hashed(osk); -- if (ret) { -- /* Before deleting the node, we insert a new one to make -- * sure that the look-up-sk process would not miss either -- * of them and that at least one node would exist in ehash -- * table all the time. Otherwise there's a tiny chance -- * that lookup process could find nothing in ehash table. -- */ -- __sk_nulls_add_node_tail_rcu(sk, list); -- sk_nulls_del_node_init_rcu(osk); -- } -- goto unlock; -- } -- if (found_dup_sk) { -+ ret = sk_nulls_del_node_init_rcu(osk); -+ } else if (found_dup_sk) { - *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); - if (*found_dup_sk) - ret = false; -@@ -672,7 +660,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - if (ret) - __sk_nulls_add_node_rcu(sk, list); - --unlock: - spin_unlock(lock); - - return ret; -diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c -index beed32fff4841..1d77d992e6e77 100644 ---- a/net/ipv4/inet_timewait_sock.c -+++ b/net/ipv4/inet_timewait_sock.c -@@ -91,10 +91,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) - } - EXPORT_SYMBOL_GPL(inet_twsk_put); - --static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, -- struct hlist_nulls_head *list) -+static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, -+ struct hlist_nulls_head *list) - { -- hlist_nulls_add_tail_rcu(&tw->tw_node, list); -+ hlist_nulls_add_head_rcu(&tw->tw_node, list); - } - - static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, -@@ -147,7 +147,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, - - spin_lock(lock); - -- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); -+ inet_twsk_add_node_rcu(tw, &ehead->chain); - - /* Step 3: Remove SK from hash chain */ - if (__sk_nulls_del_node_init_rcu(sk)) --- -2.39.2 - diff --git a/queue-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch deleted file mode 100644 index 7ea3c58721b..00000000000 --- a/queue-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 8455627afba0715ac09ca4e31fd0ca55986494f2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 16:25:07 +0800 -Subject: sched/fair: Don't balance task to its current running CPU - -From: Yicong Yang - -[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] - -We've run into the case that the balancer tries to balance a migration -disabled task and trigger the warning in set_task_cpu() like below: - - ------------[ cut here ]------------ - WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 - Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> - CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 - Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 - pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : set_task_cpu+0x188/0x240 - lr : load_balance+0x5d0/0xc60 - sp : ffff80000803bc70 - x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 - x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 - x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 - x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 - x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 - x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 - x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e - x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a - x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 - Call trace: - set_task_cpu+0x188/0x240 - load_balance+0x5d0/0xc60 - rebalance_domains+0x26c/0x380 - _nohz_idle_balance.isra.0+0x1e0/0x370 - run_rebalance_domains+0x6c/0x80 - __do_softirq+0x128/0x3d8 - ____do_softirq+0x18/0x24 - call_on_irq_stack+0x2c/0x38 - do_softirq_own_stack+0x24/0x3c - __irq_exit_rcu+0xcc/0xf4 - irq_exit_rcu+0x18/0x24 - el1_interrupt+0x4c/0xe4 - el1h_64_irq_handler+0x18/0x2c - el1h_64_irq+0x74/0x78 - arch_cpu_idle+0x18/0x4c - default_idle_call+0x58/0x194 - do_idle+0x244/0x2b0 - cpu_startup_entry+0x30/0x3c - secondary_start_kernel+0x14c/0x190 - __secondary_switched+0xb0/0xb4 - ---[ end trace 0000000000000000 ]--- - -Further investigation shows that the warning is superfluous, the migration -disabled task is just going to be migrated to its current running CPU. -This is because that on load balance if the dst_cpu is not allowed by the -task, we'll re-select a new_dst_cpu as a candidate. If no task can be -balanced to dst_cpu we'll try to balance the task to the new_dst_cpu -instead. In this case when the migration disabled task is not on CPU it -only allows to run on its current CPU, load balance will select its -current CPU as new_dst_cpu and later triggers the warning above. - -The new_dst_cpu is chosen from the env->dst_grpmask. Currently it -contains CPUs in sched_group_span() and if we have overlapped groups it's -possible to run into this case. This patch makes env->dst_grpmask of -group_balance_mask() which exclude any CPUs from the busiest group and -solve the issue. For balancing in a domain with no overlapped groups -the behaviour keeps same as before. - -Suggested-by: Vincent Guittot -Signed-off-by: Yicong Yang -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: Vincent Guittot -Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com -Signed-off-by: Sasha Levin ---- - kernel/sched/fair.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index fa33c441ae867..57d39de0962d7 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -10556,7 +10556,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, - .sd = sd, - .dst_cpu = this_cpu, - .dst_rq = this_rq, -- .dst_grpmask = sched_group_span(sd->groups), -+ .dst_grpmask = group_balance_mask(sd->groups), - .idle = idle, - .loop_break = SCHED_NR_MIGRATE_BREAK, - .cpus = cpus, --- -2.39.2 - diff --git a/queue-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch b/queue-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch deleted file mode 100644 index 9b8cfc75250..00000000000 --- a/queue-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 87c0b2894b5bff97a3b231e21a5467e96e6ba324 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 16:07:47 +0800 -Subject: sched/fair: Use recent_used_cpu to test p->cpus_ptr - -From: Miaohe Lin - -[ Upstream commit ae2ad293d6be143ad223f5f947cca07bcbe42595 ] - -When checking whether a recently used CPU can be a potential idle -candidate, recent_used_cpu should be used to test p->cpus_ptr as -p->recent_used_cpu is not equal to recent_used_cpu and candidate -decision is made based on recent_used_cpu here. - -Fixes: 89aafd67f28c ("sched/fair: Use prev instead of new target as recent_used_cpu") -Signed-off-by: Miaohe Lin -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: Phil Auld -Acked-by: Mel Gorman -Link: https://lore.kernel.org/r/20230620080747.359122-1-linmiaohe@huawei.com -Signed-off-by: Sasha Levin ---- - kernel/sched/fair.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 57d39de0962d7..5e5aea2360a87 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -6935,7 +6935,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) - recent_used_cpu != target && - cpus_share_cache(recent_used_cpu, target) && - (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) && -- cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) && -+ cpumask_test_cpu(recent_used_cpu, p->cpus_ptr) && - asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) { - return recent_used_cpu; - } --- -2.39.2 - diff --git a/queue-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch b/queue-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch deleted file mode 100644 index 71bccffd238..00000000000 --- a/queue-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch +++ /dev/null @@ -1,434 +0,0 @@ -From 24ad138c2ace2a7a5bc0ceccb0055be994ccc3ad Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 30 Mar 2023 12:54:18 +0200 -Subject: sched/psi: Allow unprivileged polling of N*2s period - -From: Domenico Cerasuolo - -[ Upstream commit d82caa273565b45fcf103148950549af76c314b0 ] - -PSI offers 2 mechanisms to get information about a specific resource -pressure. One is reading from /proc/pressure/, which gives -average pressures aggregated every 2s. The other is creating a pollable -fd for a specific resource and cgroup. - -The trigger creation requires CAP_SYS_RESOURCE, and gives the -possibility to pick specific time window and threshold, spawing an RT -thread to aggregate the data. - -Systemd would like to provide containers the option to monitor pressure -on their own cgroup and sub-cgroups. For example, if systemd launches a -container that itself then launches services, the container should have -the ability to poll() for pressure in individual services. But neither -the container nor the services are privileged. - -This patch implements a mechanism to allow unprivileged users to create -pressure triggers. The difference with privileged triggers creation is -that unprivileged ones must have a time window that's a multiple of 2s. -This is so that we can avoid unrestricted spawning of rt threads, and -use instead the same aggregation mechanism done for the averages, which -runs independently of any triggers. - -Suggested-by: Johannes Weiner -Signed-off-by: Domenico Cerasuolo -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Johannes Weiner -Link: https://lore.kernel.org/r/20230330105418.77061-5-cerasuolodomenico@gmail.com -Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") -Signed-off-by: Sasha Levin ---- - Documentation/accounting/psi.rst | 4 + - include/linux/psi.h | 2 +- - include/linux/psi_types.h | 7 ++ - kernel/cgroup/cgroup.c | 2 +- - kernel/sched/psi.c | 175 +++++++++++++++++++------------ - 5 files changed, 121 insertions(+), 69 deletions(-) - -diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst -index 5e40b3f437f90..df6062eb3abbc 100644 ---- a/Documentation/accounting/psi.rst -+++ b/Documentation/accounting/psi.rst -@@ -105,6 +105,10 @@ prevent overly frequent polling. Max limit is chosen as a high enough number - after which monitors are most likely not needed and psi averages can be used - instead. - -+Unprivileged users can also create monitors, with the only limitation that the -+window size must be a multiple of 2s, in order to prevent excessive resource -+usage. -+ - When activated, psi monitor stays active for at least the duration of one - tracking window to avoid repeated activations/deactivations when system is - bouncing in and out of the stall state. -diff --git a/include/linux/psi.h b/include/linux/psi.h -index b029a847def1e..ab26200c28033 100644 ---- a/include/linux/psi.h -+++ b/include/linux/psi.h -@@ -24,7 +24,7 @@ void psi_memstall_leave(unsigned long *flags); - - int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); - struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res); -+ char *buf, enum psi_res res, struct file *file); - void psi_trigger_destroy(struct psi_trigger *t); - - __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, -diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h -index 1819afa8b1987..040c089581c6c 100644 ---- a/include/linux/psi_types.h -+++ b/include/linux/psi_types.h -@@ -151,6 +151,9 @@ struct psi_trigger { - - /* Deferred event(s) from previous ratelimit window */ - bool pending_event; -+ -+ /* Trigger type - PSI_AVGS for unprivileged, PSI_POLL for RT */ -+ enum psi_aggregators aggregator; - }; - - struct psi_group { -@@ -171,6 +174,10 @@ struct psi_group { - /* Aggregator work control */ - struct delayed_work avgs_work; - -+ /* Unprivileged triggers against N*PSI_FREQ windows */ -+ struct list_head avg_triggers; -+ u32 avg_nr_triggers[NR_PSI_STATES - 1]; -+ - /* Total stall times and sampled pressure averages */ - u64 total[NR_PSI_AGGREGATORS][NR_PSI_STATES - 1]; - unsigned long avg[NR_PSI_STATES - 1][3]; -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 2380c4daef33d..c35efae566a4b 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3771,7 +3771,7 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, - } - - psi = cgroup_psi(cgrp); -- new = psi_trigger_create(psi, buf, res); -+ new = psi_trigger_create(psi, buf, res, of->file); - if (IS_ERR(new)) { - cgroup_put(cgrp); - return PTR_ERR(new); -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index f3df6a8ff493c..e072f6b31bf30 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -186,9 +186,14 @@ static void group_init(struct psi_group *group) - seqcount_init(&per_cpu_ptr(group->pcpu, cpu)->seq); - group->avg_last_update = sched_clock(); - group->avg_next_update = group->avg_last_update + psi_period; -- INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); - mutex_init(&group->avgs_lock); -- /* Init trigger-related members */ -+ -+ /* Init avg trigger-related members */ -+ INIT_LIST_HEAD(&group->avg_triggers); -+ memset(group->avg_nr_triggers, 0, sizeof(group->avg_nr_triggers)); -+ INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); -+ -+ /* Init rtpoll trigger-related members */ - atomic_set(&group->rtpoll_scheduled, 0); - mutex_init(&group->rtpoll_trigger_lock); - INIT_LIST_HEAD(&group->rtpoll_triggers); -@@ -430,21 +435,32 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) - return growth; - } - --static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total) -+static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, -+ enum psi_aggregators aggregator) - { - struct psi_trigger *t; -- u64 *total = group->total[PSI_POLL]; -+ u64 *total = group->total[aggregator]; -+ struct list_head *triggers; -+ u64 *aggregator_total; - *update_total = false; - -+ if (aggregator == PSI_AVGS) { -+ triggers = &group->avg_triggers; -+ aggregator_total = group->avg_total; -+ } else { -+ triggers = &group->rtpoll_triggers; -+ aggregator_total = group->rtpoll_total; -+ } -+ - /* - * On subsequent updates, calculate growth deltas and let - * watchers know when their specified thresholds are exceeded. - */ -- list_for_each_entry(t, &group->rtpoll_triggers, node) { -+ list_for_each_entry(t, triggers, node) { - u64 growth; - bool new_stall; - -- new_stall = group->rtpoll_total[t->state] != total[t->state]; -+ new_stall = aggregator_total[t->state] != total[t->state]; - - /* Check for stall activity or a previous threshold breach */ - if (!new_stall && !t->pending_event) -@@ -546,6 +562,7 @@ static void psi_avgs_work(struct work_struct *work) - struct delayed_work *dwork; - struct psi_group *group; - u32 changed_states; -+ bool update_total; - u64 now; - - dwork = to_delayed_work(work); -@@ -563,8 +580,10 @@ static void psi_avgs_work(struct work_struct *work) - * Once restarted, we'll catch up the running averages in one - * go - see calc_avgs() and missed_periods. - */ -- if (now >= group->avg_next_update) -+ if (now >= group->avg_next_update) { -+ update_triggers(group, now, &update_total, PSI_AVGS); - group->avg_next_update = update_averages(group, now); -+ } - - if (changed_states & PSI_STATE_RESCHEDULE) { - schedule_delayed_work(dwork, nsecs_to_jiffies( -@@ -574,7 +593,7 @@ static void psi_avgs_work(struct work_struct *work) - mutex_unlock(&group->avgs_lock); - } - --static void init_triggers(struct psi_group *group, u64 now) -+static void init_rtpoll_triggers(struct psi_group *group, u64 now) - { - struct psi_trigger *t; - -@@ -667,7 +686,7 @@ static void psi_rtpoll_work(struct psi_group *group) - if (changed_states & group->rtpoll_states) { - /* Initialize trigger windows when entering polling mode */ - if (now > group->rtpoll_until) -- init_triggers(group, now); -+ init_rtpoll_triggers(group, now); - - /* - * Keep the monitor active for at least the duration of the -@@ -684,7 +703,7 @@ static void psi_rtpoll_work(struct psi_group *group) - } - - if (now >= group->rtpoll_next_update) { -- group->rtpoll_next_update = update_triggers(group, now, &update_total); -+ group->rtpoll_next_update = update_triggers(group, now, &update_total, PSI_POLL); - if (update_total) - memcpy(group->rtpoll_total, group->total[PSI_POLL], - sizeof(group->rtpoll_total)); -@@ -1254,16 +1273,23 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) - } - - struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res) -+ char *buf, enum psi_res res, struct file *file) - { - struct psi_trigger *t; - enum psi_states state; - u32 threshold_us; -+ bool privileged; - u32 window_us; - - if (static_branch_likely(&psi_disabled)) - return ERR_PTR(-EOPNOTSUPP); - -+ /* -+ * Checking the privilege here on file->f_cred implies that a privileged user -+ * could open the file and delegate the write to an unprivileged one. -+ */ -+ privileged = cap_raised(file->f_cred->cap_effective, CAP_SYS_RESOURCE); -+ - if (sscanf(buf, "some %u %u", &threshold_us, &window_us) == 2) - state = PSI_IO_SOME + res * 2; - else if (sscanf(buf, "full %u %u", &threshold_us, &window_us) == 2) -@@ -1283,6 +1309,13 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, - window_us > WINDOW_MAX_US) - return ERR_PTR(-EINVAL); - -+ /* -+ * Unprivileged users can only use 2s windows so that averages aggregation -+ * work is used, and no RT threads need to be spawned. -+ */ -+ if (!privileged && window_us % 2000000) -+ return ERR_PTR(-EINVAL); -+ - /* Check threshold */ - if (threshold_us == 0 || threshold_us > window_us) - return ERR_PTR(-EINVAL); -@@ -1302,31 +1335,40 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, - t->last_event_time = 0; - init_waitqueue_head(&t->event_wait); - t->pending_event = false; -+ t->aggregator = privileged ? PSI_POLL : PSI_AVGS; - -- mutex_lock(&group->rtpoll_trigger_lock); -+ if (privileged) { -+ mutex_lock(&group->rtpoll_trigger_lock); - -- if (!rcu_access_pointer(group->rtpoll_task)) { -- struct task_struct *task; -+ if (!rcu_access_pointer(group->rtpoll_task)) { -+ struct task_struct *task; - -- task = kthread_create(psi_rtpoll_worker, group, "psimon"); -- if (IS_ERR(task)) { -- kfree(t); -- mutex_unlock(&group->rtpoll_trigger_lock); -- return ERR_CAST(task); -+ task = kthread_create(psi_rtpoll_worker, group, "psimon"); -+ if (IS_ERR(task)) { -+ kfree(t); -+ mutex_unlock(&group->rtpoll_trigger_lock); -+ return ERR_CAST(task); -+ } -+ atomic_set(&group->rtpoll_wakeup, 0); -+ wake_up_process(task); -+ rcu_assign_pointer(group->rtpoll_task, task); - } -- atomic_set(&group->rtpoll_wakeup, 0); -- wake_up_process(task); -- rcu_assign_pointer(group->rtpoll_task, task); -- } - -- list_add(&t->node, &group->rtpoll_triggers); -- group->rtpoll_min_period = min(group->rtpoll_min_period, -- div_u64(t->win.size, UPDATES_PER_WINDOW)); -- group->rtpoll_nr_triggers[t->state]++; -- group->rtpoll_states |= (1 << t->state); -+ list_add(&t->node, &group->rtpoll_triggers); -+ group->rtpoll_min_period = min(group->rtpoll_min_period, -+ div_u64(t->win.size, UPDATES_PER_WINDOW)); -+ group->rtpoll_nr_triggers[t->state]++; -+ group->rtpoll_states |= (1 << t->state); - -- mutex_unlock(&group->rtpoll_trigger_lock); -+ mutex_unlock(&group->rtpoll_trigger_lock); -+ } else { -+ mutex_lock(&group->avgs_lock); -+ -+ list_add(&t->node, &group->avg_triggers); -+ group->avg_nr_triggers[t->state]++; - -+ mutex_unlock(&group->avgs_lock); -+ } - return t; - } - -@@ -1350,34 +1392,41 @@ void psi_trigger_destroy(struct psi_trigger *t) - */ - wake_up_pollfree(&t->event_wait); - -- mutex_lock(&group->rtpoll_trigger_lock); -- -- if (!list_empty(&t->node)) { -- struct psi_trigger *tmp; -- u64 period = ULLONG_MAX; -- -- list_del(&t->node); -- group->rtpoll_nr_triggers[t->state]--; -- if (!group->rtpoll_nr_triggers[t->state]) -- group->rtpoll_states &= ~(1 << t->state); -- /* reset min update period for the remaining triggers */ -- list_for_each_entry(tmp, &group->rtpoll_triggers, node) -- period = min(period, div_u64(tmp->win.size, -- UPDATES_PER_WINDOW)); -- group->rtpoll_min_period = period; -- /* Destroy rtpoll_task when the last trigger is destroyed */ -- if (group->rtpoll_states == 0) { -- group->rtpoll_until = 0; -- task_to_destroy = rcu_dereference_protected( -- group->rtpoll_task, -- lockdep_is_held(&group->rtpoll_trigger_lock)); -- rcu_assign_pointer(group->rtpoll_task, NULL); -- del_timer(&group->rtpoll_timer); -+ if (t->aggregator == PSI_AVGS) { -+ mutex_lock(&group->avgs_lock); -+ if (!list_empty(&t->node)) { -+ list_del(&t->node); -+ group->avg_nr_triggers[t->state]--; - } -+ mutex_unlock(&group->avgs_lock); -+ } else { -+ mutex_lock(&group->rtpoll_trigger_lock); -+ if (!list_empty(&t->node)) { -+ struct psi_trigger *tmp; -+ u64 period = ULLONG_MAX; -+ -+ list_del(&t->node); -+ group->rtpoll_nr_triggers[t->state]--; -+ if (!group->rtpoll_nr_triggers[t->state]) -+ group->rtpoll_states &= ~(1 << t->state); -+ /* reset min update period for the remaining triggers */ -+ list_for_each_entry(tmp, &group->rtpoll_triggers, node) -+ period = min(period, div_u64(tmp->win.size, -+ UPDATES_PER_WINDOW)); -+ group->rtpoll_min_period = period; -+ /* Destroy rtpoll_task when the last trigger is destroyed */ -+ if (group->rtpoll_states == 0) { -+ group->rtpoll_until = 0; -+ task_to_destroy = rcu_dereference_protected( -+ group->rtpoll_task, -+ lockdep_is_held(&group->rtpoll_trigger_lock)); -+ rcu_assign_pointer(group->rtpoll_task, NULL); -+ del_timer(&group->rtpoll_timer); -+ } -+ } -+ mutex_unlock(&group->rtpoll_trigger_lock); - } - -- mutex_unlock(&group->rtpoll_trigger_lock); -- - /* - * Wait for psi_schedule_rtpoll_work RCU to complete its read-side - * critical section before destroying the trigger and optionally the -@@ -1437,27 +1486,19 @@ static int psi_cpu_show(struct seq_file *m, void *v) - return psi_show(m, &psi_system, PSI_CPU); - } - --static int psi_open(struct file *file, int (*psi_show)(struct seq_file *, void *)) --{ -- if (file->f_mode & FMODE_WRITE && !capable(CAP_SYS_RESOURCE)) -- return -EPERM; -- -- return single_open(file, psi_show, NULL); --} -- - static int psi_io_open(struct inode *inode, struct file *file) - { -- return psi_open(file, psi_io_show); -+ return single_open(file, psi_io_show, NULL); - } - - static int psi_memory_open(struct inode *inode, struct file *file) - { -- return psi_open(file, psi_memory_show); -+ return single_open(file, psi_memory_show, NULL); - } - - static int psi_cpu_open(struct inode *inode, struct file *file) - { -- return psi_open(file, psi_cpu_show); -+ return single_open(file, psi_cpu_show, NULL); - } - - static ssize_t psi_write(struct file *file, const char __user *user_buf, -@@ -1491,7 +1532,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, - return -EBUSY; - } - -- new = psi_trigger_create(&psi_system, buf, res); -+ new = psi_trigger_create(&psi_system, buf, res, file); - if (IS_ERR(new)) { - mutex_unlock(&seq->lock); - return PTR_ERR(new); -@@ -1571,7 +1612,7 @@ static int psi_irq_show(struct seq_file *m, void *v) - - static int psi_irq_open(struct inode *inode, struct file *file) - { -- return psi_open(file, psi_irq_show); -+ return single_open(file, psi_irq_show, NULL); - } - - static ssize_t psi_irq_write(struct file *file, const char __user *user_buf, --- -2.39.2 - diff --git a/queue-6.1/sched-psi-extract-update_triggers-side-effect.patch b/queue-6.1/sched-psi-extract-update_triggers-side-effect.patch deleted file mode 100644 index 8244dd63ad8..00000000000 --- a/queue-6.1/sched-psi-extract-update_triggers-side-effect.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 3d78ff2fdc7f963507676dadc4a58e7433f61819 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 30 Mar 2023 12:54:17 +0200 -Subject: sched/psi: Extract update_triggers side effect - -From: Domenico Cerasuolo - -[ Upstream commit 4468fcae49f08e88fbbffe05b29496192df89991 ] - -This change moves update_total flag out of update_triggers function, -currently called only in psi_poll_work. -In the next patch, update_triggers will be called also in psi_avgs_work, -but the total update information is specific to psi_poll_work. -Returning update_total value to the caller let us avoid differentiating -the implementation of update_triggers for different aggregators. - -Suggested-by: Johannes Weiner -Signed-off-by: Domenico Cerasuolo -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Johannes Weiner -Link: https://lore.kernel.org/r/20230330105418.77061-4-cerasuolodomenico@gmail.com -Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") -Signed-off-by: Sasha Levin ---- - kernel/sched/psi.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index a3d0b5cf797ab..f3df6a8ff493c 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -430,11 +430,11 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) - return growth; - } - --static u64 update_triggers(struct psi_group *group, u64 now) -+static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total) - { - struct psi_trigger *t; -- bool update_total = false; - u64 *total = group->total[PSI_POLL]; -+ *update_total = false; - - /* - * On subsequent updates, calculate growth deltas and let -@@ -462,7 +462,7 @@ static u64 update_triggers(struct psi_group *group, u64 now) - * been through all of them. Also remember to extend the - * polling time if we see new stall activity. - */ -- update_total = true; -+ *update_total = true; - - /* Calculate growth since last update */ - growth = window_update(&t->win, now, total[t->state]); -@@ -485,10 +485,6 @@ static u64 update_triggers(struct psi_group *group, u64 now) - t->pending_event = false; - } - -- if (update_total) -- memcpy(group->rtpoll_total, total, -- sizeof(group->rtpoll_total)); -- - return now + group->rtpoll_min_period; - } - -@@ -622,6 +618,7 @@ static void psi_rtpoll_work(struct psi_group *group) - { - bool force_reschedule = false; - u32 changed_states; -+ bool update_total; - u64 now; - - mutex_lock(&group->rtpoll_trigger_lock); -@@ -686,8 +683,12 @@ static void psi_rtpoll_work(struct psi_group *group) - goto out; - } - -- if (now >= group->rtpoll_next_update) -- group->rtpoll_next_update = update_triggers(group, now); -+ if (now >= group->rtpoll_next_update) { -+ group->rtpoll_next_update = update_triggers(group, now, &update_total); -+ if (update_total) -+ memcpy(group->rtpoll_total, group->total[PSI_POLL], -+ sizeof(group->rtpoll_total)); -+ } - - psi_schedule_rtpoll_work(group, - nsecs_to_jiffies(group->rtpoll_next_update - now) + 1, --- -2.39.2 - diff --git a/queue-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch b/queue-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch deleted file mode 100644 index 811894df2de..00000000000 --- a/queue-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch +++ /dev/null @@ -1,141 +0,0 @@ -From cd6a5ae395de7987446d45c2944bc8de4a8917f7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 14 Oct 2022 19:05:51 +0800 -Subject: sched/psi: Fix avgs_work re-arm in psi_avgs_work() - -From: Chengming Zhou - -[ Upstream commit 2fcd7bbae90a6d844da8660a9d27079281dfbba2 ] - -Pavan reported a problem that PSI avgs_work idle shutoff is not -working at all. Because PSI_NONIDLE condition would be observed in -psi_avgs_work()->collect_percpu_times()->get_recent_times() even if -only the kworker running avgs_work on the CPU. - -Although commit 1b69ac6b40eb ("psi: fix aggregation idle shut-off") -avoided the ping-pong wake problem when the worker sleep, psi_avgs_work() -still will always re-arm the avgs_work, so shutoff is not working. - -This patch changes to use PSI_STATE_RESCHEDULE to flag whether to -re-arm avgs_work in get_recent_times(). For the current CPU, we re-arm -avgs_work only when (NR_RUNNING > 1 || NR_IOWAIT > 0 || NR_MEMSTALL > 0), -for other CPUs we can just check PSI_NONIDLE delta. The new flag -is only used in psi_avgs_work(), so we check in get_recent_times() -that current_work() is avgs_work. - -One potential problem is that the brief period of non-idle time -incurred between the aggregation run and the kworker's dequeue will -be stranded in the per-cpu buckets until avgs_work run next time. -The buckets can hold 4s worth of time, and future activity will wake -the avgs_work with a 2s delay, giving us 2s worth of data we can leave -behind when shut off the avgs_work. If the kworker run other works after -avgs_work shut off and doesn't have any scheduler activities for 2s, -this maybe a problem. - -Reported-by: Pavan Kondeti -Signed-off-by: Chengming Zhou -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Johannes Weiner -Acked-by: Suren Baghdasaryan -Tested-by: Chengming Zhou -Link: https://lore.kernel.org/r/20221014110551.22695-1-zhouchengming@bytedance.com -Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") -Signed-off-by: Sasha Levin ---- - include/linux/psi_types.h | 3 +++ - kernel/sched/psi.c | 30 +++++++++++++++++++++++++++--- - 2 files changed, 30 insertions(+), 3 deletions(-) - -diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h -index 14a1ebb74e11f..1e0a0d7ace3af 100644 ---- a/include/linux/psi_types.h -+++ b/include/linux/psi_types.h -@@ -72,6 +72,9 @@ enum psi_states { - /* Use one bit in the state mask to track TSK_ONCPU */ - #define PSI_ONCPU (1 << NR_PSI_STATES) - -+/* Flag whether to re-arm avgs_work, see details in get_recent_times() */ -+#define PSI_STATE_RESCHEDULE (1 << (NR_PSI_STATES + 1)) -+ - enum psi_aggregators { - PSI_AVGS = 0, - PSI_POLL, -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index e83c321461cf4..02e011cabe917 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -243,6 +243,8 @@ static void get_recent_times(struct psi_group *group, int cpu, - u32 *pchanged_states) - { - struct psi_group_cpu *groupc = per_cpu_ptr(group->pcpu, cpu); -+ int current_cpu = raw_smp_processor_id(); -+ unsigned int tasks[NR_PSI_TASK_COUNTS]; - u64 now, state_start; - enum psi_states s; - unsigned int seq; -@@ -257,6 +259,8 @@ static void get_recent_times(struct psi_group *group, int cpu, - memcpy(times, groupc->times, sizeof(groupc->times)); - state_mask = groupc->state_mask; - state_start = groupc->state_start; -+ if (cpu == current_cpu) -+ memcpy(tasks, groupc->tasks, sizeof(groupc->tasks)); - } while (read_seqcount_retry(&groupc->seq, seq)); - - /* Calculate state time deltas against the previous snapshot */ -@@ -281,6 +285,28 @@ static void get_recent_times(struct psi_group *group, int cpu, - if (delta) - *pchanged_states |= (1 << s); - } -+ -+ /* -+ * When collect_percpu_times() from the avgs_work, we don't want to -+ * re-arm avgs_work when all CPUs are IDLE. But the current CPU running -+ * this avgs_work is never IDLE, cause avgs_work can't be shut off. -+ * So for the current CPU, we need to re-arm avgs_work only when -+ * (NR_RUNNING > 1 || NR_IOWAIT > 0 || NR_MEMSTALL > 0), for other CPUs -+ * we can just check PSI_NONIDLE delta. -+ */ -+ if (current_work() == &group->avgs_work.work) { -+ bool reschedule; -+ -+ if (cpu == current_cpu) -+ reschedule = tasks[NR_RUNNING] + -+ tasks[NR_IOWAIT] + -+ tasks[NR_MEMSTALL] > 1; -+ else -+ reschedule = *pchanged_states & (1 << PSI_NONIDLE); -+ -+ if (reschedule) -+ *pchanged_states |= PSI_STATE_RESCHEDULE; -+ } - } - - static void calc_avgs(unsigned long avg[3], int missed_periods, -@@ -416,7 +442,6 @@ static void psi_avgs_work(struct work_struct *work) - struct delayed_work *dwork; - struct psi_group *group; - u32 changed_states; -- bool nonidle; - u64 now; - - dwork = to_delayed_work(work); -@@ -427,7 +452,6 @@ static void psi_avgs_work(struct work_struct *work) - now = sched_clock(); - - collect_percpu_times(group, PSI_AVGS, &changed_states); -- nonidle = changed_states & (1 << PSI_NONIDLE); - /* - * If there is task activity, periodically fold the per-cpu - * times and feed samples into the running averages. If things -@@ -438,7 +462,7 @@ static void psi_avgs_work(struct work_struct *work) - if (now >= group->avg_next_update) - group->avg_next_update = update_averages(group, now); - -- if (nonidle) { -+ if (changed_states & PSI_STATE_RESCHEDULE) { - schedule_delayed_work(dwork, nsecs_to_jiffies( - group->avg_next_update - now) + 1); - } --- -2.39.2 - diff --git a/queue-6.1/sched-psi-rearrange-polling-code-in-preparation.patch b/queue-6.1/sched-psi-rearrange-polling-code-in-preparation.patch deleted file mode 100644 index 2763aad0412..00000000000 --- a/queue-6.1/sched-psi-rearrange-polling-code-in-preparation.patch +++ /dev/null @@ -1,247 +0,0 @@ -From c64ea43f91987426ad1c79576bec5a3f7421d28d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 30 Mar 2023 12:54:15 +0200 -Subject: sched/psi: Rearrange polling code in preparation - -From: Domenico Cerasuolo - -[ Upstream commit 7fab21fa0d000a0ea32d73ce8eec68557c6c268b ] - -Move a few functions up in the file to avoid forward declaration needed -in the patch implementing unprivileged PSI triggers. - -Suggested-by: Johannes Weiner -Signed-off-by: Domenico Cerasuolo -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Johannes Weiner -Link: https://lore.kernel.org/r/20230330105418.77061-2-cerasuolodomenico@gmail.com -Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") -Signed-off-by: Sasha Levin ---- - kernel/sched/psi.c | 196 ++++++++++++++++++++++----------------------- - 1 file changed, 98 insertions(+), 98 deletions(-) - -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index 02e011cabe917..fe9269f1d2a46 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -384,92 +384,6 @@ static void collect_percpu_times(struct psi_group *group, - *pchanged_states = changed_states; - } - --static u64 update_averages(struct psi_group *group, u64 now) --{ -- unsigned long missed_periods = 0; -- u64 expires, period; -- u64 avg_next_update; -- int s; -- -- /* avgX= */ -- expires = group->avg_next_update; -- if (now - expires >= psi_period) -- missed_periods = div_u64(now - expires, psi_period); -- -- /* -- * The periodic clock tick can get delayed for various -- * reasons, especially on loaded systems. To avoid clock -- * drift, we schedule the clock in fixed psi_period intervals. -- * But the deltas we sample out of the per-cpu buckets above -- * are based on the actual time elapsing between clock ticks. -- */ -- avg_next_update = expires + ((1 + missed_periods) * psi_period); -- period = now - (group->avg_last_update + (missed_periods * psi_period)); -- group->avg_last_update = now; -- -- for (s = 0; s < NR_PSI_STATES - 1; s++) { -- u32 sample; -- -- sample = group->total[PSI_AVGS][s] - group->avg_total[s]; -- /* -- * Due to the lockless sampling of the time buckets, -- * recorded time deltas can slip into the next period, -- * which under full pressure can result in samples in -- * excess of the period length. -- * -- * We don't want to report non-sensical pressures in -- * excess of 100%, nor do we want to drop such events -- * on the floor. Instead we punt any overage into the -- * future until pressure subsides. By doing this we -- * don't underreport the occurring pressure curve, we -- * just report it delayed by one period length. -- * -- * The error isn't cumulative. As soon as another -- * delta slips from a period P to P+1, by definition -- * it frees up its time T in P. -- */ -- if (sample > period) -- sample = period; -- group->avg_total[s] += sample; -- calc_avgs(group->avg[s], missed_periods, sample, period); -- } -- -- return avg_next_update; --} -- --static void psi_avgs_work(struct work_struct *work) --{ -- struct delayed_work *dwork; -- struct psi_group *group; -- u32 changed_states; -- u64 now; -- -- dwork = to_delayed_work(work); -- group = container_of(dwork, struct psi_group, avgs_work); -- -- mutex_lock(&group->avgs_lock); -- -- now = sched_clock(); -- -- collect_percpu_times(group, PSI_AVGS, &changed_states); -- /* -- * If there is task activity, periodically fold the per-cpu -- * times and feed samples into the running averages. If things -- * are idle and there is no data to process, stop the clock. -- * Once restarted, we'll catch up the running averages in one -- * go - see calc_avgs() and missed_periods. -- */ -- if (now >= group->avg_next_update) -- group->avg_next_update = update_averages(group, now); -- -- if (changed_states & PSI_STATE_RESCHEDULE) { -- schedule_delayed_work(dwork, nsecs_to_jiffies( -- group->avg_next_update - now) + 1); -- } -- -- mutex_unlock(&group->avgs_lock); --} -- - /* Trigger tracking window manipulations */ - static void window_reset(struct psi_window *win, u64 now, u64 value, - u64 prev_growth) -@@ -516,18 +430,6 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) - return growth; - } - --static void init_triggers(struct psi_group *group, u64 now) --{ -- struct psi_trigger *t; -- -- list_for_each_entry(t, &group->triggers, node) -- window_reset(&t->win, now, -- group->total[PSI_POLL][t->state], 0); -- memcpy(group->polling_total, group->total[PSI_POLL], -- sizeof(group->polling_total)); -- group->polling_next_update = now + group->poll_min_period; --} -- - static u64 update_triggers(struct psi_group *group, u64 now) - { - struct psi_trigger *t; -@@ -590,6 +492,104 @@ static u64 update_triggers(struct psi_group *group, u64 now) - return now + group->poll_min_period; - } - -+static u64 update_averages(struct psi_group *group, u64 now) -+{ -+ unsigned long missed_periods = 0; -+ u64 expires, period; -+ u64 avg_next_update; -+ int s; -+ -+ /* avgX= */ -+ expires = group->avg_next_update; -+ if (now - expires >= psi_period) -+ missed_periods = div_u64(now - expires, psi_period); -+ -+ /* -+ * The periodic clock tick can get delayed for various -+ * reasons, especially on loaded systems. To avoid clock -+ * drift, we schedule the clock in fixed psi_period intervals. -+ * But the deltas we sample out of the per-cpu buckets above -+ * are based on the actual time elapsing between clock ticks. -+ */ -+ avg_next_update = expires + ((1 + missed_periods) * psi_period); -+ period = now - (group->avg_last_update + (missed_periods * psi_period)); -+ group->avg_last_update = now; -+ -+ for (s = 0; s < NR_PSI_STATES - 1; s++) { -+ u32 sample; -+ -+ sample = group->total[PSI_AVGS][s] - group->avg_total[s]; -+ /* -+ * Due to the lockless sampling of the time buckets, -+ * recorded time deltas can slip into the next period, -+ * which under full pressure can result in samples in -+ * excess of the period length. -+ * -+ * We don't want to report non-sensical pressures in -+ * excess of 100%, nor do we want to drop such events -+ * on the floor. Instead we punt any overage into the -+ * future until pressure subsides. By doing this we -+ * don't underreport the occurring pressure curve, we -+ * just report it delayed by one period length. -+ * -+ * The error isn't cumulative. As soon as another -+ * delta slips from a period P to P+1, by definition -+ * it frees up its time T in P. -+ */ -+ if (sample > period) -+ sample = period; -+ group->avg_total[s] += sample; -+ calc_avgs(group->avg[s], missed_periods, sample, period); -+ } -+ -+ return avg_next_update; -+} -+ -+static void psi_avgs_work(struct work_struct *work) -+{ -+ struct delayed_work *dwork; -+ struct psi_group *group; -+ u32 changed_states; -+ u64 now; -+ -+ dwork = to_delayed_work(work); -+ group = container_of(dwork, struct psi_group, avgs_work); -+ -+ mutex_lock(&group->avgs_lock); -+ -+ now = sched_clock(); -+ -+ collect_percpu_times(group, PSI_AVGS, &changed_states); -+ /* -+ * If there is task activity, periodically fold the per-cpu -+ * times and feed samples into the running averages. If things -+ * are idle and there is no data to process, stop the clock. -+ * Once restarted, we'll catch up the running averages in one -+ * go - see calc_avgs() and missed_periods. -+ */ -+ if (now >= group->avg_next_update) -+ group->avg_next_update = update_averages(group, now); -+ -+ if (changed_states & PSI_STATE_RESCHEDULE) { -+ schedule_delayed_work(dwork, nsecs_to_jiffies( -+ group->avg_next_update - now) + 1); -+ } -+ -+ mutex_unlock(&group->avgs_lock); -+} -+ -+static void init_triggers(struct psi_group *group, u64 now) -+{ -+ struct psi_trigger *t; -+ -+ list_for_each_entry(t, &group->triggers, node) -+ window_reset(&t->win, now, -+ group->total[PSI_POLL][t->state], 0); -+ memcpy(group->polling_total, group->total[PSI_POLL], -+ sizeof(group->polling_total)); -+ group->polling_next_update = now + group->poll_min_period; -+} -+ - /* Schedule polling if it's not already scheduled or forced. */ - static void psi_schedule_poll_work(struct psi_group *group, unsigned long delay, - bool force) --- -2.39.2 - diff --git a/queue-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch b/queue-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch deleted file mode 100644 index 63cf15f6166..00000000000 --- a/queue-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch +++ /dev/null @@ -1,432 +0,0 @@ -From 0970d615d9b33fac51e3ce6bebe313abcf75dfe9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 30 Mar 2023 12:54:16 +0200 -Subject: sched/psi: Rename existing poll members in preparation - -From: Domenico Cerasuolo - -[ Upstream commit 65457b74aa9437418e552e8d52d7112d4f9901a6 ] - -Renaming in PSI implementation to make a clear distinction between -privileged and unprivileged triggers code to be implemented in the -next patch. - -Suggested-by: Johannes Weiner -Signed-off-by: Domenico Cerasuolo -Signed-off-by: Peter Zijlstra (Intel) -Acked-by: Johannes Weiner -Link: https://lore.kernel.org/r/20230330105418.77061-3-cerasuolodomenico@gmail.com -Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") -Signed-off-by: Sasha Levin ---- - include/linux/psi_types.h | 36 ++++----- - kernel/sched/psi.c | 163 +++++++++++++++++++------------------- - 2 files changed, 100 insertions(+), 99 deletions(-) - -diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h -index 1e0a0d7ace3af..1819afa8b1987 100644 ---- a/include/linux/psi_types.h -+++ b/include/linux/psi_types.h -@@ -175,26 +175,26 @@ struct psi_group { - u64 total[NR_PSI_AGGREGATORS][NR_PSI_STATES - 1]; - unsigned long avg[NR_PSI_STATES - 1][3]; - -- /* Monitor work control */ -- struct task_struct __rcu *poll_task; -- struct timer_list poll_timer; -- wait_queue_head_t poll_wait; -- atomic_t poll_wakeup; -- atomic_t poll_scheduled; -+ /* Monitor RT polling work control */ -+ struct task_struct __rcu *rtpoll_task; -+ struct timer_list rtpoll_timer; -+ wait_queue_head_t rtpoll_wait; -+ atomic_t rtpoll_wakeup; -+ atomic_t rtpoll_scheduled; - - /* Protects data used by the monitor */ -- struct mutex trigger_lock; -- -- /* Configured polling triggers */ -- struct list_head triggers; -- u32 nr_triggers[NR_PSI_STATES - 1]; -- u32 poll_states; -- u64 poll_min_period; -- -- /* Total stall times at the start of monitor activation */ -- u64 polling_total[NR_PSI_STATES - 1]; -- u64 polling_next_update; -- u64 polling_until; -+ struct mutex rtpoll_trigger_lock; -+ -+ /* Configured RT polling triggers */ -+ struct list_head rtpoll_triggers; -+ u32 rtpoll_nr_triggers[NR_PSI_STATES - 1]; -+ u32 rtpoll_states; -+ u64 rtpoll_min_period; -+ -+ /* Total stall times at the start of RT polling monitor activation */ -+ u64 rtpoll_total[NR_PSI_STATES - 1]; -+ u64 rtpoll_next_update; -+ u64 rtpoll_until; - }; - - #else /* CONFIG_PSI */ -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index fe9269f1d2a46..a3d0b5cf797ab 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -189,14 +189,14 @@ static void group_init(struct psi_group *group) - INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); - mutex_init(&group->avgs_lock); - /* Init trigger-related members */ -- atomic_set(&group->poll_scheduled, 0); -- mutex_init(&group->trigger_lock); -- INIT_LIST_HEAD(&group->triggers); -- group->poll_min_period = U32_MAX; -- group->polling_next_update = ULLONG_MAX; -- init_waitqueue_head(&group->poll_wait); -- timer_setup(&group->poll_timer, poll_timer_fn, 0); -- rcu_assign_pointer(group->poll_task, NULL); -+ atomic_set(&group->rtpoll_scheduled, 0); -+ mutex_init(&group->rtpoll_trigger_lock); -+ INIT_LIST_HEAD(&group->rtpoll_triggers); -+ group->rtpoll_min_period = U32_MAX; -+ group->rtpoll_next_update = ULLONG_MAX; -+ init_waitqueue_head(&group->rtpoll_wait); -+ timer_setup(&group->rtpoll_timer, poll_timer_fn, 0); -+ rcu_assign_pointer(group->rtpoll_task, NULL); - } - - void __init psi_init(void) -@@ -440,11 +440,11 @@ static u64 update_triggers(struct psi_group *group, u64 now) - * On subsequent updates, calculate growth deltas and let - * watchers know when their specified thresholds are exceeded. - */ -- list_for_each_entry(t, &group->triggers, node) { -+ list_for_each_entry(t, &group->rtpoll_triggers, node) { - u64 growth; - bool new_stall; - -- new_stall = group->polling_total[t->state] != total[t->state]; -+ new_stall = group->rtpoll_total[t->state] != total[t->state]; - - /* Check for stall activity or a previous threshold breach */ - if (!new_stall && !t->pending_event) -@@ -486,10 +486,10 @@ static u64 update_triggers(struct psi_group *group, u64 now) - } - - if (update_total) -- memcpy(group->polling_total, total, -- sizeof(group->polling_total)); -+ memcpy(group->rtpoll_total, total, -+ sizeof(group->rtpoll_total)); - -- return now + group->poll_min_period; -+ return now + group->rtpoll_min_period; - } - - static u64 update_averages(struct psi_group *group, u64 now) -@@ -582,53 +582,53 @@ static void init_triggers(struct psi_group *group, u64 now) - { - struct psi_trigger *t; - -- list_for_each_entry(t, &group->triggers, node) -+ list_for_each_entry(t, &group->rtpoll_triggers, node) - window_reset(&t->win, now, - group->total[PSI_POLL][t->state], 0); -- memcpy(group->polling_total, group->total[PSI_POLL], -- sizeof(group->polling_total)); -- group->polling_next_update = now + group->poll_min_period; -+ memcpy(group->rtpoll_total, group->total[PSI_POLL], -+ sizeof(group->rtpoll_total)); -+ group->rtpoll_next_update = now + group->rtpoll_min_period; - } - - /* Schedule polling if it's not already scheduled or forced. */ --static void psi_schedule_poll_work(struct psi_group *group, unsigned long delay, -+static void psi_schedule_rtpoll_work(struct psi_group *group, unsigned long delay, - bool force) - { - struct task_struct *task; - - /* - * atomic_xchg should be called even when !force to provide a -- * full memory barrier (see the comment inside psi_poll_work). -+ * full memory barrier (see the comment inside psi_rtpoll_work). - */ -- if (atomic_xchg(&group->poll_scheduled, 1) && !force) -+ if (atomic_xchg(&group->rtpoll_scheduled, 1) && !force) - return; - - rcu_read_lock(); - -- task = rcu_dereference(group->poll_task); -+ task = rcu_dereference(group->rtpoll_task); - /* - * kworker might be NULL in case psi_trigger_destroy races with - * psi_task_change (hotpath) which can't use locks - */ - if (likely(task)) -- mod_timer(&group->poll_timer, jiffies + delay); -+ mod_timer(&group->rtpoll_timer, jiffies + delay); - else -- atomic_set(&group->poll_scheduled, 0); -+ atomic_set(&group->rtpoll_scheduled, 0); - - rcu_read_unlock(); - } - --static void psi_poll_work(struct psi_group *group) -+static void psi_rtpoll_work(struct psi_group *group) - { - bool force_reschedule = false; - u32 changed_states; - u64 now; - -- mutex_lock(&group->trigger_lock); -+ mutex_lock(&group->rtpoll_trigger_lock); - - now = sched_clock(); - -- if (now > group->polling_until) { -+ if (now > group->rtpoll_until) { - /* - * We are either about to start or might stop polling if no - * state change was recorded. Resetting poll_scheduled leaves -@@ -638,7 +638,7 @@ static void psi_poll_work(struct psi_group *group) - * should be negligible and polling_next_update still keeps - * updates correctly on schedule. - */ -- atomic_set(&group->poll_scheduled, 0); -+ atomic_set(&group->rtpoll_scheduled, 0); - /* - * A task change can race with the poll worker that is supposed to - * report on it. To avoid missing events, ensure ordering between -@@ -667,9 +667,9 @@ static void psi_poll_work(struct psi_group *group) - - collect_percpu_times(group, PSI_POLL, &changed_states); - -- if (changed_states & group->poll_states) { -+ if (changed_states & group->rtpoll_states) { - /* Initialize trigger windows when entering polling mode */ -- if (now > group->polling_until) -+ if (now > group->rtpoll_until) - init_triggers(group, now); - - /* -@@ -677,50 +677,50 @@ static void psi_poll_work(struct psi_group *group) - * minimum tracking window as long as monitor states are - * changing. - */ -- group->polling_until = now + -- group->poll_min_period * UPDATES_PER_WINDOW; -+ group->rtpoll_until = now + -+ group->rtpoll_min_period * UPDATES_PER_WINDOW; - } - -- if (now > group->polling_until) { -- group->polling_next_update = ULLONG_MAX; -+ if (now > group->rtpoll_until) { -+ group->rtpoll_next_update = ULLONG_MAX; - goto out; - } - -- if (now >= group->polling_next_update) -- group->polling_next_update = update_triggers(group, now); -+ if (now >= group->rtpoll_next_update) -+ group->rtpoll_next_update = update_triggers(group, now); - -- psi_schedule_poll_work(group, -- nsecs_to_jiffies(group->polling_next_update - now) + 1, -+ psi_schedule_rtpoll_work(group, -+ nsecs_to_jiffies(group->rtpoll_next_update - now) + 1, - force_reschedule); - - out: -- mutex_unlock(&group->trigger_lock); -+ mutex_unlock(&group->rtpoll_trigger_lock); - } - --static int psi_poll_worker(void *data) -+static int psi_rtpoll_worker(void *data) - { - struct psi_group *group = (struct psi_group *)data; - - sched_set_fifo_low(current); - - while (true) { -- wait_event_interruptible(group->poll_wait, -- atomic_cmpxchg(&group->poll_wakeup, 1, 0) || -+ wait_event_interruptible(group->rtpoll_wait, -+ atomic_cmpxchg(&group->rtpoll_wakeup, 1, 0) || - kthread_should_stop()); - if (kthread_should_stop()) - break; - -- psi_poll_work(group); -+ psi_rtpoll_work(group); - } - return 0; - } - - static void poll_timer_fn(struct timer_list *t) - { -- struct psi_group *group = from_timer(group, t, poll_timer); -+ struct psi_group *group = from_timer(group, t, rtpoll_timer); - -- atomic_set(&group->poll_wakeup, 1); -- wake_up_interruptible(&group->poll_wait); -+ atomic_set(&group->rtpoll_wakeup, 1); -+ wake_up_interruptible(&group->rtpoll_wait); - } - - static void record_times(struct psi_group_cpu *groupc, u64 now) -@@ -851,8 +851,8 @@ static void psi_group_change(struct psi_group *group, int cpu, - - write_seqcount_end(&groupc->seq); - -- if (state_mask & group->poll_states) -- psi_schedule_poll_work(group, 1, false); -+ if (state_mask & group->rtpoll_states) -+ psi_schedule_rtpoll_work(group, 1, false); - - if (wake_clock && !delayed_work_pending(&group->avgs_work)) - schedule_delayed_work(&group->avgs_work, PSI_FREQ); -@@ -1005,8 +1005,8 @@ void psi_account_irqtime(struct task_struct *task, u32 delta) - - write_seqcount_end(&groupc->seq); - -- if (group->poll_states & (1 << PSI_IRQ_FULL)) -- psi_schedule_poll_work(group, 1, false); -+ if (group->rtpoll_states & (1 << PSI_IRQ_FULL)) -+ psi_schedule_rtpoll_work(group, 1, false); - } while ((group = group->parent)); - } - #endif -@@ -1101,7 +1101,7 @@ void psi_cgroup_free(struct cgroup *cgroup) - cancel_delayed_work_sync(&cgroup->psi->avgs_work); - free_percpu(cgroup->psi->pcpu); - /* All triggers must be removed by now */ -- WARN_ONCE(cgroup->psi->poll_states, "psi: trigger leak\n"); -+ WARN_ONCE(cgroup->psi->rtpoll_states, "psi: trigger leak\n"); - kfree(cgroup->psi); - } - -@@ -1302,29 +1302,29 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, - init_waitqueue_head(&t->event_wait); - t->pending_event = false; - -- mutex_lock(&group->trigger_lock); -+ mutex_lock(&group->rtpoll_trigger_lock); - -- if (!rcu_access_pointer(group->poll_task)) { -+ if (!rcu_access_pointer(group->rtpoll_task)) { - struct task_struct *task; - -- task = kthread_create(psi_poll_worker, group, "psimon"); -+ task = kthread_create(psi_rtpoll_worker, group, "psimon"); - if (IS_ERR(task)) { - kfree(t); -- mutex_unlock(&group->trigger_lock); -+ mutex_unlock(&group->rtpoll_trigger_lock); - return ERR_CAST(task); - } -- atomic_set(&group->poll_wakeup, 0); -+ atomic_set(&group->rtpoll_wakeup, 0); - wake_up_process(task); -- rcu_assign_pointer(group->poll_task, task); -+ rcu_assign_pointer(group->rtpoll_task, task); - } - -- list_add(&t->node, &group->triggers); -- group->poll_min_period = min(group->poll_min_period, -+ list_add(&t->node, &group->rtpoll_triggers); -+ group->rtpoll_min_period = min(group->rtpoll_min_period, - div_u64(t->win.size, UPDATES_PER_WINDOW)); -- group->nr_triggers[t->state]++; -- group->poll_states |= (1 << t->state); -+ group->rtpoll_nr_triggers[t->state]++; -+ group->rtpoll_states |= (1 << t->state); - -- mutex_unlock(&group->trigger_lock); -+ mutex_unlock(&group->rtpoll_trigger_lock); - - return t; - } -@@ -1349,51 +1349,52 @@ void psi_trigger_destroy(struct psi_trigger *t) - */ - wake_up_pollfree(&t->event_wait); - -- mutex_lock(&group->trigger_lock); -+ mutex_lock(&group->rtpoll_trigger_lock); - - if (!list_empty(&t->node)) { - struct psi_trigger *tmp; - u64 period = ULLONG_MAX; - - list_del(&t->node); -- group->nr_triggers[t->state]--; -- if (!group->nr_triggers[t->state]) -- group->poll_states &= ~(1 << t->state); -+ group->rtpoll_nr_triggers[t->state]--; -+ if (!group->rtpoll_nr_triggers[t->state]) -+ group->rtpoll_states &= ~(1 << t->state); - /* reset min update period for the remaining triggers */ -- list_for_each_entry(tmp, &group->triggers, node) -+ list_for_each_entry(tmp, &group->rtpoll_triggers, node) - period = min(period, div_u64(tmp->win.size, - UPDATES_PER_WINDOW)); -- group->poll_min_period = period; -- /* Destroy poll_task when the last trigger is destroyed */ -- if (group->poll_states == 0) { -- group->polling_until = 0; -+ group->rtpoll_min_period = period; -+ /* Destroy rtpoll_task when the last trigger is destroyed */ -+ if (group->rtpoll_states == 0) { -+ group->rtpoll_until = 0; - task_to_destroy = rcu_dereference_protected( -- group->poll_task, -- lockdep_is_held(&group->trigger_lock)); -- rcu_assign_pointer(group->poll_task, NULL); -- del_timer(&group->poll_timer); -+ group->rtpoll_task, -+ lockdep_is_held(&group->rtpoll_trigger_lock)); -+ rcu_assign_pointer(group->rtpoll_task, NULL); -+ del_timer(&group->rtpoll_timer); - } - } - -- mutex_unlock(&group->trigger_lock); -+ mutex_unlock(&group->rtpoll_trigger_lock); - - /* -- * Wait for psi_schedule_poll_work RCU to complete its read-side -+ * Wait for psi_schedule_rtpoll_work RCU to complete its read-side - * critical section before destroying the trigger and optionally the -- * poll_task. -+ * rtpoll_task. - */ - synchronize_rcu(); - /* -- * Stop kthread 'psimon' after releasing trigger_lock to prevent a -- * deadlock while waiting for psi_poll_work to acquire trigger_lock -+ * Stop kthread 'psimon' after releasing rtpoll_trigger_lock to prevent -+ * a deadlock while waiting for psi_rtpoll_work to acquire -+ * rtpoll_trigger_lock - */ - if (task_to_destroy) { - /* - * After the RCU grace period has expired, the worker -- * can no longer be found through group->poll_task. -+ * can no longer be found through group->rtpoll_task. - */ - kthread_stop(task_to_destroy); -- atomic_set(&group->poll_scheduled, 0); -+ atomic_set(&group->rtpoll_scheduled, 0); - } - kfree(t); - } --- -2.39.2 - diff --git a/queue-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch b/queue-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch deleted file mode 100644 index 2f9c6baea91..00000000000 --- a/queue-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch +++ /dev/null @@ -1,176 +0,0 @@ -From cc4a5d27580aad5472ec624bab19f12d4556982c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 17:56:12 -0700 -Subject: sched/psi: use kernfs polling functions for PSI trigger polling - -From: Suren Baghdasaryan - -[ Upstream commit aff037078ecaecf34a7c2afab1341815f90fba5e ] - -Destroying psi trigger in cgroup_file_release causes UAF issues when -a cgroup is removed from under a polling process. This is happening -because cgroup removal causes a call to cgroup_file_release while the -actual file is still alive. Destroying the trigger at this point would -also destroy its waitqueue head and if there is still a polling process -on that file accessing the waitqueue, it will step on the freed pointer: - -do_select - vfs_poll - do_rmdir - cgroup_rmdir - kernfs_drain_open_files - cgroup_file_release - cgroup_pressure_release - psi_trigger_destroy - wake_up_pollfree(&t->event_wait) -// vfs_poll is unblocked - synchronize_rcu - kfree(t) - poll_freewait -> UAF access to the trigger's waitqueue head - -Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), -however the same issue exists for synchronous poll() case. -The root cause of this issue is that the lifecycles of the psi trigger's -waitqueue and of the file associated with the trigger are different. Fix -this by using kernfs_generic_poll function when polling on cgroup-specific -psi triggers. It internally uses kernfs_open_node->poll waitqueue head -with its lifecycle tied to the file's lifecycle. This also renders the -fix in [1] obsolete, so revert it. - -[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Closes: https://lore.kernel.org/all/20230613062306.101831-1-lujialin4@huawei.com/ -Reported-by: Lu Jialin -Signed-off-by: Suren Baghdasaryan -Signed-off-by: Peter Zijlstra (Intel) -Link: https://lkml.kernel.org/r/20230630005612.1014540-1-surenb@google.com -Signed-off-by: Sasha Levin ---- - include/linux/psi.h | 5 +++-- - include/linux/psi_types.h | 3 +++ - kernel/cgroup/cgroup.c | 2 +- - kernel/sched/psi.c | 29 +++++++++++++++++++++-------- - 4 files changed, 28 insertions(+), 11 deletions(-) - -diff --git a/include/linux/psi.h b/include/linux/psi.h -index ab26200c28033..e0745873e3f26 100644 ---- a/include/linux/psi.h -+++ b/include/linux/psi.h -@@ -23,8 +23,9 @@ void psi_memstall_enter(unsigned long *flags); - void psi_memstall_leave(unsigned long *flags); - - int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); --struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res, struct file *file); -+struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, -+ enum psi_res res, struct file *file, -+ struct kernfs_open_file *of); - void psi_trigger_destroy(struct psi_trigger *t); - - __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, -diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h -index 040c089581c6c..f1fd3a8044e0e 100644 ---- a/include/linux/psi_types.h -+++ b/include/linux/psi_types.h -@@ -137,6 +137,9 @@ struct psi_trigger { - /* Wait queue for polling */ - wait_queue_head_t event_wait; - -+ /* Kernfs file for cgroup triggers */ -+ struct kernfs_open_file *of; -+ - /* Pending event flag */ - int event; - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index c35efae566a4b..73f11e4db3a4d 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3771,7 +3771,7 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, - } - - psi = cgroup_psi(cgrp); -- new = psi_trigger_create(psi, buf, res, of->file); -+ new = psi_trigger_create(psi, buf, res, of->file, of); - if (IS_ERR(new)) { - cgroup_put(cgrp); - return PTR_ERR(new); -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index e072f6b31bf30..80d8c10e93638 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -494,8 +494,12 @@ static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, - continue; - - /* Generate an event */ -- if (cmpxchg(&t->event, 0, 1) == 0) -- wake_up_interruptible(&t->event_wait); -+ if (cmpxchg(&t->event, 0, 1) == 0) { -+ if (t->of) -+ kernfs_notify(t->of->kn); -+ else -+ wake_up_interruptible(&t->event_wait); -+ } - t->last_event_time = now; - /* Reset threshold breach flag once event got generated */ - t->pending_event = false; -@@ -1272,8 +1276,9 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) - return 0; - } - --struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res, struct file *file) -+struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, -+ enum psi_res res, struct file *file, -+ struct kernfs_open_file *of) - { - struct psi_trigger *t; - enum psi_states state; -@@ -1333,7 +1338,9 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, - - t->event = 0; - t->last_event_time = 0; -- init_waitqueue_head(&t->event_wait); -+ t->of = of; -+ if (!of) -+ init_waitqueue_head(&t->event_wait); - t->pending_event = false; - t->aggregator = privileged ? PSI_POLL : PSI_AVGS; - -@@ -1390,7 +1397,10 @@ void psi_trigger_destroy(struct psi_trigger *t) - * being accessed later. Can happen if cgroup is deleted from under a - * polling process. - */ -- wake_up_pollfree(&t->event_wait); -+ if (t->of) -+ kernfs_notify(t->of->kn); -+ else -+ wake_up_interruptible(&t->event_wait); - - if (t->aggregator == PSI_AVGS) { - mutex_lock(&group->avgs_lock); -@@ -1462,7 +1472,10 @@ __poll_t psi_trigger_poll(void **trigger_ptr, - if (!t) - return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; - -- poll_wait(file, &t->event_wait, wait); -+ if (t->of) -+ kernfs_generic_poll(t->of, wait); -+ else -+ poll_wait(file, &t->event_wait, wait); - - if (cmpxchg(&t->event, 1, 0) == 1) - ret |= EPOLLPRI; -@@ -1532,7 +1545,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, - return -EBUSY; - } - -- new = psi_trigger_create(&psi_system, buf, res, file); -+ new = psi_trigger_create(&psi_system, buf, res, file, NULL); - if (IS_ERR(new)) { - mutex_unlock(&seq->lock); - return PTR_ERR(new); --- -2.39.2 - diff --git a/queue-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch b/queue-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch deleted file mode 100644 index 73a6e73e44a..00000000000 --- a/queue-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 79549da691edd4874c19d99c578a134471817c47 Mon Sep 17 00:00:00 2001 -From: Masahiro Yamada -Date: Wed, 8 Mar 2023 20:52:43 +0900 -Subject: scripts/kallsyms: update the usage in the comment block - -From: Masahiro Yamada - -commit 79549da691edd4874c19d99c578a134471817c47 upstream. - -Commit 010a0aad39fc ("kallsyms: Correctly sequence symbols when -CONFIG_LTO_CLANG=y") added --lto-clang, and updated the usage() -function, but not the comment. Update it in the same way. - -Signed-off-by: Masahiro Yamada -Reviewed-by: Nick Desaulniers -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kallsyms.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -6,7 +6,7 @@ - * of the GNU General Public License, incorporated herein by reference. - * - * Usage: kallsyms [--all-symbols] [--absolute-percpu] -- * [--base-relative] in.map > out.S -+ * [--base-relative] [--lto-clang] in.map > out.S - * - * Table compression uses all the unused char codes on the symbols and - * maps these to the most used substrings (tokens). For instance, it might diff --git a/queue-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch b/queue-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch deleted file mode 100644 index c80419e2947..00000000000 --- a/queue-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch +++ /dev/null @@ -1,34 +0,0 @@ -From adc40221bf676f3e722d135889a7b913b4162dc2 Mon Sep 17 00:00:00 2001 -From: Yuma Ueda -Date: Fri, 18 Nov 2022 22:36:31 +0900 -Subject: scripts/kallsyms.c Make the comment up-to-date with current implementation - -From: Yuma Ueda - -commit adc40221bf676f3e722d135889a7b913b4162dc2 upstream. - -The comment in scripts/kallsyms.c describing the usage of -scripts/kallsyms does not reflect the latest implementation. -Fix the comment to be equivalent to what the usage() function prints. - -Signed-off-by: Yuma Ueda -Reviewed-by: Miguel Ojeda -Link: https://lore.kernel.org/r/20221118133631.4554-1-cyan@0x00a1e9.dev -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kallsyms.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -5,7 +5,8 @@ - * This software may be used and distributed according to the terms - * of the GNU General Public License, incorporated herein by reference. - * -- * Usage: nm -n vmlinux | scripts/kallsyms [--all-symbols] > symbols.S -+ * Usage: kallsyms [--all-symbols] [--absolute-percpu] -+ * [--base-relative] in.map > out.S - * - * Table compression uses all the unused char codes on the symbols and - * maps these to the most used substrings (tokens). For instance, it might diff --git a/queue-6.1/security-keys-modify-mismatched-function-name.patch b/queue-6.1/security-keys-modify-mismatched-function-name.patch deleted file mode 100644 index 964df76e0b9..00000000000 --- a/queue-6.1/security-keys-modify-mismatched-function-name.patch +++ /dev/null @@ -1,40 +0,0 @@ -From d5bcc1aba8ad5267a2fd8d1da3794a97630d9c16 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Jun 2023 10:18:25 +0800 -Subject: security: keys: Modify mismatched function name - -From: Jiapeng Chong - -[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ] - -No functional modification involved. - -security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead. - -Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") -Reported-by: Abaci Robot -Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524 -Signed-off-by: Jiapeng Chong -Reviewed-by: Paul Moore -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Sasha Levin ---- - security/keys/trusted-keys/trusted_tpm2.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c -index 2b2c8eb258d5b..bc700f85f80be 100644 ---- a/security/keys/trusted-keys/trusted_tpm2.c -+++ b/security/keys/trusted-keys/trusted_tpm2.c -@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen, - } - - /** -- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. -+ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. - * - * @buf: an allocated tpm_buf instance - * @session_handle: session handle --- -2.39.2 - diff --git a/queue-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch b/queue-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch deleted file mode 100644 index 2fe7e9f37a4..00000000000 --- a/queue-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch +++ /dev/null @@ -1,123 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:47 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:23 +0300 -Subject: selftests/bpf: Fix sk_assign on s390x -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Ilya Leoshkevich , Eduard Zingerman -Message-ID: <20230724124223.1176479-7-eddyz87@gmail.com> - -From: Ilya Leoshkevich - -[ Upstream commit 7ce878ca81bca7811e669db4c394b86780e0dbe4 ] - -sk_assign is failing on an s390x machine running Debian "bookworm" for -2 reasons: legacy server_map definition and uninitialized addrlen in -recvfrom() call. - -Fix by adding a new-style server_map definition and dropping addrlen -(recvfrom() allows NULL values for src_addr and addrlen). - -Since the test should support tc built without libbpf, build the prog -twice: with the old-style definition and with the new-style definition, -then select the right one at runtime. This could be done at compile -time too, but this would not be cross-compilation friendly. - -Signed-off-by: Ilya Leoshkevich -Link: https://lore.kernel.org/r/20230129190501.1624747-2-iii@linux.ibm.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/bpf/prog_tests/sk_assign.c | 25 ++++++++++---- - tools/testing/selftests/bpf/progs/test_sk_assign.c | 11 ++++++ - tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c | 3 + - 3 files changed, 33 insertions(+), 6 deletions(-) - create mode 100644 tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c - ---- a/tools/testing/selftests/bpf/prog_tests/sk_assign.c -+++ b/tools/testing/selftests/bpf/prog_tests/sk_assign.c -@@ -29,7 +29,23 @@ static int stop, duration; - static bool - configure_stack(void) - { -+ char tc_version[128]; - char tc_cmd[BUFSIZ]; -+ char *prog; -+ FILE *tc; -+ -+ /* Check whether tc is built with libbpf. */ -+ tc = popen("tc -V", "r"); -+ if (CHECK_FAIL(!tc)) -+ return false; -+ if (CHECK_FAIL(!fgets(tc_version, sizeof(tc_version), tc))) -+ return false; -+ if (strstr(tc_version, ", libbpf ")) -+ prog = "test_sk_assign_libbpf.bpf.o"; -+ else -+ prog = "test_sk_assign.bpf.o"; -+ if (CHECK_FAIL(pclose(tc))) -+ return false; - - /* Move to a new networking namespace */ - if (CHECK_FAIL(unshare(CLONE_NEWNET))) -@@ -46,8 +62,8 @@ configure_stack(void) - /* Load qdisc, BPF program */ - if (CHECK_FAIL(system("tc qdisc add dev lo clsact"))) - return false; -- sprintf(tc_cmd, "%s %s %s %s", "tc filter add dev lo ingress bpf", -- "direct-action object-file ./test_sk_assign.bpf.o", -+ sprintf(tc_cmd, "%s %s %s %s %s", "tc filter add dev lo ingress bpf", -+ "direct-action object-file", prog, - "section tc", - (env.verbosity < VERBOSE_VERY) ? " 2>/dev/null" : "verbose"); - if (CHECK(system(tc_cmd), "BPF load failed;", -@@ -129,15 +145,12 @@ get_port(int fd) - static ssize_t - rcv_msg(int srv_client, int type) - { -- struct sockaddr_storage ss; - char buf[BUFSIZ]; -- socklen_t slen; - - if (type == SOCK_STREAM) - return read(srv_client, &buf, sizeof(buf)); - else -- return recvfrom(srv_client, &buf, sizeof(buf), 0, -- (struct sockaddr *)&ss, &slen); -+ return recvfrom(srv_client, &buf, sizeof(buf), 0, NULL, NULL); - } - - static int ---- a/tools/testing/selftests/bpf/progs/test_sk_assign.c -+++ b/tools/testing/selftests/bpf/progs/test_sk_assign.c -@@ -16,6 +16,16 @@ - #include - #include - -+#if defined(IPROUTE2_HAVE_LIBBPF) -+/* Use a new-style map definition. */ -+struct { -+ __uint(type, BPF_MAP_TYPE_SOCKMAP); -+ __type(key, int); -+ __type(value, __u64); -+ __uint(pinning, LIBBPF_PIN_BY_NAME); -+ __uint(max_entries, 1); -+} server_map SEC(".maps"); -+#else - /* Pin map under /sys/fs/bpf/tc/globals/ */ - #define PIN_GLOBAL_NS 2 - -@@ -35,6 +45,7 @@ struct { - .max_elem = 1, - .pinning = PIN_GLOBAL_NS, - }; -+#endif - - char _license[] SEC("license") = "GPL"; - ---- /dev/null -+++ b/tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c -@@ -0,0 +1,3 @@ -+// SPDX-License-Identifier: GPL-2.0 -+#define IPROUTE2_HAVE_LIBBPF -+#include "test_sk_assign.c" diff --git a/queue-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch b/queue-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch deleted file mode 100644 index 44b87fce809..00000000000 --- a/queue-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch +++ /dev/null @@ -1,134 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:45 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:21 +0300 -Subject: selftests/bpf: make test_align selftest more robust -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman -Message-ID: <20230724124223.1176479-5-eddyz87@gmail.com> - -From: Andrii Nakryiko - -[ Upstream commit 4f999b767769b76378c3616c624afd6f4bb0d99f ] - -test_align selftest relies on BPF verifier log emitting register states -for specific instructions in expected format. Unfortunately, BPF -verifier precision backtracking log interferes with such expectations. -And instruction on which precision propagation happens sometimes don't -output full expected register states. This does indeed look like -something to be improved in BPF verifier, but is beyond the scope of -this patch set. - -So to make test_align a bit more robust, inject few dummy R4 = R5 -instructions which capture desired state of R5 and won't have precision -tracking logs on them. This fixes tests until we can improve BPF -verifier output in the presence of precision tracking. - -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/r/20221104163649.121784-7-andrii@kernel.org -Signed-off-by: Alexei Starovoitov -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/bpf/prog_tests/align.c | 38 +++++++++++++++---------- - 1 file changed, 24 insertions(+), 14 deletions(-) - ---- a/tools/testing/selftests/bpf/prog_tests/align.c -+++ b/tools/testing/selftests/bpf/prog_tests/align.c -@@ -2,7 +2,7 @@ - #include - - #define MAX_INSNS 512 --#define MAX_MATCHES 16 -+#define MAX_MATCHES 24 - - struct bpf_reg_match { - unsigned int line; -@@ -267,6 +267,7 @@ static struct bpf_align_test tests[] = { - */ - BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), - BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), -+ BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), - BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), -@@ -280,6 +281,7 @@ static struct bpf_align_test tests[] = { - BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), - BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), -+ BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 4), - BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), - BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), -@@ -311,44 +313,52 @@ static struct bpf_align_test tests[] = { - {15, "R4=pkt(id=1,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, - {15, "R5=pkt(id=1,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, - /* Variable offset is added to R5 packet pointer, -- * resulting in auxiliary alignment of 4. -+ * resulting in auxiliary alignment of 4. To avoid BPF -+ * verifier's precision backtracking logging -+ * interfering we also have a no-op R4 = R5 -+ * instruction to validate R5 state. We also check -+ * that R4 is what it should be in such case. - */ -- {17, "R5_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {18, "R4_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {18, "R5_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, - /* Constant offset is added to R5, resulting in - * reg->off of 14. - */ -- {18, "R5_w=pkt(id=2,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {19, "R5_w=pkt(id=2,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, - /* At the time the word size load is performed from R5, - * its total fixed offset is NET_IP_ALIGN + reg->off - * (14) which is 16. Then the variable offset is 4-byte - * aligned, so the total offset is 4-byte aligned and - * meets the load's requirements. - */ -- {23, "R4=pkt(id=2,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, -- {23, "R5=pkt(id=2,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {24, "R4=pkt(id=2,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {24, "R5=pkt(id=2,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, - /* Constant offset is added to R5 packet pointer, - * resulting in reg->off value of 14. - */ -- {25, "R5_w=pkt(off=14,r=8"}, -+ {26, "R5_w=pkt(off=14,r=8"}, - /* Variable offset is added to R5, resulting in a -- * variable offset of (4n). -+ * variable offset of (4n). See comment for insn #18 -+ * for R4 = R5 trick. - */ -- {26, "R5_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {28, "R4_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {28, "R5_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, - /* Constant is added to R5 again, setting reg->off to 18. */ -- {27, "R5_w=pkt(id=3,off=18,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, -+ {29, "R5_w=pkt(id=3,off=18,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, - /* And once more we add a variable; resulting var_off - * is still (4n), fixed offset is not changed. - * Also, we create a new reg->id. - */ -- {28, "R5_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, -+ {31, "R4_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, -+ {31, "R5_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, - /* At the time the word size load is performed from R5, - * its total fixed offset is NET_IP_ALIGN + reg->off (18) - * which is 20. Then the variable offset is (4n), so - * the total offset is 4-byte aligned and meets the - * load's requirements. - */ -- {33, "R4=pkt(id=4,off=22,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, -- {33, "R5=pkt(id=4,off=18,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, -+ {35, "R4=pkt(id=4,off=22,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, -+ {35, "R5=pkt(id=4,off=18,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, - }, - }, - { -@@ -681,6 +691,6 @@ void test_align(void) - if (!test__start_subtest(test->descr)) - continue; - -- CHECK_FAIL(do_test_single(test)); -+ ASSERT_OK(do_test_single(test), test->descr); - } - } diff --git a/queue-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch b/queue-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch deleted file mode 100644 index ebb5dddeacc..00000000000 --- a/queue-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch +++ /dev/null @@ -1,95 +0,0 @@ -From stable-owner@vger.kernel.org Mon Jul 24 14:42:44 2023 -From: Eduard Zingerman -Date: Mon, 24 Jul 2023 15:42:22 +0300 -Subject: selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code -To: stable@vger.kernel.org, ast@kernel.org -Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman -Message-ID: <20230724124223.1176479-6-eddyz87@gmail.com> - -From: Yonghong Song - -[ Upstream commit 63d78b7e8ca2d0eb8c687a355fa19d01b6fcc723 ] - -With latest llvm17, selftest fexit_bpf2bpf/func_replace_return_code -has the following verification failure: - - 0: R1=ctx(off=0,imm=0) R10=fp0 - ; int connect_v4_prog(struct bpf_sock_addr *ctx) - 0: (bf) r7 = r1 ; R1=ctx(off=0,imm=0) R7_w=ctx(off=0,imm=0) - 1: (b4) w6 = 0 ; R6_w=0 - ; memset(&tuple.ipv4.saddr, 0, sizeof(tuple.ipv4.saddr)); - ... - ; return do_bind(ctx) ? 1 : 0; - 179: (bf) r1 = r7 ; R1=ctx(off=0,imm=0) R7=ctx(off=0,imm=0) - 180: (85) call pc+147 - Func#3 is global and valid. Skipping. - 181: R0_w=scalar() - 181: (bc) w6 = w0 ; R0_w=scalar() R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) - 182: (05) goto pc-129 - ; } - 54: (bc) w0 = w6 ; R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) - 55: (95) exit - At program exit the register R0 has value (0x0; 0xffffffff) should have been in (0x0; 0x1) - processed 281 insns (limit 1000000) max_states_per_insn 1 total_states 26 peak_states 26 mark_read 13 - -- END PROG LOAD LOG -- - libbpf: prog 'connect_v4_prog': failed to load: -22 - -The corresponding source code: - - __attribute__ ((noinline)) - int do_bind(struct bpf_sock_addr *ctx) - { - struct sockaddr_in sa = {}; - - sa.sin_family = AF_INET; - sa.sin_port = bpf_htons(0); - sa.sin_addr.s_addr = bpf_htonl(SRC_REWRITE_IP4); - - if (bpf_bind(ctx, (struct sockaddr *)&sa, sizeof(sa)) != 0) - return 0; - - return 1; - } - ... - SEC("cgroup/connect4") - int connect_v4_prog(struct bpf_sock_addr *ctx) - { - ... - return do_bind(ctx) ? 1 : 0; - } - -Insn 180 is a call to 'do_bind'. The call's return value is also the return value -for the program. Since do_bind() returns 0/1, so it is legitimate for compiler to -optimize 'return do_bind(ctx) ? 1 : 0' to 'return do_bind(ctx)'. However, such -optimization breaks verifier as the return value of 'do_bind()' is marked as any -scalar which violates the requirement of prog return value 0/1. - -There are two ways to fix this problem, (1) changing 'return 1' in do_bind() to -e.g. 'return 10' so the compiler has to do 'do_bind(ctx) ? 1 :0', or (2) -suggested by Andrii, marking do_bind() with __weak attribute so the compiler -cannot make any assumption on do_bind() return value. - -This patch adopted adding __weak approach which is simpler and more resistant -to potential compiler optimizations. - -Suggested-by: Andrii Nakryiko -Signed-off-by: Yonghong Song -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/bpf/20230310012410.2920570-1-yhs@fb.com -Signed-off-by: Eduard Zingerman -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/bpf/progs/connect4_prog.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/tools/testing/selftests/bpf/progs/connect4_prog.c -+++ b/tools/testing/selftests/bpf/progs/connect4_prog.c -@@ -32,7 +32,7 @@ - #define IFNAMSIZ 16 - #endif - --__attribute__ ((noinline)) -+__attribute__ ((noinline)) __weak - int do_bind(struct bpf_sock_addr *ctx) - { - struct sockaddr_in sa = {}; diff --git a/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch b/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch deleted file mode 100644 index cdab180886e..00000000000 --- a/queue-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:46 +0200 -Subject: selftests: tc: add ConnTrack procfs kconfig - -From: Matthieu Baerts - -commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream. - -When looking at the TC selftest reports, I noticed one test was failing -because /proc/net/nf_conntrack was not available. - - not ok 373 3992 - Add ct action triggering DNAT tuple conflict - Could not match regex pattern. Verify command output: - cat: /proc/net/nf_conntrack: No such file or directory - -It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue -can be fixed simply by adding it to the list of required kconfig. - -Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision") -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1] -Signed-off-by: Matthieu Baerts -Tested-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/config | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/testing/selftests/tc-testing/config -+++ b/tools/testing/selftests/tc-testing/config -@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_MARK=y - CONFIG_NF_CONNTRACK_ZONES=y - CONFIG_NF_CONNTRACK_LABELS=y -+CONFIG_NF_CONNTRACK_PROCFS=y - CONFIG_NF_FLOW_TABLE=m - CONFIG_NF_NAT=m - CONFIG_NETFILTER_XT_TARGET_LOG=m diff --git a/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch b/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch deleted file mode 100644 index 07859eec8d1..00000000000 --- a/queue-6.1/selftests-tc-add-ct-action-kconfig-dep.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:45 +0200 -Subject: selftests: tc: add 'ct' action kconfig dep - -From: Matthieu Baerts - -commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream. - -When looking for something else in LKFT reports [1], I noticed most of -the tests were skipped because the "teardown stage" did not complete -successfully. - -Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required -but not listed in the 'config' file. Adding it to the list fixes the -issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final -kconfig. - -Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") -Cc: stable@vger.kernel.org -Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] -Suggested-by: Pedro Tammela -Signed-off-by: Matthieu Baerts -Tested-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/config | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/testing/selftests/tc-testing/config -+++ b/tools/testing/selftests/tc-testing/config -@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_MARK=y - CONFIG_NF_CONNTRACK_ZONES=y - CONFIG_NF_CONNTRACK_LABELS=y -+CONFIG_NF_FLOW_TABLE=m - CONFIG_NF_NAT=m - CONFIG_NETFILTER_XT_TARGET_LOG=m - diff --git a/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch b/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch deleted file mode 100644 index ea00bbfff7d..00000000000 --- a/queue-6.1/selftests-tc-set-timeout-to-15-minutes.patch +++ /dev/null @@ -1,43 +0,0 @@ -From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:44 +0200 -Subject: selftests: tc: set timeout to 15 minutes - -From: Matthieu Baerts - -commit fda05798c22a354efde09a76bdfc276b2d591829 upstream. - -When looking for something else in LKFT reports [1], I noticed that the -TC selftest ended with a timeout error: - - not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds - -The timeout had been introduced 3 years ago, see the Fixes commit below. - -This timeout is only in place when executing the selftests via the -kselftests runner scripts. I guess this is not what most TC devs are -using and nobody noticed the issue before. - -The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks -like it is plenty more time than what it takes in "normal" conditions. - -Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test") -Cc: stable@vger.kernel.org -Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] -Suggested-by: Pedro Tammela -Signed-off-by: Matthieu Baerts -Reviewed-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/settings | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 tools/testing/selftests/tc-testing/settings - ---- /dev/null -+++ b/tools/testing/selftests/tc-testing/settings -@@ -0,0 +1 @@ -+timeout=900 diff --git a/queue-6.1/series b/queue-6.1/series index 7fc065207a5..64ecbc6dba5 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -1,179 +1,2 @@ -io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch -alsa-hda-realtek-remove-3k-pull-low-procedure.patch -alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch -alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch -maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch -maple_tree-fix-node-allocation-testing-on-32-bit.patch -keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch -perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch -btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch -fuse-revalidate-don-t-invalidate-if-interrupted.patch -fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch -btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch -btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch -fuse-ioctl-translate-enosys-in-outarg.patch -btrfs-fix-race-between-balance-and-cancel-pause.patch -selftests-tc-set-timeout-to-15-minutes.patch -selftests-tc-add-ct-action-kconfig-dep.patch -regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch -of-preserve-of-display-device-name-for-compatibility.patch -regmap-account-for-register-length-in-smbus-i-o-limits.patch -arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch -can-raw-fix-receiver-memory-leak.patch -can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch -can-bcm-fix-uaf-in-bcm_proc_show.patch -can-gs_usb-gs_can_open-improve-error-handling.patch -selftests-tc-add-conntrack-procfs-kconfig.patch -dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch -drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch -drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch -drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch -drm-client-fix-memory-leak-in-drm_client_target_cloned.patch -drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch -drm-amd-display-only-accept-async-flips-for-fast-updates.patch -drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch -drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch -drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch -asoc-fsl_sai-disable-bit-clock-with-transmitter.patch -asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch -asoc-tegra-fix-adx-byte-map.patch -asoc-rt5640-fix-sleep-in-atomic-context.patch -asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch -asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch -asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch -asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch -asoc-tegra-fix-amx-byte-map.patch -asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch -asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch -asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch -asoc-codecs-wcd938x-fix-codec-initialisation-race.patch -asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch -ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch -drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch -alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch -quota-properly-disable-quotas-when-add_dquot_ref-fai.patch -quota-fix-warning-in-dqgrab.patch -hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch -ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch -udf-fix-uninitialized-array-access-for-some-pathname.patch -fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch -mips-dec-prom-address-warray-bounds-warning.patch -fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch -fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch -acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch -rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch -rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch -sched-fair-don-t-balance-task-to-its-current-running.patch -wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch -bpf-print-a-warning-only-if-writing-to-unprivileged_.patch -bpf-address-kcsan-report-on-bpf_lru_list.patch -bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch -wifi-ath11k-add-support-default-regdb-while-searchin.patch -wifi-mac80211_hwsim-fix-possible-null-dereference.patch -spi-dw-add-compatible-for-intel-mount-evans-soc.patch -wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch -net-ethernet-litex-add-support-for-64-bit-stats.patch -devlink-report-devlink_port_type_warn-source-device.patch -wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch -wifi-iwlwifi-add-support-for-new-pci-id.patch -wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch -wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch -igb-fix-igb_down-hung-on-surprise-removal.patch -net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch -asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch -asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch -asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch -asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch -sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch -sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch -sched-psi-rearrange-polling-code-in-preparation.patch -sched-psi-rename-existing-poll-members-in-preparatio.patch -sched-psi-extract-update_triggers-side-effect.patch -sched-psi-allow-unprivileged-polling-of-n-2s-period.patch -sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch -pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch -pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch -spi-bcm63xx-fix-max-prepend-length.patch -fbdev-imxfb-warn-about-invalid-left-right-margin.patch -fbdev-imxfb-removed-unneeded-release_mem_region.patch -perf-build-fix-library-not-found-error-when-using-cs.patch -btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch -spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch -kallsyms-improve-the-performance-of-kallsyms_lookup_.patch -kallsyms-correctly-sequence-symbols-when-config_lto_.patch -kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch -dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch -net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch -bridge-add-extack-warning-when-enabling-stp-in-netns.patch -net-ethernet-mtk_eth_soc-handle-probe-deferral.patch -cifs-fix-mid-leak-during-reconnection-after-timeout-.patch -asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch -net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch -net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch -net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch -net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch -net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch -net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch -net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch -net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch -iavf-fix-use-after-free-in-free_netdev.patch -iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch -iavf-use-internal-state-to-free-traffic-irqs.patch -iavf-move-netdev_update_features-into-watchdog-task.patch -iavf-send-vlan-offloading-caps-once-after-vfr.patch -iavf-make-functions-static-where-possible.patch -iavf-wait-for-reset-in-callbacks-which-trigger-it.patch -iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch -iavf-fix-reset-task-race-with-iavf_remove.patch -security-keys-modify-mismatched-function-name.patch -octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch -bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch -bpf-repeat-check_max_stack_depth-for-async-callbacks.patch -bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch -igc-avoid-transmit-queue-timeout-for-xdp.patch -igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch -net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch -tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch -tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch -net-ipv4-use-kfree_sensitive-instead-of-kfree.patch -net-ipv6-check-return-value-of-pskb_trim.patch -revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch -fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch -llc-don-t-drop-packet-from-non-root-netns.patch -alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch -netfilter-nf_tables-fix-spurious-set-element-inserti.patch -netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch -netfilter-nft_set_pipapo-fix-improper-element-remova.patch -netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch -netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch -bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch -bluetooth-hci_event-call-disconnect-callback-before-.patch -bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch -bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch -tcp-annotate-data-races-around-tp-tcp_tx_delay.patch -tcp-annotate-data-races-around-tp-tsoffset.patch -tcp-annotate-data-races-around-tp-keepalive_time.patch -tcp-annotate-data-races-around-tp-keepalive_intvl.patch -tcp-annotate-data-races-around-tp-keepalive_probes.patch -tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch -tcp-annotate-data-races-around-tp-linger2.patch -tcp-annotate-data-races-around-rskq_defer_accept.patch -tcp-annotate-data-races-around-tp-notsent_lowat.patch -tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch -tcp-annotate-data-races-around-fastopenq.max_qlen.patch -net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch -jbd2-recheck-chechpointing-non-dirty-buffer.patch -tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch -drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch -spi-dw-remove-misleading-comment-for-mount-evans-soc.patch -kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch -scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch -scripts-kallsyms-update-the-usage-in-the-comment-block.patch -bpf-allow-precision-tracking-for-programs-with-subprogs.patch -bpf-stop-setting-precise-in-current-state.patch -bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch -selftests-bpf-make-test_align-selftest-more-robust.patch -selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch -selftests-bpf-fix-sk_assign-on-s390x.patch x86-cpu-amd-move-the-errata-checking-functionality-up.patch x86-cpu-amd-add-a-zenbleed-fix.patch diff --git a/queue-6.1/spi-bcm63xx-fix-max-prepend-length.patch b/queue-6.1/spi-bcm63xx-fix-max-prepend-length.patch deleted file mode 100644 index 378e34a46b9..00000000000 --- a/queue-6.1/spi-bcm63xx-fix-max-prepend-length.patch +++ /dev/null @@ -1,47 +0,0 @@ -From cf5e36388cb882c6653cd3159ae15b19b12d882e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 09:14:52 +0200 -Subject: spi: bcm63xx: fix max prepend length - -From: Jonas Gorski - -[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] - -The command word is defined as following: - - /* Command */ - #define SPI_CMD_COMMAND_SHIFT 0 - #define SPI_CMD_DEVICE_ID_SHIFT 4 - #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 - #define SPI_CMD_ONE_BYTE_SHIFT 11 - #define SPI_CMD_ONE_WIRE_SHIFT 12 - -If the prepend byte count field starts at bit 8, and the next defined -bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and -thus the max value is 7, not 15. - -Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") -Signed-off-by: Jonas Gorski -Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-bcm63xx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c -index 80fa0ef8909ca..147199002df1e 100644 ---- a/drivers/spi/spi-bcm63xx.c -+++ b/drivers/spi/spi-bcm63xx.c -@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi { - SPI_MSG_DATA_SIZE, - }; - --#define BCM63XX_SPI_MAX_PREPEND 15 -+#define BCM63XX_SPI_MAX_PREPEND 7 - - #define BCM63XX_SPI_MAX_CS 8 - #define BCM63XX_SPI_BUS_NUM 0 --- -2.39.2 - diff --git a/queue-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch b/queue-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch deleted file mode 100644 index 26ebd33b46c..00000000000 --- a/queue-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch +++ /dev/null @@ -1,81 +0,0 @@ -From a47a909fedf766372d2d6e58a2e2e2694d9e1dfe Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Jun 2023 07:54:01 -0700 -Subject: spi: dw: Add compatible for Intel Mount Evans SoC - -From: Abe Kohandel - -[ Upstream commit 0760d5d0e9f0c0e2200a0323a61d1995bb745dee ] - -The Intel Mount Evans SoC's Integrated Management Complex uses the SPI -controller for access to a NOR SPI FLASH. However, the SoC doesn't -provide a mechanism to override the native chip select signal. - -This driver doesn't use DMA for memory operations when a chip select -override is not provided due to the native chip select timing behavior. -As a result no DMA configuration is done for the controller and this -configuration is not tested. - -The controller also has an errata where a full TX FIFO can result in -data corruption. The suggested workaround is to never completely fill -the FIFO. The TX FIFO has a size of 32 so the fifo_len is set to 31. - -Signed-off-by: Abe Kohandel -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20230606145402.474866-2-abe.kohandel@intel.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-dw-mmio.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c -index 26c40ea6dd129..7e8478ad74e55 100644 ---- a/drivers/spi/spi-dw-mmio.c -+++ b/drivers/spi/spi-dw-mmio.c -@@ -222,6 +222,31 @@ static int dw_spi_intel_init(struct platform_device *pdev, - return 0; - } - -+/* -+ * The Intel Mount Evans SoC's Integrated Management Complex uses the -+ * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't -+ * provide a mechanism to override the native chip select signal. -+ * -+ * This driver doesn't use DMA for memory operations when a chip select -+ * override is not provided due to the native chip select timing behavior. -+ * As a result no DMA configuration is done for the controller and this -+ * configuration is not tested. -+ */ -+static int dw_spi_mountevans_imc_init(struct platform_device *pdev, -+ struct dw_spi_mmio *dwsmmio) -+{ -+ /* -+ * The Intel Mount Evans SoC's Integrated Management Complex DW -+ * apb_ssi_v4.02a controller has an errata where a full TX FIFO can -+ * result in data corruption. The suggested workaround is to never -+ * completely fill the FIFO. The TX FIFO has a size of 32 so the -+ * fifo_len is set to 31. -+ */ -+ dwsmmio->dws.fifo_len = 31; -+ -+ return 0; -+} -+ - static int dw_spi_canaan_k210_init(struct platform_device *pdev, - struct dw_spi_mmio *dwsmmio) - { -@@ -350,6 +375,10 @@ static const struct of_device_id dw_spi_mmio_of_match[] = { - { .compatible = "snps,dwc-ssi-1.01a", .data = dw_spi_hssi_init}, - { .compatible = "intel,keembay-ssi", .data = dw_spi_intel_init}, - { .compatible = "intel,thunderbay-ssi", .data = dw_spi_intel_init}, -+ { -+ .compatible = "intel,mountevans-imc-ssi", -+ .data = dw_spi_mountevans_imc_init, -+ }, - { .compatible = "microchip,sparx5-spi", dw_spi_mscc_sparx5_init}, - { .compatible = "canaan,k210-spi", dw_spi_canaan_k210_init}, - { /* end of table */} --- -2.39.2 - diff --git a/queue-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch b/queue-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch deleted file mode 100644 index 1d70675f708..00000000000 --- a/queue-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 Mon Sep 17 00:00:00 2001 -From: Abe Kohandel -Date: Tue, 6 Jun 2023 16:18:44 -0700 -Subject: spi: dw: Remove misleading comment for Mount Evans SoC - -From: Abe Kohandel - -commit 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 upstream. - -Remove a misleading comment about the DMA operations of the Intel Mount -Evans SoC's SPI Controller as requested by Serge. - -Signed-off-by: Abe Kohandel -Link: https://lore.kernel.org/linux-spi/20230606191333.247ucbf7h3tlooxf@mobilestation/ -Fixes: 0760d5d0e9f0 ("spi: dw: Add compatible for Intel Mount Evans SoC") -Reviewed-by: Serge Semin -Link: https://lore.kernel.org/r/20230606231844.726272-1-abe.kohandel@intel.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/spi/spi-dw-mmio.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - ---- a/drivers/spi/spi-dw-mmio.c -+++ b/drivers/spi/spi-dw-mmio.c -@@ -223,14 +223,7 @@ static int dw_spi_intel_init(struct plat - } - - /* -- * The Intel Mount Evans SoC's Integrated Management Complex uses the -- * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't -- * provide a mechanism to override the native chip select signal. -- * -- * This driver doesn't use DMA for memory operations when a chip select -- * override is not provided due to the native chip select timing behavior. -- * As a result no DMA configuration is done for the controller and this -- * configuration is not tested. -+ * DMA-based mem ops are not configured for this device and are not tested. - */ - static int dw_spi_mountevans_imc_init(struct platform_device *pdev, - struct dw_spi_mmio *dwsmmio) diff --git a/queue-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch b/queue-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch deleted file mode 100644 index 8843429f8cc..00000000000 --- a/queue-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch +++ /dev/null @@ -1,40 +0,0 @@ -From f832b5453eead49443949271d5828c464703455b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jul 2023 17:20:20 +0900 -Subject: spi: s3c64xx: clear loopback bit after loopback test - -From: Jaewon Kim - -[ Upstream commit 9ec3c5517e22a12d2ff1b71e844f7913641460c6 ] - -When SPI loopback transfer is performed, S3C64XX_SPI_MODE_SELF_LOOPBACK -bit still remained. It works as loopback even if the next transfer is -not spi loopback mode. -If not SPI_LOOP, needs to clear S3C64XX_SPI_MODE_SELF_LOOPBACK bit. - -Signed-off-by: Jaewon Kim -Fixes: ffb7bcd3b27e ("spi: s3c64xx: support loopback mode") -Reviewed-by: Chanho Park -Link: https://lore.kernel.org/r/20230711082020.138165-1-jaewon02.kim@samsung.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-s3c64xx.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c -index 71d324ec9a70a..1480df7b43b3f 100644 ---- a/drivers/spi/spi-s3c64xx.c -+++ b/drivers/spi/spi-s3c64xx.c -@@ -668,6 +668,8 @@ static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) - - if ((sdd->cur_mode & SPI_LOOP) && sdd->port_conf->has_loopback) - val |= S3C64XX_SPI_MODE_SELF_LOOPBACK; -+ else -+ val &= ~S3C64XX_SPI_MODE_SELF_LOOPBACK; - - writel(val, regs + S3C64XX_SPI_MODE_CFG); - --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch deleted file mode 100644 index 8d091d79b80..