From 2fde6806a406c5d9d8bd6bfc31526b471991ca2d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 27 Nov 2022 14:07:00 -0500 Subject: [PATCH] Fixes for 6.0 
Signed-off-by: Sasha Levin --- ...of-list_del-corruption-in-p9_fd_canc.patch | 75 ++++ ...end_acquire-race-with-pfkey_register.patch | 147 +++++++ ...ential-memory-leak-in-com20020_probe.patch | 61 +++ ...cm-953-define-fixed-regulators-in-ro.patch | 66 +++ ...m9g20ek-enable-udc-vbus-gpio-pinctrl.patch | 57 +++ ...ti6q-fix-ref-tcxo-clock-frequency-pr.patch | 43 ++ ...-fix-memory-leak-in-mxs_machine_init.patch | 40 ++ ...ip-fix-pine64-quartz4-b-pmic-interru.patch | 41 ++ ...ip-fix-quartz64-a-bluetooth-configur.patch | 59 +++ ...da-fix-hda-pcm-buffer-overflow-issue.patch | 66 +++ ...hdac_ext-usage-for-codec-device-crea.patch | 321 +++++++++++++++ ...ke-introduce-hda-codec-init-and-exit.patch | 68 ++++ ...max98373-add-checks-for-devm_kcalloc.patch | 40 ++ ...eset-the-chip_clk_ctrl-reg-on-remove.patch | 48 +++ ...n-t-zero-tdm-masks-in-__soc_pcm_open.patch | 47 +++ ...ntroduce-hda-codec-init-and-exit-rou.patch | 69 ++++ ...-reference-leak-on-blk_mq_alloc_disk.patch | 47 +++ ...vice-refcount-leak-in-bnx2x_vf_is_pc.patch | 58 +++ ...v6-header-handling-when-receiving-ip.patch | 65 +++ ...nxi-rsb-remove-the-shutdown-callback.patch | 55 +++ ...s-sunxi-rsb-support-atomic-transfers.patch | 92 +++++ ...te-change-amd-pstate-driver-to-be-bu.patch | 67 ++++ ...addr-on-failure-after-inet6-_hash_co.patch | 113 ++++++ ...-fix-racing-conflict-of-dma_heap_add.patch | 94 +++++ ...-fix-double-free-in-the-error-path-o.patch | 53 +++ ...-fix-possible-memory-leak-in-vmbus_d.patch | 41 ++ ...n-in-intel_display_power_-_domain-fu.patch | 71 ++++ ...o-not-update-freeing-inode-i_io_list.patch | 84 ++++ ...oob-read-in-__fscache_acquire_volume.patch | 103 +++++ ...art-tx-queues-after-reset-task-failu.patch | 149 +++++++ .../iavf-fix-a-crash-during-reset-task.patch | 95 +++++ ...ndition-between-iavf_shutdown-and-ia.patch | 66 +++ ...ial_mac_set-to-allow-garp-to-work-pr.patch | 82 ++++ ...letable-fix-file-reference-underflow.patch | 182 +++++++++ ...-fix-poll_refs-race-with-cancelation.patch | 154 
+++++++ ...rror-return-code-in-fib_table_insert.patch | 40 ++ ...r-dev-to-avoid-possible-use-after-fr.patch | 60 +++ .../macsec-fix-invalid-error-code-set.patch | 38 ++ ...multicast-rx-support-for-cdc-ncm-dev.patch | 47 +++ ...issing-dev_kfree_skb-in-dm9051_loop_.patch | 40 ++ ...disallow-c45-transactions-on-the-bas.patch | 71 ++++ ...t-enetc-cache-accesses-to-priv-si-hw.patch | 376 ++++++++++++++++++ ...ve-tx-ring-priority-across-reconfigu.patch | 126 ++++++ ..._eth_soc-fix-error-handling-in-mtk_o.patch | 42 ++ ..._eth_soc-fix-potential-memory-leak-i.patch | 47 +++ ..._eth_soc-fix-resource-leak-in-error-.patch | 44 ++ ..._eth_soc-move-gdma_to_ppe-and-ppe_ba.patch | 120 ++++++ ..._eth_soc-move-ppe-table-hash-offset-.patch | 194 +++++++++ .../net-liquidio-simplify-if-expression.patch | 50 +++ ...tera-add-missing-unregister_netdev-i.patch | 40 ++ ...lx4-check-retval-of-mlx4_bitmap_init.patch | 43 ++ ...rint-info-on-any-firmware-cmd-failur.patch | 215 ++++++++++ ...ot-query-pci-info-while-pci-disabled.patch | 60 +++ ...itch-set-correctly-vport-destination.patch | 79 ++++ ...-fix-fw-tracer-timestamp-calculation.patch | 38 ++ ...dling-of-entry-refcount-when-command.patch | 62 +++ ...-sync-reset-event-handler-error-flow.patch | 64 +++ ...probing-active-sfs-during-driver-pro.patch | 173 ++++++++ ...d-rule-only-when-all-encaps-are-vali.patch | 148 +++++++ ...possible-invalid-pointer-dereference.patch | 51 +++ ...h-decrement-the-family-specific-qlen.patch | 171 ++++++++ ...pci-device-refcount-leak-while-modul.patch | 60 +++ ...potential-memleak-in-pch_gbe_tx_queu.patch | 38 ++ ...ix-error-return-code-in-at803x_probe.patch | 41 ++ ...fix-potential-memleak-in-ql3xxx_send.patch | 36 ++ ...ow-act_ct-to-be-built-without-nf_nat.patch | 40 ++ ...x-error-handling-in-sparx5_port_open.patch | 63 +++ ...et-thunderx-fix-the-acpi-memory-leak.patch | 41 ++ ...e-acpi_free-but-not-kfree-in-ipc_pci.patch | 39 ++ ...t-wwan-t7xx-fix-the-acpi-memory-leak.patch | 38 ++ 
...ntrack-fix-data-races-around-ct-mark.patch | 369 +++++++++++++++++ ...lowtable_offload-add-missing-locking.patch | 55 +++ ...ipset-regression-in-ip_set_hash_ip.c.patch | 66 +++ ...restore-allowing-64-clashing-element.patch | 39 ++ ...les-do-not-set-up-extensions-for-end.patch | 54 +++ ...ix-memory-leak-in-nci_rx_data_packet.patch | 61 +++ ...ci-fix-race-with-opening-and-closing.patch | 42 ++ ...ncorrect-sizing-calculations-in-evt_.patch | 115 ++++++ ...ncorrect-validating-logic-in-evt_tra.patch | 41 ++ ...-fix-memory-leaks-in-evt_transaction.patch | 42 ++ ...m-netdev-validation-for-eeprom-acces.patch | 45 +++ ...able-of-devlink_port_attrs-correctly.patch | 48 +++ ...ebugsfs-fix-pci-device-refcount-leak.patch | 52 +++ ...-reference-count-issue-in-rvu_sdp_in.patch | 55 +++ ...eontx2-pf-add-check-for-devm_kcalloc.patch | 39 ++ ...e-existing-irte-allocation-for-multi.patch | 261 ++++++++++++ ...pply-ab8500-defer-thermal-zone-probe.patch | 49 +++ ...xxx-fix-integer-overflow-in-current_.patch | 41 ++ ...ix-kobject-release-warning-and-memor.patch | 75 ++++ ...or-core-fix-uaf-in-destroy_regulator.patch | 132 ++++++ ...ator-rt5759-fix-oob-in-validate_desc.patch | 54 +++ ...ator-twl6030-re-add-twl6032_subclass.patch | 47 +++ ...etween-conn-bundle-lookup-and-bundle.patch | 173 ++++++++ ...-fix-memory-leak-in-ap_init_qci_info.patch | 42 ++ ...dump-fix-tod-programmable-field-size.patch | 61 +++ ...no-record-found-for-raw_track_access.patch | 75 ++++ ...-handling-of-srb_status-and-capacity.patch | 148 +++++++ ...tests-mptcp-fix-mibit-vs-mbit-mix-up.patch | 52 +++ ...mptcp-gives-slow-test-case-more-time.patch | 61 +++ ...p-run-mptcp_sockopt-from-a-new-netns.patch | 74 ++++ queue-6.0/series | 116 ++++++ ...l-memleak-in-__ef100_hard_start_xmit.patch | 38 ++ ...ase-reference-count-in-dw_spi_dma_in.patch | 47 +++ ...10-quad-fix-duplicate-resource-error.patch | 42 ++ ...ssible-memory-leak-in-optee_register.patch | 41 ++ ...-implicit-declaration-error-of-test_.patch | 49 +++ 
...an-extra-conn_get-in-tipc_conn_alloc.patch | 84 ++++ ...inearize-return-value-in-tipc_disc_r.patch | 41 ++ ...tipc-set-con-sock-in-tipc_conn_alloc.patch | 106 +++++ queue-6.0/tsnep-fix-rotten-packets.patch | 125 ++++++ ...robe-failed-when-modprobe-virtio_net.patch | 85 ++++ ...re-vp-assist-page-after-cpu-offlinin.patch | 125 ++++++ ...x-disable_policy-on-ipv4-early-demux.patch | 54 +++ ...x-ignored-return-value-in-xfrm6_init.patch | 59 +++ ...xfrm-fix-oops-in-__xfrm_state_delete.patch | 119 ++++++ ...m-replay-fix-esn-wrap-around-for-gso.patch | 103 +++++ ...-fix-race-between-modprobe-and-mount.patch | 80 ++++ 117 files changed, 9536 insertions(+) create mode 100644 queue-6.0/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch create mode 100644 queue-6.0/af_key-fix-send_acquire-race-with-pfkey_register.patch create mode 100644 queue-6.0/arcnet-fix-potential-memory-leak-in-com20020_probe.patch create mode 100644 queue-6.0/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch create mode 100644 queue-6.0/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch create mode 100644 queue-6.0/arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch create mode 100644 queue-6.0/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch create mode 100644 queue-6.0/arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch create mode 100644 queue-6.0/arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch create mode 100644 queue-6.0/asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch create mode 100644 queue-6.0/asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch create mode 100644 queue-6.0/asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch create mode 100644 queue-6.0/asoc-max98373-add-checks-for-devm_kcalloc.patch create mode 100644 queue-6.0/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch create mode 100644 queue-6.0/asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch create mode 100644 
queue-6.0/asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch create mode 100644 queue-6.0/blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch create mode 100644 queue-6.0/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch create mode 100644 queue-6.0/bonding-fix-icmpv6-header-handling-when-receiving-ip.patch create mode 100644 queue-6.0/bus-sunxi-rsb-remove-the-shutdown-callback.patch create mode 100644 queue-6.0/bus-sunxi-rsb-support-atomic-transfers.patch create mode 100644 queue-6.0/cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch create mode 100644 queue-6.0/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch create mode 100644 queue-6.0/dma-buf-fix-racing-conflict-of-dma_heap_add.patch create mode 100644 queue-6.0/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch create mode 100644 queue-6.0/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch create mode 100644 queue-6.0/drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch create mode 100644 queue-6.0/fs-do-not-update-freeing-inode-i_io_list.patch create mode 100644 queue-6.0/fscache-fix-oob-read-in-__fscache_acquire_volume.patch create mode 100644 queue-6.0/iavf-do-not-restart-tx-queues-after-reset-task-failu.patch create mode 100644 queue-6.0/iavf-fix-a-crash-during-reset-task.patch create mode 100644 queue-6.0/iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch create mode 100644 queue-6.0/iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch create mode 100644 queue-6.0/io_uring-filetable-fix-file-reference-underflow.patch create mode 100644 queue-6.0/io_uring-poll-fix-poll_refs-race-with-cancelation.patch create mode 100644 queue-6.0/ipv4-fix-error-return-code-in-fib_table_insert.patch create mode 100644 queue-6.0/ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch create mode 100644 queue-6.0/macsec-fix-invalid-error-code-set.patch create mode 100644 queue-6.0/net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch create 
mode 100644 queue-6.0/net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch create mode 100644 queue-6.0/net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch create mode 100644 queue-6.0/net-enetc-cache-accesses-to-priv-si-hw.patch create mode 100644 queue-6.0/net-enetc-preserve-tx-ring-priority-across-reconfigu.patch create mode 100644 queue-6.0/net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch create mode 100644 queue-6.0/net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch create mode 100644 queue-6.0/net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch create mode 100644 queue-6.0/net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch create mode 100644 queue-6.0/net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch create mode 100644 queue-6.0/net-liquidio-simplify-if-expression.patch create mode 100644 queue-6.0/net-marvell-prestera-add-missing-unregister_netdev-i.patch create mode 100644 queue-6.0/net-mlx4-check-retval-of-mlx4_bitmap_init.patch create mode 100644 queue-6.0/net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch create mode 100644 queue-6.0/net-mlx5-do-not-query-pci-info-while-pci-disabled.patch create mode 100644 queue-6.0/net-mlx5-e-switch-set-correctly-vport-destination.patch create mode 100644 queue-6.0/net-mlx5-fix-fw-tracer-timestamp-calculation.patch create mode 100644 queue-6.0/net-mlx5-fix-handling-of-entry-refcount-when-command.patch create mode 100644 queue-6.0/net-mlx5-fix-sync-reset-event-handler-error-flow.patch create mode 100644 queue-6.0/net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch create mode 100644 queue-6.0/net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch create mode 100644 queue-6.0/net-mvpp2-fix-possible-invalid-pointer-dereference.patch create mode 100644 queue-6.0/net-neigh-decrement-the-family-specific-qlen.patch create mode 100644 queue-6.0/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch create mode 100644 
queue-6.0/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch create mode 100644 queue-6.0/net-phy-at803x-fix-error-return-code-in-at803x_probe.patch create mode 100644 queue-6.0/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch create mode 100644 queue-6.0/net-sched-allow-act_ct-to-be-built-without-nf_nat.patch create mode 100644 queue-6.0/net-sparx5-fix-error-handling-in-sparx5_port_open.patch create mode 100644 queue-6.0/net-thunderx-fix-the-acpi-memory-leak.patch create mode 100644 queue-6.0/net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch create mode 100644 queue-6.0/net-wwan-t7xx-fix-the-acpi-memory-leak.patch create mode 100644 queue-6.0/netfilter-conntrack-fix-data-races-around-ct-mark.patch create mode 100644 queue-6.0/netfilter-flowtable_offload-add-missing-locking.patch create mode 100644 queue-6.0/netfilter-ipset-regression-in-ip_set_hash_ip.c.patch create mode 100644 queue-6.0/netfilter-ipset-restore-allowing-64-clashing-element.patch create mode 100644 queue-6.0/netfilter-nf_tables-do-not-set-up-extensions-for-end.patch create mode 100644 queue-6.0/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch create mode 100644 queue-6.0/nfc-nci-fix-race-with-opening-and-closing.patch create mode 100644 queue-6.0/nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch create mode 100644 queue-6.0/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch create mode 100644 queue-6.0/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch create mode 100644 queue-6.0/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch create mode 100644 queue-6.0/nfp-fill-splittable-of-devlink_port_attrs-correctly.patch create mode 100644 queue-6.0/octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch create mode 100644 queue-6.0/octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch create mode 100644 queue-6.0/octeontx2-pf-add-check-for-devm_kcalloc.patch create mode 100644 queue-6.0/pci-hv-only-reuse-existing-irte-allocation-for-multi.patch 
create mode 100644 queue-6.0/power-supply-ab8500-defer-thermal-zone-probe.patch create mode 100644 queue-6.0/power-supply-ip5xxx-fix-integer-overflow-in-current_.patch create mode 100644 queue-6.0/regulator-core-fix-kobject-release-warning-and-memor.patch create mode 100644 queue-6.0/regulator-core-fix-uaf-in-destroy_regulator.patch create mode 100644 queue-6.0/regulator-rt5759-fix-oob-in-validate_desc.patch create mode 100644 queue-6.0/regulator-twl6030-re-add-twl6032_subclass.patch create mode 100644 queue-6.0/rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch create mode 100644 queue-6.0/s390-ap-fix-memory-leak-in-ap_init_qci_info.patch create mode 100644 queue-6.0/s390-crashdump-fix-tod-programmable-field-size.patch create mode 100644 queue-6.0/s390-dasd-fix-no-record-found-for-raw_track_access.patch create mode 100644 queue-6.0/scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch create mode 100644 queue-6.0/selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch create mode 100644 queue-6.0/selftests-mptcp-gives-slow-test-case-more-time.patch create mode 100644 queue-6.0/selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch create mode 100644 queue-6.0/sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch create mode 100644 queue-6.0/spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch create mode 100644 queue-6.0/spi-tegra210-quad-fix-duplicate-resource-error.patch create mode 100644 queue-6.0/tee-optee-fix-possible-memory-leak-in-optee_register.patch create mode 100644 queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_.patch create mode 100644 queue-6.0/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch create mode 100644 queue-6.0/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch create mode 100644 queue-6.0/tipc-set-con-sock-in-tipc_conn_alloc.patch create mode 100644 queue-6.0/tsnep-fix-rotten-packets.patch create mode 100644 queue-6.0/virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch create mode 100644 
queue-6.0/x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch create mode 100644 queue-6.0/xfrm-fix-disable_policy-on-ipv4-early-demux.patch create mode 100644 queue-6.0/xfrm-fix-ignored-return-value-in-xfrm6_init.patch create mode 100644 queue-6.0/xfrm-fix-oops-in-__xfrm_state_delete.patch create mode 100644 queue-6.0/xfrm-replay-fix-esn-wrap-around-for-gso.patch create mode 100644 queue-6.0/zonefs-fix-race-between-modprobe-and-mount.patch diff --git a/queue-6.0/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch b/queue-6.0/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch new file mode 100644 index 00000000000..f056e299430 --- /dev/null +++ b/queue-6.0/9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch 
@@ -0,0 +1,75 @@
+From 5e812095a571ec5397848b58693a5741de59490f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 20:26:06 +0800
+Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel()
+
+From: Zhengchao Shao
+
+[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ]
+
+Syz reported the following issue:
+kernel BUG at lib/list_debug.c:53!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72
+Call Trace:
+
+p9_fd_cancel+0xb1/0x270
+p9_client_rpc+0x8ea/0xba0
+p9_client_create+0x9c0/0xed0
+v9fs_session_init+0x1e0/0x1620
+v9fs_mount+0xba/0xb80
+legacy_get_tree+0x103/0x200
+vfs_get_tree+0x89/0x2d0
+path_mount+0x4c0/0x1ac0
+__x64_sys_mount+0x33b/0x430
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+
+The process is as follows:
+Thread A: Thread B:
+p9_poll_workfn() p9_client_create()
+... ...
+ p9_conn_cancel() p9_fd_cancel()
+ list_del() ...
+ ... list_del() //list_del
+ corruption
+There is no lock protection when deleting list in p9_conn_cancel(). After
+deleting list in Thread A, thread B will delete the same list again. It
+will cause issue of list_del corruption.
+
+Setting req->status to REQ_STATUS_ERROR under lock prevents other
+cleanup paths from trying to manipulate req_list.
+The other thread can safely check req->status because it still holds a
+reference to req at this point.
+
+Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com
+Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier")
+Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com
+Signed-off-by: Zhengchao Shao
+[Dominique: add description of the fix in commit message]
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_fd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 0191f22d1ec3..8487321c1fc7 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -202,9 +202,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
+
+ list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+ list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+
+ spin_unlock(&m->req_lock);
+--
+2.35.1
+
diff --git a/queue-6.0/af_key-fix-send_acquire-race-with-pfkey_register.patch b/queue-6.0/af_key-fix-send_acquire-race-with-pfkey_register.patch
new file mode 100644
index 00000000000..21ac17df789
--- /dev/null
+++ b/queue-6.0/af_key-fix-send_acquire-race-with-pfkey_register.patch
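Review bot: The two added `req->status = REQ_STATUS_ERROR;` stores in p9_conn_cancel() are plain writes, yet the commit message relies on other cleanup paths reading req->status to decide whether to touch req_list. That only closes the double list_del() if every such reader checks the status while holding m->req_lock; the reader side (p9_fd_cancel()) is not in this hunk, so this needs confirming against it. If any reader looks at req->status outside the lock, the stores should be `WRITE_ONCE(req->status, REQ_STATUS_ERROR);` paired with READ_ONCE() on the reader. A comment above the first loop such as `/* mark errored under req_lock so concurrent cancel paths skip list_del() */` would record why the status is set here; the function body starts and ends outside the hunk.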
@@ -0,0 +1,147 @@
+From 44fe6e4e444f177f3128ad81522bce3ffd651de4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Oct 2022 14:06:48 +0800
+Subject: af_key: Fix send_acquire race with pfkey_register
+
+From: Herbert Xu
+
+[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ]
+
+The function pfkey_send_acquire may race with pfkey_register
+(which could even be in a different name space). This may result
+in a buffer overrun.
+
+Allocating the maximum amount of memory that could be used prevents
+this.
+
+Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Herbert Xu
+Reviewed-by: Sabrina Dubroca
+Reviewed-by: Eric Dumazet
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index c85df5b958d2..213287814328 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2905,7 +2905,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t)
+ break;
+ if (!aalg->pfkey_supported)
+ continue;
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ return sz + sizeof(struct sadb_prop);
+@@ -2923,7 +2923,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!ealg->pfkey_supported)
+ continue;
+
+- if (!(ealg_tmpl_set(t, ealg) && ealg->available))
++ if (!(ealg_tmpl_set(t, ealg)))
+ continue;
+
+ for (k = 1; ; k++) {
+@@ -2934,16 +2934,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!aalg->pfkey_supported)
+ continue;
+
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ }
+ return sz + sizeof(struct sadb_prop);
+ }
+
+-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -2971,13 +2972,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i, k;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -3019,8 +3024,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+ static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
+@@ -3150,6 +3158,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ struct sadb_x_sec_ctx *sec_ctx;
+ struct xfrm_sec_ctx *xfrm_ctx;
+ int ctx_size = 0;
++ int alg_size = 0;
+
+ sockaddr_size = pfkey_sockaddr_size(x->props.family);
+ if (!sockaddr_size)
+@@ -3161,16 +3170,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ sizeof(struct sadb_x_policy);
+
+ if (x->id.proto == IPPROTO_AH)
+- size += count_ah_combs(t);
++ alg_size = count_ah_combs(t);
+ else if (x->id.proto == IPPROTO_ESP)
+- size += count_esp_combs(t);
++ alg_size = count_esp_combs(t);
+
+ if ((xfrm_ctx = x->security)) {
+ ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
+ size += sizeof(struct sadb_x_sec_ctx) + ctx_size;
+ }
+
+- skb = alloc_skb(size + 16, GFP_ATOMIC);
++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+@@ -3224,10 +3233,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ pol->sadb_x_policy_priority = xp->priority;
+
+ /* Set sadb_comb's. */
++ alg_size = 0;
+ if (x->id.proto == IPPROTO_AH)
+- dump_ah_combs(skb, t);
++ alg_size = dump_ah_combs(skb, t);
+ else if (x->id.proto == IPPROTO_ESP)
+- dump_esp_combs(skb, t);
++ alg_size = dump_esp_combs(skb, t);
++
++ hdr->sadb_msg_len += alg_size / 8;
+
+ /* security context */
+ if (xfrm_ctx) {
+--
+2.35.1
+
diff --git a/queue-6.0/arcnet-fix-potential-memory-leak-in-com20020_probe.patch b/queue-6.0/arcnet-fix-potential-memory-leak-in-com20020_probe.patch
new file mode 100644
index 00000000000..56f4950f11f
--- /dev/null
+++ b/queue-6.0/arcnet-fix-potential-memory-leak-in-com20020_probe.patch
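Review bot: Nothing in count_ah_combs()/count_esp_combs() records that they are now a deliberate upper bound (the `->available` test is dropped) while dump_ah_combs()/dump_esp_combs() return the size actually written, so a later cleanup that restores the test on the count side would quietly bring back the overrun described in the commit message. A comment on both count functions, for example `/* upper bound: ->available can change concurrently, so it is not tested here */`, would pin that contract. `hdr->sadb_msg_len += alg_size / 8;` additionally assumes the returned size is a multiple of 8; that presumably holds for sizeof(struct sadb_prop) and sizeof(struct sadb_comb), whose definitions are not on this page, and a short comment or BUILD_BUG_ON would make it explicit. All the touched functions start or end outside their hunks.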
@@ -0,0 +1,61 @@
+From 5ca79fc9d8b75393a7b5dd9ba84f0b23001dce8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Nov 2022 14:24:38 +0800
+Subject: arcnet: fix potential memory leak in com20020_probe()
+
+From: Wang Hai
+
+[ Upstream commit 1c40cde6b5171d9c8dfc69be00464fd1c75e210b ]
+
+In com20020_probe(), if com20020_config() fails, dev and info
+will not be freed, which will lead to a memory leak.
+
+This patch adds freeing dev and info after com20020_config()
+fails to fix this bug.
+
+Compile tested only.
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Wang Hai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/arcnet/com20020_cs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/arcnet/com20020_cs.c b/drivers/net/arcnet/com20020_cs.c
+index 24150c933fcb..dc3253b318da 100644
+--- a/drivers/net/arcnet/com20020_cs.c
++++ b/drivers/net/arcnet/com20020_cs.c
+@@ -113,6 +113,7 @@ static int com20020_probe(struct pcmcia_device *p_dev)
+ struct com20020_dev *info;
+ struct net_device *dev;
+ struct arcnet_local *lp;
++ int ret = -ENOMEM;
+
+ dev_dbg(&p_dev->dev, "com20020_attach()\n");
+
+@@ -142,12 +143,18 @@ static int com20020_probe(struct pcmcia_device *p_dev)
+ info->dev = dev;
+ p_dev->priv = info;
+
+- return com20020_config(p_dev);
++ ret = com20020_config(p_dev);
++ if (ret)
++ goto fail_config;
++
++ return 0;
+
++fail_config:
++ free_arcdev(dev);
+ fail_alloc_dev:
+ kfree(info);
+ fail_alloc_info:
+- return -ENOMEM;
++ return ret;
+ } /* com20020_attach */
+
+ static void com20020_detach(struct pcmcia_device *link)
+--
+2.35.1
+
diff --git a/queue-6.0/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch b/queue-6.0/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch
new file mode 100644
index 00000000000..bd65eb3924b
--- /dev/null
+++ b/queue-6.0/arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch
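Review bot: On the new `fail_config` path `info` is released by the fall-through `kfree(info)` while `p_dev->priv` still points at it, because `p_dev->priv = info;` runs just before com20020_config(). If anything reads p_dev->priv after a failed probe (com20020_detach() receives the same device, though its body is not visible here), that is a use-after-free or double free. Clearing it on the error path with `p_dev->priv = NULL;` right after the `fail_config:` label removes the dangling pointer. Since the commit is marked compile-tested only, it is also worth confirming that com20020_config() does not already release `dev` on its own failure path, otherwise `free_arcdev(dev)` here would free it a second time.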
@@ -0,0 +1,66 @@
+From a153a0bfcf9df37505442db2dad031e9023983cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Oct 2022 16:31:15 +0200
+Subject: ARM: dts: am335x-pcm-953: Define fixed regulators in root node
+
+From: Dominik Haller
+
+[ Upstream commit 8950f345a67d8046d2472dd6ea81fa18ef5b4844 ]
+
+Remove the regulators node and define fixed regulators in the root node.
+Prevents the sdhci-omap driver from waiting in probe deferral forever
+because of the missing vmmc-supply and keeps am335x-pcm-953 consistent with
+the other Phytec AM335 boards.
+
+Fixes: bb07a829ec38 ("ARM: dts: Add support for phyCORE-AM335x PCM-953 carrier board")
+Signed-off-by: Dominik Haller
+Message-Id: <20221011143115.248003-1-d.haller@phytec.de>
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/am335x-pcm-953.dtsi | 28 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+index dae448040a97..947497413977 100644
+--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi
++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+@@ -12,22 +12,20 @@ / {
+ compatible = "phytec,am335x-pcm-953", "phytec,am335x-phycore-som", "ti,am33xx";
+
+ /* Power */
+- regulators {
+- vcc3v3: fixedregulator@1 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc3v3";
+- regulator-min-microvolt = <3300000>;
+- regulator-max-microvolt = <3300000>;
+- regulator-boot-on;
+- };
++ vcc3v3: fixedregulator1 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc3v3";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-boot-on;
++ };
+
+- vcc1v8: fixedregulator@2 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc1v8";
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- regulator-boot-on;
+- };
++ vcc1v8: fixedregulator2 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc1v8";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ regulator-boot-on;
+ };
+
+ /* User IO */
+--
+2.35.1
+
diff --git a/queue-6.0/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch b/queue-6.0/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch
new file mode 100644
index 00000000000..19c79db046c
--- /dev/null
+++ b/queue-6.0/arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch
@@ -0,0 +1,57 @@
+From 85743f593ed8c45f531be12e5d364f954c25303f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Nov 2022 19:59:23 +0100
+Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl
+
+From: Michael Grzeschik
+
+[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ]
+
+We set the PIOC to GPIO mode. This way the pin becomes an
+input signal will be usable by the controller. Without
+this change the udc on the 9g20ek does not work.
+
+Cc: nicolas.ferre@microchip.com
+Cc: ludovic.desroches@microchip.com
+Cc: alexandre.belloni@bootlin.com
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: kernel@pengutronix.de
+Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support")
+Signed-off-by: Michael Grzeschik
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+index 60d61291f344..024af2db638e 100644
+--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+@@ -39,6 +39,13 @@ pinctrl_pck0_as_mck: pck0_as_mck {
+
+ };
+
++ usb1 {
++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio {
++ atmel,pins =
++ ; /* PC5 GPIO */
++ };
++ };
++
+ mmc0_slot1 {
+ pinctrl_board_mmc0_slot1: mmc0_slot1-board {
+ atmel,pins =
+@@ -84,6 +91,8 @@ macb0: ethernet@fffc4000 {
+ };
+
+ usb1