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 7035bedf31a88876c025d69b93d6ebb0256f36f7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:57 +0000 -Subject: tcp: annotate data-races around fastopenq.max_qlen - -From: Eric Dumazet - -[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] - -This field can be read locklessly. - -Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/linux/tcp.h | 2 +- - net/ipv4/tcp.c | 2 +- - net/ipv4/tcp_fastopen.c | 6 ++++-- - 3 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/include/linux/tcp.h b/include/linux/tcp.h -index 41b1da621a458..9cd289ad3f5b5 100644 ---- a/include/linux/tcp.h -+++ b/include/linux/tcp.h -@@ -510,7 +510,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) - struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; - int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); - -- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); -+ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); - } - - static inline void tcp_move_syn(struct tcp_sock *tp, -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index b3a5ff311567b..fab25d4f3a6f1 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -4247,7 +4247,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_FASTOPEN: -- val = icsk->icsk_accept_queue.fastopenq.max_qlen; -+ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); - break; - - case TCP_FASTOPEN_CONNECT: -diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c -index 45cc7f1ca2961..85e4953f11821 100644 ---- a/net/ipv4/tcp_fastopen.c -+++ b/net/ipv4/tcp_fastopen.c -@@ -296,6 +296,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk, - static bool tcp_fastopen_queue_check(struct sock *sk) - { - struct fastopen_queue *fastopenq; -+ int max_qlen; - - /* Make sure the listener has enabled fastopen, and we don't - * exceed the max # of pending TFO requests allowed before trying -@@ -308,10 +309,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) - * temporarily vs a server not supporting Fast Open at all. - */ - fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; -- if (fastopenq->max_qlen == 0) -+ max_qlen = READ_ONCE(fastopenq->max_qlen); -+ if (max_qlen == 0) - return false; - -- if (fastopenq->qlen >= fastopenq->max_qlen) { -+ if (fastopenq->qlen >= max_qlen) { - struct request_sock *req1; - spin_lock(&fastopenq->lock); - req1 = fastopenq->rskq_rst_head; --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch deleted file mode 100644 index abaaf2ef0ca..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch +++ /dev/null @@ -1,69 +0,0 @@ -From ae744dd736807b48f042d785128b2d771387f69c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:52 +0000 -Subject: tcp: annotate data-races around icsk->icsk_syn_retries - -From: Eric Dumazet - -[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ] - -do_tcp_getsockopt() and reqsk_timer_handler() read -icsk->icsk_syn_retries while another cpu might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/inet_connection_sock.c | 2 +- - net/ipv4/tcp.c | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 8e35ea66d930a..62a3b103f258a 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -1016,7 +1016,7 @@ static void reqsk_timer_handler(struct timer_list *t) - - icsk = inet_csk(sk_listener); - net = sock_net(sk_listener); -- max_syn_ack_retries = icsk->icsk_syn_retries ? : -+ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? : - READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); - /* Normally all the openreqs are young and become mature - * (i.e. converted to established socket) for first timeout. -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 7d75928ea0f9c..ffa9717293358 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3397,7 +3397,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- inet_csk(sk)->icsk_syn_retries = val; -+ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val); - release_sock(sk); - return 0; - } -@@ -3678,7 +3678,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_SYNCNT) - err = -EINVAL; - else -- icsk->icsk_syn_retries = val; -+ WRITE_ONCE(icsk->icsk_syn_retries, val); - break; - - case TCP_SAVE_SYN: -@@ -4095,7 +4095,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = keepalive_probes(tp); - break; - case TCP_SYNCNT: -- val = icsk->icsk_syn_retries ? : -+ val = READ_ONCE(icsk->icsk_syn_retries) ? : - READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); - break; - case TCP_LINGER2: --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch deleted file mode 100644 index 1840f3aa1b1..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 7efbdf0a8a4d26103224e8eb9779b4b5c48a11c6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:56 +0000 -Subject: tcp: annotate data-races around icsk->icsk_user_timeout - -From: Eric Dumazet - -[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ] - -This field can be read locklessly from do_tcp_getsockopt() - -Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 6f3a494b965ae..b3a5ff311567b 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3406,7 +3406,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt); - void tcp_sock_set_user_timeout(struct sock *sk, u32 val) - { - lock_sock(sk); -- inet_csk(sk)->icsk_user_timeout = val; -+ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val); - release_sock(sk); - } - EXPORT_SYMBOL(tcp_sock_set_user_timeout); -@@ -3726,7 +3726,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 0) - err = -EINVAL; - else -- icsk->icsk_user_timeout = val; -+ WRITE_ONCE(icsk->icsk_user_timeout, val); - break; - - case TCP_FASTOPEN: -@@ -4243,7 +4243,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_USER_TIMEOUT: -- val = icsk->icsk_user_timeout; -+ val = READ_ONCE(icsk->icsk_user_timeout); - break; - - case TCP_FASTOPEN: --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch deleted file mode 100644 index 11e7afc0472..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 7cb1fa4e8fc2528b3c95ebf4367b85eaf269c0e9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:54 +0000 -Subject: tcp: annotate data-races around rskq_defer_accept - -From: Eric Dumazet - -[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] - -do_tcp_getsockopt() reads rskq_defer_accept while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 363535b6ece83..bc3ad48f92389 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3700,9 +3700,9 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - - case TCP_DEFER_ACCEPT: - /* Translate value in seconds to number of retransmits */ -- icsk->icsk_accept_queue.rskq_defer_accept = -- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -- TCP_RTO_MAX / HZ); -+ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, -+ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ)); - break; - - case TCP_WINDOW_CLAMP: -@@ -4104,8 +4104,9 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; - case TCP_DEFER_ACCEPT: -- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, -- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); -+ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); -+ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ); - break; - case TCP_WINDOW_CLAMP: - val = tp->window_clamp; --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch deleted file mode 100644 index ec6abdae945..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch +++ /dev/null @@ -1,184 +0,0 @@ -From 2a19bb80f620e9115ee081f89944c9fc3882cceb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:44:45 +0000 -Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent - -From: Eric Dumazet - -[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] - -TCP request sockets are lockless, tcp_rsk(req)->ts_recent -can change while being read by another cpu as syzbot noticed. - -This is harmless, but we should annotate the known races. - -Note that tcp_check_req() changes req->ts_recent a bit early, -we might change this in the future. - -BUG: KCSAN: data-race in tcp_check_req / tcp_check_req - -write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: -tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 -tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 -ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 -ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 -dst_input include/net/dst.h:468 [inline] -ip_rcv_finish net/ipv4/ip_input.c:449 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 -__netif_receive_skb_one_core net/core/dev.c:5493 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 -process_backlog+0x21f/0x380 net/core/dev.c:5935 -__napi_poll+0x60/0x3b0 net/core/dev.c:6498 -napi_poll net/core/dev.c:6565 [inline] -net_rx_action+0x32b/0x750 net/core/dev.c:6698 -__do_softirq+0xc1/0x265 kernel/softirq.c:571 -do_softirq+0x7e/0xb0 kernel/softirq.c:472 -__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 -local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 -rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] -__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 -dev_queue_xmit include/linux/netdevice.h:3088 [inline] -neigh_hh_output include/net/neighbour.h:528 [inline] -neigh_output include/net/neighbour.h:542 [inline] -ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 -ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 -NF_HOOK_COND include/linux/netfilter.h:292 [inline] -ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 -dst_output include/net/dst.h:458 [inline] -ip_local_out net/ipv4/ip_output.c:126 [inline] -__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 -ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 -__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 -tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] -tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 -__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 -tcp_push_pending_frames include/net/tcp.h:1952 [inline] -__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] -tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 -rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 -rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 -rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 -process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 -worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 -kthread+0x1d7/0x210 kernel/kthread.c:379 -ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 - -read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: -tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 -tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 -ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 -ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 -dst_input include/net/dst.h:468 [inline] -ip_rcv_finish net/ipv4/ip_input.c:449 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 -__netif_receive_skb_one_core net/core/dev.c:5493 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 -process_backlog+0x21f/0x380 net/core/dev.c:5935 -__napi_poll+0x60/0x3b0 net/core/dev.c:6498 -napi_poll net/core/dev.c:6565 [inline] -net_rx_action+0x32b/0x750 net/core/dev.c:6698 -__do_softirq+0xc1/0x265 kernel/softirq.c:571 -run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 -smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 -kthread+0x1d7/0x210 kernel/kthread.c:379 -ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 - -value changed: 0x1cd237f1 -> 0x1cd237f2 - -Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Reviewed-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 2 +- - net/ipv4/tcp_minisocks.c | 9 ++++++--- - net/ipv4/tcp_output.c | 2 +- - net/ipv6/tcp_ipv6.c | 2 +- - 4 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index e5df50b3e23a0..d49a66b271d52 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -988,7 +988,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - tcp_rsk(req)->rcv_nxt, - req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, - tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, -- req->ts_recent, -+ READ_ONCE(req->ts_recent), - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index f281eab7fd125..42844d20da020 100644 ---- a/net/ipv4/tcp_minisocks.c -+++ b/net/ipv4/tcp_minisocks.c -@@ -537,7 +537,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, - newtp->max_window = newtp->snd_wnd; - - if (newtp->rx_opt.tstamp_ok) { -- newtp->rx_opt.ts_recent = req->ts_recent; -+ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); - newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); - newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; - } else { -@@ -601,7 +601,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, - tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); - - if (tmp_opt.saw_tstamp) { -- tmp_opt.ts_recent = req->ts_recent; -+ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); - if (tmp_opt.rcv_tsecr) - tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; - /* We do not store true stamp, but it is not required, -@@ -740,8 +740,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, - - /* In sequence, PAWS is OK. */ - -+ /* TODO: We probably should defer ts_recent change once -+ * we take ownership of @req. -+ */ - if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) -- req->ts_recent = tmp_opt.rcv_tsval; -+ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); - - if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { - /* Truncate SYN, it is out of window starting -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 693a29d3f43bd..26bd039f9296f 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -876,7 +876,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, - if (likely(ireq->tstamp_ok)) { - opts->options |= OPTION_TS; - opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; -- opts->tsecr = req->ts_recent; -+ opts->tsecr = READ_ONCE(req->ts_recent); - remaining -= TCPOLEN_TSTAMP_ALIGNED; - } - if (likely(ireq->sack_ok)) { -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 0dcb06a1fe044..d9253aa764fae 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1130,7 +1130,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - tcp_rsk(req)->rcv_nxt, - req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, - tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, -- req->ts_recent, sk->sk_bound_dev_if, -+ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), - ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, - READ_ONCE(tcp_rsk(req)->txhash)); --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch b/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch deleted file mode 100644 index 7cee347686d..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch +++ /dev/null @@ -1,170 +0,0 @@ -From d29e41820d443947afb2314e6e9891e047903726 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:44:44 +0000 -Subject: tcp: annotate data-races around tcp_rsk(req)->txhash - -From: Eric Dumazet - -[ Upstream commit 5e5265522a9a7f91d1b0bd411d634bdaf16c80cd ] - -TCP request sockets are lockless, some of their fields -can change while being read by another cpu as syzbot noticed. - -This is usually harmless, but we should annotate the known -races. - -This patch takes care of tcp_rsk(req)->txhash, -a separate one is needed for tcp_rsk(req)->ts_recent. - -BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack - -write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1: -tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213 -inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880 -tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665 -tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673 -ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 -ip6_input_finish net/ipv6/ip6_input.c:482 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 -dst_input include/net/dst.h:468 [inline] -ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 -NF_HOOK include/linux/netfilter.h:303 [inline] -ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 -__netif_receive_skb_one_core net/core/dev.c:5452 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 -netif_receive_skb_internal net/core/dev.c:5652 [inline] -netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 -tun_rx_batched+0x3bf/0x400 -tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 -tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 -call_write_iter include/linux/fs.h:1871 [inline] -new_sync_write fs/read_write.c:491 [inline] -vfs_write+0x4ab/0x7d0 fs/read_write.c:584 -ksys_write+0xeb/0x1a0 fs/read_write.c:637 -__do_sys_write fs/read_write.c:649 [inline] -__se_sys_write fs/read_write.c:646 [inline] -__x64_sys_write+0x42/0x50 fs/read_write.c:646 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0: -tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663 -tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544 -tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059 -tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175 -tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494 -tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509 -tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735 -ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 -ip6_input_finish net/ipv6/ip6_input.c:482 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 -dst_input include/net/dst.h:468 [inline] -ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 -NF_HOOK include/linux/netfilter.h:303 [inline] -ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 -__netif_receive_skb_one_core net/core/dev.c:5452 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 -netif_receive_skb_internal net/core/dev.c:5652 [inline] -netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 -tun_rx_batched+0x3bf/0x400 -tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 -tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 -call_write_iter include/linux/fs.h:1871 [inline] -new_sync_write fs/read_write.c:491 [inline] -vfs_write+0x4ab/0x7d0 fs/read_write.c:584 -ksys_write+0xeb/0x1a0 fs/read_write.c:637 -__do_sys_write fs/read_write.c:649 [inline] -__se_sys_write fs/read_write.c:646 [inline] -__x64_sys_write+0x42/0x50 fs/read_write.c:646 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -value changed: 0x91d25731 -> 0xe79325cd - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller-00033-geb26cbb1a754 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 - -Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Reviewed-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 3 ++- - net/ipv4/tcp_minisocks.c | 2 +- - net/ipv4/tcp_output.c | 4 ++-- - net/ipv6/tcp_ipv6.c | 2 +- - 4 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index ef740983a1222..e5df50b3e23a0 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -992,7 +992,8 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -- ip_hdr(skb)->tos, tcp_rsk(req)->txhash); -+ ip_hdr(skb)->tos, -+ READ_ONCE(tcp_rsk(req)->txhash)); - } - - /* -diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index 7f37e7da64671..f281eab7fd125 100644 ---- a/net/ipv4/tcp_minisocks.c -+++ b/net/ipv4/tcp_minisocks.c -@@ -510,7 +510,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, - newicsk->icsk_ack.lrcvtime = tcp_jiffies32; - - newtp->lsndtime = tcp_jiffies32; -- newsk->sk_txhash = treq->txhash; -+ newsk->sk_txhash = READ_ONCE(treq->txhash); - newtp->total_retrans = req->num_retrans; - - tcp_init_xmit_timers(newsk); -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 925594dbeb929..693a29d3f43bd 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -3581,7 +3581,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, - rcu_read_lock(); - md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); - #endif -- skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4); -+ skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4); - /* bpf program will be interested in the tcp_flags */ - TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK; - tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5, -@@ -4124,7 +4124,7 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) - - /* Paired with WRITE_ONCE() in sock_setsockopt() */ - if (READ_ONCE(sk->sk_txrehash) == SOCK_TXREHASH_ENABLED) -- tcp_rsk(req)->txhash = net_tx_rndhash(); -+ WRITE_ONCE(tcp_rsk(req)->txhash, net_tx_rndhash()); - res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL, - NULL); - if (!res) { -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 8d61efeab9c99..0dcb06a1fe044 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1133,7 +1133,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - req->ts_recent, sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), - ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, -- tcp_rsk(req)->txhash); -+ READ_ONCE(tcp_rsk(req)->txhash)); - } - - --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch deleted file mode 100644 index 5dfc88a4ed2..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 078902bb3940caf45e1f58470e88e8184a16486d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:50 +0000 -Subject: tcp: annotate data-races around tp->keepalive_intvl - -From: Eric Dumazet - -[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] - -do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 9 +++++++-- - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 397c248102415..f39c44cbdfe62 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1511,9 +1511,14 @@ void tcp_leave_memory_pressure(struct sock *sk); - static inline int keepalive_intvl_when(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; -+ -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() -+ * and do_tcp_setsockopt(). -+ */ -+ val = READ_ONCE(tp->keepalive_intvl); - -- return tp->keepalive_intvl ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); - } - - static inline int keepalive_time_when(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c0d7b226bca1a..d19cfeb78392d 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3451,7 +3451,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- tcp_sk(sk)->keepalive_intvl = val * HZ; -+ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); - release_sock(sk); - return 0; - } -@@ -3665,7 +3665,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_KEEPINTVL) - err = -EINVAL; - else -- tp->keepalive_intvl = val * HZ; -+ WRITE_ONCE(tp->keepalive_intvl, val * HZ); - break; - case TCP_KEEPCNT: - if (val < 1 || val > MAX_TCP_KEEPCNT) --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch deleted file mode 100644 index 8df99735c91..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 8b50db4f550c9b4fa395cb961dd7c9ab6b4ac010 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:51 +0000 -Subject: tcp: annotate data-races around tp->keepalive_probes - -From: Eric Dumazet - -[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] - -do_tcp_getsockopt() reads tp->keepalive_probes while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 9 +++++++-- - net/ipv4/tcp.c | 5 +++-- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index f39c44cbdfe62..9733d8e4f10af 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1535,9 +1535,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) - static inline int keepalive_probes(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; -+ -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() -+ * and do_tcp_setsockopt(). -+ */ -+ val = READ_ONCE(tp->keepalive_probes); - -- return tp->keepalive_probes ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); - } - - static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index d19cfeb78392d..7d75928ea0f9c 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3463,7 +3463,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- tcp_sk(sk)->keepalive_probes = val; -+ /* Paired with READ_ONCE() in keepalive_probes() */ -+ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); - release_sock(sk); - return 0; - } -@@ -3671,7 +3672,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_KEEPCNT) - err = -EINVAL; - else -- tp->keepalive_probes = val; -+ WRITE_ONCE(tp->keepalive_probes, val); - break; - case TCP_SYNCNT: - if (val < 1 || val > MAX_TCP_SYNCNT) --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch b/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch deleted file mode 100644 index 5c5aa55e06b..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 9121aedbe1355d93c6f3ab514d0878a9099021f0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:49 +0000 -Subject: tcp: annotate data-races around tp->keepalive_time - -From: Eric Dumazet - -[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ] - -do_tcp_getsockopt() reads tp->keepalive_time while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 7 +++++-- - net/ipv4/tcp.c | 3 ++- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 5eedd476a38d7..397c248102415 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1519,9 +1519,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp) - static inline int keepalive_time_when(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; - -- return tp->keepalive_time ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */ -+ val = READ_ONCE(tp->keepalive_time); -+ -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); - } - - static inline int keepalive_probes(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 3edf7a1c5cbd2..c0d7b226bca1a 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3418,7 +3418,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val) - if (val < 1 || val > MAX_TCP_KEEPIDLE) - return -EINVAL; - -- tp->keepalive_time = val * HZ; -+ /* Paired with WRITE_ONCE() in keepalive_time_when() */ -+ WRITE_ONCE(tp->keepalive_time, val * HZ); - if (sock_flag(sk, SOCK_KEEPOPEN) && - !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) { - u32 elapsed = keepalive_time_elapsed(tp); --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-linger2.patch b/queue-6.1/tcp-annotate-data-races-around-tp-linger2.patch deleted file mode 100644 index 4c9751d2f34..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-linger2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 3d98c816d1920605a924d0ead6bf2be144e81749 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:53 +0000 -Subject: tcp: annotate data-races around tp->linger2 - -From: Eric Dumazet - -[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] - -do_tcp_getsockopt() reads tp->linger2 while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index ffa9717293358..363535b6ece83 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3691,11 +3691,11 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - - case TCP_LINGER2: - if (val < 0) -- tp->linger2 = -1; -+ WRITE_ONCE(tp->linger2, -1); - else if (val > TCP_FIN_TIMEOUT_MAX / HZ) -- tp->linger2 = TCP_FIN_TIMEOUT_MAX; -+ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); - else -- tp->linger2 = val * HZ; -+ WRITE_ONCE(tp->linger2, val * HZ); - break; - - case TCP_DEFER_ACCEPT: -@@ -4099,7 +4099,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); - break; - case TCP_LINGER2: -- val = tp->linger2; -+ val = READ_ONCE(tp->linger2); - if (val >= 0) - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch deleted file mode 100644 index 76a913e6334..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e13aeaa389758176f64c75eeb7dd1bf6ebee1871 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:55 +0000 -Subject: tcp: annotate data-races around tp->notsent_lowat - -From: Eric Dumazet - -[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] - -tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() -and tcp_poll(). - -Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 6 +++++- - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 9733d8e4f10af..e9c8f88f47696 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -2059,7 +2059,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); - static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); -+ u32 val; -+ -+ val = READ_ONCE(tp->notsent_lowat); -+ -+ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); - } - - bool tcp_stream_memory_free(const struct sock *sk, int wake); -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index bc3ad48f92389..6f3a494b965ae 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3770,7 +3770,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - err = tcp_repair_set_window(tp, optval, optlen); - break; - case TCP_NOTSENT_LOWAT: -- tp->notsent_lowat = val; -+ WRITE_ONCE(tp->notsent_lowat, val); - sk->sk_write_space(sk); - break; - case TCP_INQ: -@@ -4266,7 +4266,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); - break; - case TCP_NOTSENT_LOWAT: -- val = tp->notsent_lowat; -+ val = READ_ONCE(tp->notsent_lowat); - break; - case TCP_INQ: - val = tp->recvmsg_inq; --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/queue-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch deleted file mode 100644 index 89755e23176..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch +++ /dev/null @@ -1,46 +0,0 @@ -From acc05127977764c50f101313e03fed5dd0b7728e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:47 +0000 -Subject: tcp: annotate data-races around tp->tcp_tx_delay - -From: Eric Dumazet - -[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] - -do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu -might change its value. - -Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 0bd0be3c63d22..5e4bc80dc0ae5 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3780,7 +3780,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - case TCP_TX_DELAY: - if (val) - tcp_enable_tx_delay(); -- tp->tcp_tx_delay = val; -+ WRITE_ONCE(tp->tcp_tx_delay, val); - break; - default: - err = -ENOPROTOOPT; -@@ -4256,7 +4256,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_TX_DELAY: -- val = tp->tcp_tx_delay; -+ val = READ_ONCE(tp->tcp_tx_delay); - break; - - case TCP_TIMESTAMP: --- -2.39.2 - diff --git a/queue-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch b/queue-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch deleted file mode 100644 index b1de5b67a70..00000000000 --- a/queue-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5cb5df7c5c218e8bc062747711555eb97a17ceb0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:48 +0000 -Subject: tcp: annotate data-races around tp->tsoffset - -From: Eric Dumazet - -[ Upstream commit dd23c9f1e8d5c1d2e3d29393412385ccb9c7a948 ] - -do_tcp_getsockopt() reads tp->tsoffset while another cpu -might change its value. - -Fixes: 93be6ce0e91b ("tcp: set and get per-socket timestamp") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 4 ++-- - net/ipv4/tcp_ipv4.c | 5 +++-- - 2 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 5e4bc80dc0ae5..3edf7a1c5cbd2 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3762,7 +3762,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (!tp->repair) - err = -EPERM; - else -- tp->tsoffset = val - tcp_time_stamp_raw(); -+ WRITE_ONCE(tp->tsoffset, val - tcp_time_stamp_raw()); - break; - case TCP_REPAIR_WINDOW: - err = tcp_repair_set_window(tp, optval, optlen); -@@ -4260,7 +4260,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_TIMESTAMP: -- val = tcp_time_stamp_raw() + tp->tsoffset; -+ val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); - break; - case TCP_NOTSENT_LOWAT: - val = tp->notsent_lowat; -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index d49a66b271d52..9a8d59e9303a0 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -307,8 +307,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - inet->inet_daddr, - inet->inet_sport, - usin->sin_port)); -- tp->tsoffset = secure_tcp_ts_off(net, inet->inet_saddr, -- inet->inet_daddr); -+ WRITE_ONCE(tp->tsoffset, -+ secure_tcp_ts_off(net, inet->inet_saddr, -+ inet->inet_daddr)); - } - - inet->inet_id = get_random_u16(); --- -2.39.2 - diff --git a/queue-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/queue-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch deleted file mode 100644 index 59cc678e6f6..00000000000 --- a/queue-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001 -From: Mohamed Khalfella -Date: Fri, 14 Jul 2023 20:33:41 +0000 -Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list - -From: Mohamed Khalfella - -commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream. - -Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if -they have referenced variables") added a check to fail histogram creation -if save_hist_vars() failed to add histogram to hist_vars list. But the -commit failed to set ret to failed return code before jumping to -unregister histogram, fix it. - -Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com - -Cc: stable@vger.kernel.org -Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables") -Signed-off-by: Mohamed Khalfella -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_hist.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/kernel/trace/trace_events_hist.c -+++ b/kernel/trace/trace_events_hist.c -@@ -6560,7 +6560,8 @@ static int event_hist_trigger_parse(stru - goto out_unreg; - - if (has_hist_vars(hist_data) || hist_data->n_var_refs) { -- if (save_hist_vars(hist_data)) -+ ret = save_hist_vars(hist_data); -+ if (ret) - goto out_unreg; - } - diff --git a/queue-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch b/queue-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch deleted file mode 100644 index c51ebdbd8e4..00000000000 --- a/queue-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 3af33ea1ad72a1fc6ed5074f0ce9e16cc52c818e Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Wed, 21 Jun 2023 11:32:35 +0200 -Subject: [PATCH AUTOSEL 4.19 07/11] udf: Fix uninitialized array access for - some pathnames -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 4.19.288 - -[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] - -For filenames that begin with . and are between 2 and 5 characters long, -UDF charset conversion code would read uninitialized memory in the -output buffer. The only practical impact is that the name may be prepended a -"unification hash" when it is not actually needed but still it is good -to fix this. - -Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin ---- - fs/udf/unicode.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c -index 5fcfa96463ebb..85521d6b02370 100644 ---- a/fs/udf/unicode.c -+++ b/fs/udf/unicode.c -@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct super_block *sb, - } - - if (translate) { -- if (str_o_len <= 2 && str_o[0] == '.' && -+ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' && - (str_o_len == 1 || str_o[1] == '.')) - needsCRC = 1; - if (needsCRC) { --- -2.39.2 - diff --git a/queue-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch b/queue-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch deleted file mode 100644 index 0a2b80985d3..00000000000 --- a/queue-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch +++ /dev/null @@ -1,137 +0,0 @@ -From 1c0a043a5b5d55b841bdb8e72a4e7dbded64e33b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 26 May 2023 12:41:06 +0300 -Subject: wifi: ath11k: add support default regdb while searching board-2.bin - for WCN6855 - -From: Wen Gong - -[ Upstream commit 88ca89202f8e8afb5225eb5244d79cd67c15d744 ] - -Sometimes board-2.bin does not have the regdb data which matched the -parameters such as vendor, device, subsystem-vendor, subsystem-device -and etc. Add default regdb data with 'bus=%s' into board-2.bin for -WCN6855, then ath11k use 'bus=pci' to search regdb data in board-2.bin -for WCN6855. - -kernel: [ 122.515808] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262' -kernel: [ 122.517240] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 -kernel: [ 122.517280] ath11k_pci 0000:03:00.0: failed to fetch regdb data for bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262 from ath11k/WCN6855/hw2.0/board-2.bin -kernel: [ 122.517464] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci' -kernel: [ 122.518901] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 -kernel: [ 122.518915] ath11k_pci 0000:03:00.0: board name -kernel: [ 122.518917] ath11k_pci 0000:03:00.0: 00000000: 62 75 73 3d 70 63 69 bus=pci -kernel: [ 122.518918] ath11k_pci 0000:03:00.0: boot found match regdb data for name 'bus=pci' -kernel: [ 122.518920] ath11k_pci 0000:03:00.0: boot found regdb data for 'bus=pci' -kernel: [ 122.518921] ath11k_pci 0000:03:00.0: fetched regdb - -Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 - -Signed-off-by: Wen Gong -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230517133959.8224-1-quic_wgong@quicinc.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/core.c | 53 +++++++++++++++++++------- - 1 file changed, 40 insertions(+), 13 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c -index b99180bc81723..893fefadbba96 100644 ---- a/drivers/net/wireless/ath/ath11k/core.c -+++ b/drivers/net/wireless/ath/ath11k/core.c -@@ -870,7 +870,8 @@ int ath11k_core_check_dt(struct ath11k_base *ab) - } - - static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, -- size_t name_len, bool with_variant) -+ size_t name_len, bool with_variant, -+ bool bus_type_mode) - { - /* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */ - char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 }; -@@ -881,15 +882,20 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - - switch (ab->id.bdf_search) { - case ATH11K_BDF_SEARCH_BUS_AND_BOARD: -- scnprintf(name, name_len, -- "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", -- ath11k_bus_str(ab->hif.bus), -- ab->id.vendor, ab->id.device, -- ab->id.subsystem_vendor, -- ab->id.subsystem_device, -- ab->qmi.target.chip_id, -- ab->qmi.target.board_id, -- variant); -+ if (bus_type_mode) -+ scnprintf(name, name_len, -+ "bus=%s", -+ ath11k_bus_str(ab->hif.bus)); -+ else -+ scnprintf(name, name_len, -+ "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", -+ ath11k_bus_str(ab->hif.bus), -+ ab->id.vendor, ab->id.device, -+ ab->id.subsystem_vendor, -+ ab->id.subsystem_device, -+ ab->qmi.target.chip_id, -+ ab->qmi.target.board_id, -+ variant); - break; - default: - scnprintf(name, name_len, -@@ -908,13 +914,19 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - static int ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - size_t name_len) - { -- return __ath11k_core_create_board_name(ab, name, name_len, true); -+ return __ath11k_core_create_board_name(ab, name, name_len, true, false); - } - - static int ath11k_core_create_fallback_board_name(struct ath11k_base *ab, char *name, - size_t name_len) - { -- return __ath11k_core_create_board_name(ab, name, name_len, false); -+ return __ath11k_core_create_board_name(ab, name, name_len, false, false); -+} -+ -+static int ath11k_core_create_bus_type_board_name(struct ath11k_base *ab, char *name, -+ size_t name_len) -+{ -+ return __ath11k_core_create_board_name(ab, name, name_len, false, true); - } - - const struct firmware *ath11k_core_firmware_request(struct ath11k_base *ab, -@@ -1218,7 +1230,7 @@ int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd) - - int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd) - { -- char boardname[BOARD_NAME_SIZE]; -+ char boardname[BOARD_NAME_SIZE], default_boardname[BOARD_NAME_SIZE]; - int ret; - - ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE); -@@ -1235,6 +1247,21 @@ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd - if (!ret) - goto exit; - -+ ret = ath11k_core_create_bus_type_board_name(ab, default_boardname, -+ BOARD_NAME_SIZE); -+ if (ret) { -+ ath11k_dbg(ab, ATH11K_DBG_BOOT, -+ "failed to create default board name for regdb: %d", ret); -+ goto exit; -+ } -+ -+ ret = ath11k_core_fetch_board_data_api_n(ab, bd, default_boardname, -+ ATH11K_BD_IE_REGDB, -+ ATH11K_BD_IE_REGDB_NAME, -+ ATH11K_BD_IE_REGDB_DATA); -+ if (!ret) -+ goto exit; -+ - ret = ath11k_core_fetch_board_data_api_1(ab, bd, ATH11K_REGDB_FILE_NAME); - if (ret) - ath11k_dbg(ab, ATH11K_DBG_BOOT, "failed to fetch %s from %s\n", --- -2.39.2 - diff --git a/queue-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch b/queue-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch deleted file mode 100644 index 94851f54743..00000000000 --- a/queue-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d4bcf71d3c456ca0656ec111454eda83581a3d2c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Jun 2023 14:41:28 +0530 -Subject: wifi: ath11k: fix memory leak in WMI firmware stats - -From: P Praneesh - -[ Upstream commit 6aafa1c2d3e3fea2ebe84c018003f2a91722e607 ] - -Memory allocated for firmware pdev, vdev and beacon statistics -are not released during rmmod. - -Fix it by calling ath11k_fw_stats_free() function before hardware -unregister. - -While at it, avoid calling ath11k_fw_stats_free() while processing -the firmware stats received in the WMI event because the local list -is getting spliced and reinitialised and hence there are no elements -in the list after splicing. - -Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 - -Signed-off-by: P Praneesh -Signed-off-by: Aditya Kumar Singh -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230606091128.14202-1-quic_adisi@quicinc.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/mac.c | 1 + - drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++ - 2 files changed, 6 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c -index b19d44b3f5dfb..cb77dd6ce9665 100644 ---- a/drivers/net/wireless/ath/ath11k/mac.c -+++ b/drivers/net/wireless/ath/ath11k/mac.c -@@ -9279,6 +9279,7 @@ void ath11k_mac_destroy(struct ath11k_base *ab) - if (!ar) - continue; - -+ ath11k_fw_stats_free(&ar->fw_stats); - ieee80211_free_hw(ar->hw); - pdev->ar = NULL; - } -diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c -index fad9f8d308a20..3e0a47f4a3ebd 100644 ---- a/drivers/net/wireless/ath/ath11k/wmi.c -+++ b/drivers/net/wireless/ath/ath11k/wmi.c -@@ -7590,6 +7590,11 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk - rcu_read_unlock(); - spin_unlock_bh(&ar->data_lock); - -+ /* Since the stats's pdev, vdev and beacon list are spliced and reinitialised -+ * at this point, no need to free the individual list. -+ */ -+ return; -+ - free: - ath11k_fw_stats_free(&stats); - } --- -2.39.2 - diff --git a/queue-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/queue-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch deleted file mode 100644 index 38a06246e6d..00000000000 --- a/queue-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 885bcbfa0c9659fa068668223c2f45c63640b4c2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 21 Apr 2023 16:54:45 +0200 -Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full - channel range - -From: Maxime Bizon - -[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ] - -Because of what seems to be a typo, a 6Ghz-only phy for which the BDF -does not allow the 7115Mhz channel will fail to register: - - WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 - Modules linked in: ath11k_pci sbsa_gwdt - CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 - Hardware name: Freebox V7R Board (DT) - Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work - pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : wiphy_register+0x914/0x954 - lr : ieee80211_register_hw+0x67c/0xc10 - sp : ffffff800b123aa0 - x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 - x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 - x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 - x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 - x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f - x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd - x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 - x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 - x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 - x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 - Call trace: - wiphy_register+0x914/0x954 - ieee80211_register_hw+0x67c/0xc10 - ath11k_mac_register+0x7c4/0xe10 - ath11k_core_qmi_firmware_ready+0x1f4/0x570 - ath11k_qmi_driver_event_work+0x198/0x590 - process_one_work+0x1b8/0x328 - worker_thread+0x6c/0x414 - kthread+0x100/0x104 - ret_from_fork+0x10/0x20 - ---[ end trace 0000000000000000 ]--- - ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 - ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 - ath11k_pci 0002:01:00.0: failed to create pdev core: -22 - -Signed-off-by: Maxime Bizon -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/mac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c -index ef7617802491e..b19d44b3f5dfb 100644 ---- a/drivers/net/wireless/ath/ath11k/mac.c -+++ b/drivers/net/wireless/ath/ath11k/mac.c -@@ -8715,7 +8715,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar, - } - - if (supported_bands & WMI_HOST_WLAN_5G_CAP) { -- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) { -+ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) { - channels = kmemdup(ath11k_6ghz_channels, - sizeof(ath11k_6ghz_channels), GFP_KERNEL); - if (!channels) { --- -2.39.2 - diff --git a/queue-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch b/queue-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch deleted file mode 100644 index f23938ad5d1..00000000000 --- a/queue-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 1a37162f09f199864048ac62ae05cc6310aef58f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 13:03:59 +0300 -Subject: wifi: iwlwifi: Add support for new PCI Id - -From: Mukesh Sisodiya - -[ Upstream commit 35bd6f1d043d089fcb60450e1287cc65f0095787 ] - -Add support for the PCI Id 51F1 without IMR support. - -Signed-off-by: Mukesh Sisodiya -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230620125813.9800e652e789.Ic06a085832ac3f988c8ef07d856c8e281563295d@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -index f6872b2a0d9d0..d5bd869086458 100644 ---- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -@@ -495,6 +495,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { - {IWL_PCI_DEVICE(0x7AF0, PCI_ANY_ID, iwl_so_trans_cfg)}, - {IWL_PCI_DEVICE(0x51F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_imr_trans_cfg)}, -+ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x54F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x7F70, PCI_ANY_ID, iwl_so_trans_cfg)}, - -@@ -543,6 +544,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { - IWL_DEV_INFO(0x51F0, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_160_name), - IWL_DEV_INFO(0x51F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), - IWL_DEV_INFO(0x51F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), -+ IWL_DEV_INFO(0x51F1, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), - IWL_DEV_INFO(0x54F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), - IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), - IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), --- -2.39.2 - diff --git a/queue-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch deleted file mode 100644 index bbc97894d10..00000000000 --- a/queue-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +++ /dev/null @@ -1,47 +0,0 @@ -From dd01d6d149a5c58b8f2f7d9e9211ce28c8befd64 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 13:04:02 +0300 -Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow - -From: Johannes Berg - -[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] - -Roee reported various hard-to-debug crashes with pings in -EHT aggregation scenarios. Enabling KASAN showed that we -access the BAID allocation out of bounds, and looking at -the code a bit shows that since the reorder buffer entry -(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug -such as lockdep is enabled, then staring from an agg size -512 we overflow the size calculation, and allocate a much -smaller structure than we should, causing slab corruption -once we initialize this. - -Fix this by simply using u32 instead of u16. - -Reported-by: Roee Goldfiner -Signed-off-by: Johannes Berg -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -index 013aca70c3d3b..6b52afcf02721 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -@@ -2738,7 +2738,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, - } - - if (iwl_mvm_has_new_rx_api(mvm) && start) { -- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); -+ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); - - /* sparse doesn't like the __align() so don't check */ - #ifndef __CHECKER__ --- -2.39.2 - diff --git a/queue-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch b/queue-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch deleted file mode 100644 index 5b4e16636a3..00000000000 --- a/queue-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 80c181a4bc2b86eb00ab6e09dcbcdda26aa6fc13 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 13:12:20 +0300 -Subject: wifi: iwlwifi: pcie: add device id 51F1 for killer 1675 - -From: Yi Kuo - -[ Upstream commit f4daceae4087bbb3e9a56044b44601d520d009d2 ] - -Intel Killer AX1675i/s with device id 51f1 would show -"No config found for PCI dev 51f1/1672" in dmesg and refuse to work. -Add the new device id 51F1 for 1675i/s to fix the issue. - -Signed-off-by: Yi Kuo -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230621130444.ee224675380b.I921c905e21e8d041ad808def8f454f27b5ebcd8b@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -index d5bd869086458..4d4db5f6836be 100644 ---- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -@@ -683,6 +683,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { - IWL_DEV_INFO(0x2726, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x51F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), - IWL_DEV_INFO(0x51F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), -+ IWL_DEV_INFO(0x51F1, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), -+ IWL_DEV_INFO(0x51F1, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x54F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), - IWL_DEV_INFO(0x54F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x7A70, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), --- -2.39.2 - diff --git a/queue-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch b/queue-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch deleted file mode 100644 index 3a94dfeda97..00000000000 --- a/queue-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch +++ /dev/null @@ -1,46 +0,0 @@ -From a7163d690f5af8b426d97da0807e07b334cb5bdb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Jun 2023 12:11:27 +0300 -Subject: wifi: mac80211_hwsim: Fix possible NULL dereference - -From: Ilan Peer - -[ Upstream commit 0cc80943ef518a1c51a1111e9346d1daf11dd545 ] - -In a call to mac80211_hwsim_select_tx_link() the sta pointer might -be NULL, thus need to check that it is not NULL before accessing it. - -Signed-off-by: Ilan Peer -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230604120651.f4d889fc98c4.Iae85f527ed245a37637a874bb8b8c83d79812512@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mac80211_hwsim.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c -index 0d81098c7b45c..da5c355405f68 100644 ---- a/drivers/net/wireless/mac80211_hwsim.c -+++ b/drivers/net/wireless/mac80211_hwsim.c -@@ -4,7 +4,7 @@ - * Copyright (c) 2008, Jouni Malinen - * Copyright (c) 2011, Javier Lopez - * Copyright (c) 2016 - 2017 Intel Deutschland GmbH -- * Copyright (C) 2018 - 2022 Intel Corporation -+ * Copyright (C) 2018 - 2023 Intel Corporation - */ - - /* -@@ -1753,7 +1753,7 @@ mac80211_hwsim_select_tx_link(struct mac80211_hwsim_data *data, - - WARN_ON(is_multicast_ether_addr(hdr->addr1)); - -- if (WARN_ON_ONCE(!sta->valid_links)) -+ if (WARN_ON_ONCE(!sta || !sta->valid_links)) - return &vif->bss_conf; - - for (i = 0; i < ARRAY_SIZE(vif->link_conf); i++) { --- -2.39.2 - diff --git a/queue-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch deleted file mode 100644 index 2ed2e2602ab..00000000000 --- a/queue-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 683ebdf526ff6b7d1a58030e79ed32ee6779a0ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 12:04:07 -0600 -Subject: wifi: wext-core: Fix -Wstringop-overflow warning in - ioctl_standard_iw_point() - -From: Gustavo A. R. Silva - -[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] - --Wstringop-overflow is legitimately warning us about extra_size -pontentially being zero at some point, hence potenially ending -up _allocating_ zero bytes of memory for extra pointer and then -trying to access such object in a call to copy_from_user(). - -Fix this by adding a sanity check to ensure we never end up -trying to allocate zero bytes of data for extra pointer, before -continue executing the rest of the code in the function. - -Address the following -Wstringop-overflow warning seen when built -m68k architecture with allyesconfig configuration: - from net/wireless/wext-core.c:11: -In function '_copy_from_user', - inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: -arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] - 48 | #define memset(d, c, n) __builtin_memset(d, c, n) - | ^~~~~~~~~~~~~~~~~~~~~~~~~ -include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' - 153 | memset(to + (n - res), 0, res); - | ^~~~~~ -In function 'kmalloc', - inlined from 'kzalloc' at include/linux/slab.h:694:9, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: -include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' - 577 | return __kmalloc(size, flags); - | ^~~~~~~~~~~~~~~~~~~~~~ - -This help with the ongoing efforts to globally enable --Wstringop-overflow. - -Link: https://github.com/KSPP/linux/issues/315 -Signed-off-by: Gustavo A. R. Silva -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/wext-core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index fe8765c4075d3..8a4b85f96a13a 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -799,6 +799,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, - } - } - -+ /* Sanity-check to ensure we never end up _allocating_ zero -+ * bytes of data for extra. -+ */ -+ if (extra_size <= 0) -+ return -EFAULT; -+ - /* kzalloc() ensures NULL-termination for essid_compat. */ - extra = kzalloc(extra_size, GFP_KERNEL); - if (!extra) --- -2.39.2 - diff --git a/queue-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch b/queue-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch deleted file mode 100644 index c18b81f7fbd..00000000000 --- a/queue-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 47d87f71d00b7091b43a56f608f7151b33e5772e Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Tue, 11 Jul 2023 11:21:00 +0300 -Subject: accel/qaic: Add consistent integer overflow checks - -From: Dan Carpenter - -commit 47d87f71d00b7091b43a56f608f7151b33e5772e upstream. - -The encode_dma() function has integer overflow checks. The -encode_passthrough(), encode_activate() and encode_status() functions -did not. I added integer overflow checking everywhere. I also -updated the integer overflow checking in encode_dma() to use size_add() -so everything is consistent. - -Fixes: 129776ac2e38 ("accel/qaic: Add control path") -Signed-off-by: Dan Carpenter -Reviewed-by: Pranjal Ramajor Asha Kanojiya -Reviewed-by: Jeffrey Hugo -Cc: stable@vger.kernel.org # 6.4.x -[jhugo: tweak if in encode_dma() to match existing style] -Signed-off-by: Jeffrey Hugo -Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto -Signed-off-by: Greg Kroah-Hartman ---- - drivers/accel/qaic/qaic_control.c | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - ---- a/drivers/accel/qaic/qaic_control.c -+++ b/drivers/accel/qaic/qaic_control.c -@@ -367,7 +367,7 @@ static int encode_passthrough(struct qai - if (in_trans->hdr.len % 8 != 0) - return -EINVAL; - -- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_EXT_MSG_LENGTH) -+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_EXT_MSG_LENGTH) - return -ENOSPC; - - trans_wrapper = add_wrapper(wrappers, -@@ -561,11 +561,8 @@ static int encode_dma(struct qaic_device - msg = &wrapper->msg; - msg_hdr_len = le32_to_cpu(msg->hdr.len); - -- if (msg_hdr_len > (UINT_MAX - QAIC_MANAGE_EXT_MSG_LENGTH)) -- return -EINVAL; -- - /* There should be enough space to hold at least one ASP entry. */ -- if (msg_hdr_len + sizeof(*out_trans) + sizeof(struct wire_addr_size_pair) > -+ if (size_add(msg_hdr_len, sizeof(*out_trans) + sizeof(struct wire_addr_size_pair)) > - QAIC_MANAGE_EXT_MSG_LENGTH) - return -ENOMEM; - -@@ -638,7 +635,7 @@ static int encode_activate(struct qaic_d - msg = &wrapper->msg; - msg_hdr_len = le32_to_cpu(msg->hdr.len); - -- if (msg_hdr_len + sizeof(*out_trans) > QAIC_MANAGE_MAX_MSG_LENGTH) -+ if (size_add(msg_hdr_len, sizeof(*out_trans)) > QAIC_MANAGE_MAX_MSG_LENGTH) - return -ENOSPC; - - if (!in_trans->queue_size) -@@ -722,7 +719,7 @@ static int encode_status(struct qaic_dev - msg = &wrapper->msg; - msg_hdr_len = le32_to_cpu(msg->hdr.len); - -- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_MAX_MSG_LENGTH) -+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_MAX_MSG_LENGTH) - return -ENOSPC; - - trans_wrapper = add_wrapper(wrappers, sizeof(*trans_wrapper)); diff --git a/queue-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch b/queue-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch deleted file mode 100644 index 0c67f9f16c0..00000000000 --- a/queue-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Tue, 11 Jul 2023 11:21:13 +0300 -Subject: accel/qaic: Fix a leak in map_user_pages() - -From: Dan Carpenter - -commit 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 upstream. - -If get_user_pages_fast() allocates some pages but not as many as we -wanted, then the current code leaks those pages. Call put_page() on -the pages before returning. - -Fixes: 129776ac2e38 ("accel/qaic: Add control path") -Signed-off-by: Dan Carpenter -Reviewed-by: Pranjal Ramajor Asha Kanojiya -Reviewed-by: Jeffrey Hugo -Reviewed-by: Dafna Hirschfeld -Cc: stable@vger.kernel.org # 6.4.x -Signed-off-by: Jeffrey Hugo -Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto -Signed-off-by: Greg Kroah-Hartman ---- - drivers/accel/qaic/qaic_control.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/drivers/accel/qaic/qaic_control.c -+++ b/drivers/accel/qaic/qaic_control.c -@@ -418,9 +418,12 @@ static int find_and_map_user_pages(struc - } - - ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list); -- if (ret < 0 || ret != nr_pages) { -- ret = -EFAULT; -+ if (ret < 0) - goto free_page_list; -+ if (ret != nr_pages) { -+ nr_pages = ret; -+ ret = -EFAULT; -+ goto put_pages; - } - - sgt = kmalloc(sizeof(*sgt), GFP_KERNEL); diff --git a/queue-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch b/queue-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch deleted file mode 100644 index 430e82f4685..00000000000 --- a/queue-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 51b56382ed2a2b03347372272362b3baa623ed1e Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Tue, 11 Jul 2023 11:20:54 +0300 -Subject: accel/qaic: tighten bounds checking in decode_message() - -From: Dan Carpenter - -commit 51b56382ed2a2b03347372272362b3baa623ed1e upstream. - -Copy the bounds checking from encode_message() to decode_message(). - -This patch addresses the following concerns. Ensure that there is -enough space for at least one header so that we don't have a negative -size later. - - if (msg_hdr_len < sizeof(*trans_hdr)) - -Ensure that we have enough space to read the next header from the -msg->data. - - if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) - return -EINVAL; - -Check that the trans_hdr->len is not below the minimum size: - - if (hdr_len < sizeof(*trans_hdr)) - -This minimum check ensures that we don't corrupt memory in -decode_passthrough() when we do. - - memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr)); - -And finally, use size_add() to prevent an integer overflow: - - if (size_add(msg_len, hdr_len) > msg_hdr_len) - -Fixes: 129776ac2e38 ("accel/qaic: Add control path") -Signed-off-by: Dan Carpenter -Reviewed-by: Pranjal Ramajor Asha Kanojiya -Reviewed-by: Jeffrey Hugo -Cc: stable@vger.kernel.org # 6.4.x -Signed-off-by: Jeffrey Hugo -Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto -Signed-off-by: Greg Kroah-Hartman ---- - drivers/accel/qaic/qaic_control.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/drivers/accel/qaic/qaic_control.c -+++ b/drivers/accel/qaic/qaic_control.c -@@ -959,15 +959,23 @@ static int decode_message(struct qaic_de - int ret; - int i; - -- if (msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) -+ if (msg_hdr_len < sizeof(*trans_hdr) || -+ msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) - return -EINVAL; - - user_msg->len = 0; - user_msg->count = le32_to_cpu(msg->hdr.count); - - for (i = 0; i < user_msg->count; ++i) { -+ u32 hdr_len; -+ -+ if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) -+ return -EINVAL; -+ - trans_hdr = (struct wire_trans_hdr *)(msg->data + msg_len); -- if (msg_len + le32_to_cpu(trans_hdr->len) > msg_hdr_len) -+ hdr_len = le32_to_cpu(trans_hdr->len); -+ if (hdr_len < sizeof(*trans_hdr) || -+ size_add(msg_len, hdr_len) > msg_hdr_len) - return -EINVAL; - - switch (le32_to_cpu(trans_hdr->type)) { diff --git a/queue-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch b/queue-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch deleted file mode 100644 index 5c73af354f4..00000000000 --- a/queue-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch +++ /dev/null @@ -1,88 +0,0 @@ -From ea33cb6fc2788f9fe248d49e1c0b2553a58436ef Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Tue, 11 Jul 2023 11:20:44 +0300 -Subject: accel/qaic: tighten bounds checking in encode_message() - -From: Dan Carpenter - -commit ea33cb6fc2788f9fe248d49e1c0b2553a58436ef upstream. - -There are several issues in this code. The check at the start of the -loop: - - if (user_len >= user_msg->len) { - -This check does not ensure that we have enough space for the trans_hdr -(8 bytes). Instead the check needs to be: - - if (user_len > user_msg->len - sizeof(*trans_hdr)) { - -That subtraction is done as an unsigned long we want to avoid -negatives. Add a lower bound to the start of the function. - - if (user_msg->len < sizeof(*trans_hdr)) - -There is a second integer underflow which can happen if -trans_hdr->len is zero inside the encode_passthrough() function. - - memcpy(out_trans->data, in_trans->data, in_trans->hdr.len - sizeof(in_trans->hdr)); - -Instead of adding a check to encode_passthrough() it's better to check -in this central place. Add that check: - - if (trans_hdr->len < sizeof(trans_hdr) - -The final concern is that the "user_len + trans_hdr->len" might have an -integer overflow bug. Use size_add() to prevent that. - -- if (user_len + trans_hdr->len > user_msg->len) { -+ if (size_add(user_len, trans_hdr->len) > user_msg->len) { - -Fixes: 129776ac2e38 ("accel/qaic: Add control path") -Signed-off-by: Dan Carpenter -Reviewed-by: Pranjal Ramajor Asha Kanojiya -Reviewed-by: Jeffrey Hugo -Cc: stable@vger.kernel.org # 6.4.x -Signed-off-by: Jeffrey Hugo -Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain -Signed-off-by: Greg Kroah-Hartman ---- - drivers/accel/qaic/qaic_control.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - ---- a/drivers/accel/qaic/qaic_control.c -+++ b/drivers/accel/qaic/qaic_control.c -@@ -14,6 +14,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -751,7 +752,8 @@ static int encode_message(struct qaic_de - int ret; - int i; - -- if (!user_msg->count) { -+ if (!user_msg->count || -+ user_msg->len < sizeof(*trans_hdr)) { - ret = -EINVAL; - goto out; - } -@@ -768,12 +770,13 @@ static int encode_message(struct qaic_de - } - - for (i = 0; i < user_msg->count; ++i) { -- if (user_len >= user_msg->len) { -+ if (user_len > user_msg->len - sizeof(*trans_hdr)) { - ret = -EINVAL; - break; - } - trans_hdr = (struct qaic_manage_trans_hdr *)(user_msg->data + user_len); -- if (user_len + trans_hdr->len > user_msg->len) { -+ if (trans_hdr->len < sizeof(trans_hdr) || -+ size_add(user_len, trans_hdr->len) > user_msg->len) { - ret = -EINVAL; - break; - } diff --git a/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch b/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch deleted file mode 100644 index 69ae7db9737..00000000000 --- a/queue-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch +++ /dev/null @@ -1,45 +0,0 @@ -From e1d24d33287f1adda81c70da6e6f8e45fd5a44f6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 29 Apr 2023 12:38:41 +0200 -Subject: ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A - -From: Hans de Goede - -[ Upstream commit 4fd5556608bfa9c2bf276fc115ef04288331aded ] - -The LID0 device on the Nextbook Ares 8A tablet always reports lid -closed causing userspace to suspend the device as soon as booting -is complete. - -Add a DMI quirk to disable the broken lid functionality. - -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/button.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c -index 475e1eddfa3b4..ef77c14c72a92 100644 ---- a/drivers/acpi/button.c -+++ b/drivers/acpi/button.c -@@ -77,6 +77,15 @@ static const struct dmi_system_id dmi_lid_quirks[] = { - }, - .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, - }, -+ { -+ /* Nextbook Ares 8A tablet, _LID device always reports lid closed */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), -+ DMI_MATCH(DMI_BIOS_VERSION, "M882"), -+ }, -+ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, -+ }, - { - /* - * Lenovo Yoga 9 14ITL5, initial notification of the LID device --- -2.39.2 - diff --git a/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch b/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch deleted file mode 100644 index b5aac4c0b74..00000000000 --- a/queue-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 6654fc24fbbfdc2d4d6c7ea35340711638cc5280 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 17:11:51 -0500 -Subject: ACPI: resource: Remove "Zen" specific match and quirks - -From: Mario Limonciello - -[ Upstream commit a9c4a912b7dc7ff922d4b9261160c001558f9755 ] - -commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on -AMD Zen platforms") attempted to overhaul the override logic so it -didn't apply on X86 AMD Zen systems. This was intentional so that -systems would prefer DSDT values instead of default MADT value for -IRQ 1 on Ryzen 6000 systems which typically uses ActiveLow for IRQ1. - -This turned out to be a bad assumption because several vendors -add Interrupt Source Override but don't fix the DSDT. A pile of -quirks was collecting that proved this wasn't sustaintable. - -Furthermore some vendors have used ActiveHigh for IRQ1. -To solve this problem revert the following commits: -* commit 17bb7046e7ce ("ACPI: resource: Do IRQ override on all TongFang -GMxRGxx") -* commit f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") -* commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad") -* commit 7592b79ba4a9 ("ACPI: resource: do IRQ override on XMG Core 15") -* commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen -platforms") - -Reported-by: evilsnoo@proton.me -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217394 -Reported-by: ruinairas1992@gmail.com -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217406 -Reported-by: nmschulte@gmail.com -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217336 -Signed-off-by: Mario Limonciello -Tested-by: Werner Sembach -Tested-by: Chuanhong Guo -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/resource.c | 60 ----------------------------------------- - 1 file changed, 60 deletions(-) - -diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c -index 0800a9d775580..1dd8d5aebf678 100644 ---- a/drivers/acpi/resource.c -+++ b/drivers/acpi/resource.c -@@ -470,52 +470,6 @@ static const struct dmi_system_id asus_laptop[] = { - { } - }; - --static const struct dmi_system_id lenovo_laptop[] = { -- { -- .ident = "LENOVO IdeaPad Flex 5 14ALC7", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -- DMI_MATCH(DMI_PRODUCT_NAME, "82R9"), -- }, -- }, -- { -- .ident = "LENOVO IdeaPad Flex 5 16ALC7", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -- DMI_MATCH(DMI_PRODUCT_NAME, "82RA"), -- }, -- }, -- { } --}; -- --static const struct dmi_system_id tongfang_gm_rg[] = { -- { -- .ident = "TongFang GMxRGxx/XMG CORE 15 (M22)/TUXEDO Stellaris 15 Gen4 AMD", -- .matches = { -- DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), -- }, -- }, -- { } --}; -- --static const struct dmi_system_id maingear_laptop[] = { -- { -- .ident = "MAINGEAR Vector Pro 2 15", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), -- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-15A3070T"), -- } -- }, -- { -- .ident = "MAINGEAR Vector Pro 2 17", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), -- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-17A3070T"), -- }, -- }, -- { } --}; -- - static const struct dmi_system_id lg_laptop[] = { - { - .ident = "LG Electronics 17U70P", -@@ -539,10 +493,6 @@ struct irq_override_cmp { - static const struct irq_override_cmp override_table[] = { - { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, - { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, -- { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, -- { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, -- { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, -- { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, - { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, - }; - -@@ -562,16 +512,6 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, - return entry->override; - } - --#ifdef CONFIG_X86 -- /* -- * IRQ override isn't needed on modern AMD Zen systems and -- * this override breaks active low IRQs on AMD Ryzen 6000 and -- * newer systems. Skip it. -- */ -- if (boot_cpu_has(X86_FEATURE_ZEN)) -- return false; --#endif -- - return true; - } - --- -2.39.2 - diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch deleted file mode 100644 index 07f521f00dc..00000000000 --- a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 8b6923caebc9b56559f29a510d3eff108ca92f30 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 May 2023 11:23:58 +0200 -Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3 - -From: Hans de Goede - -[ Upstream commit 48436f2e9834b46b47b038b605c8142a1c07bc85 ] - -Linux defaults to picking the non-working ACPI video backlight interface -on the Apple iMac11,3 . - -Add a DMI quirk to pick the working native radeon_bl0 interface instead. - -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/video_detect.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c -index bcc25d457581d..61586caebb01b 100644 ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), - }, - }, -+ { -+ .callback = video_detect_force_native, -+ /* Apple iMac11,3 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"), -+ }, -+ }, - { - /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */ - .callback = video_detect_force_native, --- -2.39.2 - diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch deleted file mode 100644 index 9a6b9740eb4..00000000000 --- a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 1a7dbae44c18d67dbeb0322fe85f0807b54971c4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 20:45:04 +0200 -Subject: ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569 - -From: Hans de Goede - -[ Upstream commit 23d28cc0444be3f694eb986cd653b6888b78431d ] - -The Dell Studio 1569 predates Windows 8, so it defaults to using -acpi_video# for backlight control, but this is non functional on -this model. - -Add a DMI quirk to use the native intel_backlight interface which -does work properly. - -Reported-by: raycekarneal -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/video_detect.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c -index b87783c5872dd..e7d04ab864a16 100644 ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -528,6 +528,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"), - }, - }, -+ { -+ .callback = video_detect_force_native, -+ /* Dell Studio 1569 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Studio 1569"), -+ }, -+ }, - { - .callback = video_detect_force_native, - /* Acer Aspire 3830TG */ --- -2.39.2 - diff --git a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch deleted file mode 100644 index b0083e9d84b..00000000000 --- a/queue-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b98db95eaf63bbc74bbfc6f5b4fb9e491f4beeba Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 May 2023 11:23:59 +0200 -Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e - (3371 AMD version) - -From: Hans de Goede - -[ Upstream commit bd5d93df86a7ddf98a2a37e9c3751e3cb334a66c ] - -Linux defaults to picking the non-working ACPI video backlight interface -on the Lenovo ThinkPad X131e (3371 AMD version). - -Add a DMI quirk to pick the working native radeon_bl0 interface instead. - -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/video_detect.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c -index 61586caebb01b..b87783c5872dd 100644 ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), - }, - }, -+ { -+ .callback = video_detect_force_native, -+ /* Lenovo ThinkPad X131e (3371 AMD version) */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "3371"), -+ }, -+ }, - { - .callback = video_detect_force_native, - /* Apple iMac11,3 */ --- -2.39.2 - diff --git a/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch b/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch deleted file mode 100644 index 970e0160842..00000000000 --- a/queue-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch +++ /dev/null @@ -1,79 +0,0 @@ -From d9933c3669189d43374498be603032780fa8f7ae Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 29 Apr 2023 18:34:58 +0200 -Subject: ACPI: x86: Add ACPI_QUIRK_UART1_SKIP for Lenovo Yoga Book yb1-x90f/l - -From: Hans de Goede - -[ Upstream commit f91280f35895d6dcb53f504968fafd1da0b00397 ] - -The Lenovo Yoga Book yb1-x90f/l 2-in-1 which ships with Android as -Factory OS has (another) bug in its DSDT where the UART resource for -the BTH0 ACPI device contains "\\_SB.PCIO.URT1" as path to the UART. - -Note that is with a letter 'O' instead of the number '0' which is wrong. - -This causes Linux to instantiate a standard /dev/ttyS? device for -the UART instead of a /sys/bus/serial device, which in turn causes -bluetooth to not work. - -Similar DSDT bugs have been encountered before and to work around those -the acpi_quirk_skip_serdev_enumeration() helper exists. - -Previous devices had the broken resource pointing to the first UART, while -the BT HCI was on the second UART, which ACPI_QUIRK_UART1_TTY_UART2_SKIP -deals with. Add a new ACPI_QUIRK_UART1_SKIP quirk for skipping enumeration -of UART1 instead for the Yoga Book case and add this quirk to the -existing DMI quirk table entry for the yb1-x90f/l . - -This leaves the UART1 controller unbound allowing the x86-android-tablets -module to manually instantiate a serdev for it fixing bluetooth. - -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/x86/utils.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c -index 4cfee2da06756..c2b925f8cd4e4 100644 ---- a/drivers/acpi/x86/utils.c -+++ b/drivers/acpi/x86/utils.c -@@ -259,10 +259,11 @@ bool force_storage_d3(void) - * drivers/platform/x86/x86-android-tablets.c kernel module. - */ - #define ACPI_QUIRK_SKIP_I2C_CLIENTS BIT(0) --#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(1) --#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(2) --#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(3) --#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(4) -+#define ACPI_QUIRK_UART1_SKIP BIT(1) -+#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(2) -+#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(3) -+#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(4) -+#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(5) - - static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { - /* -@@ -319,6 +320,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { - DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), - }, - .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | -+ ACPI_QUIRK_UART1_SKIP | - ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | - ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), - }, -@@ -449,6 +451,9 @@ int acpi_quirk_skip_serdev_enumeration(struct device *controller_parent, bool *s - if (dmi_id) - quirks = (unsigned long)dmi_id->driver_data; - -+ if ((quirks & ACPI_QUIRK_UART1_SKIP) && uid == 1) -+ *skip = true; -+ - if (quirks & ACPI_QUIRK_UART1_TTY_UART2_SKIP) { - if (uid == 1) - return -ENODEV; /* Create tty cdev instead of serdev */ --- -2.39.2 - diff --git a/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch b/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch deleted file mode 100644 index d6ae42af596..00000000000 --- a/queue-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 062a6ebd2cfb57009d32e38904579308537f3b03 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 29 Apr 2023 12:38:40 +0200 -Subject: ACPI: x86: Add skip i2c clients quirk for Nextbook Ares 8A - -From: Hans de Goede - -[ Upstream commit 69d6b37695c1f2320cfa330e1e1636d50dd5040a ] - -The Nextbook Ares 8A is a x86 ACPI tablet which ships with Android x86 -as factory OS. Its DSDT contains a bunch of I2C devices which are not -actually there (the Android x86 kernel fork ignores I2C devices described -in the DSDT). - -On this specific model this just not cause resource conflicts, one of -the probe() calls for the non existing i2c_clients actually ends up -toggling a GPIO or executing a _PS3 after a failed probe which turns -the tablet off. - -Add a ACPI_QUIRK_SKIP_I2C_CLIENTS for the Nextbook Ares 8 to the -acpi_quirk_skip_dmi_ids table to avoid the bogus i2c_clients and -to fix the tablet turning off during boot because of this. - -Also add the "10EC5651" HID for the RealTek ALC5651 codec used -in this tablet to the list of HIDs for which not to skipi2c_client -instantiation, since the Intel SST sound driver relies on -the codec being instantiated through ACPI. - -Signed-off-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/x86/utils.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c -index 9c2d6f35f88a0..4cfee2da06756 100644 ---- a/drivers/acpi/x86/utils.c -+++ b/drivers/acpi/x86/utils.c -@@ -365,7 +365,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { - ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), - }, - { -- /* Nextbook Ares 8 */ -+ /* Nextbook Ares 8 (BYT version)*/ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), - DMI_MATCH(DMI_PRODUCT_NAME, "M890BAP"), -@@ -374,6 +374,16 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { - ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | - ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), - }, -+ { -+ /* Nextbook Ares 8A (CHT version)*/ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), -+ DMI_MATCH(DMI_BIOS_VERSION, "M882"), -+ }, -+ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | -+ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), -+ }, - { - /* Whitelabel (sold as various brands) TM800A550L */ - .matches = { -@@ -392,6 +402,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { - #if IS_ENABLED(CONFIG_X86_ANDROID_TABLETS) - static const struct acpi_device_id i2c_acpi_known_good_ids[] = { - { "10EC5640", 0 }, /* RealTek ALC5640 audio codec */ -+ { "10EC5651", 0 }, /* RealTek ALC5651 audio codec */ - { "INT33F4", 0 }, /* X-Powers AXP288 PMIC */ - { "INT33FD", 0 }, /* Intel Crystal Cove PMIC */ - { "INT34D3", 0 }, /* Intel Whiskey Cove PMIC */ --- -2.39.2 - diff --git a/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch deleted file mode 100644 index 2de6a82aaab..00000000000 --- a/queue-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 46f526e1c50701c973165f628afa55ea934c6c78 Mon Sep 17 00:00:00 2001 -From: Oswald Buddenhagen -Date: Wed, 10 May 2023 19:39:05 +0200 -Subject: [PATCH AUTOSEL 5.4 02/12] ALSA: emu10k1: roll up loops in DSP setup - code for Audigy -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] - -There is no apparent reason for the massive code duplication. - -Signed-off-by: Oswald Buddenhagen -Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/emu10k1/emufx.c | 112 +++------------------------------------------- - 1 file changed, 9 insertions(+), 103 deletions(-) - ---- a/sound/pci/emu10k1/emufx.c -+++ b/sound/pci/emu10k1/emufx.c -@@ -1559,14 +1559,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G - gpr += 2; - - /* Master volume (will be renamed later) */ -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); -- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); -+ for (z = 0; z < 8; z++) -+ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); - snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); - gpr += 2; - -@@ -1653,102 +1647,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G - dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", - gpr, tmp); - */ -- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ -- /* A_P16VIN(0) is delayed by one sample, -- * so all other A_P16VIN channels will need to also be delayed -- */ -- /* Left ADC in. 1 of 2 */ - snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); -- /* Right ADC in 1 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- /* Delaying by one sample: instead of copying the input -- * value A_P16VIN to output A_FXBUS2 as in the first channel, -- * we use an auxiliary register, delaying the value by one -- * sample -- */ -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); -- /* For 96kHz mode */ -- /* Left ADC in. 2 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); -- /* Right ADC in 2 of 2 */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); -- /* Pavel Hofman - we still have voices, A_FXBUS2s, and -- * A_P16VINs available - -- * let's add 8 more capture channels - total of 16 -- */ -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x10)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x12)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x14)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x16)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x18)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1a)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1c)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), -- A_C_00000000, A_C_00000000); -- gpr_map[gpr++] = 0x00000000; -- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, -- bit_shifter16, -- A_GPR(gpr - 1), -- A_FXBUS2(0x1e)); -- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), -- A_C_00000000, A_C_00000000); -+ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels -+ * will need to also be delayed; we use an auxiliary register for that. */ -+ for (z = 1; z < 0x10; z++) { -+ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); -+ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); -+ gpr_map[gpr++] = 0x00000000; -+ } - } - - #if 0 diff --git a/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch b/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch deleted file mode 100644 index 0eeb168cc86..00000000000 --- a/queue-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch +++ /dev/null @@ -1,32 +0,0 @@ -From c250ef8954eda2024c8861c36e9fc1b589481fe7 Mon Sep 17 00:00:00 2001 -From: Christoffer Sandberg -Date: Tue, 18 Jul 2023 16:57:22 +0200 -Subject: ALSA: hda/realtek: Add quirk for Clevo NS70AU - -From: Christoffer Sandberg - -commit c250ef8954eda2024c8861c36e9fc1b589481fe7 upstream. - -Fixes headset detection on Clevo NS70AU. - -Co-developed-by: Werner Sembach -Signed-off-by: Werner Sembach -Signed-off-by: Christoffer Sandberg -Cc: -Link: https://lore.kernel.org/r/20230718145722.10592-1-wse@tuxedocomputers.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -9647,6 +9647,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -+ SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch b/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch deleted file mode 100644 index cb6bbf38727..00000000000 --- a/queue-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 3596f6ed73f677798fb279436169502cb7306491 Mon Sep 17 00:00:00 2001 -From: Matthew Anderson -Date: Wed, 21 Jun 2023 11:17:14 -0500 -Subject: [PATCH AUTOSEL 5.4 08/12] ALSA: hda/realtek: Add quirks for ROG ALLY - CS35l41 audio -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 724418b84e6248cd27599607b7e5fac365b8e3f5 ] - -This requires a patched ACPI table or a firmware from ASUS to work because -the system does not come with the _DSD field for the CSC3551. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217550 -Signed-off-by: Matthew Anderson -Tested-by: Philip Mueller -Link: https://lore.kernel.org/r/20230621161714.9442-1-ruinairas1992@gmail.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 46 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 46 insertions(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -7136,6 +7136,10 @@ enum { - ALC294_FIXUP_ASUS_DUAL_SPK, - ALC285_FIXUP_THINKPAD_X1_GEN7, - ALC285_FIXUP_THINKPAD_HEADSET_JACK, -+ ALC294_FIXUP_ASUS_ALLY, -+ ALC294_FIXUP_ASUS_ALLY_PINS, -+ ALC294_FIXUP_ASUS_ALLY_VERBS, -+ ALC294_FIXUP_ASUS_ALLY_SPEAKER, - ALC294_FIXUP_ASUS_HPE, - ALC294_FIXUP_ASUS_COEF_1B, - ALC294_FIXUP_ASUS_GX502_HP, -@@ -8449,6 +8453,47 @@ static const struct hda_fixup alc269_fix - .chained = true, - .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 - }, -+ [ALC294_FIXUP_ASUS_ALLY] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = cs35l41_fixup_i2c_two, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_ASUS_ALLY_PINS -+ }, -+ [ALC294_FIXUP_ASUS_ALLY_PINS] = { -+ .type = HDA_FIXUP_PINS, -+ .v.pins = (const struct hda_pintbl[]) { -+ { 0x19, 0x03a11050 }, -+ { 0x1a, 0x03a11c30 }, -+ { 0x21, 0x03211420 }, -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_ASUS_ALLY_VERBS -+ }, -+ [ALC294_FIXUP_ASUS_ALLY_VERBS] = { -+ .type = HDA_FIXUP_VERBS, -+ .v.verbs = (const struct hda_verb[]) { -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 }, -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x46 }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x0004 }, -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x47 }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0xa47a }, -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x49 }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x0049}, -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x4a }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x201b }, -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x6b }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x4278}, -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_ASUS_ALLY_SPEAKER -+ }, -+ [ALC294_FIXUP_ASUS_ALLY_SPEAKER] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc285_fixup_speaker2_to_dac1, -+ }, - [ALC285_FIXUP_THINKPAD_X1_GEN7] = { - .type = HDA_FIXUP_FUNC, - .v.func = alc285_fixup_thinkpad_x1_gen7, -@@ -9557,6 +9602,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x1043, 0x1740, "ASUS UX430UA", ALC295_FIXUP_ASUS_DACS), - SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), -+ SND_PCI_QUIRK(0x1043, 0x17f3, "ROG Ally RC71L_RC71L", ALC294_FIXUP_ASUS_ALLY), - SND_PCI_QUIRK(0x1043, 0x1881, "ASUS Zephyrus S/M", ALC294_FIXUP_ASUS_GX502_PINS), - SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), - SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), diff --git a/queue-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/queue-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch deleted file mode 100644 index d6ee0323806..00000000000 --- a/queue-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 -From: Luka Guzenko -Date: Tue, 18 Jul 2023 18:12:41 +0200 -Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx - -From: Luka Guzenko - -commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. - -The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using -COEF 0x07 index 1. No existing quirk covers this configuration. -Adds a new quirk and enables it for the device. - -Signed-off-by: Luka Guzenko -Cc: -Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4624,6 +4624,21 @@ static void alc236_fixup_hp_mute_led_coe - } - } - -+static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, -+ const struct hda_fixup *fix, int action) -+{ -+ struct alc_spec *spec = codec->spec; -+ -+ if (action == HDA_FIXUP_ACT_PRE_PROBE) { -+ spec->mute_led_polarity = 0; -+ spec->mute_led_coef.idx = 0x07; -+ spec->mute_led_coef.mask = 1; -+ spec->mute_led_coef.on = 1; -+ spec->mute_led_coef.off = 0; -+ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); -+ } -+} -+ - /* turn on/off mic-mute LED per capture hook by coef bit */ - static int coef_micmute_led_set(struct led_classdev *led_cdev, - enum led_brightness brightness) -@@ -7134,6 +7149,7 @@ enum { - ALC285_FIXUP_HP_GPIO_LED, - ALC285_FIXUP_HP_MUTE_LED, - ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, -+ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, - ALC236_FIXUP_HP_GPIO_LED, - ALC236_FIXUP_HP_MUTE_LED, - ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, -@@ -8557,6 +8573,10 @@ static const struct hda_fixup alc269_fix - .type = HDA_FIXUP_FUNC, - .v.func = alc285_fixup_hp_spectre_x360_mute_led, - }, -+ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc236_fixup_hp_mute_led_coefbit2, -+ }, - [ALC236_FIXUP_HP_GPIO_LED] = { - .type = HDA_FIXUP_FUNC, - .v.func = alc236_fixup_hp_gpio_led, -@@ -9441,6 +9461,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), -+ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), - SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), - SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), - SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch b/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch deleted file mode 100644 index 3a3d716a368..00000000000 --- a/queue-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch +++ /dev/null @@ -1,77 +0,0 @@ -From e259b1a010e4ccaf284d9f7ae2bb75d19a1c05e6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 09:20:21 +0100 -Subject: ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp - -From: Vitaly Rodionov - -[ Upstream commit f7b069cf08816252f494d193b9ecdff172bf9aa1 ] - -Generic fixup for CS35L41 amplifies should not have vendor specific -chained fixup. For ThinkPad laptops with led issue, we can just add -specific fixup. - -Fixes: a6ac60b36dade (ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec) -Signed-off-by: Vitaly Rodionov -Link: https://lore.kernel.org/r/20230720082022.13033-1-vitalyr@opensource.cirrus.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 25 +++++++++++++++---------- - 1 file changed, 15 insertions(+), 10 deletions(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -7224,6 +7224,7 @@ enum { - ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, - ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS, - ALC236_FIXUP_DELL_DUAL_CODECS, -+ ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, - }; - - /* A special fixup for Lenovo C940 and Yoga Duet 7; -@@ -9135,8 +9136,6 @@ static const struct hda_fixup alc269_fix - [ALC287_FIXUP_CS35L41_I2C_2] = { - .type = HDA_FIXUP_FUNC, - .v.func = cs35l41_fixup_i2c_two, -- .chained = true, -- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, - }, - [ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED] = { - .type = HDA_FIXUP_FUNC, -@@ -9273,6 +9272,12 @@ static const struct hda_fixup alc269_fix - .chained = true, - .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, - }, -+ [ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = cs35l41_fixup_i2c_two, -+ .chained = true, -+ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -9798,14 +9803,14 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), - SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), - SND_PCI_QUIRK(0x17aa, 0x22c2, "Thinkpad X1 Extreme Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), -- SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -- SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), -+ SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), -+ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), - SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), diff --git a/queue-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/queue-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch deleted file mode 100644 index 3eb0d006519..00000000000 --- a/queue-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 -From: Kailang Yang -Date: Thu, 13 Jul 2023 15:57:13 +0800 -Subject: ALSA: hda/realtek - remove 3k pull low procedure - -From: Kailang Yang - -commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. - -This was the ALC283 depop procedure. -Maybe this procedure wasn't suitable with new codec. -So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it -reboot with plugged headset, -it will have errors show don't find codec error messages. Run 3k pull -low will solve issues. -So, let AMD chipset will run this for workarround. - -Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") -Signed-off-by: Kailang Yang -Cc: -Reported-by: Joseph C. Sible -Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ -Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -122,6 +122,7 @@ struct alc_spec { - unsigned int ultra_low_power:1; - unsigned int has_hs_key:1; - unsigned int no_internal_mic_pin:1; -+ unsigned int en_3kpull_low:1; - - /* for PLL fix */ - hda_nid_t pll_nid; -@@ -3622,6 +3623,7 @@ static void alc256_shutup(struct hda_cod - if (!hp_pin) - hp_pin = 0x21; - -+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ - hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); - - if (hp_pin_sense) -@@ -3638,8 +3640,7 @@ static void alc256_shutup(struct hda_cod - /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly - * when booting with headset plugged. So skip setting it for the codec alc257 - */ -- if (codec->core.vendor_id != 0x10ec0236 && -- codec->core.vendor_id != 0x10ec0257) -+ if (spec->en_3kpull_low) - alc_update_coef_idx(codec, 0x46, 0, 3 << 12); - - if (!spec->no_shutup_pins) -@@ -10601,6 +10602,8 @@ static int patch_alc269(struct hda_codec - spec->shutup = alc256_shutup; - spec->init_hook = alc256_init; - spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ -+ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) -+ spec->en_3kpull_low = true; - break; - case 0x10ec0257: - spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch b/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch deleted file mode 100644 index 7a19b485c5d..00000000000 --- a/queue-6.4/arm64-fix-hfgxtr_el2-field-naming.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 667906b10bb674bbc572a57580f37bf28ae76808 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jul 2023 14:04:16 +0100 -Subject: arm64: Fix HFGxTR_EL2 field naming - -From: Marc Zyngier - -[ Upstream commit 55b87b74996383230586f4f9f801ae304c70e649 ] - -The HFGxTR_EL2 fields do not always follow the naming described -in the spec, nor do they match the name of the register they trap -in the rest of the kernel. - -It is a bit sad that they were written by hand despite the availability -of a machine readable version... - -Fixes: cc077e7facbe ("arm64/sysreg: Convert HFG[RW]TR_EL2 to automatic generation") -Signed-off-by: Marc Zyngier -Cc: Mark Brown -Cc: Will Deacon -Cc: Catalin Marinas -Cc: Mark Rutland -Reviewed-by: Mark Brown -Link: https://lore.kernel.org/r/20230703130416.1495307-1-maz@kernel.org -Signed-off-by: Will Deacon -Signed-off-by: Sasha Levin ---- - arch/arm64/tools/sysreg | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg -index c9a0d1fa32090..930c8cc0812fc 100644 ---- a/arch/arm64/tools/sysreg -+++ b/arch/arm64/tools/sysreg -@@ -1890,7 +1890,7 @@ Field 0 SM - EndSysreg - - SysregFields HFGxTR_EL2 --Field 63 nAMIAIR2_EL1 -+Field 63 nAMAIR2_EL1 - Field 62 nMAIR2_EL1 - Field 61 nS2POR_EL1 - Field 60 nPOR_EL1 -@@ -1905,9 +1905,9 @@ Field 52 nGCS_EL0 - Res0 51 - Field 50 nACCDATA_EL1 - Field 49 ERXADDR_EL1 --Field 48 EXRPFGCDN_EL1 --Field 47 EXPFGCTL_EL1 --Field 46 EXPFGF_EL1 -+Field 48 ERXPFGCDN_EL1 -+Field 47 ERXPFGCTL_EL1 -+Field 46 ERXPFGF_EL1 - Field 45 ERXMISCn_EL1 - Field 44 ERXSTATUS_EL1 - Field 43 ERXCTLR_EL1 -@@ -1922,8 +1922,8 @@ Field 35 TPIDR_EL0 - Field 34 TPIDRRO_EL0 - Field 33 TPIDR_EL1 - Field 32 TCR_EL1 --Field 31 SCTXNUM_EL0 --Field 30 SCTXNUM_EL1 -+Field 31 SCXTNUM_EL0 -+Field 30 SCXTNUM_EL1 - Field 29 SCTLR_EL1 - Field 28 REVIDR_EL1 - Field 27 PAR_EL1 --- -2.39.2 - diff --git a/queue-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch b/queue-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch deleted file mode 100644 index 0287ad8628b..00000000000 --- a/queue-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d4d5be94a87872421ea2569044092535aff0b886 Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Thu, 20 Jul 2023 19:38:58 +0100 -Subject: arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes - -From: Mark Brown - -commit d4d5be94a87872421ea2569044092535aff0b886 upstream. - -When we reconfigure the SVE vector length we discard the backing storage -for the SVE vectors and then reallocate on next SVE use, leaving the SME -specific state alone. This means that we do not enable SME traps if they -were already disabled. That means that userspace code can enter streaming -mode without trapping, putting the task in a state where if we try to save -the state of the task we will fault. - -Since the ABI does not specify that changing the SVE vector length disturbs -SME state, and since SVE code may not be aware of SME code in the process, -we shouldn't simply discard any ZA state. Instead immediately reallocate -the storage for SVE, and disable SME if we change the SVE vector length -while there is no SME state active. - -Disabling SME traps on SVE vector length changes would make the overall -code more complex since we would have a state where we have valid SME state -stored but might get a SME trap. - -Fixes: 9e4ab6c89109 ("arm64/sme: Implement vector length configuration prctl()s") -Reported-by: David Spickett -Signed-off-by: Mark Brown -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.org -Signed-off-by: Will Deacon -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kernel/fpsimd.c | 33 +++++++++++++++++++++++++-------- - 1 file changed, 25 insertions(+), 8 deletions(-) - ---- a/arch/arm64/kernel/fpsimd.c -+++ b/arch/arm64/kernel/fpsimd.c -@@ -847,6 +847,8 @@ void sve_sync_from_fpsimd_zeropad(struct - int vec_set_vector_length(struct task_struct *task, enum vec_type type, - unsigned long vl, unsigned long flags) - { -+ bool free_sme = false; -+ - if (flags & ~(unsigned long)(PR_SVE_VL_INHERIT | - PR_SVE_SET_VL_ONEXEC)) - return -EINVAL; -@@ -897,21 +899,36 @@ int vec_set_vector_length(struct task_st - task->thread.fp_type = FP_STATE_FPSIMD; - } - -- if (system_supports_sme() && type == ARM64_VEC_SME) { -- task->thread.svcr &= ~(SVCR_SM_MASK | -- SVCR_ZA_MASK); -- clear_thread_flag(TIF_SME); -+ if (system_supports_sme()) { -+ if (type == ARM64_VEC_SME || -+ !(task->thread.svcr & (SVCR_SM_MASK | SVCR_ZA_MASK))) { -+ /* -+ * We are changing the SME VL or weren't using -+ * SME anyway, discard the state and force a -+ * reallocation. -+ */ -+ task->thread.svcr &= ~(SVCR_SM_MASK | -+ SVCR_ZA_MASK); -+ clear_thread_flag(TIF_SME); -+ free_sme = true; -+ } - } - - if (task == current) - put_cpu_fpsimd_context(); - - /* -- * Force reallocation of task SVE and SME state to the correct -- * size on next use: -+ * Free the changed states if they are not in use, SME will be -+ * reallocated to the correct size on next use and we just -+ * allocate SVE now in case it is needed for use in streaming -+ * mode. - */ -- sve_free(task); -- if (system_supports_sme() && type == ARM64_VEC_SME) -+ if (system_supports_sve()) { -+ sve_free(task); -+ sve_alloc(task, true); -+ } -+ -+ if (free_sme) - sme_free(task); - - task_set_vl(task, type, vl); diff --git a/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch b/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch deleted file mode 100644 index 16f8dba9c8c..00000000000 --- a/queue-6.4/arm64-mm-fix-va-range-sanity-check.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 0cd9b6e992630a33f8c353758f2c3ff22b1c97cd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 11:26:28 +0100 -Subject: arm64: mm: fix VA-range sanity check - -From: Mark Rutland - -[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ] - -Both create_mapping_noalloc() and update_mapping_prot() sanity-check -their 'virt' parameter, but the check itself doesn't make much sense. -The condition used today appears to be a historical accident. - -The sanity-check condition: - - if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { - [ ... warning here ... ] - return; - } - -... can only be true for the KASAN shadow region or the module region, -and there's no reason to exclude these specifically for creating and -updateing mappings. - -When arm64 support was first upstreamed in commit: - - c1cc1552616d0f35 ("arm64: MMU initialisation") - -... the condition was: - - if (virt < VMALLOC_START) { - [ ... warning here ... ] - return; - } - -At the time, VMALLOC_START was the lowest kernel address, and this was -checking whether 'virt' would be translated via TTBR1. - -Subsequently in commit: - - 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") - -... the condition was changed to: - - if ((virt >= VA_START) && (virt < VMALLOC_START)) { - [ ... warning here ... ] - return; - } - -This appear to have been a thinko. The commit moved the linear map to -the bottom of the kernel address space, with VMALLOC_START being at the -halfway point. The old condition would warn for changes to the linear -map below this, and at the time VA_START was the end of the linear map. - -Subsequently we cleaned up the naming of VA_START in commit: - - 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") - -... keeping the erroneous condition as: - - if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { - [ ... warning here ... ] - return; - } - -Correct the condition to check against the start of the TTBR1 address -space, which is currently PAGE_OFFSET. This simplifies the logic, and -more clearly matches the "outside kernel range" message in the warning. - -Signed-off-by: Mark Rutland -Cc: Russell King -Cc: Steve Capper -Cc: Will Deacon -Reviewed-by: Russell King (Oracle) -Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com -Signed-off-by: Catalin Marinas -Signed-off-by: Sasha Levin ---- - arch/arm64/mm/mmu.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c -index af6bc8403ee46..72b3c21820b96 100644 ---- a/arch/arm64/mm/mmu.c -+++ b/arch/arm64/mm/mmu.c -@@ -451,7 +451,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift) - void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt, - phys_addr_t size, pgprot_t prot) - { -- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { -+ if (virt < PAGE_OFFSET) { - pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n", - &phys, virt); - return; -@@ -478,7 +478,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, - static void update_mapping_prot(phys_addr_t phys, unsigned long virt, - phys_addr_t size, pgprot_t prot) - { -- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { -+ if (virt < PAGE_OFFSET) { - pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n", - &phys, virt); - return; --- -2.39.2 - diff --git a/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch b/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch deleted file mode 100644 index 759d221f4c0..00000000000 --- a/queue-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch +++ /dev/null @@ -1,166 +0,0 @@ -From 9df981ec0bf465d0a6cb8bc5909b0f4cb31b2887 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 24 Apr 2023 10:04:36 +0900 -Subject: arm64: set __exception_irq_entry with __irq_entry as a default - -From: Youngmin Nam - -[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ] - -filter_irq_stacks() is supposed to cut entries which are related irq entries -from its call stack. -And in_irqentry_text() which is called by filter_irq_stacks() -uses __irqentry_text_start/end symbol to find irq entries in callstack. - -But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", -arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq -between __irqentry_text_start and __irqentry_text_end as we discussed in below link. -https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t - -This problem can makes unintentional deep call stack entries especially -in KASAN enabled situation as below. - -[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity -[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c -[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) -[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c -[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c -[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 -[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 -[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd -[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 -[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 -[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 -[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 -[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 -[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 -[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c -[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 -[ 2479.386231]I[0:launcher-loader: 1719] Call trace: -[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c -[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 -[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 -[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 -[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 -[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 -[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c -[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 -[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 -[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 -[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 -[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c -[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 -[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 -[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c -[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 -[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 -[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 -[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c -[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 -[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 -[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 -[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158 -[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c -[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0 -[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20 -[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c -[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150 -[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c -[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348 -[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74 -[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0 -[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240 -[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0 -[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28 -[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158 -[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54 -[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0 -[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68 -[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24 -[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c -[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170 -[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98 -[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40 -[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138 -[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0 -[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804 -[ 2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180 -[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4 -[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c -[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c -[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac -[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288 -[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c -[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364 -[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8 -[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8 -[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24 -[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c -[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c -[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0 -[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54 -[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158 -[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134 -[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114 -[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80 -[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114 -[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194 -[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ... - -So let's set __exception_irq_entry with __irq_entry as a default. -Applying this patch, we can see gic_hande_irq is included in Systemp.map as below. - -* Before -ffffffc008010000 T __do_softirq -ffffffc008010000 T __irqentry_text_end -ffffffc008010000 T __irqentry_text_start -ffffffc008010000 T __softirqentry_text_start -ffffffc008010000 T _stext -ffffffc00801066c T __softirqentry_text_end -ffffffc008010670 T __entry_text_start - -* After -ffffffc008010000 T __irqentry_text_start -ffffffc008010000 T _stext -ffffffc008010000 t gic_handle_irq -ffffffc00801013c t gic_handle_irq -ffffffc008010294 T __irqentry_text_end -ffffffc008010298 T __do_softirq -ffffffc008010298 T __softirqentry_text_start -ffffffc008010904 T __softirqentry_text_end -ffffffc008010908 T __entry_text_start - -Signed-off-by: Youngmin Nam -Signed-off-by: SEO HOYOUNG -Reviewed-by: Mark Rutland -Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com -Signed-off-by: Catalin Marinas -Signed-off-by: Sasha Levin ---- - arch/arm64/include/asm/exception.h | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h -index e73af709cb7ad..88d8dfeed0db6 100644 ---- a/arch/arm64/include/asm/exception.h -+++ b/arch/arm64/include/asm/exception.h -@@ -8,16 +8,11 @@ - #define __ASM_EXCEPTION_H - - #include --#include - #include - - #include - --#ifdef CONFIG_FUNCTION_GRAPH_TRACER - #define __exception_irq_entry __irq_entry --#else --#define __exception_irq_entry __kprobes --#endif - - static inline unsigned long disr_to_esr(u64 disr) - { --- -2.39.2 - diff --git a/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch b/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch deleted file mode 100644 index 6befb371d5b..00000000000 --- a/queue-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch +++ /dev/null @@ -1,63 +0,0 @@ -From edd80e3e2cea3bed041663831aa8125704b574db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Jun 2023 16:23:54 +0530 -Subject: ASoC: amd: acp: fix for invalid dai id handling in - acp_get_byte_count() - -From: Vijendar Mukunda - -[ Upstream commit 85aeab362201cf52c34cd429e4f6c75a0b42f9a3 ] - -For invalid dai id, instead of returning -EINVAL -return bytes count as zero in acp_get_byte_count() function. - -Fixes: 623621a9f9e1 ("ASoC: amd: Add common framework to support I2S on ACP SOC") - -Signed-off-by: Vijendar Mukunda -Link: https://lore.kernel.org/r/20230626105356.2580125-6-Vijendar.Mukunda@amd.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/amd/acp/amd.h | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h -index 5f2119f422715..12a176a50fd6e 100644 ---- a/sound/soc/amd/acp/amd.h -+++ b/sound/soc/amd/acp/amd.h -@@ -173,7 +173,7 @@ int snd_amd_acp_find_config(struct pci_dev *pci); - - static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int direction) - { -- u64 byte_count, low = 0, high = 0; -+ u64 byte_count = 0, low = 0, high = 0; - - if (direction == SNDRV_PCM_STREAM_PLAYBACK) { - switch (dai_id) { -@@ -191,7 +191,7 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int - break; - default: - dev_err(adata->dev, "Invalid dai id %x\n", dai_id); -- return -EINVAL; -+ goto POINTER_RETURN_BYTES; - } - } else { - switch (dai_id) { -@@ -213,12 +213,13 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int - break; - default: - dev_err(adata->dev, "Invalid dai id %x\n", dai_id); -- return -EINVAL; -+ goto POINTER_RETURN_BYTES; - } - } - /* Get 64 bit value from two 32 bit registers */ - byte_count = (high << 32) | low; - -+POINTER_RETURN_BYTES: - return byte_count; - } - --- -2.39.2 - diff --git a/queue-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/queue-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index aabe42628e5..00000000000 --- a/queue-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,157 +0,0 @@ -From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:16 +0200 -Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove - -From: Johan Hovold - -commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. - -The MBHC resources must be released on component probe failure and -removal so can not be tied to the lifetime of the component device. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component: - - snd-sc8280xp sound: ASoC: failed to instantiate card -517 - genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) - wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 - wcd938x_codec audio-codec: mbhc initialization failed - wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 - snd-sc8280xp sound: ASoC: failed to instantiate card -16 - -Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ - 1 file changed, 41 insertions(+), 16 deletions(-) - ---- a/sound/soc/codecs/wcd-mbhc-v2.c -+++ b/sound/soc/codecs/wcd-mbhc-v2.c -@@ -1454,7 +1454,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn - return ERR_PTR(-EINVAL); - } - -- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); -+ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); - if (!mbhc) - return ERR_PTR(-ENOMEM); - -@@ -1474,61 +1474,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn - - INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_sw_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, - wcd_mbhc_mech_plug_detect_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "mbhc sw intr", mbhc); - if (ret) -- goto err; -+ goto err_free_mbhc; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, - wcd_mbhc_btn_press_handler, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Button Press detect", mbhc); - if (ret) -- goto err; -+ goto err_free_sw_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, - wcd_mbhc_btn_release_handler, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Button Release detect", mbhc); - if (ret) -- goto err; -+ goto err_free_btn_press_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, - wcd_mbhc_adc_hs_ins_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Elect Insert", mbhc); - if (ret) -- goto err; -+ goto err_free_btn_release_intr; - - disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, - wcd_mbhc_adc_hs_rem_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "Elect Remove", mbhc); - if (ret) -- goto err; -+ goto err_free_hs_ins_intr; - - disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, - wcd_mbhc_hphl_ocp_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPH_L OCP detect", mbhc); - if (ret) -- goto err; -+ goto err_free_hs_rem_intr; - -- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, -+ ret = request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, - wcd_mbhc_hphr_ocp_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPH_R OCP detect", mbhc); - if (ret) -- goto err; -+ goto err_free_hph_left_ocp; - - return mbhc; --err: -+ -+err_free_hph_left_ocp: -+ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); -+err_free_hs_rem_intr: -+ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); -+err_free_hs_ins_intr: -+ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); -+err_free_btn_release_intr: -+ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); -+err_free_btn_press_intr: -+ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); -+err_free_sw_intr: -+ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); -+err_free_mbhc: -+ kfree(mbhc); -+ - dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); - - return ERR_PTR(ret); -@@ -1537,9 +1552,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); - - void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) - { -+ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); -+ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); -+ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); -+ - mutex_lock(&mbhc->lock); - wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); - mutex_unlock(&mbhc->lock); -+ -+ kfree(mbhc); - } - EXPORT_SYMBOL(wcd_mbhc_deinit); - diff --git a/queue-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/queue-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index c86cf2752f1..00000000000 --- a/queue-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:15 +0200 -Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove - -From: Johan Hovold - -commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. - -Make sure to release allocated MBHC resources also on component remove. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component. - -Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd934x.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - ---- a/sound/soc/codecs/wcd934x.c -+++ b/sound/soc/codecs/wcd934x.c -@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ - - return 0; - } -+ -+static void wcd934x_mbhc_deinit(struct snd_soc_component *component) -+{ -+ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); -+ -+ if (!wcd->mbhc) -+ return; -+ -+ wcd_mbhc_deinit(wcd->mbhc); -+} -+ - static int wcd934x_comp_probe(struct snd_soc_component *component) - { - struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); -@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s - { - struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); - -+ wcd934x_mbhc_deinit(comp); - wcd_clsh_ctrl_free(wcd->clsh_ctrl); - } - diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/queue-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch deleted file mode 100644 index 3e47419b85b..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Fri, 30 Jun 2023 14:03:18 +0200 -Subject: ASoC: codecs: wcd938x: fix codec initialisation race - -From: Johan Hovold - -commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. - -Make sure to resume the codec and soundwire device before trying to read -the codec variant and configure the device during component probe. - -This specifically avoids interpreting (a masked and shifted) -EBUSY -errno as the variant: - - wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 - -when the soundwire device happens to be suspended, which in turn -prevents some headphone controls from being registered. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Reported-by: Steev Klimaszewski -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3095,6 +3095,10 @@ static int wcd938x_soc_codec_probe(struc - - snd_soc_component_init_regmap(component, wcd938x->regmap); - -+ ret = pm_runtime_resume_and_get(dev); -+ if (ret < 0) -+ return ret; -+ - wcd938x->variant = snd_soc_component_read_field(component, - WCD938X_DIGITAL_EFUSE_REG_0, - WCD938X_ID_MASK); -@@ -3112,6 +3116,8 @@ static int wcd938x_soc_codec_probe(struc - (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); - } - -+ pm_runtime_put(dev); -+ - wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, - WCD938X_IRQ_HPHR_PDM_WD_INT); - wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch b/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch deleted file mode 100644 index 40da9bf5384..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch +++ /dev/null @@ -1,51 +0,0 @@ -From d0035014b8bfd8c7e5845573b7e9f5b4db95cb74 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 13:57:23 +0100 -Subject: ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR - -From: Srinivas Kandagatla - -[ Upstream commit c03226ba15fe3c42d13907ec7d8536396602557b ] - -dB range for HPHL and HPHR gains are from +6dB to -30dB in steps of -1.5dB with register values range from 0 to 24. - -Current code maps these dB ranges incorrectly, fix them to allow proper -volume setting. - -Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") -Signed-off-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705125723.40464-1-srinivas.kandagatla@linaro.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/wcd938x.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c -index 8bb6a5ff7b0f6..4a0b990f56e12 100644 ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -210,7 +210,7 @@ struct wcd938x_priv { - }; - - static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(ear_pa_gain, 600, -1800); --static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(line_gain, 600, -3000); -+static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000); - static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(analog_gain, 0, 3000); - - struct wcd938x_mbhc_zdet_param { -@@ -2662,8 +2662,8 @@ static const struct snd_kcontrol_new wcd938x_snd_controls[] = { - wcd938x_get_swr_port, wcd938x_set_swr_port), - SOC_SINGLE_EXT("DSD_R Switch", WCD938X_DSD_R, 0, 1, 0, - wcd938x_get_swr_port, wcd938x_set_swr_port), -- SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 0, line_gain), -- SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 0, line_gain), -+ SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 1, line_gain), -+ SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 1, line_gain), - WCD938X_EAR_PA_GAIN_TLV("EAR_PA Volume", WCD938X_ANA_EAR_COMPANDER_CTL, - 2, 0x10, 0, ear_pa_gain), - SOC_SINGLE_EXT("ADC1 Switch", WCD938X_ADC1, 1, 1, 0, --- -2.39.2 - diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch b/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch deleted file mode 100644 index 4830220c4a0..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 272677a7d51d5f30b931b0981c50a2b2cff55289 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 16:27:13 +0200 -Subject: ASoC: codecs: wcd938x: fix mbhc impedance loglevel - -From: Johan Hovold - -[ Upstream commit e5ce198bd5c6923b6a51e1493b1401f84c24b26d ] - -Demote the MBHC impedance measurement printk, which is not an error -message, from error to debug level. - -While at it, fix the capitalisation of "ohm" and add the missing space -before the opening parenthesis. - -Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230630142717.5314-2-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/wcd938x.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c -index 0ff8f784b5eca..8bb6a5ff7b0f6 100644 ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2165,8 +2165,8 @@ static inline void wcd938x_mbhc_get_result_params(struct wcd938x_priv *wcd938x, - else if (x1 < minCode_param[noff]) - *zdet = WCD938X_ZDET_FLOATING_IMPEDANCE; - -- pr_err("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d(milliOhm)\n", -- __func__, d1, c1, x1, *zdet); -+ pr_debug("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d (milliohm)\n", -+ __func__, d1, c1, x1, *zdet); - ramp_down: - i = 0; - while (x1) { --- -2.39.2 - diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/queue-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch deleted file mode 100644 index a2e1b76ba60..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:13 +0200 -Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling - -From: Johan Hovold - -commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. - -Allocation of the clash control structure may fail so add the missing -error handling to avoid dereferencing an error pointer. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3090,6 +3090,10 @@ static int wcd938x_soc_codec_probe(struc - WCD938X_ID_MASK); - - wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); -+ if (IS_ERR(wcd938x->clsh_info)) { -+ pm_runtime_put(dev); -+ return PTR_ERR(wcd938x->clsh_info); -+ } - - wcd938x_io_init(wcd938x); - /* Set all interrupts as edge triggered */ diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/queue-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch deleted file mode 100644 index a98d816a471..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 3 Jul 2023 14:47:01 +0200 -Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling - -From: Johan Hovold - -commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. - -MBHC initialisation can fail so add the missing error handling to avoid -dereferencing an error pointer when later configuring the jack: - - Unable to handle kernel paging request at virtual address fffffffffffffff8 - - pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] - lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] - - Call trace: - wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] - wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] - snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] - qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] - sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] - snd_soc_link_init+0x28/0x90 [snd_soc_core] - snd_soc_bind_card+0x628/0xbfc [snd_soc_core] - snd_soc_register_card+0xec/0x104 [snd_soc_core] - devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] - sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] - -Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") -Cc: stable@vger.kernel.org # 5.15 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2625,6 +2625,8 @@ static int wcd938x_mbhc_init(struct snd_ - WCD938X_IRQ_HPHR_OCP_INT); - - wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); -+ if (IS_ERR(wcd938x->wcd_mbhc)) -+ return PTR_ERR(wcd938x->wcd_mbhc); - - snd_soc_add_component_controls(component, impedance_detect_controls, - ARRAY_SIZE(impedance_detect_controls)); diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/queue-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch deleted file mode 100644 index 40f70a75c04..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch +++ /dev/null @@ -1,151 +0,0 @@ -From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:14 +0200 -Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove - -From: Johan Hovold - -commit a3406f87775fee986876e03f93a84385f54d5999 upstream. - -Make sure to release allocated resources on component probe failure and -on remove. - -This is specifically needed to allow probe deferrals of the sound card -which otherwise fails when reprobing the codec component: - - snd-sc8280xp sound: ASoC: failed to instantiate card -517 - genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT) - wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16) - genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT) - wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16) - genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT) - wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16) - genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) - wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 48 insertions(+), 7 deletions(-) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -2633,6 +2633,14 @@ static int wcd938x_mbhc_init(struct snd_ - - return 0; - } -+ -+static void wcd938x_mbhc_deinit(struct snd_soc_component *component) -+{ -+ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ -+ wcd_mbhc_deinit(wcd938x->wcd_mbhc); -+} -+ - /* END MBHC */ - - static const struct snd_kcontrol_new wcd938x_snd_controls[] = { -@@ -3113,20 +3121,26 @@ static int wcd938x_soc_codec_probe(struc - ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPHR PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret); -+ goto err_free_clsh_ctrl; -+ } - - ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "HPHL PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret); -+ goto err_free_hphr_pdm_wd_int; -+ } - - ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq, - IRQF_ONESHOT | IRQF_TRIGGER_RISING, - "AUX PDM WD INT", wcd938x); -- if (ret) -+ if (ret) { - dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret); -+ goto err_free_hphl_pdm_wd_int; -+ } - - /* Disable watchdog interrupt for HPH and AUX */ - disable_irq_nosync(wcd938x->hphr_pdm_wd_int); -@@ -3141,7 +3155,7 @@ static int wcd938x_soc_codec_probe(struc - dev_err(component->dev, - "%s: Failed to add snd ctrls for variant: %d\n", - __func__, wcd938x->variant); -- goto err; -+ goto err_free_aux_pdm_wd_int; - } - break; - case WCD9385: -@@ -3151,7 +3165,7 @@ static int wcd938x_soc_codec_probe(struc - dev_err(component->dev, - "%s: Failed to add snd ctrls for variant: %d\n", - __func__, wcd938x->variant); -- goto err; -+ goto err_free_aux_pdm_wd_int; - } - break; - default: -@@ -3159,12 +3173,38 @@ static int wcd938x_soc_codec_probe(struc - } - - ret = wcd938x_mbhc_init(component); -- if (ret) -+ if (ret) { - dev_err(component->dev, "mbhc initialization failed\n"); --err: -+ goto err_free_aux_pdm_wd_int; -+ } -+ -+ return 0; -+ -+err_free_aux_pdm_wd_int: -+ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); -+err_free_hphl_pdm_wd_int: -+ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); -+err_free_hphr_pdm_wd_int: -+ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); -+err_free_clsh_ctrl: -+ wcd_clsh_ctrl_free(wcd938x->clsh_info); -+ - return ret; - } - -+static void wcd938x_soc_codec_remove(struct snd_soc_component *component) -+{ -+ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ -+ wcd938x_mbhc_deinit(component); -+ -+ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); -+ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); -+ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); -+ -+ wcd_clsh_ctrl_free(wcd938x->clsh_info); -+} -+ - static int wcd938x_codec_set_jack(struct snd_soc_component *comp, - struct snd_soc_jack *jack, void *data) - { -@@ -3181,6 +3221,7 @@ static int wcd938x_codec_set_jack(struct - static const struct snd_soc_component_driver soc_codec_dev_wcd938x = { - .name = "wcd938x_codec", - .probe = wcd938x_soc_codec_probe, -+ .remove = wcd938x_soc_codec_remove, - .controls = wcd938x_snd_controls, - .num_controls = ARRAY_SIZE(wcd938x_snd_controls), - .dapm_widgets = wcd938x_dapm_widgets, diff --git a/queue-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/queue-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch deleted file mode 100644 index b36252e567d..00000000000 --- a/queue-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Sat, 1 Jul 2023 11:47:23 +0200 -Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race - -From: Johan Hovold - -commit 6f49256897083848ce9a59651f6b53fc80462397 upstream. - -Make sure that the soundwire device used for register accesses has been -enumerated and initialised before trying to read the codec variant -during component probe. - -This specifically avoids interpreting (a masked and shifted) -EBUSY -errno as the variant: - - wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 - -in case the soundwire device has not yet been initialised, which in turn -prevents some headphone controls from being registered. - -Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") -Cc: stable@vger.kernel.org # 5.14 -Cc: Srinivas Kandagatla -Reported-by: Steev Klimaszewski -Signed-off-by: Johan Hovold -Tested-by: Steev Klimaszewski -Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/wcd938x.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/sound/soc/codecs/wcd938x.c -+++ b/sound/soc/codecs/wcd938x.c -@@ -3090,9 +3090,18 @@ static int wcd938x_irq_init(struct wcd93 - static int wcd938x_soc_codec_probe(struct snd_soc_component *component) - { - struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); -+ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev; - struct device *dev = component->dev; -+ unsigned long time_left; - int ret, i; - -+ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, -+ msecs_to_jiffies(2000)); -+ if (!time_left) { -+ dev_err(dev, "soundwire device init timeout\n"); -+ return -ETIMEDOUT; -+ } -+ - snd_soc_component_init_regmap(component, wcd938x->regmap); - - ret = pm_runtime_resume_and_get(dev); diff --git a/queue-6.4/asoc-cs35l45-select-regmap_irq.patch b/queue-6.4/asoc-cs35l45-select-regmap_irq.patch deleted file mode 100644 index 160366ec5f8..00000000000 --- a/queue-6.4/asoc-cs35l45-select-regmap_irq.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d9ba2975e98a4bec0a9f8d4be4c1de8883fccb71 Mon Sep 17 00:00:00 2001 -From: Nathan Chancellor -Date: Mon, 3 Jul 2023 14:43:15 -0700 -Subject: ASoC: cs35l45: Select REGMAP_IRQ - -From: Nathan Chancellor - -commit d9ba2975e98a4bec0a9f8d4be4c1de8883fccb71 upstream. - -After commit 6085f9e6dc19 ("ASoC: cs35l45: IRQ support"), without any -other configuration that selects CONFIG_REGMAP_IRQ, modpost errors out -with: - - ERROR: modpost: "regmap_irq_get_virq" [sound/soc/codecs/snd-soc-cs35l45.ko] undefined! - ERROR: modpost: "devm_regmap_add_irq_chip" [sound/soc/codecs/snd-soc-cs35l45.ko] undefined! - -Add the Kconfig selection to ensure these functions get built and -included, which resolves the build failure. - -Cc: stable@vger.kernel.org -Fixes: 6085f9e6dc19 ("ASoC: cs35l45: IRQ support") -Reported-by: Marcus Seyfarth -Closes: https://github.com/ClangBuiltLinux/linux/issues/1882 -Signed-off-by: Nathan Chancellor -Link: https://lore.kernel.org/r/20230703-cs35l45-select-regmap_irq-v1-1-37d7e838b614@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/Kconfig | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/soc/codecs/Kconfig -+++ b/sound/soc/codecs/Kconfig -@@ -701,6 +701,7 @@ config SND_SOC_CS35L41_I2C - - config SND_SOC_CS35L45 - tristate -+ select REGMAP_IRQ - - config SND_SOC_CS35L45_SPI - tristate "Cirrus Logic CS35L45 CODEC (SPI)" diff --git a/queue-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch b/queue-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch deleted file mode 100644 index 6729b149d1e..00000000000 --- a/queue-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch +++ /dev/null @@ -1,86 +0,0 @@ -From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 -From: Thomas Petazzoni -Date: Thu, 13 Jul 2023 13:21:12 +0200 -Subject: ASoC: cs42l51: fix driver to properly autoload with automatic module loading - -From: Thomas Petazzoni - -commit e51df4f81b02bcdd828a04de7c1eb6a92988b61e upstream. - -In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table -pointer"), 9 years ago, some random guy fixed the cs42l51 after it was -split into a core part and an I2C part to properly match based on a -Device Tree compatible string. - -However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, -....) is in the core part of the driver, not the I2C part. Therefore, -automatic module loading based on module.alias, based on matching with -the DT compatible string, loads the core part of the driver, but not -the I2C part. And threfore, the i2c_driver is not registered, and the -codec is not known to the system, nor matched with a DT node with the -corresponding compatible string. - -In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into -the I2C part of the driver. The cs42l51_of_match[] array is also moved -as well, as it is not possible to have this definition in one file, -and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due -to how MODULE_DEVICE_TABLE works. - -Thanks to this commit, the I2C part of the driver now properly -autoloads, and thanks to its dependency on the core part, the core -part gets autoloaded as well, resulting in a functional sound card -without having to manually load kernel modules. - -Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Petazzoni -Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/cs42l51-i2c.c | 6 ++++++ - sound/soc/codecs/cs42l51.c | 7 ------- - sound/soc/codecs/cs42l51.h | 1 - - 3 files changed, 6 insertions(+), 8 deletions(-) - ---- a/sound/soc/codecs/cs42l51-i2c.c -+++ b/sound/soc/codecs/cs42l51-i2c.c -@@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_ - }; - MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); - -+const struct of_device_id cs42l51_of_match[] = { -+ { .compatible = "cirrus,cs42l51", }, -+ { } -+}; -+MODULE_DEVICE_TABLE(of, cs42l51_of_match); -+ - static int cs42l51_i2c_probe(struct i2c_client *i2c) - { - struct regmap_config config; ---- a/sound/soc/codecs/cs42l51.c -+++ b/sound/soc/codecs/cs42l51.c -@@ -826,13 +826,6 @@ int __maybe_unused cs42l51_resume(struct - } - EXPORT_SYMBOL_GPL(cs42l51_resume); - --const struct of_device_id cs42l51_of_match[] = { -- { .compatible = "cirrus,cs42l51", }, -- { } --}; --MODULE_DEVICE_TABLE(of, cs42l51_of_match); --EXPORT_SYMBOL_GPL(cs42l51_of_match); -- - MODULE_AUTHOR("Arnaud Patard "); - MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); - MODULE_LICENSE("GPL"); ---- a/sound/soc/codecs/cs42l51.h -+++ b/sound/soc/codecs/cs42l51.h -@@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, st - void cs42l51_remove(struct device *dev); - int __maybe_unused cs42l51_suspend(struct device *dev); - int __maybe_unused cs42l51_resume(struct device *dev); --extern const struct of_device_id cs42l51_of_match[]; - - #define CS42L51_CHIP_ID 0x1B - #define CS42L51_CHIP_REV_A 0x00 diff --git a/queue-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/queue-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch deleted file mode 100644 index 6e550a45412..00000000000 --- a/queue-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001 -From: Matus Gajdos -Date: Wed, 12 Jul 2023 14:49:33 +0200 -Subject: ASoC: fsl_sai: Disable bit clock with transmitter - -From: Matus Gajdos - -commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream. - -Otherwise bit clock remains running writing invalid data to the DAC. - -Signed-off-by: Matus Gajdos -Acked-by: Shengjiu Wang -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/fsl/fsl_sai.c | 2 +- - sound/soc/fsl/fsl_sai.h | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - ---- a/sound/soc/fsl/fsl_sai.c -+++ b/sound/soc/fsl/fsl_sai.c -@@ -719,7 +719,7 @@ static void fsl_sai_config_disable(struc - u32 xcsr, count = 100; - - regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), -- FSL_SAI_CSR_TERE, 0); -+ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0); - - /* TERE will remain set till the end of current frame */ - do { ---- a/sound/soc/fsl/fsl_sai.h -+++ b/sound/soc/fsl/fsl_sai.h -@@ -91,6 +91,7 @@ - /* SAI Transmit/Receive Control Register */ - #define FSL_SAI_CSR_TERE BIT(31) - #define FSL_SAI_CSR_SE BIT(30) -+#define FSL_SAI_CSR_BCE BIT(28) - #define FSL_SAI_CSR_FR BIT(25) - #define FSL_SAI_CSR_SR BIT(24) - #define FSL_SAI_CSR_xF_SHIFT 16 diff --git a/queue-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch b/queue-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch deleted file mode 100644 index 63bc90993fa..00000000000 --- a/queue-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 Mon Sep 17 00:00:00 2001 -From: Fabio Estevam -Date: Thu, 6 Jul 2023 19:18:27 -0300 -Subject: ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode" - -From: Fabio Estevam - -commit 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 upstream. - -This reverts commit ff87d619ac180444db297f043962a5c325ded47b. - -Andreas reports that on an i.MX8MP-based system where MCLK needs to be -used as an input, the MCLK pin is actually an output, despite not having -the 'fsl,sai-mclk-direction-output' property present in the devicetree. - -This is caused by commit ff87d619ac18 ("ASoC: fsl_sai: Enable -MCTL_MCLK_EN bit for master mode") that sets FSL_SAI_MCTL_MCLK_EN -unconditionally for imx8mm/8mn/8mp/93, causing the MCLK to always -be configured as output. - -FSL_SAI_MCTL_MCLK_EN corresponds to the MOE (MCLK Output Enable) bit -of register MCR and the drivers sets it when the -'fsl,sai-mclk-direction-output' devicetree property is present. - -Revert the commit to allow SAI to use MCLK as input as well. - -Cc: stable@vger.kernel.org -Fixes: ff87d619ac18 ("ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode") -Reported-by: Andreas Henriksson -Signed-off-by: Fabio Estevam -Acked-by: Shengjiu Wang -Link: https://lore.kernel.org/r/20230706221827.1938990-1-festevam@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/fsl/fsl_sai.c | 6 ------ - 1 file changed, 6 deletions(-) - ---- a/sound/soc/fsl/fsl_sai.c -+++ b/sound/soc/fsl/fsl_sai.c -@@ -507,12 +507,6 @@ static int fsl_sai_set_bclk(struct snd_s - savediv / 2 - 1); - } - -- if (sai->soc_data->max_register >= FSL_SAI_MCTL) { -- /* SAI is in master mode at this point, so enable MCLK */ -- regmap_update_bits(sai->regmap, FSL_SAI_MCTL, -- FSL_SAI_MCTL_MCLK_EN, FSL_SAI_MCTL_MCLK_EN); -- } -- - return 0; - } - diff --git a/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch b/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch deleted file mode 100644 index 91e7129bc73..00000000000 --- a/queue-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 922473de77853fe08b1fd0ab538d820d97b554dc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 14:18:42 +0100 -Subject: ASoC: qcom: q6apm: do not close GPR port before closing graph - -From: Srinivas Kandagatla - -[ Upstream commit c1be62923d4d86e7c06b1224626e27eb8d9ab32e ] - -Closing GPR port before graph close can result in un handled notifications -from DSP, this results in spam of errors from GPR driver as there is no -one to handle these notification at that point in time. - -Fix this by closing GPR port after graph close is finished. - -Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") -Signed-off-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705131842.41584-1-srinivas.kandagatla@linaro.org -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/qcom/qdsp6/q6apm.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c -index a7a3f973eb6d5..cdebf209c8a55 100644 ---- a/sound/soc/qcom/qdsp6/q6apm.c -+++ b/sound/soc/qcom/qdsp6/q6apm.c -@@ -446,6 +446,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) - - switch (hdr->opcode) { - case DATA_CMD_RSP_WR_SH_MEM_EP_DATA_BUFFER_DONE_V2: -+ if (!graph->ar_graph) -+ break; - client_event = APM_CLIENT_EVENT_DATA_WRITE_DONE; - mutex_lock(&graph->lock); - token = hdr->token & APM_WRITE_TOKEN_MASK; -@@ -479,6 +481,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) - wake_up(&graph->cmd_wait); - break; - case DATA_CMD_RSP_RD_SH_MEM_EP_DATA_BUFFER_V2: -+ if (!graph->ar_graph) -+ break; - client_event = APM_CLIENT_EVENT_DATA_READ_DONE; - mutex_lock(&graph->lock); - rd_done = data->payload; -@@ -581,8 +585,9 @@ int q6apm_graph_close(struct q6apm_graph *graph) - { - struct audioreach_graph *ar_graph = graph->ar_graph; - -- gpr_free_port(graph->port); -+ graph->ar_graph = NULL; - kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph); -+ gpr_free_port(graph->port); - kfree(graph); - - return 0; --- -2.39.2 - diff --git a/queue-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch b/queue-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch deleted file mode 100644 index 8ccedcb8812..00000000000 --- a/queue-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 46ec420573cefa1fc98025e7e6841bdafd6f1e20 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 5 Jul 2023 14:30:12 +0200 -Subject: ASoC: qdsp6: audioreach: fix topology probe deferral - -From: Johan Hovold - -commit 46ec420573cefa1fc98025e7e6841bdafd6f1e20 upstream. - -Propagate errors when failing to load the topology component so that -probe deferrals can be handled. - -Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") -Cc: stable@vger.kernel.org # 5.17 -Cc: Srinivas Kandagatla -Signed-off-by: Johan Hovold -Reviewed-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20230705123018.30903-3-johan+linaro@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/qcom/qdsp6/topology.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/sound/soc/qcom/qdsp6/topology.c -+++ b/sound/soc/qcom/qdsp6/topology.c -@@ -1277,8 +1277,8 @@ int audioreach_tplg_init(struct snd_soc_ - - ret = snd_soc_tplg_component_load(component, &audioreach_tplg_ops, fw); - if (ret < 0) { -- dev_err(dev, "tplg component load failed%d\n", ret); -- ret = -EINVAL; -+ if (ret != -EPROBE_DEFER) -+ dev_err(dev, "tplg component load failed: %d\n", ret); - } - - release_firmware(fw); diff --git a/queue-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch b/queue-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch deleted file mode 100644 index 6098e4ece7e..00000000000 --- a/queue-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 70a6404ff610aa4889d98977da131c37f9ff9d1f Mon Sep 17 00:00:00 2001 -From: Sameer Pujar -Date: Thu, 29 Jun 2023 10:42:15 +0530 -Subject: ASoC: rt5640: Fix sleep in atomic context - -From: Sameer Pujar - -commit 70a6404ff610aa4889d98977da131c37f9ff9d1f upstream. - -Following prints are observed while testing audio on Jetson AGX Orin which -has onboard RT5640 audio codec: - - BUG: sleeping function called from invalid context at kernel/workqueue.c:3027 - in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0 - preempt_count: 10001, expected: 0 - RCU nest depth: 0, expected: 0 - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270 - ---[ end trace ad1c64905aac14a6 ]- - -The IRQ handler rt5640_irq() runs in interrupt context and can sleep -during cancel_delayed_work_sync(). - -Fix this by running IRQ handler, rt5640_irq(), in thread context. -Hence replace request_irq() calls with devm_request_threaded_irq(). - -Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2") -Cc: stable@vger.kernel.org -Cc: Oder Chiou -Signed-off-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/codecs/rt5640.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/sound/soc/codecs/rt5640.c -+++ b/sound/soc/codecs/rt5640.c -@@ -2567,9 +2567,10 @@ static void rt5640_enable_jack_detect(st - if (jack_data && jack_data->use_platform_clock) - rt5640->use_platform_clock = jack_data->use_platform_clock; - -- ret = request_irq(rt5640->irq, rt5640_irq, -- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, -- "rt5640", rt5640); -+ ret = devm_request_threaded_irq(component->dev, rt5640->irq, -+ NULL, rt5640_irq, -+ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, -+ "rt5640", rt5640); - if (ret) { - dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); - rt5640_disable_jack_detect(component); -@@ -2622,8 +2623,9 @@ static void rt5640_enable_hda_jack_detec - - rt5640->jack = jack; - -- ret = request_irq(rt5640->irq, rt5640_irq, -- IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640); -+ ret = devm_request_threaded_irq(component->dev, rt5640->irq, -+ NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT, -+ "rt5640", rt5640); - if (ret) { - dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); - rt5640->irq = -ENXIO; diff --git a/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch b/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch deleted file mode 100644 index 835740abdb0..00000000000 --- a/queue-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 4d081eb7ade047c783eff167d9362c5a23f905d4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Jul 2023 14:25:23 +0300 -Subject: ASoC: SOF: ipc3-dtrace: uninitialized data in - dfsentry_trace_filter_write() - -From: Dan Carpenter - -[ Upstream commit 469e2f28c2cbee2430058c1c9bb6d1675d7195fb ] - -This doesn't check how many bytes the simple_write_to_buffer() writes to -the buffer. The only thing that we know is that the first byte is -initialized and the last byte of the buffer is set to NUL. However -the middle bytes could be uninitialized. - -There is no need to use simple_write_to_buffer(). This code does not -support partial writes but instead passes "pos = 0" as the starting -offset regardless of what the user passed as "*ppos". Just use the -copy_from_user() function and initialize the whole buffer. - -Fixes: 671e0b90051e ("ASoC: SOF: Clone the trace code to ipc3-dtrace as fw_tracing implementation") -Signed-off-by: Dan Carpenter -Link: https://lore.kernel.org/r/74148292-ce4d-4e01-a1a7-921e6767da14@moroto.mountain -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/sof/ipc3-dtrace.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c -index 1d3bca2d28dd6..35da85a45a9ae 100644 ---- a/sound/soc/sof/ipc3-dtrace.c -+++ b/sound/soc/sof/ipc3-dtrace.c -@@ -186,7 +186,6 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user - struct snd_sof_dfsentry *dfse = file->private_data; - struct sof_ipc_trace_filter_elem *elems = NULL; - struct snd_sof_dev *sdev = dfse->sdev; -- loff_t pos = 0; - int num_elems; - char *string; - int ret; -@@ -201,11 +200,11 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user - if (!string) - return -ENOMEM; - -- /* assert null termination */ -- string[count] = 0; -- ret = simple_write_to_buffer(string, count, &pos, from, count); -- if (ret < 0) -+ if (copy_from_user(string, from, count)) { -+ ret = -EFAULT; - goto error; -+ } -+ string[count] = '\0'; - - ret = trace_filter_parse(sdev, string, &num_elems, &elems); - if (ret < 0) --- -2.39.2 - diff --git a/queue-6.4/asoc-tegra-fix-adx-byte-map.patch b/queue-6.4/asoc-tegra-fix-adx-byte-map.patch deleted file mode 100644 index a047668f933..00000000000 --- a/queue-6.4/asoc-tegra-fix-adx-byte-map.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 6dfe70be0b0dec0f9297811501bec26c05fd96ad Mon Sep 17 00:00:00 2001 -From: Sheetal -Date: Thu, 29 Jun 2023 10:42:14 +0530 -Subject: ASoC: tegra: Fix ADX byte map - -From: Sheetal - -commit 6dfe70be0b0dec0f9297811501bec26c05fd96ad upstream. - -Byte mask for channel-1 of stream-1 is not getting enabled and this -causes failures during ADX use cases. This happens because the byte -map value 0 matches the byte map array and put() callback returns -without enabling the corresponding bits in the byte mask. - -ADX supports 4 output streams and each stream can have a maximum of -16 channels. Each byte in the input frame is uniquely mapped to a -byte in one of these 4 outputs. This mapping is done with the help of -byte map array via user space control setting. The byte map array -size in the driver is 16 and each array element is of size 4 bytes. -This corresponds to 64 byte map values. - -Each byte in the byte map array can have any value between 0 to 255 -to enable the corresponding bits in the byte mask. The value 256 is -used as a way to disable the byte map. However the byte map array -element cannot store this value. The put() callback disables the byte -mask for 256 value and byte map value is reset to 0 for this case. -This causes problems during subsequent runs since put() callback, -for value of 0, just returns without enabling the byte mask. In short, -the problem is coming because 0 and 256 control values are stored as -0 in the byte map array. - -Right now fix the put() callback by actually looking at the byte mask -array state to identify if any change is needed and update the fields -accordingly. The get() callback needs an update as well to return the -correct control value that user has set before. Note that when user -set 256, the value is stored as 0 and byte mask is disabled. So byte -mask state is used to either return 256 or the value from byte map -array. - -Given above, this looks bit complicated and all this happens because -the byte map array is tightly packed and cannot actually store the 256 -value. Right now the priority is to fix the existing failure and a TODO -item is put to improve this logic. - -Fixes: 3c97881b8c8a ("ASoC: tegra: Fix kcontrol put callback in ADX") -Cc: stable@vger.kernel.org -Signed-off-by: Sheetal -Reviewed-by: Mohan Kumar D -Reviewed-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-3-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/tegra/tegra210_adx.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - ---- a/sound/soc/tegra/tegra210_adx.c -+++ b/sound/soc/tegra/tegra210_adx.c -@@ -2,7 +2,7 @@ - // - // tegra210_adx.c - Tegra210 ADX driver - // --// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. -+// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. - - #include - #include -@@ -175,10 +175,20 @@ static int tegra210_adx_get_byte_map(str - mc = (struct soc_mixer_control *)kcontrol->private_value; - enabled = adx->byte_mask[mc->reg / 32] & (1 << (mc->reg % 32)); - -+ /* -+ * TODO: Simplify this logic to just return from bytes_map[] -+ * -+ * Presently below is required since bytes_map[] is -+ * tightly packed and cannot store the control value of 256. -+ * Byte mask state is used to know if 256 needs to be returned. -+ * Note that for control value of 256, the put() call stores 0 -+ * in the bytes_map[] and disables the corresponding bit in -+ * byte_mask[]. -+ */ - if (enabled) - ucontrol->value.integer.value[0] = bytes_map[mc->reg]; - else -- ucontrol->value.integer.value[0] = 0; -+ ucontrol->value.integer.value[0] = 256; - - return 0; - } -@@ -192,19 +202,19 @@ static int tegra210_adx_put_byte_map(str - int value = ucontrol->value.integer.value[0]; - struct soc_mixer_control *mc = - (struct soc_mixer_control *)kcontrol->private_value; -+ unsigned int mask_val = adx->byte_mask[mc->reg / 32]; - -- if (value == bytes_map[mc->reg]) -+ if (value >= 0 && value <= 255) -+ mask_val |= (1 << (mc->reg % 32)); -+ else -+ mask_val &= ~(1 << (mc->reg % 32)); -+ -+ if (mask_val == adx->byte_mask[mc->reg / 32]) - return 0; - -- if (value >= 0 && value <= 255) { -- /* update byte map and enable slot */ -- bytes_map[mc->reg] = value; -- adx->byte_mask[mc->reg / 32] |= (1 << (mc->reg % 32)); -- } else { -- /* reset byte map and disable slot */ -- bytes_map[mc->reg] = 0; -- adx->byte_mask[mc->reg / 32] &= ~(1 << (mc->reg % 32)); -- } -+ /* Update byte map and slot */ -+ bytes_map[mc->reg] = value % 256; -+ adx->byte_mask[mc->reg / 32] = mask_val; - - return 1; - } diff --git a/queue-6.4/asoc-tegra-fix-amx-byte-map.patch b/queue-6.4/asoc-tegra-fix-amx-byte-map.patch deleted file mode 100644 index c707318c8b8..00000000000 --- a/queue-6.4/asoc-tegra-fix-amx-byte-map.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 49bd7b08149417a30aa7d92c8c85b3518de44a76 Mon Sep 17 00:00:00 2001 -From: Sheetal -Date: Thu, 29 Jun 2023 10:42:13 +0530 -Subject: ASoC: tegra: Fix AMX byte map - -From: Sheetal - -commit 49bd7b08149417a30aa7d92c8c85b3518de44a76 upstream. - -Byte mask for channel-1 of stream-1 is not getting enabled and this -causes failures during AMX use cases. This happens because the byte -map value 0 matches the byte map array and put() callback returns -without enabling the corresponding bits in the byte mask. - -AMX supports 4 input streams and each stream can take a maximum of -16 channels. Each byte in the output frame is uniquely mapped to a -byte in one of these 4 inputs. This mapping is done with the help of -byte map array via user space control setting. The byte map array -size in the driver is 16 and each array element is of size 4 bytes. -This corresponds to 64 byte map values. - -Each byte in the byte map array can have any value between 0 to 255 -to enable the corresponding bits in the byte mask. The value 256 is -used as a way to disable the byte map. However the byte map array -element cannot store this value. The put() callback disables the byte -mask for 256 value and byte map value is reset to 0 for this case. -This causes problems during subsequent runs since put() callback, -for value of 0, just returns without enabling the byte mask. In short, -the problem is coming because 0 and 256 control values are stored as -0 in the byte map array. - -Right now fix the put() callback by actually looking at the byte mask -array state to identify if any change is needed and update the fields -accordingly. The get() callback needs an update as well to return the -correct control value that user has set before. Note that when user -sets 256, the value is stored as 0 and byte mask is disabled. So byte -mask state is used to either return 256 or the value from byte map -array. - -Given above, this looks bit complicated and all this happens because -the byte map array is tightly packed and cannot actually store the 256 -value. Right now the priority is to fix the existing failure and a TODO -item is put to improve this logic. - -Fixes: 8db78ace1ba8 ("ASoC: tegra: Fix kcontrol put callback in AMX") -Cc: stable@vger.kernel.org -Signed-off-by: Sheetal -Reviewed-by: Mohan Kumar D -Reviewed-by: Sameer Pujar -Link: https://lore.kernel.org/r/1688015537-31682-2-git-send-email-spujar@nvidia.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/tegra/tegra210_amx.c | 40 ++++++++++++++++++++++------------------ - 1 file changed, 22 insertions(+), 18 deletions(-) - ---- a/sound/soc/tegra/tegra210_amx.c -+++ b/sound/soc/tegra/tegra210_amx.c -@@ -2,7 +2,7 @@ - // - // tegra210_amx.c - Tegra210 AMX driver - // --// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. -+// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. - - #include - #include -@@ -203,10 +203,20 @@ static int tegra210_amx_get_byte_map(str - else - enabled = amx->byte_mask[0] & (1 << reg); - -+ /* -+ * TODO: Simplify this logic to just return from bytes_map[] -+ * -+ * Presently below is required since bytes_map[] is -+ * tightly packed and cannot store the control value of 256. -+ * Byte mask state is used to know if 256 needs to be returned. -+ * Note that for control value of 256, the put() call stores 0 -+ * in the bytes_map[] and disables the corresponding bit in -+ * byte_mask[]. -+ */ - if (enabled) - ucontrol->value.integer.value[0] = bytes_map[reg]; - else -- ucontrol->value.integer.value[0] = 0; -+ ucontrol->value.integer.value[0] = 256; - - return 0; - } -@@ -221,25 +231,19 @@ static int tegra210_amx_put_byte_map(str - unsigned char *bytes_map = (unsigned char *)&amx->map; - int reg = mc->reg; - int value = ucontrol->value.integer.value[0]; -+ unsigned int mask_val = amx->byte_mask[reg / 32]; - -- if (value == bytes_map[reg]) -+ if (value >= 0 && value <= 255) -+ mask_val |= (1 << (reg % 32)); -+ else -+ mask_val &= ~(1 << (reg % 32)); -+ -+ if (mask_val == amx->byte_mask[reg / 32]) - return 0; - -- if (value >= 0 && value <= 255) { -- /* Update byte map and enable slot */ -- bytes_map[reg] = value; -- if (reg > 31) -- amx->byte_mask[1] |= (1 << (reg - 32)); -- else -- amx->byte_mask[0] |= (1 << reg); -- } else { -- /* Reset byte map and disable slot */ -- bytes_map[reg] = 0; -- if (reg > 31) -- amx->byte_mask[1] &= ~(1 << (reg - 32)); -- else -- amx->byte_mask[0] &= ~(1 << reg); -- } -+ /* Update byte map and slot */ -+ bytes_map[reg] = value % 256; -+ amx->byte_mask[reg / 32] = mask_val; - - return 1; - } diff --git a/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch b/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch deleted file mode 100644 index 293e66b3be4..00000000000 --- a/queue-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 2985cb1c3caeaa23909dc76b3608d8f5ffa0034c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 16 Jun 2023 21:23:54 +0800 -Subject: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none - -From: Ming Lei - -[ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ] - -After grabbing q->sysfs_lock, q->elevator may become NULL because of -elevator switch. - -Fix the NULL dereference on q->elevator by checking it with lock. - -Reported-by: Guangwu Zhang -Signed-off-by: Ming Lei -Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - block/blk-mq.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/block/blk-mq.c b/block/blk-mq.c -index b9f4546139894..73ed8ccb09ce8 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -4617,9 +4617,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head, - { - struct blk_mq_qe_pair *qe; - -- if (!q->elevator) -- return true; -- - qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY); - if (!qe) - return false; -@@ -4627,6 +4624,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head, - /* q->elevator needs protection from ->sysfs_lock */ - mutex_lock(&q->sysfs_lock); - -+ /* the check has to be done with holding sysfs_lock */ -+ if (!q->elevator) { -+ kfree(qe); -+ goto unlock; -+ } -+ - INIT_LIST_HEAD(&qe->node); - qe->q = q; - qe->type = q->elevator->type; -@@ -4634,6 +4637,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head, - __elevator_get(qe->type); - list_add(&qe->node, head); - elevator_disable(q); -+unlock: - mutex_unlock(&q->sysfs_lock); - - return true; --- -2.39.2 - diff --git a/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch b/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch deleted file mode 100644 index 732ea3bb10b..00000000000 --- a/queue-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 0f3d353a227d27998efc4598cfdfc74d33fb522b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 12:25:14 +0200 -Subject: Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Tomasz Moń - -[ Upstream commit 95b7015433053cd5f648ad2a7b8f43b2c99c949a ] - -Commit c13380a55522 ("Bluetooth: btusb: Do not require hardcoded -interface numbers") inadvertedly broke bluetooth on Intel Macbook 2014. -The intention was to keep behavior intact when BTUSB_IFNUM_2 is set and -otherwise allow any interface numbers. The problem is that the new logic -condition omits the case where bInterfaceNumber is 0. - -Fix BTUSB_IFNUM_2 handling by allowing both interface number 0 and 2 -when the flag is set. - -Fixes: c13380a55522 ("Bluetooth: btusb: Do not require hardcoded interface numbers") -Reported-by: John Holland -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217651 -Signed-off-by: Tomasz Moń -Tested-by: John Holland -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/btusb.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index 2a8e2bb038f58..50e23762ec5e9 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -4099,6 +4099,7 @@ static int btusb_probe(struct usb_interface *intf, - BT_DBG("intf %p id %p", intf, id); - - if ((id->driver_info & BTUSB_IFNUM_2) && -+ (intf->cur_altsetting->desc.bInterfaceNumber != 0) && - (intf->cur_altsetting->desc.bInterfaceNumber != 2)) - return -ENODEV; - --- -2.39.2 - diff --git a/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch b/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch deleted file mode 100644 index 4a05013c5c3..00000000000 --- a/queue-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 84ceed6bd7bd6b85f52b80362cae4ce3f2f0daf7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jul 2023 18:43:53 +0530 -Subject: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no - link - -From: Siddh Raman Pant - -[ Upstream commit b4066eb04bb67e7ff66e5aaab0db4a753f37eaad ] - -hci_connect_sco currently returns NULL when there is no link (i.e. when -hci_conn_link() returns NULL). - -sco_connect() expects an ERR_PTR in case of any error (see line 266 in -sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which -tries to get hcon->hdev, resulting in dereferencing a NULL pointer as -reported by syzkaller. - -The same issue exists for iso_connect_cis() calling hci_connect_cis(). - -Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR -instead of NULL. - -Reported-and-tested-by: syzbot+37acd5d80d00d609d233@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=37acd5d80d00d609d233 -Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon") -Signed-off-by: Siddh Raman Pant -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/hci_conn.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index 7b0c74ef93296..31c115b225e7e 100644 ---- a/net/bluetooth/hci_conn.c -+++ b/net/bluetooth/hci_conn.c -@@ -1684,7 +1684,7 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, - if (!link) { - hci_conn_drop(acl); - hci_conn_drop(sco); -- return NULL; -+ return ERR_PTR(-ENOLINK); - } - - sco->setting = setting; -@@ -2256,7 +2256,7 @@ struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst, - if (!link) { - hci_conn_drop(le); - hci_conn_drop(cis); -- return NULL; -+ return ERR_PTR(-ENOLINK); - } - - /* If LE is already connected and CIS handle is already set proceed to --- -2.39.2 - diff --git a/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch b/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch deleted file mode 100644 index 8c4865a7c6c..00000000000 --- a/queue-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch +++ /dev/null @@ -1,168 +0,0 @@ -From 1c0a105690e7ae4ffc1b2c44181d834089aea545 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:32 +0300 -Subject: Bluetooth: hci_event: call disconnect callback before deleting conn - -From: Pauli Virtanen - -[ Upstream commit 7f7cfcb6f0825652973b780f248603e23f16ee90 ] - -In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. - -ISO, L2CAP and SCO connections refer to the hci_conn without -hci_conn_get, so disconn_cfm must be called so they can clean up their -conn, otherwise use-after-free occurs. - -ISO: -========================================================== -iso_sock_connect:880: sk 00000000eabd6557 -iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -... -iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 -hci_dev_put:1487: hci0 orig refcnt 17 -__iso_chan_add:214: conn 00000000b6251073 -iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 -... -hci_rx_work:4085: hci0 Event packet -hci_event_packet:7601: hci0: event 0x0f -hci_cmd_status_evt:4346: hci0: opcode 0x0406 -hci_cs_disconnect:2760: hci0: status 0x0c -hci_sent_cmd_data:3107: hci0 opcode 0x0406 -hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 -hci_conn_unlink:1102: hci0: hcon 000000001696f1fd -hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 -hci_chan_list_flush:2780: hcon 000000001696f1fd -hci_dev_put:1487: hci0 orig refcnt 21 -hci_dev_put:1487: hci0 orig refcnt 20 -hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c -... ... -iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 -BUG: kernel NULL pointer dereference, address: 0000000000000668 -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP PTI -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth -========================================================== - -L2CAP: -================================================================== -hci_cmd_status_evt:4359: hci0: opcode 0x0406 -hci_cs_disconnect:2760: hci0: status 0x0c -hci_sent_cmd_data:3085: hci0 opcode 0x0406 -hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 -hci_conn_unlink:1102: hci0: hcon ffff88800c999000 -hci_chan_list_flush:2780: hcon ffff88800c999000 -hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 -... -BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] -Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 - -CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -Call Trace: - - dump_stack_lvl+0x5b/0x90 - print_report+0xcf/0x670 - ? __virt_addr_valid+0xf8/0x180 - ? hci_send_acl+0x2d/0x540 [bluetooth] - kasan_report+0xa8/0xe0 - ? hci_send_acl+0x2d/0x540 [bluetooth] - hci_send_acl+0x2d/0x540 [bluetooth] - ? __pfx___lock_acquire+0x10/0x10 - l2cap_chan_send+0x1fd/0x1300 [bluetooth] - ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] - ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] - ? lock_release+0x1d5/0x3c0 - ? mark_held_locks+0x1a/0x90 - l2cap_sock_sendmsg+0x100/0x170 [bluetooth] - sock_write_iter+0x275/0x280 - ? __pfx_sock_write_iter+0x10/0x10 - ? __pfx___lock_acquire+0x10/0x10 - do_iter_readv_writev+0x176/0x220 - ? __pfx_do_iter_readv_writev+0x10/0x10 - ? find_held_lock+0x83/0xa0 - ? selinux_file_permission+0x13e/0x210 - do_iter_write+0xda/0x340 - vfs_writev+0x1b4/0x400 - ? __pfx_vfs_writev+0x10/0x10 - ? __seccomp_filter+0x112/0x750 - ? populate_seccomp_data+0x182/0x220 - ? __fget_light+0xdf/0x100 - ? do_writev+0x19d/0x210 - do_writev+0x19d/0x210 - ? __pfx_do_writev+0x10/0x10 - ? mark_held_locks+0x1a/0x90 - do_syscall_64+0x60/0x90 - ? lockdep_hardirqs_on_prepare+0x149/0x210 - ? do_syscall_64+0x6c/0x90 - ? lockdep_hardirqs_on_prepare+0x149/0x210 - entry_SYSCALL_64_after_hwframe+0x72/0xdc -RIP: 0033:0x7ff45cb23e64 -Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 -RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 -RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64 -RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017 -RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40 -R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0 -R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040 - - -Allocated by task 771: - kasan_save_stack+0x33/0x60 - kasan_set_track+0x25/0x30 - __kasan_kmalloc+0xaa/0xb0 - hci_chan_create+0x67/0x1b0 [bluetooth] - l2cap_conn_add.part.0+0x17/0x590 [bluetooth] - l2cap_connect_cfm+0x266/0x6b0 [bluetooth] - hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth] - hci_event_packet+0x38d/0x800 [bluetooth] - hci_rx_work+0x287/0xb20 [bluetooth] - process_one_work+0x4f7/0x970 - worker_thread+0x8f/0x620 - kthread+0x17f/0x1c0 - ret_from_fork+0x2c/0x50 - -Freed by task 771: - kasan_save_stack+0x33/0x60 - kasan_set_track+0x25/0x30 - kasan_save_free_info+0x2e/0x50 - ____kasan_slab_free+0x169/0x1c0 - slab_free_freelist_hook+0x9e/0x1c0 - __kmem_cache_free+0xc0/0x310 - hci_chan_list_flush+0x46/0x90 [bluetooth] - hci_conn_cleanup+0x7d/0x330 [bluetooth] - hci_cs_disconnect+0x35d/0x530 [bluetooth] - hci_cmd_status_evt+0xef/0x2b0 [bluetooth] - hci_event_packet+0x38d/0x800 [bluetooth] - hci_rx_work+0x287/0xb20 [bluetooth] - process_one_work+0x4f7/0x970 - worker_thread+0x8f/0x620 - kthread+0x17f/0x1c0 - ret_from_fork+0x2c/0x50 -================================================================== - -Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/hci_event.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c -index 72b6d189d3de2..cb0b5fe7a6f8c 100644 ---- a/net/bluetooth/hci_event.c -+++ b/net/bluetooth/hci_event.c -@@ -2784,6 +2784,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) - hci_enable_advertising(hdev); - } - -+ /* Inform sockets conn is gone before we delete it */ -+ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); -+ - goto done; - } - --- -2.39.2 - diff --git a/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch b/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch deleted file mode 100644 index 8af4b293be5..00000000000 --- a/queue-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch +++ /dev/null @@ -1,60 +0,0 @@ -From a1ee2560c82046e851ecf0268f802f2e15a138aa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 15:33:14 -0700 -Subject: Bluetooth: hci_sync: Avoid use-after-free in dbg for - hci_remove_adv_monitor() - -From: Douglas Anderson - -[ Upstream commit de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 ] - -KASAN reports that there's a use-after-free in -hci_remove_adv_monitor(). Trawling through the disassembly, you can -see that the complaint is from the access in bt_dev_dbg() under the -HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because -msft_remove_monitor() can end up freeing the monitor -structure. Specifically: - hci_remove_adv_monitor() -> - msft_remove_monitor() -> - msft_remove_monitor_sync() -> - msft_le_cancel_monitor_advertisement_cb() -> - hci_free_adv_monitor() - -Let's fix the problem by just stashing the relevant data when it's -still valid. - -Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") -Signed-off-by: Douglas Anderson -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/hci_core.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c -index b421e196f60c3..1ec83985f1ab0 100644 ---- a/net/bluetooth/hci_core.c -+++ b/net/bluetooth/hci_core.c -@@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, - struct adv_monitor *monitor) - { - int status = 0; -+ int handle; - - switch (hci_get_adv_monitor_offload_ext(hdev)) { - case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */ -@@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev, - goto free_monitor; - - case HCI_ADV_MONITOR_EXT_MSFT: -+ handle = monitor->handle; - status = msft_remove_monitor(hdev, monitor); - bt_dev_dbg(hdev, "%s remove monitor %d msft status %d", -- hdev->name, monitor->handle, status); -+ hdev->name, handle, status); - break; - } - --- -2.39.2 - diff --git a/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch b/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch deleted file mode 100644 index e802b39b9fc..00000000000 --- a/queue-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch +++ /dev/null @@ -1,292 +0,0 @@ -From 38c1cad8787d706dea39d17a633b391863b8e3a3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:33 +0300 -Subject: Bluetooth: ISO: fix iso_conn related locking and validity issues - -From: Pauli Virtanen - -[ Upstream commit d40ae85ee62e3666f45bc61864b22121346f88ef ] - -sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations -that check/update sk_state and access conn should hold lock_sock, -otherwise they can race. - -The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, -which is how it is in connect/disconnect_cfm -> iso_conn_del -> -iso_chan_del. - -Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock -around updating sk_state and conn. - -iso_conn_del must not occur during iso_connect_cis/bis, as it frees the -iso_conn. Hold hdev->lock longer to prevent that. - -This should not reintroduce the issue fixed in commit 241f51931c35 -("Bluetooth: ISO: Avoid circular locking dependency"), since the we -acquire locks in order. We retain the fix in iso_sock_connect to release -lock_sock before iso_connect_* acquires hdev->lock. - -Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible -circular locking dependency"). We retain the fix in iso_conn_ready to -not acquire iso_conn_lock before lock_sock. - -iso_conn_add shall return iso_conn with valid hcon. Make it so also when -reusing an old CIS connection waiting for disconnect timeout (see -__iso_sock_close where conn->hcon is set to NULL). - -Trace with iso_conn_del after iso_chan_add in iso_connect_cis: -=============================================================== -iso_sock_create:771: sock 00000000be9b69b7 -iso_sock_init:693: sk 000000004dff667e -iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_setsockopt:1289: sk 000000004dff667e -iso_sock_connect:875: sk 000000004dff667e -iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da -iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e -__iso_chan_add:214: conn 00000000daf8625e -iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 -iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 -iso_sock_clear_timer:117: sock 000000004dff667e state 3 - -iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 -hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 -hci_conn_unlink:1102: hci0: hcon 000000007b65d182 -hci_chan_list_flush:2780: hcon 000000007b65d182 -iso_sock_getsockopt:1376: sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getsockopt:1376: sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e -iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 -__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 - -BUG: kernel NULL pointer dereference, address: 0000000000000000 -PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 -Oops: 0000 [#1] PREEMPT SMP PTI -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth -=============================================================== - -Trace with iso_conn_del before iso_chan_add in iso_connect_cis: -=============================================================== -iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da -... -iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 -hci_dev_put:1487: hci0 orig refcnt 21 -hci_event_packet:7607: hci0: event 0x0e -hci_cmd_complete_evt:4231: hci0: opcode 0x2062 -hci_cc_le_set_cig_params:3846: hci0: status 0x07 -hci_sent_cmd_data:3107: hci0 opcode 0x2062 -iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7 -iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12 -hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535 -hci_conn_unlink:1102: hci0: hcon 0000000093bc551f -hci_chan_list_flush:2780: hcon 0000000093bc551f -__iso_chan_add:214: conn 00000000768ae504 - -iso_sock_clear_timer:117: sock 0000000098323f95 state 3 -general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI -CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:detach_if_pending+0x28/0xd0 -Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <> -RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007 -RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000 -RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8 -RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88 -R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80 -R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338 -FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0 -Call Trace: - - timer_delete+0x48/0x80 - try_to_grab_pending+0xdf/0x170 - __cancel_work+0x37/0xb0 - iso_connect_cis+0x141/0x400 [bluetooth] -=============================================================== - -Trace with NULL conn->hcon in state BT_CONNECT: -=============================================================== -__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5 -... -__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5 -iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104 -... -iso_sock_connect:862: sk 00000000129b56c3 -iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a -hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a -hci_dev_hold:1495: hci0 orig refcnt 19 -__iso_chan_add:214: conn 0000000022c03a7e - -iso_sock_clear_timer:117: sock 00000000129b56c3 state 3 -... -iso_sock_ready:1485: sk 00000000129b56c3 -... -iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3 -BUG: kernel NULL pointer dereference, address: 00000000000006a8 -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP PTI -CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth] -=============================================================== - -Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency") -Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++------------------- - 1 file changed, 31 insertions(+), 22 deletions(-) - -diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c -index 34d55a85d8f6f..94d5bc104fede 100644 ---- a/net/bluetooth/iso.c -+++ b/net/bluetooth/iso.c -@@ -123,8 +123,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) - { - struct iso_conn *conn = hcon->iso_data; - -- if (conn) -+ if (conn) { -+ if (!conn->hcon) -+ conn->hcon = hcon; - return conn; -+ } - - conn = kzalloc(sizeof(*conn), GFP_KERNEL); - if (!conn) -@@ -300,14 +303,13 @@ static int iso_connect_bis(struct sock *sk) - goto unlock; - } - -- hci_dev_unlock(hdev); -- hci_dev_put(hdev); -+ lock_sock(sk); - - err = iso_chan_add(conn, sk, NULL); -- if (err) -- return err; -- -- lock_sock(sk); -+ if (err) { -+ release_sock(sk); -+ goto unlock; -+ } - - /* Update source addr of the socket */ - bacpy(&iso_pi(sk)->src, &hcon->src); -@@ -321,7 +323,6 @@ static int iso_connect_bis(struct sock *sk) - } - - release_sock(sk); -- return err; - - unlock: - hci_dev_unlock(hdev); -@@ -389,14 +390,13 @@ static int iso_connect_cis(struct sock *sk) - goto unlock; - } - -- hci_dev_unlock(hdev); -- hci_dev_put(hdev); -+ lock_sock(sk); - - err = iso_chan_add(conn, sk, NULL); -- if (err) -- return err; -- -- lock_sock(sk); -+ if (err) { -+ release_sock(sk); -+ goto unlock; -+ } - - /* Update source addr of the socket */ - bacpy(&iso_pi(sk)->src, &hcon->src); -@@ -413,7 +413,6 @@ static int iso_connect_cis(struct sock *sk) - } - - release_sock(sk); -- return err; - - unlock: - hci_dev_unlock(hdev); -@@ -1072,8 +1071,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - size_t len) - { - struct sock *sk = sock->sk; -- struct iso_conn *conn = iso_pi(sk)->conn; - struct sk_buff *skb, **frag; -+ size_t mtu; - int err; - - BT_DBG("sock %p, sk %p", sock, sk); -@@ -1085,11 +1084,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - if (msg->msg_flags & MSG_OOB) - return -EOPNOTSUPP; - -- if (sk->sk_state != BT_CONNECTED) -+ lock_sock(sk); -+ -+ if (sk->sk_state != BT_CONNECTED) { -+ release_sock(sk); - return -ENOTCONN; -+ } -+ -+ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu; -+ -+ release_sock(sk); - -- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, -- HCI_ISO_DATA_HDR_SIZE, 0); -+ skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0); - if (IS_ERR(skb)) - return PTR_ERR(skb); - -@@ -1102,8 +1108,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, - while (len) { - struct sk_buff *tmp; - -- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, -- 0, 0); -+ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); - if (IS_ERR(tmp)) { - kfree_skb(skb); - return PTR_ERR(tmp); -@@ -1158,15 +1163,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, - BT_DBG("sk %p", sk); - - if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { -+ lock_sock(sk); - switch (sk->sk_state) { - case BT_CONNECT2: -- lock_sock(sk); - iso_conn_defer_accept(pi->conn->hcon); - sk->sk_state = BT_CONFIG; - release_sock(sk); - return 0; - case BT_CONNECT: -+ release_sock(sk); - return iso_connect_cis(sk); -+ default: -+ release_sock(sk); -+ break; - } - } - --- -2.39.2 - diff --git a/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch b/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch deleted file mode 100644 index 84761ceda9b..00000000000 --- a/queue-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch +++ /dev/null @@ -1,100 +0,0 @@ -From cc9d54b74879a34272695218fd49e9ba6687e670 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jul 2023 19:48:19 +0300 -Subject: Bluetooth: SCO: fix sco_conn related locking and validity issues - -From: Pauli Virtanen - -[ Upstream commit 3dcaa192ac2159193bc6ab57bc5369dcb84edd8e ] - -Operations that check/update sk_state and access conn should hold -lock_sock, otherwise they can race. - -The order of taking locks is hci_dev_lock > lock_sock > sco_conn_lock, -which is how it is in connect/disconnect_cfm -> sco_conn_del -> -sco_chan_del. - -Fix locking in sco_connect to take lock_sock around updating sk_state -and conn. - -sco_conn_del must not occur during sco_connect, as it frees the -sco_conn. Hold hdev->lock longer to prevent that. - -sco_conn_add shall return sco_conn with valid hcon. Make it so also when -reusing an old SCO connection waiting for disconnect timeout (see -__sco_sock_close where conn->hcon is set to NULL). - -This should not reintroduce the issue fixed in the earlier -commit 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking -dependency on sco_connect_cfm"), the relevant fix of releasing lock_sock -in sco_sock_connect before acquiring hdev->lock is retained. - -These changes mirror similar fixes earlier in ISO sockets. - -Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - net/bluetooth/sco.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index cd1a27ac555d0..7762604ddfc05 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -126,8 +126,11 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) - struct hci_dev *hdev = hcon->hdev; - struct sco_conn *conn = hcon->sco_data; - -- if (conn) -+ if (conn) { -+ if (!conn->hcon) -+ conn->hcon = hcon; - return conn; -+ } - - conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL); - if (!conn) -@@ -268,21 +271,21 @@ static int sco_connect(struct sock *sk) - goto unlock; - } - -- hci_dev_unlock(hdev); -- hci_dev_put(hdev); -- - conn = sco_conn_add(hcon); - if (!conn) { - hci_conn_drop(hcon); -- return -ENOMEM; -+ err = -ENOMEM; -+ goto unlock; - } - -- err = sco_chan_add(conn, sk, NULL); -- if (err) -- return err; -- - lock_sock(sk); - -+ err = sco_chan_add(conn, sk, NULL); -+ if (err) { -+ release_sock(sk); -+ goto unlock; -+ } -+ - /* Update source addr of the socket */ - bacpy(&sco_pi(sk)->src, &hcon->src); - -@@ -296,8 +299,6 @@ static int sco_connect(struct sock *sk) - - release_sock(sk); - -- return err; -- - unlock: - hci_dev_unlock(hdev); - hci_dev_put(hdev); --- -2.39.2 - diff --git a/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch b/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch deleted file mode 100644 index bad87f05068..00000000000 --- a/queue-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch +++ /dev/null @@ -1,594 +0,0 @@ -From bb40a24b1a5fe8604c76ab2a9447b7b69940a3ae Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 01:04:31 +0300 -Subject: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync - -From: Pauli Virtanen - -[ Upstream commit 195ef75e19287b4bc413da3e3e3722b030ac881e ] - -hci_update_accept_list_sync iterates over hdev->pend_le_conns and -hdev->pend_le_reports, and waits for controller events in the loop body, -without holding hdev lock. - -Meanwhile, these lists and the items may be modified e.g. by -le_scan_cleanup. This can invalidate the list cursor or any other item -in the list, resulting to invalid behavior (eg use-after-free). - -Use RCU for the hci_conn_params action lists. Since the loop bodies in -hci_sync block and we cannot use RCU or hdev->lock for the whole loop, -copy list items first and then iterate on the copy. Only the flags field -is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we -read valid values. - -Free params everywhere with hci_conn_params_free so the cleanup is -guaranteed to be done properly. - -This fixes the following, which can be triggered e.g. by BlueZ new -mgmt-tester case "Add + Remove Device Nowait - Success", or by changing -hci_le_set_cig_params to always return false, and running iso-tester: - -================================================================== -BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 - -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 -Workqueue: hci0 hci_cmd_sync_work -Call Trace: - -dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) -print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) -? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) -? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -kasan_report (mm/kasan/report.c:538) -? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) -? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) -? mutex_lock (kernel/locking/mutex.c:282) -? __pfx_mutex_lock (kernel/locking/mutex.c:282) -? __pfx_mutex_unlock (kernel/locking/mutex.c:538) -? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) -hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) -process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) -worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) -? __pfx_worker_thread (kernel/workqueue.c:2480) -kthread (kernel/kthread.c:376) -? __pfx_kthread (kernel/kthread.c:331) -ret_from_fork (arch/x86/entry/entry_64.S:314) - - -Allocated by task 31: -kasan_save_stack (mm/kasan/common.c:46) -kasan_set_track (mm/kasan/common.c:52) -__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) -hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) -hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) -hci_connect_cis (net/bluetooth/hci_conn.c:2266) -iso_connect_cis (net/bluetooth/iso.c:390) -iso_sock_connect (net/bluetooth/iso.c:899) -__sys_connect (net/socket.c:2003 net/socket.c:2020) -__x64_sys_connect (net/socket.c:2027) -do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) -entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) - -Freed by task 15: -kasan_save_stack (mm/kasan/common.c:46) -kasan_set_track (mm/kasan/common.c:52) -kasan_save_free_info (mm/kasan/generic.c:523) -__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) -__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) -hci_conn_params_del (net/bluetooth/hci_core.c:2323) -le_scan_cleanup (net/bluetooth/hci_conn.c:202) -process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) -worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) -kthread (kernel/kthread.c:376) -ret_from_fork (arch/x86/entry/entry_64.S:314) -================================================================== - -Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") -Signed-off-by: Pauli Virtanen -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Sasha Levin ---- - include/net/bluetooth/hci_core.h | 5 ++ - net/bluetooth/hci_conn.c | 10 +-- - net/bluetooth/hci_core.c | 38 ++++++++-- - net/bluetooth/hci_event.c | 12 ++-- - net/bluetooth/hci_sync.c | 117 ++++++++++++++++++++++++++++--- - net/bluetooth/mgmt.c | 26 +++---- - 6 files changed, 164 insertions(+), 44 deletions(-) - -diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h -index 9654567cfae37..870b6d3c5146b 100644 ---- a/include/net/bluetooth/hci_core.h -+++ b/include/net/bluetooth/hci_core.h -@@ -822,6 +822,7 @@ struct hci_conn_params { - - struct hci_conn *conn; - bool explicit_connect; -+ /* Accessed without hdev->lock: */ - hci_conn_flags_t flags; - u8 privacy_mode; - }; -@@ -1573,7 +1574,11 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - bdaddr_t *addr, u8 addr_type); - void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); - void hci_conn_params_clear_disabled(struct hci_dev *hdev); -+void hci_conn_params_free(struct hci_conn_params *param); - -+void hci_pend_le_list_del_init(struct hci_conn_params *param); -+void hci_pend_le_list_add(struct hci_conn_params *param, -+ struct list_head *list); - struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, - bdaddr_t *addr, - u8 addr_type); -diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index 2275e0d9f8419..7b0c74ef93296 100644 ---- a/net/bluetooth/hci_conn.c -+++ b/net/bluetooth/hci_conn.c -@@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) - */ - params->explicit_connect = false; - -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - - switch (params->auto_connect) { - case HCI_AUTO_CONN_EXPLICIT: -@@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) - return; - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: -- list_add(¶ms->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(params, &hdev->pend_le_reports); - break; - default: - break; -@@ -1426,8 +1426,8 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev, - if (params->auto_connect == HCI_AUTO_CONN_DISABLED || - params->auto_connect == HCI_AUTO_CONN_REPORT || - params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - } - - params->explicit_connect = true; -diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c -index 48917c68358de..b421e196f60c3 100644 ---- a/net/bluetooth/hci_core.c -+++ b/net/bluetooth/hci_core.c -@@ -2249,21 +2249,45 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, - return NULL; - } - --/* This function requires the caller holds hdev->lock */ -+/* This function requires the caller holds hdev->lock or rcu_read_lock */ - struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, - bdaddr_t *addr, u8 addr_type) - { - struct hci_conn_params *param; - -- list_for_each_entry(param, list, action) { -+ rcu_read_lock(); -+ -+ list_for_each_entry_rcu(param, list, action) { - if (bacmp(¶m->addr, addr) == 0 && -- param->addr_type == addr_type) -+ param->addr_type == addr_type) { -+ rcu_read_unlock(); - return param; -+ } - } - -+ rcu_read_unlock(); -+ - return NULL; - } - -+/* This function requires the caller holds hdev->lock */ -+void hci_pend_le_list_del_init(struct hci_conn_params *param) -+{ -+ if (list_empty(¶m->action)) -+ return; -+ -+ list_del_rcu(¶m->action); -+ synchronize_rcu(); -+ INIT_LIST_HEAD(¶m->action); -+} -+ -+/* This function requires the caller holds hdev->lock */ -+void hci_pend_le_list_add(struct hci_conn_params *param, -+ struct list_head *list) -+{ -+ list_add_rcu(¶m->action, list); -+} -+ - /* This function requires the caller holds hdev->lock */ - struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - bdaddr_t *addr, u8 addr_type) -@@ -2297,14 +2321,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, - return params; - } - --static void hci_conn_params_free(struct hci_conn_params *params) -+void hci_conn_params_free(struct hci_conn_params *params) - { -+ hci_pend_le_list_del_init(params); -+ - if (params->conn) { - hci_conn_drop(params->conn); - hci_conn_put(params->conn); - } - -- list_del(¶ms->action); - list_del(¶ms->list); - kfree(params); - } -@@ -2342,8 +2367,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev) - continue; - } - -- list_del(¶ms->list); -- kfree(params); -+ hci_conn_params_free(params); - } - - BT_DBG("All LE disabled connection parameters were removed"); -diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c -index 21e26d3b286cc..72b6d189d3de2 100644 ---- a/net/bluetooth/hci_event.c -+++ b/net/bluetooth/hci_event.c -@@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, - - params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); - if (params) -- params->privacy_mode = cp->mode; -+ WRITE_ONCE(params->privacy_mode, cp->mode); - - hci_dev_unlock(hdev); - -@@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) - - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - - default: -@@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, - - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_del_init(¶ms->action); -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_del_init(params); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - hci_update_passive_scan(hdev); - break; - -@@ -5961,7 +5961,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, - params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, - conn->dst_type); - if (params) { -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - if (params->conn) { - hci_conn_drop(params->conn); - hci_conn_put(params->conn); -diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c -index b5b1b610df335..1bcb54272dc67 100644 ---- a/net/bluetooth/hci_sync.c -+++ b/net/bluetooth/hci_sync.c -@@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev, - return 0; - } - -+struct conn_params { -+ bdaddr_t addr; -+ u8 addr_type; -+ hci_conn_flags_t flags; -+ u8 privacy_mode; -+}; -+ - /* Adds connection to resolve list if needed. - * Setting params to NULL programs local hdev->irk - */ - static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, -- struct hci_conn_params *params) -+ struct conn_params *params) - { - struct hci_cp_le_add_to_resolv_list cp; - struct smp_irk *irk; - struct bdaddr_list_with_irk *entry; -+ struct hci_conn_params *p; - - if (!use_ll_privacy(hdev)) - return 0; -@@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, - /* Default privacy mode is always Network */ - params->privacy_mode = HCI_NETWORK_PRIVACY; - -+ rcu_read_lock(); -+ p = hci_pend_le_action_lookup(&hdev->pend_le_conns, -+ ¶ms->addr, params->addr_type); -+ if (!p) -+ p = hci_pend_le_action_lookup(&hdev->pend_le_reports, -+ ¶ms->addr, params->addr_type); -+ if (p) -+ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY); -+ rcu_read_unlock(); -+ - done: - if (hci_dev_test_flag(hdev, HCI_PRIVACY)) - memcpy(cp.local_irk, hdev->irk, 16); -@@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, - - /* Set Device Privacy Mode. */ - static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, -- struct hci_conn_params *params) -+ struct conn_params *params) - { - struct hci_cp_le_set_privacy_mode cp; - struct smp_irk *irk; -@@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, - bacpy(&cp.bdaddr, &irk->bdaddr); - cp.mode = HCI_DEVICE_PRIVACY; - -+ /* Note: params->privacy_mode is not updated since it is a copy */ -+ - return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE, - sizeof(cp), &cp, HCI_CMD_TIMEOUT); - } -@@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, - * properly set the privacy mode. - */ - static int hci_le_add_accept_list_sync(struct hci_dev *hdev, -- struct hci_conn_params *params, -+ struct conn_params *params, - u8 *num_entries) - { - struct hci_cp_le_add_to_accept_list cp; -@@ -2447,6 +2467,52 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, - return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk); - } - -+static struct conn_params *conn_params_copy(struct list_head *list, size_t *n) -+{ -+ struct hci_conn_params *params; -+ struct conn_params *p; -+ size_t i; -+ -+ rcu_read_lock(); -+ -+ i = 0; -+ list_for_each_entry_rcu(params, list, action) -+ ++i; -+ *n = i; -+ -+ rcu_read_unlock(); -+ -+ p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL); -+ if (!p) -+ return NULL; -+ -+ rcu_read_lock(); -+ -+ i = 0; -+ list_for_each_entry_rcu(params, list, action) { -+ /* Racing adds are handled in next scan update */ -+ if (i >= *n) -+ break; -+ -+ /* No hdev->lock, but: addr, addr_type are immutable. -+ * privacy_mode is only written by us or in -+ * hci_cc_le_set_privacy_mode that we wait for. -+ * We should be idempotent so MGMT updating flags -+ * while we are processing is OK. -+ */ -+ bacpy(&p[i].addr, ¶ms->addr); -+ p[i].addr_type = params->addr_type; -+ p[i].flags = READ_ONCE(params->flags); -+ p[i].privacy_mode = READ_ONCE(params->privacy_mode); -+ ++i; -+ } -+ -+ rcu_read_unlock(); -+ -+ *n = i; -+ return p; -+} -+ - /* Device must not be scanning when updating the accept list. - * - * Update is done using the following sequence: -@@ -2466,11 +2532,12 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, - */ - static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - { -- struct hci_conn_params *params; -+ struct conn_params *params; - struct bdaddr_list *b, *t; - u8 num_entries = 0; - bool pend_conn, pend_report; - u8 filter_policy; -+ size_t i, n; - int err; - - /* Pause advertising if resolving list can be used as controllers -@@ -2504,6 +2571,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) - continue; - -+ /* Pointers not dereferenced, no locks needed */ - pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns, - &b->bdaddr, - b->bdaddr_type); -@@ -2532,23 +2600,50 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) - * available accept list entries in the controller, then - * just abort and return filer policy value to not use the - * accept list. -+ * -+ * The list and params may be mutated while we wait for events, -+ * so make a copy and iterate it. - */ -- list_for_each_entry(params, &hdev->pend_le_conns, action) { -- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); -- if (err) -+ -+ params = conn_params_copy(&hdev->pend_le_conns, &n); -+ if (!params) { -+ err = -ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < n; ++i) { -+ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], -+ &num_entries); -+ if (err) { -+ kvfree(params); - goto done; -+ } - } - -+ kvfree(params); -+ - /* After adding all new pending connections, walk through - * the list of pending reports and also add these to the - * accept list if there is still space. Abort if space runs out. - */ -- list_for_each_entry(params, &hdev->pend_le_reports, action) { -- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); -- if (err) -+ -+ params = conn_params_copy(&hdev->pend_le_reports, &n); -+ if (!params) { -+ err = -ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < n; ++i) { -+ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], -+ &num_entries); -+ if (err) { -+ kvfree(params); - goto done; -+ } - } - -+ kvfree(params); -+ - /* Use the allowlist unless the following conditions are all true: - * - We are not currently suspending - * - There are 1 or more ADV monitors registered and it's not offloaded -@@ -4839,12 +4934,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev) - struct hci_conn_params *p; - - list_for_each_entry(p, &hdev->le_conn_params, list) { -+ hci_pend_le_list_del_init(p); - if (p->conn) { - hci_conn_drop(p->conn); - hci_conn_put(p->conn); - p->conn = NULL; - } -- list_del_init(&p->action); - } - - BT_DBG("All LE pending actions cleared"); -diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index f7b2d0971f240..1e07d0f289723 100644 ---- a/net/bluetooth/mgmt.c -+++ b/net/bluetooth/mgmt.c -@@ -1297,15 +1297,15 @@ static void restart_le_actions(struct hci_dev *hdev) - /* Needed for AUTO_OFF case where might not "really" - * have been powered off. - */ -- list_del_init(&p->action); -+ hci_pend_le_list_del_init(p); - - switch (p->auto_connect) { - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: -- list_add(&p->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(p, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: -- list_add(&p->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(p, &hdev->pend_le_reports); - break; - default: - break; -@@ -5169,7 +5169,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, - goto unlock; - } - -- params->flags = current_flags; -+ WRITE_ONCE(params->flags, current_flags); - status = MGMT_STATUS_SUCCESS; - - /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY -@@ -7580,7 +7580,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, - if (params->auto_connect == auto_connect) - return 0; - -- list_del_init(¶ms->action); -+ hci_pend_le_list_del_init(params); - - switch (auto_connect) { - case HCI_AUTO_CONN_DISABLED: -@@ -7589,18 +7589,18 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, - * connect to device, keep connecting. - */ - if (params->explicit_connect) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - case HCI_AUTO_CONN_REPORT: - if (params->explicit_connect) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - else -- list_add(¶ms->action, &hdev->pend_le_reports); -+ hci_pend_le_list_add(params, &hdev->pend_le_reports); - break; - case HCI_AUTO_CONN_DIRECT: - case HCI_AUTO_CONN_ALWAYS: - if (!is_connected(hdev, addr, addr_type)) -- list_add(¶ms->action, &hdev->pend_le_conns); -+ hci_pend_le_list_add(params, &hdev->pend_le_conns); - break; - } - -@@ -7823,9 +7823,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, - goto unlock; - } - -- list_del(¶ms->action); -- list_del(¶ms->list); -- kfree(params); -+ hci_conn_params_free(params); - - device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type); - } else { -@@ -7856,9 +7854,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, - p->auto_connect = HCI_AUTO_CONN_EXPLICIT; - continue; - } -- list_del(&p->action); -- list_del(&p->list); -- kfree(p); -+ hci_conn_params_free(p); - } - - bt_dev_dbg(hdev, "All LE connection parameters were removed"); --- -2.39.2 - diff --git a/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch deleted file mode 100644 index 400e32122e8..00000000000 --- a/queue-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch +++ /dev/null @@ -1,177 +0,0 @@ -From 57221d8fa06c7bb4348592a89fa64f6d815f8518 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 May 2023 21:37:48 -0700 -Subject: bpf: Address KCSAN report on bpf_lru_list - -From: Martin KaFai Lau - -[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] - -KCSAN reported a data-race when accessing node->ref. -Although node->ref does not have to be accurate, -take this chance to use a more common READ_ONCE() and WRITE_ONCE() -pattern instead of data_race(). - -There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). -This patch also adds bpf_lru_node_clear_ref() to do the -WRITE_ONCE(node->ref, 0) also. - -================================================================== -BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem - -write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: -__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] -__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] -__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 -bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] -bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] -bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 -prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] -__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: -bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] -__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -value changed: 0x01 -> 0x00 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 -================================================================== - -Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com -Signed-off-by: Martin KaFai Lau -Acked-by: Yonghong Song -Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- - kernel/bpf/bpf_lru_list.h | 7 ++----- - 2 files changed, 15 insertions(+), 13 deletions(-) - -diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c -index d99e89f113c43..3dabdd137d102 100644 ---- a/kernel/bpf/bpf_lru_list.c -+++ b/kernel/bpf/bpf_lru_list.c -@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) - /* bpf_lru_node helpers */ - static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) - { -- return node->ref; -+ return READ_ONCE(node->ref); -+} -+ -+static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) -+{ -+ WRITE_ONCE(node->ref, 0); - } - - static void bpf_lru_list_count_inc(struct bpf_lru_list *l, -@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, - - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, &l->lists[tgt_type]); - } - -@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; - } -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - - /* If the moving node is the next_inactive_rotation candidate, - * move the next_inactive_rotation pointer also. -@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, - *(u32 *)((void *)node + lru->hash_offset) = hash; - node->cpu = cpu; - node->type = BPF_LRU_LOCAL_LIST_T_PENDING; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, local_pending_list(loc_l)); - } - -@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, - if (!list_empty(free_list)) { - node = list_first_entry(free_list, struct bpf_lru_node, list); - *(u32 *)((void *)node + lru->hash_offset) = hash; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); - } - -@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, - } - - node->type = BPF_LRU_LOCAL_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, local_free_list(loc_l)); - - raw_spin_unlock_irqrestore(&loc_l->lock, flags); -@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, - - node = (struct bpf_lru_node *)(buf + node_offset); - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - buf += elem_size; - } -@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, - node = (struct bpf_lru_node *)(buf + node_offset); - node->cpu = cpu; - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - i++; - buf += elem_size; -diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h -index 4ea227c9c1ade..8f3c8b2b4490e 100644 ---- a/kernel/bpf/bpf_lru_list.h -+++ b/kernel/bpf/bpf_lru_list.h -@@ -64,11 +64,8 @@ struct bpf_lru { - - static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) - { -- /* ref is an approximation on access frequency. It does not -- * have to be very accurate. Hence, no protection is used. -- */ -- if (!node->ref) -- node->ref = 1; -+ if (!READ_ONCE(node->ref)) -+ WRITE_ONCE(node->ref, 1); - } - - int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, --- -2.39.2 - diff --git a/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch b/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch deleted file mode 100644 index 69d1570961b..00000000000 --- a/queue-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 69e2c18524955cd8fb89335a4ddf8186f4aab6ec Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 09:49:31 -0700 -Subject: bpf, arm64: Fix BTI type used for freplace attached functions - -From: Alexander Duyck - -[ Upstream commit a3f25d614bc73b45e8f02adc6769876dfd16ca84 ] - -When running an freplace attached bpf program on an arm64 system w were -seeing the following issue: - Unhandled 64-bit el1h sync exception on CPU47, ESR 0x0000000036000003 -- BTI - -After a bit of work to track it down I determined that what appeared to be -happening is that the 'bti c' at the start of the program was somehow being -reached after a 'br' instruction. Further digging pointed me toward the -fact that the function was attached via freplace. This in turn led me to -build_plt which I believe is invoking the long jump which is triggering -this error. - -To resolve it we can replace the 'bti c' with 'bti jc' and add a comment -explaining why this has to be modified as such. - -Fixes: b2ad54e1533e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64") -Signed-off-by: Alexander Duyck -Acked-by: Xu Kuohai -Link: https://lore.kernel.org/r/168926677665.316237.9953845318337455525.stgit@ahduyck-xeon-server.home.arpa -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - arch/arm64/net/bpf_jit_comp.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c -index b26da8efa616e..0ce5f13eabb1b 100644 ---- a/arch/arm64/net/bpf_jit_comp.c -+++ b/arch/arm64/net/bpf_jit_comp.c -@@ -322,7 +322,13 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf) - * - */ - -- emit_bti(A64_BTI_C, ctx); -+ /* bpf function may be invoked by 3 instruction types: -+ * 1. bl, attached via freplace to bpf prog via short jump -+ * 2. br, attached via freplace to bpf prog via long jump -+ * 3. blr, working as a function pointer, used by emit_call. -+ * So BTI_JC should used here to support both br and blr. -+ */ -+ emit_bti(A64_BTI_JC, ctx); - - emit(A64_MOV(1, A64_R(9), A64_LR), ctx); - emit(A64_NOP, ctx); --- -2.39.2 - diff --git a/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch b/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch deleted file mode 100644 index e198a2a3887..00000000000 --- a/queue-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4350e2f0eea4178f3bb70baa675e31ad71759a97 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 May 2023 11:04:09 -0700 -Subject: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log - -From: Andrii Nakryiko - -[ Upstream commit cff36398bd4c7d322d424433db437f3c3391c491 ] - -It's trivial for user to trigger "verifier log line truncated" warning, -as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at -least two pieces of user-provided information that can be output through -this buffer, and both can be arbitrarily sized by user: - - BTF names; - - BTF.ext source code lines strings. - -Verifier log buffer should be properly sized for typical verifier state -output. But it's sort-of expected that this buffer won't be long enough -in some circumstances. So let's drop the check. In any case code will -work correctly, at worst truncating a part of a single line output. - -Reported-by: syzbot+8b2a08dfbd25fd933d75@syzkaller.appspotmail.com -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/r/20230516180409.3549088-1-andrii@kernel.org -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/log.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c -index 046ddff37a76d..850494423530e 100644 ---- a/kernel/bpf/log.c -+++ b/kernel/bpf/log.c -@@ -62,9 +62,6 @@ void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, - - n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); - -- WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, -- "verifier log line truncated - local buffer too short\n"); -- - if (log->level == BPF_LOG_KERNEL) { - bool newline = n > 0 && log->kbuf[n - 1] == '\n'; - --- -2.39.2 - diff --git a/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch deleted file mode 100644 index 40c497a072a..00000000000 --- a/queue-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 0903ef6dae667052bd2e2b5f70fd8d93583fd8fc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 21:45:28 +0530 -Subject: bpf: Fix subprog idx logic in check_max_stack_depth - -From: Kumar Kartikeya Dwivedi - -[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ] - -The assignment to idx in check_max_stack_depth happens once we see a -bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of -the code performs a few checks and then pushes the frame to the frame -stack, except the case of async callbacks. If the async callback case -causes the loop iteration to be skipped, the idx assignment will be -incorrect on the next iteration of the loop. The value stored in the -frame stack (as the subprogno of the current subprog) will be incorrect. - -This leads to incorrect checks and incorrect tail_call_reachable -marking. Save the target subprog in a new variable and only assign to -idx once we are done with the is_async_cb check which may skip pushing -of frame to the frame stack and subsequent stack depth checks and tail -call markings. - -Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") -Signed-off-by: Kumar Kartikeya Dwivedi -Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index aac31e33323bb..e95bfe45fd890 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5429,7 +5429,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - continue_func: - subprog_end = subprog[idx + 1].start; - for (; i < subprog_end; i++) { -- int next_insn; -+ int next_insn, sidx; - - if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i)) - continue; -@@ -5439,14 +5439,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - - /* find the callee */ - next_insn = i + insn[i].imm + 1; -- idx = find_subprog(env, next_insn); -- if (idx < 0) { -+ sidx = find_subprog(env, next_insn); -+ if (sidx < 0) { - WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", - next_insn); - return -EFAULT; - } -- if (subprog[idx].is_async_cb) { -- if (subprog[idx].has_tail_call) { -+ if (subprog[sidx].is_async_cb) { -+ if (subprog[sidx].has_tail_call) { - verbose(env, "verifier bug. subprog has tail_call and async cb\n"); - return -EFAULT; - } -@@ -5455,6 +5455,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - continue; - } - i = next_insn; -+ idx = sidx; - - if (subprog[idx].has_tail_call) - tail_call_reachable = true; --- -2.39.2 - diff --git a/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch b/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch deleted file mode 100644 index 3badce6a052..00000000000 --- a/queue-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 5546963a3ee78475dff4b222fafb27b5ad6d2de2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 May 2023 11:14:18 -0700 -Subject: bpf: Print a warning only if writing to unprivileged_bpf_disabled. - -From: Kui-Feng Lee - -[ Upstream commit fedf99200ab086c42a572fca1d7266b06cdc3e3f ] - -Only print the warning message if you are writing to -"/proc/sys/kernel/unprivileged_bpf_disabled". - -The kernel may print an annoying warning when you read -"/proc/sys/kernel/unprivileged_bpf_disabled" saying - - WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible - via Spectre v2 BHB attacks! - -However, this message is only meaningful when the feature is -disabled or enabled. - -Signed-off-by: Kui-Feng Lee -Signed-off-by: Andrii Nakryiko -Acked-by: Yonghong Song -Link: https://lore.kernel.org/bpf/20230502181418.308479-1-kuifeng@meta.com -Signed-off-by: Sasha Levin ---- - kernel/bpf/syscall.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index f1c8733f76b83..5524fcf6fb2a4 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -5394,7 +5394,8 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, - *(int *)table->data = unpriv_enable; - } - -- unpriv_ebpf_notify(unpriv_enable); -+ if (write) -+ unpriv_ebpf_notify(unpriv_enable); - - return ret; - } --- -2.39.2 - diff --git a/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch b/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch deleted file mode 100644 index ed94042d578..00000000000 --- a/queue-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 618abe8dabe1ad1d0d66135467202aca5f3881c9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 21:45:29 +0530 -Subject: bpf: Repeat check_max_stack_depth for async callbacks - -From: Kumar Kartikeya Dwivedi - -[ Upstream commit b5e9ad522c4ccd32d322877515cff8d47ed731b9 ] - -While the check_max_stack_depth function explores call chains emanating -from the main prog, which is typically enough to cover all possible call -chains, it doesn't explore those rooted at async callbacks unless the -async callback will have been directly called, since unlike non-async -callbacks it skips their instruction exploration as they don't -contribute to stack depth. - -It could be the case that the async callback leads to a callchain which -exceeds the stack depth, but this is never reachable while only -exploring the entry point from main subprog. Hence, repeat the check for -the main subprog *and* all async callbacks marked by the symbolic -execution pass of the verifier, as execution of the program may begin at -any of them. - -Consider functions with following stack depths: -main: 256 -async: 256 -foo: 256 - -main: - rX = async - bpf_timer_set_callback(...) - -async: - foo() - -Here, async is not descended as it does not contribute to stack depth of -main (since it is referenced using bpf_pseudo_func and not -bpf_pseudo_call). However, when async is invoked asynchronously, it will -end up breaching the MAX_BPF_STACK limit by calling foo. - -Hence, in addition to main, we also need to explore call chains -beginning at all async callback subprogs in a program. - -Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") -Signed-off-by: Kumar Kartikeya Dwivedi -Link: https://lore.kernel.org/r/20230717161530.1238-3-memxor@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index e95bfe45fd890..4fbfe1d086467 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5381,16 +5381,17 @@ static int update_stack_depth(struct bpf_verifier_env *env, - * Since recursion is prevented by check_cfg() this algorithm - * only needs a local stack of MAX_CALL_FRAMES to remember callsites - */ --static int check_max_stack_depth(struct bpf_verifier_env *env) -+static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) - { -- int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; - struct bpf_subprog_info *subprog = env->subprog_info; - struct bpf_insn *insn = env->prog->insnsi; -+ int depth = 0, frame = 0, i, subprog_end; - bool tail_call_reachable = false; - int ret_insn[MAX_CALL_FRAMES]; - int ret_prog[MAX_CALL_FRAMES]; - int j; - -+ i = subprog[idx].start; - process_func: - /* protect against potential stack overflow that might happen when - * bpf2bpf calls get combined with tailcalls. Limit the caller's stack -@@ -5491,6 +5492,22 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) - goto continue_func; - } - -+static int check_max_stack_depth(struct bpf_verifier_env *env) -+{ -+ struct bpf_subprog_info *si = env->subprog_info; -+ int ret; -+ -+ for (int i = 0; i < env->subprog_cnt; i++) { -+ if (!i || si[i].is_async_cb) { -+ ret = check_max_stack_depth_subprog(env, i); -+ if (ret < 0) -+ return ret; -+ } -+ continue; -+ } -+ return 0; -+} -+ - #ifndef CONFIG_BPF_JIT_ALWAYS_ON - static int get_callee_stack_depth(struct bpf_verifier_env *env, - const struct bpf_insn *insn, int idx) --- -2.39.2 - diff --git a/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch b/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch deleted file mode 100644 index 54e4c3386d8..00000000000 --- a/queue-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch +++ /dev/null @@ -1,100 +0,0 @@ -From dbcb5e3b6449240c0366bfcc88051b4ac795a114 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 13:50:29 -0700 -Subject: bpf: Silence a warning in btf_type_id_size() - -From: Yonghong Song - -[ Upstream commit e6c2f594ed961273479505b42040782820190305 ] - -syzbot reported a warning in [1] with the following stacktrace: - WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 - ... - RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 - ... - Call Trace: - - map_check_btf kernel/bpf/syscall.c:1024 [inline] - map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 - __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 - __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] - __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] - __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -With the following btf - [1] DECL_TAG 'a' type_id=4 component_idx=-1 - [2] PTR '(anon)' type_id=0 - [3] TYPE_TAG 'a' type_id=2 - [4] VAR 'a' type_id=3, linkage=static -and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), -the following WARN_ON_ONCE in btf_type_id_size() is triggered: - if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && - !btf_type_is_var(size_type))) - return NULL; - -Note that 'return NULL' is the correct behavior as we don't want -a DECL_TAG type to be used as a btf_{key,value}_type_id even -for the case like 'DECL_TAG -> STRUCT'. So there -is no correctness issue here, we just want to silence warning. - -To silence the warning, I added DECL_TAG as one of kinds in -btf_type_nosize() which will cause btf_type_id_size() returning -NULL earlier without the warning. - - [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ - -Reported-by: syzbot+958967f249155967d42a@syzkaller.appspotmail.com -Signed-off-by: Yonghong Song -Link: https://lore.kernel.org/r/20230530205029.264910-1-yhs@fb.com -Signed-off-by: Martin KaFai Lau -Signed-off-by: Sasha Levin ---- - kernel/bpf/btf.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c -index 25ca17a8e1964..8b4e92439d1d6 100644 ---- a/kernel/bpf/btf.c -+++ b/kernel/bpf/btf.c -@@ -485,25 +485,26 @@ static bool btf_type_is_fwd(const struct btf_type *t) - return BTF_INFO_KIND(t->info) == BTF_KIND_FWD; - } - --static bool btf_type_nosize(const struct btf_type *t) -+static bool btf_type_is_datasec(const struct btf_type *t) - { -- return btf_type_is_void(t) || btf_type_is_fwd(t) || -- btf_type_is_func(t) || btf_type_is_func_proto(t); -+ return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC; - } - --static bool btf_type_nosize_or_null(const struct btf_type *t) -+static bool btf_type_is_decl_tag(const struct btf_type *t) - { -- return !t || btf_type_nosize(t); -+ return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG; - } - --static bool btf_type_is_datasec(const struct btf_type *t) -+static bool btf_type_nosize(const struct btf_type *t) - { -- return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC; -+ return btf_type_is_void(t) || btf_type_is_fwd(t) || -+ btf_type_is_func(t) || btf_type_is_func_proto(t) || -+ btf_type_is_decl_tag(t); - } - --static bool btf_type_is_decl_tag(const struct btf_type *t) -+static bool btf_type_nosize_or_null(const struct btf_type *t) - { -- return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG; -+ return !t || btf_type_nosize(t); - } - - static bool btf_type_is_decl_tag_target(const struct btf_type *t) --- -2.39.2 - diff --git a/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch b/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch deleted file mode 100644 index 1f77203606d..00000000000 --- a/queue-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch +++ /dev/null @@ -1,152 +0,0 @@ -From ab66d5336cd3fa2f5a2196a042f23a408d2e29e4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 22:51:49 +0000 -Subject: bpf: tcp: Avoid taking fast sock lock in iterator - -From: Aditi Ghag - -[ Upstream commit 9378096e8a656fb5c4099b26b1370c56f056eab9 ] - -This is a preparatory commit to replace `lock_sock_fast` with -`lock_sock`,and facilitate BPF programs executed from the TCP sockets -iterator to be able to destroy TCP sockets using the bpf_sock_destroy -kfunc (implemented in follow-up commits). - -Previously, BPF TCP iterator was acquiring the sock lock with BH -disabled. This led to scenarios where the sockets hash table bucket lock -can be acquired with BH enabled in some path versus disabled in other. -In such situation, kernel issued a warning since it thinks that in the -BH enabled path the same bucket lock *might* be acquired again in the -softirq context (BH disabled), which will lead to a potential dead lock. -Since bpf_sock_destroy also happens in a process context, the potential -deadlock warning is likely a false alarm. - -Here is a snippet of annotated stack trace that motivated this change: - -``` - -Possible interrupt unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&h->lhash2[i].lock); - local_bh_disable(); - lock(&h->lhash2[i].lock); -kernel imagined possible scenario: - local_bh_disable(); /* Possible softirq */ - lock(&h->lhash2[i].lock); -*** Potential Deadlock *** - -process context: - -lock_acquire+0xcd/0x330 -_raw_spin_lock+0x33/0x40 -------> Acquire (bucket) lhash2.lock with BH enabled -__inet_hash+0x4b/0x210 -inet_csk_listen_start+0xe6/0x100 -inet_listen+0x95/0x1d0 -__sys_listen+0x69/0xb0 -__x64_sys_listen+0x14/0x20 -do_syscall_64+0x3c/0x90 -entry_SYSCALL_64_after_hwframe+0x72/0xdc - -bpf_sock_destroy run from iterator: - -lock_acquire+0xcd/0x330 -_raw_spin_lock+0x33/0x40 -------> Acquire (bucket) lhash2.lock with BH disabled -inet_unhash+0x9a/0x110 -tcp_set_state+0x6a/0x210 -tcp_abort+0x10d/0x200 -bpf_prog_6793c5ca50c43c0d_iter_tcp6_server+0xa4/0xa9 -bpf_iter_run_prog+0x1ff/0x340 -------> lock_sock_fast that acquires sock lock with BH disabled -bpf_iter_tcp_seq_show+0xca/0x190 -bpf_seq_read+0x177/0x450 - -``` - -Also, Yonghong reported a deadlock for non-listening TCP sockets that -this change resolves. Previously, `lock_sock_fast` held the sock spin -lock with BH which was again being acquired in `tcp_abort`: - -``` -watchdog: BUG: soft lockup - CPU#0 stuck for 86s! [test_progs:2331] -RIP: 0010:queued_spin_lock_slowpath+0xd8/0x500 -Call Trace: - - _raw_spin_lock+0x84/0x90 - tcp_abort+0x13c/0x1f0 - bpf_prog_88539c5453a9dd47_iter_tcp6_client+0x82/0x89 - bpf_iter_run_prog+0x1aa/0x2c0 - ? preempt_count_sub+0x1c/0xd0 - ? from_kuid_munged+0x1c8/0x210 - bpf_iter_tcp_seq_show+0x14e/0x1b0 - bpf_seq_read+0x36c/0x6a0 - -bpf_iter_tcp_seq_show - lock_sock_fast - __lock_sock_fast - spin_lock_bh(&sk->sk_lock.slock); - /* * Fast path return with bottom halves disabled and * sock::sk_lock.slock held.* */ - - ... - tcp_abort - local_bh_disable(); - spin_lock(&((sk)->sk_lock.slock)); // from bh_lock_sock(sk) - -``` - -With the switch to `lock_sock`, it calls `spin_unlock_bh` before returning: - -``` -lock_sock - lock_sock_nested - spin_lock_bh(&sk->sk_lock.slock); - : - spin_unlock_bh(&sk->sk_lock.slock); -``` - -Acked-by: Yonghong Song -Acked-by: Stanislav Fomichev -Signed-off-by: Aditi Ghag -Link: https://lore.kernel.org/r/20230519225157.760788-2-aditi.ghag@isovalent.com -Signed-off-by: Martin KaFai Lau -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 06d2573685ca9..434e5f0c8b99d 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -2963,7 +2963,6 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - struct bpf_iter_meta meta; - struct bpf_prog *prog; - struct sock *sk = v; -- bool slow; - uid_t uid; - int ret; - -@@ -2971,7 +2970,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - return 0; - - if (sk_fullsock(sk)) -- slow = lock_sock_fast(sk); -+ lock_sock(sk); - - if (unlikely(sk_unhashed(sk))) { - ret = SEQ_SKIP; -@@ -2995,7 +2994,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) - - unlock: - if (sk_fullsock(sk)) -- unlock_sock_fast(sk, slow); -+ release_sock(sk); - return ret; - - } --- -2.39.2 - diff --git a/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch deleted file mode 100644 index dbdfb4293d0..00000000000 --- a/queue-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 68931bfc8cda6272ea843dde9ba493d4a311b2a9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jul 2023 08:44:49 -0700 -Subject: bridge: Add extack warning when enabling STP in netns. - -From: Kuniyuki Iwashima - -[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ] - -When we create an L2 loop on a bridge in netns, we will see packets storm -even if STP is enabled. - - # unshare -n - # ip link add br0 type bridge - # ip link add veth0 type veth peer name veth1 - # ip link set veth0 master br0 up - # ip link set veth1 master br0 up - # ip link set br0 type bridge stp_state 1 - # ip link set br0 up - # sleep 30 - # ip -s link show br0 - 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 - link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff - RX: bytes packets errors dropped missed mcast - 956553768 12861249 0 0 0 12861249 <-. Keep - TX: bytes packets errors dropped carrier collsns | increasing - 1027834 11951 0 0 0 0 <-' rapidly - -This is because llc_rcv() drops all packets in non-root netns and BPDU -is dropped. - -Let's add extack warning when enabling STP in netns. - - # unshare -n - # ip link add br0 type bridge - # ip link set br0 type bridge stp_state 1 - Warning: bridge: STP does not work in non-root netns. - -Note this commit will be reverted later when we namespacify the whole LLC -infra. - -Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") -Suggested-by: Harry Coin -Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/ -Suggested-by: Ido Schimmel -Signed-off-by: Kuniyuki Iwashima -Acked-by: Nikolay Aleksandrov -Reviewed-by: Ido Schimmel -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/bridge/br_stp_if.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c -index 75204d36d7f90..b65962682771f 100644 ---- a/net/bridge/br_stp_if.c -+++ b/net/bridge/br_stp_if.c -@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, - { - ASSERT_RTNL(); - -+ if (!net_eq(dev_net(br->dev), &init_net)) -+ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns"); -+ - if (br_mrp_enabled(br)) { - NL_SET_ERR_MSG_MOD(extack, - "STP can't be enabled if MRP is already enabled"); --- -2.39.2 - diff --git a/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch b/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch deleted file mode 100644 index de7fca554bc..00000000000 --- a/queue-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch +++ /dev/null @@ -1,54 +0,0 @@ -From c753b330c41c8f311cd03dc8b18fcad6f947bf9e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 8 Jun 2023 11:27:45 +0100 -Subject: btrfs: abort transaction at update_ref_for_cow() when ref count is - zero - -From: Filipe Manana - -[ Upstream commit eced687e224eb3cc5a501cf53ad9291337c8dbc5 ] - -At update_ref_for_cow() we are calling btrfs_handle_fs_error() if we find -that the extent buffer has an unexpected ref count of zero, however we can -simply use btrfs_abort_transaction(), which achieves the same purposes: to -turn the fs to error state, abort the current transaction and turn the fs -to RO mode as well. Besides that, btrfs_abort_transaction() also prints a -stack trace which makes it more useful. - -Also, as this is a very unexpected situation, indicating a serious -corruption/inconsistency, tag the if branch as 'unlikely', set the error -code to -EUCLEAN instead of -EROFS, and log an explicit message. - -Reviewed-by: Qu Wenruo -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/ctree.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c -index 4912d624ca3d3..886e661a218fc 100644 ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -417,9 +417,13 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, - &refs, &flags); - if (ret) - return ret; -- if (refs == 0) { -- ret = -EROFS; -- btrfs_handle_fs_error(fs_info, ret, NULL); -+ if (unlikely(refs == 0)) { -+ btrfs_crit(fs_info, -+ "found 0 references for tree block at bytenr %llu level %d root %llu", -+ buf->start, btrfs_header_level(buf), -+ btrfs_root_id(root)); -+ ret = -EUCLEAN; -+ btrfs_abort_transaction(trans, ret); - return ret; - } - } else { --- -2.39.2 - diff --git a/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch b/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch deleted file mode 100644 index c885698bfa6..00000000000 --- a/queue-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 93a51f01a3ca362a5bc53e99086d6fb0fc922e23 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Apr 2023 00:06:02 +0200 -Subject: btrfs: add xxhash to fast checksum implementations - -From: David Sterba - -[ Upstream commit efcfcbc6a36195c42d98e0ee697baba36da94dc8 ] - -The implementation of XXHASH is now CPU only but still fast enough to be -considered for the synchronous checksumming, like non-generic crc32c. - -A userspace benchmark comparing it to various implementations (patched -hash-speedtest from btrfs-progs): - - Block size: 4096 - Iterations: 1000000 - Implementation: builtin - Units: CPU cycles - - NULL-NOP: cycles: 73384294, cycles/i 73 - NULL-MEMCPY: cycles: 228033868, cycles/i 228, 61664.320 MiB/s - CRC32C-ref: cycles: 24758559416, cycles/i 24758, 567.950 MiB/s - CRC32C-NI: cycles: 1194350470, cycles/i 1194, 11773.433 MiB/s - CRC32C-ADLERSW: cycles: 6150186216, cycles/i 6150, 2286.372 MiB/s - CRC32C-ADLERHW: cycles: 626979180, cycles/i 626, 22427.453 MiB/s - CRC32C-PCL: cycles: 466746732, cycles/i 466, 30126.699 MiB/s - XXHASH: cycles: 860656400, cycles/i 860, 16338.188 MiB/s - -Comparing purely software implementation (ref), current outdated -accelerated using crc32q instruction (NI), optimized implementations by -M. Adler (https://stackoverflow.com/questions/17645167/implementing-sse-4-2s-crc32c-in-software/17646775#17646775) -and the best one that was taken from kernel using the PCLMULQDQ -instruction (PCL). - -Reviewed-by: Christoph Hellwig -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/disk-io.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index fc59eb4024438..795b30913c542 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -2265,6 +2265,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type) - if (!strstr(crypto_shash_driver_name(csum_shash), "generic")) - set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); - break; -+ case BTRFS_CSUM_TYPE_XXHASH: -+ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); -+ break; - default: - break; - } --- -2.39.2 - diff --git a/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch b/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch deleted file mode 100644 index 18fbef7c2be..00000000000 --- a/queue-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch +++ /dev/null @@ -1,44 +0,0 @@ -From e73188bd438294cee72fe11e00cbce1b297072ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Jun 2023 08:13:23 +0200 -Subject: btrfs: be a bit more careful when setting mirror_num_ret in - btrfs_map_block - -From: Christoph Hellwig - -[ Upstream commit 4e7de35eb7d1a1d4f2dda15f39fbedd4798a0b8d ] - -The mirror_num_ret is allowed to be NULL, although it has to be set when -smap is set. Unfortunately that is not a well enough specifiable -invariant for static type checkers, so add a NULL check to make sure they -are fine. - -Fixes: 03793cbbc80f ("btrfs: add fast path for single device io in __btrfs_map_block") -Reported-by: Dan Carpenter -Reviewed-by: Qu Wenruo -Reviewed-by: Johannes Thumshirn -Signed-off-by: Christoph Hellwig -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/volumes.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c -index 5ec000813f047..436e15e3759da 100644 ---- a/fs/btrfs/volumes.c -+++ b/fs/btrfs/volumes.c -@@ -6399,7 +6399,8 @@ int __btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op, - (!need_full_stripe(op) || !dev_replace_is_ongoing || - !dev_replace->tgtdev)) { - set_io_stripe(smap, map, stripe_index, stripe_offset, stripe_nr); -- *mirror_num_ret = mirror_num; -+ if (mirror_num_ret) -+ *mirror_num_ret = mirror_num; - *bioc_ret = NULL; - ret = 0; - goto out; --- -2.39.2 - diff --git a/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch b/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch deleted file mode 100644 index 086953f047e..00000000000 --- a/queue-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 8fbd050e44cae916944b0ddd3139df91c9667f1e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 31 May 2023 08:04:56 +0200 -Subject: btrfs: don't check PageError in __extent_writepage - -From: Christoph Hellwig - -[ Upstream commit 3e92499e3b004baffb479d61e191b41b604ece9a ] - -__extent_writepage currenly sets PageError whenever any error happens, -and the also checks for PageError to decide if to call error handling. -This leads to very unclear responsibility for cleaning up on errors. -In the VM and generic writeback helpers the basic idea is that once -I/O is fired off all error handling responsibility is delegated to the -end I/O handler. But if that end I/O handler sets the PageError bit, -and the submitter checks it, the bit could in some cases leak into the -submission context for fast enough I/O. - -Fix this by simply not checking PageError and just using the local -ret variable to check for submission errors. This also fundamentally -solves the long problem documented in a comment in __extent_writepage -by never leaking the error bit into the submission context. - -Reviewed-by: Josef Bacik -Signed-off-by: Christoph Hellwig -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/extent_io.c | 33 +-------------------------------- - 1 file changed, 1 insertion(+), 32 deletions(-) - -diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c -index e3ae55d8bae14..a37a6587efaf0 100644 ---- a/fs/btrfs/extent_io.c -+++ b/fs/btrfs/extent_io.c -@@ -1592,38 +1592,7 @@ static int __extent_writepage(struct page *page, struct btrfs_bio_ctrl *bio_ctrl - set_page_writeback(page); - end_page_writeback(page); - } -- /* -- * Here we used to have a check for PageError() and then set @ret and -- * call end_extent_writepage(). -- * -- * But in fact setting @ret here will cause different error paths -- * between subpage and regular sectorsize. -- * -- * For regular page size, we never submit current page, but only add -- * current page to current bio. -- * The bio submission can only happen in next page. -- * Thus if we hit the PageError() branch, @ret is already set to -- * non-zero value and will not get updated for regular sectorsize. -- * -- * But for subpage case, it's possible we submit part of current page, -- * thus can get PageError() set by submitted bio of the same page, -- * while our @ret is still 0. -- * -- * So here we unify the behavior and don't set @ret. -- * Error can still be properly passed to higher layer as page will -- * be set error, here we just don't handle the IO failure. -- * -- * NOTE: This is just a hotfix for subpage. -- * The root fix will be properly ending ordered extent when we hit -- * an error during writeback. -- * -- * But that needs a bigger refactoring, as we not only need to grab the -- * submitted OE, but also need to know exactly at which bytenr we hit -- * the error. -- * Currently the full page based __extent_writepage_io() is not -- * capable of that. -- */ -- if (PageError(page)) -+ if (ret) - end_extent_writepage(page, ret, page_start, page_end); - unlock_page(page); - ASSERT(ret <= 0); --- -2.39.2 - diff --git a/queue-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch b/queue-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch deleted file mode 100644 index 4286ab29aad..00000000000 --- a/queue-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch +++ /dev/null @@ -1,38 +0,0 @@ -From b777d279ff31979add57e8a3f810bceb7ef0cfb7 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Mon, 3 Jul 2023 18:15:30 +0100 -Subject: btrfs: fix double iput() on inode after an error during orphan cleanup - -From: Filipe Manana - -commit b777d279ff31979add57e8a3f810bceb7ef0cfb7 upstream. - -At btrfs_orphan_cleanup(), if we were able to find the inode, we do an -iput() on the inode, then if btrfs_drop_verity_items() succeeds and then -either btrfs_start_transaction() or btrfs_del_orphan_item() fail, we do -another iput() in the respective error paths, resulting in an extra iput() -on the inode. - -Fix this by setting inode to NULL after the first iput(), as iput() -ignores a NULL inode pointer argument. - -Fixes: a13bb2c03848 ("btrfs: add missing iputs on orphan cleanup failure") -CC: stable@vger.kernel.org # 6.4 -Reviewed-by: Boris Burkov -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/inode.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -3618,6 +3618,7 @@ int btrfs_orphan_cleanup(struct btrfs_ro - if (inode) { - ret = btrfs_drop_verity_items(BTRFS_I(inode)); - iput(inode); -+ inode = NULL; - if (ret) - goto out; - } diff --git a/queue-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch b/queue-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch deleted file mode 100644 index f8422ed5b29..00000000000 --- a/queue-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch +++ /dev/null @@ -1,173 +0,0 @@ -From cbaee87f2ef628c10331b69a2f3def6bc32402d7 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Mon, 3 Jul 2023 18:15:31 +0100 -Subject: btrfs: fix iput() on error pointer after error during orphan cleanup - -From: Filipe Manana - -commit cbaee87f2ef628c10331b69a2f3def6bc32402d7 upstream. - -At btrfs_orphan_cleanup(), if we can't find an inode (btrfs_iget() returns -an -ENOENT error pointer), we proceed with 'ret' set to -ENOENT and the -inode pointer set to ERR_PTR(-ENOENT). Later when we proceed to the body -of the following if statement: - - if (ret == -ENOENT || inode->i_nlink) { - (...) - trans = btrfs_start_transaction(root, 1); - if (IS_ERR(trans)) { - ret = PTR_ERR(trans); - iput(inode); - goto out; - } - (...) - ret = btrfs_del_orphan_item(trans, root, - found_key.objectid); - btrfs_end_transaction(trans); - if (ret) { - iput(inode); - goto out; - } - continue; - } - -If we get an error from btrfs_start_transaction() or from the call to -btrfs_del_orphan_item() we end calling iput() against an inode pointer -that has a value of ERR_PTR(-ENOENT), resulting in a crash with the -following trace: - - [876.667] BUG: kernel NULL pointer dereference, address: 0000000000000096 - [876.667] #PF: supervisor read access in kernel mode - [876.667] #PF: error_code(0x0000) - not-present page - [876.667] PGD 0 P4D 0 - [876.668] Oops: 0000 [#1] PREEMPT SMP PTI - [876.668] CPU: 0 PID: 2356187 Comm: mount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 - [876.668] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 - [876.668] RIP: 0010:iput+0xa/0x20 - [876.668] Code: ff ff ff 66 (...) - [876.669] RSP: 0018:ffffafa9c0c9f9d0 EFLAGS: 00010282 - [876.669] RAX: ffffffffffffffe4 RBX: 000000000009453b RCX: 0000000000000000 - [876.669] RDX: 0000000000000001 RSI: ffffafa9c0c9f930 RDI: fffffffffffffffe - [876.669] RBP: ffff95c612f3b800 R08: 0000000000000001 R09: ffffffffffffffe4 - [876.670] R10: 00018f2a71010000 R11: 000000000ead96e3 R12: ffff95cb7d6909a0 - [876.670] R13: fffffffffffffffe R14: ffff95c60f477000 R15: 00000000ffffffe4 - [876.670] FS: 00007f5fbe30a840(0000) GS:ffff95ccdfa00000(0000) knlGS:0000000000000000 - [876.670] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [876.671] CR2: 0000000000000096 CR3: 000000055e9f6004 CR4: 0000000000370ef0 - [876.671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - [876.671] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - [876.672] Call Trace: - [876.744] - [876.744] ? __die_body+0x1b/0x60 - [876.744] ? page_fault_oops+0x15d/0x450 - [876.745] ? __kmem_cache_alloc_node+0x47/0x410 - [876.745] ? do_user_addr_fault+0x65/0x8a0 - [876.745] ? exc_page_fault+0x74/0x170 - [876.746] ? asm_exc_page_fault+0x22/0x30 - [876.746] ? iput+0xa/0x20 - [876.746] btrfs_orphan_cleanup+0x221/0x330 [btrfs] - [876.746] btrfs_lookup_dentry+0x58f/0x5f0 [btrfs] - [876.747] btrfs_lookup+0xe/0x30 [btrfs] - [876.747] __lookup_slow+0x82/0x130 - [876.785] walk_component+0xe5/0x160 - [876.786] path_lookupat.isra.0+0x6e/0x150 - [876.786] filename_lookup+0xcf/0x1a0 - [876.786] ? mod_objcg_state+0xd2/0x360 - [876.786] ? obj_cgroup_charge+0xf5/0x110 - [876.787] ? should_failslab+0xa/0x20 - [876.787] ? kmem_cache_alloc+0x47/0x450 - [876.787] vfs_path_lookup+0x51/0x90 - [876.788] mount_subtree+0x8d/0x130 - [876.788] btrfs_mount+0x149/0x410 [btrfs] - [876.788] ? __kmem_cache_alloc_node+0x47/0x410 - [876.788] ? vfs_parse_fs_param+0xc0/0x110 - [876.789] legacy_get_tree+0x24/0x50 - [876.834] vfs_get_tree+0x22/0xd0 - [876.852] path_mount+0x2d8/0x9c0 - [876.852] do_mount+0x79/0x90 - [876.852] __x64_sys_mount+0x8e/0xd0 - [876.853] do_syscall_64+0x38/0x90 - [876.899] entry_SYSCALL_64_after_hwframe+0x72/0xdc - [876.958] RIP: 0033:0x7f5fbe50b76a - [876.959] Code: 48 8b 0d a9 (...) - [876.959] RSP: 002b:00007fff01925798 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 - [876.959] RAX: ffffffffffffffda RBX: 00007f5fbe694264 RCX: 00007f5fbe50b76a - [876.960] RDX: 0000561bde6c8720 RSI: 0000561bde6bdec0 RDI: 0000561bde6c31a0 - [876.960] RBP: 0000561bde6bdc70 R08: 0000000000000000 R09: 0000000000000001 - [876.960] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 - [876.960] R13: 0000561bde6c31a0 R14: 0000561bde6c8720 R15: 0000561bde6bdc70 - [876.960] - -So fix this by setting 'inode' to NULL whenever we get an error from -btrfs_iget(), and to make the code simpler, stop testing for 'ret' being --ENOENT to check if we have an inode - instead test for 'inode' being NULL -or not. Having a NULL 'inode' prevents any iput() call from crashing, as -iput() ignores NULL inode pointers. Also, stop testing for a NULL return -value from btrfs_iget() with PTR_ERR_OR_ZERO(), because btrfs_iget() never -returns NULL - in case an inode is not found, it returns ERR_PTR(-ENOENT), -and in case of memory allocation failure, it returns ERR_PTR(-ENOMEM). -We also don't need the extra iput() calls on the error branches for the -btrfs_start_transaction() and btrfs_del_orphan_item() calls, as we have -already called iput() before, so remove them. - -Fixes: a13bb2c03848 ("btrfs: add missing iputs on orphan cleanup failure") -CC: stable@vger.kernel.org # 6.4 -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/inode.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -3546,11 +3546,14 @@ int btrfs_orphan_cleanup(struct btrfs_ro - found_key.type = BTRFS_INODE_ITEM_KEY; - found_key.offset = 0; - inode = btrfs_iget(fs_info->sb, last_objectid, root); -- ret = PTR_ERR_OR_ZERO(inode); -- if (ret && ret != -ENOENT) -- goto out; -+ if (IS_ERR(inode)) { -+ ret = PTR_ERR(inode); -+ inode = NULL; -+ if (ret != -ENOENT) -+ goto out; -+ } - -- if (ret == -ENOENT && root == fs_info->tree_root) { -+ if (!inode && root == fs_info->tree_root) { - struct btrfs_root *dead_root; - int is_dead_root = 0; - -@@ -3611,8 +3614,8 @@ int btrfs_orphan_cleanup(struct btrfs_ro - * deleted but wasn't. The inode number may have been reused, - * but either way, we can delete the orphan item. - */ -- if (ret == -ENOENT || inode->i_nlink) { -- if (!ret) { -+ if (!inode || inode->i_nlink) { -+ if (inode) { - ret = btrfs_drop_verity_items(BTRFS_I(inode)); - iput(inode); - if (ret) -@@ -3621,7 +3624,6 @@ int btrfs_orphan_cleanup(struct btrfs_ro - trans = btrfs_start_transaction(root, 1); - if (IS_ERR(trans)) { - ret = PTR_ERR(trans); -- iput(inode); - goto out; - } - btrfs_debug(fs_info, "auto deleting %Lu", -@@ -3629,10 +3631,8 @@ int btrfs_orphan_cleanup(struct btrfs_ro - ret = btrfs_del_orphan_item(trans, root, - found_key.objectid); - btrfs_end_transaction(trans); -- if (ret) { -- iput(inode); -+ if (ret) - goto out; -- } - continue; - } - diff --git a/queue-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch b/queue-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch deleted file mode 100644 index 4723e94616d..00000000000 --- a/queue-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch +++ /dev/null @@ -1,96 +0,0 @@ -From b19c98f237cd76981aaded52c258ce93f7daa8cb Mon Sep 17 00:00:00 2001 -From: Josef Bacik -Date: Fri, 23 Jun 2023 01:05:41 -0400 -Subject: btrfs: fix race between balance and cancel/pause - -From: Josef Bacik - -commit b19c98f237cd76981aaded52c258ce93f7daa8cb upstream. - -Syzbot reported a panic that looks like this: - - assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 - ------------[ cut here ]------------ - kernel BUG at fs/btrfs/messages.c:259! - RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 - Call Trace: - - btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] - btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] - btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 - vfs_ioctl fs/ioctl.c:51 [inline] - __do_sys_ioctl fs/ioctl.c:870 [inline] - __se_sys_ioctl fs/ioctl.c:856 [inline] - __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -The reproducer is running a balance and a cancel or pause in parallel. -The way balance finishes is a bit wonky, if we were paused we need to -save the balance_ctl in the fs_info, but clear it otherwise and cleanup. -However we rely on the return values being specific errors, or having a -cancel request or no pause request. If balance completes and returns 0, -but we have a pause or cancel request we won't do the appropriate -cleanup, and then the next time we try to start a balance we'll trip -this ASSERT. - -The error handling is just wrong here, we always want to clean up, -unless we got -ECANCELLED and we set the appropriate pause flag in the -exclusive op. With this patch the reproducer ran for an hour without -tripping, previously it would trip in less than a few minutes. - -Reported-by: syzbot+c0f3acf145cb465426d5@syzkaller.appspotmail.com -CC: stable@vger.kernel.org # 6.1+ -Signed-off-by: Josef Bacik -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/volumes.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - ---- a/fs/btrfs/volumes.c -+++ b/fs/btrfs/volumes.c -@@ -4071,14 +4071,6 @@ static int alloc_profile_is_valid(u64 fl - return has_single_bit_set(flags); - } - --static inline int balance_need_close(struct btrfs_fs_info *fs_info) --{ -- /* cancel requested || normal exit path */ -- return atomic_read(&fs_info->balance_cancel_req) || -- (atomic_read(&fs_info->balance_pause_req) == 0 && -- atomic_read(&fs_info->balance_cancel_req) == 0); --} -- - /* - * Validate target profile against allowed profiles and return true if it's OK. - * Otherwise print the error message and return false. -@@ -4268,6 +4260,7 @@ int btrfs_balance(struct btrfs_fs_info * - u64 num_devices; - unsigned seq; - bool reducing_redundancy; -+ bool paused = false; - int i; - - if (btrfs_fs_closing(fs_info) || -@@ -4398,6 +4391,7 @@ int btrfs_balance(struct btrfs_fs_info * - if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { - btrfs_info(fs_info, "balance: paused"); - btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); -+ paused = true; - } - /* - * Balance can be canceled by: -@@ -4426,8 +4420,8 @@ int btrfs_balance(struct btrfs_fs_info * - btrfs_update_ioctl_balance_args(fs_info, bargs); - } - -- if ((ret && ret != -ECANCELED && ret != -ENOSPC) || -- balance_need_close(fs_info)) { -+ /* We didn't pause, we can clean everything up. */ -+ if (!paused) { - reset_balance_state(fs_info); - btrfs_exclop_finish(fs_info); - } diff --git a/queue-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/queue-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch deleted file mode 100644 index bd3953815bd..00000000000 --- a/queue-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch +++ /dev/null @@ -1,89 +0,0 @@ -From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Fri, 14 Jul 2023 13:42:06 +0100 -Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort - -From: Filipe Manana - -commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. - -If we have a transaction abort with qgroups enabled we get a warning -triggered when doing the final put on the transaction, like this: - - [552.6789] ------------[ cut here ]------------ - [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6817] Modules linked in: btrfs blake2b_generic xor (...) - [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 - [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 - [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6821] Code: bd a0 01 00 (...) - [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 - [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 - [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 - [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 - [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 - [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 - [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 - [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 - [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - [552.6822] Call Trace: - [552.6822] - [552.6822] ? __warn+0x80/0x130 - [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6824] ? report_bug+0x1f4/0x200 - [552.6824] ? handle_bug+0x42/0x70 - [552.6824] ? exc_invalid_op+0x14/0x70 - [552.6824] ? asm_exc_invalid_op+0x16/0x20 - [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] - [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] - [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 - [552.6828] ? try_to_wake_up+0x94/0x5e0 - [552.6828] ? __pfx_process_timeout+0x10/0x10 - [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] - [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] - [552.6832] kthread+0xee/0x120 - [552.6832] ? __pfx_kthread+0x10/0x10 - [552.6832] ret_from_fork+0x29/0x50 - [552.6832] - [552.6832] ---[ end trace 0000000000000000 ]--- - -This corresponds to this line of code: - - void btrfs_put_transaction(struct btrfs_transaction *transaction) - { - (...) - WARN_ON(!RB_EMPTY_ROOT( - &transaction->delayed_refs.dirty_extent_root)); - (...) - } - -The warning happens because btrfs_qgroup_destroy_extent_records(), called -in the transaction abort path, we free all entries from the rbtree -"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we -don't actually empty the rbtree - it's still pointing to nodes that were -freed. - -So set the rbtree's root node to NULL to avoid this warning (assign -RB_ROOT). - -Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") -CC: stable@vger.kernel.org # 5.10+ -Reviewed-by: Josef Bacik -Reviewed-by: Qu Wenruo -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/qgroup.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/qgroup.c -+++ b/fs/btrfs/qgroup.c -@@ -4433,4 +4433,5 @@ void btrfs_qgroup_destroy_extent_records - ulist_free(entry->old_roots); - kfree(entry); - } -+ *root = RB_ROOT; - } diff --git a/queue-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch b/queue-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch deleted file mode 100644 index 37434664335..00000000000 --- a/queue-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 486c737f7fdc0c3f6464cf27ede811daec2769a1 Mon Sep 17 00:00:00 2001 -From: Qu Wenruo -Date: Fri, 30 Jun 2023 08:56:40 +0800 -Subject: btrfs: raid56: always verify the P/Q contents for scrub - -From: Qu Wenruo - -commit 486c737f7fdc0c3f6464cf27ede811daec2769a1 upstream. - -[REGRESSION] -Commit 75b470332965 ("btrfs: raid56: migrate recovery and scrub recovery -path to use error_bitmap") changed the behavior of scrub_rbio(). - -Initially if we have no error reading the raid bio, we will assign -@need_check to true, then finish_parity_scrub() would later verify the -content of P/Q stripes before writeback. - -But after that commit we never verify the content of P/Q stripes and -just writeback them. - -This can lead to unrepaired P/Q stripes during scrub, or already -corrupted P/Q copied to the dev-replace target. - -[FIX] -The situation is more complex than the regression, in fact the initial -behavior is not 100% correct either. - -If we have the following rare case, it can still lead to the same -problem using the old behavior: - - 0 16K 32K 48K 64K - Data 1: |IIIIIII| | - Data 2: | | - Parity: | |CCCCCCC| | - -Where "I" means IO error, "C" means corruption. - -In the above case, we're scrubbing the parity stripe, then read out all -the contents of Data 1, Data 2, Parity stripes. - -But found IO error in Data 1, which leads to rebuild using Data 2 and -Parity and got the correct data. - -In that case, we would not verify if the Parity is correct for range -[16K, 32K). - -So here we have to always verify the content of Parity no matter if we -did recovery or not. - -This patch would remove the @need_check parameter of -finish_parity_scrub() completely, and would always do the P/Q -verification before writeback. - -Fixes: 75b470332965 ("btrfs: raid56: migrate recovery and scrub recovery path to use error_bitmap") -CC: stable@vger.kernel.org # 6.2+ -Signed-off-by: Qu Wenruo -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/raid56.c | 11 +++-------- - 1 file changed, 3 insertions(+), 8 deletions(-) - ---- a/fs/btrfs/raid56.c -+++ b/fs/btrfs/raid56.c -@@ -71,7 +71,7 @@ static void rmw_rbio_work_locked(struct - static void index_rbio_pages(struct btrfs_raid_bio *rbio); - static int alloc_rbio_pages(struct btrfs_raid_bio *rbio); - --static int finish_parity_scrub(struct btrfs_raid_bio *rbio, int need_check); -+static int finish_parity_scrub(struct btrfs_raid_bio *rbio); - static void scrub_rbio_work_locked(struct work_struct *work); - - static void free_raid_bio_pointers(struct btrfs_raid_bio *rbio) -@@ -2404,7 +2404,7 @@ static int alloc_rbio_essential_pages(st - return 0; - } - --static int finish_parity_scrub(struct btrfs_raid_bio *rbio, int need_check) -+static int finish_parity_scrub(struct btrfs_raid_bio *rbio) - { - struct btrfs_io_context *bioc = rbio->bioc; - const u32 sectorsize = bioc->fs_info->sectorsize; -@@ -2445,9 +2445,6 @@ static int finish_parity_scrub(struct bt - */ - clear_bit(RBIO_CACHE_READY_BIT, &rbio->flags); - -- if (!need_check) -- goto writeback; -- - p_sector.page = alloc_page(GFP_NOFS); - if (!p_sector.page) - return -ENOMEM; -@@ -2516,7 +2513,6 @@ static int finish_parity_scrub(struct bt - q_sector.page = NULL; - } - --writeback: - /* - * time to start writing. Make bios for everything from the - * higher layers (the bio_list in our rbio) and our p/q. Ignore -@@ -2699,7 +2695,6 @@ static int scrub_assemble_read_bios(stru - - static void scrub_rbio(struct btrfs_raid_bio *rbio) - { -- bool need_check = false; - int sector_nr; - int ret; - -@@ -2722,7 +2717,7 @@ static void scrub_rbio(struct btrfs_raid - * We have every sector properly prepared. Can finish the scrub - * and writeback the good content. - */ -- ret = finish_parity_scrub(rbio, need_check); -+ ret = finish_parity_scrub(rbio); - wait_event(rbio->io_wait, atomic_read(&rbio->stripes_pending) == 0); - for (sector_nr = 0; sector_nr < rbio->stripe_nsectors; sector_nr++) { - int found_errors; diff --git a/queue-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch b/queue-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch deleted file mode 100644 index db129c6473f..00000000000 --- a/queue-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 17b17fcd6d446b95904a6929c40012ee7f0afc0c Mon Sep 17 00:00:00 2001 -From: Josef Bacik -Date: Wed, 12 Jul 2023 12:44:12 -0400 -Subject: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand - -From: Josef Bacik - -commit 17b17fcd6d446b95904a6929c40012ee7f0afc0c upstream. - -While trying to get the subpage blocksize tests running, I hit the -following panic on generic/476 - - assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 - kernel BUG at fs/btrfs/subpage.c:229! - Internal error: Oops - BUG: 00000000f2000800 [#1] SMP - CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 - Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 - pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) - pc : btrfs_subpage_assert+0xbc/0xf0 - lr : btrfs_subpage_assert+0xbc/0xf0 - Call trace: - btrfs_subpage_assert+0xbc/0xf0 - btrfs_subpage_clear_checked+0x38/0xc0 - btrfs_page_clear_checked+0x48/0x98 - btrfs_truncate_block+0x5d0/0x6a8 - btrfs_cont_expand+0x5c/0x528 - btrfs_write_check.isra.0+0xf8/0x150 - btrfs_buffered_write+0xb4/0x760 - btrfs_do_write_iter+0x2f8/0x4b0 - btrfs_file_write_iter+0x1c/0x30 - do_iter_readv_writev+0xc8/0x158 - do_iter_write+0x9c/0x210 - vfs_iter_write+0x24/0x40 - iter_file_splice_write+0x224/0x390 - direct_splice_actor+0x38/0x68 - splice_direct_to_actor+0x12c/0x260 - do_splice_direct+0x90/0xe8 - generic_copy_file_range+0x50/0x90 - vfs_copy_file_range+0x29c/0x470 - __arm64_sys_copy_file_range+0xcc/0x498 - invoke_syscall.constprop.0+0x80/0xd8 - do_el0_svc+0x6c/0x168 - el0_svc+0x50/0x1b0 - el0t_64_sync_handler+0x114/0x120 - el0t_64_sync+0x194/0x198 - -This happens because during btrfs_cont_expand we'll get a page, set it -as mapped, and if it's not Uptodate we'll read it. However between the -read and re-locking the page we could have called release_folio() on the -page, but left the page in the file mapping. release_folio() can clear -the page private, and thus further down we blow up when we go to modify -the subpage bits. - -Fix this by putting the set_page_extent_mapped() after the read. This -is safe because read_folio() will call set_page_extent_mapped() before -it does the read, and then if we clear page private but leave it on the -mapping we're completely safe re-setting set_page_extent_mapped(). With -this patch I can now run generic/476 without panicing. - -CC: stable@vger.kernel.org # 6.1+ -Reviewed-by: Christoph Hellwig -Signed-off-by: Josef Bacik -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/inode.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -4734,9 +4734,6 @@ again: - ret = -ENOMEM; - goto out; - } -- ret = set_page_extent_mapped(page); -- if (ret < 0) -- goto out_unlock; - - if (!PageUptodate(page)) { - ret = btrfs_read_folio(NULL, page_folio(page)); -@@ -4751,6 +4748,17 @@ again: - goto out_unlock; - } - } -+ -+ /* -+ * We unlock the page after the io is completed and then re-lock it -+ * above. release_folio() could have come in between that and cleared -+ * PagePrivate(), but left the page in the mapping. Set the page mapped -+ * here to make sure it's properly set for the subpage stuff. -+ */ -+ ret = set_page_extent_mapped(page); -+ if (ret < 0) -+ goto out_unlock; -+ - wait_on_page_writeback(page); - - lock_extent(io_tree, block_start, block_end, &cached_state); diff --git a/queue-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/queue-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch deleted file mode 100644 index a32631ad3e0..00000000000 --- a/queue-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Mon, 3 Jul 2023 12:03:21 +0100 -Subject: btrfs: zoned: fix memory leak after finding block group with super blocks - -From: Filipe Manana - -commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream. - -At exclude_super_stripes(), if we happen to find a block group that has -super blocks mapped to it and we are on a zoned filesystem, we error out -as this is not supposed to happen, indicating either a bug or maybe some -memory corruption for example. However we are exiting the function without -freeing the memory allocated for the logical address of the super blocks. -Fix this by freeing the logical address. - -Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") -CC: stable@vger.kernel.org # 5.10+ -Reviewed-by: Johannes Thumshirn -Reviewed-by: Anand Jain -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/block-group.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/block-group.c -+++ b/fs/btrfs/block-group.c -@@ -2084,6 +2084,7 @@ static int exclude_super_stripes(struct - - /* Shouldn't have super stripes in sequential zones */ - if (zoned && nr) { -+ kfree(logical); - btrfs_err(fs_info, - "zoned: block group %llu must not contain super block", - cache->start); diff --git a/queue-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch b/queue-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch deleted file mode 100644 index 5aad27d3ae2..00000000000 --- a/queue-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 -From: YueHaibing -Date: Sat, 15 Jul 2023 17:25:43 +0800 -Subject: can: bcm: Fix UAF in bcm_proc_show() - -From: YueHaibing - -commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. - -BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 -Read of size 8 at addr ffff888155846230 by task cat/7862 - -CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 -Call Trace: - - dump_stack_lvl+0xd5/0x150 - print_report+0xc1/0x5e0 - kasan_report+0xba/0xf0 - bcm_proc_show+0x969/0xa80 - seq_read_iter+0x4f6/0x1260 - seq_read+0x165/0x210 - proc_reg_read+0x227/0x300 - vfs_read+0x1d5/0x8d0 - ksys_read+0x11e/0x240 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Allocated by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - __kasan_kmalloc+0x9e/0xa0 - bcm_sendmsg+0x264b/0x44e0 - sock_sendmsg+0xda/0x180 - ____sys_sendmsg+0x735/0x920 - ___sys_sendmsg+0x11d/0x1b0 - __sys_sendmsg+0xfa/0x1d0 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Freed by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - kasan_save_free_info+0x27/0x40 - ____kasan_slab_free+0x161/0x1c0 - slab_free_freelist_hook+0x119/0x220 - __kmem_cache_free+0xb4/0x2e0 - rcu_core+0x809/0x1bd0 - -bcm_op is freed before procfs entry be removed in bcm_release(), -this lead to bcm_proc_show() may read the freed bcm_op. - -Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") -Signed-off-by: YueHaibing -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/bcm.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -1526,6 +1526,12 @@ static int bcm_release(struct socket *so - - lock_sock(sk); - -+#if IS_ENABLED(CONFIG_PROC_FS) -+ /* remove procfs entry */ -+ if (net->can.bcmproc_dir && bo->bcm_proc_read) -+ remove_proc_entry(bo->procname, net->can.bcmproc_dir); -+#endif /* CONFIG_PROC_FS */ -+ - list_for_each_entry_safe(op, next, &bo->tx_ops, list) - bcm_remove_op(op); - -@@ -1561,12 +1567,6 @@ static int bcm_release(struct socket *so - list_for_each_entry_safe(op, next, &bo->rx_ops, list) - bcm_remove_op(op); - --#if IS_ENABLED(CONFIG_PROC_FS) -- /* remove procfs entry */ -- if (net->can.bcmproc_dir && bo->bcm_proc_read) -- remove_proc_entry(bo->procname, net->can.bcmproc_dir); --#endif /* CONFIG_PROC_FS */ -- - /* remove device reference */ - if (bo->bound) { - bo->bound = 0; diff --git a/queue-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch b/queue-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch deleted file mode 100644 index 1a0198cea43..00000000000 --- a/queue-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch +++ /dev/null @@ -1,292 +0,0 @@ -From 5886e4d5ecec3e22844efed90b2dd383ef804b3a Mon Sep 17 00:00:00 2001 -From: Marc Kleine-Budde -Date: Fri, 7 Jul 2023 18:44:23 +0200 -Subject: can: gs_usb: fix time stamp counter initialization - -From: Marc Kleine-Budde - -commit 5886e4d5ecec3e22844efed90b2dd383ef804b3a upstream. - -If the gs_usb device driver is unloaded (or unbound) before the -interface is shut down, the USB stack first calls the struct -usb_driver::disconnect and then the struct net_device_ops::ndo_stop -callback. - -In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more -RX'ed CAN frames are send from the USB device to the host. Later in -gs_can_close() a reset control message is send to each CAN channel to -remove the controller from the CAN bus. In this race window the USB -device can still receive CAN frames from the bus and internally queue -them to be send to the host. - -At least in the current version of the candlelight firmware, the queue -of received CAN frames is not emptied during the reset command. After -loading (or binding) the gs_usb driver, new URBs are submitted during -the struct net_device_ops::ndo_open callback and the candlelight -firmware starts sending its already queued CAN frames to the host. - -However, this scenario was not considered when implementing the -hardware timestamp function. The cycle counter/time counter -infrastructure is set up (gs_usb_timestamp_init()) after the USBs are -submitted, resulting in a NULL pointer dereference if -timecounter_cyc2time() (via the call chain: -gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> -gs_usb_skb_set_timestamp()) is called too early. - -Move the gs_usb_timestamp_init() function before the URBs are -submitted to fix this problem. - -For a comprehensive solution, we need to consider gs_usb devices with -more than 1 channel. The cycle counter/time counter infrastructure is -setup per channel, but the RX URBs are per device. Once gs_can_open() -of _a_ channel has been called, and URBs have been submitted, the -gs_usb_receive_bulk_callback() can be called for _all_ available -channels, even for channels that are not running, yet. As cycle -counter/time counter has not set up, this will again lead to a NULL -pointer dereference. - -Convert the cycle counter/time counter from a "per channel" to a "per -device" functionality. Also set it up, before submitting any URBs to -the device. - -Further in gs_usb_receive_bulk_callback(), don't process any URBs for -not started CAN channels, only resubmit the URB. - -Fixes: 45dfa45f52e6 ("can: gs_usb: add RX and TX hardware timestamp support") -Closes: https://github.com/candle-usb/candleLight_fw/issues/137#issuecomment-1623532076 -Cc: stable@vger.kernel.org -Cc: John Whittington -Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-2-9017cefcd9d5@pengutronix.de -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/can/usb/gs_usb.c | 101 ++++++++++++++++++++++--------------------- - 1 file changed, 53 insertions(+), 48 deletions(-) - ---- a/drivers/net/can/usb/gs_usb.c -+++ b/drivers/net/can/usb/gs_usb.c -@@ -303,12 +303,6 @@ struct gs_can { - struct can_bittiming_const bt_const, data_bt_const; - unsigned int channel; /* channel number */ - -- /* time counter for hardware timestamps */ -- struct cyclecounter cc; -- struct timecounter tc; -- spinlock_t tc_lock; /* spinlock to guard access tc->cycle_last */ -- struct delayed_work timestamp; -- - u32 feature; - unsigned int hf_size_tx; - -@@ -325,6 +319,13 @@ struct gs_usb { - struct gs_can *canch[GS_MAX_INTF]; - struct usb_anchor rx_submitted; - struct usb_device *udev; -+ -+ /* time counter for hardware timestamps */ -+ struct cyclecounter cc; -+ struct timecounter tc; -+ spinlock_t tc_lock; /* spinlock to guard access tc->cycle_last */ -+ struct delayed_work timestamp; -+ - unsigned int hf_size_rx; - u8 active_channels; - }; -@@ -388,15 +389,15 @@ static int gs_cmd_reset(struct gs_can *d - GFP_KERNEL); - } - --static inline int gs_usb_get_timestamp(const struct gs_can *dev, -+static inline int gs_usb_get_timestamp(const struct gs_usb *parent, - u32 *timestamp_p) - { - __le32 timestamp; - int rc; - -- rc = usb_control_msg_recv(dev->udev, 0, GS_USB_BREQ_TIMESTAMP, -+ rc = usb_control_msg_recv(parent->udev, 0, GS_USB_BREQ_TIMESTAMP, - USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE, -- dev->channel, 0, -+ 0, 0, - ×tamp, sizeof(timestamp), - USB_CTRL_GET_TIMEOUT, - GFP_KERNEL); -@@ -410,20 +411,20 @@ static inline int gs_usb_get_timestamp(c - - static u64 gs_usb_timestamp_read(const struct cyclecounter *cc) __must_hold(&dev->tc_lock) - { -- struct gs_can *dev = container_of(cc, struct gs_can, cc); -+ struct gs_usb *parent = container_of(cc, struct gs_usb, cc); - u32 timestamp = 0; - int err; - -- lockdep_assert_held(&dev->tc_lock); -+ lockdep_assert_held(&parent->tc_lock); - - /* drop lock for synchronous USB transfer */ -- spin_unlock_bh(&dev->tc_lock); -- err = gs_usb_get_timestamp(dev, ×tamp); -- spin_lock_bh(&dev->tc_lock); -+ spin_unlock_bh(&parent->tc_lock); -+ err = gs_usb_get_timestamp(parent, ×tamp); -+ spin_lock_bh(&parent->tc_lock); - if (err) -- netdev_err(dev->netdev, -- "Error %d while reading timestamp. HW timestamps may be inaccurate.", -- err); -+ dev_err(&parent->udev->dev, -+ "Error %d while reading timestamp. HW timestamps may be inaccurate.", -+ err); - - return timestamp; - } -@@ -431,14 +432,14 @@ static u64 gs_usb_timestamp_read(const s - static void gs_usb_timestamp_work(struct work_struct *work) - { - struct delayed_work *delayed_work = to_delayed_work(work); -- struct gs_can *dev; -+ struct gs_usb *parent; - -- dev = container_of(delayed_work, struct gs_can, timestamp); -- spin_lock_bh(&dev->tc_lock); -- timecounter_read(&dev->tc); -- spin_unlock_bh(&dev->tc_lock); -+ parent = container_of(delayed_work, struct gs_usb, timestamp); -+ spin_lock_bh(&parent->tc_lock); -+ timecounter_read(&parent->tc); -+ spin_unlock_bh(&parent->tc_lock); - -- schedule_delayed_work(&dev->timestamp, -+ schedule_delayed_work(&parent->timestamp, - GS_USB_TIMESTAMP_WORK_DELAY_SEC * HZ); - } - -@@ -446,37 +447,38 @@ static void gs_usb_skb_set_timestamp(str - struct sk_buff *skb, u32 timestamp) - { - struct skb_shared_hwtstamps *hwtstamps = skb_hwtstamps(skb); -+ struct gs_usb *parent = dev->parent; - u64 ns; - -- spin_lock_bh(&dev->tc_lock); -- ns = timecounter_cyc2time(&dev->tc, timestamp); -- spin_unlock_bh(&dev->tc_lock); -+ spin_lock_bh(&parent->tc_lock); -+ ns = timecounter_cyc2time(&parent->tc, timestamp); -+ spin_unlock_bh(&parent->tc_lock); - - hwtstamps->hwtstamp = ns_to_ktime(ns); - } - --static void gs_usb_timestamp_init(struct gs_can *dev) -+static void gs_usb_timestamp_init(struct gs_usb *parent) - { -- struct cyclecounter *cc = &dev->cc; -+ struct cyclecounter *cc = &parent->cc; - - cc->read = gs_usb_timestamp_read; - cc->mask = CYCLECOUNTER_MASK(32); - cc->shift = 32 - bits_per(NSEC_PER_SEC / GS_USB_TIMESTAMP_TIMER_HZ); - cc->mult = clocksource_hz2mult(GS_USB_TIMESTAMP_TIMER_HZ, cc->shift); - -- spin_lock_init(&dev->tc_lock); -- spin_lock_bh(&dev->tc_lock); -- timecounter_init(&dev->tc, &dev->cc, ktime_get_real_ns()); -- spin_unlock_bh(&dev->tc_lock); -+ spin_lock_init(&parent->tc_lock); -+ spin_lock_bh(&parent->tc_lock); -+ timecounter_init(&parent->tc, &parent->cc, ktime_get_real_ns()); -+ spin_unlock_bh(&parent->tc_lock); - -- INIT_DELAYED_WORK(&dev->timestamp, gs_usb_timestamp_work); -- schedule_delayed_work(&dev->timestamp, -+ INIT_DELAYED_WORK(&parent->timestamp, gs_usb_timestamp_work); -+ schedule_delayed_work(&parent->timestamp, - GS_USB_TIMESTAMP_WORK_DELAY_SEC * HZ); - } - --static void gs_usb_timestamp_stop(struct gs_can *dev) -+static void gs_usb_timestamp_stop(struct gs_usb *parent) - { -- cancel_delayed_work_sync(&dev->timestamp); -+ cancel_delayed_work_sync(&parent->timestamp); - } - - static void gs_update_state(struct gs_can *dev, struct can_frame *cf) -@@ -560,6 +562,9 @@ static void gs_usb_receive_bulk_callback - if (!netif_device_present(netdev)) - return; - -+ if (!netif_running(netdev)) -+ goto resubmit_urb; -+ - if (hf->echo_id == -1) { /* normal rx */ - if (hf->flags & GS_CAN_FLAG_FD) { - skb = alloc_canfd_skb(dev->netdev, &cfd); -@@ -856,6 +861,9 @@ static int gs_can_open(struct net_device - } - - if (!parent->active_channels) { -+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) -+ gs_usb_timestamp_init(parent); -+ - for (i = 0; i < GS_MAX_RX_URBS; i++) { - u8 *buf; - -@@ -926,13 +934,9 @@ static int gs_can_open(struct net_device - flags |= GS_CAN_MODE_FD; - - /* if hardware supports timestamps, enable it */ -- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) { -+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) - flags |= GS_CAN_MODE_HW_TIMESTAMP; - -- /* start polling timestamp */ -- gs_usb_timestamp_init(dev); -- } -- - /* finally start device */ - dev->can.state = CAN_STATE_ERROR_ACTIVE; - dm.flags = cpu_to_le32(flags); -@@ -942,8 +946,6 @@ static int gs_can_open(struct net_device - GFP_KERNEL); - if (rc) { - netdev_err(netdev, "Couldn't start device (err=%d)\n", rc); -- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) -- gs_usb_timestamp_stop(dev); - dev->can.state = CAN_STATE_STOPPED; - - goto out_usb_kill_anchored_urbs; -@@ -960,9 +962,13 @@ out_usb_unanchor_urb: - out_usb_free_urb: - usb_free_urb(urb); - out_usb_kill_anchored_urbs: -- if (!parent->active_channels) -+ if (!parent->active_channels) { - usb_kill_anchored_urbs(&dev->tx_submitted); - -+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) -+ gs_usb_timestamp_stop(parent); -+ } -+ - close_candev(netdev); - - return rc; -@@ -1011,14 +1017,13 @@ static int gs_can_close(struct net_devic - - netif_stop_queue(netdev); - -- /* stop polling timestamp */ -- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) -- gs_usb_timestamp_stop(dev); -- - /* Stop polling */ - parent->active_channels--; - if (!parent->active_channels) { - usb_kill_anchored_urbs(&parent->rx_submitted); -+ -+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) -+ gs_usb_timestamp_stop(parent); - } - - /* Stop sending URBs */ diff --git a/queue-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch b/queue-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch deleted file mode 100644 index 0deda172526..00000000000 --- a/queue-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 2603be9e8167ddc7bea95dcfab9ffc33414215aa Mon Sep 17 00:00:00 2001 -From: Marc Kleine-Budde -Date: Fri, 7 Jul 2023 13:43:10 +0200 -Subject: can: gs_usb: gs_can_open(): improve error handling - -From: Marc Kleine-Budde - -commit 2603be9e8167ddc7bea95dcfab9ffc33414215aa upstream. - -The gs_usb driver handles USB devices with more than 1 CAN channel. -The RX path for all channels share the same bulk endpoint (the -transmitted bulk data encodes the channel number). These per-device -resources are allocated and submitted by the first opened channel. - -During this allocation, the resources are either released immediately -in case of a failure or the URBs are anchored. All anchored URBs are -finally killed with gs_usb_disconnect(). - -Currently, gs_can_open() returns with an error if the allocation of a -URB or a buffer fails. However, if usb_submit_urb() fails, the driver -continues with the URBs submitted so far, even if no URBs were -successfully submitted. - -Treat every error as fatal and free all allocated resources -immediately. - -Switch to goto-style error handling, to prepare the driver for more -per-device resource allocation. - -Cc: stable@vger.kernel.org -Cc: John Whittington -Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-1-9017cefcd9d5@pengutronix.de -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/can/usb/gs_usb.c | 31 ++++++++++++++++++++++--------- - 1 file changed, 22 insertions(+), 9 deletions(-) - ---- a/drivers/net/can/usb/gs_usb.c -+++ b/drivers/net/can/usb/gs_usb.c -@@ -833,6 +833,7 @@ static int gs_can_open(struct net_device - .mode = cpu_to_le32(GS_CAN_MODE_START), - }; - struct gs_host_frame *hf; -+ struct urb *urb = NULL; - u32 ctrlmode; - u32 flags = 0; - int rc, i; -@@ -856,13 +857,14 @@ static int gs_can_open(struct net_device - - if (!parent->active_channels) { - for (i = 0; i < GS_MAX_RX_URBS; i++) { -- struct urb *urb; - u8 *buf; - - /* alloc rx urb */ - urb = usb_alloc_urb(0, GFP_KERNEL); -- if (!urb) -- return -ENOMEM; -+ if (!urb) { -+ rc = -ENOMEM; -+ goto out_usb_kill_anchored_urbs; -+ } - - /* alloc rx buffer */ - buf = kmalloc(dev->parent->hf_size_rx, -@@ -870,8 +872,8 @@ static int gs_can_open(struct net_device - if (!buf) { - netdev_err(netdev, - "No memory left for USB buffer\n"); -- usb_free_urb(urb); -- return -ENOMEM; -+ rc = -ENOMEM; -+ goto out_usb_free_urb; - } - - /* fill, anchor, and submit rx urb */ -@@ -894,9 +896,7 @@ static int gs_can_open(struct net_device - netdev_err(netdev, - "usb_submit failed (err=%d)\n", rc); - -- usb_unanchor_urb(urb); -- usb_free_urb(urb); -- break; -+ goto out_usb_unanchor_urb; - } - - /* Drop reference, -@@ -945,7 +945,8 @@ static int gs_can_open(struct net_device - if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) - gs_usb_timestamp_stop(dev); - dev->can.state = CAN_STATE_STOPPED; -- return rc; -+ -+ goto out_usb_kill_anchored_urbs; - } - - parent->active_channels++; -@@ -953,6 +954,18 @@ static int gs_can_open(struct net_device - netif_start_queue(netdev); - - return 0; -+ -+out_usb_unanchor_urb: -+ usb_unanchor_urb(urb); -+out_usb_free_urb: -+ usb_free_urb(urb); -+out_usb_kill_anchored_urbs: -+ if (!parent->active_channels) -+ usb_kill_anchored_urbs(&dev->tx_submitted); -+ -+ close_candev(netdev); -+ -+ return rc; - } - - static int gs_usb_get_state(const struct net_device *netdev, diff --git a/queue-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch b/queue-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch deleted file mode 100644 index e554d4718c6..00000000000 --- a/queue-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 9efa1a5407e81265ea502cab83be4de503decc49 Mon Sep 17 00:00:00 2001 -From: Fedor Ross -Date: Thu, 4 May 2023 21:50:59 +0200 -Subject: can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout - -From: Fedor Ross - -commit 9efa1a5407e81265ea502cab83be4de503decc49 upstream. - -The mcp251xfd controller needs an idle bus to enter 'Normal CAN 2.0 -mode' or . The maximum length of a CAN frame is 736 bits (64 data -bytes, CAN-FD, EFF mode, worst case bit stuffing and interframe -spacing). For low bit rates like 10 kbit/s the arbitrarily chosen -MCP251XFD_POLL_TIMEOUT_US of 1 ms is too small. - -Otherwise during polling for the CAN controller to enter 'Normal CAN -2.0 mode' the timeout limit is exceeded and the configuration fails -with: - -| $ ip link set dev can1 up type can bitrate 10000 -| [ 731.911072] mcp251xfd spi2.1 can1: Controller failed to enter mode CAN 2.0 Mode (6) and stays in Configuration Mode (4) (con=0x068b0760, osc=0x00000468). -| [ 731.927192] mcp251xfd spi2.1 can1: CRC read error at address 0x0e0c (length=4, data=00 00 00 00, CRC=0x0000) retrying. -| [ 731.938101] A link change request failed with some changes committed already. Interface can1 may have been left with an inconsistent configuration, please check. -| RTNETLINK answers: Connection timed out - -Make MCP251XFD_POLL_TIMEOUT_US timeout calculation dynamic. Use -maximum of 1ms and bit time of 1 full 64 data bytes CAN-FD frame in -EFF mode, worst case bit stuffing and interframe spacing at the -current bit rate. - -For easier backporting define the macro MCP251XFD_FRAME_LEN_MAX_BITS -that holds the max frame length in bits, which is 736. This can be -replaced by can_frame_bits(true, true, true, true, CANFD_MAX_DLEN) in -a cleanup patch later. - -Fixes: 55e5b97f003e8 ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") -Signed-off-by: Fedor Ross -Signed-off-by: Marek Vasut -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/all/20230717-mcp251xfd-fix-increase-poll-timeout-v5-1-06600f34c684@pengutronix.de -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 10 ++++++++-- - drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 1 + - 2 files changed, 9 insertions(+), 2 deletions(-) - ---- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c -+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c -@@ -227,6 +227,8 @@ static int - __mcp251xfd_chip_set_mode(const struct mcp251xfd_priv *priv, - const u8 mode_req, bool nowait) - { -+ const struct can_bittiming *bt = &priv->can.bittiming; -+ unsigned long timeout_us = MCP251XFD_POLL_TIMEOUT_US; - u32 con = 0, con_reqop, osc = 0; - u8 mode; - int err; -@@ -246,12 +248,16 @@ __mcp251xfd_chip_set_mode(const struct m - if (mode_req == MCP251XFD_REG_CON_MODE_SLEEP || nowait) - return 0; - -+ if (bt->bitrate) -+ timeout_us = max_t(unsigned long, timeout_us, -+ MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC / -+ bt->bitrate); -+ - err = regmap_read_poll_timeout(priv->map_reg, MCP251XFD_REG_CON, con, - !mcp251xfd_reg_invalid(con) && - FIELD_GET(MCP251XFD_REG_CON_OPMOD_MASK, - con) == mode_req, -- MCP251XFD_POLL_SLEEP_US, -- MCP251XFD_POLL_TIMEOUT_US); -+ MCP251XFD_POLL_SLEEP_US, timeout_us); - if (err != -ETIMEDOUT && err != -EBADMSG) - return err; - ---- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h -+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h -@@ -387,6 +387,7 @@ static_assert(MCP251XFD_TIMESTAMP_WORK_D - #define MCP251XFD_OSC_STAB_TIMEOUT_US (10 * MCP251XFD_OSC_STAB_SLEEP_US) - #define MCP251XFD_POLL_SLEEP_US (10) - #define MCP251XFD_POLL_TIMEOUT_US (USEC_PER_MSEC) -+#define MCP251XFD_FRAME_LEN_MAX_BITS (736) - - /* Misc */ - #define MCP251XFD_NAPI_WEIGHT 32 diff --git a/queue-6.4/can-raw-fix-receiver-memory-leak.patch b/queue-6.4/can-raw-fix-receiver-memory-leak.patch deleted file mode 100644 index 7096dff2c77..00000000000 --- a/queue-6.4/can-raw-fix-receiver-memory-leak.patch +++ /dev/null @@ -1,233 +0,0 @@ -From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 -From: Ziyang Xuan -Date: Tue, 11 Jul 2023 09:17:37 +0800 -Subject: can: raw: fix receiver memory leak - -From: Ziyang Xuan - -commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. - -Got kmemleak errors with the following ltp can_filter testcase: - -for ((i=1; i<=100; i++)) -do - ./can_filter & - sleep 0.1 -done - -============================================================== -[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] -[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] -[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 -[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 -[<00000000fd468496>] do_syscall_64+0x33/0x40 -[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -It's a bug in the concurrent scenario of unregister_netdevice_many() -and raw_release() as following: - - cpu0 cpu1 -unregister_netdevice_many(can_dev) - unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this - net_set_todo(can_dev) - raw_release(can_socket) - dev = dev_get_by_index(, ro->ifindex); // dev == NULL - if (dev) { // receivers in dev_rcv_lists not free because dev is NULL - raw_disable_allfilters(, dev, ); - dev_put(dev); - } - ... - ro->bound = 0; - ... - -call_netdevice_notifiers(NETDEV_UNREGISTER, ) - raw_notify(, NETDEV_UNREGISTER, ) - if (ro->bound) // invalid because ro->bound has been set 0 - raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed - -Add a net_device pointer member in struct raw_sock to record bound -can_dev, and use rtnl_lock to serialize raw_socket members between -raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use -ro->dev to decide whether to free receivers in dev_rcv_lists. - -Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Signed-off-by: Ziyang Xuan -Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- - 1 file changed, 24 insertions(+), 33 deletions(-) - ---- a/net/can/raw.c -+++ b/net/can/raw.c -@@ -84,6 +84,7 @@ struct raw_sock { - struct sock sk; - int bound; - int ifindex; -+ struct net_device *dev; - struct list_head notifier; - int loopback; - int recv_own_msgs; -@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * - if (!net_eq(dev_net(dev), sock_net(sk))) - return; - -- if (ro->ifindex != dev->ifindex) -+ if (ro->dev != dev) - return; - - switch (msg) { -@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - release_sock(sk); - -@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) - - ro->bound = 0; - ro->ifindex = 0; -+ ro->dev = NULL; - - /* set default filter to single entry dfilter */ - ro->dfilter.can_id = 0; -@@ -385,19 +388,13 @@ static int raw_release(struct socket *so - - lock_sock(sk); - -+ rtnl_lock(); - /* remove current filters & unregister */ - if (ro->bound) { -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - - if (ro->count > 1) -@@ -405,8 +402,10 @@ static int raw_release(struct socket *so - - ro->ifindex = 0; - ro->bound = 0; -+ ro->dev = NULL; - ro->count = 0; - free_percpu(ro->uniq); -+ rtnl_unlock(); - - sock_orphan(sk); - sock->sk = NULL; -@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, - struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; - struct sock *sk = sock->sk; - struct raw_sock *ro = raw_sk(sk); -+ struct net_device *dev = NULL; - int ifindex; - int err = 0; - int notify_enetdown = 0; -@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, - if (addr->can_family != AF_CAN) - return -EINVAL; - -+ rtnl_lock(); - lock_sock(sk); - - if (ro->bound && addr->can_ifindex == ro->ifindex) - goto out; - - if (addr->can_ifindex) { -- struct net_device *dev; -- - dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); - if (!dev) { - err = -ENODEV; -@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, - if (!err) { - if (ro->bound) { - /* unregister old filters */ -- if (ro->ifindex) { -- struct net_device *dev; -- -- dev = dev_get_by_index(sock_net(sk), -- ro->ifindex); -- if (dev) { -- raw_disable_allfilters(dev_net(dev), -- dev, sk); -- dev_put(dev); -- } -- } else { -+ if (ro->dev) -+ raw_disable_allfilters(dev_net(ro->dev), -+ ro->dev, sk); -+ else - raw_disable_allfilters(sock_net(sk), NULL, sk); -- } - } - ro->ifindex = ifindex; - ro->bound = 1; -+ ro->dev = dev; - } - - out: - release_sock(sk); -+ rtnl_unlock(); - - if (notify_enetdown) { - sk->sk_err = ENETDOWN; -@@ -553,9 +546,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - if (count > 1) - kfree(filter); - err = -ENODEV; -@@ -596,7 +589,6 @@ static int raw_setsockopt(struct socket - ro->count = count; - - out_fil: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - -@@ -614,9 +606,9 @@ static int raw_setsockopt(struct socket - rtnl_lock(); - lock_sock(sk); - -- if (ro->bound && ro->ifindex) { -- dev = dev_get_by_index(sock_net(sk), ro->ifindex); -- if (!dev) { -+ dev = ro->dev; -+ if (ro->bound && dev) { -+ if (dev->reg_state != NETREG_REGISTERED) { - err = -ENODEV; - goto out_err; - } -@@ -640,7 +632,6 @@ static int raw_setsockopt(struct socket - ro->err_mask = err_mask; - - out_err: -- dev_put(dev); - release_sock(sk); - rtnl_unlock(); - diff --git a/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch b/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch deleted file mode 100644 index f6b11cf8fff..00000000000 --- a/queue-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 5f515044a667882b557d2f1c1ecb6ccdf5886305 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 14 Jul 2023 08:56:33 +0000 -Subject: cifs: fix mid leak during reconnection after timeout threshold - -From: Shyam Prasad N - -[ Upstream commit 69cba9d3c1284e0838ae408830a02c4a063104bc ] - -When the number of responses with status of STATUS_IO_TIMEOUT -exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect -the connection. But we do not return the mid, or the credits -returned for the mid, or reduce the number of in-flight requests. - -This bug could result in the server->in_flight count to go bad, -and also cause a leak in the mids. - -This change moves the check to a few lines below where the -response is decrypted, even of the response is read from the -transform header. This way, the code for returning the mids -can be reused. - -Also, the cifs_reconnect was reconnecting just the transport -connection before. In case of multi-channel, this may not be -what we want to do after several timeouts. Changed that to -reconnect the session and the tree too. - -Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name -MAX_STATUS_IO_TIMEOUT. - -Fixes: 8e670f77c4a5 ("Handle STATUS_IO_TIMEOUT gracefully") -Signed-off-by: Shyam Prasad N -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/smb/client/connect.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c -index d9f0b3b94f007..853209268f507 100644 ---- a/fs/smb/client/connect.c -+++ b/fs/smb/client/connect.c -@@ -60,7 +60,7 @@ extern bool disable_legacy_dialects; - #define TLINK_IDLE_EXPIRE (600 * HZ) - - /* Drop the connection to not overload the server */ --#define NUM_STATUS_IO_TIMEOUT 5 -+#define MAX_STATUS_IO_TIMEOUT 5 - - static int ip_connect(struct TCP_Server_Info *server); - static int generic_ip_connect(struct TCP_Server_Info *server); -@@ -1117,6 +1117,7 @@ cifs_demultiplex_thread(void *p) - struct mid_q_entry *mids[MAX_COMPOUND]; - char *bufs[MAX_COMPOUND]; - unsigned int noreclaim_flag, num_io_timeout = 0; -+ bool pending_reconnect = false; - - noreclaim_flag = memalloc_noreclaim_save(); - cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); -@@ -1156,6 +1157,8 @@ cifs_demultiplex_thread(void *p) - cifs_dbg(FYI, "RFC1002 header 0x%x\n", pdu_length); - if (!is_smb_response(server, buf[0])) - continue; -+ -+ pending_reconnect = false; - next_pdu: - server->pdu_size = pdu_length; - -@@ -1213,10 +1216,13 @@ cifs_demultiplex_thread(void *p) - if (server->ops->is_status_io_timeout && - server->ops->is_status_io_timeout(buf)) { - num_io_timeout++; -- if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { -- cifs_reconnect(server, false); -+ if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { -+ cifs_server_dbg(VFS, -+ "Number of request timeouts exceeded %d. Reconnecting", -+ MAX_STATUS_IO_TIMEOUT); -+ -+ pending_reconnect = true; - num_io_timeout = 0; -- continue; - } - } - -@@ -1263,6 +1269,11 @@ cifs_demultiplex_thread(void *p) - buf = server->smallbuf; - goto next_pdu; - } -+ -+ /* do this reconnect at the very end after processing all MIDs */ -+ if (pending_reconnect) -+ cifs_reconnect(server, true); -+ - } /* end while !EXITING */ - - /* buffer usually freed in free_mid - need to free it here on exit */ --- -2.39.2 - diff --git a/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch b/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch deleted file mode 100644 index 984ca233654..00000000000 --- a/queue-6.4/devlink-make-health-report-on-unregistered-instance-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From ffed50746946c408ab88d16ea7c730798e9e312c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 18:55:23 -0700 -Subject: devlink: make health report on unregistered instance warn just once - -From: Jakub Kicinski - -[ Upstream commit 6f4b98147b8dfcabacb19b5c6abd087af66d0049 ] - -Devlink health is involved in error recovery. Machines in bad -state tend to be fairly unreliable, and occasionally get stuck -in error loops. Even with a reasonable grace period devlink health -may get a thousand reports in an hour. - -In case of reporting on an unregistered devlink instance -the subsequent reports don't add much value. Switch to -WARN_ON_ONCE() to avoid flooding dmesg and fleet monitoring -dashboards. - -Reviewed-by: Jiri Pirko -Link: https://lore.kernel.org/r/20230531015523.48961-1-kuba@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/devlink/health.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/devlink/health.c b/net/devlink/health.c -index 0839706d5741a..194340a8bb863 100644 ---- a/net/devlink/health.c -+++ b/net/devlink/health.c -@@ -480,7 +480,7 @@ static void devlink_recover_notify(struct devlink_health_reporter *reporter, - int err; - - WARN_ON(cmd != DEVLINK_CMD_HEALTH_REPORTER_RECOVER); -- WARN_ON(!xa_get_mark(&devlinks, devlink->index, DEVLINK_REGISTERED)); -+ ASSERT_DEVLINK_REGISTERED(devlink); - - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); - if (!msg) --- -2.39.2 - diff --git a/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch b/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch deleted file mode 100644 index f46677d8d6a..00000000000 --- a/queue-6.4/devlink-report-devlink_port_type_warn-source-device.patch +++ /dev/null @@ -1,77 +0,0 @@ -From efc47b3052db7de925bb43d839f0d060039cac0e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 11:54:47 +0200 -Subject: devlink: report devlink_port_type_warn source device - -From: Petr Oros - -[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] - -devlink_port_type_warn is scheduled for port devlink and warning -when the port type is not set. But from this warning it is not easy -found out which device (driver) has no devlink port set. - -[ 3709.975552] Type was not set for devlink port. -[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 -[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm -[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse -[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 -[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 -[ 3710.108437] Workqueue: events devlink_port_type_warn -[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 -[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 -[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 -[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 -[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 -[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 -[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 -[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 -[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 -[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 -[ 3710.108456] PKRU: 55555554 -[ 3710.108457] Call Trace: -[ 3710.108458] -[ 3710.108459] process_one_work+0x1e2/0x3b0 -[ 3710.108466] ? rescuer_thread+0x390/0x390 -[ 3710.108468] worker_thread+0x50/0x3a0 -[ 3710.108471] ? rescuer_thread+0x390/0x390 -[ 3710.108473] kthread+0xdd/0x100 -[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 -[ 3710.108479] ret_from_fork+0x1f/0x30 -[ 3710.108485] -[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- - -After patch: -[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. -[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. - -Signed-off-by: Petr Oros -Reviewed-by: Pavan Chebbi -Reviewed-by: Jakub Kicinski -Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/devlink/leftover.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c -index cd02549680767..790e61b2a9404 100644 ---- a/net/devlink/leftover.c -+++ b/net/devlink/leftover.c -@@ -6772,7 +6772,10 @@ void devlink_notify_unregister(struct devlink *devlink) - - static void devlink_port_type_warn(struct work_struct *work) - { -- WARN(true, "Type was not set for devlink port."); -+ struct devlink_port *port = container_of(to_delayed_work(work), -+ struct devlink_port, -+ type_warn_dw); -+ dev_warn(port->devlink->dev, "Type was not set for devlink port."); - } - - static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) --- -2.39.2 - diff --git a/queue-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch b/queue-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch deleted file mode 100644 index f19af73fc66..00000000000 --- a/queue-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 05abb3be91d8788328231ee02973ab3d47f5e3d2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= -Date: Thu, 13 Jul 2023 22:47:45 +0300 -Subject: dma-buf/dma-resv: Stop leaking on krealloc() failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ville Syrjälä - -commit 05abb3be91d8788328231ee02973ab3d47f5e3d2 upstream. - -Currently dma_resv_get_fences() will leak the previously -allocated array if the fence iteration got restarted and -the krealloc_array() fails. - -Free the old array by hand, and make sure we still clear -the returned *fences so the caller won't end up accessing -freed memory. Some (but not all) of the callers of -dma_resv_get_fences() seem to still trawl through the -array even when dma_resv_get_fences() failed. And let's -zero out *num_fences as well for good measure. - -Cc: Sumit Semwal -Cc: Christian König -Cc: linux-media@vger.kernel.org -Cc: dri-devel@lists.freedesktop.org -Cc: linaro-mm-sig@lists.linaro.org -Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3") -Signed-off-by: Ville Syrjälä -Reviewed-by: Christian König -Cc: stable@vger.kernel.org -Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.com -Signed-off-by: Christian König -Signed-off-by: Greg Kroah-Hartman ---- - drivers/dma-buf/dma-resv.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/drivers/dma-buf/dma-resv.c -+++ b/drivers/dma-buf/dma-resv.c -@@ -571,6 +571,7 @@ int dma_resv_get_fences(struct dma_resv - dma_resv_for_each_fence_unlocked(&cursor, fence) { - - if (dma_resv_iter_is_restarted(&cursor)) { -+ struct dma_fence **new_fences; - unsigned int count; - - while (*num_fences) -@@ -579,13 +580,17 @@ int dma_resv_get_fences(struct dma_resv - count = cursor.num_fences + 1; - - /* Eventually re-allocate the array */ -- *fences = krealloc_array(*fences, count, -- sizeof(void *), -- GFP_KERNEL); -- if (count && !*fences) { -+ new_fences = krealloc_array(*fences, count, -+ sizeof(void *), -+ GFP_KERNEL); -+ if (count && !new_fences) { -+ kfree(*fences); -+ *fences = NULL; -+ *num_fences = 0; - dma_resv_iter_end(&cursor); - return -ENOMEM; - } -+ *fences = new_fences; - } - - (*fences)[(*num_fences)++] = dma_fence_get(fence); diff --git a/queue-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch b/queue-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch deleted file mode 100644 index 36d7d6bdfa9..00000000000 --- a/queue-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5a25cefc0920088bb9afafeb80ad3dcd84fe278b Mon Sep 17 00:00:00 2001 -From: Taimur Hassan -Date: Tue, 20 Jun 2023 17:00:28 -0400 -Subject: drm/amd/display: check TG is non-null before checking if enabled - -From: Taimur Hassan - -commit 5a25cefc0920088bb9afafeb80ad3dcd84fe278b upstream. - -[Why & How] -If there is no TG allocation we can dereference a NULL pointer when -checking if the TG is enabled. - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Nicholas Kazlauskas -Acked-by: Alan Liu -Signed-off-by: Taimur Hassan -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c -@@ -3309,7 +3309,8 @@ void dcn10_wait_for_mpcc_disconnect( - if (pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst]) { - struct hubp *hubp = get_hubp_by_inst(res_pool, mpcc_inst); - -- if (pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) -+ if (pipe_ctx->stream_res.tg && -+ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) - res_pool->mpc->funcs->wait_for_idle(res_pool->mpc, mpcc_inst); - pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst] = false; - hubp->funcs->set_blank(hubp, true); diff --git a/queue-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/queue-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch deleted file mode 100644 index 6b589736210..00000000000 --- a/queue-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001 -From: Zhikai Zhai -Date: Fri, 30 Jun 2023 11:35:14 +0800 -Subject: drm/amd/display: Disable MPC split by default on special asic - -From: Zhikai Zhai - -commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream. - -[WHY] -All of pipes will be used when the MPC split enable on the dcn -which just has 2 pipes. Then MPO enter will trigger the minimal -transition which need programe dcn from 2 pipes MPC split to 2 -pipes MPO. This action will cause lag if happen frequently. - -[HOW] -Disable the MPC split for the platform which dcn resource is limited - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Alvin Lee -Acked-by: Alan Liu -Signed-off-by: Zhikai Zhai -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c -@@ -65,7 +65,7 @@ static const struct dc_debug_options deb - .timing_trace = false, - .clock_trace = true, - .disable_pplib_clock_request = true, -- .pipe_split_policy = MPC_SPLIT_DYNAMIC, -+ .pipe_split_policy = MPC_SPLIT_AVOID, - .force_single_disp_pipe_split = false, - .disable_dcc = DCC_ENABLE, - .vsr_support = true, diff --git a/queue-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/queue-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch deleted file mode 100644 index 0f5dc5b7106..00000000000 --- a/queue-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001 -From: Nicholas Kazlauskas -Date: Thu, 29 Jun 2023 10:35:59 -0400 -Subject: drm/amd/display: Keep PHY active for DP displays on DCN31 - -From: Nicholas Kazlauskas - -commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream. - -[Why & How] -Port of a change that went into DCN314 to keep the PHY enabled -when we have a connected and active DP display. - -The PHY can hang if PHY refclk is disabled inadvertently. - -Cc: Mario Limonciello -Cc: Alex Deucher -Cc: stable@vger.kernel.org -Reviewed-by: Josip Pavic -Acked-by: Alan Liu -Signed-off-by: Nicholas Kazlauskas -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c -+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c -@@ -87,6 +87,11 @@ static int dcn31_get_active_display_cnt_ - stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK || - stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK) - tmds_present = true; -+ -+ /* Checking stream / link detection ensuring that PHY is active*/ -+ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off) -+ display_count++; -+ - } - - for (i = 0; i < dc->link_count; i++) { diff --git a/queue-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch b/queue-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch deleted file mode 100644 index f1e0c6a71d6..00000000000 --- a/queue-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1ca67aba8d11c2849d395013e1fdce02918d5657 Mon Sep 17 00:00:00 2001 -From: Simon Ser -Date: Wed, 21 Jun 2023 17:24:59 -0300 -Subject: drm/amd/display: only accept async flips for fast updates -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Simon Ser - -commit 1ca67aba8d11c2849d395013e1fdce02918d5657 upstream. - -Up until now, amdgpu was silently degrading to vsync when -user-space requested an async flip but the hardware didn't support -it. - -The hardware doesn't support immediate flips when the update changes -the FB pitch, the DCC state, the rotation, enables or disables CRTCs -or planes, etc. This is reflected in the dm_crtc_state.update_type -field: UPDATE_TYPE_FAST means that immediate flip is supported. - -Silently degrading async flips to vsync is not the expected behavior -from a uAPI point-of-view. Xorg expects async flips to fail if -unsupported, to be able to fall back to a blit. i915 already behaves -this way. - -This patch aligns amdgpu with uAPI expectations and returns a failure -when an async flip is not possible. - -Signed-off-by: Simon Ser -Reviewed-by: André Almeida -Reviewed-by: Alex Deucher -Reviewed-by: Harry Wentland -Signed-off-by: André Almeida -Signed-off-by: Hamza Mahfooz -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++++ - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 12 ++++++++++++ - 2 files changed, 20 insertions(+) - ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -@@ -8055,7 +8055,15 @@ static void amdgpu_dm_commit_planes(stru - * Only allow immediate flips for fast updates that don't - * change memory domain, FB pitch, DCC state, rotation or - * mirroring. -+ * -+ * dm_crtc_helper_atomic_check() only accepts async flips with -+ * fast updates. - */ -+ if (crtc->state->async_flip && -+ acrtc_state->update_type != UPDATE_TYPE_FAST) -+ drm_warn_once(state->dev, -+ "[PLANE:%d:%s] async flip with non-fast update\n", -+ plane->base.id, plane->name); - bundle->flip_addrs[planes_count].flip_immediate = - crtc->state->async_flip && - acrtc_state->update_type == UPDATE_TYPE_FAST && ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c -@@ -398,6 +398,18 @@ static int dm_crtc_helper_atomic_check(s - return -EINVAL; - } - -+ /* -+ * Only allow async flips for fast updates that don't change the FB -+ * pitch, the DCC state, rotation, etc. -+ */ -+ if (crtc_state->async_flip && -+ dm_crtc_state->update_type != UPDATE_TYPE_FAST) { -+ drm_dbg_atomic(crtc->dev, -+ "[CRTC:%d:%s] async flips are only supported for fast updates\n", -+ crtc->base.id, crtc->name); -+ return -EINVAL; -+ } -+ - /* In some use cases, like reset, no stream is attached */ - if (!dm_crtc_state->stream) - return 0; diff --git a/queue-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch b/queue-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch deleted file mode 100644 index e03c027ce19..00000000000 --- a/queue-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a4eb11824170d742531998f4ebd1c6a18b63db47 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Tue, 13 Jun 2023 12:15:38 -0400 -Subject: drm/amdgpu/pm: make gfxclock consistent for sienna cichlid - -From: Alex Deucher - -commit a4eb11824170d742531998f4ebd1c6a18b63db47 upstream. - -Use average gfxclock for consistency with other dGPUs. - -Reviewed-by: Kenneth Feng -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org # 6.1.x -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c -+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c -@@ -1927,12 +1927,16 @@ static int sienna_cichlid_read_sensor(st - *size = 4; - break; - case AMDGPU_PP_SENSOR_GFX_MCLK: -- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_UCLK, (uint32_t *)data); -+ ret = sienna_cichlid_get_smu_metrics_data(smu, -+ METRICS_CURR_UCLK, -+ (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; - break; - case AMDGPU_PP_SENSOR_GFX_SCLK: -- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_GFXCLK, (uint32_t *)data); -+ ret = sienna_cichlid_get_smu_metrics_data(smu, -+ METRICS_AVERAGE_GFXCLK, -+ (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; - break; diff --git a/queue-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch b/queue-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch deleted file mode 100644 index 27426d1dce5..00000000000 --- a/queue-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Tue, 13 Jun 2023 12:36:17 -0400 -Subject: drm/amdgpu/pm: make mclk consistent for smu 13.0.7 - -From: Alex Deucher - -commit 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 upstream. - -Use current uclk to be consistent with other dGPUs. - -Reviewed-by: Kenneth Feng -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org # 6.1.x -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c -+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c -@@ -940,7 +940,7 @@ static int smu_v13_0_7_read_sensor(struc - break; - case AMDGPU_PP_SENSOR_GFX_MCLK: - ret = smu_v13_0_7_get_smu_metrics_data(smu, -- METRICS_AVERAGE_UCLK, -+ METRICS_CURR_UCLK, - (uint32_t *)data); - *(uint32_t *)data *= 100; - *size = 4; diff --git a/queue-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch b/queue-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch deleted file mode 100644 index d26cdf175ba..00000000000 --- a/queue-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch +++ /dev/null @@ -1,101 +0,0 @@ -From b42ae87a7b3878afaf4c3852ca66c025a5b996e0 Mon Sep 17 00:00:00 2001 -From: Guchun Chen -Date: Thu, 6 Jul 2023 15:57:21 +0800 -Subject: drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Guchun Chen - -commit b42ae87a7b3878afaf4c3852ca66c025a5b996e0 upstream. - -In below thousands of screen rotation loop tests with virtual display -enabled, a CPU hard lockup issue may happen, leading system to unresponsive -and crash. - -do { - xrandr --output Virtual --rotate inverted - xrandr --output Virtual --rotate right - xrandr --output Virtual --rotate left - xrandr --output Virtual --rotate normal -} while (1); - -NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 - -? hrtimer_run_softirq+0x140/0x140 -? store_vblank+0xe0/0xe0 [drm] -hrtimer_cancel+0x15/0x30 -amdgpu_vkms_disable_vblank+0x15/0x30 [amdgpu] -drm_vblank_disable_and_save+0x185/0x1f0 [drm] -drm_crtc_vblank_off+0x159/0x4c0 [drm] -? record_print_text.cold+0x11/0x11 -? wait_for_completion_timeout+0x232/0x280 -? drm_crtc_wait_one_vblank+0x40/0x40 [drm] -? bit_wait_io_timeout+0xe0/0xe0 -? wait_for_completion_interruptible+0x1d7/0x320 -? mutex_unlock+0x81/0xd0 -amdgpu_vkms_crtc_atomic_disable - -It's caused by a stuck in lock dependency in such scenario on different -CPUs. - -CPU1 CPU2 -drm_crtc_vblank_off hrtimer_interrupt - grab event_lock (irq disabled) __hrtimer_run_queues - grab vbl_lock/vblank_time_block amdgpu_vkms_vblank_simulate - amdgpu_vkms_disable_vblank drm_handle_vblank - hrtimer_cancel grab dev->event_lock - -So CPU1 stucks in hrtimer_cancel as timer callback is running endless on -current clock base, as that timer queue on CPU2 has no chance to finish it -because of failing to hold the lock. So NMI watchdog will throw the errors -after its threshold, and all later CPUs are impacted/blocked. - -So use hrtimer_try_to_cancel to fix this, as disable_vblank callback -does not need to wait the handler to finish. And also it's not necessary -to check the return value of hrtimer_try_to_cancel, because even if it's --1 which means current timer callback is running, it will be reprogrammed -in hrtimer_start with calling enable_vblank to make it works. - -v2: only re-arm timer when vblank is enabled (Christian) and add a Fixes -tag as well - -v3: drop warn printing (Christian) - -v4: drop superfluous check of blank->enabled in timer function, as it's -guaranteed in drm_handle_vblank (Christian) - -Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)") -Cc: stable@vger.kernel.org -Suggested-by: Christian König -Signed-off-by: Guchun Chen -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c -@@ -55,8 +55,9 @@ static enum hrtimer_restart amdgpu_vkms_ - DRM_WARN("%s: vblank timer overrun\n", __func__); - - ret = drm_crtc_handle_vblank(crtc); -+ /* Don't queue timer again when vblank is disabled. */ - if (!ret) -- DRM_ERROR("amdgpu_vkms failure on handling vblank"); -+ return HRTIMER_NORESTART; - - return HRTIMER_RESTART; - } -@@ -81,7 +82,7 @@ static void amdgpu_vkms_disable_vblank(s - { - struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); - -- hrtimer_cancel(&amdgpu_crtc->vblank_timer); -+ hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer); - } - - static bool amdgpu_vkms_get_vblank_timestamp(struct drm_crtc *crtc, diff --git a/queue-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/queue-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch deleted file mode 100644 index a9ac372f0a0..00000000000 --- a/queue-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001 -From: Jocelyn Falempe -Date: Tue, 11 Jul 2023 11:20:44 +0200 -Subject: drm/client: Fix memory leak in drm_client_modeset_probe - -From: Jocelyn Falempe - -commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream. - -When a new mode is set to modeset->mode, the previous mode should be freed. -This fixes the following kmemleak report: - -drm_mode_duplicate+0x45/0x220 [drm] -drm_client_modeset_probe+0x944/0xf50 [drm] -__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] -drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] -drm_client_register+0x169/0x240 [drm] -ast_pci_probe+0x142/0x190 [ast] -local_pci_probe+0xdc/0x180 -work_for_cpu_fn+0x4e/0xa0 -process_one_work+0x8b7/0x1540 -worker_thread+0x70a/0xed0 -kthread+0x29f/0x340 -ret_from_fork+0x1f/0x30 - -cc: -Reported-by: Zhang Yi -Signed-off-by: Jocelyn Falempe -Reviewed-by: Javier Martinez Canillas -Reviewed-by: Thomas Zimmermann -Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_client_modeset.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/gpu/drm/drm_client_modeset.c -+++ b/drivers/gpu/drm/drm_client_modeset.c -@@ -867,6 +867,7 @@ int drm_client_modeset_probe(struct drm_ - break; - } - -+ kfree(modeset->mode); - modeset->mode = drm_mode_duplicate(dev, mode); - drm_connector_get(connector); - modeset->connectors[modeset->num_connectors++] = connector; diff --git a/queue-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/queue-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch deleted file mode 100644 index 05491d11e2a..00000000000 --- a/queue-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch +++ /dev/null @@ -1,68 +0,0 @@ -From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 -From: Jocelyn Falempe -Date: Tue, 11 Jul 2023 11:20:43 +0200 -Subject: drm/client: Fix memory leak in drm_client_target_cloned - -From: Jocelyn Falempe - -commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. - -dmt_mode is allocated and never freed in this function. -It was found with the ast driver, but most drivers using generic fbdev -setup are probably affected. - -This fixes the following kmemleak report: - backtrace: - [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] - [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] - [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] - [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] - [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] - [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] - [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] - [<00000000987f19bb>] local_pci_probe+0xdc/0x180 - [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 - [<0000000000b85301>] process_one_work+0x8b7/0x1540 - [<000000003375b17c>] worker_thread+0x70a/0xed0 - [<00000000b0d43cd9>] kthread+0x29f/0x340 - [<000000008d770833>] ret_from_fork+0x1f/0x30 -unreferenced object 0xff11000333089a00 (size 128): - -cc: -Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") -Reported-by: Zhang Yi -Signed-off-by: Jocelyn Falempe -Reviewed-by: Javier Martinez Canillas -Reviewed-by: Thomas Zimmermann -Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_client_modeset.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/gpu/drm/drm_client_modeset.c -+++ b/drivers/gpu/drm/drm_client_modeset.c -@@ -311,6 +311,9 @@ static bool drm_client_target_cloned(str - can_clone = true; - dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); - -+ if (!dmt_mode) -+ goto fail; -+ - for (i = 0; i < connector_count; i++) { - if (!enabled[i]) - continue; -@@ -326,11 +329,13 @@ static bool drm_client_target_cloned(str - if (!modes[i]) - can_clone = false; - } -+ kfree(dmt_mode); - - if (can_clone) { - DRM_DEBUG_KMS("can clone using 1024x768\n"); - return true; - } -+fail: - DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); - return false; - } diff --git a/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch b/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch deleted file mode 100644 index 571d13a8c25..00000000000 --- a/queue-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 339638982e36115af550bd2e6ffd2b87fa2d288a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jul 2023 17:34:10 +0200 -Subject: drm/i915/perf: add sentinel to xehp_oa_b_counters - -From: Andrzej Hajda - -[ Upstream commit 785b3f667b4bf98804cad135005e964df0c750de ] - -Arrays passed to reg_in_range_table should end with empty record. - -The patch solves KASAN detected bug with signature: -BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] -Read of size 4 at addr ffffffffa1555d90 by task perf/1518 - -CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1 -Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023 -Call Trace: - -... -xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] - -Fixes: 0fa9349dda03 ("drm/i915/perf: complete programming whitelisting for XEHPSDV") -Signed-off-by: Andrzej Hajda -Reviewed-by: Andi Shyti -Reviewed-by: Nirmoy Das -Link: https://patchwork.freedesktop.org/patch/msgid/20230711153410.1224997-1-andrzej.hajda@intel.com -(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798) -Signed-off-by: Tvrtko Ursulin -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/i915/i915_perf.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c -index 3035cba2c6a29..d7caae281fb92 100644 ---- a/drivers/gpu/drm/i915/i915_perf.c -+++ b/drivers/gpu/drm/i915/i915_perf.c -@@ -4442,6 +4442,7 @@ static const struct i915_range mtl_oam_b_counters[] = { - static const struct i915_range xehp_oa_b_counters[] = { - { .start = 0xdc48, .end = 0xdc48 }, /* OAA_ENABLE_REG */ - { .start = 0xdd00, .end = 0xdd48 }, /* OAG_LCE0_0 - OAA_LENABLE_REG */ -+ {} - }; - - static const struct i915_range gen7_oa_mux_regs[] = { --- -2.39.2 - diff --git a/queue-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch b/queue-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch deleted file mode 100644 index 16a88f3e81c..00000000000 --- a/queue-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 2b5d1c29f6c4cb19369ef92881465e5ede75f4ef Mon Sep 17 00:00:00 2001 -From: Ben Skeggs -Date: Wed, 19 Jul 2023 14:40:50 +1000 -Subject: drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts - -From: Ben Skeggs - -commit 2b5d1c29f6c4cb19369ef92881465e5ede75f4ef upstream. - -Fixes crash on boards with ANX9805 TMDS/DP encoders. - -Cc: stable@vger.kernel.org # 6.4+ -Signed-off-by: Ben Skeggs -Reviewed-by: Karol Herbst -Signed-off-by: Karol Herbst -Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-2-skeggsb@gmail.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 29 +++++++++++++++-------- - 1 file changed, 19 insertions(+), 10 deletions(-) - ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c -@@ -81,20 +81,29 @@ nvkm_uconn_uevent(struct nvkm_object *ob - return -ENOSYS; - - list_for_each_entry(outp, &conn->disp->outps, head) { -- if (outp->info.connector == conn->index && outp->dp.aux) { -- if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; -- if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; -- if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; -- -- return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, -- nvkm_uconn_uevent_aux); -- } -+ if (outp->info.connector == conn->index) -+ break; -+ } -+ -+ if (&outp->head == &conn->disp->outps) -+ return -EINVAL; -+ -+ if (outp->dp.aux && !outp->info.location) { -+ if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; -+ if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; -+ if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; -+ -+ return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, -+ nvkm_uconn_uevent_aux); - } - - if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_GPIO_HI; - if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO; -- if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) -- return -EINVAL; -+ if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) { -+ /* TODO: support DP IRQ on ANX9805 and remove this hack. */ -+ if (!outp->info.location) -+ return -EINVAL; -+ } - - return nvkm_uevent_add(uevent, &device->gpio->event, conn->info.hpd, bits, - nvkm_uconn_uevent_gpio); diff --git a/queue-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch b/queue-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch deleted file mode 100644 index c9bf0d564b1..00000000000 --- a/queue-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 752a281032b2d6f4564be827e082bde6f7d2fd4f Mon Sep 17 00:00:00 2001 -From: Ben Skeggs -Date: Wed, 19 Jul 2023 14:40:49 +1000 -Subject: drm/nouveau/i2c: fix number of aux event slots - -From: Ben Skeggs - -commit 752a281032b2d6f4564be827e082bde6f7d2fd4f upstream. - -This was completely bogus before, using maximum DCB device index rather -than maximum AUX ID to size the buffer that stores event refcounts. - -*Pretty* unlikely to have been an actual problem on most configurations, -that is, unless you've got one of the rare boards that have off-chip DP. - -There, it'll likely crash. - -Cc: stable@vger.kernel.org # 6.4+ -Signed-off-by: Ben Skeggs -Reviewed-by: Karol Herbst -Signed-off-by: Karol Herbst -Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-1-skeggsb@gmail.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h | 4 ++-- - drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c | 11 +++++++++-- - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h -index 40a1065ae626..ef441dfdea09 100644 ---- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h -+++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h -@@ -16,7 +16,7 @@ struct nvkm_i2c_bus { - const struct nvkm_i2c_bus_func *func; - struct nvkm_i2c_pad *pad; - #define NVKM_I2C_BUS_CCB(n) /* 'n' is ccb index */ (n) --#define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) -+#define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) - #define NVKM_I2C_BUS_PRI /* ccb primary comm. port */ -1 - #define NVKM_I2C_BUS_SEC /* ccb secondary comm. port */ -2 - int id; -@@ -38,7 +38,7 @@ struct nvkm_i2c_aux { - const struct nvkm_i2c_aux_func *func; - struct nvkm_i2c_pad *pad; - #define NVKM_I2C_AUX_CCB(n) /* 'n' is ccb index */ (n) --#define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) -+#define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) - int id; - - struct mutex mutex; -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c -index 976539de4220..731b2f68d3db 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c -@@ -260,10 +260,11 @@ nvkm_i2c_new_(const struct nvkm_i2c_func *func, struct nvkm_device *device, - { - struct nvkm_bios *bios = device->bios; - struct nvkm_i2c *i2c; -+ struct nvkm_i2c_aux *aux; - struct dcb_i2c_entry ccbE; - struct dcb_output dcbE; - u8 ver, hdr; -- int ret, i; -+ int ret, i, ids; - - if (!(i2c = *pi2c = kzalloc(sizeof(*i2c), GFP_KERNEL))) - return -ENOMEM; -@@ -406,5 +407,11 @@ nvkm_i2c_new_(const struct nvkm_i2c_func *func, struct nvkm_device *device, - } - } - -- return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, i, &i2c->event); -+ ids = 0; -+ list_for_each_entry(aux, &i2c->aux, head) -+ ids = max(ids, aux->id + 1); -+ if (!ids) -+ return 0; -+ -+ return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, ids, &i2c->event); - } --- -2.41.0 - diff --git a/queue-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch b/queue-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch deleted file mode 100644 index 0860926f5fa..00000000000 --- a/queue-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ea293f823a8805735d9e00124df81a8f448ed1ae Mon Sep 17 00:00:00 2001 -From: Ben Skeggs -Date: Wed, 19 Jul 2023 14:40:51 +1000 -Subject: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP - -From: Ben Skeggs - -commit ea293f823a8805735d9e00124df81a8f448ed1ae upstream. - -Fixes OOPS on boards with ANX9805 DP encoders. - -Cc: stable@vger.kernel.org # 6.4+ -Signed-off-by: Ben Skeggs -Reviewed-by: Karol Herbst -Signed-off-by: Karol Herbst -Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-3-skeggsb@gmail.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/gpu/drm/nouveau/dispnv50/disp.c -+++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c -@@ -1873,6 +1873,8 @@ nv50_pior_destroy(struct drm_encoder *en - nvif_outp_dtor(&nv_encoder->outp); - - drm_encoder_cleanup(encoder); -+ -+ mutex_destroy(&nv_encoder->dp.hpd_irq_lock); - kfree(encoder); - } - -@@ -1917,6 +1919,8 @@ nv50_pior_create(struct drm_connector *c - nv_encoder->i2c = ddc; - nv_encoder->aux = aux; - -+ mutex_init(&nv_encoder->dp.hpd_irq_lock); -+ - encoder = to_drm_encoder(nv_encoder); - encoder->possible_crtcs = dcbe->heads; - encoder->possible_clones = 0; diff --git a/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch deleted file mode 100644 index 08d1232a000..00000000000 --- a/queue-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e9340f07719757a070b11277d243dd9908bca63c Mon Sep 17 00:00:00 2001 -From: hackyzh002 -Date: Wed, 19 Apr 2023 20:20:58 +0800 -Subject: [PATCH AUTOSEL 5.4 01/12] drm/radeon: Fix integer overflow in - radeon_cs_parser_init -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ] - -The type of size is unsigned, if size is 0x40000000, there will be an -integer overflow, size will be zero after size *= sizeof(uint32_t), -will cause uninitialized memory to be referenced later - -Reviewed-by: Christian König -Signed-off-by: hackyzh002 -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/radeon/radeon_cs.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/radeon/radeon_cs.c -+++ b/drivers/gpu/drm/radeon/radeon_cs.c -@@ -270,7 +270,8 @@ int radeon_cs_parser_init(struct radeon_ - { - struct drm_radeon_cs *cs = data; - uint64_t *chunk_array_ptr; -- unsigned size, i; -+ u64 size; -+ unsigned i; - u32 ring = RADEON_CS_RING_GFX; - s32 priority = 0; - diff --git a/queue-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch b/queue-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch deleted file mode 100644 index ec7d02a4a12..00000000000 --- a/queue-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4481913607e58196c48a4fef5e6f45350684ec3c Mon Sep 17 00:00:00 2001 -From: Yunxiang Li -Date: Thu, 22 Jun 2023 10:18:03 -0400 -Subject: drm/ttm: fix bulk_move corruption when adding a entry -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Yunxiang Li - -commit 4481913607e58196c48a4fef5e6f45350684ec3c upstream. - -When the resource is the first in the bulk_move range, adding it again -(thus moving it to the tail) will corrupt the list since the first -pointer is not moved. This eventually lead to null pointer deref in -ttm_lru_bulk_move_del() - -Fixes: fee2ede15542 ("drm/ttm: rework bulk move handling v5") -Signed-off-by: Yunxiang Li -Reviewed-by: Christian König -CC: stable@vger.kernel.org -Link: https://patchwork.freedesktop.org/patch/msgid/20230622141902.28718-3-Yunxiang.Li@amd.com -Signed-off-by: Christian König -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/ttm/ttm_resource.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/ttm/ttm_resource.c -+++ b/drivers/gpu/drm/ttm/ttm_resource.c -@@ -86,6 +86,8 @@ static void ttm_lru_bulk_move_pos_tail(s - struct ttm_resource *res) - { - if (pos->last != res) { -+ if (pos->first == res) -+ pos->first = list_next_entry(res, lru); - list_move(&res->lru, &pos->last->lru); - pos->last = res; - } -@@ -111,7 +113,8 @@ static void ttm_lru_bulk_move_del(struct - { - struct ttm_lru_bulk_move_pos *pos = ttm_lru_bulk_move_pos(bulk, res); - -- if (unlikely(pos->first == res && pos->last == res)) { -+ if (unlikely(WARN_ON(!pos->first || !pos->last) || -+ (pos->first == res && pos->last == res))) { - pos->first = NULL; - pos->last = NULL; - } else if (pos->first == res) { diff --git a/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch b/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch deleted file mode 100644 index 574853312c2..00000000000 --- a/queue-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 1fa4b768ca5d93b65efcc45c07ce247b86e19e6d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 00:34:05 +0200 -Subject: dsa: mv88e6xxx: Do a final check before timing out - -From: Linus Walleij - -[ Upstream commit 95ce158b6c93b28842b54b42ad1cb221b9844062 ] - -I get sporadic timeouts from the driver when using the -MV88E6352. Reading the status again after the loop fixes the -problem: the operation is successful but goes undetected. - -Some added prints show things like this: - -[ 58.356209] mv88e6085 mdio_mux-0.1:00: Timeout while waiting - for switch, addr 1b reg 0b, mask 8000, val 0000, data c000 -[ 58.367487] mv88e6085 mdio_mux-0.1:00: Timeout waiting for - ATU op 4000, fid 0001 -(...) -[ 61.826293] mv88e6085 mdio_mux-0.1:00: Timeout while waiting - for switch, addr 1c reg 18, mask 8000, val 0000, data 9860 -[ 61.837560] mv88e6085 mdio_mux-0.1:00: Timeout waiting - for PHY command 1860 to complete - -The reason is probably not the commands: I think those are -mostly fine with the 50+50ms timeout, but the problem -appears when OpenWrt brings up several interfaces in -parallel on a system with 7 populated ports: if one of -them take more than 50 ms and waits one or more of the -others can get stuck on the mutex for the switch and then -this can easily multiply. - -As we sleep and wait, the function loop needs a final -check after exiting the loop if we were successful. - -Suggested-by: Andrew Lunn -Cc: Tobias Waldekranz -Fixes: 35da1dfd9484 ("net: dsa: mv88e6xxx: Improve performance of busy bit polling") -Signed-off-by: Linus Walleij -Reviewed-by: Andrew Lunn -Link: https://lore.kernel.org/r/20230712223405.861899-1-linus.walleij@linaro.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c -index 08a46ffd53af9..642e93e8623eb 100644 ---- a/drivers/net/dsa/mv88e6xxx/chip.c -+++ b/drivers/net/dsa/mv88e6xxx/chip.c -@@ -109,6 +109,13 @@ int mv88e6xxx_wait_mask(struct mv88e6xxx_chip *chip, int addr, int reg, - usleep_range(1000, 2000); - } - -+ err = mv88e6xxx_read(chip, addr, reg, &data); -+ if (err) -+ return err; -+ -+ if ((data & mask) == val) -+ return 0; -+ - dev_err(chip->dev, "Timeout while waiting for switch\n"); - return -ETIMEDOUT; - } --- -2.39.2 - diff --git a/queue-6.4/erofs-fix-detection-of-atomic-context.patch b/queue-6.4/erofs-fix-detection-of-atomic-context.patch deleted file mode 100644 index 9ead507c835..00000000000 --- a/queue-6.4/erofs-fix-detection-of-atomic-context.patch +++ /dev/null @@ -1,100 +0,0 @@ -From e75759218787dc40a2c6c61685bd4428918ca596 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 15:08:47 -0700 -Subject: erofs: Fix detection of atomic context - -From: Sandeep Dhavale - -[ Upstream commit 12d0a24afd9ea58e581ea64d64e066f2027b28d9 ] - -Current check for atomic context is not sufficient as -z_erofs_decompressqueue_endio can be called under rcu lock -from blk_mq_flush_plug_list(). See the stacktrace [1] - -In such case we should hand off the decompression work for async -processing rather than trying to do sync decompression in current -context. Patch fixes the detection by checking for -rcu_read_lock_any_held() and while at it use more appropriate -!in_task() check than in_atomic(). - -Background: Historically erofs would always schedule a kworker for -decompression which would incur the scheduling cost regardless of -the context. But z_erofs_decompressqueue_endio() may not always -be in atomic context and we could actually benefit from doing the -decompression in z_erofs_decompressqueue_endio() if we are in -thread context, for example when running with dm-verity. -This optimization was later added in patch [2] which has shown -improvement in performance benchmarks. - -============================================== -[1] Problem stacktrace -[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291 -[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi -[name:core&]preempt_count: 0, expected: 0 -[name:core&]RCU nest depth: 1, expected: 0 -CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1 -Hardware name: MT6897 (DT) -Call trace: - dump_backtrace+0x108/0x15c - show_stack+0x20/0x30 - dump_stack_lvl+0x6c/0x8c - dump_stack+0x20/0x48 - __might_resched+0x1fc/0x308 - __might_sleep+0x50/0x88 - mutex_lock+0x2c/0x110 - z_erofs_decompress_queue+0x11c/0xc10 - z_erofs_decompress_kickoff+0x110/0x1a4 - z_erofs_decompressqueue_endio+0x154/0x180 - bio_endio+0x1b0/0x1d8 - __dm_io_complete+0x22c/0x280 - clone_endio+0xe4/0x280 - bio_endio+0x1b0/0x1d8 - blk_update_request+0x138/0x3a4 - blk_mq_plug_issue_direct+0xd4/0x19c - blk_mq_flush_plug_list+0x2b0/0x354 - __blk_flush_plug+0x110/0x160 - blk_finish_plug+0x30/0x4c - read_pages+0x2fc/0x370 - page_cache_ra_unbounded+0xa4/0x23c - page_cache_ra_order+0x290/0x320 - do_sync_mmap_readahead+0x108/0x2c0 - filemap_fault+0x19c/0x52c - __do_fault+0xc4/0x114 - handle_mm_fault+0x5b4/0x1168 - do_page_fault+0x338/0x4b4 - do_translation_fault+0x40/0x60 - do_mem_abort+0x60/0xc8 - el0_da+0x4c/0xe0 - el0t_64_sync_handler+0xd4/0xfc - el0t_64_sync+0x1a0/0x1a4 - -[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/ - -Reported-by: Will Shiu -Suggested-by: Gao Xiang -Signed-off-by: Sandeep Dhavale -Reviewed-by: Gao Xiang -Reviewed-by: Alexandre Mergnat -Link: https://lore.kernel.org/r/20230621220848.3379029-1-dhavale@google.com -Signed-off-by: Gao Xiang -Signed-off-by: Sasha Levin ---- - fs/erofs/zdata.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c -index 997ca4b32e87f..4a1c238600c52 100644 ---- a/fs/erofs/zdata.c -+++ b/fs/erofs/zdata.c -@@ -1411,7 +1411,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, - if (atomic_add_return(bios, &io->pending_bios)) - return; - /* Use (kthread_)work and sync decompression for atomic contexts only */ -- if (in_atomic() || irqs_disabled()) { -+ if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { - #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD - struct kthread_worker *worker; - --- -2.39.2 - diff --git a/queue-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/queue-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch deleted file mode 100644 index da8e336b4be..00000000000 --- a/queue-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 -From: Eric Whitney -Date: Mon, 22 May 2023 14:15:20 -0400 -Subject: ext4: correct inline offset when handling xattrs in inode body - -From: Eric Whitney - -commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. - -When run on a file system where the inline_data feature has been -enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 -to emit error messages indicating that inline directory entries are -corrupted. This occurs because the inline offset used to locate -inline directory entries in the inode body is not updated when an -xattr in that shared region is deleted and the region is shifted in -memory to recover the space it occupied. If the deleted xattr precedes -the system.data attribute, which points to the inline directory entries, -that attribute will be moved further up in the region. The inline -offset continues to point to whatever is located in system.data's former -location, with unfortunate effects when used to access directory entries -or (presumably) inline data in the inode body. - -Cc: stable@kernel.org -Signed-off-by: Eric Whitney -Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/xattr.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1782,6 +1782,20 @@ static int ext4_xattr_set_entry(struct e - memmove(here, (void *)here + size, - (void *)last - (void *)here + sizeof(__u32)); - memset(last, 0, size); -+ -+ /* -+ * Update i_inline_off - moved ibody region might contain -+ * system.data attribute. Handling a failure here won't -+ * cause other complications for setting an xattr. -+ */ -+ if (!is_block && ext4_has_inline_data(inode)) { -+ ret = ext4_find_inline_data_nolock(inode); -+ if (ret) { -+ ext4_warning_inode(inode, -+ "unable to update i_inline_off"); -+ goto out; -+ } -+ } - } else if (s->not_found) { - /* Insert new name. */ - size_t size = EXT4_XATTR_LEN(name_len); diff --git a/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch deleted file mode 100644 index 72947bf228e..00000000000 --- a/queue-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +++ /dev/null @@ -1,40 +0,0 @@ -From f3098e2e134597b5de84bfaf143eb0113a929381 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 15 Jul 2023 16:16:56 +0800 -Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe - -From: Zhang Shurong - -[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] - -This func misses checking for platform_get_irq()'s call and may passes the -negative error codes to request_irq(), which takes unsigned IRQ #, -causing it to fail with -EINVAL, overriding an original error code. - -Fix this by stop calling request_irq() with invalid IRQ #s. - -Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") -Signed-off-by: Zhang Shurong -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/au1200fb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c -index aed88ce45bf09..d8f085d4ede30 100644 ---- a/drivers/video/fbdev/au1200fb.c -+++ b/drivers/video/fbdev/au1200fb.c -@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) - - /* Now hook interrupt too */ - irq = platform_get_irq(dev, 0); -+ if (irq < 0) -+ return irq; -+ - ret = request_irq(irq, au1200fb_handle_irq, - IRQF_SHARED, "lcd", (void *)dev); - if (ret) { --- -2.39.2 - diff --git a/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch b/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch deleted file mode 100644 index ab0525e3219..00000000000 --- a/queue-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d5ea2fdfc87225588c235e2d54f298077b023d39 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jul 2023 21:19:58 +0800 -Subject: fbdev: imxfb: Removed unneeded release_mem_region - -From: Yangtao Li - -[ Upstream commit 45fcc058a75bf5d65cf4c32da44a252fbe873cd4 ] - -Remove unnecessary release_mem_region from the error path to prevent -mem region from being released twice, which could avoid resource leak -or other unexpected issues. - -Fixes: b083c22d5114 ("video: fbdev: imxfb: Convert request_mem_region + ioremap to devm_ioremap_resource") -Signed-off-by: Yangtao Li -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/imxfb.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c -index 5fbcb78a9caee..c8b1c73412d36 100644 ---- a/drivers/video/fbdev/imxfb.c -+++ b/drivers/video/fbdev/imxfb.c -@@ -1043,7 +1043,6 @@ static int imxfb_probe(struct platform_device *pdev) - failed_map: - failed_ioremap: - failed_getclock: -- release_mem_region(res->start, resource_size(res)); - failed_of_parse: - kfree(info->pseudo_palette); - failed_init: --- -2.39.2 - diff --git a/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch deleted file mode 100644 index a8b7127e2f4..00000000000 --- a/queue-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch +++ /dev/null @@ -1,43 +0,0 @@ -From e5b3b55ac7affc28ab87a9c787d2c41e898454c6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 15:24:37 +0200 -Subject: fbdev: imxfb: warn about invalid left/right margin - -From: Martin Kaiser - -[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] - -Warn about invalid var->left_margin or var->right_margin. Their values -are read from the device tree. - -We store var->left_margin-3 and var->right_margin-1 in register -fields. These fields should be >= 0. - -Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") -Signed-off-by: Martin Kaiser -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/imxfb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c -index adf36690c342b..5fbcb78a9caee 100644 ---- a/drivers/video/fbdev/imxfb.c -+++ b/drivers/video/fbdev/imxfb.c -@@ -613,10 +613,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf - if (var->hsync_len < 1 || var->hsync_len > 64) - printk(KERN_ERR "%s: invalid hsync_len %d\n", - info->fix.id, var->hsync_len); -- if (var->left_margin > 255) -+ if (var->left_margin < 3 || var->left_margin > 255) - printk(KERN_ERR "%s: invalid left_margin %d\n", - info->fix.id, var->left_margin); -- if (var->right_margin > 255) -+ if (var->right_margin < 1 || var->right_margin > 255) - printk(KERN_ERR "%s: invalid right_margin %d\n", - info->fix.id, var->right_margin); - if (var->yres < 1 || var->yres > ymax_mask) --- -2.39.2 - diff --git a/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch deleted file mode 100644 index 5f05fd14f14..00000000000 --- a/queue-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 83e1fa1cec9a9b3872feb64aee1620612e20b784 Mon Sep 17 00:00:00 2001 -From: Immad Mir -Date: Fri, 23 Jun 2023 19:17:08 +0530 -Subject: [PATCH AUTOSEL 5.4 12/12] FS: JFS: Check for read-only mounted - filesystem in txBegin -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ] - - This patch adds a check for read-only mounted filesystem - in txBegin before starting a transaction potentially saving - from NULL pointer deref. - -Signed-off-by: Immad Mir -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/jfs_txnmgr.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c -index c8ce7f1bc5942..6f6a5b9203d3f 100644 ---- a/fs/jfs/jfs_txnmgr.c -+++ b/fs/jfs/jfs_txnmgr.c -@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, int flag) - jfs_info("txBegin: flag = 0x%x", flag); - log = JFS_SBI(sb)->log; - -+ if (!log) { -+ jfs_error(sb, "read-only filesystem\n"); -+ return 0; -+ } -+ - TXN_LOCK(); - - INCREMENT(TxStat.txBegin); --- -2.39.2 - diff --git a/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch deleted file mode 100644 index e8b03e8b953..00000000000 --- a/queue-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 097f5e82578e6895fd4f5528a020321647644b89 Mon Sep 17 00:00:00 2001 -From: Immad Mir -Date: Fri, 23 Jun 2023 19:14:01 +0530 -Subject: [PATCH AUTOSEL 5.4 11/12] FS: JFS: Fix null-ptr-deref Read in txBegin -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ] - - Syzkaller reported an issue where txBegin may be called - on a superblock in a read-only mounted filesystem which leads - to NULL pointer deref. This could be solved by checking if - the filesystem is read-only before calling txBegin, and returning - with appropiate error code. - -Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3 - -Signed-off-by: Immad Mir -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/namei.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/fs/jfs/namei.c -+++ b/fs/jfs/namei.c -@@ -799,6 +799,11 @@ static int jfs_link(struct dentry *old_d - if (rc) - goto out; - -+ if (isReadOnly(ip)) { -+ jfs_error(ip->i_sb, "read-only filesystem\n"); -+ return -EROFS; -+ } -+ - tid = txBegin(ip->i_sb, 0); - - mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT); diff --git a/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch deleted file mode 100644 index e3baf5a2fc9..00000000000 --- a/queue-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch +++ /dev/null @@ -1,83 +0,0 @@ -From d97453868eeba3d85be2772979541dc4ed88233b Mon Sep 17 00:00:00 2001 -From: Yogesh -Date: Thu, 22 Jun 2023 00:07:03 +0530 -Subject: [PATCH AUTOSEL 5.4 09/12] fs: jfs: Fix UBSAN: - array-index-out-of-bounds in dbAllocDmapLev -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] - -Syzkaller reported the following issue: - -UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 -index -84 is out of range for type 's8[341]' (aka 'signed char[341]') -CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 - ubsan_epilogue lib/ubsan.c:217 [inline] - __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 - dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 - dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 - dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 - dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 - dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] - dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 - jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 - lookup_open fs/namei.c:3492 [inline] - open_last_lookups fs/namei.c:3560 [inline] - path_openat+0x13df/0x3170 fs/namei.c:3788 - do_filp_open+0x234/0x490 fs/namei.c:3818 - do_sys_openat2+0x13f/0x500 fs/open.c:1356 - do_sys_open fs/open.c:1372 [inline] - __do_sys_openat fs/open.c:1388 [inline] - __se_sys_openat fs/open.c:1383 [inline] - __x64_sys_openat+0x247/0x290 fs/open.c:1383 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd -RIP: 0033:0x7f1f4e33f7e9 -Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 -RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c -RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 -R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - - -The bug occurs when the dbAllocDmapLev()function attempts to access -dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. - -To rectify this, the patch introduces a safeguard within the -dbAllocDmapLev() function. A check has been added to verify if leafidx is -negative. If it is, the function immediately returns an I/O error, preventing -any further execution that could potentially cause harm. - -Tested via syzbot. - -Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 -Signed-off-by: Yogesh -Signed-off-by: Dave Kleikamp -Signed-off-by: Sasha Levin ---- - fs/jfs/jfs_dmap.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/jfs/jfs_dmap.c -+++ b/fs/jfs/jfs_dmap.c -@@ -1959,6 +1959,9 @@ dbAllocDmapLev(struct bmap * bmp, - if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) - return -ENOSPC; - -+ if (leafidx < 0) -+ return -EIO; -+ - /* determine the block number within the file system corresponding - * to the leaf at which free space was found. - */ diff --git a/queue-6.4/fuse-add-feature-flag-for-expire-only.patch b/queue-6.4/fuse-add-feature-flag-for-expire-only.patch deleted file mode 100644 index ea9c473f5ac..00000000000 --- a/queue-6.4/fuse-add-feature-flag-for-expire-only.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 5cadfbd5a11e5495cac217534c5f788168b1afd7 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Mon, 27 Mar 2023 16:14:49 +0200 -Subject: fuse: add feature flag for expire-only - -From: Miklos Szeredi - -commit 5cadfbd5a11e5495cac217534c5f788168b1afd7 upstream. - -Add an init flag idicating whether the FUSE_EXPIRE_ONLY flag of -FUSE_NOTIFY_INVAL_ENTRY is effective. - -This is needed for backports of this feature, otherwise the server could -just check the protocol version. - -Fixes: 4f8d37020e1f ("fuse: add "expire only" mode to FUSE_NOTIFY_INVAL_ENTRY") -Cc: # v6.2 -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/inode.c | 3 ++- - include/uapi/linux/fuse.h | 3 +++ - 2 files changed, 5 insertions(+), 1 deletion(-) - ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -1254,7 +1254,8 @@ void fuse_send_init(struct fuse_mount *f - FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS | - FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA | - FUSE_HANDLE_KILLPRIV_V2 | FUSE_SETXATTR_EXT | FUSE_INIT_EXT | -- FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP; -+ FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP | -+ FUSE_HAS_EXPIRE_ONLY; - #ifdef CONFIG_FUSE_DAX - if (fm->fc->dax) - flags |= FUSE_MAP_ALIGNMENT; ---- a/include/uapi/linux/fuse.h -+++ b/include/uapi/linux/fuse.h -@@ -206,6 +206,7 @@ - * - add extension header - * - add FUSE_EXT_GROUPS - * - add FUSE_CREATE_SUPP_GROUP -+ * - add FUSE_HAS_EXPIRE_ONLY - */ - - #ifndef _LINUX_FUSE_H -@@ -369,6 +370,7 @@ struct fuse_file_lock { - * FUSE_HAS_INODE_DAX: use per inode DAX - * FUSE_CREATE_SUPP_GROUP: add supplementary group info to create, mkdir, - * symlink and mknod (single group that matches parent) -+ * FUSE_HAS_EXPIRE_ONLY: kernel supports expiry-only entry invalidation - */ - #define FUSE_ASYNC_READ (1 << 0) - #define FUSE_POSIX_LOCKS (1 << 1) -@@ -406,6 +408,7 @@ struct fuse_file_lock { - #define FUSE_SECURITY_CTX (1ULL << 32) - #define FUSE_HAS_INODE_DAX (1ULL << 33) - #define FUSE_CREATE_SUPP_GROUP (1ULL << 34) -+#define FUSE_HAS_EXPIRE_ONLY (1ULL << 35) - - /** - * CUSE INIT request/reply flags diff --git a/queue-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch b/queue-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch deleted file mode 100644 index 7ee5a8380e7..00000000000 --- a/queue-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 3066ff93476c35679cb07a97cce37d9bb07632ff Mon Sep 17 00:00:00 2001 -From: Bernd Schubert -Date: Fri, 15 Apr 2022 13:53:56 +0200 -Subject: fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT - -From: Bernd Schubert - -commit 3066ff93476c35679cb07a97cce37d9bb07632ff upstream. - -This is just a safety precaution to avoid checking flags on memory that was -initialized on the user space side. libfuse zeroes struct fuse_init_out -outarg, but this is not guranteed to be done in all implementations. -Better is to act on flags and to only apply flags2 when FUSE_INIT_EXT is -set. - -There is a risk with this change, though - it might break existing user -space libraries, which are already using flags2 without setting -FUSE_INIT_EXT. - -The corresponding libfuse patch is here -https://github.com/libfuse/libfuse/pull/662 - -Signed-off-by: Bernd Schubert -Fixes: 53db28933e95 ("fuse: extend init flags") -Cc: # v5.17 -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/inode.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -1134,7 +1134,10 @@ static void process_init_reply(struct fu - process_init_limits(fc, arg); - - if (arg->minor >= 6) { -- u64 flags = arg->flags | (u64) arg->flags2 << 32; -+ u64 flags = arg->flags; -+ -+ if (flags & FUSE_INIT_EXT) -+ flags |= (u64) arg->flags2 << 32; - - ra_pages = arg->max_readahead / PAGE_SIZE; - if (flags & FUSE_ASYNC_READ) diff --git a/queue-6.4/fuse-ioctl-translate-enosys-in-outarg.patch b/queue-6.4/fuse-ioctl-translate-enosys-in-outarg.patch deleted file mode 100644 index ffa3f307976..00000000000 --- a/queue-6.4/fuse-ioctl-translate-enosys-in-outarg.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Wed, 7 Jun 2023 17:49:21 +0200 -Subject: fuse: ioctl: translate ENOSYS in outarg - -From: Miklos Szeredi - -commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. - -Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace -responds with ENOSYS it should be translated to ENOTTY. - -There are two ways to return an error from the IOCTL request: - - - fuse_out_header.error - - fuse_ioctl_out.result - -Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this -issue for the first case, but missed the second case. This patch fixes the -second case. - -Reported-by: Jonathan Katz -Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ -Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/ioctl.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - ---- a/fs/fuse/ioctl.c -+++ b/fs/fuse/ioctl.c -@@ -9,14 +9,23 @@ - #include - #include - --static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) -+static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, -+ struct fuse_ioctl_out *outarg) - { -- ssize_t ret = fuse_simple_request(fm, args); -+ ssize_t ret; -+ -+ args->out_args[0].size = sizeof(*outarg); -+ args->out_args[0].value = outarg; -+ -+ ret = fuse_simple_request(fm, args); - - /* Translate ENOSYS, which shouldn't be returned from fs */ - if (ret == -ENOSYS) - ret = -ENOTTY; - -+ if (ret >= 0 && outarg->result == -ENOSYS) -+ outarg->result = -ENOTTY; -+ - return ret; - } - -@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un - } - - ap.args.out_numargs = 2; -- ap.args.out_args[0].size = sizeof(outarg); -- ap.args.out_args[0].value = &outarg; - ap.args.out_args[1].size = out_size; - ap.args.out_pages = true; - ap.args.out_argvar = true; - -- transferred = fuse_send_ioctl(fm, &ap.args); -+ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); - err = transferred; - if (transferred < 0) - goto out; -@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode - args.in_args[1].size = inarg.in_size; - args.in_args[1].value = ptr; - args.out_numargs = 2; -- args.out_args[0].size = sizeof(outarg); -- args.out_args[0].value = &outarg; - args.out_args[1].size = inarg.out_size; - args.out_args[1].value = ptr; - -- err = fuse_send_ioctl(fm, &args); -+ err = fuse_send_ioctl(fm, &args, &outarg); - if (!err) { - if (outarg.result < 0) - err = outarg.result; diff --git a/queue-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/queue-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch deleted file mode 100644 index 46e5be8f3be..00000000000 --- a/queue-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Wed, 7 Jun 2023 17:49:20 +0200 -Subject: fuse: revalidate: don't invalidate if interrupted - -From: Miklos Szeredi - -commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. - -If the LOOKUP request triggered from fuse_dentry_revalidate() is -interrupted, then the dentry will be invalidated, possibly resulting in -submounts being unmounted. - -Reported-by: Xu Rongbo -Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ -Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/dir.c -+++ b/fs/fuse/dir.c -@@ -258,7 +258,7 @@ static int fuse_dentry_revalidate(struct - spin_unlock(&fi->lock); - } - kfree(forget); -- if (ret == -ENOMEM) -+ if (ret == -ENOMEM || ret == -EINTR) - goto out; - if (ret || fuse_invalid_attr(&outarg.attr) || - fuse_stale_inode(inode, outarg.generation, &outarg.attr)) diff --git a/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch b/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch deleted file mode 100644 index 0beed69978a..00000000000 --- a/queue-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 6090361de3c7650680b9a2b098828072864fe334 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 10:28:00 -0700 -Subject: gso: fix dodgy bit handling for GSO_UDP_L4 - -From: Yan Zhai - -[ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ] - -Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 -packets.") checks DODGY bit for UDP, but for packets that can be fed -directly to the device after gso_segs reset, it actually falls through -to fragmentation: - -https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/ - -This change restores the expected behavior of GSO_UDP_L4 packets. - -Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") -Suggested-by: Willem de Bruijn -Signed-off-by: Yan Zhai -Reviewed-by: Willem de Bruijn -Acked-by: Jason Wang -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/udp_offload.c | 16 +++++++++++----- - net/ipv6/udp_offload.c | 3 +-- - 2 files changed, 12 insertions(+), 7 deletions(-) - -diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c -index 1f01e15ca24fd..4a61832e7f69b 100644 ---- a/net/ipv4/udp_offload.c -+++ b/net/ipv4/udp_offload.c -@@ -273,13 +273,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, - __sum16 check; - __be16 newlen; - -- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) -- return __udp_gso_segment_list(gso_skb, features, is_ipv6); -- - mss = skb_shinfo(gso_skb)->gso_size; - if (gso_skb->len <= sizeof(*uh) + mss) - return ERR_PTR(-EINVAL); - -+ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { -+ /* Packet is from an untrusted source, reset gso_segs. */ -+ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), -+ mss); -+ return NULL; -+ } -+ -+ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) -+ return __udp_gso_segment_list(gso_skb, features, is_ipv6); -+ - skb_pull(gso_skb, sizeof(*uh)); - - /* clear destructor to avoid skb_segment assigning it to tail */ -@@ -387,8 +394,7 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb, - if (!pskb_may_pull(skb, sizeof(struct udphdr))) - goto out; - -- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && -- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) -+ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) - return __udp_gso_segment(skb, features, false); - - mss = skb_shinfo(skb)->gso_size; -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index c39c1e32f9804..e0e10f6bcdc18 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -42,8 +42,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - if (!pskb_may_pull(skb, sizeof(struct udphdr))) - goto out; - -- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 && -- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) -+ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) - return __udp_gso_segment(skb, features, true); - - mss = skb_shinfo(skb)->gso_size; --- -2.39.2 - diff --git a/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch b/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch deleted file mode 100644 index ec2516b9a3e..00000000000 --- a/queue-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch +++ /dev/null @@ -1,49 +0,0 @@ -From df2df0b1368fc95618c0173e921b0ec0361f3a50 Mon Sep 17 00:00:00 2001 -From: Marco Morandini -Date: Tue, 30 May 2023 15:40:08 +0200 -Subject: [PATCH AUTOSEL 5.4 05/12] HID: add quirk for 03f0:464a HP Elite - Presenter Mouse -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 0db117359e47750d8bd310d19f13e1c4ef7fc26a ] - -HP Elite Presenter Mouse HID Record Descriptor shows -two mouses (Repord ID 0x1 and 0x2), one keypad (Report ID 0x5), -two Consumer Controls (Report IDs 0x6 and 0x3). -Previous to this commit it registers one mouse, one keypad -and one Consumer Control, and it was usable only as a -digitl laser pointer (one of the two mouses). This patch defines -the 464a USB device ID and enables the HID_QUIRK_MULTI_INPUT -quirk for it, allowing to use the device both as a mouse -and a digital laser pointer. - -Signed-off-by: Marco Morandini -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-ids.h | 1 + - drivers/hid/hid-quirks.c | 1 + - 2 files changed, 2 insertions(+) - ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -620,6 +620,7 @@ - #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 - - #define USB_VENDOR_ID_HP 0x03f0 -+#define USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A 0x464a - #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a - #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a - #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a ---- a/drivers/hid/hid-quirks.c -+++ b/drivers/hid/hid-quirks.c -@@ -96,6 +96,7 @@ static const struct hid_device_id hid_qu - { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096), HID_QUIRK_NO_INIT_REPORTS }, - { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A293), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A), HID_QUIRK_ALWAYS_POLL }, -+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A), HID_QUIRK_MULTI_INPUT }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, - { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch b/queue-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch deleted file mode 100644 index ed3cef99490..00000000000 --- a/queue-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 07e981137f17e5275b6fa5fd0c28b0ddb4519702 Mon Sep 17 00:00:00 2001 -From: Helge Deller -Date: Fri, 21 Jul 2023 17:24:32 +0200 -Subject: ia64: mmap: Consider pgoff when searching for free mapping - -From: Helge Deller - -commit 07e981137f17e5275b6fa5fd0c28b0ddb4519702 upstream. - -IA64 is the only architecture which does not consider the pgoff value when -searching for a possible free memory region with vm_unmapped_area(). -Adding this seems to have no negative side effect on IA64, so add it now -to make IA64 consistent with all other architectures. - -Cc: stable@vger.kernel.org # 6.4 -Signed-off-by: Helge Deller -Tested-by: matoro -Cc: Andrew Morton -Cc: linux-ia64@vger.kernel.org -Link: https://lore.kernel.org/r/20230721152432.196382-3-deller@gmx.de -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - arch/ia64/kernel/sys_ia64.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c -index 6e948d015332..eb561cc93632 100644 ---- a/arch/ia64/kernel/sys_ia64.c -+++ b/arch/ia64/kernel/sys_ia64.c -@@ -63,7 +63,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len - info.low_limit = addr; - info.high_limit = TASK_SIZE; - info.align_mask = align_mask; -- info.align_offset = 0; -+ info.align_offset = pgoff << PAGE_SHIFT; - return vm_unmapped_area(&info); - } - --- -2.41.0 - diff --git a/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch b/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch deleted file mode 100644 index 2cc89a6021d..00000000000 --- a/queue-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch +++ /dev/null @@ -1,342 +0,0 @@ -From 5f761430984862f987bf461a697a429a2963c676 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:25 -0400 -Subject: iavf: fix a deadlock caused by rtnl and driver's lock circular - dependencies - -From: Ahmed Zaki - -[ Upstream commit d1639a17319ba78a018280cd2df6577a7e5d9fab ] - -A driver's lock (crit_lock) is used to serialize all the driver's tasks. -Lockdep, however, shows a circular dependency between rtnl and -crit_lock. This happens when an ndo that already holds the rtnl requests -the driver to reset, since the reset task (in some paths) tries to grab -rtnl to either change real number of queues of update netdev features. - - [566.241851] ====================================================== - [566.241893] WARNING: possible circular locking dependency detected - [566.241936] 6.2.14-100.fc36.x86_64+debug #1 Tainted: G OE - [566.241984] ------------------------------------------------------ - [566.242025] repro.sh/2604 is trying to acquire lock: - [566.242061] ffff9280fc5ceee8 (&adapter->crit_lock){+.+.}-{3:3}, at: iavf_close+0x3c/0x240 [iavf] - [566.242167] - but task is already holding lock: - [566.242209] ffffffff9976d350 (rtnl_mutex){+.+.}-{3:3}, at: iavf_remove+0x6b5/0x730 [iavf] - [566.242300] - which lock already depends on the new lock. - - [566.242353] - the existing dependency chain (in reverse order) is: - [566.242401] - -> #1 (rtnl_mutex){+.+.}-{3:3}: - [566.242451] __mutex_lock+0xc1/0xbb0 - [566.242489] iavf_init_interrupt_scheme+0x179/0x440 [iavf] - [566.242560] iavf_watchdog_task+0x80b/0x1400 [iavf] - [566.242627] process_one_work+0x2b3/0x560 - [566.242663] worker_thread+0x4f/0x3a0 - [566.242696] kthread+0xf2/0x120 - [566.242730] ret_from_fork+0x29/0x50 - [566.242763] - -> #0 (&adapter->crit_lock){+.+.}-{3:3}: - [566.242815] __lock_acquire+0x15ff/0x22b0 - [566.242869] lock_acquire+0xd2/0x2c0 - [566.242901] __mutex_lock+0xc1/0xbb0 - [566.242934] iavf_close+0x3c/0x240 [iavf] - [566.242997] __dev_close_many+0xac/0x120 - [566.243036] dev_close_many+0x8b/0x140 - [566.243071] unregister_netdevice_many_notify+0x165/0x7c0 - [566.243116] unregister_netdevice_queue+0xd3/0x110 - [566.243157] iavf_remove+0x6c1/0x730 [iavf] - [566.243217] pci_device_remove+0x33/0xa0 - [566.243257] device_release_driver_internal+0x1bc/0x240 - [566.243299] pci_stop_bus_device+0x6c/0x90 - [566.243338] pci_stop_and_remove_bus_device+0xe/0x20 - [566.243380] pci_iov_remove_virtfn+0xd1/0x130 - [566.243417] sriov_disable+0x34/0xe0 - [566.243448] ice_free_vfs+0x2da/0x330 [ice] - [566.244383] ice_sriov_configure+0x88/0xad0 [ice] - [566.245353] sriov_numvfs_store+0xde/0x1d0 - [566.246156] kernfs_fop_write_iter+0x15e/0x210 - [566.246921] vfs_write+0x288/0x530 - [566.247671] ksys_write+0x74/0xf0 - [566.248408] do_syscall_64+0x58/0x80 - [566.249145] entry_SYSCALL_64_after_hwframe+0x72/0xdc - [566.249886] - other info that might help us debug this: - - [566.252014] Possible unsafe locking scenario: - - [566.253432] CPU0 CPU1 - [566.254118] ---- ---- - [566.254800] lock(rtnl_mutex); - [566.255514] lock(&adapter->crit_lock); - [566.256233] lock(rtnl_mutex); - [566.256897] lock(&adapter->crit_lock); - [566.257388] - *** DEADLOCK *** - -The deadlock can be triggered by a script that is continuously resetting -the VF adapter while doing other operations requiring RTNL, e.g: - - while :; do - ip link set $VF up - ethtool --set-channels $VF combined 2 - ip link set $VF down - ip link set $VF up - ethtool --set-channels $VF combined 4 - ip link set $VF down - done - -Any operation that triggers a reset can substitute "ethtool --set-channles" - -As a fix, add a new task "finish_config" that do all the work which -needs rtnl lock. With the exception of iavf_remove(), all work that -require rtnl should be called from this task. - -As for iavf_remove(), at the point where we need to call -unregister_netdevice() (and grab rtnl_lock), we make sure the finish_config -task is not running (cancel_work_sync()) to safely grab rtnl. Subsequent -finish_config work cannot restart after that since the task is guarded -by the __IAVF_IN_REMOVE_TASK bit in iavf_schedule_finish_config(). - -Fixes: 5ac49f3c2702 ("iavf: use mutexes for locking of critical sections") -Signed-off-by: Ahmed Zaki -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 + - drivers/net/ethernet/intel/iavf/iavf_main.c | 114 +++++++++++++----- - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + - 3 files changed, 85 insertions(+), 32 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index a5cab19eb6a8b..bf5e3c8e97e04 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -255,6 +255,7 @@ struct iavf_adapter { - struct workqueue_struct *wq; - struct work_struct reset_task; - struct work_struct adminq_task; -+ struct work_struct finish_config; - struct delayed_work client_task; - wait_queue_head_t down_waitqueue; - wait_queue_head_t reset_waitqueue; -@@ -521,6 +522,7 @@ int iavf_process_config(struct iavf_adapter *adapter); - int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); - void iavf_schedule_reset(struct iavf_adapter *adapter); - void iavf_schedule_request_stats(struct iavf_adapter *adapter); -+void iavf_schedule_finish_config(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); - void iavf_set_ethtool_ops(struct net_device *netdev); - void iavf_update_stats(struct iavf_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 8cb9b74b3ebea..161750c1598f8 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1702,10 +1702,10 @@ static int iavf_set_interrupt_capability(struct iavf_adapter *adapter) - adapter->msix_entries[vector].entry = vector; - - err = iavf_acquire_msix_vectors(adapter, v_budget); -+ if (!err) -+ iavf_schedule_finish_config(adapter); - - out: -- netif_set_real_num_rx_queues(adapter->netdev, pairs); -- netif_set_real_num_tx_queues(adapter->netdev, pairs); - return err; - } - -@@ -1925,9 +1925,7 @@ static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) - goto err_alloc_queues; - } - -- rtnl_lock(); - err = iavf_set_interrupt_capability(adapter); -- rtnl_unlock(); - if (err) { - dev_err(&adapter->pdev->dev, - "Unable to setup interrupt capabilities\n"); -@@ -2013,6 +2011,78 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool runni - return err; - } - -+/** -+ * iavf_finish_config - do all netdev work that needs RTNL -+ * @work: our work_struct -+ * -+ * Do work that needs both RTNL and crit_lock. -+ **/ -+static void iavf_finish_config(struct work_struct *work) -+{ -+ struct iavf_adapter *adapter; -+ int pairs, err; -+ -+ adapter = container_of(work, struct iavf_adapter, finish_config); -+ -+ /* Always take RTNL first to prevent circular lock dependency */ -+ rtnl_lock(); -+ mutex_lock(&adapter->crit_lock); -+ -+ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && -+ adapter->netdev_registered && -+ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { -+ netdev_update_features(adapter->netdev); -+ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ } -+ -+ switch (adapter->state) { -+ case __IAVF_DOWN: -+ if (!adapter->netdev_registered) { -+ err = register_netdevice(adapter->netdev); -+ if (err) { -+ dev_err(&adapter->pdev->dev, "Unable to register netdev (%d)\n", -+ err); -+ -+ /* go back and try again.*/ -+ iavf_free_rss(adapter); -+ iavf_free_misc_irq(adapter); -+ iavf_reset_interrupt_capability(adapter); -+ iavf_change_state(adapter, -+ __IAVF_INIT_CONFIG_ADAPTER); -+ goto out; -+ } -+ adapter->netdev_registered = true; -+ } -+ -+ /* Set the real number of queues when reset occurs while -+ * state == __IAVF_DOWN -+ */ -+ fallthrough; -+ case __IAVF_RUNNING: -+ pairs = adapter->num_active_queues; -+ netif_set_real_num_rx_queues(adapter->netdev, pairs); -+ netif_set_real_num_tx_queues(adapter->netdev, pairs); -+ break; -+ -+ default: -+ break; -+ } -+ -+out: -+ mutex_unlock(&adapter->crit_lock); -+ rtnl_unlock(); -+} -+ -+/** -+ * iavf_schedule_finish_config - Set the flags and schedule a reset event -+ * @adapter: board private structure -+ **/ -+void iavf_schedule_finish_config(struct iavf_adapter *adapter) -+{ -+ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) -+ queue_work(adapter->wq, &adapter->finish_config); -+} -+ - /** - * iavf_process_aq_command - process aq_required flags - * and sends aq command -@@ -2650,22 +2720,8 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - - netif_carrier_off(netdev); - adapter->link_up = false; -- -- /* set the semaphore to prevent any callbacks after device registration -- * up to time when state of driver will be set to __IAVF_DOWN -- */ -- rtnl_lock(); -- if (!adapter->netdev_registered) { -- err = register_netdevice(netdev); -- if (err) { -- rtnl_unlock(); -- goto err_register; -- } -- } -- -- adapter->netdev_registered = true; -- - netif_tx_stop_all_queues(netdev); -+ - if (CLIENT_ALLOWED(adapter)) { - err = iavf_lan_add_device(adapter); - if (err) -@@ -2678,7 +2734,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - - iavf_change_state(adapter, __IAVF_DOWN); - set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); -- rtnl_unlock(); - - iavf_misc_irq_enable(adapter); - wake_up(&adapter->down_waitqueue); -@@ -2698,10 +2753,11 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) - /* request initial VLAN offload settings */ - iavf_set_vlan_offload_features(adapter, 0, netdev->features); - -+ iavf_schedule_finish_config(adapter); - return; -+ - err_mem: - iavf_free_rss(adapter); --err_register: - iavf_free_misc_irq(adapter); - err_sw_init: - iavf_reset_interrupt_capability(adapter); -@@ -2728,15 +2784,6 @@ static void iavf_watchdog_task(struct work_struct *work) - goto restart_watchdog; - } - -- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && -- adapter->netdev_registered && -- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && -- rtnl_trylock()) { -- netdev_update_features(adapter->netdev); -- rtnl_unlock(); -- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; -- } -- - if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) - iavf_change_state(adapter, __IAVF_COMM_FAILED); - -@@ -4978,6 +5025,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - INIT_WORK(&adapter->reset_task, iavf_reset_task); - INIT_WORK(&adapter->adminq_task, iavf_adminq_task); -+ INIT_WORK(&adapter->finish_config, iavf_finish_config); - INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); - INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); - queue_delayed_work(adapter->wq, &adapter->watchdog_task, -@@ -5120,13 +5168,15 @@ static void iavf_remove(struct pci_dev *pdev) - usleep_range(500, 1000); - } - cancel_delayed_work_sync(&adapter->watchdog_task); -+ cancel_work_sync(&adapter->finish_config); - -+ rtnl_lock(); - if (adapter->netdev_registered) { -- rtnl_lock(); - unregister_netdevice(netdev); - adapter->netdev_registered = false; -- rtnl_unlock(); - } -+ rtnl_unlock(); -+ - if (CLIENT_ALLOWED(adapter)) { - err = iavf_lan_del_device(adapter); - if (err) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 1bab896aaf40c..073ac29ed84c7 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2237,6 +2237,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - - iavf_process_config(adapter); - adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; -+ iavf_schedule_finish_config(adapter); - - iavf_set_queue_vlan_tag_loc(adapter); - --- -2.39.2 - diff --git a/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch deleted file mode 100644 index cc8b7f34cd3..00000000000 --- a/queue-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch +++ /dev/null @@ -1,160 +0,0 @@ -From 9a0a6f5caa0dcedb4c41554c0d5d7f5fd401e046 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 May 2023 19:11:48 +0800 -Subject: iavf: Fix out-of-bounds when setting channels on remove - -From: Ding Hui - -[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] - -If we set channels greater during iavf_remove(), and waiting reset done -would be timeout, then returned with error but changed num_active_queues -directly, that will lead to OOB like the following logs. Because the -num_active_queues is greater than tx/rx_rings[] allocated actually. - -Reproducer: - - [root@host ~]# cat repro.sh - #!/bin/bash - - pf_dbsf="0000:41:00.0" - vf0_dbsf="0000:41:02.0" - g_pids=() - - function do_set_numvf() - { - echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - } - - function do_set_channel() - { - local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) - [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } - ifconfig $nic 192.168.18.5 netmask 255.255.255.0 - ifconfig $nic up - ethtool -L $nic combined 1 - ethtool -L $nic combined 4 - sleep $((RANDOM%3)) - } - - function on_exit() - { - local pid - for pid in "${g_pids[@]}"; do - kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null - done - g_pids=() - } - - trap "on_exit; exit" EXIT - - while :; do do_set_numvf ; done & - g_pids+=($!) - while :; do do_set_channel ; done & - g_pids+=($!) - - wait - -Result: - -[ 3506.152887] iavf 0000:41:02.0: Removing device -[ 3510.400799] ================================================================== -[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 -[ 3510.400823] -[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 -[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 -[ 3510.400835] Call Trace: -[ 3510.400851] dump_stack+0x71/0xab -[ 3510.400860] print_address_description+0x6b/0x290 -[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400868] kasan_report+0x14a/0x2b0 -[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] -[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] -[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] -[ 3510.400891] ? wait_woken+0x1d0/0x1d0 -[ 3510.400895] ? notifier_call_chain+0xc1/0x130 -[ 3510.400903] pci_device_remove+0xa8/0x1f0 -[ 3510.400910] device_release_driver_internal+0x1c6/0x460 -[ 3510.400916] pci_stop_bus_device+0x101/0x150 -[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 -[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 -[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 -[ 3510.400929] ? pci_get_subsys+0x90/0x90 -[ 3510.400932] sriov_disable+0xed/0x3e0 -[ 3510.400936] ? bus_find_device+0x12d/0x1a0 -[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] -[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] -[ 3510.400968] ? pci_get_device+0x7c/0x90 -[ 3510.400970] ? pci_get_subsys+0x90/0x90 -[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 -[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 -[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 3510.401001] sriov_numvfs_store+0x214/0x290 -[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 -[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 -[ 3510.401011] ? __check_object_size+0x15a/0x350 -[ 3510.401018] kernfs_fop_write+0x280/0x3f0 -[ 3510.401022] vfs_write+0x145/0x440 -[ 3510.401025] ksys_write+0xab/0x160 -[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 -[ 3510.401031] ? fput_many+0x1a/0x120 -[ 3510.401032] ? filp_close+0xf0/0x130 -[ 3510.401038] do_syscall_64+0xa0/0x370 -[ 3510.401041] ? page_fault+0x8/0x30 -[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 -[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 -[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 -[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 -[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 -[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 -[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 -[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 -[ 3510.401090] -[ 3510.401093] Allocated by task 76795: -[ 3510.401098] kasan_kmalloc+0xa6/0xd0 -[ 3510.401099] __kmalloc+0xfb/0x200 -[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] -[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] -[ 3510.401114] process_one_work+0x56a/0x11f0 -[ 3510.401115] worker_thread+0x8f/0xf40 -[ 3510.401117] kthread+0x2a0/0x390 -[ 3510.401119] ret_from_fork+0x1f/0x40 -[ 3510.401122] 0xffffffffffffffff -[ 3510.401123] - -In timeout handling, we should keep the original num_active_queues -and reset num_req_queues to 0. - -Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") -Signed-off-by: Ding Hui -Cc: Donglin Peng -Cc: Huang Cun -Reviewed-by: Leon Romanovsky -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index 6f171d1d85b75..92443f8e9fbdf 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -1863,7 +1863,7 @@ static int iavf_set_channels(struct net_device *netdev, - } - if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { - adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; -- adapter->num_active_queues = num_req; -+ adapter->num_req_queues = 0; - return -EOPNOTSUPP; - } - --- -2.39.2 - diff --git a/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch b/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch deleted file mode 100644 index d8c2ed28871..00000000000 --- a/queue-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch +++ /dev/null @@ -1,190 +0,0 @@ -From abbc67998f91be1d120f00aa0a1ed11511c3ac34 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:26 -0400 -Subject: iavf: fix reset task race with iavf_remove() - -From: Ahmed Zaki - -[ Upstream commit c34743daca0eb1dc855831a5210f0800a850088e ] - -The reset task is currently scheduled from the watchdog or adminq tasks. -First, all direct calls to schedule the reset task are replaced with the -iavf_schedule_reset(), which is modified to accept the flag showing the -type of reset. - -To prevent the reset task from starting once iavf_remove() starts, we need -to check the __IAVF_IN_REMOVE_TASK bit before we schedule it. This is now -easily added to iavf_schedule_reset(). - -Finally, remove the check for IAVF_FLAG_RESET_NEEDED in the watchdog task. -It is redundant since all callers who set the flag immediately schedules -the reset task. - -Fixes: 3ccd54ef44eb ("iavf: Fix init state closure on remove") -Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") -Signed-off-by: Ahmed Zaki -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 +- - .../net/ethernet/intel/iavf/iavf_ethtool.c | 8 ++--- - drivers/net/ethernet/intel/iavf/iavf_main.c | 32 +++++++------------ - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 3 +- - 4 files changed, 16 insertions(+), 29 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index bf5e3c8e97e04..8cbdebc5b6989 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -520,7 +520,7 @@ int iavf_up(struct iavf_adapter *adapter); - void iavf_down(struct iavf_adapter *adapter); - int iavf_process_config(struct iavf_adapter *adapter); - int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); --void iavf_schedule_reset(struct iavf_adapter *adapter); -+void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); - void iavf_schedule_request_stats(struct iavf_adapter *adapter); - void iavf_schedule_finish_config(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index b7141c2a941d1..2f47cfa7f06e2 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -532,8 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - /* issue a reset to force legacy-rx change to take effect */ - if (changed_flags & IAVF_FLAG_LEGACY_RX) { - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret) - netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); -@@ -676,8 +675,7 @@ static int iavf_set_ringparam(struct net_device *netdev, - } - - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret) - netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); -@@ -1860,7 +1858,7 @@ static int iavf_set_channels(struct net_device *netdev, - - adapter->num_req_queues = num_req; - adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - - ret = iavf_wait_for_reset(adapter); - if (ret) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 161750c1598f8..ba96312feb505 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -309,12 +309,14 @@ static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) - /** - * iavf_schedule_reset - Set the flags and schedule a reset event - * @adapter: board private structure -+ * @flags: IAVF_FLAG_RESET_PENDING or IAVF_FLAG_RESET_NEEDED - **/ --void iavf_schedule_reset(struct iavf_adapter *adapter) -+void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) - { -- if (!(adapter->flags & -- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -+ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && -+ !(adapter->flags & -+ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { -+ adapter->flags |= flags; - queue_work(adapter->wq, &adapter->reset_task); - } - } -@@ -342,7 +344,7 @@ static void iavf_tx_timeout(struct net_device *netdev, unsigned int txqueue) - struct iavf_adapter *adapter = netdev_priv(netdev); - - adapter->tx_timeout_count++; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - } - - /** -@@ -2490,7 +2492,7 @@ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter) - adapter->vsi_res->num_queue_pairs); - adapter->flags |= IAVF_FLAG_REINIT_MSIX_NEEDED; - adapter->num_req_queues = adapter->vsi_res->num_queue_pairs; -- iavf_schedule_reset(adapter); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - - return -EAGAIN; - } -@@ -2787,14 +2789,6 @@ static void iavf_watchdog_task(struct work_struct *work) - if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) - iavf_change_state(adapter, __IAVF_COMM_FAILED); - -- if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { -- adapter->aq_required = 0; -- adapter->current_op = VIRTCHNL_OP_UNKNOWN; -- mutex_unlock(&adapter->crit_lock); -- queue_work(adapter->wq, &adapter->reset_task); -- return; -- } -- - switch (adapter->state) { - case __IAVF_STARTUP: - iavf_startup(adapter); -@@ -2922,11 +2916,10 @@ static void iavf_watchdog_task(struct work_struct *work) - /* check for hw reset */ - reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK; - if (!reg_val) { -- adapter->flags |= IAVF_FLAG_RESET_PENDING; - adapter->aq_required = 0; - adapter->current_op = VIRTCHNL_OP_UNKNOWN; - dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); - mutex_unlock(&adapter->crit_lock); - queue_delayed_work(adapter->wq, - &adapter->watchdog_task, HZ * 2); -@@ -3324,9 +3317,7 @@ static void iavf_adminq_task(struct work_struct *work) - } while (pending); - mutex_unlock(&adapter->crit_lock); - -- if ((adapter->flags & -- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || -- adapter->state == __IAVF_RESETTING) -+ if (iavf_is_reset_in_progress(adapter)) - goto freedom; - - /* check for error indications */ -@@ -4423,8 +4414,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - } - - if (netif_running(netdev)) { -- adapter->flags |= IAVF_FLAG_RESET_NEEDED; -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); - ret = iavf_wait_for_reset(adapter); - if (ret < 0) - netdev_warn(netdev, "MTU change interrupted waiting for reset"); -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 073ac29ed84c7..be3c007ce90a9 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -1961,9 +1961,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - case VIRTCHNL_EVENT_RESET_IMPENDING: - dev_info(&adapter->pdev->dev, "Reset indication received from the PF\n"); - if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { -- adapter->flags |= IAVF_FLAG_RESET_PENDING; - dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); -- queue_work(adapter->wq, &adapter->reset_task); -+ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); - } - break; - default: --- -2.39.2 - diff --git a/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch b/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch deleted file mode 100644 index 8687449a498..00000000000 --- a/queue-6.4/iavf-fix-use-after-free-in-free_netdev.patch +++ /dev/null @@ -1,215 +0,0 @@ -From 787c2cf45c807afa52660119d30d9fa8d9d95e6a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 May 2023 19:11:47 +0800 -Subject: iavf: Fix use-after-free in free_netdev - -From: Ding Hui - -[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] - -We do netif_napi_add() for all allocated q_vectors[], but potentially -do netif_napi_del() for part of them, then kfree q_vectors and leave -invalid pointers at dev->napi_list. - -Reproducer: - - [root@host ~]# cat repro.sh - #!/bin/bash - - pf_dbsf="0000:41:00.0" - vf0_dbsf="0000:41:02.0" - g_pids=() - - function do_set_numvf() - { - echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs - sleep $((RANDOM%3+1)) - } - - function do_set_channel() - { - local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) - [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } - ifconfig $nic 192.168.18.5 netmask 255.255.255.0 - ifconfig $nic up - ethtool -L $nic combined 1 - ethtool -L $nic combined 4 - sleep $((RANDOM%3)) - } - - function on_exit() - { - local pid - for pid in "${g_pids[@]}"; do - kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null - done - g_pids=() - } - - trap "on_exit; exit" EXIT - - while :; do do_set_numvf ; done & - g_pids+=($!) - while :; do do_set_channel ; done & - g_pids+=($!) - - wait - -Result: - -[ 4093.900222] ================================================================== -[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 -[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 -[ 4093.900233] -[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 -[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 -[ 4093.900239] Call Trace: -[ 4093.900244] dump_stack+0x71/0xab -[ 4093.900249] print_address_description+0x6b/0x290 -[ 4093.900251] ? free_netdev+0x308/0x390 -[ 4093.900252] kasan_report+0x14a/0x2b0 -[ 4093.900254] free_netdev+0x308/0x390 -[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] -[ 4093.900265] pci_device_remove+0xa8/0x1f0 -[ 4093.900268] device_release_driver_internal+0x1c6/0x460 -[ 4093.900271] pci_stop_bus_device+0x101/0x150 -[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 -[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 -[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 -[ 4093.900278] ? pci_get_subsys+0x90/0x90 -[ 4093.900280] sriov_disable+0xed/0x3e0 -[ 4093.900282] ? bus_find_device+0x12d/0x1a0 -[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] -[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] -[ 4093.900299] ? pci_get_device+0x7c/0x90 -[ 4093.900300] ? pci_get_subsys+0x90/0x90 -[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 -[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 -[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 4093.900318] sriov_numvfs_store+0x214/0x290 -[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 -[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 -[ 4093.900323] ? __check_object_size+0x15a/0x350 -[ 4093.900326] kernfs_fop_write+0x280/0x3f0 -[ 4093.900329] vfs_write+0x145/0x440 -[ 4093.900330] ksys_write+0xab/0x160 -[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 -[ 4093.900334] ? fput_many+0x1a/0x120 -[ 4093.900335] ? filp_close+0xf0/0x130 -[ 4093.900338] do_syscall_64+0xa0/0x370 -[ 4093.900339] ? page_fault+0x8/0x30 -[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 -[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 -[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 -[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 -[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 -[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 -[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 -[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 -[ 4093.900367] -[ 4093.900368] Allocated by task 820: -[ 4093.900371] kasan_kmalloc+0xa6/0xd0 -[ 4093.900373] __kmalloc+0xfb/0x200 -[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] -[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] -[ 4093.900382] process_one_work+0x56a/0x11f0 -[ 4093.900383] worker_thread+0x8f/0xf40 -[ 4093.900384] kthread+0x2a0/0x390 -[ 4093.900385] ret_from_fork+0x1f/0x40 -[ 4093.900387] 0xffffffffffffffff -[ 4093.900387] -[ 4093.900388] Freed by task 6699: -[ 4093.900390] __kasan_slab_free+0x137/0x190 -[ 4093.900391] kfree+0x8b/0x1b0 -[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] -[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] -[ 4093.900399] pci_device_remove+0xa8/0x1f0 -[ 4093.900400] device_release_driver_internal+0x1c6/0x460 -[ 4093.900401] pci_stop_bus_device+0x101/0x150 -[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 -[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 -[ 4093.900404] sriov_disable+0xed/0x3e0 -[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] -[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] -[ 4093.900416] sriov_numvfs_store+0x214/0x290 -[ 4093.900417] kernfs_fop_write+0x280/0x3f0 -[ 4093.900418] vfs_write+0x145/0x440 -[ 4093.900419] ksys_write+0xab/0x160 -[ 4093.900420] do_syscall_64+0xa0/0x370 -[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca -[ 4093.900422] 0xffffffffffffffff -[ 4093.900422] -[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 - which belongs to the cache kmalloc-8k of size 8192 -[ 4093.900425] The buggy address is located 5184 bytes inside of - 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) -[ 4093.900425] The buggy address belongs to the page: -[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 -[ 4093.900430] flags: 0x10000000008100(slab|head) -[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 -[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 -[ 4093.900434] page dumped because: kasan: bad access detected -[ 4093.900435] -[ 4093.900435] Memory state around the buggy address: -[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900438] ^ -[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 4093.900440] ================================================================== - -Although the patch #2 (of 2) can avoid the issue triggered by this -repro.sh, there still are other potential risks that if num_active_queues -is changed to less than allocated q_vectors[] by unexpected, the -mismatched netif_napi_add/del() can also cause UAF. - -Since we actually call netif_napi_add() for all allocated q_vectors -unconditionally in iavf_alloc_q_vectors(), so we should fix it by -letting netif_napi_del() match to netif_napi_add(). - -Fixes: 5eae00c57f5e ("i40evf: main driver core") -Signed-off-by: Ding Hui -Cc: Donglin Peng -Cc: Huang Cun -Reviewed-by: Simon Horman -Reviewed-by: Madhu Chittim -Reviewed-by: Leon Romanovsky -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 4a66873882d12..601de8e8f3654 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1840,19 +1840,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) - static void iavf_free_q_vectors(struct iavf_adapter *adapter) - { - int q_idx, num_q_vectors; -- int napi_vectors; - - if (!adapter->q_vectors) - return; - - num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; -- napi_vectors = adapter->num_active_queues; - - for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { - struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; - -- if (q_idx < napi_vectors) -- netif_napi_del(&q_vector->napi); -+ netif_napi_del(&q_vector->napi); - } - kfree(adapter->q_vectors); - adapter->q_vectors = NULL; --- -2.39.2 - diff --git a/queue-6.4/iavf-make-functions-static-where-possible.patch b/queue-6.4/iavf-make-functions-static-where-possible.patch deleted file mode 100644 index e48bf7b084f..00000000000 --- a/queue-6.4/iavf-make-functions-static-where-possible.patch +++ /dev/null @@ -1,223 +0,0 @@ -From 68b6c8edce9d8fbb94f77072800d2fdebbf603d5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 08:54:05 -0700 -Subject: iavf: make functions static where possible - -From: Przemek Kitszel - -[ Upstream commit a4aadf0f5905661cd25c366b96cc1c840f05b756 ] - -Make all possible functions static. - -Move iavf_force_wb() up to avoid forward declaration. - -Suggested-by: Maciej Fijalkowski -Reviewed-by: Maciej Fijalkowski -Signed-off-by: Przemek Kitszel -Signed-off-by: Tony Nguyen -Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 10 ----- - drivers/net/ethernet/intel/iavf/iavf_main.c | 14 +++---- - drivers/net/ethernet/intel/iavf/iavf_txrx.c | 43 ++++++++++----------- - drivers/net/ethernet/intel/iavf/iavf_txrx.h | 4 -- - 4 files changed, 28 insertions(+), 43 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index 39d0fe76a38ff..f80f2735e6886 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -523,9 +523,6 @@ void iavf_schedule_request_stats(struct iavf_adapter *adapter); - void iavf_reset(struct iavf_adapter *adapter); - void iavf_set_ethtool_ops(struct net_device *netdev); - void iavf_update_stats(struct iavf_adapter *adapter); --void iavf_reset_interrupt_capability(struct iavf_adapter *adapter); --int iavf_init_interrupt_scheme(struct iavf_adapter *adapter); --void iavf_irq_enable_queues(struct iavf_adapter *adapter); - void iavf_free_all_tx_resources(struct iavf_adapter *adapter); - void iavf_free_all_rx_resources(struct iavf_adapter *adapter); - -@@ -579,17 +576,10 @@ void iavf_enable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_disable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_enable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); - void iavf_disable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); --int iavf_replace_primary_mac(struct iavf_adapter *adapter, -- const u8 *new_mac); --void --iavf_set_vlan_offload_features(struct iavf_adapter *adapter, -- netdev_features_t prev_features, -- netdev_features_t features); - void iavf_add_fdir_filter(struct iavf_adapter *adapter); - void iavf_del_fdir_filter(struct iavf_adapter *adapter); - void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); - void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); - struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - const u8 *macaddr); --int iavf_lock_timeout(struct mutex *lock, unsigned int msecs); - #endif /* _IAVF_H_ */ -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index b698f8917f049..b24e54823e6ae 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -253,7 +253,7 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw, - * - * Returns 0 on success, negative on failure - **/ --int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) -+static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) - { - unsigned int wait, delay = 10; - -@@ -362,7 +362,7 @@ static void iavf_irq_disable(struct iavf_adapter *adapter) - * iavf_irq_enable_queues - Enable interrupt for all queues - * @adapter: board private structure - **/ --void iavf_irq_enable_queues(struct iavf_adapter *adapter) -+static void iavf_irq_enable_queues(struct iavf_adapter *adapter) - { - struct iavf_hw *hw = &adapter->hw; - int i; -@@ -1003,8 +1003,8 @@ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - * - * Do not call this with mac_vlan_list_lock! - **/ --int iavf_replace_primary_mac(struct iavf_adapter *adapter, -- const u8 *new_mac) -+static int iavf_replace_primary_mac(struct iavf_adapter *adapter, -+ const u8 *new_mac) - { - struct iavf_hw *hw = &adapter->hw; - struct iavf_mac_filter *f; -@@ -1860,7 +1860,7 @@ static void iavf_free_q_vectors(struct iavf_adapter *adapter) - * @adapter: board private structure - * - **/ --void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) -+static void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) - { - if (!adapter->msix_entries) - return; -@@ -1875,7 +1875,7 @@ void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) - * @adapter: board private structure to initialize - * - **/ --int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) -+static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) - { - int err; - -@@ -2174,7 +2174,7 @@ static int iavf_process_aq_command(struct iavf_adapter *adapter) - * the watchdog if any changes are requested to expedite the request via - * virtchnl. - **/ --void -+static void - iavf_set_vlan_offload_features(struct iavf_adapter *adapter, - netdev_features_t prev_features, - netdev_features_t features) -diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c -index e989feda133c1..8c5f6096b0022 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c -@@ -54,7 +54,7 @@ static void iavf_unmap_and_free_tx_resource(struct iavf_ring *ring, - * iavf_clean_tx_ring - Free any empty Tx buffers - * @tx_ring: ring to be cleaned - **/ --void iavf_clean_tx_ring(struct iavf_ring *tx_ring) -+static void iavf_clean_tx_ring(struct iavf_ring *tx_ring) - { - unsigned long bi_size; - u16 i; -@@ -110,7 +110,7 @@ void iavf_free_tx_resources(struct iavf_ring *tx_ring) - * Since there is no access to the ring head register - * in XL710, we need to use our local copies - **/ --u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) -+static u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) - { - u32 head, tail; - -@@ -127,6 +127,24 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) - return 0; - } - -+/** -+ * iavf_force_wb - Issue SW Interrupt so HW does a wb -+ * @vsi: the VSI we care about -+ * @q_vector: the vector on which to force writeback -+ **/ -+static void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) -+{ -+ u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | -+ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ -+ IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | -+ IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK -+ /* allow 00 to be written to the index */; -+ -+ wr32(&vsi->back->hw, -+ IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), -+ val); -+} -+ - /** - * iavf_detect_recover_hung - Function to detect and recover hung_queues - * @vsi: pointer to vsi struct with tx queues -@@ -352,25 +370,6 @@ static void iavf_enable_wb_on_itr(struct iavf_vsi *vsi, - q_vector->arm_wb_state = true; - } - --/** -- * iavf_force_wb - Issue SW Interrupt so HW does a wb -- * @vsi: the VSI we care about -- * @q_vector: the vector on which to force writeback -- * -- **/ --void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) --{ -- u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | -- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ -- IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | -- IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK -- /* allow 00 to be written to the index */; -- -- wr32(&vsi->back->hw, -- IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), -- val); --} -- - static inline bool iavf_container_is_rx(struct iavf_q_vector *q_vector, - struct iavf_ring_container *rc) - { -@@ -687,7 +686,7 @@ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring) - * iavf_clean_rx_ring - Free Rx buffers - * @rx_ring: ring to be cleaned - **/ --void iavf_clean_rx_ring(struct iavf_ring *rx_ring) -+static void iavf_clean_rx_ring(struct iavf_ring *rx_ring) - { - unsigned long bi_size; - u16 i; -diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h -index 2624bf6d009e3..7e6ee32d19b69 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h -+++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h -@@ -442,15 +442,11 @@ static inline unsigned int iavf_rx_pg_order(struct iavf_ring *ring) - - bool iavf_alloc_rx_buffers(struct iavf_ring *rxr, u16 cleaned_count); - netdev_tx_t iavf_xmit_frame(struct sk_buff *skb, struct net_device *netdev); --void iavf_clean_tx_ring(struct iavf_ring *tx_ring); --void iavf_clean_rx_ring(struct iavf_ring *rx_ring); - int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring); - int iavf_setup_rx_descriptors(struct iavf_ring *rx_ring); - void iavf_free_tx_resources(struct iavf_ring *tx_ring); - void iavf_free_rx_resources(struct iavf_ring *rx_ring); - int iavf_napi_poll(struct napi_struct *napi, int budget); --void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector); --u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw); - void iavf_detect_recover_hung(struct iavf_vsi *vsi); - int __iavf_maybe_stop_tx(struct iavf_ring *tx_ring, int size); - bool __iavf_chk_linearize(struct sk_buff *skb); --- -2.39.2 - diff --git a/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch b/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch deleted file mode 100644 index c0278ecdafd..00000000000 --- a/queue-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 31c8df7f7a300777b2f0073fd70320c0734a785f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 15:46:02 -0600 -Subject: iavf: use internal state to free traffic IRQs - -From: Ahmed Zaki - -[ Upstream commit a77ed5c5b768e9649be240a2d864e5cd9c6a2015 ] - -If the system tries to close the netdev while iavf_reset_task() is -running, __LINK_STATE_START will be cleared and netif_running() will -return false in iavf_reinit_interrupt_scheme(). This will result in -iavf_free_traffic_irqs() not being called and a leak as follows: - - [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' - [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 - -is shown when pci_disable_msix() is later called. Fix by using the -internal adapter state. The traffic IRQs will always exist if -state == __IAVF_RUNNING. - -Fixes: 5b36e8d04b44 ("i40evf: Enable VF to request an alternate queue allocation") -Signed-off-by: Ahmed Zaki -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index 601de8e8f3654..b698f8917f049 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -1941,15 +1941,16 @@ static void iavf_free_rss(struct iavf_adapter *adapter) - /** - * iavf_reinit_interrupt_scheme - Reallocate queues and vectors - * @adapter: board private structure -+ * @running: true if adapter->state == __IAVF_RUNNING - * - * Returns 0 on success, negative on failure - **/ --static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter) -+static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool running) - { - struct net_device *netdev = adapter->netdev; - int err; - -- if (netif_running(netdev)) -+ if (running) - iavf_free_traffic_irqs(adapter); - iavf_free_misc_irq(adapter); - iavf_reset_interrupt_capability(adapter); -@@ -3065,7 +3066,7 @@ static void iavf_reset_task(struct work_struct *work) - - if ((adapter->flags & IAVF_FLAG_REINIT_MSIX_NEEDED) || - (adapter->flags & IAVF_FLAG_REINIT_ITR_NEEDED)) { -- err = iavf_reinit_interrupt_scheme(adapter); -+ err = iavf_reinit_interrupt_scheme(adapter, running); - if (err) - goto reset_err; - } --- -2.39.2 - diff --git a/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch b/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch deleted file mode 100644 index 176c0e422c4..00000000000 --- a/queue-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch +++ /dev/null @@ -1,253 +0,0 @@ -From 1536bf50c1b1e60700372a8344141f9a05a00b68 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 10:52:22 -0400 -Subject: iavf: Wait for reset in callbacks which trigger it - -From: Marcin Szycik - -[ Upstream commit c2ed2403f12c74a74a0091ed5d830e72c58406e8 ] - -There was a fail when trying to add the interface to bonding -right after changing the MTU on the interface. It was caused -by bonding interface unable to open the interface due to -interface being in __RESETTING state because of MTU change. - -Add new reset_waitqueue to indicate that reset has finished. - -Add waiting for reset to finish in callbacks which trigger hw reset: -iavf_set_priv_flags(), iavf_change_mtu() and iavf_set_ringparam(). -We use a 5000ms timeout period because on Hyper-V based systems, -this operation takes around 3000-4000ms. In normal circumstances, -it doesn't take more than 500ms to complete. - -Add a function iavf_wait_for_reset() to reuse waiting for reset code and -use it also in iavf_set_channels(), which already waits for reset. -We don't use error handling in iavf_set_channels() as this could -cause the device to be in incorrect state if the reset was scheduled -but hit timeout or the waitng function was interrupted by a signal. - -Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") -Signed-off-by: Marcin Szycik -Co-developed-by: Dawid Wesierski -Signed-off-by: Dawid Wesierski -Signed-off-by: Sylwester Dziedziuch -Signed-off-by: Kamil Maziarz -Signed-off-by: Mateusz Palczewski -Tested-by: Rafal Romanowski -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/iavf/iavf.h | 2 + - .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 ++++++----- - drivers/net/ethernet/intel/iavf/iavf_main.c | 51 ++++++++++++++++++- - .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + - 4 files changed, 68 insertions(+), 17 deletions(-) - -diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h -index f80f2735e6886..a5cab19eb6a8b 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf.h -+++ b/drivers/net/ethernet/intel/iavf/iavf.h -@@ -257,6 +257,7 @@ struct iavf_adapter { - struct work_struct adminq_task; - struct delayed_work client_task; - wait_queue_head_t down_waitqueue; -+ wait_queue_head_t reset_waitqueue; - wait_queue_head_t vc_waitqueue; - struct iavf_q_vector *q_vectors; - struct list_head vlan_filter_list; -@@ -582,4 +583,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); - void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); - struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, - const u8 *macaddr); -+int iavf_wait_for_reset(struct iavf_adapter *adapter); - #endif /* _IAVF_H_ */ -diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -index 92443f8e9fbdf..b7141c2a941d1 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c -@@ -484,6 +484,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 orig_flags, new_flags, changed_flags; -+ int ret = 0; - u32 i; - - orig_flags = READ_ONCE(adapter->flags); -@@ -533,10 +534,13 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); - } - } - -- return 0; -+ return ret; - } - - /** -@@ -627,6 +631,7 @@ static int iavf_set_ringparam(struct net_device *netdev, - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 new_rx_count, new_tx_count; -+ int ret = 0; - - if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) - return -EINVAL; -@@ -673,9 +678,12 @@ static int iavf_set_ringparam(struct net_device *netdev, - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); - } - -- return 0; -+ return ret; - } - - /** -@@ -1830,7 +1838,7 @@ static int iavf_set_channels(struct net_device *netdev, - { - struct iavf_adapter *adapter = netdev_priv(netdev); - u32 num_req = ch->combined_count; -- int i; -+ int ret = 0; - - if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && - adapter->num_tc) { -@@ -1854,20 +1862,11 @@ static int iavf_set_channels(struct net_device *netdev, - adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; - iavf_schedule_reset(adapter); - -- /* wait for the reset is done */ -- for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) { -- msleep(IAVF_RESET_WAIT_MS); -- if (adapter->flags & IAVF_FLAG_RESET_PENDING) -- continue; -- break; -- } -- if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { -- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; -- adapter->num_req_queues = 0; -- return -EOPNOTSUPP; -- } -+ ret = iavf_wait_for_reset(adapter); -+ if (ret) -+ netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset"); - -- return 0; -+ return ret; - } - - /** -diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c -index b24e54823e6ae..8cb9b74b3ebea 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_main.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c -@@ -166,6 +166,45 @@ static struct iavf_adapter *iavf_pdev_to_adapter(struct pci_dev *pdev) - return netdev_priv(pci_get_drvdata(pdev)); - } - -+/** -+ * iavf_is_reset_in_progress - Check if a reset is in progress -+ * @adapter: board private structure -+ */ -+static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) -+{ -+ if (adapter->state == __IAVF_RESETTING || -+ adapter->flags & (IAVF_FLAG_RESET_PENDING | -+ IAVF_FLAG_RESET_NEEDED)) -+ return true; -+ -+ return false; -+} -+ -+/** -+ * iavf_wait_for_reset - Wait for reset to finish. -+ * @adapter: board private structure -+ * -+ * Returns 0 if reset finished successfully, negative on timeout or interrupt. -+ */ -+int iavf_wait_for_reset(struct iavf_adapter *adapter) -+{ -+ int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, -+ !iavf_is_reset_in_progress(adapter), -+ msecs_to_jiffies(5000)); -+ -+ /* If ret < 0 then it means wait was interrupted. -+ * If ret == 0 then it means we got a timeout while waiting -+ * for reset to finish. -+ * If ret > 0 it means reset has finished. -+ */ -+ if (ret > 0) -+ return 0; -+ else if (ret < 0) -+ return -EINTR; -+ else -+ return -EBUSY; -+} -+ - /** - * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code - * @hw: pointer to the HW structure -@@ -3161,6 +3200,7 @@ static void iavf_reset_task(struct work_struct *work) - - adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; - -+ wake_up(&adapter->reset_waitqueue); - mutex_unlock(&adapter->client_lock); - mutex_unlock(&adapter->crit_lock); - -@@ -4325,6 +4365,7 @@ static int iavf_close(struct net_device *netdev) - static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - { - struct iavf_adapter *adapter = netdev_priv(netdev); -+ int ret = 0; - - netdev_dbg(netdev, "changing MTU from %d to %d\n", - netdev->mtu, new_mtu); -@@ -4337,9 +4378,14 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) - if (netif_running(netdev)) { - adapter->flags |= IAVF_FLAG_RESET_NEEDED; - queue_work(adapter->wq, &adapter->reset_task); -+ ret = iavf_wait_for_reset(adapter); -+ if (ret < 0) -+ netdev_warn(netdev, "MTU change interrupted waiting for reset"); -+ else if (ret) -+ netdev_warn(netdev, "MTU change timed out waiting for reset"); - } - -- return 0; -+ return ret; - } - - #define NETIF_VLAN_OFFLOAD_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \ -@@ -4940,6 +4986,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - /* Setup the wait queue for indicating transition to down status */ - init_waitqueue_head(&adapter->down_waitqueue); - -+ /* Setup the wait queue for indicating transition to running state */ -+ init_waitqueue_head(&adapter->reset_waitqueue); -+ - /* Setup the wait queue for indicating virtchannel events */ - init_waitqueue_head(&adapter->vc_waitqueue); - -diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -index 7c0578b5457b9..1bab896aaf40c 100644 ---- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c -@@ -2285,6 +2285,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, - case VIRTCHNL_OP_ENABLE_QUEUES: - /* enable transmits */ - iavf_irq_enable(adapter, true); -+ wake_up(&adapter->reset_waitqueue); - adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; - break; - case VIRTCHNL_OP_DISABLE_QUEUES: --- -2.39.2 - diff --git a/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch b/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch deleted file mode 100644 index 1d5f0e4e51b..00000000000 --- a/queue-6.4/ice-prevent-null-pointer-deref-during-reload.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 93590b860be32d444cc9d6dfbc0e7308f63b6ef7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Jul 2023 08:25:51 +0200 -Subject: ice: prevent NULL pointer deref during reload - -From: Michal Swiatkowski - -[ Upstream commit b3e7b3a6ee92ab927f750a6b19615ce88ece808f ] - -Calling ethtool during reload can lead to call trace, because VSI isn't -configured for some time, but netdev is alive. - -To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors -to 0 after freeing and add a check for ::tx/rx_rings in ring related -ethtool ops. - -Add proper unroll of filters in ice_start_eth(). - -Reproduction: -$watch -n 0.1 -d 'ethtool -g enp24s0f0np0' -$devlink dev reload pci/0000:18:00.0 action driver_reinit - -Call trace before fix: -[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 -[66303.926259] #PF: supervisor read access in kernel mode -[66303.926286] #PF: error_code(0x0000) - not-present page -[66303.926311] PGD 0 P4D 0 -[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI -[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 -[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 -[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] -[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 -[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 -[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 -[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 -[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 -[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 -[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50 -[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 -[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 -[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[66303.927060] PKRU: 55555554 -[66303.927075] Call Trace: -[66303.927094] -[66303.927111] ? __die+0x23/0x70 -[66303.927140] ? page_fault_oops+0x171/0x4e0 -[66303.927176] ? exc_page_fault+0x7f/0x180 -[66303.927209] ? asm_exc_page_fault+0x26/0x30 -[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] -[66303.927433] rings_prepare_data+0x62/0x80 -[66303.927469] ethnl_default_doit+0xe2/0x350 -[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 -[66303.927538] genl_rcv_msg+0x1b1/0x2c0 -[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 -[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 -[66303.927615] netlink_rcv_skb+0x58/0x110 -[66303.927644] genl_rcv+0x28/0x40 -[66303.927665] netlink_unicast+0x19e/0x290 -[66303.927691] netlink_sendmsg+0x254/0x4d0 -[66303.927717] sock_sendmsg+0x93/0xa0 -[66303.927743] __sys_sendto+0x126/0x170 -[66303.927780] __x64_sys_sendto+0x24/0x30 -[66303.928593] do_syscall_64+0x5d/0x90 -[66303.929370] ? __count_memcg_events+0x60/0xa0 -[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 -[66303.930920] ? handle_mm_fault+0x9e/0x350 -[66303.931688] ? do_user_addr_fault+0x258/0x740 -[66303.932452] ? exc_page_fault+0x7f/0x180 -[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc - -Fixes: 5b246e533d01 ("ice: split probe into smaller functions") -Reviewed-by: Przemek Kitszel -Signed-off-by: Michal Swiatkowski -Reviewed-by: Simon Horman -Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/ice/ice_base.c | 2 ++ - drivers/net/ethernet/intel/ice/ice_ethtool.c | 13 +++++++++++-- - drivers/net/ethernet/intel/ice/ice_main.c | 10 ++++++++-- - 3 files changed, 21 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c -index 1911d644dfa8d..619cb07a40691 100644 ---- a/drivers/net/ethernet/intel/ice/ice_base.c -+++ b/drivers/net/ethernet/intel/ice/ice_base.c -@@ -758,6 +758,8 @@ void ice_vsi_free_q_vectors(struct ice_vsi *vsi) - - ice_for_each_q_vector(vsi, v_idx) - ice_free_q_vector(vsi, v_idx); -+ -+ vsi->num_q_vectors = 0; - } - - /** -diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c -index f86e814354a31..ec4138e684bd2 100644 ---- a/drivers/net/ethernet/intel/ice/ice_ethtool.c -+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c -@@ -2920,8 +2920,13 @@ ice_get_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, - - ring->rx_max_pending = ICE_MAX_NUM_DESC; - ring->tx_max_pending = ICE_MAX_NUM_DESC; -- ring->rx_pending = vsi->rx_rings[0]->count; -- ring->tx_pending = vsi->tx_rings[0]->count; -+ if (vsi->tx_rings && vsi->rx_rings) { -+ ring->rx_pending = vsi->rx_rings[0]->count; -+ ring->tx_pending = vsi->tx_rings[0]->count; -+ } else { -+ ring->rx_pending = 0; -+ ring->tx_pending = 0; -+ } - - /* Rx mini and jumbo rings are not supported */ - ring->rx_mini_max_pending = 0; -@@ -2955,6 +2960,10 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, - return -EINVAL; - } - -+ /* Return if there is no rings (device is reloading) */ -+ if (!vsi->tx_rings || !vsi->rx_rings) -+ return -EBUSY; -+ - new_tx_cnt = ALIGN(ring->tx_pending, ICE_REQ_DESC_MULTIPLE); - if (new_tx_cnt != ring->tx_pending) - netdev_info(netdev, "Requested Tx descriptor count rounded up to %d\n", -diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c -index 1277e0a044ee4..fbe70458fda27 100644 ---- a/drivers/net/ethernet/intel/ice/ice_main.c -+++ b/drivers/net/ethernet/intel/ice/ice_main.c -@@ -4655,9 +4655,9 @@ static int ice_start_eth(struct ice_vsi *vsi) - if (err) - return err; - -- rtnl_lock(); - err = ice_vsi_open(vsi); -- rtnl_unlock(); -+ if (err) -+ ice_fltr_remove_all(vsi); - - return err; - } -@@ -5120,6 +5120,7 @@ int ice_load(struct ice_pf *pf) - params = ice_vsi_to_params(vsi); - params.flags = ICE_VSI_FLAG_INIT; - -+ rtnl_lock(); - err = ice_vsi_cfg(vsi, ¶ms); - if (err) - goto err_vsi_cfg; -@@ -5127,6 +5128,7 @@ int ice_load(struct ice_pf *pf) - err = ice_start_eth(ice_get_main_vsi(pf)); - if (err) - goto err_start_eth; -+ rtnl_unlock(); - - err = ice_init_rdma(pf); - if (err) -@@ -5141,9 +5143,11 @@ int ice_load(struct ice_pf *pf) - - err_init_rdma: - ice_vsi_close(ice_get_main_vsi(pf)); -+ rtnl_lock(); - err_start_eth: - ice_vsi_decfg(ice_get_main_vsi(pf)); - err_vsi_cfg: -+ rtnl_unlock(); - ice_deinit_dev(pf); - return err; - } -@@ -5156,8 +5160,10 @@ void ice_unload(struct ice_pf *pf) - { - ice_deinit_features(pf); - ice_deinit_rdma(pf); -+ rtnl_lock(); - ice_stop_eth(ice_get_main_vsi(pf)); - ice_vsi_decfg(ice_get_main_vsi(pf)); -+ rtnl_unlock(); - ice_deinit_dev(pf); - } - --- -2.39.2 - diff --git a/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch b/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch deleted file mode 100644 index 54b6608fdc7..00000000000 --- a/queue-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch +++ /dev/null @@ -1,90 +0,0 @@ -From d1aeebd398c1fd5efc7811ba8bf4afb8b5eae005 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 12:58:13 +0200 -Subject: ice: Unregister netdev and devlink_port only once - -From: Petr Oros - -[ Upstream commit 24a3298ac9e6bd8de838ab79f7868207170d556d ] - -Since commit 6624e780a577fc ("ice: split ice_vsi_setup into smaller -functions") ice_vsi_release does things twice. There is unregister -netdev which is unregistered in ice_deinit_eth also. - -It also unregisters the devlink_port twice which is also unregistered -in ice_deinit_eth(). This double deregistration is hidden because -devl_port_unregister ignores the return value of xa_erase. - -[ 68.642167] Call Trace: -[ 68.650385] ice_devlink_destroy_pf_port+0xe/0x20 [ice] -[ 68.655656] ice_vsi_release+0x445/0x690 [ice] -[ 68.660147] ice_deinit+0x99/0x280 [ice] -[ 68.664117] ice_remove+0x1b6/0x5c0 [ice] - -[ 171.103841] Call Trace: -[ 171.109607] ice_devlink_destroy_pf_port+0xf/0x20 [ice] -[ 171.114841] ice_remove+0x158/0x270 [ice] -[ 171.118854] pci_device_remove+0x3b/0xc0 -[ 171.122779] device_release_driver_internal+0xc7/0x170 -[ 171.127912] driver_detach+0x54/0x8c -[ 171.131491] bus_remove_driver+0x77/0xd1 -[ 171.135406] pci_unregister_driver+0x2d/0xb0 -[ 171.139670] ice_module_exit+0xc/0x55f [ice] - -Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") -Signed-off-by: Petr Oros -Reviewed-by: Maciej Fijalkowski -Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/ice/ice_lib.c | 27 ------------------------ - 1 file changed, 27 deletions(-) - -diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c -index 11ae0e41f518a..284a1f0bfdb54 100644 ---- a/drivers/net/ethernet/intel/ice/ice_lib.c -+++ b/drivers/net/ethernet/intel/ice/ice_lib.c -@@ -3272,39 +3272,12 @@ int ice_vsi_release(struct ice_vsi *vsi) - return -ENODEV; - pf = vsi->back; - -- /* do not unregister while driver is in the reset recovery pending -- * state. Since reset/rebuild happens through PF service task workqueue, -- * it's not a good idea to unregister netdev that is associated to the -- * PF that is running the work queue items currently. This is done to -- * avoid check_flush_dependency() warning on this wq -- */ -- if (vsi->netdev && !ice_is_reset_in_progress(pf->state) && -- (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state))) { -- unregister_netdev(vsi->netdev); -- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); -- } -- -- if (vsi->type == ICE_VSI_PF) -- ice_devlink_destroy_pf_port(pf); -- - if (test_bit(ICE_FLAG_RSS_ENA, pf->flags)) - ice_rss_clean(vsi); - - ice_vsi_close(vsi); - ice_vsi_decfg(vsi); - -- if (vsi->netdev) { -- if (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state)) { -- unregister_netdev(vsi->netdev); -- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); -- } -- if (test_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state)) { -- free_netdev(vsi->netdev); -- vsi->netdev = NULL; -- clear_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state); -- } -- } -- - /* retain SW VSI data structure since it is needed to unregister and - * free VSI netdev when PF is not in reset recovery pending state,\ - * for ex: during rmmod. --- -2.39.2 - diff --git a/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch deleted file mode 100644 index a8077232de8..00000000000 --- a/queue-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 47bae22598c4635fb1b9ce70516f7a13ffb75aa3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 10:47:32 -0700 -Subject: igb: Fix igb_down hung on surprise removal - -From: Ying Hsu - -[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] - -In a setup where a Thunderbolt hub connects to Ethernet and a display -through USB Type-C, users may experience a hung task timeout when they -remove the cable between the PC and the Thunderbolt hub. -This is because the igb_down function is called multiple times when -the Thunderbolt hub is unplugged. For example, the igb_io_error_detected -triggers the first call, and the igb_remove triggers the second call. -The second call to igb_down will block at napi_synchronize. -Here's the call trace: - __schedule+0x3b0/0xddb - ? __mod_timer+0x164/0x5d3 - schedule+0x44/0xa8 - schedule_timeout+0xb2/0x2a4 - ? run_local_timers+0x4e/0x4e - msleep+0x31/0x38 - igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] - __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] - igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] - __dev_close_many+0x95/0xec - dev_close_many+0x6e/0x103 - unregister_netdevice_many+0x105/0x5b1 - unregister_netdevice_queue+0xc2/0x10d - unregister_netdev+0x1c/0x23 - igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] - pci_device_remove+0x3f/0x9c - device_release_driver_internal+0xfe/0x1b4 - pci_stop_bus_device+0x5b/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_and_remove_bus_device+0x12/0x19 - pciehp_unconfigure_device+0x76/0xe9 - pciehp_disable_slot+0x6e/0x131 - pciehp_handle_presence_or_link_change+0x7a/0x3f7 - pciehp_ist+0xbe/0x194 - irq_thread_fn+0x22/0x4d - ? irq_thread+0x1fd/0x1fd - irq_thread+0x17b/0x1fd - ? irq_forced_thread_fn+0x5f/0x5f - kthread+0x142/0x153 - ? __irq_get_irqchip_state+0x46/0x46 - ? kthread_associate_blkcg+0x71/0x71 - ret_from_fork+0x1f/0x30 - -In this case, igb_io_error_detected detaches the network interface -and requests a PCIE slot reset, however, the PCIE reset callback is -not being invoked and thus the Ethernet connection breaks down. -As the PCIE error in this case is a non-fatal one, requesting a -slot reset can be avoided. -This patch fixes the task hung issue and preserves Ethernet -connection by ignoring non-fatal PCIE errors. - -Signed-off-by: Ying Hsu -Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) -Signed-off-by: Tony Nguyen -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c -index bb3db387d49cf..ba5e1d1320f67 100644 ---- a/drivers/net/ethernet/intel/igb/igb_main.c -+++ b/drivers/net/ethernet/intel/igb/igb_main.c -@@ -9585,6 +9585,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, - struct net_device *netdev = pci_get_drvdata(pdev); - struct igb_adapter *adapter = netdev_priv(netdev); - -+ if (state == pci_channel_io_normal) { -+ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); -+ return PCI_ERS_RESULT_CAN_RECOVER; -+ } -+ - netif_device_detach(netdev); - - if (state == pci_channel_io_perm_failure) --- -2.39.2 - diff --git a/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch b/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch deleted file mode 100644 index f5fb3bd8114..00000000000 --- a/queue-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch +++ /dev/null @@ -1,61 +0,0 @@ -From df3cfe2aab8fbc415d4ae2485e94aa3caa55fbed Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Apr 2023 09:36:11 +0200 -Subject: igc: Avoid transmit queue timeout for XDP - -From: Kurt Kanzenbach - -[ Upstream commit 95b681485563c64585de78662ee52d06b7fa47d9 ] - -High XDP load triggers the netdev watchdog: - -|NETDEV WATCHDOG: enp3s0 (igc): transmit queue 2 timed out - -The reason is the Tx queue transmission start (txq->trans_start) is not updated -in XDP code path. Therefore, add it for all XDP transmission functions. - -Signed-off-by: Kurt Kanzenbach -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Stable-dep-of: 78adb4bcf99e ("igc: Prevent garbled TX queue with XDP ZEROCOPY") -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index 44aa4342cbbb5..ef4ea46442f21 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -2417,6 +2417,8 @@ static int igc_xdp_xmit_back(struct igc_adapter *adapter, struct xdp_buff *xdp) - nq = txring_txq(ring); - - __netif_tx_lock(nq, cpu); -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); - res = igc_xdp_init_tx_descriptor(ring, xdpf); - __netif_tx_unlock(nq); - return res; -@@ -2833,6 +2835,9 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - - __netif_tx_lock(nq, cpu); - -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); -+ - budget = igc_desc_unused(ring); - - while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { -@@ -6385,6 +6390,9 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames, - - __netif_tx_lock(nq, cpu); - -+ /* Avoid transmit queue timeout since we share it with the slow path */ -+ txq_trans_cond_update(nq); -+ - drops = 0; - for (i = 0; i < num_frames; i++) { - int err; --- -2.39.2 - diff --git a/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch deleted file mode 100644 index a98a1d90121..00000000000 --- a/queue-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch +++ /dev/null @@ -1,79 +0,0 @@ -From ac30745bc06e7ef6e04ae5bc4b2135ca5fcc4df2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 10:54:44 -0700 -Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY - -From: Florian Kauer - -[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ] - -In normal operation, each populated queue item has -next_to_watch pointing to the last TX desc of the packet, -while each cleaned item has it set to 0. In particular, -next_to_use that points to the next (necessarily clean) -item to use has next_to_watch set to 0. - -When the TX queue is used both by an application using -AF_XDP with ZEROCOPY as well as a second non-XDP application -generating high traffic, the queue pointers can get in -an invalid state where next_to_use points to an item -where next_to_watch is NOT set to 0. - -However, the implementation assumes at several places -that this is never the case, so if it does hold, -bad things happen. In particular, within the loop inside -of igc_clean_tx_irq(), next_to_clean can overtake next_to_use. -Finally, this prevents any further transmission via -this queue and it never gets unblocked or signaled. -Secondly, if the queue is in this garbled state, -the inner loop of igc_clean_tx_ring() will never terminate, -completely hogging a CPU core. - -The reason is that igc_xdp_xmit_zc() reads next_to_use -before acquiring the lock, and writing it back -(potentially unmodified) later. If it got modified -before locking, the outdated next_to_use is written -pointing to an item that was already used elsewhere -(and thus next_to_watch got written). - -Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy") -Signed-off-by: Florian Kauer -Reviewed-by: Kurt Kanzenbach -Tested-by: Kurt Kanzenbach -Acked-by: Vinicius Costa Gomes -Reviewed-by: Simon Horman -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index ef4ea46442f21..496a4eb687b00 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -2826,9 +2826,8 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - struct netdev_queue *nq = txring_txq(ring); - union igc_adv_tx_desc *tx_desc = NULL; - int cpu = smp_processor_id(); -- u16 ntu = ring->next_to_use; - struct xdp_desc xdp_desc; -- u16 budget; -+ u16 budget, ntu; - - if (!netif_carrier_ok(ring->netdev)) - return; -@@ -2838,6 +2837,7 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) - /* Avoid transmit queue timeout since we share it with the slow path */ - txq_trans_cond_update(nq); - -+ ntu = ring->next_to_use; - budget = igc_desc_unused(ring); - - while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { --- -2.39.2 - diff --git a/queue-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch b/queue-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch deleted file mode 100644 index 3fa307b3781..00000000000 --- a/queue-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 32832a407a7178eec3215fad9b1a3298c14b0d69 Mon Sep 17 00:00:00 2001 -From: Helge Deller -Date: Fri, 21 Jul 2023 17:24:31 +0200 -Subject: io_uring: Fix io_uring mmap() by using architecture-provided get_unmapped_area() - -From: Helge Deller - -commit 32832a407a7178eec3215fad9b1a3298c14b0d69 upstream. - -The io_uring testcase is broken on IA-64 since commit d808459b2e31 -("io_uring: Adjust mapping wrt architecture aliasing requirements"). - -The reason is, that this commit introduced an own architecture -independend get_unmapped_area() search algorithm which finds on IA-64 a -memory region which is outside of the regular memory region used for -shared userspace mappings and which can't be used on that platform -due to aliasing. - -To avoid similar problems on IA-64 and other platforms in the future, -it's better to switch back to the architecture-provided -get_unmapped_area() function and adjust the needed input parameters -before the call. Beside fixing the issue, the function now becomes -easier to understand and maintain. - -This patch has been successfully tested with the io_uring testcase on -physical x86-64, ppc64le, IA-64 and PA-RISC machines. On PA-RISC the LTP -mmmap testcases did not report any regressions. - -Cc: stable@vger.kernel.org # 6.4 -Signed-off-by: Helge Deller -Reported-by: matoro -Fixes: d808459b2e31 ("io_uring: Adjust mapping wrt architecture aliasing requirements") -Link: https://lore.kernel.org/r/20230721152432.196382-2-deller@gmx.de -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - arch/parisc/kernel/sys_parisc.c | 15 +++++++++----- - io_uring/io_uring.c | 42 ++++++++++++++++------------------------ - 2 files changed, 27 insertions(+), 30 deletions(-) - ---- a/arch/parisc/kernel/sys_parisc.c -+++ b/arch/parisc/kernel/sys_parisc.c -@@ -26,12 +26,17 @@ - #include - - /* -- * Construct an artificial page offset for the mapping based on the physical -+ * Construct an artificial page offset for the mapping based on the virtual - * address of the kernel file mapping variable. -+ * If filp is zero the calculated pgoff value aliases the memory of the given -+ * address. This is useful for io_uring where the mapping shall alias a kernel -+ * address and a userspace adress where both the kernel and the userspace -+ * access the same memory region. - */ --#define GET_FILP_PGOFF(filp) \ -- (filp ? (((unsigned long) filp->f_mapping) >> 8) \ -- & ((SHM_COLOUR-1) >> PAGE_SHIFT) : 0UL) -+#define GET_FILP_PGOFF(filp, addr) \ -+ ((filp ? (((unsigned long) filp->f_mapping) >> 8) \ -+ & ((SHM_COLOUR-1) >> PAGE_SHIFT) : 0UL) \ -+ + (addr >> PAGE_SHIFT)) - - static unsigned long shared_align_offset(unsigned long filp_pgoff, - unsigned long pgoff) -@@ -111,7 +116,7 @@ static unsigned long arch_get_unmapped_a - do_color_align = 0; - if (filp || (flags & MAP_SHARED)) - do_color_align = 1; -- filp_pgoff = GET_FILP_PGOFF(filp); -+ filp_pgoff = GET_FILP_PGOFF(filp, addr); - - if (flags & MAP_FIXED) { - /* Even MAP_FIXED mappings must reside within TASK_SIZE */ ---- a/io_uring/io_uring.c -+++ b/io_uring/io_uring.c -@@ -3433,8 +3433,6 @@ static unsigned long io_uring_mmu_get_un - unsigned long addr, unsigned long len, - unsigned long pgoff, unsigned long flags) - { -- const unsigned long mmap_end = arch_get_mmap_end(addr, len, flags); -- struct vm_unmapped_area_info info; - void *ptr; - - /* -@@ -3449,32 +3447,26 @@ static unsigned long io_uring_mmu_get_un - if (IS_ERR(ptr)) - return -ENOMEM; - -- info.flags = VM_UNMAPPED_AREA_TOPDOWN; -- info.length = len; -- info.low_limit = max(PAGE_SIZE, mmap_min_addr); -- info.high_limit = arch_get_mmap_base(addr, current->mm->mmap_base); -+ /* -+ * Some architectures have strong cache aliasing requirements. -+ * For such architectures we need a coherent mapping which aliases -+ * kernel memory *and* userspace memory. To achieve that: -+ * - use a NULL file pointer to reference physical memory, and -+ * - use the kernel virtual address of the shared io_uring context -+ * (instead of the userspace-provided address, which has to be 0UL -+ * anyway). -+ * For architectures without such aliasing requirements, the -+ * architecture will return any suitable mapping because addr is 0. -+ */ -+ filp = NULL; -+ flags |= MAP_SHARED; -+ pgoff = 0; /* has been translated to ptr above */ - #ifdef SHM_COLOUR -- info.align_mask = PAGE_MASK & (SHM_COLOUR - 1UL); -+ addr = (uintptr_t) ptr; - #else -- info.align_mask = PAGE_MASK & (SHMLBA - 1UL); -+ addr = 0UL; - #endif -- info.align_offset = (unsigned long) ptr; -- -- /* -- * A failed mmap() very likely causes application failure, -- * so fall back to the bottom-up function here. This scenario -- * can happen with large stack limits and large mmap() -- * allocations. -- */ -- addr = vm_unmapped_area(&info); -- if (offset_in_page(addr)) { -- info.flags = 0; -- info.low_limit = TASK_UNMAPPED_BASE; -- info.high_limit = mmap_end; -- addr = vm_unmapped_area(&info); -- } -- -- return addr; -+ return current->mm->get_unmapped_area(filp, addr, len, pgoff, flags); - } - - #else /* !CONFIG_MMU */ diff --git a/queue-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch b/queue-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch deleted file mode 100644 index 7b407db4bc2..00000000000 --- a/queue-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a9be202269580ca611c6cebac90eaf1795497800 Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Thu, 20 Jul 2023 13:16:53 -0600 -Subject: io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq - -From: Jens Axboe - -commit a9be202269580ca611c6cebac90eaf1795497800 upstream. - -io-wq assumes that an issue is blocking, but it may not be if the -request type has asked for a non-blocking attempt. If we get --EAGAIN for that case, then we need to treat it as a final result -and not retry or arm poll for it. - -Cc: stable@vger.kernel.org # 5.10+ -Link: https://github.com/axboe/liburing/issues/897 -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - io_uring/io_uring.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/io_uring/io_uring.c -+++ b/io_uring/io_uring.c -@@ -2032,6 +2032,14 @@ fail: - ret = io_issue_sqe(req, issue_flags); - if (ret != -EAGAIN) - break; -+ -+ /* -+ * If REQ_F_NOWAIT is set, then don't wait or retry with -+ * poll. -EAGAIN is final for that case. -+ */ -+ if (req->flags & REQ_F_NOWAIT) -+ break; -+ - /* - * We can get EAGAIN for iopolled IO even though we're - * forcing a sync submission from here, since we can't diff --git a/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch b/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch deleted file mode 100644 index 15849e6c1ef..00000000000 --- a/queue-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d7bf48d29d77eb138f5bacd1a9c2891e60d7a754 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Apr 2023 11:55:31 +0300 -Subject: iommu/sva: Fix signedness bug in iommu_sva_alloc_pasid() - -From: Dan Carpenter - -[ Upstream commit c20ecf7bb6153149b81a9277eda23398957656f2 ] - -The ida_alloc_range() function returns negative error codes on error. -On success it returns values in the min to max range (inclusive). It -never returns more then INT_MAX even if "max" is higher. It never -returns values in the 0 to (min - 1) range. - -The bug is that "min" is an unsigned int so negative error codes will -be promoted to high positive values errors treated as success. - -Fixes: 1a14bf0fc7ed ("iommu/sva: Use GFP_KERNEL for pasid allocation") -Signed-off-by: Dan Carpenter -Reviewed-by: Lu Baolu -Link: https://lore.kernel.org/r/6b32095d-7491-4ebb-a850-12e96209eaaf@kili.mountain -Signed-off-by: Joerg Roedel -Signed-off-by: Sasha Levin ---- - drivers/iommu/iommu-sva.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c -index 3ebd4b6586b3e..05c0fb2acbc44 100644 ---- a/drivers/iommu/iommu-sva.c -+++ b/drivers/iommu/iommu-sva.c -@@ -34,8 +34,9 @@ static int iommu_sva_alloc_pasid(struct mm_struct *mm, ioasid_t min, ioasid_t ma - } - - ret = ida_alloc_range(&iommu_global_pasid_ida, min, max, GFP_KERNEL); -- if (ret < min) -+ if (ret < 0) - goto out; -+ - mm->pasid = ret; - ret = 0; - out: --- -2.39.2 - diff --git a/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch b/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch deleted file mode 100644 index 2d1d445c81b..00000000000 --- a/queue-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 695a430cb85dc054be8ebfe3f013f48def52def1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 16 Jun 2023 14:43:55 +0200 -Subject: iov_iter: Mark copy_iovec_from_user() noclone - -From: Peter Zijlstra - -[ Upstream commit 719a937b7003933de1298ffa4b881dd6a234e244 ] - -Extend commit 50f9a76ef127 ("iov_iter: Mark -copy_compat_iovec_from_user() noinline") to also cover -copy_iovec_from_user(). Different compiler versions cause the same -problem on different functions. - -lib/iov_iter.o: warning: objtool: .altinstr_replacement+0x1f: redundant UACCESS disable -lib/iov_iter.o: warning: objtool: iovec_from_user+0x84: call to copy_iovec_from_user.part.0() with UACCESS enabled -lib/iov_iter.o: warning: objtool: __import_iovec+0x143: call to copy_iovec_from_user.part.0() with UACCESS enabled - -Fixes: 50f9a76ef127 ("iov_iter: Mark copy_compat_iovec_from_user() noinline") -Signed-off-by: Peter Zijlstra (Intel) -Tested-by: Borislav Petkov (AMD) -Link: https://lkml.kernel.org/r/20230616124354.GD4253@hirez.programming.kicks-ass.net -Signed-off-by: Sasha Levin ---- - lib/iov_iter.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/iov_iter.c b/lib/iov_iter.c -index 960223ed91991..061cc3ed58f5b 100644 ---- a/lib/iov_iter.c -+++ b/lib/iov_iter.c -@@ -1795,7 +1795,7 @@ static __noclone int copy_compat_iovec_from_user(struct iovec *iov, - return ret; - } - --static int copy_iovec_from_user(struct iovec *iov, -+static __noclone int copy_iovec_from_user(struct iovec *iov, - const struct iovec __user *uiov, unsigned long nr_segs) - { - int ret = -EFAULT; --- -2.39.2 - diff --git a/queue-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch b/queue-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch deleted file mode 100644 index 2cd2baafb78..00000000000 --- a/queue-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch +++ /dev/null @@ -1,191 +0,0 @@ -From c2d6fd9d6f35079f1669f0100f05b46708c74b7f Mon Sep 17 00:00:00 2001 -From: Zhang Yi -Date: Tue, 6 Jun 2023 21:59:23 +0800 -Subject: jbd2: recheck chechpointing non-dirty buffer - -From: Zhang Yi - -commit c2d6fd9d6f35079f1669f0100f05b46708c74b7f upstream. - -There is a long-standing metadata corruption issue that happens from -time to time, but it's very difficult to reproduce and analyse, benefit -from the JBD2_CYCLE_RECORD option, we found out that the problem is the -checkpointing process miss to write out some buffers which are raced by -another do_get_write_access(). Looks below for detail. - -jbd2_log_do_checkpoint() //transaction X - //buffer A is dirty and not belones to any transaction - __buffer_relink_io() //move it to the IO list - __flush_batch() - write_dirty_buffer() - do_get_write_access() - clear_buffer_dirty - __jbd2_journal_file_buffer() - //add buffer A to a new transaction Y - lock_buffer(bh) - //doesn't write out - __jbd2_journal_remove_checkpoint() - //finish checkpoint except buffer A - //filesystem corrupt if the new transaction Y isn't fully write out. - -Due to the t_checkpoint_list walking loop in jbd2_log_do_checkpoint() -have already handles waiting for buffers under IO and re-added new -transaction to complete commit, and it also removing cleaned buffers, -this makes sure the list will eventually get empty. So it's fine to -leave buffers on the t_checkpoint_list while flushing out and completely -stop using the t_checkpoint_io_list. - -Cc: stable@vger.kernel.org -Suggested-by: Jan Kara -Signed-off-by: Zhang Yi -Tested-by: Zhihao Cheng -Reviewed-by: Jan Kara -Link: https://lore.kernel.org/r/20230606135928.434610-2-yi.zhang@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/jbd2/checkpoint.c | 102 ++++++++++++++------------------------------------- - 1 file changed, 29 insertions(+), 73 deletions(-) - ---- a/fs/jbd2/checkpoint.c -+++ b/fs/jbd2/checkpoint.c -@@ -58,28 +58,6 @@ static inline void __buffer_unlink(struc - } - - /* -- * Move a buffer from the checkpoint list to the checkpoint io list -- * -- * Called with j_list_lock held -- */ --static inline void __buffer_relink_io(struct journal_head *jh) --{ -- transaction_t *transaction = jh->b_cp_transaction; -- -- __buffer_unlink_first(jh); -- -- if (!transaction->t_checkpoint_io_list) { -- jh->b_cpnext = jh->b_cpprev = jh; -- } else { -- jh->b_cpnext = transaction->t_checkpoint_io_list; -- jh->b_cpprev = transaction->t_checkpoint_io_list->b_cpprev; -- jh->b_cpprev->b_cpnext = jh; -- jh->b_cpnext->b_cpprev = jh; -- } -- transaction->t_checkpoint_io_list = jh; --} -- --/* - * Check a checkpoint buffer could be release or not. - * - * Requires j_list_lock -@@ -183,6 +161,7 @@ __flush_batch(journal_t *journal, int *b - struct buffer_head *bh = journal->j_chkpt_bhs[i]; - BUFFER_TRACE(bh, "brelse"); - __brelse(bh); -+ journal->j_chkpt_bhs[i] = NULL; - } - *batch_count = 0; - } -@@ -242,6 +221,11 @@ restart: - jh = transaction->t_checkpoint_list; - bh = jh2bh(jh); - -+ /* -+ * The buffer may be writing back, or flushing out in the -+ * last couple of cycles, or re-adding into a new transaction, -+ * need to check it again until it's unlocked. -+ */ - if (buffer_locked(bh)) { - get_bh(bh); - spin_unlock(&journal->j_list_lock); -@@ -287,28 +271,32 @@ restart: - } - if (!buffer_dirty(bh)) { - BUFFER_TRACE(bh, "remove from checkpoint"); -- if (__jbd2_journal_remove_checkpoint(jh)) -- /* The transaction was released; we're done */ -+ /* -+ * If the transaction was released or the checkpoint -+ * list was empty, we're done. -+ */ -+ if (__jbd2_journal_remove_checkpoint(jh) || -+ !transaction->t_checkpoint_list) - goto out; -- continue; -+ } else { -+ /* -+ * We are about to write the buffer, it could be -+ * raced by some other transaction shrink or buffer -+ * re-log logic once we release the j_list_lock, -+ * leave it on the checkpoint list and check status -+ * again to make sure it's clean. -+ */ -+ BUFFER_TRACE(bh, "queue"); -+ get_bh(bh); -+ J_ASSERT_BH(bh, !buffer_jwrite(bh)); -+ journal->j_chkpt_bhs[batch_count++] = bh; -+ transaction->t_chp_stats.cs_written++; -+ transaction->t_checkpoint_list = jh->b_cpnext; - } -- /* -- * Important: we are about to write the buffer, and -- * possibly block, while still holding the journal -- * lock. We cannot afford to let the transaction -- * logic start messing around with this buffer before -- * we write it to disk, as that would break -- * recoverability. -- */ -- BUFFER_TRACE(bh, "queue"); -- get_bh(bh); -- J_ASSERT_BH(bh, !buffer_jwrite(bh)); -- journal->j_chkpt_bhs[batch_count++] = bh; -- __buffer_relink_io(jh); -- transaction->t_chp_stats.cs_written++; -+ - if ((batch_count == JBD2_NR_BATCH) || -- need_resched() || -- spin_needbreak(&journal->j_list_lock)) -+ need_resched() || spin_needbreak(&journal->j_list_lock) || -+ jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]) - goto unlock_and_flush; - } - -@@ -322,38 +310,6 @@ restart: - goto restart; - } - -- /* -- * Now we issued all of the transaction's buffers, let's deal -- * with the buffers that are out for I/O. -- */ --restart2: -- /* Did somebody clean up the transaction in the meanwhile? */ -- if (journal->j_checkpoint_transactions != transaction || -- transaction->t_tid != this_tid) -- goto out; -- -- while (transaction->t_checkpoint_io_list) { -- jh = transaction->t_checkpoint_io_list; -- bh = jh2bh(jh); -- if (buffer_locked(bh)) { -- get_bh(bh); -- spin_unlock(&journal->j_list_lock); -- wait_on_buffer(bh); -- /* the journal_head may have gone by now */ -- BUFFER_TRACE(bh, "brelse"); -- __brelse(bh); -- spin_lock(&journal->j_list_lock); -- goto restart2; -- } -- -- /* -- * Now in whatever state the buffer currently is, we -- * know that it has been written out and so we can -- * drop it from the list -- */ -- if (__jbd2_journal_remove_checkpoint(jh)) -- break; -- } - out: - spin_unlock(&journal->j_list_lock); - result = jbd2_cleanup_journal_tail(journal); diff --git a/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch b/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch deleted file mode 100644 index 2888b9c887c..00000000000 --- a/queue-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch +++ /dev/null @@ -1,104 +0,0 @@ -From e566bf07b787c98df80e25d78ed32b1cf422af9a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 11:19:26 -0700 -Subject: kallsyms: strip LTO-only suffixes from promoted global functions - -From: Yonghong Song - -[ Upstream commit 8cc32a9bbf2934d90762d9de0187adcb5ad46a11 ] - -Commit 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") -stripped all function/variable suffixes started with '.' regardless -of whether those suffixes are generated at LTO mode or not. In fact, -as far as I know, in LTO mode, when a static function/variable is -promoted to the global scope, '.llvm.<...>' suffix is added. - -The existing mechanism breaks live patch for a LTO kernel even if -no .llvm.<...> symbols are involved. For example, for the following -kernel symbols: - $ grep bpf_verifier_vlog /proc/kallsyms - ffffffff81549f60 t bpf_verifier_vlog - ffffffff8268b430 d bpf_verifier_vlog._entry - ffffffff8282a958 d bpf_verifier_vlog._entry_ptr - ffffffff82e12a1f d bpf_verifier_vlog.__already_done -'bpf_verifier_vlog' is a static function. '_entry', '_entry_ptr' and -'__already_done' are static variables used inside 'bpf_verifier_vlog', -so llvm promotes them to file-level static with prefix 'bpf_verifier_vlog.'. -Note that the func-level to file-level static function promotion also -happens without LTO. - -Given a symbol name 'bpf_verifier_vlog', with LTO kernel, current mechanism will -return 4 symbols to live patch subsystem which current live patching -subsystem cannot handle it. With non-LTO kernel, only one symbol -is returned. - -In [1], we have a lengthy discussion, the suggestion is to separate two -cases: - (1). new symbols with suffix which are generated regardless of whether - LTO is enabled or not, and - (2). new symbols with suffix generated only when LTO is enabled. - -The cleanup_symbol_name() should only remove suffixes for case (2). -Case (1) should not be changed so it can work uniformly with or without LTO. - -This patch removed LTO-only suffix '.llvm.<...>' so live patching and -tracing should work the same way for non-LTO kernel. -The cleanup_symbol_name() in scripts/kallsyms.c is also changed to have the same -filtering pattern so both kernel and kallsyms tool have the same -expectation on the order of symbols. - - [1] https://lore.kernel.org/live-patching/20230615170048.2382735-1-song@kernel.org/T/#u - -Fixes: 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") -Reported-by: Song Liu -Signed-off-by: Yonghong Song -Reviewed-by: Zhen Lei -Reviewed-by: Nick Desaulniers -Acked-by: Song Liu -Link: https://lore.kernel.org/r/20230628181926.4102448-1-yhs@fb.com -Signed-off-by: Kees Cook -Signed-off-by: Sasha Levin ---- - kernel/kallsyms.c | 5 ++--- - scripts/kallsyms.c | 6 +++--- - 2 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c -index 77747391f49b6..4874508bb950e 100644 ---- a/kernel/kallsyms.c -+++ b/kernel/kallsyms.c -@@ -174,11 +174,10 @@ static bool cleanup_symbol_name(char *s) - * LLVM appends various suffixes for local functions and variables that - * must be promoted to global scope as part of LTO. This can break - * hooking of static functions with kprobes. '.' is not a valid -- * character in an identifier in C. Suffixes observed: -+ * character in an identifier in C. Suffixes only in LLVM LTO observed: - * - foo.llvm.[0-9a-f]+ -- * - foo.[0-9a-f]+ - */ -- res = strchr(s, '.'); -+ res = strstr(s, ".llvm."); - if (res) { - *res = '\0'; - return true; -diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c -index 0d2db41177b23..13af6d0ff845d 100644 ---- a/scripts/kallsyms.c -+++ b/scripts/kallsyms.c -@@ -346,10 +346,10 @@ static void cleanup_symbol_name(char *s) - * ASCII[_] = 5f - * ASCII[a-z] = 61,7a - * -- * As above, replacing '.' with '\0' does not affect the main sorting, -- * but it helps us with subsorting. -+ * As above, replacing the first '.' in ".llvm." with '\0' does not -+ * affect the main sorting, but it helps us with subsorting. - */ -- p = strchr(s, '.'); -+ p = strstr(s, ".llvm."); - if (p) - *p = '\0'; - } --- -2.39.2 - diff --git a/queue-6.4/kbuild-rust-avoid-creating-temporary-files.patch b/queue-6.4/kbuild-rust-avoid-creating-temporary-files.patch deleted file mode 100644 index 8780702118a..00000000000 --- a/queue-6.4/kbuild-rust-avoid-creating-temporary-files.patch +++ /dev/null @@ -1,74 +0,0 @@ -From df01b7cfcef08bf3fdcac2909d0e1910781d6bfd Mon Sep 17 00:00:00 2001 -From: Miguel Ojeda -Date: Sun, 23 Jul 2023 16:21:28 +0200 -Subject: kbuild: rust: avoid creating temporary files - -From: Miguel Ojeda - -commit df01b7cfcef08bf3fdcac2909d0e1910781d6bfd upstream. - -`rustc` outputs by default the temporary files (i.e. the ones saved -by `-Csave-temps`, such as `*.rcgu*` files) in the current working -directory when `-o` and `--out-dir` are not given (even if -`--emit=x=path` is given, i.e. it does not use those for temporaries). - -Since out-of-tree modules are compiled from the `linux` tree, -`rustc` then tries to create them there, which may not be accessible. - -Thus pass `--out-dir` explicitly, even if it is just for the temporary -files. - -Similarly, do so for Rust host programs too. - -Reported-by: Raphael Nestler -Closes: https://github.com/Rust-for-Linux/linux/issues/1015 -Reported-by: Andrea Righi -Tested-by: Raphael Nestler # non-hostprogs -Tested-by: Andrea Righi # non-hostprogs -Fixes: 295d8398c67e ("kbuild: specify output names separately for each emission type from rustc") -Cc: stable@vger.kernel.org -Signed-off-by: Miguel Ojeda -Tested-by: Martin Rodriguez Reboredo -Signed-off-by: Masahiro Yamada -Signed-off-by: Greg Kroah-Hartman ---- - scripts/Makefile.build | 5 ++++- - scripts/Makefile.host | 6 +++++- - 2 files changed, 9 insertions(+), 2 deletions(-) - ---- a/scripts/Makefile.build -+++ b/scripts/Makefile.build -@@ -279,6 +279,9 @@ $(obj)/%.lst: $(src)/%.c FORCE - - rust_allowed_features := core_ffi_c,explicit_generic_args_with_impl_trait,new_uninit,pin_macro - -+# `--out-dir` is required to avoid temporaries being created by `rustc` in the -+# current working directory, which may be not accessible in the out-of-tree -+# modules case. - rust_common_cmd = \ - RUST_MODFILE=$(modfile) $(RUSTC_OR_CLIPPY) $(rust_flags) \ - -Zallow-features=$(rust_allowed_features) \ -@@ -287,7 +290,7 @@ rust_common_cmd = \ - --extern alloc --extern kernel \ - --crate-type rlib -L $(objtree)/rust/ \ - --crate-name $(basename $(notdir $@)) \ -- --emit=dep-info=$(depfile) -+ --out-dir $(dir $@) --emit=dep-info=$(depfile) - - # `--emit=obj`, `--emit=asm` and `--emit=llvm-ir` imply a single codegen unit - # will be used. We explicitly request `-Ccodegen-units=1` in any case, and ---- a/scripts/Makefile.host -+++ b/scripts/Makefile.host -@@ -86,7 +86,11 @@ hostc_flags = -Wp,-MMD,$(depfile) \ - hostcxx_flags = -Wp,-MMD,$(depfile) \ - $(KBUILD_HOSTCXXFLAGS) $(HOST_EXTRACXXFLAGS) \ - $(HOSTCXXFLAGS_$(target-stem).o) --hostrust_flags = --emit=dep-info=$(depfile) \ -+ -+# `--out-dir` is required to avoid temporaries being created by `rustc` in the -+# current working directory, which may be not accessible in the out-of-tree -+# modules case. -+hostrust_flags = --out-dir $(dir $@) --emit=dep-info=$(depfile) \ - $(KBUILD_HOSTRUSTFLAGS) $(HOST_EXTRARUSTFLAGS) \ - $(HOSTRUSTFLAGS_$(target-stem)) - diff --git a/queue-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/queue-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch deleted file mode 100644 index 75ed3459f73..00000000000 --- a/queue-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch +++ /dev/null @@ -1,177 +0,0 @@ -From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 -From: Petr Pavlu -Date: Thu, 23 Mar 2023 14:04:12 +0100 -Subject: keys: Fix linking a duplicate key to a keyring's assoc_array - -From: Petr Pavlu - -commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. - -When making a DNS query inside the kernel using dns_query(), the request -code can in rare cases end up creating a duplicate index key in the -assoc_array of the destination keyring. It is eventually found by -a BUG_ON() check in the assoc_array implementation and results in -a crash. - -Example report: -[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! -[2158499.700039] invalid opcode: 0000 [#1] SMP PTI -[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 -[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 -[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] -[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 -[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f -[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 -[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 -[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 -[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 -[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 -[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 -[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 -[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 -[2158499.700702] Call Trace: -[2158499.700741] ? key_alloc+0x447/0x4b0 -[2158499.700768] ? __key_link_begin+0x43/0xa0 -[2158499.700790] __key_link_begin+0x43/0xa0 -[2158499.700814] request_key_and_link+0x2c7/0x730 -[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] -[2158499.700873] ? key_default_cmp+0x20/0x20 -[2158499.700898] request_key_tag+0x43/0xa0 -[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] -[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] -[2158499.701164] ? scnprintf+0x49/0x90 -[2158499.701190] ? __switch_to_asm+0x40/0x70 -[2158499.701211] ? __switch_to_asm+0x34/0x70 -[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] -[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] -[2158499.701632] process_one_work+0x1f8/0x3e0 -[2158499.701658] worker_thread+0x2d/0x3f0 -[2158499.701682] ? process_one_work+0x3e0/0x3e0 -[2158499.701703] kthread+0x10d/0x130 -[2158499.701723] ? kthread_park+0xb0/0xb0 -[2158499.701746] ret_from_fork+0x1f/0x40 - -The situation occurs as follows: -* Some kernel facility invokes dns_query() to resolve a hostname, for - example, "abcdef". The function registers its global DNS resolver - cache as current->cred.thread_keyring and passes the query to - request_key_net() -> request_key_tag() -> request_key_and_link(). -* Function request_key_and_link() creates a keyring_search_context - object. Its match_data.cmp method gets set via a call to - type->match_preparse() (resolves to dns_resolver_match_preparse()) to - dns_resolver_cmp(). -* Function request_key_and_link() continues and invokes - search_process_keyrings_rcu() which returns that a given key was not - found. The control is then passed to request_key_and_link() -> - construct_alloc_key(). -* Concurrently to that, a second task similarly makes a DNS query for - "abcdef." and its result gets inserted into the DNS resolver cache. -* Back on the first task, function construct_alloc_key() first runs - __key_link_begin() to determine an assoc_array_edit operation to - insert a new key. Index keys in the array are compared exactly as-is, - using keyring_compare_object(). The operation finds that "abcdef" is - not yet present in the destination keyring. -* Function construct_alloc_key() continues and checks if a given key is - already present on some keyring by again calling - search_process_keyrings_rcu(). This search is done using - dns_resolver_cmp() and "abcdef" gets matched with now present key - "abcdef.". -* The found key is linked on the destination keyring by calling - __key_link() and using the previously calculated assoc_array_edit - operation. This inserts the "abcdef." key in the array but creates - a duplicity because the same index key is already present. - -Fix the problem by postponing __key_link_begin() in -construct_alloc_key() until an actual key which should be linked into -the destination keyring is determined. - -[jarkko@kernel.org: added a fixes tag and cc to stable] -Cc: stable@vger.kernel.org # v5.3+ -Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") -Signed-off-by: Petr Pavlu -Reviewed-by: Joey Lee -Reviewed-by: Jarkko Sakkinen -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Greg Kroah-Hartman ---- - security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- - 1 file changed, 24 insertions(+), 11 deletions(-) - ---- a/security/keys/request_key.c -+++ b/security/keys/request_key.c -@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke - set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); - - if (dest_keyring) { -- ret = __key_link_lock(dest_keyring, &ctx->index_key); -+ ret = __key_link_lock(dest_keyring, &key->index_key); - if (ret < 0) - goto link_lock_failed; -- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); -- if (ret < 0) -- goto link_prealloc_failed; - } - -- /* attach the key to the destination keyring under lock, but we do need -+ /* -+ * Attach the key to the destination keyring under lock, but we do need - * to do another check just in case someone beat us to it whilst we -- * waited for locks */ -+ * waited for locks. -+ * -+ * The caller might specify a comparison function which looks for keys -+ * that do not exactly match but are still equivalent from the caller's -+ * perspective. The __key_link_begin() operation must be done only after -+ * an actual key is determined. -+ */ - mutex_lock(&key_construction_mutex); - - rcu_read_lock(); -@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke - if (!IS_ERR(key_ref)) - goto key_already_present; - -- if (dest_keyring) -+ if (dest_keyring) { -+ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); -+ if (ret < 0) -+ goto link_alloc_failed; - __key_link(dest_keyring, key, &edit); -+ } - - mutex_unlock(&key_construction_mutex); - if (dest_keyring) -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+ __key_link_end(dest_keyring, &key->index_key, edit); - mutex_unlock(&user->cons_lock); - *_key = key; - kleave(" = 0 [%d]", key_serial(key)); -@@ -438,10 +446,13 @@ key_already_present: - mutex_unlock(&key_construction_mutex); - key = key_ref_to_ptr(key_ref); - if (dest_keyring) { -+ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); -+ if (ret < 0) -+ goto link_alloc_failed_unlocked; - ret = __key_link_check_live_key(dest_keyring, key); - if (ret == 0) - __key_link(dest_keyring, key, &edit); -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+ __key_link_end(dest_keyring, &key->index_key, edit); - if (ret < 0) - goto link_check_failed; - } -@@ -456,8 +467,10 @@ link_check_failed: - kleave(" = %d [linkcheck]", ret); - return ret; - --link_prealloc_failed: -- __key_link_end(dest_keyring, &ctx->index_key, edit); -+link_alloc_failed: -+ mutex_unlock(&key_construction_mutex); -+link_alloc_failed_unlocked: -+ __key_link_end(dest_keyring, &key->index_key, edit); - link_lock_failed: - mutex_unlock(&user->cons_lock); - key_put(key); diff --git a/queue-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch b/queue-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch deleted file mode 100644 index 67ebb0aa4d4..00000000000 --- a/queue-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch +++ /dev/null @@ -1,204 +0,0 @@ -From df6556adf27b7372cfcd97e1c0afb0d516c8279f Mon Sep 17 00:00:00 2001 -From: Oliver Upton -Date: Tue, 27 Jun 2023 23:54:05 +0000 -Subject: KVM: arm64: Correctly handle page aging notifiers for unaligned memslot - -From: Oliver Upton - -commit df6556adf27b7372cfcd97e1c0afb0d516c8279f upstream. - -Userspace is allowed to select any PAGE_SIZE aligned hva to back guest -memory. This is even the case with hugepages, although it is a rather -suboptimal configuration as PTE level mappings are used at stage-2. - -The arm64 page aging handlers have an assumption that the specified -range is exactly one page/block of memory, which in the aforementioned -case is not necessarily true. All together this leads to the WARN() in -kvm_age_gfn() firing. - -However, the WARN is only part of the issue as the table walkers visit -at most a single leaf PTE. For hugepage-backed memory in a memslot that -isn't hugepage-aligned, page aging entirely misses accesses to the -hugepage beyond the first page in the memslot. - -Add a new walker dedicated to handling page aging MMU notifiers capable -of walking a range of PTEs. Convert kvm(_test)_age_gfn() over to the new -walker and drop the WARN that caught the issue in the first place. The -implementation of this walker was inspired by the test_clear_young() -implementation by Yu Zhao [*], but repurposed to address a bug in the -existing aging implementation. - -Cc: stable@vger.kernel.org # v5.15 -Fixes: 056aad67f836 ("kvm: arm/arm64: Rework gpa callback handlers") -Link: https://lore.kernel.org/kvmarm/20230526234435.662652-6-yuzhao@google.com/ -Co-developed-by: Yu Zhao -Signed-off-by: Yu Zhao -Reported-by: Reiji Watanabe -Reviewed-by: Marc Zyngier -Reviewed-by: Shaoqin Huang -Link: https://lore.kernel.org/r/20230627235405.4069823-1-oliver.upton@linux.dev -Signed-off-by: Oliver Upton -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/kvm_pgtable.h | 26 ++++++------------- - arch/arm64/kvm/hyp/pgtable.c | 47 ++++++++++++++++++++++++++++------- - arch/arm64/kvm/mmu.c | 18 +++++-------- - 3 files changed, 55 insertions(+), 36 deletions(-) - ---- a/arch/arm64/include/asm/kvm_pgtable.h -+++ b/arch/arm64/include/asm/kvm_pgtable.h -@@ -556,22 +556,26 @@ int kvm_pgtable_stage2_wrprotect(struct - kvm_pte_t kvm_pgtable_stage2_mkyoung(struct kvm_pgtable *pgt, u64 addr); - - /** -- * kvm_pgtable_stage2_mkold() - Clear the access flag in a page-table entry. -+ * kvm_pgtable_stage2_test_clear_young() - Test and optionally clear the access -+ * flag in a page-table entry. - * @pgt: Page-table structure initialised by kvm_pgtable_stage2_init*(). - * @addr: Intermediate physical address to identify the page-table entry. -+ * @size: Size of the address range to visit. -+ * @mkold: True if the access flag should be cleared. - * - * The offset of @addr within a page is ignored. - * -- * If there is a valid, leaf page-table entry used to translate @addr, then -- * clear the access flag in that entry. -+ * Tests and conditionally clears the access flag for every valid, leaf -+ * page-table entry used to translate the range [@addr, @addr + @size). - * - * Note that it is the caller's responsibility to invalidate the TLB after - * calling this function to ensure that the updated permissions are visible - * to the CPUs. - * -- * Return: The old page-table entry prior to clearing the flag, 0 on failure. -+ * Return: True if any of the visited PTEs had the access flag set. - */ --kvm_pte_t kvm_pgtable_stage2_mkold(struct kvm_pgtable *pgt, u64 addr); -+bool kvm_pgtable_stage2_test_clear_young(struct kvm_pgtable *pgt, u64 addr, -+ u64 size, bool mkold); - - /** - * kvm_pgtable_stage2_relax_perms() - Relax the permissions enforced by a -@@ -594,18 +598,6 @@ int kvm_pgtable_stage2_relax_perms(struc - enum kvm_pgtable_prot prot); - - /** -- * kvm_pgtable_stage2_is_young() - Test whether a page-table entry has the -- * access flag set. -- * @pgt: Page-table structure initialised by kvm_pgtable_stage2_init*(). -- * @addr: Intermediate physical address to identify the page-table entry. -- * -- * The offset of @addr within a page is ignored. -- * -- * Return: True if the page-table entry has the access flag set, false otherwise. -- */ --bool kvm_pgtable_stage2_is_young(struct kvm_pgtable *pgt, u64 addr); -- --/** - * kvm_pgtable_stage2_flush_range() - Clean and invalidate data cache to Point - * of Coherency for guest stage-2 address - * range. ---- a/arch/arm64/kvm/hyp/pgtable.c -+++ b/arch/arm64/kvm/hyp/pgtable.c -@@ -1173,25 +1173,54 @@ kvm_pte_t kvm_pgtable_stage2_mkyoung(str - return pte; - } - --kvm_pte_t kvm_pgtable_stage2_mkold(struct kvm_pgtable *pgt, u64 addr) -+struct stage2_age_data { -+ bool mkold; -+ bool young; -+}; -+ -+static int stage2_age_walker(const struct kvm_pgtable_visit_ctx *ctx, -+ enum kvm_pgtable_walk_flags visit) - { -- kvm_pte_t pte = 0; -- stage2_update_leaf_attrs(pgt, addr, 1, 0, KVM_PTE_LEAF_ATTR_LO_S2_AF, -- &pte, NULL, 0); -+ kvm_pte_t new = ctx->old & ~KVM_PTE_LEAF_ATTR_LO_S2_AF; -+ struct stage2_age_data *data = ctx->arg; -+ -+ if (!kvm_pte_valid(ctx->old) || new == ctx->old) -+ return 0; -+ -+ data->young = true; -+ -+ /* -+ * stage2_age_walker() is always called while holding the MMU lock for -+ * write, so this will always succeed. Nonetheless, this deliberately -+ * follows the race detection pattern of the other stage-2 walkers in -+ * case the locking mechanics of the MMU notifiers is ever changed. -+ */ -+ if (data->mkold && !stage2_try_set_pte(ctx, new)) -+ return -EAGAIN; -+ - /* - * "But where's the TLBI?!", you scream. - * "Over in the core code", I sigh. - * - * See the '->clear_flush_young()' callback on the KVM mmu notifier. - */ -- return pte; -+ return 0; - } - --bool kvm_pgtable_stage2_is_young(struct kvm_pgtable *pgt, u64 addr) -+bool kvm_pgtable_stage2_test_clear_young(struct kvm_pgtable *pgt, u64 addr, -+ u64 size, bool mkold) - { -- kvm_pte_t pte = 0; -- stage2_update_leaf_attrs(pgt, addr, 1, 0, 0, &pte, NULL, 0); -- return pte & KVM_PTE_LEAF_ATTR_LO_S2_AF; -+ struct stage2_age_data data = { -+ .mkold = mkold, -+ }; -+ struct kvm_pgtable_walker walker = { -+ .cb = stage2_age_walker, -+ .arg = &data, -+ .flags = KVM_PGTABLE_WALK_LEAF, -+ }; -+ -+ WARN_ON(kvm_pgtable_walk(pgt, addr, size, &walker)); -+ return data.young; - } - - int kvm_pgtable_stage2_relax_perms(struct kvm_pgtable *pgt, u64 addr, ---- a/arch/arm64/kvm/mmu.c -+++ b/arch/arm64/kvm/mmu.c -@@ -1639,27 +1639,25 @@ bool kvm_set_spte_gfn(struct kvm *kvm, s - bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range) - { - u64 size = (range->end - range->start) << PAGE_SHIFT; -- kvm_pte_t kpte; -- pte_t pte; - - if (!kvm->arch.mmu.pgt) - return false; - -- WARN_ON(size != PAGE_SIZE && size != PMD_SIZE && size != PUD_SIZE); -- -- kpte = kvm_pgtable_stage2_mkold(kvm->arch.mmu.pgt, -- range->start << PAGE_SHIFT); -- pte = __pte(kpte); -- return pte_valid(pte) && pte_young(pte); -+ return kvm_pgtable_stage2_test_clear_young(kvm->arch.mmu.pgt, -+ range->start << PAGE_SHIFT, -+ size, true); - } - - bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range) - { -+ u64 size = (range->end - range->start) << PAGE_SHIFT; -+ - if (!kvm->arch.mmu.pgt) - return false; - -- return kvm_pgtable_stage2_is_young(kvm->arch.mmu.pgt, -- range->start << PAGE_SHIFT); -+ return kvm_pgtable_stage2_test_clear_young(kvm->arch.mmu.pgt, -+ range->start << PAGE_SHIFT, -+ size, false); - } - - phys_addr_t kvm_mmu_get_httbr(void) diff --git a/queue-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch b/queue-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch deleted file mode 100644 index 893eef4684e..00000000000 --- a/queue-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 970dee09b230895fe2230d2b32ad05a2826818c6 Mon Sep 17 00:00:00 2001 -From: Marc Zyngier -Date: Mon, 3 Jul 2023 17:35:48 +0100 -Subject: KVM: arm64: Disable preemption in kvm_arch_hardware_enable() - -From: Marc Zyngier - -commit 970dee09b230895fe2230d2b32ad05a2826818c6 upstream. - -Since 0bf50497f03b ("KVM: Drop kvm_count_lock and instead protect -kvm_usage_count with kvm_lock"), hotplugging back a CPU whilst -a guest is running results in a number of ugly splats as most -of this code expects to run with preemption disabled, which isn't -the case anymore. - -While the context is preemptable, it isn't migratable, which should -be enough. But we have plenty of preemptible() checks all over -the place, and our per-CPU accessors also disable preemption. - -Since this affects released versions, let's do the easy fix first, -disabling preemption in kvm_arch_hardware_enable(). We can always -revisit this with a more invasive fix in the future. - -Fixes: 0bf50497f03b ("KVM: Drop kvm_count_lock and instead protect kvm_usage_count with kvm_lock") -Reported-by: Kristina Martsenko -Tested-by: Kristina Martsenko -Signed-off-by: Marc Zyngier -Link: https://lore.kernel.org/r/aeab7562-2d39-e78e-93b1-4711f8cc3fa5@arm.com -Cc: stable@vger.kernel.org # v6.3, v6.4 -Link: https://lore.kernel.org/r/20230703163548.1498943-1-maz@kernel.org -Signed-off-by: Oliver Upton -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arm.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -1793,8 +1793,17 @@ static void _kvm_arch_hardware_enable(vo - - int kvm_arch_hardware_enable(void) - { -- int was_enabled = __this_cpu_read(kvm_arm_hardware_enabled); -+ int was_enabled; - -+ /* -+ * Most calls to this function are made with migration -+ * disabled, but not with preemption disabled. The former is -+ * enough to ensure correctness, but most of the helpers -+ * expect the later and will throw a tantrum otherwise. -+ */ -+ preempt_disable(); -+ -+ was_enabled = __this_cpu_read(kvm_arm_hardware_enabled); - _kvm_arch_hardware_enable(NULL); - - if (!was_enabled) { -@@ -1802,6 +1811,8 @@ int kvm_arch_hardware_enable(void) - kvm_timer_cpu_up(); - } - -+ preempt_enable(); -+ - return 0; - } - diff --git a/queue-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch b/queue-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch deleted file mode 100644 index 5184db3f8fa..00000000000 --- a/queue-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch +++ /dev/null @@ -1,65 +0,0 @@ -From fe769e6c1f80f542d6f4e7f7c8c6bf20c1307f99 Mon Sep 17 00:00:00 2001 -From: Marc Zyngier -Date: Tue, 27 Jun 2023 15:05:57 +0100 -Subject: KVM: arm64: timers: Use CNTHCTL_EL2 when setting non-CNTKCTL_EL1 bits - -From: Marc Zyngier - -commit fe769e6c1f80f542d6f4e7f7c8c6bf20c1307f99 upstream. - -It recently appeared that, when running VHE, there is a notable -difference between using CNTKCTL_EL1 and CNTHCTL_EL2, despite what -the architecture documents: - -- When accessed from EL2, bits [19:18] and [16:10] of CNTKCTL_EL1 have - the same assignment as CNTHCTL_EL2 -- When accessed from EL1, bits [19:18] and [16:10] are RES0 - -It is all OK, until you factor in NV, where the EL2 guest runs at EL1. -In this configuration, CNTKCTL_EL11 doesn't trap, nor ends up in -the VNCR page. This means that any write from the guest affecting -CNTHCTL_EL2 using CNTKCTL_EL1 ends up losing some state. Not good. - -The fix it obvious: don't use CNTKCTL_EL1 if you want to change bits -that are not part of the EL1 definition of CNTKCTL_EL1, and use -CNTHCTL_EL2 instead. This doesn't change anything for a bare-metal OS, -and fixes it when running under NV. The NV hypervisor will itself -have to work harder to merge the two accessors. - -Note that there is a pending update to the architecture to address -this issue by making the affected bits UNKNOWN when CNTKCTL_EL1 is -used from EL2 with VHE enabled. - -Fixes: c605ee245097 ("KVM: arm64: timers: Allow physical offset without CNTPOFF_EL2") -Signed-off-by: Marc Zyngier -Cc: stable@vger.kernel.org # v6.4 -Reviewed-by: Eric Auger -Link: https://lore.kernel.org/r/20230627140557.544885-1-maz@kernel.org -Signed-off-by: Oliver Upton -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/arch_timer.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/arch/arm64/kvm/arch_timer.c -+++ b/arch/arm64/kvm/arch_timer.c -@@ -827,8 +827,8 @@ static void timer_set_traps(struct kvm_v - assign_clear_set_bit(tpt, CNTHCTL_EL1PCEN << 10, set, clr); - assign_clear_set_bit(tpc, CNTHCTL_EL1PCTEN << 10, set, clr); - -- /* This only happens on VHE, so use the CNTKCTL_EL1 accessor */ -- sysreg_clear_set(cntkctl_el1, clr, set); -+ /* This only happens on VHE, so use the CNTHCTL_EL2 accessor. */ -+ sysreg_clear_set(cnthctl_el2, clr, set); - } - - void kvm_timer_vcpu_load(struct kvm_vcpu *vcpu) -@@ -1559,7 +1559,7 @@ no_vgic: - void kvm_timer_init_vhe(void) - { - if (cpus_have_final_cap(ARM64_HAS_ECV_CNTPOFF)) -- sysreg_clear_set(cntkctl_el1, 0, CNTHCTL_ECV); -+ sysreg_clear_set(cnthctl_el2, 0, CNTHCTL_ECV); - } - - int kvm_arm_timer_set_attr(struct kvm_vcpu *vcpu, struct kvm_device_attr *attr) diff --git a/queue-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch b/queue-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch deleted file mode 100644 index 21aed153f1d..00000000000 --- a/queue-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch +++ /dev/null @@ -1,134 +0,0 @@ -From b321c31c9b7b309dcde5e8854b741c8e6a9a05f0 Mon Sep 17 00:00:00 2001 -From: Marc Zyngier -Date: Thu, 13 Jul 2023 08:06:57 +0100 -Subject: KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption - -From: Marc Zyngier - -commit b321c31c9b7b309dcde5e8854b741c8e6a9a05f0 upstream. - -Xiang reports that VMs occasionally fail to boot on GICv4.1 systems when -running a preemptible kernel, as it is possible that a vCPU is blocked -without requesting a doorbell interrupt. - -The issue is that any preemption that occurs between vgic_v4_put() and -schedule() on the block path will mark the vPE as nonresident and *not* -request a doorbell irq. This occurs because when the vcpu thread is -resumed on its way to block, vcpu_load() will make the vPE resident -again. Once the vcpu actually blocks, we don't request a doorbell -anymore, and the vcpu won't be woken up on interrupt delivery. - -Fix it by tracking that we're entering WFI, and key the doorbell -request on that flag. This allows us not to make the vPE resident -when going through a preempt/schedule cycle, meaning we don't lose -any state. - -Cc: stable@vger.kernel.org -Fixes: 8e01d9a396e6 ("KVM: arm64: vgic-v4: Move the GICv4 residency flow to be driven by vcpu_load/put") -Reported-by: Xiang Chen -Suggested-by: Zenghui Yu -Tested-by: Xiang Chen -Co-developed-by: Oliver Upton -Signed-off-by: Marc Zyngier -Acked-by: Zenghui Yu -Link: https://lore.kernel.org/r/20230713070657.3873244-1-maz@kernel.org -Signed-off-by: Oliver Upton -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/kvm_host.h | 2 ++ - arch/arm64/kvm/arm.c | 6 ++++-- - arch/arm64/kvm/vgic/vgic-v3.c | 2 +- - arch/arm64/kvm/vgic/vgic-v4.c | 7 +++++-- - include/kvm/arm_vgic.h | 2 +- - 5 files changed, 13 insertions(+), 6 deletions(-) - ---- a/arch/arm64/include/asm/kvm_host.h -+++ b/arch/arm64/include/asm/kvm_host.h -@@ -701,6 +701,8 @@ struct kvm_vcpu_arch { - #define DBG_SS_ACTIVE_PENDING __vcpu_single_flag(sflags, BIT(5)) - /* PMUSERENR for the guest EL0 is on physical CPU */ - #define PMUSERENR_ON_CPU __vcpu_single_flag(sflags, BIT(6)) -+/* WFI instruction trapped */ -+#define IN_WFI __vcpu_single_flag(sflags, BIT(7)) - - - /* Pointer to the vcpu's SVE FFR for sve_{save,load}_state() */ ---- a/arch/arm64/kvm/arm.c -+++ b/arch/arm64/kvm/arm.c -@@ -704,13 +704,15 @@ void kvm_vcpu_wfi(struct kvm_vcpu *vcpu) - */ - preempt_disable(); - kvm_vgic_vmcr_sync(vcpu); -- vgic_v4_put(vcpu, true); -+ vcpu_set_flag(vcpu, IN_WFI); -+ vgic_v4_put(vcpu); - preempt_enable(); - - kvm_vcpu_halt(vcpu); - vcpu_clear_flag(vcpu, IN_WFIT); - - preempt_disable(); -+ vcpu_clear_flag(vcpu, IN_WFI); - vgic_v4_load(vcpu); - preempt_enable(); - } -@@ -778,7 +780,7 @@ static int check_vcpu_requests(struct kv - if (kvm_check_request(KVM_REQ_RELOAD_GICv4, vcpu)) { - /* The distributor enable bits were changed */ - preempt_disable(); -- vgic_v4_put(vcpu, false); -+ vgic_v4_put(vcpu); - vgic_v4_load(vcpu); - preempt_enable(); - } ---- a/arch/arm64/kvm/vgic/vgic-v3.c -+++ b/arch/arm64/kvm/vgic/vgic-v3.c -@@ -749,7 +749,7 @@ void vgic_v3_put(struct kvm_vcpu *vcpu) - { - struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3; - -- WARN_ON(vgic_v4_put(vcpu, false)); -+ WARN_ON(vgic_v4_put(vcpu)); - - vgic_v3_vmcr_sync(vcpu); - ---- a/arch/arm64/kvm/vgic/vgic-v4.c -+++ b/arch/arm64/kvm/vgic/vgic-v4.c -@@ -336,14 +336,14 @@ void vgic_v4_teardown(struct kvm *kvm) - its_vm->vpes = NULL; - } - --int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db) -+int vgic_v4_put(struct kvm_vcpu *vcpu) - { - struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe; - - if (!vgic_supports_direct_msis(vcpu->kvm) || !vpe->resident) - return 0; - -- return its_make_vpe_non_resident(vpe, need_db); -+ return its_make_vpe_non_resident(vpe, !!vcpu_get_flag(vcpu, IN_WFI)); - } - - int vgic_v4_load(struct kvm_vcpu *vcpu) -@@ -354,6 +354,9 @@ int vgic_v4_load(struct kvm_vcpu *vcpu) - if (!vgic_supports_direct_msis(vcpu->kvm) || vpe->resident) - return 0; - -+ if (vcpu_get_flag(vcpu, IN_WFI)) -+ return 0; -+ - /* - * Before making the VPE resident, make sure the redistributor - * corresponding to our current CPU expects us here. See the ---- a/include/kvm/arm_vgic.h -+++ b/include/kvm/arm_vgic.h -@@ -431,7 +431,7 @@ int kvm_vgic_v4_unset_forwarding(struct - - int vgic_v4_load(struct kvm_vcpu *vcpu); - void vgic_v4_commit(struct kvm_vcpu *vcpu); --int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db); -+int vgic_v4_put(struct kvm_vcpu *vcpu); - - /* CPU HP callbacks */ - void kvm_vgic_cpu_up(void); diff --git a/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch deleted file mode 100644 index 4a6e0b72084..00000000000 --- a/queue-6.4/llc-don-t-drop-packet-from-non-root-netns.patch +++ /dev/null @@ -1,50 +0,0 @@ -From ab300723a1ee5601a0a426d0d158f60c650f82d0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 10:41:51 -0700 -Subject: llc: Don't drop packet from non-root netns. - -From: Kuniyuki Iwashima - -[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] - -Now these upper layer protocol handlers can be called from llc_rcv() -as sap->rcv_func(), which is registered by llc_sap_open(). - - * function which is passed to register_8022_client() - -> no in-kernel user calls register_8022_client(). - - * snap_rcv() - `- proto->rcvfunc() : registered by register_snap_client() - -> aarp_rcv() and atalk_rcv() drop packets from non-root netns - - * stp_pdu_rcv() - `- garp_protos[]->rcv() : registered by stp_proto_register() - -> garp_pdu_rcv() and br_stp_rcv() are netns-aware - -So, we can safely remove the netns restriction in llc_rcv(). - -Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/llc/llc_input.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c -index c309b72a58779..7cac441862e21 100644 ---- a/net/llc/llc_input.c -+++ b/net/llc/llc_input.c -@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, - void (*sta_handler)(struct sk_buff *skb); - void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); - -- if (!net_eq(dev_net(dev), &init_net)) -- goto drop; -- - /* - * When the interface is in promisc. mode, drop all the crap that it - * receives, do not try to analyse it. --- -2.39.2 - diff --git a/queue-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch b/queue-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch deleted file mode 100644 index 50edbd715e6..00000000000 --- a/queue-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd Mon Sep 17 00:00:00 2001 -From: "Liam R. Howlett" -Date: Wed, 12 Jul 2023 13:39:16 -0400 -Subject: maple_tree: fix node allocation testing on 32 bit - -From: Liam R. Howlett - -commit ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd upstream. - -Internal node counting was altered and the 64 bit test was updated, -however the 32bit test was missed. - -Restore the 32bit test to a functional state. - -Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ -Link: https://lkml.kernel.org/r/20230712173916.168805-2-Liam.Howlett@oracle.com -Fixes: 541e06b772c1 ("maple_tree: remove GFP_ZERO from kmem_cache_alloc() and kmem_cache_alloc_bulk()") -Signed-off-by: Liam R. Howlett -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/radix-tree/maple.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/tools/testing/radix-tree/maple.c -+++ b/tools/testing/radix-tree/maple.c -@@ -206,9 +206,9 @@ static noinline void check_new_node(stru - e = i - 1; - } else { - if (i >= 4) -- e = i - 4; -- else if (i == 3) -- e = i - 2; -+ e = i - 3; -+ else if (i >= 1) -+ e = i - 1; - else - e = 0; - } diff --git a/queue-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch b/queue-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch deleted file mode 100644 index a246c4bc1cb..00000000000 --- a/queue-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3c769fd88b9742954763a968e84de09f7ad78cfe Mon Sep 17 00:00:00 2001 -From: Peng Zhang -Date: Tue, 11 Jul 2023 11:54:37 +0800 -Subject: maple_tree: set the node limit when creating a new root node - -From: Peng Zhang - -commit 3c769fd88b9742954763a968e84de09f7ad78cfe upstream. - -Set the node limit of the root node so that the last pivot of all nodes is -the node limit (if the node is not full). - -This patch also fixes a bug in mas_rev_awalk(). Effectively, always -setting a maximum makes mas_logical_pivot() behave as mas_safe_pivot(). -Without this fix, it is possible that very small tasks would fail to find -the correct gap. Although this has not been observed with real tasks, it -has been reported to happen in m68k nommu running the maple tree tests. - -Link: https://lkml.kernel.org/r/20230711035444.526-1-zhangpeng.00@bytedance.com -Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/ -Link: https://lkml.kernel.org/r/20230711035444.526-2-zhangpeng.00@bytedance.com -Fixes: 54a611b60590 ("Maple Tree: add new data structure") -Signed-off-by: Peng Zhang -Reviewed-by: Liam R. Howlett -Tested-by: Geert Uytterhoeven -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - lib/maple_tree.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/lib/maple_tree.c -+++ b/lib/maple_tree.c -@@ -3693,7 +3693,8 @@ static inline int mas_root_expand(struct - mas->offset = slot; - pivots[slot] = mas->last; - if (mas->last != ULONG_MAX) -- slot++; -+ pivots[++slot] = ULONG_MAX; -+ - mas->depth = 1; - mas_set_height(mas); - ma_set_meta(node, maple_leaf_64, 0, slot); diff --git a/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch deleted file mode 100644 index d6817daedd1..00000000000 --- a/queue-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 80f2228049410e7eff45840000d380b5604945b6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 May 2023 09:56:07 +0800 -Subject: md: fix data corruption for raid456 when reshape restart while grow - up - -From: Yu Kuai - -[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] - -Currently, if reshape is interrupted, echo "reshape" to sync_action will -restart reshape from scratch, for example: - -echo frozen > sync_action -echo reshape > sync_action - -This will corrupt data before reshape_position if the array is growing, -fix the problem by continue reshape from reshape_position. - -Reported-by: Peter Neuwirth -Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ -Signed-off-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 350094f1cb09f..18384251399ab 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -4807,11 +4807,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) - return -EINVAL; - err = mddev_lock(mddev); - if (!err) { -- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) -+ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { - err = -EBUSY; -- else { -+ } else if (mddev->reshape_position == MaxSector || -+ mddev->pers->check_reshape == NULL || -+ mddev->pers->check_reshape(mddev)) { - clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); - err = mddev->pers->start_reshape(mddev); -+ } else { -+ /* -+ * If reshape is still in progress, and -+ * md_check_recovery() can continue to reshape, -+ * don't restart reshape because data can be -+ * corrupted for raid456. -+ */ -+ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); - } - mddev_unlock(mddev); - } --- -2.39.2 - diff --git a/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch deleted file mode 100644 index b2cb0c775d8..00000000000 --- a/queue-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch +++ /dev/null @@ -1,79 +0,0 @@ -From ef7e4e57e0ab49f62d54a77d61419b84c4936aff Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 May 2023 21:11:00 +0800 -Subject: md/raid10: prevent soft lockup while flush writes - -From: Yu Kuai - -[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] - -Currently, there is no limit for raid1/raid10 plugged bio. While flushing -writes, raid1 has cond_resched() while raid10 doesn't, and too many -writes can cause soft lockup. - -Follow up soft lockup can be triggered easily with writeback test for -raid10 with ramdisks: - -watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] -Call Trace: - - call_rcu+0x16/0x20 - put_object+0x41/0x80 - __delete_object+0x50/0x90 - delete_object_full+0x2b/0x40 - kmemleak_free+0x46/0xa0 - slab_free_freelist_hook.constprop.0+0xed/0x1a0 - kmem_cache_free+0xfd/0x300 - mempool_free_slab+0x1f/0x30 - mempool_free+0x3a/0x100 - bio_free+0x59/0x80 - bio_put+0xcf/0x2c0 - free_r10bio+0xbf/0xf0 - raid_end_bio_io+0x78/0xb0 - one_write_done+0x8a/0xa0 - raid10_end_write_request+0x1b4/0x430 - bio_endio+0x175/0x320 - brd_submit_bio+0x3b9/0x9b7 [brd] - __submit_bio+0x69/0xe0 - submit_bio_noacct_nocheck+0x1e6/0x5a0 - submit_bio_noacct+0x38c/0x7e0 - flush_pending_writes+0xf0/0x240 - raid10d+0xac/0x1ed0 - -Fix the problem by adding cond_resched() to raid10 like what raid1 did. - -Note that unlimited plugged bio still need to be optimized, for example, -in the case of lots of dirty pages writeback, this will take lots of -memory and io will spend a long time in plug, hence io latency is bad. - -Signed-off-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/raid10.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 9d23963496194..ee75b058438f3 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -920,6 +920,7 @@ static void flush_pending_writes(struct r10conf *conf) - - raid1_submit_write(bio); - bio = next; -+ cond_resched(); - } - blk_finish_plug(&plug); - } else -@@ -1132,6 +1133,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) - - raid1_submit_write(bio); - bio = next; -+ cond_resched(); - } - kfree(plug); - } --- -2.39.2 - diff --git a/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch b/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch deleted file mode 100644 index c2f17fc583d..00000000000 --- a/queue-6.4/mips-dec-prom-address-warray-bounds-warning.patch +++ /dev/null @@ -1,56 +0,0 @@ -From c903bed38cada61c448c48520cd02ec55c71c4bb Mon Sep 17 00:00:00 2001 -From: "Gustavo A. R. Silva" -Date: Thu, 22 Jun 2023 17:43:57 -0600 -Subject: [PATCH AUTOSEL 5.4 10/12] MIPS: dec: prom: Address -Warray-bounds - warning -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ] - -Zero-length arrays are deprecated, and we are replacing them with flexible -array members instead. So, replace zero-length array with flexible-array -member in struct memmap. - -Address the following warning found after building (with GCC-13) mips64 -with decstation_64_defconfig: -In function 'rex_setup_memory_region', - inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3: -arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=] - 72 | if (bm->bitmap[i] == 0xff) - | ~~~~~~~~~~^~~ -In file included from arch/mips/dec/prom/memory.c:16: -./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit': -./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap' - 73 | unsigned char bitmap[0]; - -This helps with the ongoing efforts to globally enable -Warray-bounds. - -This results in no differences in binary output. - -Link: https://github.com/KSPP/linux/issues/79 -Link: https://github.com/KSPP/linux/issues/323 -Signed-off-by: Gustavo A. R. Silva -Signed-off-by: Thomas Bogendoerfer -Signed-off-by: Sasha Levin ---- - arch/mips/include/asm/dec/prom.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/mips/include/asm/dec/prom.h b/arch/mips/include/asm/dec/prom.h -index 1e1247add1cf8..908e96e3a3117 100644 ---- a/arch/mips/include/asm/dec/prom.h -+++ b/arch/mips/include/asm/dec/prom.h -@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic) - */ - typedef struct { - int pagesize; -- unsigned char bitmap[0]; -+ unsigned char bitmap[]; - } memmap; - - --- -2.39.2 - diff --git a/queue-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch b/queue-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch deleted file mode 100644 index cdab42a7c6d..00000000000 --- a/queue-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 2658f94d679243209889cdfa8de3743cde1abea9 Mon Sep 17 00:00:00 2001 -From: "Liam R. Howlett" -Date: Tue, 11 Jul 2023 13:50:20 -0400 -Subject: mm/mlock: fix vma iterator conversion of apply_vma_lock_flags() - -From: Liam R. Howlett - -commit 2658f94d679243209889cdfa8de3743cde1abea9 upstream. - -apply_vma_lock_flags() calls mlock_fixup(), which could merge the VMA -after where the vma iterator is located. Although this is not an issue, -the next iteration of the loop will check the start of the vma to be equal -to the locally saved 'tmp' variable and cause an incorrect failure -scenario. Fix the error by setting tmp to the end of the vma iterator -value before restarting the loop. - -There is also a potential of the error code being overwritten when the -loop terminates early. Fix the return issue by directly returning when an -error is encountered since there is nothing to undo after the loop. - -Link: https://lkml.kernel.org/r/20230711175020.4091336-1-Liam.Howlett@oracle.com -Fixes: 37598f5a9d8b ("mlock: convert mlock to vma iterator") -Signed-off-by: Liam R. Howlett -Reported-by: Ryan Roberts - Link: https://lore.kernel.org/linux-mm/50341ca1-d582-b33a-e3d0-acb08a65166f@arm.com/ -Tested-by: Ryan Roberts -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/mlock.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - ---- a/mm/mlock.c -+++ b/mm/mlock.c -@@ -471,7 +471,6 @@ static int apply_vma_lock_flags(unsigned - { - unsigned long nstart, end, tmp; - struct vm_area_struct *vma, *prev; -- int error; - VMA_ITERATOR(vmi, current->mm, start); - - VM_BUG_ON(offset_in_page(start)); -@@ -492,6 +491,7 @@ static int apply_vma_lock_flags(unsigned - nstart = start; - tmp = vma->vm_start; - for_each_vma_range(vmi, vma, end) { -+ int error; - vm_flags_t newflags; - - if (vma->vm_start != tmp) -@@ -505,14 +505,15 @@ static int apply_vma_lock_flags(unsigned - tmp = end; - error = mlock_fixup(&vmi, vma, &prev, nstart, tmp, newflags); - if (error) -- break; -+ return error; -+ tmp = vma_iter_end(&vmi); - nstart = tmp; - } - -- if (vma_iter_end(&vmi) < end) -+ if (tmp < end) - return -ENOMEM; - -- return error; -+ return 0; - } - - /* diff --git a/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch b/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch deleted file mode 100644 index 258fa77bfad..00000000000 --- a/queue-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch +++ /dev/null @@ -1,94 +0,0 @@ -From a7360bc2cf287cca1717eceba861bb3b9886c55e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 17:46:22 -0700 -Subject: net: dsa: microchip: correct KSZ8795 static MAC table access - -From: Tristram Ha - -[ Upstream commit 4bdf79d686b49ac49373b36466acfb93972c7d7c ] - -The KSZ8795 driver code was modified to use on KSZ8863/73, which has -different register definitions. Some of the new KSZ8795 register -information are wrong compared to previous code. - -KSZ8795 also behaves differently in that the STATIC_MAC_TABLE_USE_FID -and STATIC_MAC_TABLE_FID bits are off by 1 when doing MAC table reading -than writing. To compensate that a special code was added to shift the -register value by 1 before applying those bits. This is wrong when the -code is running on KSZ8863, so this special code is only executed when -KSZ8795 is detected. - -Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") -Signed-off-by: Tristram Ha -Reviewed-by: Horatiu Vultur -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/microchip/ksz8795.c | 8 +++++++- - drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- - drivers/net/dsa/microchip/ksz_common.h | 7 +++++++ - 3 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c -index f56fca1b1a222..cc5b19a3d0df2 100644 ---- a/drivers/net/dsa/microchip/ksz8795.c -+++ b/drivers/net/dsa/microchip/ksz8795.c -@@ -506,7 +506,13 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, - (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> - shifts[STATIC_MAC_FWD_PORTS]; - alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; -- data_hi >>= 1; -+ -+ /* KSZ8795 family switches have STATIC_MAC_TABLE_USE_FID and -+ * STATIC_MAC_TABLE_FID definitions off by 1 when doing read on the -+ * static MAC table compared to doing write. -+ */ -+ if (ksz_is_ksz87xx(dev)) -+ data_hi >>= 1; - alu->is_static = true; - alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; - alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> -diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c -index a4428be5f483c..a0ba2605bb620 100644 ---- a/drivers/net/dsa/microchip/ksz_common.c -+++ b/drivers/net/dsa/microchip/ksz_common.c -@@ -331,13 +331,13 @@ static const u32 ksz8795_masks[] = { - [STATIC_MAC_TABLE_VALID] = BIT(21), - [STATIC_MAC_TABLE_USE_FID] = BIT(23), - [STATIC_MAC_TABLE_FID] = GENMASK(30, 24), -- [STATIC_MAC_TABLE_OVERRIDE] = BIT(26), -- [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(24, 20), -+ [STATIC_MAC_TABLE_OVERRIDE] = BIT(22), -+ [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(20, 16), - [DYNAMIC_MAC_TABLE_ENTRIES_H] = GENMASK(6, 0), -- [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(8), -+ [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7), - [DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7), - [DYNAMIC_MAC_TABLE_ENTRIES] = GENMASK(31, 29), -- [DYNAMIC_MAC_TABLE_FID] = GENMASK(26, 20), -+ [DYNAMIC_MAC_TABLE_FID] = GENMASK(22, 16), - [DYNAMIC_MAC_TABLE_SRC_PORT] = GENMASK(26, 24), - [DYNAMIC_MAC_TABLE_TIMESTAMP] = GENMASK(28, 27), - [P_MII_TX_FLOW_CTRL] = BIT(5), -diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h -index 8abecaf6089ef..33d9a2f6af27a 100644 ---- a/drivers/net/dsa/microchip/ksz_common.h -+++ b/drivers/net/dsa/microchip/ksz_common.h -@@ -569,6 +569,13 @@ static inline void ksz_regmap_unlock(void *__mtx) - mutex_unlock(mtx); - } - -+static inline bool ksz_is_ksz87xx(struct ksz_device *dev) -+{ -+ return dev->chip_id == KSZ8795_CHIP_ID || -+ dev->chip_id == KSZ8794_CHIP_ID || -+ dev->chip_id == KSZ8765_CHIP_ID; -+} -+ - static inline bool ksz_is_ksz88x3(struct ksz_device *dev) - { - return dev->chip_id == KSZ8830_CHIP_ID; --- -2.39.2 - diff --git a/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch b/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch deleted file mode 100644 index 3a167dfd58f..00000000000 --- a/queue-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 34e9af935105e7093a075c88cfc44a3f7868b627 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 00:20:35 +0800 -Subject: net: ethernet: litex: add support for 64 bit stats - -From: Jisheng Zhang - -[ Upstream commit 18da174d865a87d47d2f33f5b0a322efcf067728 ] - -Implement 64 bit per cpu stats to fix the overflow of netdev->stats -on 32 bit platforms. To simplify the code, we use net core -pcpu_sw_netstats infrastructure. One small drawback is some memory -overhead because litex uses just one queue, but we allocate the -counters per cpu. - -Signed-off-by: Jisheng Zhang -Reviewed-by: Simon Horman -Acked-by: Gabriel Somlo -Link: https://lore.kernel.org/r/20230614162035.300-1-jszhang@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/litex/litex_liteeth.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c -index 35f24e0f09349..ffa96059079c6 100644 ---- a/drivers/net/ethernet/litex/litex_liteeth.c -+++ b/drivers/net/ethernet/litex/litex_liteeth.c -@@ -78,8 +78,7 @@ static int liteeth_rx(struct net_device *netdev) - memcpy_fromio(data, priv->rx_base + rx_slot * priv->slot_size, len); - skb->protocol = eth_type_trans(skb, netdev); - -- netdev->stats.rx_packets++; -- netdev->stats.rx_bytes += len; -+ dev_sw_netstats_rx_add(netdev, len); - - return netif_rx(skb); - -@@ -185,8 +184,7 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, - litex_write16(priv->base + LITEETH_READER_LENGTH, skb->len); - litex_write8(priv->base + LITEETH_READER_START, 1); - -- netdev->stats.tx_bytes += skb->len; -- netdev->stats.tx_packets++; -+ dev_sw_netstats_tx_add(netdev, 1, skb->len); - - priv->tx_slot = (priv->tx_slot + 1) % priv->num_tx_slots; - dev_kfree_skb_any(skb); -@@ -194,9 +192,17 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, - return NETDEV_TX_OK; - } - -+static void -+liteeth_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats) -+{ -+ netdev_stats_to_stats64(stats, &netdev->stats); -+ dev_fetch_sw_netstats(stats, netdev->tstats); -+} -+ - static const struct net_device_ops liteeth_netdev_ops = { - .ndo_open = liteeth_open, - .ndo_stop = liteeth_stop, -+ .ndo_get_stats64 = liteeth_get_stats64, - .ndo_start_xmit = liteeth_start_xmit, - }; - -@@ -242,6 +248,11 @@ static int liteeth_probe(struct platform_device *pdev) - priv->netdev = netdev; - priv->dev = &pdev->dev; - -+ netdev->tstats = devm_netdev_alloc_pcpu_stats(&pdev->dev, -+ struct pcpu_sw_netstats); -+ if (!netdev->tstats) -+ return -ENOMEM; -+ - irq = platform_get_irq(pdev, 0); - if (irq < 0) - return irq; --- -2.39.2 - diff --git a/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch b/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch deleted file mode 100644 index 653b4cbb470..00000000000 --- a/queue-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4cb705f4015d47ec6907fcb6d63ca051b0729491 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 01:39:36 +0100 -Subject: net: ethernet: mtk_eth_soc: always mtk_get_ib1_pkt_type - -From: Daniel Golle - -[ Upstream commit 9f9d4c1a2e82174a4e799ec405284a2b0de32b6a ] - -entries and bind debugfs files would display wrong data on NETSYS_V2 and -later because instead of using mtk_get_ib1_pkt_type the driver would use -MTK_FOE_IB1_PACKET_TYPE which corresponds to NETSYS_V1(.x) SoCs. -Use mtk_get_ib1_pkt_type so entries and bind records display correctly. - -Fixes: 03a3180e5c09e ("net: ethernet: mtk_eth_soc: introduce flow offloading support for mt7986") -Signed-off-by: Daniel Golle -Acked-by: Lorenzo Bianconi -Link: https://lore.kernel.org/r/c0ae03d0182f4d27b874cbdf0059bc972c317f3c.1689727134.git.daniel@makrotopia.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c -index 316fe2e70fead..1a97feca77f23 100644 ---- a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c -+++ b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c -@@ -98,7 +98,7 @@ mtk_ppe_debugfs_foe_show(struct seq_file *m, void *private, bool bind) - - acct = mtk_foe_entry_get_mib(ppe, i, NULL); - -- type = FIELD_GET(MTK_FOE_IB1_PACKET_TYPE, entry->ib1); -+ type = mtk_get_ib1_pkt_type(ppe->eth, entry->ib1); - seq_printf(m, "%05x %s %7s", i, - mtk_foe_entry_state_str(state), - mtk_foe_pkt_type_str(type)); --- -2.39.2 - diff --git a/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch deleted file mode 100644 index 07bff9f3a74..00000000000 --- a/queue-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 8c1eaba2f6d01540a7166c686b9673e70df454c3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 03:42:29 +0100 -Subject: net: ethernet: mtk_eth_soc: handle probe deferral - -From: Daniel Golle - -[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] - -Move the call to of_get_ethdev_address to mtk_add_mac which is part of -the probe function and can hence itself return -EPROBE_DEFER should -of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely -get rid of the mtk_init function. - -The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced -in situations in which the NVMEM provider holding the MAC address has -not yet be loaded at the time mtk_eth_soc is initially probed. In this -case probing of mtk_eth_soc should be deferred instead of falling back -to use a random MAC address, so once the NVMEM provider becomes -available probing can be repeated. - -Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") -Signed-off-by: Daniel Golle -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- - 1 file changed, 11 insertions(+), 18 deletions(-) - -diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c -index 834c644b67db5..2d15342c260ae 100644 ---- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c -+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c -@@ -3846,23 +3846,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) - return 0; - } - --static int __init mtk_init(struct net_device *dev) --{ -- struct mtk_mac *mac = netdev_priv(dev); -- struct mtk_eth *eth = mac->hw; -- int ret; -- -- ret = of_get_ethdev_address(mac->of_node, dev); -- if (ret) { -- /* If the mac address is invalid, use random mac address */ -- eth_hw_addr_random(dev); -- dev_err(eth->dev, "generated random MAC address %pM\n", -- dev->dev_addr); -- } -- -- return 0; --} -- - static void mtk_uninit(struct net_device *dev) - { - struct mtk_mac *mac = netdev_priv(dev); -@@ -4278,7 +4261,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { - }; - - static const struct net_device_ops mtk_netdev_ops = { -- .ndo_init = mtk_init, - .ndo_uninit = mtk_uninit, - .ndo_open = mtk_open, - .ndo_stop = mtk_stop, -@@ -4340,6 +4322,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) - mac->hw = eth; - mac->of_node = np; - -+ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); -+ if (err == -EPROBE_DEFER) -+ return err; -+ -+ if (err) { -+ /* If the mac address is invalid, use random mac address */ -+ eth_hw_addr_random(eth->netdev[id]); -+ dev_err(eth->dev, "generated random MAC address %pM\n", -+ eth->netdev[id]->dev_addr); -+ } -+ - memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); - mac->hwlro_ip_cnt = 0; - --- -2.39.2 - diff --git a/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch deleted file mode 100644 index aa4f166c2e0..00000000000 --- a/queue-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 0734d7075e1b22684e639d53914c1b54e355f26f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jul 2023 16:36:57 +0530 -Subject: net: ethernet: ti: cpsw_ale: Fix - cpsw_ale_get_field()/cpsw_ale_set_field() - -From: Tanmay Patil - -[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] - -CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. -The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the -field will be strictly contained within one word. However, this is not -guaranteed to be the case and it is possible for ALE field entries to span -across up to two words at the most. - -Fix the methods to handle getting/setting fields spanning up to two words. - -Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") -Signed-off-by: Tanmay Patil -[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] -Signed-off-by: Siddharth Vadapalli -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c -index 0c5e783e574c4..64bf22cd860c9 100644 ---- a/drivers/net/ethernet/ti/cpsw_ale.c -+++ b/drivers/net/ethernet/ti/cpsw_ale.c -@@ -106,23 +106,37 @@ struct cpsw_ale_dev_id { - - static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) - { -- int idx; -+ int idx, idx2; -+ u32 hi_val = 0; - - idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be fetched exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); -+ } - start -= idx * 32; - idx = 2 - idx; /* flip */ -- return (ale_entry[idx] >> start) & BITMASK(bits); -+ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); - } - - static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, - u32 value) - { -- int idx; -+ int idx, idx2; - - value &= BITMASK(bits); -- idx = start / 32; -+ idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be set exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); -+ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); -+ } - start -= idx * 32; -- idx = 2 - idx; /* flip */ -+ idx = 2 - idx; /* flip */ - ale_entry[idx] &= ~(BITMASK(bits) << start); - ale_entry[idx] |= (value << start); - } --- -2.39.2 - diff --git a/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch b/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch deleted file mode 100644 index 2fc2df03878..00000000000 --- a/queue-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch +++ /dev/null @@ -1,140 +0,0 @@ -From dc77ee4a0a97049edbad6c3f13a92c2edc7a6c5a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 20:33:08 +0800 -Subject: net: hns3: fix strncpy() not using dest-buf length as length issue - -From: Hao Chen - -[ Upstream commit 1cf3d5567f273a8746d1bade00633a93204f80f0 ] - -Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length, -it may result in dest-buf overflow. - -This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0 -compiler. - -The warning reports as below: - -hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on -the length of the source argument [-Wstringop-truncation] - -strncpy(pos, items[i].name, strlen(items[i].name)); - -hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before -terminating nul copying as many bytes from a string as its length -[-Wstringop-truncation] - -strncpy(pos, result[i], strlen(result[i])); - -strncpy() use src-length as copy-length, it may result in -dest-buf overflow. - -So,this patch add some values check to avoid this issue. - -Signed-off-by: Hao Chen -Reported-by: kernel test robot -Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/ -Signed-off-by: Hao Lan -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++----- - .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++--- - 2 files changed, 48 insertions(+), 12 deletions(-) - -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -index d385ffc218766..32bb14303473b 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c -@@ -438,19 +438,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, - const struct hns3_dbg_item *items, - const char **result, u16 size) - { -+#define HNS3_DBG_LINE_END_LEN 2 - char *pos = content; -+ u16 item_len; - u16 i; - -+ if (!len) { -+ return; -+ } else if (len <= HNS3_DBG_LINE_END_LEN) { -+ *pos++ = '\0'; -+ return; -+ } -+ - memset(content, ' ', len); -- for (i = 0; i < size; i++) { -- if (result) -- strncpy(pos, result[i], strlen(result[i])); -- else -- strncpy(pos, items[i].name, strlen(items[i].name)); -+ len -= HNS3_DBG_LINE_END_LEN; - -- pos += strlen(items[i].name) + items[i].interval; -+ for (i = 0; i < size; i++) { -+ item_len = strlen(items[i].name) + items[i].interval; -+ if (len < item_len) -+ break; -+ -+ if (result) { -+ if (item_len < strlen(result[i])) -+ break; -+ strscpy(pos, result[i], strlen(result[i])); -+ } else { -+ strscpy(pos, items[i].name, strlen(items[i].name)); -+ } -+ pos += item_len; -+ len -= item_len; - } -- - *pos++ = '\n'; - *pos++ = '\0'; - } -diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -index a0b46e7d863eb..233c132dc513e 100644 ---- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c -@@ -88,16 +88,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, - const struct hclge_dbg_item *items, - const char **result, u16 size) - { -+#define HCLGE_DBG_LINE_END_LEN 2 - char *pos = content; -+ u16 item_len; - u16 i; - -+ if (!len) { -+ return; -+ } else if (len <= HCLGE_DBG_LINE_END_LEN) { -+ *pos++ = '\0'; -+ return; -+ } -+ - memset(content, ' ', len); -+ len -= HCLGE_DBG_LINE_END_LEN; -+ - for (i = 0; i < size; i++) { -- if (result) -- strncpy(pos, result[i], strlen(result[i])); -- else -- strncpy(pos, items[i].name, strlen(items[i].name)); -- pos += strlen(items[i].name) + items[i].interval; -+ item_len = strlen(items[i].name) + items[i].interval; -+ if (len < item_len) -+ break; -+ -+ if (result) { -+ if (item_len < strlen(result[i])) -+ break; -+ strscpy(pos, result[i], strlen(result[i])); -+ } else { -+ strscpy(pos, items[i].name, strlen(items[i].name)); -+ } -+ pos += item_len; -+ len -= item_len; - } - *pos++ = '\n'; - *pos++ = '\0'; --- -2.39.2 - diff --git a/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch b/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch deleted file mode 100644 index 9e2e5f71328..00000000000 --- a/queue-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch +++ /dev/null @@ -1,134 +0,0 @@ -From eb3d2ceb4d7e11c861c8385f94a0f307e72a546d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 May 2023 18:14:52 +0200 -Subject: net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV - -From: Antoine Tenart - -[ Upstream commit c0a8966e2bc7d31f77a7246947ebc09c1ff06066 ] - -When using IPv4/TCP, skb->hash comes from sk->sk_txhash except in -TIME_WAIT and SYN_RECV where it's not set in the reply skb from -ip_send_unicast_reply. Those packets will have a mismatched hash with -others from the same flow as their hashes will be 0. IPv6 does not have -the same issue as the hash is set from the socket txhash in those cases. - -This commits sets the hash in the reply skb from ip_send_unicast_reply, -which makes the IPv4 code behaving like IPv6. - -Signed-off-by: Antoine Tenart -Reviewed-by: Eric Dumazet -Signed-off-by: Paolo Abeni -Stable-dep-of: 5e5265522a9a ("tcp: annotate data-races around tcp_rsk(req)->txhash") -Signed-off-by: Sasha Levin ---- - include/net/ip.h | 2 +- - net/ipv4/ip_output.c | 4 +++- - net/ipv4/tcp_ipv4.c | 14 +++++++++----- - 3 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/include/net/ip.h b/include/net/ip.h -index acec504c469a0..83a1a9bc3ceb1 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -282,7 +282,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - const struct ip_options *sopt, - __be32 daddr, __be32 saddr, - const struct ip_reply_arg *arg, -- unsigned int len, u64 transmit_time); -+ unsigned int len, u64 transmit_time, u32 txhash); - - #define IP_INC_STATS(net, field) SNMP_INC_STATS64((net)->mib.ip_statistics, field) - #define __IP_INC_STATS(net, field) __SNMP_INC_STATS64((net)->mib.ip_statistics, field) -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 61892268e8a6c..a1bead441026e 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1692,7 +1692,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - const struct ip_options *sopt, - __be32 daddr, __be32 saddr, - const struct ip_reply_arg *arg, -- unsigned int len, u64 transmit_time) -+ unsigned int len, u64 transmit_time, u32 txhash) - { - struct ip_options_data replyopts; - struct ipcm_cookie ipc; -@@ -1755,6 +1755,8 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, - arg->csum)); - nskb->ip_summed = CHECKSUM_NONE; - nskb->mono_delivery_time = !!transmit_time; -+ if (txhash) -+ skb_set_hash(nskb, txhash, PKT_HASH_TYPE_L4); - ip_push_pending_frames(sk, &fl4); - } - out: -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 434e5f0c8b99d..a64069077e388 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -692,6 +692,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - u64 transmit_time = 0; - struct sock *ctl_sk; - struct net *net; -+ u32 txhash = 0; - - /* Never send a reset in response to a reset. */ - if (th->rst) -@@ -829,6 +830,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - inet_twsk(sk)->tw_priority : sk->sk_priority; - transmit_time = tcp_transmit_time(sk); - xfrm_sk_clone_policy(ctl_sk, sk); -+ txhash = (sk->sk_state == TCP_TIME_WAIT) ? -+ inet_twsk(sk)->tw_txhash : sk->sk_txhash; - } else { - ctl_sk->sk_mark = 0; - ctl_sk->sk_priority = 0; -@@ -837,7 +840,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) - skb, &TCP_SKB_CB(skb)->header.h4.opt, - ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, - &arg, arg.iov[0].iov_len, -- transmit_time); -+ transmit_time, txhash); - - xfrm_sk_free_policy(ctl_sk); - sock_net_set(ctl_sk, &init_net); -@@ -859,7 +862,7 @@ static void tcp_v4_send_ack(const struct sock *sk, - struct sk_buff *skb, u32 seq, u32 ack, - u32 win, u32 tsval, u32 tsecr, int oif, - struct tcp_md5sig_key *key, -- int reply_flags, u8 tos) -+ int reply_flags, u8 tos, u32 txhash) - { - const struct tcphdr *th = tcp_hdr(skb); - struct { -@@ -935,7 +938,7 @@ static void tcp_v4_send_ack(const struct sock *sk, - skb, &TCP_SKB_CB(skb)->header.h4.opt, - ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, - &arg, arg.iov[0].iov_len, -- transmit_time); -+ transmit_time, txhash); - - sock_net_set(ctl_sk, &init_net); - __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); -@@ -955,7 +958,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) - tw->tw_bound_dev_if, - tcp_twsk_md5_key(tcptw), - tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, -- tw->tw_tos -+ tw->tw_tos, -+ tw->tw_txhash - ); - - inet_twsk_put(tw); -@@ -988,7 +992,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -- ip_hdr(skb)->tos); -+ ip_hdr(skb)->tos, tcp_rsk(req)->txhash); - } - - /* --- -2.39.2 - diff --git a/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch deleted file mode 100644 index 1168758b98d..00000000000 --- a/queue-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 8f4e7983251e6782f216def6e2b47a48976a5841 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 17:59:19 +0800 -Subject: net: ipv4: Use kfree_sensitive instead of kfree - -From: Wang Ming - -[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ] - -key might contain private part of the key, so better use -kfree_sensitive to free it. - -Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP") -Signed-off-by: Wang Ming -Reviewed-by: Tariq Toukan -Reviewed-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/esp4.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c -index ba06ed42e4284..2be2d49225573 100644 ---- a/net/ipv4/esp4.c -+++ b/net/ipv4/esp4.c -@@ -1132,7 +1132,7 @@ static int esp_init_authenc(struct xfrm_state *x, - err = crypto_aead_setkey(aead, key, keylen); - - free_key: -- kfree(key); -+ kfree_sensitive(key); - - error: - return err; --- -2.39.2 - diff --git a/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch deleted file mode 100644 index 37d6b8e74ad..00000000000 --- a/queue-6.4/net-ipv6-check-return-value-of-pskb_trim.patch +++ /dev/null @@ -1,39 +0,0 @@ -From d0da4855c330577e5a7f752994ed3ff21108a28c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 22:45:19 +0800 -Subject: net:ipv6: check return value of pskb_trim() - -From: Yuanjun Gong - -[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] - -goto tx_err if an unexpected result is returned by pskb_tirm() -in ip6erspan_tunnel_xmit(). - -Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") -Signed-off-by: Yuanjun Gong -Reviewed-by: David Ahern -Reviewed-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/ip6_gre.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index da80974ad23ae..070d87abf7c02 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, - goto tx_err; - - if (skb->len > dev->mtu + dev->hard_header_len) { -- pskb_trim(skb, dev->mtu + dev->hard_header_len); -+ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) -+ goto tx_err; - truncate = true; - } - --- -2.39.2 - diff --git a/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch deleted file mode 100644 index e4403bc3168..00000000000 --- a/queue-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch +++ /dev/null @@ -1,74 +0,0 @@ -From e235c3ee00174e1880d74b700a763a90fde32659 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 03:02:31 +0300 -Subject: net: phy: prevent stale pointer dereference in phy_init() - -From: Vladimir Oltean - -[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] - -mdio_bus_init() and phy_driver_register() both have error paths, and if -those are ever hit, ethtool will have a stale pointer to the -phy_ethtool_phy_ops stub structure, which references memory from a -module that failed to load (phylib). - -It is probably hard to force an error in this code path even manually, -but the error teardown path of phy_init() should be the same as -phy_exit(), which is now simply not the case. - -Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") -Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ -Suggested-by: Russell King (Oracle) -Signed-off-by: Vladimir Oltean -Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/phy/phy_device.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c -index 53598210be6cb..2c4e6de8f4d9f 100644 ---- a/drivers/net/phy/phy_device.c -+++ b/drivers/net/phy/phy_device.c -@@ -3452,23 +3452,30 @@ static int __init phy_init(void) - { - int rc; - -+ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); -+ - rc = mdio_bus_init(); - if (rc) -- return rc; -+ goto err_ethtool_phy_ops; - -- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); - features_init(); - - rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); - if (rc) -- goto err_c45; -+ goto err_mdio_bus; - - rc = phy_driver_register(&genphy_driver, THIS_MODULE); -- if (rc) { -- phy_driver_unregister(&genphy_c45_driver); -+ if (rc) -+ goto err_c45; -+ -+ return 0; -+ - err_c45: -- mdio_bus_exit(); -- } -+ phy_driver_unregister(&genphy_c45_driver); -+err_mdio_bus: -+ mdio_bus_exit(); -+err_ethtool_phy_ops: -+ ethtool_set_ethtool_phy_ops(NULL); - - return rc; - } --- -2.39.2 - diff --git a/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch deleted file mode 100644 index 65bbd8b5b76..00000000000 --- a/queue-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch +++ /dev/null @@ -1,165 +0,0 @@ -From 3f90b408fd41b67b0faf99913c06f69d68098ac1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:13 -0300 -Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error - -From: Victor Nogueira - -[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ] - -If cls_bpf_offload errors out, we must also undo tcf_bind_filter that -was done before the error. - -Fix that by calling tcf_unbind_filter in errout_parms. - -Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------ - 1 file changed, 47 insertions(+), 52 deletions(-) - -diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c -index 466c26df853a0..382c7a71f81f2 100644 ---- a/net/sched/cls_bpf.c -+++ b/net/sched/cls_bpf.c -@@ -406,56 +406,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, - return 0; - } - --static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp, -- struct cls_bpf_prog *prog, unsigned long base, -- struct nlattr **tb, struct nlattr *est, u32 flags, -- struct netlink_ext_ack *extack) --{ -- bool is_bpf, is_ebpf, have_exts = false; -- u32 gen_flags = 0; -- int ret; -- -- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; -- is_ebpf = tb[TCA_BPF_FD]; -- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) -- return -EINVAL; -- -- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags, -- extack); -- if (ret < 0) -- return ret; -- -- if (tb[TCA_BPF_FLAGS]) { -- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); -- -- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) -- return -EINVAL; -- -- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; -- } -- if (tb[TCA_BPF_FLAGS_GEN]) { -- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); -- if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || -- !tc_flags_valid(gen_flags)) -- return -EINVAL; -- } -- -- prog->exts_integrated = have_exts; -- prog->gen_flags = gen_flags; -- -- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : -- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); -- if (ret < 0) -- return ret; -- -- if (tb[TCA_BPF_CLASSID]) { -- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); -- tcf_bind_filter(tp, &prog->res, base); -- } -- -- return 0; --} -- - static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - struct tcf_proto *tp, unsigned long base, - u32 handle, struct nlattr **tca, -@@ -463,9 +413,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - struct netlink_ext_ack *extack) - { - struct cls_bpf_head *head = rtnl_dereference(tp->root); -+ bool is_bpf, is_ebpf, have_exts = false; - struct cls_bpf_prog *oldprog = *arg; - struct nlattr *tb[TCA_BPF_MAX + 1]; -+ bool bound_to_filter = false; - struct cls_bpf_prog *prog; -+ u32 gen_flags = 0; - int ret; - - if (tca[TCA_OPTIONS] == NULL) -@@ -504,11 +457,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - goto errout; - prog->handle = handle; - -- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags, -- extack); -+ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; -+ is_ebpf = tb[TCA_BPF_FD]; -+ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ -+ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts, -+ flags, extack); -+ if (ret < 0) -+ goto errout_idr; -+ -+ if (tb[TCA_BPF_FLAGS]) { -+ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); -+ -+ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ -+ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; -+ } -+ if (tb[TCA_BPF_FLAGS_GEN]) { -+ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); -+ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || -+ !tc_flags_valid(gen_flags)) { -+ ret = -EINVAL; -+ goto errout_idr; -+ } -+ } -+ -+ prog->exts_integrated = have_exts; -+ prog->gen_flags = gen_flags; -+ -+ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : -+ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); - if (ret < 0) - goto errout_idr; - -+ if (tb[TCA_BPF_CLASSID]) { -+ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); -+ tcf_bind_filter(tp, &prog->res, base); -+ bound_to_filter = true; -+ } -+ - ret = cls_bpf_offload(tp, prog, oldprog, extack); - if (ret) - goto errout_parms; -@@ -530,6 +523,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, - return 0; - - errout_parms: -+ if (bound_to_filter) -+ tcf_unbind_filter(tp, &prog->res); - cls_bpf_free_parms(prog); - errout_idr: - if (!oldprog) --- -2.39.2 - diff --git a/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch b/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch deleted file mode 100644 index c1618ab1fc3..00000000000 --- a/queue-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 8bf4268767afc1aceffbef4ebe37fb672dc70de2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:10 -0300 -Subject: net: sched: cls_matchall: Undo tcf_bind_filter in case of failure - after mall_set_parms - -From: Victor Nogueira - -[ Upstream commit b3d0e0489430735e2e7626aa37e6462cdd136e9d ] - -In case an error occurred after mall_set_parms executed successfully, we -must undo the tcf_bind_filter call it issues. - -Fix that by calling tcf_unbind_filter in err_replace_hw_filter label. - -Fixes: ec2507d2a306 ("net/sched: cls_matchall: Fix error path") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_matchall.c | 35 ++++++++++++----------------------- - 1 file changed, 12 insertions(+), 23 deletions(-) - -diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c -index fa3bbd187eb97..c4ed11df62548 100644 ---- a/net/sched/cls_matchall.c -+++ b/net/sched/cls_matchall.c -@@ -159,26 +159,6 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { - [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 }, - }; - --static int mall_set_parms(struct net *net, struct tcf_proto *tp, -- struct cls_mall_head *head, -- unsigned long base, struct nlattr **tb, -- struct nlattr *est, u32 flags, u32 fl_flags, -- struct netlink_ext_ack *extack) --{ -- int err; -- -- err = tcf_exts_validate_ex(net, tp, tb, est, &head->exts, flags, -- fl_flags, extack); -- if (err < 0) -- return err; -- -- if (tb[TCA_MATCHALL_CLASSID]) { -- head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -- tcf_bind_filter(tp, &head->res, base); -- } -- return 0; --} -- - static int mall_change(struct net *net, struct sk_buff *in_skb, - struct tcf_proto *tp, unsigned long base, - u32 handle, struct nlattr **tca, -@@ -187,6 +167,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - { - struct cls_mall_head *head = rtnl_dereference(tp->root); - struct nlattr *tb[TCA_MATCHALL_MAX + 1]; -+ bool bound_to_filter = false; - struct cls_mall_head *new; - u32 userflags = 0; - int err; -@@ -226,11 +207,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - goto err_alloc_percpu; - } - -- err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], -- flags, new->flags, extack); -- if (err) -+ err = tcf_exts_validate_ex(net, tp, tb, tca[TCA_RATE], -+ &new->exts, flags, new->flags, extack); -+ if (err < 0) - goto err_set_parms; - -+ if (tb[TCA_MATCHALL_CLASSID]) { -+ new->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); -+ tcf_bind_filter(tp, &new->res, base); -+ bound_to_filter = true; -+ } -+ - if (!tc_skip_hw(new->flags)) { - err = mall_replace_hw_filter(tp, new, (unsigned long)new, - extack); -@@ -246,6 +233,8 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, - return 0; - - err_replace_hw_filter: -+ if (bound_to_filter) -+ tcf_unbind_filter(tp, &new->res); - err_set_parms: - free_percpu(new->pf); - err_alloc_percpu: --- -2.39.2 - diff --git a/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch b/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch deleted file mode 100644 index 9d39b03d79a..00000000000 --- a/queue-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 30ac61ca94fe6221447d2e6ad43c9620bc035240 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:12 -0300 -Subject: net: sched: cls_u32: Undo refcount decrement in case update failed - -From: Victor Nogueira - -[ Upstream commit e8d3d78c19be0264a5692bed477c303523aead31 ] - -In the case of an update, when TCA_U32_LINK is set, u32_set_parms will -decrement the refcount of the ht_down (struct tc_u_hnode) pointer -present in the older u32 filter which we are replacing. However, if -u32_replace_hw_knode errors out, the update command fails and that -ht_down pointer continues decremented. To fix that, when -u32_replace_hw_knode fails, check if ht_down's refcount was decremented -and undo the decrement. - -Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_u32.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c -index ed358466d042a..5abf31e432caf 100644 ---- a/net/sched/cls_u32.c -+++ b/net/sched/cls_u32.c -@@ -928,6 +928,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - if (err) { - u32_unbind_filter(tp, new, tb); - -+ if (tb[TCA_U32_LINK]) { -+ struct tc_u_hnode *ht_old; -+ -+ ht_old = rtnl_dereference(n->ht_down); -+ if (ht_old) -+ ht_old->refcnt++; -+ } - __u32_destroy_key(new); - return err; - } --- -2.39.2 - diff --git a/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch b/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch deleted file mode 100644 index 6454b027c7b..00000000000 --- a/queue-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 30d5f447b9e2287545f1e04059c3a1b974153809 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Jul 2023 15:05:11 -0300 -Subject: net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode - -From: Victor Nogueira - -[ Upstream commit 9cb36faedeafb9720ac236aeae2ea57091d90a09 ] - -When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter -operation done at u32_set_parms. - -Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") -Signed-off-by: Victor Nogueira -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Reviewed-by: Simon Horman -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/sched/cls_u32.c | 41 ++++++++++++++++++++++++++++++----------- - 1 file changed, 30 insertions(+), 11 deletions(-) - -diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c -index d15d50de79802..ed358466d042a 100644 ---- a/net/sched/cls_u32.c -+++ b/net/sched/cls_u32.c -@@ -712,8 +712,23 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = { - [TCA_U32_FLAGS] = { .type = NLA_U32 }, - }; - -+static void u32_unbind_filter(struct tcf_proto *tp, struct tc_u_knode *n, -+ struct nlattr **tb) -+{ -+ if (tb[TCA_U32_CLASSID]) -+ tcf_unbind_filter(tp, &n->res); -+} -+ -+static void u32_bind_filter(struct tcf_proto *tp, struct tc_u_knode *n, -+ unsigned long base, struct nlattr **tb) -+{ -+ if (tb[TCA_U32_CLASSID]) { -+ n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); -+ tcf_bind_filter(tp, &n->res, base); -+ } -+} -+ - static int u32_set_parms(struct net *net, struct tcf_proto *tp, -- unsigned long base, - struct tc_u_knode *n, struct nlattr **tb, - struct nlattr *est, u32 flags, u32 fl_flags, - struct netlink_ext_ack *extack) -@@ -760,10 +775,6 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, - if (ht_old) - ht_old->refcnt--; - } -- if (tb[TCA_U32_CLASSID]) { -- n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); -- tcf_bind_filter(tp, &n->res, base); -- } - - if (ifindex >= 0) - n->ifindex = ifindex; -@@ -903,17 +914,20 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - if (!new) - return -ENOMEM; - -- err = u32_set_parms(net, tp, base, new, tb, -- tca[TCA_RATE], flags, new->flags, -- extack); -+ err = u32_set_parms(net, tp, new, tb, tca[TCA_RATE], -+ flags, new->flags, extack); - - if (err) { - __u32_destroy_key(new); - return err; - } - -+ u32_bind_filter(tp, new, base, tb); -+ - err = u32_replace_hw_knode(tp, new, flags, extack); - if (err) { -+ u32_unbind_filter(tp, new, tb); -+ - __u32_destroy_key(new); - return err; - } -@@ -1074,15 +1088,18 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - } - #endif - -- err = u32_set_parms(net, tp, base, n, tb, tca[TCA_RATE], -+ err = u32_set_parms(net, tp, n, tb, tca[TCA_RATE], - flags, n->flags, extack); -+ -+ u32_bind_filter(tp, n, base, tb); -+ - if (err == 0) { - struct tc_u_knode __rcu **ins; - struct tc_u_knode *pins; - - err = u32_replace_hw_knode(tp, n, flags, extack); - if (err) -- goto errhw; -+ goto errunbind; - - if (!tc_in_hw(n->flags)) - n->flags |= TCA_CLS_FLAGS_NOT_IN_HW; -@@ -1100,7 +1117,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, - return 0; - } - --errhw: -+errunbind: -+ u32_unbind_filter(tp, n, tb); -+ - #ifdef CONFIG_CLS_U32_MARK - free_percpu(n->pcpu_success); - #endif --- -2.39.2 - diff --git a/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch deleted file mode 100644 index 8c23502598b..00000000000 --- a/queue-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 1c96f1664cded724709812e0e8e690891772de93 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 01:30:33 +0200 -Subject: netfilter: nf_tables: can't schedule in nft_chain_validate - -From: Florian Westphal - -[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] - -Can be called via nft set element list iteration, which may acquire -rcu and/or bh read lock (depends on set type). - -BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 -in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft -preempt_count: 0, expected: 0 -RCU nest depth: 1, expected: 0 -2 locks held by nft/1232: - #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid - #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire -Call Trace: - nft_chain_validate - nft_lookup_validate_setelem - nft_pipapo_walk - nft_lookup_validate - nft_chain_validate - nft_immediate_validate - nft_chain_validate - nf_tables_validate - nf_tables_abort - -No choice but to move it to nf_tables_validate(). - -Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 51909bcc181fa..f3a4aa9054876 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -3684,8 +3684,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) - if (err < 0) - return err; - } -- -- cond_resched(); - } - - return 0; -@@ -3709,6 +3707,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) - err = nft_chain_validate(&ctx, chain); - if (err < 0) - return err; -+ -+ cond_resched(); - } - - return 0; --- -2.39.2 - diff --git a/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch deleted file mode 100644 index eccda340124..00000000000 --- a/queue-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f4fcc8395bef8aae868c0a5b93122227e28d956c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 00:29:58 +0200 -Subject: netfilter: nf_tables: fix spurious set element insertion failure - -From: Florian Westphal - -[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] - -On some platforms there is a padding hole in the nft_verdict -structure, between the verdict code and the chain pointer. - -On element insertion, if the new element clashes with an existing one and -NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as -the data associated with duplicated element is the same as the existing -one. The data equality check uses memcmp. - -For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT -padding area leads to spurious failure even if the verdict data is the -same. - -This then makes the insertion fail with 'already exists' error, even -though the new "key : data" matches an existing entry and userspace -told the kernel that it doesn't want to receive an error indication. - -Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 18546f9b2a63a..51909bcc181fa 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -10482,6 +10482,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, - - if (!tb[NFTA_VERDICT_CODE]) - return -EINVAL; -+ -+ /* zero padding hole for memcmp */ -+ memset(data, 0, sizeof(*data)); - data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); - - switch (data->verdict.code) { --- -2.39.2 - diff --git a/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch deleted file mode 100644 index 7cbdf132e89..00000000000 --- a/queue-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 60ac4e0fadccbe1e209e8c149fc44bfce8466f67 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 20:19:43 +0200 -Subject: netfilter: nf_tables: skip bound chain in netns release path - -From: Pablo Neira Ayuso - -[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ] - -Skip bound chain from netns release path, the rule that owns this chain -releases these objects. - -Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index f3a4aa9054876..e3049c7db9041 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -10767,6 +10767,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table) - ctx.family = table->family; - ctx.table = table; - list_for_each_entry(chain, &table->chains, list) { -+ if (nft_chain_is_bound(chain)) -+ continue; -+ - ctx.chain = chain; - list_for_each_entry_safe(rule, nr, &chain->rules, list) { - list_del(&rule->list); --- -2.39.2 - diff --git a/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch deleted file mode 100644 index f128b270530..00000000000 --- a/queue-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch +++ /dev/null @@ -1,43 +0,0 @@ -From dcc7e01ee2a877f6891ba56d1c4572f13efba902 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 09:17:21 +0200 -Subject: netfilter: nf_tables: skip bound chain on rule flush - -From: Pablo Neira Ayuso - -[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ] - -Skip bound chain when flushing table rules, the rule that owns this -chain releases these objects. - -Otherwise, the following warning is triggered: - - WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] - CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 - RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] - -Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") -Reported-by: Kevin Rich -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index e3049c7db9041..ccf0b3d80fd97 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -4086,6 +4086,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, - list_for_each_entry(chain, &table->chains, list) { - if (!nft_is_active_next(net, chain)) - continue; -+ if (nft_chain_is_bound(chain)) -+ continue; - - ctx.chain = chain; - err = nft_delrule_by_chain(&ctx); --- -2.39.2 - diff --git a/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch deleted file mode 100644 index fc62486e1f3..00000000000 --- a/queue-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch +++ /dev/null @@ -1,63 +0,0 @@ -From e9898b88b4dcdecf994451f8d9d7f65534108a87 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:08:21 +0200 -Subject: netfilter: nft_set_pipapo: fix improper element removal - -From: Florian Westphal - -[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] - -end key should be equal to start unless NFT_SET_EXT_KEY_END is present. - -Its possible to add elements that only have a start key -("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. - -Insertion treats this via: - -if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) - end = (const u8 *)nft_set_ext_key_end(ext)->data; -else - end = start; - -but removal side always uses nft_set_ext_key_end(). -This is wrong and leads to garbage remaining in the set after removal -next lookup/insert attempt will give: - -BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 -Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 -Call Trace: - kasan_report+0x105/0x140 - pipapo_get+0x8eb/0xb90 - nft_pipapo_insert+0x1dc/0x1710 - nf_tables_newsetelem+0x31f5/0x4e00 - .. - -Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") -Reported-by: lonial con -Reviewed-by: Stefano Brivio -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nft_set_pipapo.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c -index 0452ee586c1cc..a81829c10feab 100644 ---- a/net/netfilter/nft_set_pipapo.c -+++ b/net/netfilter/nft_set_pipapo.c -@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, - int i, start, rules_fx; - - match_start = data; -- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ -+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) -+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ else -+ match_end = data; - - start = first_rule; - rules_fx = rules_f0; --- -2.39.2 - diff --git a/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch deleted file mode 100644 index 0230574a51f..00000000000 --- a/queue-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 8c589aa43ad6305dbe3d9b1288d7a998bb0f2e56 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jul 2023 15:07:41 +0530 -Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces - -From: Geetha sowjanya - -[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ] - -Current driver enables backpressure for LBK interfaces. -But these interfaces do not support this feature. -Hence, this patch fixes the issue by skipping the -backpressure configuration for these interfaces. - -Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool"). -Signed-off-by: Geetha sowjanya -Signed-off-by: Sunil Goutham -Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -index 18284ad751572..384d26bee9b23 100644 ---- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c -@@ -1452,8 +1452,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf) - if (err) - goto err_free_npa_lf; - -- /* Enable backpressure */ -- otx2_nix_config_bp(pf, true); -+ /* Enable backpressure for CGX mapped PF/VFs */ -+ if (!is_otx2_lbkvf(pf->pdev)) -+ otx2_nix_config_bp(pf, true); - - /* Init Auras and pools used by NIX RQ, for free buffer ptrs */ - err = otx2_rq_aura_pool_init(pf); --- -2.39.2 - diff --git a/queue-6.4/of-preserve-of-display-device-name-for-compatibility.patch b/queue-6.4/of-preserve-of-display-device-name-for-compatibility.patch deleted file mode 100644 index 2af0884b5f4..00000000000 --- a/queue-6.4/of-preserve-of-display-device-name-for-compatibility.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 Mon Sep 17 00:00:00 2001 -From: Rob Herring -Date: Mon, 10 Jul 2023 11:40:07 -0600 -Subject: of: Preserve "of-display" device name for compatibility -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Rob Herring - -commit 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 upstream. - -Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"), -as spotted by Frédéric Bonnard, the historical "of-display" device is -gone: the updated logic creates "of-display.0" instead, then as many -"of-display.N" as required. - -This means that offb no longer finds the expected device, which prevents -the Debian Installer from setting up its interface, at least on ppc64el. - -Fix this by keeping "of-display" for the first device and "of-display.N" -for subsequent devices. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328 -Link: https://bugs.debian.org/1033058 -Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique") -Cc: stable@vger.kernel.org -Cc: Cyril Brulebois -Cc: Thomas Zimmermann -Cc: Helge Deller -Acked-by: Helge Deller -Acked-by: Thomas Zimmermann -Reviewed-by: Michal Suchánek -Link: https://lore.kernel.org/r/20230710174007.2291013-1-robh@kernel.org -Signed-off-by: Rob Herring -Signed-off-by: Greg Kroah-Hartman ---- - drivers/of/platform.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/of/platform.c -+++ b/drivers/of/platform.c -@@ -553,7 +553,7 @@ static int __init of_platform_default_po - if (!of_get_property(node, "linux,opened", NULL) || - !of_get_property(node, "linux,boot-display", NULL)) - continue; -- dev = of_platform_device_create(node, "of-display.0", NULL); -+ dev = of_platform_device_create(node, "of-display", NULL); - of_node_put(node); - if (WARN_ON(!dev)) - return -ENOMEM; diff --git a/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch b/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch deleted file mode 100644 index 38512f7a3ec..00000000000 --- a/queue-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch +++ /dev/null @@ -1,58 +0,0 @@ -From b31ea69c18255782ee8d005de2dc7f39ca0ab8a2 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Tue, 13 Jun 2023 10:13:37 +0200 -Subject: [PATCH AUTOSEL 5.4 06/12] ovl: check type and offset of struct - vfsmount in ovl_entry -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ] - -Porting overlayfs to the new amount api I started experiencing random -crashes that couldn't be explained easily. So after much debugging and -reasoning it became clear that struct ovl_entry requires the point to -struct vfsmount to be the first member and of type struct vfsmount. - -During the port I added a new member at the beginning of struct -ovl_entry which broke all over the place in the form of random crashes -and cache corruptions. While there's a comment in ovl_free_fs() to the -effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing -it" there's no such comment on struct ovl_entry which makes this easy to -trip over. - -Add a comment and two static asserts for both the offset and the type of -pointer in struct ovl_entry. - -Signed-off-by: Christian Brauner -Signed-off-by: Amir Goldstein -Signed-off-by: Sasha Levin ---- - fs/overlayfs/ovl_entry.h | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/fs/overlayfs/ovl_entry.h -+++ b/fs/overlayfs/ovl_entry.h -@@ -32,6 +32,7 @@ struct ovl_sb { - }; - - struct ovl_layer { -+ /* ovl_free_fs() relies on @mnt being the first member! */ - struct vfsmount *mnt; - /* Trap in ovl inode cache */ - struct inode *trap; -@@ -42,6 +43,14 @@ struct ovl_layer { - int fsid; - }; - -+/* -+ * ovl_free_fs() relies on @mnt being the first member when unmounting -+ * the private mounts created for each layer. Let's check both the -+ * offset and type. -+ */ -+static_assert(offsetof(struct ovl_layer, mnt) == 0); -+static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *)); -+ - struct ovl_path { - const struct ovl_layer *layer; - struct dentry *dentry; diff --git a/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch b/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch deleted file mode 100644 index 70fa7345751..00000000000 --- a/queue-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch +++ /dev/null @@ -1,94 +0,0 @@ -From e8950b3996fccc846685515d638f7af34ddfaf5a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Jul 2023 16:45:46 +0100 -Subject: perf build: Fix library not found error when using CSLIBS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: James Clark - -[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ] - --L only specifies the search path for libraries directly provided in the -link line with -l. Because -lopencsd isn't specified, it's only linked -because it's a dependency of -lopencsd_c_api. Dependencies like this are -resolved using the default system search paths or -rpath-link=... rather -than -L. This means that compilation only works if OpenCSD is installed -to the system rather than provided with the CSLIBS (-L) option. - -This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less -conventional than just adding -lopencsd to the link line so that it uses --L. -lopencsd seems to have been removed in commit ed17b1914978eddb -("perf tools: Drop requirement for libstdc++.so for libopencsd check") -because it was thought that there was a chance compilation would work -even if it didn't exist, but I think that only applies to libstdc++ so -there is no harm to add it back. libopencsd.so and libopencsd_c_api.so -would always exist together. - -Testing -======= - -The following scenarios now all work: - - * Cross build with OpenCSD installed - * Cross build using CSLIBS=... - * Native build with OpenCSD installed - * Native build using CSLIBS=... - * Static cross build with OpenCSD installed - * Static cross build with CSLIBS=... - -Committer testing: - - ⬢[acme@toolbox perf-tools]$ alias m - alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01' - ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd - libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000) - libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000) - ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release - Fedora release 36 (Thirty Six) - ⬢[acme@toolbox perf-tools]$ - -Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check") -Reported-by: Radhey Shyam Pandey -Signed-off-by: James Clark -Tested-by: Arnaldo Carvalho de Melo -Tested-by: Radhey Shyam Pandey -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: Uwe Kleine-König -Cc: coresight@lists.linaro.org -Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/ -Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/ -Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/Makefile.config | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config -index a794d9eca93d8..72f068682c9a2 100644 ---- a/tools/perf/Makefile.config -+++ b/tools/perf/Makefile.config -@@ -155,9 +155,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto - ifdef CSINCLUDES - LIBOPENCSD_CFLAGS := -I$(CSINCLUDES) - endif --OPENCSDLIBS := -lopencsd_c_api -+OPENCSDLIBS := -lopencsd_c_api -lopencsd - ifeq ($(findstring -static,${LDFLAGS}),-static) -- OPENCSDLIBS += -lopencsd -lstdc++ -+ OPENCSDLIBS += -lstdc++ - endif - ifdef CSLIBS - LIBOPENCSD_LDFLAGS := -L$(CSLIBS) --- -2.39.2 - diff --git a/queue-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/queue-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch deleted file mode 100644 index ac282bd2634..00000000000 --- a/queue-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Georg=20M=C3=BCller?= -Date: Wed, 28 Jun 2023 10:45:50 +0200 -Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Georg Müller - -commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. - -This patch adds a test to validate that 'perf probe' works for binaries -where DWARF info is split into multiple CUs - -Signed-off-by: Georg Müller -Acked-by: Masami Hiramatsu (Google) -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: regressions@lists.linux.dev -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ - 1 file changed, 77 insertions(+) - create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh - ---- /dev/null -+++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh -@@ -0,0 +1,77 @@ -+#!/bin/bash -+# test perf probe of function from different CU -+# SPDX-License-Identifier: GPL-2.0 -+ -+set -e -+ -+temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) -+ -+cleanup() -+{ -+ trap - EXIT TERM INT -+ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then -+ echo "--- Cleaning up ---" -+ perf probe -x ${temp_dir}/testfile -d foo -+ rm -f "${temp_dir}/"* -+ rmdir "${temp_dir}" -+ fi -+} -+ -+trap_cleanup() -+{ -+ cleanup -+ exit 1 -+} -+ -+trap trap_cleanup EXIT TERM INT -+ -+cat > ${temp_dir}/testfile-foo.h << EOF -+struct t -+{ -+ int *p; -+ int c; -+}; -+ -+extern int foo (int i, struct t *t); -+EOF -+ -+cat > ${temp_dir}/testfile-foo.c << EOF -+#include "testfile-foo.h" -+ -+int -+foo (int i, struct t *t) -+{ -+ int j, res = 0; -+ for (j = 0; j < i && j < t->c; j++) -+ res += t->p[j]; -+ -+ return res; -+} -+EOF -+ -+cat > ${temp_dir}/testfile-main.c << EOF -+#include "testfile-foo.h" -+ -+static struct t g; -+ -+int -+main (int argc, char **argv) -+{ -+ int i; -+ int j[argc]; -+ g.c = argc; -+ g.p = j; -+ for (i = 0; i < argc; i++) -+ j[i] = (int) argv[i][0]; -+ return foo (3, &g); -+} -+EOF -+ -+gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o -+gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o -+gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o -+ -+perf probe -x ${temp_dir}/testfile --funcs foo -+perf probe -x ${temp_dir}/testfile foo -+ -+cleanup diff --git a/queue-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch b/queue-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch deleted file mode 100644 index 8d4924e4eea..00000000000 --- a/queue-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch +++ /dev/null @@ -1,66 +0,0 @@ -From c66e1c68c13b872505f25ab641c44b77313ee7fe Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Georg=20M=C3=BCller?= -Date: Wed, 28 Jun 2023 10:45:51 +0200 -Subject: perf probe: Read DWARF files from the correct CU -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Georg Müller - -commit c66e1c68c13b872505f25ab641c44b77313ee7fe upstream. - -After switching from dwarf_decl_file() to die_get_decl_file(), it is not -possible to add probes for certain functions: - - $ perf probe -x /usr/lib/systemd/systemd-logind match_unit_removed - A function DIE doesn't have decl_line. Maybe broken DWARF? - A function DIE doesn't have decl_line. Maybe broken DWARF? - Probe point 'match_unit_removed' not found. - Error: Failed to add events. - -The problem is that die_get_decl_file() uses the wrong CU to search for -the file. elfutils commit e1db5cdc9f has some good explanation for this: - - dwarf_decl_file uses dwarf_attr_integrate to get the DW_AT_decl_file - attribute. This means the attribute might come from a different DIE - in a different CU. If so, we need to use the CU associated with the - attribute, not the original DIE, to resolve the file name. - -This patch uses the same source of information as elfutils: use attribute -DW_AT_decl_file and use this CU to search for the file. - -Fixes: dc9a5d2ccd5c823c ("perf probe: Fix to get declared file name from clang DWARF5") -Signed-off-by: Georg Müller -Acked-by: Masami Hiramatsu (Google) -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: regressions@lists.linux.dev -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230628084551.1860532-6-georgmueller@gmx.net -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/util/dwarf-aux.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/tools/perf/util/dwarf-aux.c -+++ b/tools/perf/util/dwarf-aux.c -@@ -478,8 +478,10 @@ static const char *die_get_file_name(Dwa - { - Dwarf_Die cu_die; - Dwarf_Files *files; -+ Dwarf_Attribute attr_mem; - -- if (idx < 0 || !dwarf_diecu(dw_die, &cu_die, NULL, NULL) || -+ if (idx < 0 || !dwarf_attr_integrate(dw_die, DW_AT_decl_file, &attr_mem) || -+ !dwarf_cu_die(attr_mem.cu, &cu_die, NULL, NULL, NULL, NULL, NULL, NULL) || - dwarf_getsrcfiles(&cu_die, &files, NULL) != 0) - return NULL; - diff --git a/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch b/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch deleted file mode 100644 index f493ccf4f70..00000000000 --- a/queue-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 4c55d9de4ff4c13926e629a17f4bfa200ad81072 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 4 Jul 2023 12:18:58 +0100 -Subject: pinctrl: renesas: rzg2l: Handle non-unique subnode names - -From: Biju Das - -[ Upstream commit bfc374a145ae133613e05b9b89be561f169cb58d ] - -Currently, sd1 and sd0 have unique subnode names 'sd1_mux' and 'sd0_mux'. -If we change these to non-unique subnode names such as 'mux' this can -lead to the below conflict as the RZ/G2L pin control driver considers -only the names of the subnodes. - - pinctrl-rzg2l 11030000.pinctrl: pin P47_0 already requested by 11c00000.mmc; cannot claim for 11c10000.mmc - pinctrl-rzg2l 11030000.pinctrl: pin-376 (11c10000.mmc) status -22 - pinctrl-rzg2l 11030000.pinctrl: could not request pin 376 (P47_0) from group mux on device pinctrl-rzg2l - renesas_sdhi_internal_dmac 11c10000.mmc: Error applying setting, reverse things back - -Fix this by constructing unique names from the node names of both the -pin control configuration node and its child node, where appropriate. - -Based on the work done by Geert for the RZ/V2M pinctrl driver. - -Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") -Signed-off-by: Biju Das -Reviewed-by: Geert Uytterhoeven -Link: https://lore.kernel.org/r/20230704111858.215278-1-biju.das.jz@bp.renesas.com -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/renesas/pinctrl-rzg2l.c | 28 ++++++++++++++++++------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c -index 9511d920565e9..b53d26167da52 100644 ---- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c -+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c -@@ -249,6 +249,7 @@ static int rzg2l_map_add_config(struct pinctrl_map *map, - - static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct device_node *np, -+ struct device_node *parent, - struct pinctrl_map **map, - unsigned int *num_maps, - unsigned int *index) -@@ -266,6 +267,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct property *prop; - int ret, gsel, fsel; - const char **pin_fn; -+ const char *name; - const char *pin; - - pinmux = of_find_property(np, "pinmux", NULL); -@@ -349,8 +351,19 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - psel_val[i] = MUX_FUNC(value); - } - -+ if (parent) { -+ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", -+ parent, np); -+ if (!name) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ } else { -+ name = np->name; -+ } -+ - /* Register a single pin group listing all the pins we read from DT */ -- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); -+ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); - if (gsel < 0) { - ret = gsel; - goto done; -@@ -360,17 +373,16 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, - * Register a single group function where the 'data' is an array PSEL - * register values read from DT. - */ -- pin_fn[0] = np->name; -- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, -- psel_val); -+ pin_fn[0] = name; -+ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); - if (fsel < 0) { - ret = fsel; - goto remove_group; - } - - maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; -- maps[idx].data.mux.group = np->name; -- maps[idx].data.mux.function = np->name; -+ maps[idx].data.mux.group = name; -+ maps[idx].data.mux.function = name; - idx++; - - dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); -@@ -417,7 +429,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, - index = 0; - - for_each_child_of_node(np, child) { -- ret = rzg2l_dt_subnode_to_map(pctldev, child, map, -+ ret = rzg2l_dt_subnode_to_map(pctldev, child, np, map, - num_maps, &index); - if (ret < 0) { - of_node_put(child); -@@ -426,7 +438,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, - } - - if (*num_maps == 0) { -- ret = rzg2l_dt_subnode_to_map(pctldev, np, map, -+ ret = rzg2l_dt_subnode_to_map(pctldev, np, NULL, map, - num_maps, &index); - if (ret < 0) - goto done; --- -2.39.2 - diff --git a/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch b/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch deleted file mode 100644 index 13fece4625d..00000000000 --- a/queue-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 42c475f98a2c3df692cf6e15aa2f9ff1a4451452 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jul 2023 17:07:06 +0200 -Subject: pinctrl: renesas: rzv2m: Handle non-unique subnode names - -From: Geert Uytterhoeven - -[ Upstream commit f46a0b47cc0829acd050213194c5a77351e619b2 ] - -The eMMC and SDHI pin control configuration nodes in DT have subnodes -with the same names ("data" and "ctrl"). As the RZ/V2M pin control -driver considers only the names of the subnodes, this leads to -conflicts: - - pinctrl-rzv2m b6250000.pinctrl: pin P8_2 already requested by 85000000.mmc; cannot claim for 85020000.mmc - pinctrl-rzv2m b6250000.pinctrl: pin-130 (85020000.mmc) status -22 - renesas_sdhi_internal_dmac 85020000.mmc: Error applying setting, reverse things back - -Fix this by constructing unique names from the node names of both the -pin control configuration node and its child node, where appropriate. - -Reported by: Fabrizio Castro - -Fixes: 92a9b825257614af ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") -Signed-off-by: Geert Uytterhoeven -Tested-by: Fabrizio Castro -Link: https://lore.kernel.org/r/607bd6ab4905b0b1b119a06ef953fa1184505777.1688396717.git.geert+renesas@glider.be -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/renesas/pinctrl-rzv2m.c | 28 ++++++++++++++++++------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c -index e5472293bc7fb..35b23c1a5684d 100644 ---- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c -+++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c -@@ -209,6 +209,7 @@ static int rzv2m_map_add_config(struct pinctrl_map *map, - - static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct device_node *np, -+ struct device_node *parent, - struct pinctrl_map **map, - unsigned int *num_maps, - unsigned int *index) -@@ -226,6 +227,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - struct property *prop; - int ret, gsel, fsel; - const char **pin_fn; -+ const char *name; - const char *pin; - - pinmux = of_find_property(np, "pinmux", NULL); -@@ -309,8 +311,19 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - psel_val[i] = MUX_FUNC(value); - } - -+ if (parent) { -+ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", -+ parent, np); -+ if (!name) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ } else { -+ name = np->name; -+ } -+ - /* Register a single pin group listing all the pins we read from DT */ -- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); -+ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); - if (gsel < 0) { - ret = gsel; - goto done; -@@ -320,17 +333,16 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, - * Register a single group function where the 'data' is an array PSEL - * register values read from DT. - */ -- pin_fn[0] = np->name; -- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, -- psel_val); -+ pin_fn[0] = name; -+ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); - if (fsel < 0) { - ret = fsel; - goto remove_group; - } - - maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; -- maps[idx].data.mux.group = np->name; -- maps[idx].data.mux.function = np->name; -+ maps[idx].data.mux.group = name; -+ maps[idx].data.mux.function = name; - idx++; - - dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); -@@ -377,7 +389,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, - index = 0; - - for_each_child_of_node(np, child) { -- ret = rzv2m_dt_subnode_to_map(pctldev, child, map, -+ ret = rzv2m_dt_subnode_to_map(pctldev, child, np, map, - num_maps, &index); - if (ret < 0) { - of_node_put(child); -@@ -386,7 +398,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, - } - - if (*num_maps == 0) { -- ret = rzv2m_dt_subnode_to_map(pctldev, np, map, -+ ret = rzv2m_dt_subnode_to_map(pctldev, np, NULL, map, - num_maps, &index); - if (ret < 0) - goto done; --- -2.39.2 - diff --git a/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch deleted file mode 100644 index 2930b69c794..00000000000 --- a/queue-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 8833636766cff05f84668466c87b643c9d37b3fb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 20:58:47 +0200 -Subject: posix-timers: Ensure timer ID search-loop limit is valid - -From: Thomas Gleixner - -[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] - -posix_timer_add() tries to allocate a posix timer ID by starting from the -cached ID which was stored by the last successful allocation. - -This is done in a loop searching the ID space for a free slot one by -one. The loop has to terminate when the search wrapped around to the -starting point. - -But that's racy vs. establishing the starting point. That is read out -lockless, which leads to the following problem: - -CPU0 CPU1 -posix_timer_add() - start = sig->posix_timer_id; - lock(hash_lock); - ... posix_timer_add() - if (++sig->posix_timer_id < 0) - start = sig->posix_timer_id; - sig->posix_timer_id = 0; - -So CPU1 can observe a negative start value, i.e. -1, and the loop break -never happens because the condition can never be true: - - if (sig->posix_timer_id == start) - break; - -While this is unlikely to ever turn into an endless loop as the ID space is -huge (INT_MAX), the racy read of the start value caught the attention of -KCSAN and Dmitry unearthed that incorrectness. - -Rewrite it so that all id operations are under the hash lock. - -Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com -Reported-by: Dmitry Vyukov -Signed-off-by: Thomas Gleixner -Reviewed-by: Frederic Weisbecker -Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx -Signed-off-by: Sasha Levin ---- - include/linux/sched/signal.h | 2 +- - kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- - 2 files changed, 19 insertions(+), 14 deletions(-) - -diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h -index 20099268fa257..669e8cff40c74 100644 ---- a/include/linux/sched/signal.h -+++ b/include/linux/sched/signal.h -@@ -135,7 +135,7 @@ struct signal_struct { - #ifdef CONFIG_POSIX_TIMERS - - /* POSIX.1b Interval Timers */ -- int posix_timer_id; -+ unsigned int next_posix_timer_id; - struct list_head posix_timers; - - /* ITIMER_REAL timer for the process */ -diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c -index ed3c4a9543982..2d6cf93ca370a 100644 ---- a/kernel/time/posix-timers.c -+++ b/kernel/time/posix-timers.c -@@ -140,25 +140,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) - static int posix_timer_add(struct k_itimer *timer) - { - struct signal_struct *sig = current->signal; -- int first_free_id = sig->posix_timer_id; - struct hlist_head *head; -- int ret = -ENOENT; -+ unsigned int cnt, id; - -- do { -+ /* -+ * FIXME: Replace this by a per signal struct xarray once there is -+ * a plan to handle the resulting CRIU regression gracefully. -+ */ -+ for (cnt = 0; cnt <= INT_MAX; cnt++) { - spin_lock(&hash_lock); -- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; -- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { -+ id = sig->next_posix_timer_id; -+ -+ /* Write the next ID back. Clamp it to the positive space */ -+ sig->next_posix_timer_id = (id + 1) & INT_MAX; -+ -+ head = &posix_timers_hashtable[hash(sig, id)]; -+ if (!__posix_timers_find(head, sig, id)) { - hlist_add_head_rcu(&timer->t_hash, head); -- ret = sig->posix_timer_id; -+ spin_unlock(&hash_lock); -+ return id; - } -- if (++sig->posix_timer_id < 0) -- sig->posix_timer_id = 0; -- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) -- /* Loop over all possible ids completed */ -- ret = -EAGAIN; - spin_unlock(&hash_lock); -- } while (ret == -ENOENT); -- return ret; -+ } -+ /* POSIX return code when no timer ID could be allocated */ -+ return -EAGAIN; - } - - static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) --- -2.39.2 - diff --git a/queue-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch b/queue-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch deleted file mode 100644 index 1c29ce63ef1..00000000000 --- a/queue-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 636e348353a7cc52609fdba5ff3270065da140d5 Mon Sep 17 00:00:00 2001 -From: Miguel Ojeda -Date: Sun, 9 Jul 2023 01:33:44 +0200 -Subject: prctl: move PR_GET_AUXV out of PR_MCE_KILL - -From: Miguel Ojeda - -commit 636e348353a7cc52609fdba5ff3270065da140d5 upstream. - -Somehow PR_GET_AUXV got added into PR_MCE_KILL's switch when the patch was -applied [1]. - -Thus move it out of the switch, to the place the patch added it. - -In the recently released v6.4 kernel some user could, in principle, be -already using this feature by mapping the right page and passing the -PR_GET_AUXV constant as a pointer: - - prctl(PR_MCE_KILL, PR_GET_AUXV, ...) - -So this does change the behavior for users. We could keep the bug since -the other subcases in PR_MCE_KILL (PR_MCE_KILL_CLEAR and PR_MCE_KILL_SET) -do not overlap. - -However, v6.4 may be recent enough (2 weeks old) that moving the lines -(rather than just adding a new case) does not break anybody? Moreover, -the documentation in man-pages was just committed today [2]. - -Link: https://lkml.kernel.org/r/20230708233344.361854-1-ojeda@kernel.org -Fixes: ddc65971bb67 ("prctl: add PR_GET_AUXV to copy auxv to userspace") -Link: https://lore.kernel.org/all/d81864a7f7f43bca6afa2a09fc2e850e4050ab42.1680611394.git.josh@joshtriplett.org/ [1] -Link: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=8cf0c06bfd3c2b219b044d4151c96f0da50af9ad [2] -Signed-off-by: Miguel Ojeda -Cc: Josh Triplett -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - kernel/sys.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2529,11 +2529,6 @@ SYSCALL_DEFINE5(prctl, int, option, unsi - else - return -EINVAL; - break; -- case PR_GET_AUXV: -- if (arg4 || arg5) -- return -EINVAL; -- error = prctl_get_auxv((void __user *)arg2, arg3); -- break; - default: - return -EINVAL; - } -@@ -2688,6 +2683,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsi - case PR_SET_VMA: - error = prctl_set_vma(arg2, arg3, arg4, arg5); - break; -+ case PR_GET_AUXV: -+ if (arg4 || arg5) -+ return -EINVAL; -+ error = prctl_get_auxv((void __user *)arg2, arg3); -+ break; - #ifdef CONFIG_KSM - case PR_SET_MEMORY_MERGE: - if (arg3 || arg4 || arg5) diff --git a/queue-6.4/quota-fix-warning-in-dqgrab.patch b/queue-6.4/quota-fix-warning-in-dqgrab.patch deleted file mode 100644 index 982c7d1d8c2..00000000000 --- a/queue-6.4/quota-fix-warning-in-dqgrab.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 75b565477bbbb5a728fa106e0189d9fcb2131bcd Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Mon, 5 Jun 2023 22:07:31 +0800 -Subject: [PATCH AUTOSEL 5.4 04/12] quota: fix warning in dqgrab() -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] - -There's issue as follows when do fault injection: -WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 -Modules linked in: -CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 -RIP: 0010:dquot_disable+0x13b7/0x18c0 -RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 -RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 -RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 -RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 -R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 -R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 -FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - dquot_load_quota_sb+0xd53/0x1060 - dquot_resume+0x172/0x230 - ext4_reconfigure+0x1dc6/0x27b0 - reconfigure_super+0x515/0xa90 - __x64_sys_fsconfig+0xb19/0xd20 - do_syscall_64+0x39/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Above issue may happens as follows: -ProcessA ProcessB ProcessC -sys_fsconfig - vfs_fsconfig_locked - reconfigure_super - ext4_remount - dquot_suspend -> suspend all type quota - - sys_fsconfig - vfs_fsconfig_locked - reconfigure_super - ext4_remount - dquot_resume - ret = dquot_load_quota_sb - add_dquot_ref - do_open -> open file O_RDWR - vfs_open - do_dentry_open - get_write_access - atomic_inc_unless_negative(&inode->i_writecount) - ext4_file_open - dquot_file_open - dquot_initialize - __dquot_initialize - dqget - atomic_inc(&dquot->dq_count); - - __dquot_initialize - __dquot_initialize - dqget - if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) - ext4_acquire_dquot - -> Return error DQ_ACTIVE_B flag isn't set - dquot_disable - invalidate_dquots - if (atomic_read(&dquot->dq_count)) - dqgrab - WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) - -> Trigger warning - -In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when -dqgrab(). -To solve above issue just replace the dqgrab() use in invalidate_dquots() with -atomic_inc(&dquot->dq_count). - -Signed-off-by: Ye Bin -Signed-off-by: Jan Kara -Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> -Signed-off-by: Sasha Levin ---- - fs/quota/dquot.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -555,7 +555,7 @@ restart: - continue; - /* Wait for dquot users */ - if (atomic_read(&dquot->dq_count)) { -- dqgrab(dquot); -+ atomic_inc(&dquot->dq_count); - spin_unlock(&dq_list_lock); - /* - * Once dqput() wakes us up, we know it's time to free diff --git a/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch deleted file mode 100644 index d7b4aaab3d7..00000000000 --- a/queue-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch +++ /dev/null @@ -1,40 +0,0 @@ -From e215781d8a2d612e8bfa6015837e3d0b89231552 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 5 Jun 2023 22:07:30 +0800 -Subject: [PATCH AUTOSEL 5.4 03/12] quota: Properly disable quotas when - add_dquot_ref() fails -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ] - -When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want -to disable quotas we are trying to enable. However dquot_disable() call -was passed just the flags we are enabling so in case flags == -DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL -instead of properly disabling quotas. Fix the problem by always passing -DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this -case. - -Reported-and-tested-by: Ye Bin -Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com -Signed-off-by: Jan Kara -Message-Id: <20230605140731.2427629-2-yebin10@huawei.com> -Signed-off-by: Sasha Levin ---- - fs/quota/dquot.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -2420,7 +2420,8 @@ int dquot_load_quota_sb(struct super_blo - - error = add_dquot_ref(sb, type); - if (error) -- dquot_disable(sb, type, flags); -+ dquot_disable(sb, type, -+ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); - - return error; - out_fmt: diff --git a/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch b/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch deleted file mode 100644 index 6e12fab0d69..00000000000 --- a/queue-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b3641346909bdc69007b6208b28d795d29f08fe1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 14 Jul 2023 07:39:36 +0200 -Subject: r8169: fix ASPM-related problem for chip version 42 and 43 - -From: Heiner Kallweit - -[ Upstream commit 162d626f3013215b82b6514ca14f20932c7ccce5 ] - -Referenced commit missed that for chip versions 42 and 43 ASPM -remained disabled in the respective rtl_hw_start_...() routines. -This resulted in problems as described in the referenced bug -ticket. Therefore re-instantiate the previous logic. - -Fixes: 5fc3f6c90cca ("r8169: consolidate disabling ASPM before EPHY access") -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217635 -Signed-off-by: Heiner Kallweit -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/realtek/r8169_main.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c -index ca0140963ff3a..b69122686407d 100644 ---- a/drivers/net/ethernet/realtek/r8169_main.c -+++ b/drivers/net/ethernet/realtek/r8169_main.c -@@ -2747,6 +2747,13 @@ static void rtl_hw_aspm_clkreq_enable(struct rtl8169_private *tp, bool enable) - return; - - if (enable) { -+ /* On these chip versions ASPM can even harm -+ * bus communication of other PCI devices. -+ */ -+ if (tp->mac_version == RTL_GIGA_MAC_VER_42 || -+ tp->mac_version == RTL_GIGA_MAC_VER_43) -+ return; -+ - rtl_mod_config5(tp, 0, ASPM_en); - rtl_mod_config2(tp, 0, ClkReqEn); - --- -2.39.2 - diff --git a/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch b/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch deleted file mode 100644 index 67c2488f9b7..00000000000 --- a/queue-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch +++ /dev/null @@ -1,76 +0,0 @@ -From c2695efafc87a2ebcdaa8213853f069251cdf6dc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Apr 2023 16:05:38 -0700 -Subject: rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp - -From: Paul E. McKenney - -[ Upstream commit 9146eb25495ea8bfb5010192e61e3ed5805ce9ef ] - -The per-CPU rcu_data structure's ->cpu_no_qs.b.exp field is updated -only on the instance corresponding to the current CPU, but can be read -more widely. Unmarked accesses are OK from the corresponding CPU, but -only if interrupts are disabled, given that interrupt handlers can and -do modify this field. - -Unfortunately, although the load from rcu_preempt_deferred_qs() is always -carried out from the corresponding CPU, interrupts are not necessarily -disabled. This commit therefore upgrades this load to READ_ONCE. - -Similarly, the diagnostic access from synchronize_rcu_expedited_wait() -might run with interrupts disabled and from some other CPU. This commit -therefore marks this load with data_race(). - -Finally, the C-language access in rcu_preempt_ctxt_queue() is OK as -is because interrupts are disabled and this load is always from the -corresponding CPU. This commit adds a comment giving the rationale for -this access being safe. - -This data race was reported by KCSAN. Not appropriate for backporting -due to failure being unlikely. - -Signed-off-by: Paul E. McKenney -Signed-off-by: Sasha Levin ---- - kernel/rcu/tree_exp.h | 2 +- - kernel/rcu/tree_plugin.h | 4 +++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h -index 3b7abb58157df..8239b39d945bd 100644 ---- a/kernel/rcu/tree_exp.h -+++ b/kernel/rcu/tree_exp.h -@@ -643,7 +643,7 @@ static void synchronize_rcu_expedited_wait(void) - "O."[!!cpu_online(cpu)], - "o."[!!(rdp->grpmask & rnp->expmaskinit)], - "N."[!!(rdp->grpmask & rnp->expmaskinitnext)], -- "D."[!!(rdp->cpu_no_qs.b.exp)]); -+ "D."[!!data_race(rdp->cpu_no_qs.b.exp)]); - } - } - pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n", -diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h -index 7b0fe741a0886..41021080ad258 100644 ---- a/kernel/rcu/tree_plugin.h -+++ b/kernel/rcu/tree_plugin.h -@@ -257,6 +257,8 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp) - * GP should not be able to end until we report, so there should be - * no need to check for a subsequent expedited GP. (Though we are - * still in a quiescent state in any case.) -+ * -+ * Interrupts are disabled, so ->cpu_no_qs.b.exp cannot change. - */ - if (blkd_state & RCU_EXP_BLKD && rdp->cpu_no_qs.b.exp) - rcu_report_exp_rdp(rdp); -@@ -941,7 +943,7 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t) - { - struct rcu_data *rdp = this_cpu_ptr(&rcu_data); - -- if (rdp->cpu_no_qs.b.exp) -+ if (READ_ONCE(rdp->cpu_no_qs.b.exp)) - rcu_report_exp_rdp(rdp); - } - --- -2.39.2 - diff --git a/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch b/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch deleted file mode 100644 index a151907eb59..00000000000 --- a/queue-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 1e5233c6acc983e4260bd78c410a36f74d547a9f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Aug 2022 01:22:05 +0900 -Subject: rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic() - -From: Shigeru Yoshida - -[ Upstream commit 5fc8cbe4cf0fd34ded8045c385790c3bf04f6785 ] - -pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because -pr_info() calls printk() that might sleep, this will result in BUG -like below: - -[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues. -[ 0.206463] -[ 0.206464] ============================= -[ 0.206464] [ BUG: Invalid wait context ] -[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted -[ 0.206466] ----------------------------- -[ 0.206466] swapper/0/1 is trying to lock: -[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0 -[ 0.206473] other info that might help us debug this: -[ 0.206473] context-{5:5} -[ 0.206474] 3 locks held by swapper/0/1: -[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0 -[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e -[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330 -[ 0.206485] stack backtrace: -[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5 -[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 -[ 0.206489] Call Trace: -[ 0.206490] -[ 0.206491] dump_stack_lvl+0x6a/0x9f -[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe -[ 0.206496] ? stack_trace_save+0x46/0x70 -[ 0.206497] lock_acquire+0xd1/0x2f0 -[ 0.206499] ? serial8250_console_write+0x327/0x4a0 -[ 0.206500] ? __lock_acquire+0x5c7/0x2720 -[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90 -[ 0.206504] ? serial8250_console_write+0x327/0x4a0 -[ 0.206506] serial8250_console_write+0x327/0x4a0 -[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330 -[ 0.206511] console_unlock+0xf7/0x1f0 -[ 0.206512] vprintk_emit+0xf7/0x330 -[ 0.206514] _printk+0x63/0x7e -[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32 -[ 0.206518] rcu_init_tasks_generic+0x5/0xd9 -[ 0.206522] kernel_init_freeable+0x15b/0x2a2 -[ 0.206523] ? rest_init+0x160/0x160 -[ 0.206526] kernel_init+0x11/0x120 -[ 0.206527] ret_from_fork+0x1f/0x30 -[ 0.206530] -[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1. - -This patch moves pr_info() so that it is called without -rtp->cbs_gbl_lock locked. - -Signed-off-by: Shigeru Yoshida -Tested-by: "Zhang, Qiang1" -Signed-off-by: Paul E. McKenney -Signed-off-by: Sasha Levin ---- - kernel/rcu/tasks.h | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h -index 8f08c087142b0..9b9ce09f8f358 100644 ---- a/kernel/rcu/tasks.h -+++ b/kernel/rcu/tasks.h -@@ -241,7 +241,6 @@ static void cblist_init_generic(struct rcu_tasks *rtp) - if (rcu_task_enqueue_lim < 0) { - rcu_task_enqueue_lim = 1; - rcu_task_cb_adjust = true; -- pr_info("%s: Setting adjustable number of callback queues.\n", __func__); - } else if (rcu_task_enqueue_lim == 0) { - rcu_task_enqueue_lim = 1; - } -@@ -272,6 +271,10 @@ static void cblist_init_generic(struct rcu_tasks *rtp) - raw_spin_unlock_rcu_node(rtpcp); // irqs remain disabled. - } - raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags); -+ -+ if (rcu_task_cb_adjust) -+ pr_info("%s: Setting adjustable number of callback queues.\n", __func__); -+ - pr_info("%s: Setting shift to %d and lim to %d.\n", __func__, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim)); - } - --- -2.39.2 - diff --git a/queue-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/queue-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch deleted file mode 100644 index b920fc52b6d..00000000000 --- a/queue-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Wed, 12 Jul 2023 12:16:40 +0100 -Subject: regmap: Account for register length in SMBus I/O limits - -From: Mark Brown - -commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. - -The SMBus I2C buses have limits on the size of transfers they can do but -do not factor in the register length meaning we may try to do a transfer -longer than our length limit, the core will not take care of this. -Future changes will factor this out into the core but there are a number -of users that assume current behaviour so let's just do something -conservative here. - -This does not take account padding bits but practically speaking these -are very rarely if ever used on I2C buses given that they generally run -slowly enough to mean there's no issue. - -Cc: stable@kernel.org -Signed-off-by: Mark Brown -Reviewed-by: Xu Yilun -Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/regmap/regmap-i2c.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/drivers/base/regmap/regmap-i2c.c -+++ b/drivers/base/regmap/regmap-i2c.c -@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi - static const struct regmap_bus regmap_i2c_smbus_i2c_block = { - .write = regmap_i2c_smbus_i2c_write, - .read = regmap_i2c_smbus_i2c_read, -- .max_raw_read = I2C_SMBUS_BLOCK_MAX, -- .max_raw_write = I2C_SMBUS_BLOCK_MAX, -+ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, -+ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, - }; - - static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, -@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg - static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { - .write = regmap_i2c_smbus_i2c_write_reg16, - .read = regmap_i2c_smbus_i2c_read_reg16, -- .max_raw_read = I2C_SMBUS_BLOCK_MAX, -- .max_raw_write = I2C_SMBUS_BLOCK_MAX, -+ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, -+ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, - }; - - static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/queue-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/queue-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch deleted file mode 100644 index 65305f80f18..00000000000 --- a/queue-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch +++ /dev/null @@ -1,64 +0,0 @@ -From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Wed, 12 Jul 2023 12:16:39 +0100 -Subject: regmap: Drop initial version of maximum transfer length fixes - -From: Mark Brown - -commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. - -When problems were noticed with the register address not being taken -into account when limiting raw transfers with I2C devices we fixed this -in the core. Unfortunately it has subsequently been realised that a lot -of buses were relying on the prior behaviour, partly due to unclear -documentation not making it obvious what was intended in the core. This -is all more involved to fix than is sensible for a fix commit so let's -just drop the original fixes, a separate commit will fix the originally -observed problem in an I2C specific way - -Fixes: 3981514180c9 ("regmap: Account for register length when chunking") -Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") -Signed-off-by: Mark Brown -Reviewed-by: Xu Yilun -Cc: stable@kernel.org -Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/base/regmap/regmap-spi-avmm.c | 2 +- - drivers/base/regmap/regmap.c | 6 ++---- - 2 files changed, 3 insertions(+), 5 deletions(-) - ---- a/drivers/base/regmap/regmap-spi-avmm.c -+++ b/drivers/base/regmap/regmap-spi-avmm.c -@@ -660,7 +660,7 @@ static const struct regmap_bus regmap_sp - .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, - .val_format_endian_default = REGMAP_ENDIAN_NATIVE, - .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, -- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, -+ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, - .free_context = spi_avmm_bridge_ctx_free, - }; - ---- a/drivers/base/regmap/regmap.c -+++ b/drivers/base/regmap/regmap.c -@@ -2082,8 +2082,6 @@ int _regmap_raw_write(struct regmap *map - size_t val_count = val_len / val_bytes; - size_t chunk_count, chunk_bytes; - size_t chunk_regs = val_count; -- size_t max_data = map->max_raw_write - map->format.reg_bytes - -- map->format.pad_bytes; - int ret, i; - - if (!val_count) -@@ -2091,8 +2089,8 @@ int _regmap_raw_write(struct regmap *map - - if (map->use_single_write) - chunk_regs = 1; -- else if (map->max_raw_write && val_len > max_data) -- chunk_regs = max_data / val_bytes; -+ else if (map->max_raw_write && val_len > map->max_raw_write) -+ chunk_regs = map->max_raw_write / val_bytes; - - chunk_count = val_count / chunk_regs; - chunk_bytes = chunk_regs * val_bytes; diff --git a/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch b/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch deleted file mode 100644 index 1e71c3257b6..00000000000 --- a/queue-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 91572c4910ad8526b74672f2e2764d2f86dc2152 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 16 Jun 2023 16:36:28 +0200 -Subject: regulator: da9063: fix null pointer deref with partial DT config - -From: Martin Fuzzey - -[ Upstream commit 98e2dd5f7a8be5cb2501a897e96910393a49f0ff ] - -When some of the da9063 regulators do not have corresponding DT nodes -a null pointer dereference occurs on boot because such regulators have -no init_data causing the pointers calculated in -da9063_check_xvp_constraints() to be invalid. - -Do not dereference them in this case. - -Fixes: b8717a80e6ee ("regulator: da9063: implement setter for voltage monitoring") -Signed-off-by: Martin Fuzzey -Link: https://lore.kernel.org/r/20230616143736.2946173-1-martin.fuzzey@flowbird.group -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/regulator/da9063-regulator.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/regulator/da9063-regulator.c b/drivers/regulator/da9063-regulator.c -index c5dd77be558b6..dfd5ec9f75c90 100644 ---- a/drivers/regulator/da9063-regulator.c -+++ b/drivers/regulator/da9063-regulator.c -@@ -778,6 +778,9 @@ static int da9063_check_xvp_constraints(struct regulator_config *config) - const struct notification_limit *uv_l = &constr->under_voltage_limits; - const struct notification_limit *ov_l = &constr->over_voltage_limits; - -+ if (!config->init_data) /* No config in DT, pointers will be invalid */ -+ return 0; -+ - /* make sure that only one severity is used to clarify if unchanged, enabled or disabled */ - if ((!!uv_l->prot + !!uv_l->err + !!uv_l->warn) > 1) { - dev_err(config->dev, "%s: at most one voltage monitoring severity allowed!\n", --- -2.39.2 - diff --git a/queue-6.4/revert-r8169-disable-aspm-during-napi-poll.patch b/queue-6.4/revert-r8169-disable-aspm-during-napi-poll.patch deleted file mode 100644 index c73014b42af..00000000000 --- a/queue-6.4/revert-r8169-disable-aspm-during-napi-poll.patch +++ /dev/null @@ -1,52 +0,0 @@ -From e31a9fedc7d8d80722b19628e66fcb5a36981780 Mon Sep 17 00:00:00 2001 -From: Heiner Kallweit -Date: Tue, 18 Jul 2023 13:12:32 +0200 -Subject: Revert "r8169: disable ASPM during NAPI poll" - -From: Heiner Kallweit - -commit e31a9fedc7d8d80722b19628e66fcb5a36981780 upstream. - -This reverts commit e1ed3e4d91112027b90c7ee61479141b3f948e6a. - -Turned out the change causes a performance regression. - -Link: https://lore.kernel.org/netdev/20230713124914.GA12924@green245/T/ -Cc: stable@vger.kernel.org -Signed-off-by: Heiner Kallweit -Link: https://lore.kernel.org/r/055c6bc2-74fa-8c67-9897-3f658abb5ae7@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/realtek/r8169_main.c | 11 +---------- - 1 file changed, 1 insertion(+), 10 deletions(-) - ---- a/drivers/net/ethernet/realtek/r8169_main.c -+++ b/drivers/net/ethernet/realtek/r8169_main.c -@@ -4514,10 +4514,6 @@ static irqreturn_t rtl8169_interrupt(int - } - - if (napi_schedule_prep(&tp->napi)) { -- rtl_unlock_config_regs(tp); -- rtl_hw_aspm_clkreq_enable(tp, false); -- rtl_lock_config_regs(tp); -- - rtl_irq_disable(tp); - __napi_schedule(&tp->napi); - } -@@ -4577,14 +4573,9 @@ static int rtl8169_poll(struct napi_stru - - work_done = rtl_rx(dev, tp, budget); - -- if (work_done < budget && napi_complete_done(napi, work_done)) { -+ if (work_done < budget && napi_complete_done(napi, work_done)) - rtl_irq_enable(tp); - -- rtl_unlock_config_regs(tp); -- rtl_hw_aspm_clkreq_enable(tp, true); -- rtl_lock_config_regs(tp); -- } -- - return work_done; - } - diff --git a/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch deleted file mode 100644 index 59e6ff34715..00000000000 --- a/queue-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +++ /dev/null @@ -1,113 +0,0 @@ -From ecd467dd886c50804703a2c430a0a51d19acb739 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:59:18 -0700 -Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash - table" - -From: Kuniyuki Iwashima - -[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] - -This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. - -Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in -ehash table") reversed the order in how a socket is inserted into ehash -to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are -swapped. However, it introduced another lookup failure. - -The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU -and does not have SOCK_RCU_FREE, so the socket could be reused even while -it is being referenced on another CPU doing RCU lookup. - -Let's say a socket is reused and inserted into the same hash bucket during -lookup. After the blamed commit, a new socket is inserted at the end of -the list. If that happens, we will skip sockets placed after the previous -position of the reused socket, resulting in ehash lookup failure. - -As described in Documentation/RCU/rculist_nulls.rst, we should insert a -new socket at the head of the list to avoid such an issue. - -This issue, the swap-lookup-failure, and another variant reported in [0] -can all be handled properly by adding a locked ehash lookup suggested by -Eric Dumazet [1]. - -However, this issue could occur for every packet, thus more likely than -the other two races, so let's revert the change for now. - -Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] -Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] -Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") -Signed-off-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/inet_hashtables.c | 17 ++--------------- - net/ipv4/inet_timewait_sock.c | 8 ++++---- - 2 files changed, 6 insertions(+), 19 deletions(-) - -diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c -index e7391bf310a75..0819d6001b9ab 100644 ---- a/net/ipv4/inet_hashtables.c -+++ b/net/ipv4/inet_hashtables.c -@@ -650,20 +650,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - spin_lock(lock); - if (osk) { - WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); -- ret = sk_hashed(osk); -- if (ret) { -- /* Before deleting the node, we insert a new one to make -- * sure that the look-up-sk process would not miss either -- * of them and that at least one node would exist in ehash -- * table all the time. Otherwise there's a tiny chance -- * that lookup process could find nothing in ehash table. -- */ -- __sk_nulls_add_node_tail_rcu(sk, list); -- sk_nulls_del_node_init_rcu(osk); -- } -- goto unlock; -- } -- if (found_dup_sk) { -+ ret = sk_nulls_del_node_init_rcu(osk); -+ } else if (found_dup_sk) { - *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); - if (*found_dup_sk) - ret = false; -@@ -672,7 +660,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - if (ret) - __sk_nulls_add_node_rcu(sk, list); - --unlock: - spin_unlock(lock); - - return ret; -diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c -index 40052414c7c71..2c1b245dba8e8 100644 ---- a/net/ipv4/inet_timewait_sock.c -+++ b/net/ipv4/inet_timewait_sock.c -@@ -88,10 +88,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) - } - EXPORT_SYMBOL_GPL(inet_twsk_put); - --static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, -- struct hlist_nulls_head *list) -+static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, -+ struct hlist_nulls_head *list) - { -- hlist_nulls_add_tail_rcu(&tw->tw_node, list); -+ hlist_nulls_add_head_rcu(&tw->tw_node, list); - } - - static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, -@@ -144,7 +144,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, - - spin_lock(lock); - -- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); -+ inet_twsk_add_node_rcu(tw, &ehead->chain); - - /* Step 3: Remove SK from hash chain */ - if (__sk_nulls_del_node_init_rcu(sk)) --- -2.39.2 - diff --git a/queue-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch b/queue-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch deleted file mode 100644 index fd5360b6832..00000000000 --- a/queue-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 4cfca532ddc3474b3fc42592d0e4237544344b1a Mon Sep 17 00:00:00 2001 -From: Harald Freudenberger -Date: Mon, 17 Jul 2023 16:55:29 +0200 -Subject: s390/zcrypt: fix reply buffer calculations for CCA replies - -From: Harald Freudenberger - -commit 4cfca532ddc3474b3fc42592d0e4237544344b1a upstream. - -The length information for available buffer space for CCA -replies is covered with two fields in the T6 header prepended -on each CCA reply: fromcardlen1 and fromcardlen2. The sum of -these both values must not exceed the AP bus limit for this -card (24KB for CEX8, 12KB CEX7 and older) minus the always -present headers. - -The current code adjusted the fromcardlen2 value in case -of exceeding the AP bus limit when there was a non-zero -value given from userspace. Some tests now showed that this -was the wrong assumption. Instead the userspace value given for -this field should always be trusted and if the sum of the -two fields exceeds the AP bus limit for this card the first -field fromcardlen1 should be adjusted instead. - -So now the calculation is done with this new insight in mind. -Also some additional checks for overflow have been introduced -and some comments to provide some documentation for future -maintainers of this complicated calculation code. - -Furthermore the 128 bytes of fix overhead which is used -in the current code is not correct. Investigations showed -that for a reply always the same two header structs are -prepended before a possible payload. So this is also fixed -with this patch. - -Signed-off-by: Harald Freudenberger -Reviewed-by: Holger Dengler -Cc: stable@vger.kernel.org -Signed-off-by: Heiko Carstens -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/crypto/zcrypt_msgtype6.c | 33 +++++++++++++++++++++++---------- - 1 file changed, 23 insertions(+), 10 deletions(-) - ---- a/drivers/s390/crypto/zcrypt_msgtype6.c -+++ b/drivers/s390/crypto/zcrypt_msgtype6.c -@@ -1111,23 +1111,36 @@ static long zcrypt_msgtype6_send_cprb(bo - struct ica_xcRB *xcrb, - struct ap_message *ap_msg) - { -- int rc; - struct response_type *rtype = ap_msg->private; - struct { - struct type6_hdr hdr; - struct CPRBX cprbx; - /* ... more data blocks ... */ - } __packed * msg = ap_msg->msg; -+ unsigned int max_payload_size; -+ int rc, delta; - -- /* -- * Set the queue's reply buffer length minus 128 byte padding -- * as reply limit for the card firmware. -- */ -- msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1, -- zq->reply.bufsize - 128); -- if (msg->hdr.fromcardlen2) -- msg->hdr.fromcardlen2 = -- zq->reply.bufsize - msg->hdr.fromcardlen1 - 128; -+ /* calculate maximum payload for this card and msg type */ -+ max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg); -+ -+ /* limit each of the two from fields to the maximum payload size */ -+ msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size); -+ msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size); -+ -+ /* calculate delta if the sum of both exceeds max payload size */ -+ delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2 -+ - max_payload_size; -+ if (delta > 0) { -+ /* -+ * Sum exceeds maximum payload size, prune fromcardlen1 -+ * (always trust fromcardlen2) -+ */ -+ if (delta > msg->hdr.fromcardlen1) { -+ rc = -EINVAL; -+ goto out; -+ } -+ msg->hdr.fromcardlen1 -= delta; -+ } - - init_completion(&rtype->work); - rc = ap_queue_message(zq->queue, ap_msg); diff --git a/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch deleted file mode 100644 index c3d56f7147f..00000000000 --- a/queue-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 498906b1791b700260f1db996d22a4934185a8f9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 16:25:07 +0800 -Subject: sched/fair: Don't balance task to its current running CPU - -From: Yicong Yang - -[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] - -We've run into the case that the balancer tries to balance a migration -disabled task and trigger the warning in set_task_cpu() like below: - - ------------[ cut here ]------------ - WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 - Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> - CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 - Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 - pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : set_task_cpu+0x188/0x240 - lr : load_balance+0x5d0/0xc60 - sp : ffff80000803bc70 - x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 - x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 - x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 - x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 - x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 - x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 - x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e - x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a - x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 - Call trace: - set_task_cpu+0x188/0x240 - load_balance+0x5d0/0xc60 - rebalance_domains+0x26c/0x380 - _nohz_idle_balance.isra.0+0x1e0/0x370 - run_rebalance_domains+0x6c/0x80 - __do_softirq+0x128/0x3d8 - ____do_softirq+0x18/0x24 - call_on_irq_stack+0x2c/0x38 - do_softirq_own_stack+0x24/0x3c - __irq_exit_rcu+0xcc/0xf4 - irq_exit_rcu+0x18/0x24 - el1_interrupt+0x4c/0xe4 - el1h_64_irq_handler+0x18/0x2c - el1h_64_irq+0x74/0x78 - arch_cpu_idle+0x18/0x4c - default_idle_call+0x58/0x194 - do_idle+0x244/0x2b0 - cpu_startup_entry+0x30/0x3c - secondary_start_kernel+0x14c/0x190 - __secondary_switched+0xb0/0xb4 - ---[ end trace 0000000000000000 ]--- - -Further investigation shows that the warning is superfluous, the migration -disabled task is just going to be migrated to its current running CPU. -This is because that on load balance if the dst_cpu is not allowed by the -task, we'll re-select a new_dst_cpu as a candidate. If no task can be -balanced to dst_cpu we'll try to balance the task to the new_dst_cpu -instead. In this case when the migration disabled task is not on CPU it -only allows to run on its current CPU, load balance will select its -current CPU as new_dst_cpu and later triggers the warning above. - -The new_dst_cpu is chosen from the env->dst_grpmask. Currently it -contains CPUs in sched_group_span() and if we have overlapped groups it's -possible to run into this case. This patch makes env->dst_grpmask of -group_balance_mask() which exclude any CPUs from the busiest group and -solve the issue. For balancing in a domain with no overlapped groups -the behaviour keeps same as before. - -Suggested-by: Vincent Guittot -Signed-off-by: Yicong Yang -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: Vincent Guittot -Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com -Signed-off-by: Sasha Levin ---- - kernel/sched/fair.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 4da5f35417626..e427056b440bb 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -10762,7 +10762,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, - .sd = sd, - .dst_cpu = this_cpu, - .dst_rq = this_rq, -- .dst_grpmask = sched_group_span(sd->groups), -+ .dst_grpmask = group_balance_mask(sd->groups), - .idle = idle, - .loop_break = SCHED_NR_MIGRATE_BREAK, - .cpus = cpus, --- -2.39.2 - diff --git a/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch b/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch deleted file mode 100644 index 12a4c0ab560..00000000000 --- a/queue-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch +++ /dev/null @@ -1,41 +0,0 @@ -From eb7afb14a34b80e0302a1d23d86f4850e5a83b66 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 16:07:47 +0800 -Subject: sched/fair: Use recent_used_cpu to test p->cpus_ptr - -From: Miaohe Lin - -[ Upstream commit ae2ad293d6be143ad223f5f947cca07bcbe42595 ] - -When checking whether a recently used CPU can be a potential idle -candidate, recent_used_cpu should be used to test p->cpus_ptr as -p->recent_used_cpu is not equal to recent_used_cpu and candidate -decision is made based on recent_used_cpu here. - -Fixes: 89aafd67f28c ("sched/fair: Use prev instead of new target as recent_used_cpu") -Signed-off-by: Miaohe Lin -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: Phil Auld -Acked-by: Mel Gorman -Link: https://lore.kernel.org/r/20230620080747.359122-1-linmiaohe@huawei.com -Signed-off-by: Sasha Levin ---- - kernel/sched/fair.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index e427056b440bb..dacb56d7e9147 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -7174,7 +7174,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) - recent_used_cpu != target && - cpus_share_cache(recent_used_cpu, target) && - (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) && -- cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) && -+ cpumask_test_cpu(recent_used_cpu, p->cpus_ptr) && - asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) { - return recent_used_cpu; - } --- -2.39.2 - diff --git a/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch b/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch deleted file mode 100644 index 34898dfaba7..00000000000 --- a/queue-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 56dc7c53b82c1b75affc5981051b3679cdfd065f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 17:56:12 -0700 -Subject: sched/psi: use kernfs polling functions for PSI trigger polling - -From: Suren Baghdasaryan - -[ Upstream commit aff037078ecaecf34a7c2afab1341815f90fba5e ] - -Destroying psi trigger in cgroup_file_release causes UAF issues when -a cgroup is removed from under a polling process. This is happening -because cgroup removal causes a call to cgroup_file_release while the -actual file is still alive. Destroying the trigger at this point would -also destroy its waitqueue head and if there is still a polling process -on that file accessing the waitqueue, it will step on the freed pointer: - -do_select - vfs_poll - do_rmdir - cgroup_rmdir - kernfs_drain_open_files - cgroup_file_release - cgroup_pressure_release - psi_trigger_destroy - wake_up_pollfree(&t->event_wait) -// vfs_poll is unblocked - synchronize_rcu - kfree(t) - poll_freewait -> UAF access to the trigger's waitqueue head - -Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), -however the same issue exists for synchronous poll() case. -The root cause of this issue is that the lifecycles of the psi trigger's -waitqueue and of the file associated with the trigger are different. Fix -this by using kernfs_generic_poll function when polling on cgroup-specific -psi triggers. It internally uses kernfs_open_node->poll waitqueue head -with its lifecycle tied to the file's lifecycle. This also renders the -fix in [1] obsolete, so revert it. - -[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") - -Fixes: 0e94682b73bf ("psi: introduce psi monitor") -Closes: https://lore.kernel.org/all/20230613062306.101831-1-lujialin4@huawei.com/ -Reported-by: Lu Jialin -Signed-off-by: Suren Baghdasaryan -Signed-off-by: Peter Zijlstra (Intel) -Link: https://lkml.kernel.org/r/20230630005612.1014540-1-surenb@google.com -Signed-off-by: Sasha Levin ---- - include/linux/psi.h | 5 +++-- - include/linux/psi_types.h | 3 +++ - kernel/cgroup/cgroup.c | 2 +- - kernel/sched/psi.c | 29 +++++++++++++++++++++-------- - 4 files changed, 28 insertions(+), 11 deletions(-) - -diff --git a/include/linux/psi.h b/include/linux/psi.h -index ab26200c28033..e0745873e3f26 100644 ---- a/include/linux/psi.h -+++ b/include/linux/psi.h -@@ -23,8 +23,9 @@ void psi_memstall_enter(unsigned long *flags); - void psi_memstall_leave(unsigned long *flags); - - int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); --struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res, struct file *file); -+struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, -+ enum psi_res res, struct file *file, -+ struct kernfs_open_file *of); - void psi_trigger_destroy(struct psi_trigger *t); - - __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, -diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h -index 040c089581c6c..f1fd3a8044e0e 100644 ---- a/include/linux/psi_types.h -+++ b/include/linux/psi_types.h -@@ -137,6 +137,9 @@ struct psi_trigger { - /* Wait queue for polling */ - wait_queue_head_t event_wait; - -+ /* Kernfs file for cgroup triggers */ -+ struct kernfs_open_file *of; -+ - /* Pending event flag */ - int event; - -diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c -index 4d42f0cbc11ea..3299ec69ce0d1 100644 ---- a/kernel/cgroup/cgroup.c -+++ b/kernel/cgroup/cgroup.c -@@ -3785,7 +3785,7 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, - } - - psi = cgroup_psi(cgrp); -- new = psi_trigger_create(psi, buf, res, of->file); -+ new = psi_trigger_create(psi, buf, res, of->file, of); - if (IS_ERR(new)) { - cgroup_put(cgrp); - return PTR_ERR(new); -diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c -index e072f6b31bf30..80d8c10e93638 100644 ---- a/kernel/sched/psi.c -+++ b/kernel/sched/psi.c -@@ -494,8 +494,12 @@ static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, - continue; - - /* Generate an event */ -- if (cmpxchg(&t->event, 0, 1) == 0) -- wake_up_interruptible(&t->event_wait); -+ if (cmpxchg(&t->event, 0, 1) == 0) { -+ if (t->of) -+ kernfs_notify(t->of->kn); -+ else -+ wake_up_interruptible(&t->event_wait); -+ } - t->last_event_time = now; - /* Reset threshold breach flag once event got generated */ - t->pending_event = false; -@@ -1272,8 +1276,9 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) - return 0; - } - --struct psi_trigger *psi_trigger_create(struct psi_group *group, -- char *buf, enum psi_res res, struct file *file) -+struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, -+ enum psi_res res, struct file *file, -+ struct kernfs_open_file *of) - { - struct psi_trigger *t; - enum psi_states state; -@@ -1333,7 +1338,9 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, - - t->event = 0; - t->last_event_time = 0; -- init_waitqueue_head(&t->event_wait); -+ t->of = of; -+ if (!of) -+ init_waitqueue_head(&t->event_wait); - t->pending_event = false; - t->aggregator = privileged ? PSI_POLL : PSI_AVGS; - -@@ -1390,7 +1397,10 @@ void psi_trigger_destroy(struct psi_trigger *t) - * being accessed later. Can happen if cgroup is deleted from under a - * polling process. - */ -- wake_up_pollfree(&t->event_wait); -+ if (t->of) -+ kernfs_notify(t->of->kn); -+ else -+ wake_up_interruptible(&t->event_wait); - - if (t->aggregator == PSI_AVGS) { - mutex_lock(&group->avgs_lock); -@@ -1462,7 +1472,10 @@ __poll_t psi_trigger_poll(void **trigger_ptr, - if (!t) - return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; - -- poll_wait(file, &t->event_wait, wait); -+ if (t->of) -+ kernfs_generic_poll(t->of, wait); -+ else -+ poll_wait(file, &t->event_wait, wait); - - if (cmpxchg(&t->event, 1, 0) == 1) - ret |= EPOLLPRI; -@@ -1532,7 +1545,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, - return -EBUSY; - } - -- new = psi_trigger_create(&psi_system, buf, res, file); -+ new = psi_trigger_create(&psi_system, buf, res, file, NULL); - if (IS_ERR(new)) { - mutex_unlock(&seq->lock); - return PTR_ERR(new); --- -2.39.2 - diff --git a/queue-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch b/queue-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch deleted file mode 100644 index c0f5e846269..00000000000 --- a/queue-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch +++ /dev/null @@ -1,69 +0,0 @@ -From fcaa174a9c995cf0af3967e55644a1543ea07e36 Mon Sep 17 00:00:00 2001 -From: Yu Kuai -Date: Thu, 22 Jun 2023 00:01:11 +0800 -Subject: scsi/sg: don't grab scsi host module reference - -From: Yu Kuai - -commit fcaa174a9c995cf0af3967e55644a1543ea07e36 upstream. - -In order to prevent request_queue to be freed before cleaning up -blktrace debugfs entries, commit db59133e9279 ("scsi: sg: fix blktrace -debugfs entries leakage") use scsi_device_get(), however, -scsi_device_get() will also grab scsi module reference and scsi module -can't be removed. - -It's reported that blktests can't unload scsi_debug after block/001: - -blktests (master) # ./check block -block/001 (stress device hotplugging) [failed] - +++ /root/blktests/results/nodev/block/001.out.bad 2023-06-19 - Running block/001 - Stressing sd - +modprobe: FATAL: Module scsi_debug is in use. - -Fix this problem by grabbing request_queue reference directly, so that -scsi host module can still be unloaded while request_queue will be -pinged by sg device. - -Reported-by: Chaitanya Kulkarni -Link: https://lore.kernel.org/all/1760da91-876d-fc9c-ab51-999a6f66ad50@nvidia.com/ -Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage") -Signed-off-by: Yu Kuai -Reviewed-by: Christoph Hellwig -Link: https://lore.kernel.org/r/20230621160111.1433521-1-yukuai1@huaweicloud.com -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/sg.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1496,7 +1496,7 @@ sg_add_device(struct device *cl_dev) - int error; - unsigned long iflags; - -- error = scsi_device_get(scsidp); -+ error = blk_get_queue(scsidp->request_queue); - if (error) - return error; - -@@ -1557,7 +1557,7 @@ cdev_add_err: - out: - if (cdev) - cdev_del(cdev); -- scsi_device_put(scsidp); -+ blk_put_queue(scsidp->request_queue); - return error; - } - -@@ -1574,7 +1574,7 @@ sg_device_destroy(struct kref *kref) - */ - - blk_trace_remove(q); -- scsi_device_put(sdp->device); -+ blk_put_queue(q); - - write_lock_irqsave(&sg_index_lock, flags); - idr_remove(&sg_index_idr, sdp->index); diff --git a/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch b/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch deleted file mode 100644 index e9fb8ddc8c6..00000000000 --- a/queue-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 16176e2729a460f26254bf143981355bcb83b0a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 10 Jun 2023 10:20:02 +0800 -Subject: scsi: sg: fix blktrace debugfs entries leakage - -From: Yu Kuai - -[ Upstream commit db59133e927916d8a25ee1fd8264f2808040909d ] - -sg_ioctl() support to enable blktrace, which will create debugfs entries -"/sys/kernel/debug/block/sgx/", however, there is no guarantee that user -will remove these entries through ioctl, and deleting sg device doesn't -cleanup these blktrace entries. - -This problem can be fixed by cleanup blktrace while releasing -request_queue, however, it's not a good idea to do this special handling -in common layer just for sg device. - -Fix this problem by shutdown bltkrace in sg_device_destroy(), where the -device is deleted and all the users close the device, also grab a -scsi_device reference from sg_add_device() to prevent scsi_device to be -freed before sg_device_destroy(); - -Signed-off-by: Yu Kuai -Reviewed-by: Christoph Hellwig -Reviewed-by: Martin K. Petersen -Link: https://lore.kernel.org/r/20230610022003.2557284-3-yukuai1@huaweicloud.com -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/scsi/sg.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 037f8c98a6d36..0adfbd77437f3 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1496,6 +1496,10 @@ sg_add_device(struct device *cl_dev) - int error; - unsigned long iflags; - -+ error = scsi_device_get(scsidp); -+ if (error) -+ return error; -+ - error = -ENOMEM; - cdev = cdev_alloc(); - if (!cdev) { -@@ -1553,6 +1557,7 @@ sg_add_device(struct device *cl_dev) - out: - if (cdev) - cdev_del(cdev); -+ scsi_device_put(scsidp); - return error; - } - -@@ -1560,6 +1565,7 @@ static void - sg_device_destroy(struct kref *kref) - { - struct sg_device *sdp = container_of(kref, struct sg_device, d_ref); -+ struct request_queue *q = sdp->device->request_queue; - unsigned long flags; - - /* CAUTION! Note that the device can still be found via idr_find() -@@ -1567,6 +1573,9 @@ sg_device_destroy(struct kref *kref) - * any other cleanup. - */ - -+ blk_trace_remove(q); -+ scsi_device_put(sdp->device); -+ - write_lock_irqsave(&sg_index_lock, flags); - idr_remove(&sg_index_idr, sdp->index); - write_unlock_irqrestore(&sg_index_lock, flags); --- -2.39.2 - diff --git a/queue-6.4/security-keys-modify-mismatched-function-name.patch b/queue-6.4/security-keys-modify-mismatched-function-name.patch deleted file mode 100644 index ff9e657682b..00000000000 --- a/queue-6.4/security-keys-modify-mismatched-function-name.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 21805edfcc8da6e82b94128693f355e1e10cef54 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Jun 2023 10:18:25 +0800 -Subject: security: keys: Modify mismatched function name - -From: Jiapeng Chong - -[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ] - -No functional modification involved. - -security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead. - -Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") -Reported-by: Abaci Robot -Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524 -Signed-off-by: Jiapeng Chong -Reviewed-by: Paul Moore -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Sasha Levin ---- - security/keys/trusted-keys/trusted_tpm2.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c -index 2b2c8eb258d5b..bc700f85f80be 100644 ---- a/security/keys/trusted-keys/trusted_tpm2.c -+++ b/security/keys/trusted-keys/trusted_tpm2.c -@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen, - } - - /** -- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. -+ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. - * - * @buf: an allocated tpm_buf instance - * @session_handle: session handle --- -2.39.2 - diff --git a/queue-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch b/queue-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch deleted file mode 100644 index bdaf788d1de..00000000000 --- a/queue-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 25b5949c30938c7f26dbadc948b491e0e0811c78 Mon Sep 17 00:00:00 2001 -From: Colin Ian King -Date: Wed, 12 Jul 2023 14:46:48 +0100 -Subject: selftests/mm: mkdirty: fix incorrect position of #endif - -From: Colin Ian King - -commit 25b5949c30938c7f26dbadc948b491e0e0811c78 upstream. - -The #endif is the wrong side of a } causing a build failure when -__NR_userfaultfd is not defined. Fix this by moving the #end to enclose -the } - -Link: https://lkml.kernel.org/r/20230712134648.456349-1-colin.i.king@gmail.com -Fixes: 9eac40fc0cc7 ("selftests/mm: mkdirty: test behavior of (pte|pmd)_mkdirty on VMAs without write permissions") -Signed-off-by: Colin Ian King -Reviewed-by: David Hildenbrand -Cc: Shuah Khan -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/mm/mkdirty.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/tools/testing/selftests/mm/mkdirty.c -+++ b/tools/testing/selftests/mm/mkdirty.c -@@ -321,8 +321,8 @@ close_uffd: - munmap: - munmap(dst, pagesize); - free(src); --#endif /* __NR_userfaultfd */ - } -+#endif /* __NR_userfaultfd */ - - int main(void) - { diff --git a/queue-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch b/queue-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch deleted file mode 100644 index cdab180886e..00000000000 --- a/queue-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:46 +0200 -Subject: selftests: tc: add ConnTrack procfs kconfig - -From: Matthieu Baerts - -commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream. - -When looking at the TC selftest reports, I noticed one test was failing -because /proc/net/nf_conntrack was not available. - - not ok 373 3992 - Add ct action triggering DNAT tuple conflict - Could not match regex pattern. Verify command output: - cat: /proc/net/nf_conntrack: No such file or directory - -It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue -can be fixed simply by adding it to the list of required kconfig. - -Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision") -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1] -Signed-off-by: Matthieu Baerts -Tested-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/config | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/testing/selftests/tc-testing/config -+++ b/tools/testing/selftests/tc-testing/config -@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_MARK=y - CONFIG_NF_CONNTRACK_ZONES=y - CONFIG_NF_CONNTRACK_LABELS=y -+CONFIG_NF_CONNTRACK_PROCFS=y - CONFIG_NF_FLOW_TABLE=m - CONFIG_NF_NAT=m - CONFIG_NETFILTER_XT_TARGET_LOG=m diff --git a/queue-6.4/selftests-tc-add-ct-action-kconfig-dep.patch b/queue-6.4/selftests-tc-add-ct-action-kconfig-dep.patch deleted file mode 100644 index 07859eec8d1..00000000000 --- a/queue-6.4/selftests-tc-add-ct-action-kconfig-dep.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:45 +0200 -Subject: selftests: tc: add 'ct' action kconfig dep - -From: Matthieu Baerts - -commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream. - -When looking for something else in LKFT reports [1], I noticed most of -the tests were skipped because the "teardown stage" did not complete -successfully. - -Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required -but not listed in the 'config' file. Adding it to the list fixes the -issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final -kconfig. - -Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") -Cc: stable@vger.kernel.org -Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] -Suggested-by: Pedro Tammela -Signed-off-by: Matthieu Baerts -Tested-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/config | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/testing/selftests/tc-testing/config -+++ b/tools/testing/selftests/tc-testing/config -@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_MARK=y - CONFIG_NF_CONNTRACK_ZONES=y - CONFIG_NF_CONNTRACK_LABELS=y -+CONFIG_NF_FLOW_TABLE=m - CONFIG_NF_NAT=m - CONFIG_NETFILTER_XT_TARGET_LOG=m - diff --git a/queue-6.4/selftests-tc-set-timeout-to-15-minutes.patch b/queue-6.4/selftests-tc-set-timeout-to-15-minutes.patch deleted file mode 100644 index ea00bbfff7d..00000000000 --- a/queue-6.4/selftests-tc-set-timeout-to-15-minutes.patch +++ /dev/null @@ -1,43 +0,0 @@ -From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001 -From: Matthieu Baerts -Date: Thu, 13 Jul 2023 23:16:44 +0200 -Subject: selftests: tc: set timeout to 15 minutes - -From: Matthieu Baerts - -commit fda05798c22a354efde09a76bdfc276b2d591829 upstream. - -When looking for something else in LKFT reports [1], I noticed that the -TC selftest ended with a timeout error: - - not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds - -The timeout had been introduced 3 years ago, see the Fixes commit below. - -This timeout is only in place when executing the selftests via the -kselftests runner scripts. I guess this is not what most TC devs are -using and nobody noticed the issue before. - -The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks -like it is plenty more time than what it takes in "normal" conditions. - -Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test") -Cc: stable@vger.kernel.org -Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] -Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] -Suggested-by: Pedro Tammela -Signed-off-by: Matthieu Baerts -Reviewed-by: Zhengchao Shao -Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net -Acked-by: Jamal Hadi Salim -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/tc-testing/settings | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 tools/testing/selftests/tc-testing/settings - ---- /dev/null -+++ b/tools/testing/selftests/tc-testing/settings -@@ -0,0 +1 @@ -+timeout=900 diff --git a/queue-6.4/series b/queue-6.4/series index 30521451c7f..64ecbc6dba5 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -1,227 +1,2 @@ -io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch -io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch -alsa-hda-realtek-remove-3k-pull-low-procedure.patch -alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch -alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch -maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch -mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch -maple_tree-fix-node-allocation-testing-on-32-bit.patch -selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch -keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch -prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch -perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch -perf-probe-read-dwarf-files-from-the-correct-cu.patch -btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch -btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch -fuse-revalidate-don-t-invalidate-if-interrupted.patch -fuse-add-feature-flag-for-expire-only.patch -fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch -btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch -btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch -btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch -btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch -fuse-ioctl-translate-enosys-in-outarg.patch -btrfs-fix-race-between-balance-and-cancel-pause.patch -selftests-tc-set-timeout-to-15-minutes.patch -accel-qaic-fix-a-leak-in-map_user_pages.patch -selftests-tc-add-ct-action-kconfig-dep.patch -regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch -s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch -of-preserve-of-display-device-name-for-compatibility.patch -regmap-account-for-register-length-in-smbus-i-o-limits.patch -ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch -arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch -can-raw-fix-receiver-memory-leak.patch -can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch -can-bcm-fix-uaf-in-bcm_proc_show.patch -can-gs_usb-gs_can_open-improve-error-handling.patch -can-gs_usb-fix-time-stamp-counter-initialization.patch -revert-r8169-disable-aspm-during-napi-poll.patch -selftests-tc-add-conntrack-procfs-kconfig.patch -accel-qaic-tighten-bounds-checking-in-encode_message.patch -accel-qaic-tighten-bounds-checking-in-decode_message.patch -accel-qaic-add-consistent-integer-overflow-checks.patch -dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch -drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch -drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch -drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch -drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch -drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch -drm-nouveau-i2c-fix-number-of-aux-event-slots.patch -drm-client-fix-memory-leak-in-drm_client_target_cloned.patch -drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch -drm-amd-display-only-accept-async-flips-for-fast-updates.patch -drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch -drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch -drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch -asoc-fsl_sai-disable-bit-clock-with-transmitter.patch -asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch -asoc-tegra-fix-adx-byte-map.patch -asoc-rt5640-fix-sleep-in-atomic-context.patch -asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch -asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch -asoc-cs35l45-select-regmap_irq.patch -asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch -asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch -asoc-tegra-fix-amx-byte-map.patch -asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch -asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch -asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch -asoc-codecs-wcd938x-fix-codec-initialisation-race.patch -asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch -kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch -kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch -kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch -kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch -ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch -drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch -alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch -quota-properly-disable-quotas-when-add_dquot_ref-fai.patch -quota-fix-warning-in-dqgrab.patch -hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch -ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch -udf-fix-uninitialized-array-access-for-some-pathname.patch -alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch -fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch -mips-dec-prom-address-warray-bounds-warning.patch -fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch -fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch -md-fix-data-corruption-for-raid456-when-reshape-rest.patch -md-raid10-prevent-soft-lockup-while-flush-writes.patch -scsi-sg-fix-blktrace-debugfs-entries-leakage.patch -blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch -posix-timers-ensure-timer-id-search-loop-limit-is-va.patch -btrfs-add-xxhash-to-fast-checksum-implementations.patch -btrfs-don-t-check-pageerror-in-__extent_writepage.patch -btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch -erofs-fix-detection-of-atomic-context.patch -acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch -acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch -acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch -acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch -acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch -acpi-resource-remove-zen-specific-match-and-quirks.patch -arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch -arm64-mm-fix-va-range-sanity-check.patch -acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch -rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch -rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch -tools-nolibc-ensure-stack-protector-guard-is-never-z.patch -sched-fair-don-t-balance-task-to-its-current-running.patch -wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch -bpf-print-a-warning-only-if-writing-to-unprivileged_.patch -bpf-address-kcsan-report-on-bpf_lru_list.patch -spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch -bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch -bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch -wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch -bpf-silence-a-warning-in-btf_type_id_size.patch -devlink-make-health-report-on-unregistered-instance-.patch -wifi-ath11k-add-support-default-regdb-while-searchin.patch -wifi-mac80211_hwsim-fix-possible-null-dereference.patch -spi-dw-add-compatible-for-intel-mount-evans-soc.patch -wifi-ath12k-avoid-null-pointer-access-during-managem.patch -wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch -wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch -net-ethernet-litex-add-support-for-64-bit-stats.patch -devlink-report-devlink_port_type_warn-source-device.patch -wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch -wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch -wifi-iwlwifi-add-support-for-new-pci-id.patch -wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch -wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch -igb-fix-igb_down-hung-on-surprise-removal.patch -net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch -asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch -asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch -asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch -asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch -iov_iter-mark-copy_iovec_from_user-noclone.patch -sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch -sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch -pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch -pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch -spi-bcm63xx-fix-max-prepend-length.patch -fbdev-imxfb-warn-about-invalid-left-right-margin.patch -fbdev-imxfb-removed-unneeded-release_mem_region.patch -perf-build-fix-library-not-found-error-when-using-cs.patch -btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch -spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch -kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch -smb-client-fix-missed-ses-refcounting.patch -arm64-fix-hfgxtr_el2-field-naming.patch -dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch -net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch -bridge-add-extack-warning-when-enabling-stp-in-netns.patch -net-ethernet-mtk_eth_soc-handle-probe-deferral.patch -gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch -iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch -cifs-fix-mid-leak-during-reconnection-after-timeout-.patch -ice-unregister-netdev-and-devlink_port-only-once.patch -ice-prevent-null-pointer-deref-during-reload.patch -asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch -regulator-da9063-fix-null-pointer-deref-with-partial.patch -net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch -net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch -net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch -net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch -net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch -r8169-fix-aspm-related-problem-for-chip-version-42-a.patch -drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch -iavf-fix-use-after-free-in-free_netdev.patch -iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch -iavf-use-internal-state-to-free-traffic-irqs.patch -iavf-make-functions-static-where-possible.patch -iavf-wait-for-reset-in-callbacks-which-trigger-it.patch -iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch -iavf-fix-reset-task-race-with-iavf_remove.patch -security-keys-modify-mismatched-function-name.patch -vrf-fix-lockdep-splat-in-output-path.patch -octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch -bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch -bpf-repeat-check_max_stack_depth-for-async-callbacks.patch -bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch -igc-avoid-transmit-queue-timeout-for-xdp.patch -igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch -net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch -tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch -tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch -net-ipv4-use-kfree_sensitive-instead-of-kfree.patch -net-ipv6-check-return-value-of-pskb_trim.patch -revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch -net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch -fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch -llc-don-t-drop-packet-from-non-root-netns.patch -alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch -netfilter-nf_tables-fix-spurious-set-element-inserti.patch -netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch -netfilter-nft_set_pipapo-fix-improper-element-remova.patch -netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch -netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch -bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch -bluetooth-hci_event-call-disconnect-callback-before-.patch -bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch -bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch -bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch -bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch -bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch -tcp-annotate-data-races-around-tp-tcp_tx_delay.patch -tcp-annotate-data-races-around-tp-tsoffset.patch -tcp-annotate-data-races-around-tp-keepalive_time.patch -tcp-annotate-data-races-around-tp-keepalive_intvl.patch -tcp-annotate-data-races-around-tp-keepalive_probes.patch -tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch -tcp-annotate-data-races-around-tp-linger2.patch -tcp-annotate-data-races-around-rskq_defer_accept.patch -tcp-annotate-data-races-around-tp-notsent_lowat.patch -tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch -tcp-annotate-data-races-around-fastopenq.max_qlen.patch -net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch -jbd2-recheck-chechpointing-non-dirty-buffer.patch -kbuild-rust-avoid-creating-temporary-files.patch -tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch -drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch -spi-dw-remove-misleading-comment-for-mount-evans-soc.patch -scsi-sg-don-t-grab-scsi-host-module-reference.patch x86-cpu-amd-move-the-errata-checking-functionality-up.patch x86-cpu-amd-add-a-zenbleed-fix.patch diff --git a/queue-6.4/smb-client-fix-missed-ses-refcounting.patch b/queue-6.4/smb-client-fix-missed-ses-refcounting.patch deleted file mode 100644 index a209fbf914a..00000000000 --- a/queue-6.4/smb-client-fix-missed-ses-refcounting.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 7f47ebc21a8e24962ac932e93de9a7d1e696e3d7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jul 2023 14:15:10 -0300 -Subject: smb: client: fix missed ses refcounting - -From: Paulo Alcantara - -[ Upstream commit bf99f6be2d20146942bce6f9e90a0ceef12cbc1e ] - -Use new cifs_smb_ses_inc_refcount() helper to get an active reference -of @ses and @ses->dfs_root_ses (if set). This will prevent -@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses() -and thus potentially causing an use-after-free bug. - -Fixes: 8e3554150d6c ("cifs: fix sharing of DFS connections") -Signed-off-by: Paulo Alcantara (SUSE) -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/smb/client/dfs.c | 26 ++++++++++---------------- - fs/smb/client/smb2transport.c | 2 +- - 2 files changed, 11 insertions(+), 17 deletions(-) - -diff --git a/fs/smb/client/dfs.c b/fs/smb/client/dfs.c -index 26d14dd0482ef..cf83617236d8b 100644 ---- a/fs/smb/client/dfs.c -+++ b/fs/smb/client/dfs.c -@@ -66,6 +66,12 @@ static int get_session(struct cifs_mount_ctx *mnt_ctx, const char *full_path) - return rc; - } - -+/* -+ * Track individual DFS referral servers used by new DFS mount. -+ * -+ * On success, their lifetime will be shared by final tcon (dfs_ses_list). -+ * Otherwise, they will be put by dfs_put_root_smb_sessions() in cifs_mount(). -+ */ - static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx) - { - struct smb3_fs_context *ctx = mnt_ctx->fs_ctx; -@@ -80,11 +86,12 @@ static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx) - INIT_LIST_HEAD(&root_ses->list); - - spin_lock(&cifs_tcp_ses_lock); -- ses->ses_count++; -+ cifs_smb_ses_inc_refcount(ses); - spin_unlock(&cifs_tcp_ses_lock); - root_ses->ses = ses; - list_add_tail(&root_ses->list, &mnt_ctx->dfs_ses_list); - } -+ /* Select new DFS referral server so that new referrals go through it */ - ctx->dfs_root_ses = ses; - return 0; - } -@@ -244,7 +251,6 @@ static int __dfs_mount_share(struct cifs_mount_ctx *mnt_ctx) - int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs) - { - struct smb3_fs_context *ctx = mnt_ctx->fs_ctx; -- struct cifs_ses *ses; - bool nodfs = ctx->nodfs; - int rc; - -@@ -278,20 +284,8 @@ int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs) - } - - *isdfs = true; -- /* -- * Prevent DFS root session of being put in the first call to -- * cifs_mount_put_conns(). If another DFS root server was not found -- * while chasing the referrals (@ctx->dfs_root_ses == @ses), then we -- * can safely put extra refcount of @ses. -- */ -- ses = mnt_ctx->ses; -- mnt_ctx->ses = NULL; -- mnt_ctx->server = NULL; -- rc = __dfs_mount_share(mnt_ctx); -- if (ses == ctx->dfs_root_ses) -- cifs_put_smb_ses(ses); -- -- return rc; -+ add_root_smb_session(mnt_ctx); -+ return __dfs_mount_share(mnt_ctx); - } - - /* Update dfs referral path of superblock */ -diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c -index 22954a9c7a6c7..355e8700530fc 100644 ---- a/fs/smb/client/smb2transport.c -+++ b/fs/smb/client/smb2transport.c -@@ -159,7 +159,7 @@ smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id) - spin_unlock(&ses->ses_lock); - continue; - } -- ++ses->ses_count; -+ cifs_smb_ses_inc_refcount(ses); - spin_unlock(&ses->ses_lock); - return ses; - } --- -2.39.2 - diff --git a/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch b/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch deleted file mode 100644 index 5375ee76f78..00000000000 --- a/queue-6.4/spi-bcm63xx-fix-max-prepend-length.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 85db4a1c7589a014ef7e05be2349369ceb31e125 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 09:14:52 +0200 -Subject: spi: bcm63xx: fix max prepend length - -From: Jonas Gorski - -[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] - -The command word is defined as following: - - /* Command */ - #define SPI_CMD_COMMAND_SHIFT 0 - #define SPI_CMD_DEVICE_ID_SHIFT 4 - #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 - #define SPI_CMD_ONE_BYTE_SHIFT 11 - #define SPI_CMD_ONE_WIRE_SHIFT 12 - -If the prepend byte count field starts at bit 8, and the next defined -bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and -thus the max value is 7, not 15. - -Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") -Signed-off-by: Jonas Gorski -Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-bcm63xx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c -index 9aecb77c3d892..07b5b71b23520 100644 ---- a/drivers/spi/spi-bcm63xx.c -+++ b/drivers/spi/spi-bcm63xx.c -@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi { - SPI_MSG_DATA_SIZE, - }; - --#define BCM63XX_SPI_MAX_PREPEND 15 -+#define BCM63XX_SPI_MAX_PREPEND 7 - - #define BCM63XX_SPI_MAX_CS 8 - #define BCM63XX_SPI_BUS_NUM 0 --- -2.39.2 - diff --git a/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch b/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch deleted file mode 100644 index e4ec977db97..00000000000 --- a/queue-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch +++ /dev/null @@ -1,91 +0,0 @@ -From a6e25408e4037a4e7c973bcbdc45c46f3e710817 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 May 2023 11:16:05 -0700 -Subject: spi: cadence-quadspi: Add compatible for AMD Pensando Elba SoC - -From: Brad Larson - -[ Upstream commit f5c2f9f9584353bc816d76a65c97dd03dc61678c ] - -The AMD Pensando Elba SoC has the Cadence QSPI controller integrated. - -The quirk CQSPI_NEEDS_APB_AHB_HAZARD_WAR is added and if enabled -a dummy readback from the controller is performed to ensure -synchronization. - -Signed-off-by: Brad Larson ---- - drivers/spi/spi-cadence-quadspi.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c -index 32449bef4415a..abf10f92415dc 100644 ---- a/drivers/spi/spi-cadence-quadspi.c -+++ b/drivers/spi/spi-cadence-quadspi.c -@@ -40,6 +40,7 @@ - #define CQSPI_SUPPORT_EXTERNAL_DMA BIT(2) - #define CQSPI_NO_SUPPORT_WR_COMPLETION BIT(3) - #define CQSPI_SLOW_SRAM BIT(4) -+#define CQSPI_NEEDS_APB_AHB_HAZARD_WAR BIT(5) - - /* Capabilities */ - #define CQSPI_SUPPORTS_OCTAL BIT(0) -@@ -90,6 +91,7 @@ struct cqspi_st { - u32 pd_dev_id; - bool wr_completion; - bool slow_sram; -+ bool apb_ahb_hazard; - }; - - struct cqspi_driver_platdata { -@@ -1027,6 +1029,13 @@ static int cqspi_indirect_write_execute(struct cqspi_flash_pdata *f_pdata, - if (cqspi->wr_delay) - ndelay(cqspi->wr_delay); - -+ /* -+ * If a hazard exists between the APB and AHB interfaces, perform a -+ * dummy readback from the controller to ensure synchronization. -+ */ -+ if (cqspi->apb_ahb_hazard) -+ readl(reg_base + CQSPI_REG_INDIRECTWR); -+ - while (remaining > 0) { - size_t write_words, mod_bytes; - -@@ -1754,6 +1763,8 @@ static int cqspi_probe(struct platform_device *pdev) - cqspi->wr_completion = false; - if (ddata->quirks & CQSPI_SLOW_SRAM) - cqspi->slow_sram = true; -+ if (ddata->quirks & CQSPI_NEEDS_APB_AHB_HAZARD_WAR) -+ cqspi->apb_ahb_hazard = true; - - if (of_device_is_compatible(pdev->dev.of_node, - "xlnx,versal-ospi-1.0")) { -@@ -1888,6 +1899,10 @@ static const struct cqspi_driver_platdata jh7110_qspi = { - .quirks = CQSPI_DISABLE_DAC_MODE, - }; - -+static const struct cqspi_driver_platdata pensando_cdns_qspi = { -+ .quirks = CQSPI_NEEDS_APB_AHB_HAZARD_WAR | CQSPI_DISABLE_DAC_MODE, -+}; -+ - static const struct of_device_id cqspi_dt_ids[] = { - { - .compatible = "cdns,qspi-nor", -@@ -1917,6 +1932,10 @@ static const struct of_device_id cqspi_dt_ids[] = { - .compatible = "starfive,jh7110-qspi", - .data = &jh7110_qspi, - }, -+ { -+ .compatible = "amd,pensando-elba-qspi", -+ .data = &pensando_cdns_qspi, -+ }, - { /* end of table */ } - }; - --- -2.39.2 - diff --git a/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch b/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch deleted file mode 100644 index 7e4132d1509..00000000000 --- a/queue-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 5c7b90ce00cd6f8e21d963c6fe6d85aec915540e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Jun 2023 07:54:01 -0700 -Subject: spi: dw: Add compatible for Intel Mount Evans SoC - -From: Abe Kohandel - -[ Upstream commit 0760d5d0e9f0c0e2200a0323a61d1995bb745dee ] - -The Intel Mount Evans SoC's Integrated Management Complex uses the SPI -controller for access to a NOR SPI FLASH. However, the SoC doesn't -provide a mechanism to override the native chip select signal. - -This driver doesn't use DMA for memory operations when a chip select -override is not provided due to the native chip select timing behavior. -As a result no DMA configuration is done for the controller and this -configuration is not tested. - -The controller also has an errata where a full TX FIFO can result in -data corruption. The suggested workaround is to never completely fill -the FIFO. The TX FIFO has a size of 32 so the fifo_len is set to 31. - -Signed-off-by: Abe Kohandel -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20230606145402.474866-2-abe.kohandel@intel.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-dw-mmio.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c -index 15f5e9cb54ad4..5a38cb09a650d 100644 ---- a/drivers/spi/spi-dw-mmio.c -+++ b/drivers/spi/spi-dw-mmio.c -@@ -236,6 +236,31 @@ static int dw_spi_intel_init(struct platform_device *pdev, - return 0; - } - -+/* -+ * The Intel Mount Evans SoC's Integrated Management Complex uses the -+ * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't -+ * provide a mechanism to override the native chip select signal. -+ * -+ * This driver doesn't use DMA for memory operations when a chip select -+ * override is not provided due to the native chip select timing behavior. -+ * As a result no DMA configuration is done for the controller and this -+ * configuration is not tested. -+ */ -+static int dw_spi_mountevans_imc_init(struct platform_device *pdev, -+ struct dw_spi_mmio *dwsmmio) -+{ -+ /* -+ * The Intel Mount Evans SoC's Integrated Management Complex DW -+ * apb_ssi_v4.02a controller has an errata where a full TX FIFO can -+ * result in data corruption. The suggested workaround is to never -+ * completely fill the FIFO. The TX FIFO has a size of 32 so the -+ * fifo_len is set to 31. -+ */ -+ dwsmmio->dws.fifo_len = 31; -+ -+ return 0; -+} -+ - static int dw_spi_canaan_k210_init(struct platform_device *pdev, - struct dw_spi_mmio *dwsmmio) - { -@@ -405,6 +430,10 @@ static const struct of_device_id dw_spi_mmio_of_match[] = { - { .compatible = "snps,dwc-ssi-1.01a", .data = dw_spi_hssi_init}, - { .compatible = "intel,keembay-ssi", .data = dw_spi_intel_init}, - { .compatible = "intel,thunderbay-ssi", .data = dw_spi_intel_init}, -+ { -+ .compatible = "intel,mountevans-imc-ssi", -+ .data = dw_spi_mountevans_imc_init, -+ }, - { .compatible = "microchip,sparx5-spi", dw_spi_mscc_sparx5_init}, - { .compatible = "canaan,k210-spi", dw_spi_canaan_k210_init}, - { .compatible = "amd,pensando-elba-spi", .data = dw_spi_elba_init}, --- -2.39.2 - diff --git a/queue-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch b/queue-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch deleted file mode 100644 index 95194c927c4..00000000000 --- a/queue-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 Mon Sep 17 00:00:00 2001 -From: Abe Kohandel -Date: Tue, 6 Jun 2023 16:18:44 -0700 -Subject: spi: dw: Remove misleading comment for Mount Evans SoC - -From: Abe Kohandel - -commit 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 upstream. - -Remove a misleading comment about the DMA operations of the Intel Mount -Evans SoC's SPI Controller as requested by Serge. - -Signed-off-by: Abe Kohandel -Link: https://lore.kernel.org/linux-spi/20230606191333.247ucbf7h3tlooxf@mobilestation/ -Fixes: 0760d5d0e9f0 ("spi: dw: Add compatible for Intel Mount Evans SoC") -Reviewed-by: Serge Semin -Link: https://lore.kernel.org/r/20230606231844.726272-1-abe.kohandel@intel.com -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - drivers/spi/spi-dw-mmio.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - ---- a/drivers/spi/spi-dw-mmio.c -+++ b/drivers/spi/spi-dw-mmio.c -@@ -237,14 +237,7 @@ static int dw_spi_intel_init(struct plat - } - - /* -- * The Intel Mount Evans SoC's Integrated Management Complex uses the -- * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't -- * provide a mechanism to override the native chip select signal. -- * -- * This driver doesn't use DMA for memory operations when a chip select -- * override is not provided due to the native chip select timing behavior. -- * As a result no DMA configuration is done for the controller and this -- * configuration is not tested. -+ * DMA-based mem ops are not configured for this device and are not tested. - */ - static int dw_spi_mountevans_imc_init(struct platform_device *pdev, - struct dw_spi_mmio *dwsmmio) diff --git a/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch b/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch deleted file mode 100644 index 33df33382a5..00000000000 --- a/queue-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 18195ef4c4ce79e318fb5c779ab1ea8c6a1e88c8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jul 2023 17:20:20 +0900 -Subject: spi: s3c64xx: clear loopback bit after loopback test - -From: Jaewon Kim - -[ Upstream commit 9ec3c5517e22a12d2ff1b71e844f7913641460c6 ] - -When SPI loopback transfer is performed, S3C64XX_SPI_MODE_SELF_LOOPBACK -bit still remained. It works as loopback even if the next transfer is -not spi loopback mode. -If not SPI_LOOP, needs to clear S3C64XX_SPI_MODE_SELF_LOOPBACK bit. - -Signed-off-by: Jaewon Kim -Fixes: ffb7bcd3b27e ("spi: s3c64xx: support loopback mode") -Reviewed-by: Chanho Park -Link: https://lore.kernel.org/r/20230711082020.138165-1-jaewon02.kim@samsung.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-s3c64xx.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c -index 7ac17f0d18a95..1a8b31e20baf2 100644 ---- a/drivers/spi/spi-s3c64xx.c -+++ b/drivers/spi/spi-s3c64xx.c -@@ -668,6 +668,8 @@ static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) - - if ((sdd->cur_mode & SPI_LOOP) && sdd->port_conf->has_loopback) - val |= S3C64XX_SPI_MODE_SELF_LOOPBACK; -+ else -+ val &= ~S3C64XX_SPI_MODE_SELF_LOOPBACK; - - writel(val, regs + S3C64XX_SPI_MODE_CFG); - --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch deleted file mode 100644 index c7070edb201..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 5b09a1d0f89f0fe1f11380b4827375463adc9b58 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:57 +0000 -Subject: tcp: annotate data-races around fastopenq.max_qlen - -From: Eric Dumazet - -[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] - -This field can be read locklessly. - -Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/linux/tcp.h | 2 +- - net/ipv4/tcp.c | 2 +- - net/ipv4/tcp_fastopen.c | 6 ++++-- - 3 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/include/linux/tcp.h b/include/linux/tcp.h -index b4c08ac869835..91a37c99ba665 100644 ---- a/include/linux/tcp.h -+++ b/include/linux/tcp.h -@@ -513,7 +513,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) - struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; - int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); - -- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); -+ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); - } - - static inline void tcp_move_syn(struct tcp_sock *tp, -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c9b955d9d7ace..79f29e138fc9f 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -4254,7 +4254,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_FASTOPEN: -- val = icsk->icsk_accept_queue.fastopenq.max_qlen; -+ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); - break; - - case TCP_FASTOPEN_CONNECT: -diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c -index 45cc7f1ca2961..85e4953f11821 100644 ---- a/net/ipv4/tcp_fastopen.c -+++ b/net/ipv4/tcp_fastopen.c -@@ -296,6 +296,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk, - static bool tcp_fastopen_queue_check(struct sock *sk) - { - struct fastopen_queue *fastopenq; -+ int max_qlen; - - /* Make sure the listener has enabled fastopen, and we don't - * exceed the max # of pending TFO requests allowed before trying -@@ -308,10 +309,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) - * temporarily vs a server not supporting Fast Open at all. - */ - fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; -- if (fastopenq->max_qlen == 0) -+ max_qlen = READ_ONCE(fastopenq->max_qlen); -+ if (max_qlen == 0) - return false; - -- if (fastopenq->qlen >= fastopenq->max_qlen) { -+ if (fastopenq->qlen >= max_qlen) { - struct request_sock *req1; - spin_lock(&fastopenq->lock); - req1 = fastopenq->rskq_rst_head; --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch deleted file mode 100644 index 8e0c0cc38f6..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 97078fbe71e9da46eaf0ff1bd216712e9fb816e6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:52 +0000 -Subject: tcp: annotate data-races around icsk->icsk_syn_retries - -From: Eric Dumazet - -[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ] - -do_tcp_getsockopt() and reqsk_timer_handler() read -icsk->icsk_syn_retries while another cpu might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/inet_connection_sock.c | 2 +- - net/ipv4/tcp.c | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 1386787eaf1a5..3105a676eba76 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -1016,7 +1016,7 @@ static void reqsk_timer_handler(struct timer_list *t) - - icsk = inet_csk(sk_listener); - net = sock_net(sk_listener); -- max_syn_ack_retries = icsk->icsk_syn_retries ? : -+ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? : - READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); - /* Normally all the openreqs are young and become mature - * (i.e. converted to established socket) for first timeout. -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index cc7966cfad1a3..488cf4ae75fab 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3400,7 +3400,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- inet_csk(sk)->icsk_syn_retries = val; -+ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val); - release_sock(sk); - return 0; - } -@@ -3681,7 +3681,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_SYNCNT) - err = -EINVAL; - else -- icsk->icsk_syn_retries = val; -+ WRITE_ONCE(icsk->icsk_syn_retries, val); - break; - - case TCP_SAVE_SYN: -@@ -4102,7 +4102,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = keepalive_probes(tp); - break; - case TCP_SYNCNT: -- val = icsk->icsk_syn_retries ? : -+ val = READ_ONCE(icsk->icsk_syn_retries) ? : - READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); - break; - case TCP_LINGER2: --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch deleted file mode 100644 index 67b0bc746df..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 65a31d1209b2ad2cee321305e50cc53cc92031e7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:56 +0000 -Subject: tcp: annotate data-races around icsk->icsk_user_timeout - -From: Eric Dumazet - -[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ] - -This field can be read locklessly from do_tcp_getsockopt() - -Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 4556ba6e7d74d..c9b955d9d7ace 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3409,7 +3409,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt); - void tcp_sock_set_user_timeout(struct sock *sk, u32 val) - { - lock_sock(sk); -- inet_csk(sk)->icsk_user_timeout = val; -+ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val); - release_sock(sk); - } - EXPORT_SYMBOL(tcp_sock_set_user_timeout); -@@ -3729,7 +3729,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 0) - err = -EINVAL; - else -- icsk->icsk_user_timeout = val; -+ WRITE_ONCE(icsk->icsk_user_timeout, val); - break; - - case TCP_FASTOPEN: -@@ -4250,7 +4250,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_USER_TIMEOUT: -- val = icsk->icsk_user_timeout; -+ val = READ_ONCE(icsk->icsk_user_timeout); - break; - - case TCP_FASTOPEN: --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch deleted file mode 100644 index 9a5faac4cb3..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch +++ /dev/null @@ -1,53 +0,0 @@ -From f1ac3daf1c804ebe70383f81c2f4438bf429b0b1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:54 +0000 -Subject: tcp: annotate data-races around rskq_defer_accept - -From: Eric Dumazet - -[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] - -do_tcp_getsockopt() reads rskq_defer_accept while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 0ebe775bde688..c95d8b43390b6 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3703,9 +3703,9 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - - case TCP_DEFER_ACCEPT: - /* Translate value in seconds to number of retransmits */ -- icsk->icsk_accept_queue.rskq_defer_accept = -- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -- TCP_RTO_MAX / HZ); -+ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, -+ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ)); - break; - - case TCP_WINDOW_CLAMP: -@@ -4111,8 +4111,9 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; - case TCP_DEFER_ACCEPT: -- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, -- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); -+ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); -+ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ); - break; - case TCP_WINDOW_CLAMP: - val = tp->window_clamp; --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch deleted file mode 100644 index 3074c2dd698..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch +++ /dev/null @@ -1,184 +0,0 @@ -From b7a226c14fd63574e5f9f99c875c51589d9111f0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:44:45 +0000 -Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent - -From: Eric Dumazet - -[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] - -TCP request sockets are lockless, tcp_rsk(req)->ts_recent -can change while being read by another cpu as syzbot noticed. - -This is harmless, but we should annotate the known races. - -Note that tcp_check_req() changes req->ts_recent a bit early, -we might change this in the future. - -BUG: KCSAN: data-race in tcp_check_req / tcp_check_req - -write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: -tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 -tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 -ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 -ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 -dst_input include/net/dst.h:468 [inline] -ip_rcv_finish net/ipv4/ip_input.c:449 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 -__netif_receive_skb_one_core net/core/dev.c:5493 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 -process_backlog+0x21f/0x380 net/core/dev.c:5935 -__napi_poll+0x60/0x3b0 net/core/dev.c:6498 -napi_poll net/core/dev.c:6565 [inline] -net_rx_action+0x32b/0x750 net/core/dev.c:6698 -__do_softirq+0xc1/0x265 kernel/softirq.c:571 -do_softirq+0x7e/0xb0 kernel/softirq.c:472 -__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 -local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 -rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] -__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 -dev_queue_xmit include/linux/netdevice.h:3088 [inline] -neigh_hh_output include/net/neighbour.h:528 [inline] -neigh_output include/net/neighbour.h:542 [inline] -ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 -ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 -NF_HOOK_COND include/linux/netfilter.h:292 [inline] -ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 -dst_output include/net/dst.h:458 [inline] -ip_local_out net/ipv4/ip_output.c:126 [inline] -__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 -ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 -__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 -tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] -tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 -__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 -tcp_push_pending_frames include/net/tcp.h:1952 [inline] -__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] -tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 -rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 -rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 -rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 -process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 -worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 -kthread+0x1d7/0x210 kernel/kthread.c:379 -ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 - -read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: -tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 -tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 -ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 -ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 -dst_input include/net/dst.h:468 [inline] -ip_rcv_finish net/ipv4/ip_input.c:449 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 -__netif_receive_skb_one_core net/core/dev.c:5493 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 -process_backlog+0x21f/0x380 net/core/dev.c:5935 -__napi_poll+0x60/0x3b0 net/core/dev.c:6498 -napi_poll net/core/dev.c:6565 [inline] -net_rx_action+0x32b/0x750 net/core/dev.c:6698 -__do_softirq+0xc1/0x265 kernel/softirq.c:571 -run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 -smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 -kthread+0x1d7/0x210 kernel/kthread.c:379 -ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 - -value changed: 0x1cd237f1 -> 0x1cd237f2 - -Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Reviewed-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 2 +- - net/ipv4/tcp_minisocks.c | 9 ++++++--- - net/ipv4/tcp_output.c | 2 +- - net/ipv6/tcp_ipv6.c | 2 +- - 4 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 52229c75e76f6..5d3e49ceb6917 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -988,7 +988,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - tcp_rsk(req)->rcv_nxt, - req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, - tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, -- req->ts_recent, -+ READ_ONCE(req->ts_recent), - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index 909f3b4ed2059..62641d42b06b5 100644 ---- a/net/ipv4/tcp_minisocks.c -+++ b/net/ipv4/tcp_minisocks.c -@@ -555,7 +555,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, - newtp->max_window = newtp->snd_wnd; - - if (newtp->rx_opt.tstamp_ok) { -- newtp->rx_opt.ts_recent = req->ts_recent; -+ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); - newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); - newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; - } else { -@@ -619,7 +619,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, - tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); - - if (tmp_opt.saw_tstamp) { -- tmp_opt.ts_recent = req->ts_recent; -+ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); - if (tmp_opt.rcv_tsecr) - tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; - /* We do not store true stamp, but it is not required, -@@ -758,8 +758,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, - - /* In sequence, PAWS is OK. */ - -+ /* TODO: We probably should defer ts_recent change once -+ * we take ownership of @req. -+ */ - if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) -- req->ts_recent = tmp_opt.rcv_tsval; -+ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); - - if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { - /* Truncate SYN, it is out of window starting -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 1538b59913777..518cb4abc8b4f 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -876,7 +876,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, - if (likely(ireq->tstamp_ok)) { - opts->options |= OPTION_TS; - opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; -- opts->tsecr = req->ts_recent; -+ opts->tsecr = READ_ONCE(req->ts_recent); - remaining -= TCPOLEN_TSTAMP_ALIGNED; - } - if (likely(ireq->sack_ok)) { -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index a3c86b714b242..f7c248a7f8d1d 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1130,7 +1130,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - tcp_rsk(req)->rcv_nxt, - req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, - tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, -- req->ts_recent, sk->sk_bound_dev_if, -+ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), - ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, - READ_ONCE(tcp_rsk(req)->txhash)); --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch b/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch deleted file mode 100644 index 1ddefd6e96d..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch +++ /dev/null @@ -1,170 +0,0 @@ -From 88776fdbebf0e1811026f988f6a954812ae75b6e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:44:44 +0000 -Subject: tcp: annotate data-races around tcp_rsk(req)->txhash - -From: Eric Dumazet - -[ Upstream commit 5e5265522a9a7f91d1b0bd411d634bdaf16c80cd ] - -TCP request sockets are lockless, some of their fields -can change while being read by another cpu as syzbot noticed. - -This is usually harmless, but we should annotate the known -races. - -This patch takes care of tcp_rsk(req)->txhash, -a separate one is needed for tcp_rsk(req)->ts_recent. - -BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack - -write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1: -tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213 -inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880 -tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665 -tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673 -ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 -ip6_input_finish net/ipv6/ip6_input.c:482 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 -dst_input include/net/dst.h:468 [inline] -ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 -NF_HOOK include/linux/netfilter.h:303 [inline] -ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 -__netif_receive_skb_one_core net/core/dev.c:5452 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 -netif_receive_skb_internal net/core/dev.c:5652 [inline] -netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 -tun_rx_batched+0x3bf/0x400 -tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 -tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 -call_write_iter include/linux/fs.h:1871 [inline] -new_sync_write fs/read_write.c:491 [inline] -vfs_write+0x4ab/0x7d0 fs/read_write.c:584 -ksys_write+0xeb/0x1a0 fs/read_write.c:637 -__do_sys_write fs/read_write.c:649 [inline] -__se_sys_write fs/read_write.c:646 [inline] -__x64_sys_write+0x42/0x50 fs/read_write.c:646 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0: -tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663 -tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544 -tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059 -tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175 -tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494 -tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509 -tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735 -ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 -ip6_input_finish net/ipv6/ip6_input.c:482 [inline] -NF_HOOK include/linux/netfilter.h:303 [inline] -ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 -dst_input include/net/dst.h:468 [inline] -ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 -NF_HOOK include/linux/netfilter.h:303 [inline] -ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 -__netif_receive_skb_one_core net/core/dev.c:5452 [inline] -__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 -netif_receive_skb_internal net/core/dev.c:5652 [inline] -netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 -tun_rx_batched+0x3bf/0x400 -tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 -tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 -call_write_iter include/linux/fs.h:1871 [inline] -new_sync_write fs/read_write.c:491 [inline] -vfs_write+0x4ab/0x7d0 fs/read_write.c:584 -ksys_write+0xeb/0x1a0 fs/read_write.c:637 -__do_sys_write fs/read_write.c:649 [inline] -__se_sys_write fs/read_write.c:646 [inline] -__x64_sys_write+0x42/0x50 fs/read_write.c:646 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -value changed: 0x91d25731 -> 0xe79325cd - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller-00033-geb26cbb1a754 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 - -Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Reviewed-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_ipv4.c | 3 ++- - net/ipv4/tcp_minisocks.c | 2 +- - net/ipv4/tcp_output.c | 4 ++-- - net/ipv6/tcp_ipv6.c | 2 +- - 4 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index a64069077e388..52229c75e76f6 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -992,7 +992,8 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, -- ip_hdr(skb)->tos, tcp_rsk(req)->txhash); -+ ip_hdr(skb)->tos, -+ READ_ONCE(tcp_rsk(req)->txhash)); - } - - /* -diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c -index dac0d62120e62..909f3b4ed2059 100644 ---- a/net/ipv4/tcp_minisocks.c -+++ b/net/ipv4/tcp_minisocks.c -@@ -528,7 +528,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, - newicsk->icsk_ack.lrcvtime = tcp_jiffies32; - - newtp->lsndtime = tcp_jiffies32; -- newsk->sk_txhash = treq->txhash; -+ newsk->sk_txhash = READ_ONCE(treq->txhash); - newtp->total_retrans = req->num_retrans; - - tcp_init_xmit_timers(newsk); -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index cfe128b81a010..1538b59913777 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -3578,7 +3578,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, - rcu_read_lock(); - md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); - #endif -- skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4); -+ skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4); - /* bpf program will be interested in the tcp_flags */ - TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK; - tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5, -@@ -4121,7 +4121,7 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) - - /* Paired with WRITE_ONCE() in sock_setsockopt() */ - if (READ_ONCE(sk->sk_txrehash) == SOCK_TXREHASH_ENABLED) -- tcp_rsk(req)->txhash = net_tx_rndhash(); -+ WRITE_ONCE(tcp_rsk(req)->txhash, net_tx_rndhash()); - res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL, - NULL); - if (!res) { -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 7132eb213a7a2..a3c86b714b242 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1133,7 +1133,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - req->ts_recent, sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), - ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, -- tcp_rsk(req)->txhash); -+ READ_ONCE(tcp_rsk(req)->txhash)); - } - - --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch deleted file mode 100644 index e11dfeec5ce..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch +++ /dev/null @@ -1,68 +0,0 @@ -From eb1f807c757603fcae643c60d5656a557d7fcf23 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:50 +0000 -Subject: tcp: annotate data-races around tp->keepalive_intvl - -From: Eric Dumazet - -[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] - -do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 9 +++++++-- - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 9a12e8c09ea04..45d50a40795da 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1514,9 +1514,14 @@ void tcp_leave_memory_pressure(struct sock *sk); - static inline int keepalive_intvl_when(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; -+ -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() -+ * and do_tcp_setsockopt(). -+ */ -+ val = READ_ONCE(tp->keepalive_intvl); - -- return tp->keepalive_intvl ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); - } - - static inline int keepalive_time_when(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c3b743093d482..514817119bd4d 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3454,7 +3454,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- tcp_sk(sk)->keepalive_intvl = val * HZ; -+ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); - release_sock(sk); - return 0; - } -@@ -3668,7 +3668,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_KEEPINTVL) - err = -EINVAL; - else -- tp->keepalive_intvl = val * HZ; -+ WRITE_ONCE(tp->keepalive_intvl, val * HZ); - break; - case TCP_KEEPCNT: - if (val < 1 || val > MAX_TCP_KEEPCNT) --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch deleted file mode 100644 index 020838dea02..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 3c544d75eaf9ba69dfea97b2f66579cb211ea2c6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:51 +0000 -Subject: tcp: annotate data-races around tp->keepalive_probes - -From: Eric Dumazet - -[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] - -do_tcp_getsockopt() reads tp->keepalive_probes while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 9 +++++++-- - net/ipv4/tcp.c | 5 +++-- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 45d50a40795da..f5c20afab6286 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1538,9 +1538,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) - static inline int keepalive_probes(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; -+ -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() -+ * and do_tcp_setsockopt(). -+ */ -+ val = READ_ONCE(tp->keepalive_probes); - -- return tp->keepalive_probes ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); - } - - static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 514817119bd4d..cc7966cfad1a3 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3466,7 +3466,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) - return -EINVAL; - - lock_sock(sk); -- tcp_sk(sk)->keepalive_probes = val; -+ /* Paired with READ_ONCE() in keepalive_probes() */ -+ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); - release_sock(sk); - return 0; - } -@@ -3674,7 +3675,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (val < 1 || val > MAX_TCP_KEEPCNT) - err = -EINVAL; - else -- tp->keepalive_probes = val; -+ WRITE_ONCE(tp->keepalive_probes, val); - break; - case TCP_SYNCNT: - if (val < 1 || val > MAX_TCP_SYNCNT) --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch b/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch deleted file mode 100644 index bb6ff6bcbd7..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 2eef7f4c025ee2aa146f34a5772cc1b7a238dbca Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:49 +0000 -Subject: tcp: annotate data-races around tp->keepalive_time - -From: Eric Dumazet - -[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ] - -do_tcp_getsockopt() reads tp->keepalive_time while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 7 +++++-- - net/ipv4/tcp.c | 3 ++- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 5066e4586cf09..9a12e8c09ea04 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1522,9 +1522,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp) - static inline int keepalive_time_when(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -+ int val; - -- return tp->keepalive_time ? : -- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); -+ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */ -+ val = READ_ONCE(tp->keepalive_time); -+ -+ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); - } - - static inline int keepalive_probes(const struct tcp_sock *tp) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 15b1191411ec3..c3b743093d482 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3421,7 +3421,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val) - if (val < 1 || val > MAX_TCP_KEEPIDLE) - return -EINVAL; - -- tp->keepalive_time = val * HZ; -+ /* Paired with WRITE_ONCE() in keepalive_time_when() */ -+ WRITE_ONCE(tp->keepalive_time, val * HZ); - if (sock_flag(sk, SOCK_KEEPOPEN) && - !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) { - u32 elapsed = keepalive_time_elapsed(tp); --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch b/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch deleted file mode 100644 index 17e38352929..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-linger2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From c991ef8d2f78d59e37d46bc34f83543e35380e48 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:53 +0000 -Subject: tcp: annotate data-races around tp->linger2 - -From: Eric Dumazet - -[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] - -do_tcp_getsockopt() reads tp->linger2 while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 488cf4ae75fab..0ebe775bde688 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3694,11 +3694,11 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - - case TCP_LINGER2: - if (val < 0) -- tp->linger2 = -1; -+ WRITE_ONCE(tp->linger2, -1); - else if (val > TCP_FIN_TIMEOUT_MAX / HZ) -- tp->linger2 = TCP_FIN_TIMEOUT_MAX; -+ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); - else -- tp->linger2 = val * HZ; -+ WRITE_ONCE(tp->linger2, val * HZ); - break; - - case TCP_DEFER_ACCEPT: -@@ -4106,7 +4106,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); - break; - case TCP_LINGER2: -- val = tp->linger2; -+ val = READ_ONCE(tp->linger2); - if (val >= 0) - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch deleted file mode 100644 index ed048ebf4ba..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 4bc5036687890dfe01504c01b2f18fd6df09d832 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:55 +0000 -Subject: tcp: annotate data-races around tp->notsent_lowat - -From: Eric Dumazet - -[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] - -tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() -and tcp_poll(). - -Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 6 +++++- - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index f5c20afab6286..182337a8cf94a 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -2066,7 +2066,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); - static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); -+ u32 val; -+ -+ val = READ_ONCE(tp->notsent_lowat); -+ -+ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); - } - - bool tcp_stream_memory_free(const struct sock *sk, int wake); -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c95d8b43390b6..4556ba6e7d74d 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3773,7 +3773,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - err = tcp_repair_set_window(tp, optval, optlen); - break; - case TCP_NOTSENT_LOWAT: -- tp->notsent_lowat = val; -+ WRITE_ONCE(tp->notsent_lowat, val); - sk->sk_write_space(sk); - break; - case TCP_INQ: -@@ -4273,7 +4273,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); - break; - case TCP_NOTSENT_LOWAT: -- val = tp->notsent_lowat; -+ val = READ_ONCE(tp->notsent_lowat); - break; - case TCP_INQ: - val = tp->recvmsg_inq; --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch deleted file mode 100644 index fa3423207b2..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 6da2c91d66ac6794f97598f35fdc0561132cce52 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:47 +0000 -Subject: tcp: annotate data-races around tp->tcp_tx_delay - -From: Eric Dumazet - -[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] - -do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu -might change its value. - -Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 8d20d9221238c..c0e0add372f75 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3783,7 +3783,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - case TCP_TX_DELAY: - if (val) - tcp_enable_tx_delay(); -- tp->tcp_tx_delay = val; -+ WRITE_ONCE(tp->tcp_tx_delay, val); - break; - default: - err = -ENOPROTOOPT; -@@ -4263,7 +4263,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_TX_DELAY: -- val = tp->tcp_tx_delay; -+ val = READ_ONCE(tp->tcp_tx_delay); - break; - - case TCP_TIMESTAMP: --- -2.39.2 - diff --git a/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch b/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch deleted file mode 100644 index 3b97d04b026..00000000000 --- a/queue-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5388118e5be93f20f250500b27911813da339615 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:48 +0000 -Subject: tcp: annotate data-races around tp->tsoffset - -From: Eric Dumazet - -[ Upstream commit dd23c9f1e8d5c1d2e3d29393412385ccb9c7a948 ] - -do_tcp_getsockopt() reads tp->tsoffset while another cpu -might change its value. - -Fixes: 93be6ce0e91b ("tcp: set and get per-socket timestamp") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 4 ++-- - net/ipv4/tcp_ipv4.c | 5 +++-- - 2 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index c0e0add372f75..15b1191411ec3 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3765,7 +3765,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, - if (!tp->repair) - err = -EPERM; - else -- tp->tsoffset = val - tcp_time_stamp_raw(); -+ WRITE_ONCE(tp->tsoffset, val - tcp_time_stamp_raw()); - break; - case TCP_REPAIR_WINDOW: - err = tcp_repair_set_window(tp, optval, optlen); -@@ -4267,7 +4267,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_TIMESTAMP: -- val = tcp_time_stamp_raw() + tp->tsoffset; -+ val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); - break; - case TCP_NOTSENT_LOWAT: - val = tp->notsent_lowat; -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index 5d3e49ceb6917..f37d13ee7b4cc 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -307,8 +307,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - inet->inet_daddr, - inet->inet_sport, - usin->sin_port)); -- tp->tsoffset = secure_tcp_ts_off(net, inet->inet_saddr, -- inet->inet_daddr); -+ WRITE_ONCE(tp->tsoffset, -+ secure_tcp_ts_off(net, inet->inet_saddr, -+ inet->inet_daddr)); - } - - inet->inet_id = get_random_u16(); --- -2.39.2 - diff --git a/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch b/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch deleted file mode 100644 index 1fee388a390..00000000000 --- a/queue-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch +++ /dev/null @@ -1,45 +0,0 @@ -From f43714dfffa897d008f9e65fde3c5aa5e8c9d357 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 21 May 2023 11:36:31 +0200 -Subject: tools/nolibc: ensure stack protector guard is never zero -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Thomas Weißschuh - -[ Upstream commit 88fc7eb54ecc6db8b773341ce39ad201066fa7da ] - -The all-zero pattern is one of the more probable out-of-bound writes so -add a special case to not accidentally accept it. - -Also it enables the reliable detection of stack protector initialization -during testing. - -Signed-off-by: Thomas Weißschuh -Signed-off-by: Willy Tarreau -Signed-off-by: Paul E. McKenney -Signed-off-by: Sasha Levin ---- - tools/include/nolibc/stackprotector.h | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/tools/include/nolibc/stackprotector.h b/tools/include/nolibc/stackprotector.h -index d119cbbbc256f..9890e86c26172 100644 ---- a/tools/include/nolibc/stackprotector.h -+++ b/tools/include/nolibc/stackprotector.h -@@ -45,8 +45,9 @@ __attribute__((weak,no_stack_protector,section(".text.nolibc_stack_chk"))) - void __stack_chk_init(void) - { - my_syscall3(__NR_getrandom, &__stack_chk_guard, sizeof(__stack_chk_guard), 0); -- /* a bit more randomness in case getrandom() fails */ -- __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; -+ /* a bit more randomness in case getrandom() fails, ensure the guard is never 0 */ -+ if (__stack_chk_guard != (uintptr_t) &__stack_chk_guard) -+ __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; - } - #endif // defined(NOLIBC_STACKPROTECTOR) - --- -2.39.2 - diff --git a/queue-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/queue-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch deleted file mode 100644 index 7db4ebfafcd..00000000000 --- a/queue-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001 -From: Mohamed Khalfella -Date: Fri, 14 Jul 2023 20:33:41 +0000 -Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list - -From: Mohamed Khalfella - -commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream. - -Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if -they have referenced variables") added a check to fail histogram creation -if save_hist_vars() failed to add histogram to hist_vars list. But the -commit failed to set ret to failed return code before jumping to -unregister histogram, fix it. - -Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com - -Cc: stable@vger.kernel.org -Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables") -Signed-off-by: Mohamed Khalfella -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_hist.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/kernel/trace/trace_events_hist.c -+++ b/kernel/trace/trace_events_hist.c -@@ -6668,7 +6668,8 @@ static int event_hist_trigger_parse(stru - goto out_unreg; - - if (has_hist_vars(hist_data) || hist_data->n_var_refs) { -- if (save_hist_vars(hist_data)) -+ ret = save_hist_vars(hist_data); -+ if (ret) - goto out_unreg; - } - diff --git a/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch b/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch deleted file mode 100644 index f441b8a81d2..00000000000 --- a/queue-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5afab5540afc4763031f025a6abfd3be2b509cbf Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Wed, 21 Jun 2023 11:32:35 +0200 -Subject: [PATCH AUTOSEL 5.4 07/12] udf: Fix uninitialized array access for - some pathnames -X-stable: review -X-Patchwork-Hint: Ignore -X-stable-base: Linux 5.4.249 - -[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] - -For filenames that begin with . and are between 2 and 5 characters long, -UDF charset conversion code would read uninitialized memory in the -output buffer. The only practical impact is that the name may be prepended a -"unification hash" when it is not actually needed but still it is good -to fix this. - -Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin ---- - fs/udf/unicode.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c -index 622569007b530..2142cbd1dde24 100644 ---- a/fs/udf/unicode.c -+++ b/fs/udf/unicode.c -@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct super_block *sb, - } - - if (translate) { -- if (str_o_len <= 2 && str_o[0] == '.' && -+ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' && - (str_o_len == 1 || str_o[1] == '.')) - needsCRC = 1; - if (needsCRC) { --- -2.39.2 - diff --git a/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch b/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch deleted file mode 100644 index 17befa9989a..00000000000 --- a/queue-6.4/vrf-fix-lockdep-splat-in-output-path.patch +++ /dev/null @@ -1,156 +0,0 @@ -From 758179b3adfd2b1b23f1aeb82d8d9fbcdd680dea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 15 Jul 2023 18:36:05 +0300 -Subject: vrf: Fix lockdep splat in output path - -From: Ido Schimmel - -[ Upstream commit 2033ab90380d46e0e9f0520fd6776a73d107fd95 ] - -Cited commit converted the neighbour code to use the standard RCU -variant instead of the RCU-bh variant, but the VRF code still uses -rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup -code in its IPv4 and IPv6 output paths, resulting in lockdep splats -[1][2]. Can be reproduced using [3]. - -Fix by switching to rcu_read_lock() / rcu_read_unlock(). - -[1] -============================= -WARNING: suspicious RCU usage -6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted ------------------------------ -include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! - -other info that might help us debug this: - -rcu_scheduler_active = 2, debug_locks = 1 -2 locks held by ping/183: - #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0 - #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030 - -stack backtrace: -CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 -Call Trace: - - dump_stack_lvl+0xc1/0xf0 - lockdep_rcu_suspicious+0x211/0x3b0 - vrf_output+0x1380/0x2030 - ip_push_pending_frames+0x125/0x2a0 - raw_sendmsg+0x200d/0x33c0 - inet_sendmsg+0xa2/0xe0 - __sys_sendto+0x2aa/0x420 - __x64_sys_sendto+0xe5/0x1c0 - do_syscall_64+0x38/0x80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -[2] -============================= -WARNING: suspicious RCU usage -6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted ------------------------------ -include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! - -other info that might help us debug this: - -rcu_scheduler_active = 2, debug_locks = 1 -2 locks held by ping6/182: - #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50 - #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310 - -stack backtrace: -CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 -Call Trace: - - dump_stack_lvl+0xc1/0xf0 - lockdep_rcu_suspicious+0x211/0x3b0 - vrf_output6+0xd32/0x1310 - ip6_local_out+0xb4/0x1a0 - ip6_send_skb+0xbc/0x340 - ip6_push_pending_frames+0xe5/0x110 - rawv6_sendmsg+0x2e6e/0x3e50 - inet_sendmsg+0xa2/0xe0 - __sys_sendto+0x2aa/0x420 - __x64_sys_sendto+0xe5/0x1c0 - do_syscall_64+0x38/0x80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -[3] -#!/bin/bash - -ip link add name vrf-red up numtxqueues 2 type vrf table 10 -ip link add name swp1 up master vrf-red type dummy -ip address add 192.0.2.1/24 dev swp1 -ip address add 2001:db8:1::1/64 dev swp1 -ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1 -ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1 -ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null -ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null - -Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh") -Reported-by: Naresh Kamboju -Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/ -Signed-off-by: Ido Schimmel -Reviewed-by: David Ahern -Reviewed-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - drivers/net/vrf.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index bdb3a76a352e4..6043e63b42f97 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -664,7 +664,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, - skb->protocol = htons(ETH_P_IPV6); - skb->dev = dev; - -- rcu_read_lock_bh(); -+ rcu_read_lock(); - nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr); - neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop); - if (unlikely(!neigh)) -@@ -672,10 +672,10 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, - if (!IS_ERR(neigh)) { - sock_confirm_neigh(skb, neigh); - ret = neigh_output(neigh, skb, false); -- rcu_read_unlock_bh(); -+ rcu_read_unlock(); - return ret; - } -- rcu_read_unlock_bh(); -+ rcu_read_unlock(); - - IP6_INC_STATS(dev_net(dst->dev), - ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); -@@ -889,7 +889,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s - } - } - -- rcu_read_lock_bh(); -+ rcu_read_lock(); - - neigh = ip_neigh_for_gw(rt, skb, &is_v6gw); - if (!IS_ERR(neigh)) { -@@ -898,11 +898,11 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s - sock_confirm_neigh(skb, neigh); - /* if crossing protocols, can not use the cached header */ - ret = neigh_output(neigh, skb, is_v6gw); -- rcu_read_unlock_bh(); -+ rcu_read_unlock(); - return ret; - } - -- rcu_read_unlock_bh(); -+ rcu_read_unlock(); - vrf_tx_error(skb->dev, skb); - return -EINVAL; - } --- -2.39.2 - diff --git a/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch b/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch deleted file mode 100644 index f161a7312f6..00000000000 --- a/queue-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch +++ /dev/null @@ -1,137 +0,0 @@ -From 840cfcbe99d98723176ed5ffc3c5bc25c8fa6eae Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 26 May 2023 12:41:06 +0300 -Subject: wifi: ath11k: add support default regdb while searching board-2.bin - for WCN6855 - -From: Wen Gong - -[ Upstream commit 88ca89202f8e8afb5225eb5244d79cd67c15d744 ] - -Sometimes board-2.bin does not have the regdb data which matched the -parameters such as vendor, device, subsystem-vendor, subsystem-device -and etc. Add default regdb data with 'bus=%s' into board-2.bin for -WCN6855, then ath11k use 'bus=pci' to search regdb data in board-2.bin -for WCN6855. - -kernel: [ 122.515808] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262' -kernel: [ 122.517240] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 -kernel: [ 122.517280] ath11k_pci 0000:03:00.0: failed to fetch regdb data for bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262 from ath11k/WCN6855/hw2.0/board-2.bin -kernel: [ 122.517464] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci' -kernel: [ 122.518901] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 -kernel: [ 122.518915] ath11k_pci 0000:03:00.0: board name -kernel: [ 122.518917] ath11k_pci 0000:03:00.0: 00000000: 62 75 73 3d 70 63 69 bus=pci -kernel: [ 122.518918] ath11k_pci 0000:03:00.0: boot found match regdb data for name 'bus=pci' -kernel: [ 122.518920] ath11k_pci 0000:03:00.0: boot found regdb data for 'bus=pci' -kernel: [ 122.518921] ath11k_pci 0000:03:00.0: fetched regdb - -Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 - -Signed-off-by: Wen Gong -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230517133959.8224-1-quic_wgong@quicinc.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/core.c | 53 +++++++++++++++++++------- - 1 file changed, 40 insertions(+), 13 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c -index 9de23c11e18bb..8ab1a62351b98 100644 ---- a/drivers/net/wireless/ath/ath11k/core.c -+++ b/drivers/net/wireless/ath/ath11k/core.c -@@ -962,7 +962,8 @@ int ath11k_core_check_dt(struct ath11k_base *ab) - } - - static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, -- size_t name_len, bool with_variant) -+ size_t name_len, bool with_variant, -+ bool bus_type_mode) - { - /* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */ - char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 }; -@@ -973,15 +974,20 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - - switch (ab->id.bdf_search) { - case ATH11K_BDF_SEARCH_BUS_AND_BOARD: -- scnprintf(name, name_len, -- "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", -- ath11k_bus_str(ab->hif.bus), -- ab->id.vendor, ab->id.device, -- ab->id.subsystem_vendor, -- ab->id.subsystem_device, -- ab->qmi.target.chip_id, -- ab->qmi.target.board_id, -- variant); -+ if (bus_type_mode) -+ scnprintf(name, name_len, -+ "bus=%s", -+ ath11k_bus_str(ab->hif.bus)); -+ else -+ scnprintf(name, name_len, -+ "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", -+ ath11k_bus_str(ab->hif.bus), -+ ab->id.vendor, ab->id.device, -+ ab->id.subsystem_vendor, -+ ab->id.subsystem_device, -+ ab->qmi.target.chip_id, -+ ab->qmi.target.board_id, -+ variant); - break; - default: - scnprintf(name, name_len, -@@ -1000,13 +1006,19 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - static int ath11k_core_create_board_name(struct ath11k_base *ab, char *name, - size_t name_len) - { -- return __ath11k_core_create_board_name(ab, name, name_len, true); -+ return __ath11k_core_create_board_name(ab, name, name_len, true, false); - } - - static int ath11k_core_create_fallback_board_name(struct ath11k_base *ab, char *name, - size_t name_len) - { -- return __ath11k_core_create_board_name(ab, name, name_len, false); -+ return __ath11k_core_create_board_name(ab, name, name_len, false, false); -+} -+ -+static int ath11k_core_create_bus_type_board_name(struct ath11k_base *ab, char *name, -+ size_t name_len) -+{ -+ return __ath11k_core_create_board_name(ab, name, name_len, false, true); - } - - const struct firmware *ath11k_core_firmware_request(struct ath11k_base *ab, -@@ -1310,7 +1322,7 @@ int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd) - - int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd) - { -- char boardname[BOARD_NAME_SIZE]; -+ char boardname[BOARD_NAME_SIZE], default_boardname[BOARD_NAME_SIZE]; - int ret; - - ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE); -@@ -1327,6 +1339,21 @@ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd - if (!ret) - goto exit; - -+ ret = ath11k_core_create_bus_type_board_name(ab, default_boardname, -+ BOARD_NAME_SIZE); -+ if (ret) { -+ ath11k_dbg(ab, ATH11K_DBG_BOOT, -+ "failed to create default board name for regdb: %d", ret); -+ goto exit; -+ } -+ -+ ret = ath11k_core_fetch_board_data_api_n(ab, bd, default_boardname, -+ ATH11K_BD_IE_REGDB, -+ ATH11K_BD_IE_REGDB_NAME, -+ ATH11K_BD_IE_REGDB_DATA); -+ if (!ret) -+ goto exit; -+ - ret = ath11k_core_fetch_board_data_api_1(ab, bd, ATH11K_REGDB_FILE_NAME); - if (ret) - ath11k_dbg(ab, ATH11K_DBG_BOOT, "failed to fetch %s from %s\n", --- -2.39.2 - diff --git a/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch b/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch deleted file mode 100644 index 0535b3157d7..00000000000 --- a/queue-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 83694f488fc680ab7e911063ae8091119626d81b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Jun 2023 14:41:28 +0530 -Subject: wifi: ath11k: fix memory leak in WMI firmware stats - -From: P Praneesh - -[ Upstream commit 6aafa1c2d3e3fea2ebe84c018003f2a91722e607 ] - -Memory allocated for firmware pdev, vdev and beacon statistics -are not released during rmmod. - -Fix it by calling ath11k_fw_stats_free() function before hardware -unregister. - -While at it, avoid calling ath11k_fw_stats_free() while processing -the firmware stats received in the WMI event because the local list -is getting spliced and reinitialised and hence there are no elements -in the list after splicing. - -Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 - -Signed-off-by: P Praneesh -Signed-off-by: Aditya Kumar Singh -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230606091128.14202-1-quic_adisi@quicinc.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/mac.c | 1 + - drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++ - 2 files changed, 6 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c -index 05920ad413c55..01ff197b017f7 100644 ---- a/drivers/net/wireless/ath/ath11k/mac.c -+++ b/drivers/net/wireless/ath/ath11k/mac.c -@@ -9468,6 +9468,7 @@ void ath11k_mac_destroy(struct ath11k_base *ab) - if (!ar) - continue; - -+ ath11k_fw_stats_free(&ar->fw_stats); - ieee80211_free_hw(ar->hw); - pdev->ar = NULL; - } -diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c -index d0b59bc2905a9..42d9b29623a47 100644 ---- a/drivers/net/wireless/ath/ath11k/wmi.c -+++ b/drivers/net/wireless/ath/ath11k/wmi.c -@@ -8103,6 +8103,11 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk - rcu_read_unlock(); - spin_unlock_bh(&ar->data_lock); - -+ /* Since the stats's pdev, vdev and beacon list are spliced and reinitialised -+ * at this point, no need to free the individual list. -+ */ -+ return; -+ - free: - ath11k_fw_stats_free(&stats); - } --- -2.39.2 - diff --git a/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch deleted file mode 100644 index 9ce3d807503..00000000000 --- a/queue-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 897dae6285f339120b727c5a3f8488b3ff25af16 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 21 Apr 2023 16:54:45 +0200 -Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full - channel range - -From: Maxime Bizon - -[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ] - -Because of what seems to be a typo, a 6Ghz-only phy for which the BDF -does not allow the 7115Mhz channel will fail to register: - - WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 - Modules linked in: ath11k_pci sbsa_gwdt - CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 - Hardware name: Freebox V7R Board (DT) - Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work - pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : wiphy_register+0x914/0x954 - lr : ieee80211_register_hw+0x67c/0xc10 - sp : ffffff800b123aa0 - x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 - x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 - x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 - x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 - x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f - x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd - x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 - x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 - x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 - x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 - Call trace: - wiphy_register+0x914/0x954 - ieee80211_register_hw+0x67c/0xc10 - ath11k_mac_register+0x7c4/0xe10 - ath11k_core_qmi_firmware_ready+0x1f4/0x570 - ath11k_qmi_driver_event_work+0x198/0x590 - process_one_work+0x1b8/0x328 - worker_thread+0x6c/0x414 - kthread+0x100/0x104 - ret_from_fork+0x10/0x20 - ---[ end trace 0000000000000000 ]--- - ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 - ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 - ath11k_pci 0002:01:00.0: failed to create pdev core: -22 - -Signed-off-by: Maxime Bizon -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath11k/mac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c -index 1c93f1afccc57..05920ad413c55 100644 ---- a/drivers/net/wireless/ath/ath11k/mac.c -+++ b/drivers/net/wireless/ath/ath11k/mac.c -@@ -8892,7 +8892,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar, - } - - if (supported_bands & WMI_HOST_WLAN_5G_CAP) { -- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) { -+ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) { - channels = kmemdup(ath11k_6ghz_channels, - sizeof(ath11k_6ghz_channels), GFP_KERNEL); - if (!channels) { --- -2.39.2 - diff --git a/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch b/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch deleted file mode 100644 index b94f627d18f..00000000000 --- a/queue-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 45f055b96df5274a12510ef11de0f670e5e27c58 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 13:35:15 +0300 -Subject: wifi: ath12k: Avoid NULL pointer access during management transmit - cleanup - -From: Balamurugan S - -[ Upstream commit 054b5580a36e435692c203c19abdcb9f7734320e ] - -Currently 'ar' reference is not added in skb_cb. -Though this is generally not used during transmit completion -callbacks, on interface removal the remaining idr cleanup callback -uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them -during transmit call for proper usage to avoid NULL pointer dereference. - -Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 - -Signed-off-by: Balamurugan S -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230518071046.14337-1-quic_bselvara@quicinc.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath12k/mac.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c -index ee792822b4113..58acfe8fdf8c0 100644 ---- a/drivers/net/wireless/ath/ath12k/mac.c -+++ b/drivers/net/wireless/ath/ath12k/mac.c -@@ -4425,6 +4425,7 @@ static int ath12k_mac_mgmt_tx_wmi(struct ath12k *ar, struct ath12k_vif *arvif, - int buf_id; - int ret; - -+ ATH12K_SKB_CB(skb)->ar = ar; - spin_lock_bh(&ar->txmgmt_idr_lock); - buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0, - ATH12K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC); --- -2.39.2 - diff --git a/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch b/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch deleted file mode 100644 index 3c1ae137475..00000000000 --- a/queue-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 52ee25f8ec39aa349eac6d31f626770d6bd2b068 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 13:03:59 +0300 -Subject: wifi: iwlwifi: Add support for new PCI Id - -From: Mukesh Sisodiya - -[ Upstream commit 35bd6f1d043d089fcb60450e1287cc65f0095787 ] - -Add support for the PCI Id 51F1 without IMR support. - -Signed-off-by: Mukesh Sisodiya -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230620125813.9800e652e789.Ic06a085832ac3f988c8ef07d856c8e281563295d@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -index 79115eb1c2852..e9fe6cea891aa 100644 ---- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -@@ -495,6 +495,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { - {IWL_PCI_DEVICE(0x7AF0, PCI_ANY_ID, iwl_so_trans_cfg)}, - {IWL_PCI_DEVICE(0x51F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_imr_trans_cfg)}, -+ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x54F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, - {IWL_PCI_DEVICE(0x7F70, PCI_ANY_ID, iwl_so_trans_cfg)}, - -@@ -544,6 +545,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { - IWL_DEV_INFO(0x51F0, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_160_name), - IWL_DEV_INFO(0x51F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), - IWL_DEV_INFO(0x51F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), -+ IWL_DEV_INFO(0x51F1, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), - IWL_DEV_INFO(0x54F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), - IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), - IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), --- -2.39.2 - diff --git a/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch b/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch deleted file mode 100644 index 2e4d18afa45..00000000000 --- a/queue-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 153c633de624c710571fbdd0782a74845b1b2774 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 14 Jun 2023 15:50:08 +0300 -Subject: wifi: iwlwifi: mvm: Add NULL check before dereferencing the pointer - -From: Mukesh Sisodiya - -[ Upstream commit 7dd50fd5478056929a012c6bf8b3c6f87c7e9e87 ] - -While vif pointers are protected by the corresponding "*active" -fields, static checkers can get confused sometimes. Add an explicit -check. - -Signed-off-by: Mukesh Sisodiya -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230614154951.78749ae91fb5.Id3c05d13eeee6638f0930f750e93fb928d5c9dee@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/power.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/power.c b/drivers/net/wireless/intel/iwlwifi/mvm/power.c -index ac1dae52556f8..19839cc44eb3d 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c -@@ -647,30 +647,32 @@ static void iwl_mvm_power_set_pm(struct iwl_mvm *mvm, - return; - - /* enable PM on bss if bss stand alone */ -- if (vifs->bss_active && !vifs->p2p_active && !vifs->ap_active) { -+ if (bss_mvmvif && vifs->bss_active && !vifs->p2p_active && -+ !vifs->ap_active) { - bss_mvmvif->pm_enabled = true; - return; - } - - /* enable PM on p2p if p2p stand alone */ -- if (vifs->p2p_active && !vifs->bss_active && !vifs->ap_active) { -+ if (p2p_mvmvif && vifs->p2p_active && !vifs->bss_active && -+ !vifs->ap_active) { - p2p_mvmvif->pm_enabled = true; - return; - } - -- if (vifs->bss_active && vifs->p2p_active) -+ if (p2p_mvmvif && bss_mvmvif && vifs->bss_active && vifs->p2p_active) - client_same_channel = - iwl_mvm_have_links_same_channel(bss_mvmvif, p2p_mvmvif); - -- if (vifs->bss_active && vifs->ap_active) -+ if (bss_mvmvif && ap_mvmvif && vifs->bss_active && vifs->ap_active) - ap_same_channel = - iwl_mvm_have_links_same_channel(bss_mvmvif, ap_mvmvif); - - /* clients are not stand alone: enable PM if DCM */ - if (!(client_same_channel || ap_same_channel)) { -- if (vifs->bss_active) -+ if (bss_mvmvif && vifs->bss_active) - bss_mvmvif->pm_enabled = true; -- if (vifs->p2p_active) -+ if (p2p_mvmvif && vifs->p2p_active) - p2p_mvmvif->pm_enabled = true; - return; - } --- -2.39.2 - diff --git a/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch deleted file mode 100644 index 134f5d4e344..00000000000 --- a/queue-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +++ /dev/null @@ -1,47 +0,0 @@ -From dace976cec6dcc24ea4796d017d381407df57a5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 13:04:02 +0300 -Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow - -From: Johannes Berg - -[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] - -Roee reported various hard-to-debug crashes with pings in -EHT aggregation scenarios. Enabling KASAN showed that we -access the BAID allocation out of bounds, and looking at -the code a bit shows that since the reorder buffer entry -(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug -such as lockdep is enabled, then staring from an agg size -512 we overflow the size calculation, and allocate a much -smaller structure than we should, causing slab corruption -once we initialize this. - -Fix this by simply using u32 instead of u16. - -Reported-by: Roee Goldfiner -Signed-off-by: Johannes Berg -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -index b85e363544f8b..7f9a809dd081c 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -@@ -2884,7 +2884,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, - } - - if (iwl_mvm_has_new_rx_api(mvm) && start) { -- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); -+ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); - - /* sparse doesn't like the __align() so don't check */ - #ifndef __CHECKER__ --- -2.39.2 - diff --git a/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch b/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch deleted file mode 100644 index d1c5e8b417e..00000000000 --- a/queue-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch +++ /dev/null @@ -1,51 +0,0 @@ -From a37efc3bc4885e014924de01edb24e2175627ad3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 13 Jun 2023 15:57:21 +0300 -Subject: wifi: iwlwifi: mvm: fix potential array out of bounds access - -From: Gregory Greenman - -[ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ] - -Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying -key_len size in iwl_mvm_sec_key_add(). - -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c -index 8853821b37168..1e659bd07392a 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c -@@ -1,6 +1,6 @@ - // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause - /* -- * Copyright (C) 2022 Intel Corporation -+ * Copyright (C) 2022 - 2023 Intel Corporation - */ - #include - #include -@@ -179,9 +179,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm, - .u.add.key_flags = cpu_to_le32(key_flags), - .u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)), - }; -+ int max_key_len = sizeof(cmd.u.add.key); - int ret; - -- if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key))) -+ if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 || -+ keyconf->cipher == WLAN_CIPHER_SUITE_WEP104) -+ max_key_len -= IWL_SEC_WEP_KEY_OFFSET; -+ -+ if (WARN_ON(keyconf->keylen > max_key_len)) - return -EINVAL; - - if (WARN_ON(!sta_mask)) --- -2.39.2 - diff --git a/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch b/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch deleted file mode 100644 index 482fbaaa02d..00000000000 --- a/queue-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 34442c9ff04263d558c7a4292daac7e818b44817 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 13:12:20 +0300 -Subject: wifi: iwlwifi: pcie: add device id 51F1 for killer 1675 - -From: Yi Kuo - -[ Upstream commit f4daceae4087bbb3e9a56044b44601d520d009d2 ] - -Intel Killer AX1675i/s with device id 51f1 would show -"No config found for PCI dev 51f1/1672" in dmesg and refuse to work. -Add the new device id 51F1 for 1675i/s to fix the issue. - -Signed-off-by: Yi Kuo -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230621130444.ee224675380b.I921c905e21e8d041ad808def8f454f27b5ebcd8b@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -index e9fe6cea891aa..e086664a4eaca 100644 ---- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c -@@ -684,6 +684,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { - IWL_DEV_INFO(0x2726, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x51F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), - IWL_DEV_INFO(0x51F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), -+ IWL_DEV_INFO(0x51F1, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), -+ IWL_DEV_INFO(0x51F1, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x54F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), - IWL_DEV_INFO(0x54F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), - IWL_DEV_INFO(0x7A70, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), --- -2.39.2 - diff --git a/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch b/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch deleted file mode 100644 index e3f1c611b85..00000000000 --- a/queue-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch +++ /dev/null @@ -1,46 +0,0 @@ -From d130537977b35b9a7ba5591cd4645081cdf732e9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Jun 2023 12:11:27 +0300 -Subject: wifi: mac80211_hwsim: Fix possible NULL dereference - -From: Ilan Peer - -[ Upstream commit 0cc80943ef518a1c51a1111e9346d1daf11dd545 ] - -In a call to mac80211_hwsim_select_tx_link() the sta pointer might -be NULL, thus need to check that it is not NULL before accessing it. - -Signed-off-by: Ilan Peer -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230604120651.f4d889fc98c4.Iae85f527ed245a37637a874bb8b8c83d79812512@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/virtual/mac80211_hwsim.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c -index 89c7a1420381d..ed5af63025979 100644 ---- a/drivers/net/wireless/virtual/mac80211_hwsim.c -+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c -@@ -4,7 +4,7 @@ - * Copyright (c) 2008, Jouni Malinen - * Copyright (c) 2011, Javier Lopez - * Copyright (c) 2016 - 2017 Intel Deutschland GmbH -- * Copyright (C) 2018 - 2022 Intel Corporation -+ * Copyright (C) 2018 - 2023 Intel Corporation - */ - - /* -@@ -1864,7 +1864,7 @@ mac80211_hwsim_select_tx_link(struct mac80211_hwsim_data *data, - - WARN_ON(is_multicast_ether_addr(hdr->addr1)); - -- if (WARN_ON_ONCE(!sta->valid_links)) -+ if (WARN_ON_ONCE(!sta || !sta->valid_links)) - return &vif->bss_conf; - - for (i = 0; i < ARRAY_SIZE(vif->link_conf); i++) { --- -2.39.2 - diff --git a/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch b/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch deleted file mode 100644 index e3b4b1b0414..00000000000 --- a/queue-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 4357179094d447fe2d49c33c6de95fab7905d53f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 May 2023 22:24:22 +0200 -Subject: wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr() - -From: Martin Blumenstingl - -[ Upstream commit e967229ead0e6c5047a1cfd5a0db58ceb930800b ] - -rtw_sdio_rx_isr() is responsible for receiving data from the wifi chip -and is called from the SDIO interrupt handler when the interrupt status -register (HISR) has the RX_REQUEST bit set. After the first batch of -data has been processed by the driver the wifi chip may have more data -ready to be read, which is managed by a loop in rtw_sdio_rx_isr(). - -It turns out that there are cases where the RX buffer length (from the -REG_SDIO_RX0_REQ_LEN register) does not match the data we receive. The -following two cases were observed with a RTL8723DS card: -- RX length is smaller than the total packet length including overhead - and actual data bytes (whose length is part of the buffer we read from - the wifi chip and is stored in rtw_rx_pkt_stat.pkt_len). This can - result in errors like: - skbuff: skb_over_panic: text:ffff8000011924ac len:3341 put:3341 - (one case observed was: RX buffer length = 1536 bytes but - rtw_rx_pkt_stat.pkt_len = 1546 bytes, this is not valid as it means - we need to read beyond the end of the buffer) -- RX length looks valid but rtw_rx_pkt_stat.pkt_len is zero - -Check if the RX_REQUEST is set in the HISR register for each iteration -inside rtw_sdio_rx_isr(). This mimics what the RTL8723DS vendor driver -does and makes the driver only read more data if the RX_REQUEST bit is -set (which seems to be a way for the card's hardware or firmware to -tell the host that data is ready to be processed). - -For RTW_WCPU_11AC chips this check is not needed. The RTL8822BS vendor -driver for example states that this check is unnecessary (but still uses -it) and the RTL8822CS drops this check entirely. - -Reviewed-by: Ping-Ke Shih -Signed-off-by: Martin Blumenstingl -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230522202425.1827005-2-martin.blumenstingl@googlemail.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/realtek/rtw88/sdio.c | 24 ++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c -index 06fce7c3addaa..2c1fb2dabd40a 100644 ---- a/drivers/net/wireless/realtek/rtw88/sdio.c -+++ b/drivers/net/wireless/realtek/rtw88/sdio.c -@@ -998,9 +998,9 @@ static void rtw_sdio_rxfifo_recv(struct rtw_dev *rtwdev, u32 rx_len) - - static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) - { -- u32 rx_len, total_rx_bytes = 0; -+ u32 rx_len, hisr, total_rx_bytes = 0; - -- while (total_rx_bytes < SZ_64K) { -+ do { - if (rtw_chip_wcpu_11n(rtwdev)) - rx_len = rtw_read16(rtwdev, REG_SDIO_RX0_REQ_LEN); - else -@@ -1012,7 +1012,25 @@ static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) - rtw_sdio_rxfifo_recv(rtwdev, rx_len); - - total_rx_bytes += rx_len; -- } -+ -+ if (rtw_chip_wcpu_11n(rtwdev)) { -+ /* Stop if no more RX requests are pending, even if -+ * rx_len could be greater than zero in the next -+ * iteration. This is needed because the RX buffer may -+ * already contain data while either HW or FW are not -+ * done filling that buffer yet. Still reading the -+ * buffer can result in packets where -+ * rtw_rx_pkt_stat.pkt_len is zero or points beyond the -+ * end of the buffer. -+ */ -+ hisr = rtw_read32(rtwdev, REG_SDIO_HISR); -+ } else { -+ /* RTW_WCPU_11AC chips have improved hardware or -+ * firmware and can use rx_len unconditionally. -+ */ -+ hisr = REG_SDIO_HISR_RX_REQUEST; -+ } -+ } while (total_rx_bytes < SZ_64K && hisr & REG_SDIO_HISR_RX_REQUEST); - } - - static void rtw_sdio_handle_interrupt(struct sdio_func *sdio_func) --- -2.39.2 - diff --git a/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch deleted file mode 100644 index 2333f9338d4..00000000000 --- a/queue-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 63e6efa14f435540aab95084d9ee613a389d4fd6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 12:04:07 -0600 -Subject: wifi: wext-core: Fix -Wstringop-overflow warning in - ioctl_standard_iw_point() - -From: Gustavo A. R. Silva - -[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] - --Wstringop-overflow is legitimately warning us about extra_size -pontentially being zero at some point, hence potenially ending -up _allocating_ zero bytes of memory for extra pointer and then -trying to access such object in a call to copy_from_user(). - -Fix this by adding a sanity check to ensure we never end up -trying to allocate zero bytes of data for extra pointer, before -continue executing the rest of the code in the function. - -Address the following -Wstringop-overflow warning seen when built -m68k architecture with allyesconfig configuration: - from net/wireless/wext-core.c:11: -In function '_copy_from_user', - inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: -arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] - 48 | #define memset(d, c, n) __builtin_memset(d, c, n) - | ^~~~~~~~~~~~~~~~~~~~~~~~~ -include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' - 153 | memset(to + (n - res), 0, res); - | ^~~~~~ -In function 'kmalloc', - inlined from 'kzalloc' at include/linux/slab.h:694:9, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: -include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' - 577 | return __kmalloc(size, flags); - | ^~~~~~~~~~~~~~~~~~~~~~ - -This help with the ongoing efforts to globally enable --Wstringop-overflow. - -Link: https://github.com/KSPP/linux/issues/315 -Signed-off-by: Gustavo A. R. Silva -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/wext-core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index a125fd1fa1342..a161c64d1765e 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, - } - } - -+ /* Sanity-check to ensure we never end up _allocating_ zero -+ * bytes of data for extra. -+ */ -+ if (extra_size <= 0) -+ return -EFAULT; -+ - /* kzalloc() ensures NULL-termination for essid_compat. */ - extra = kzalloc(extra_size, GFP_KERNEL); - if (!extra) --- -2.39.2 -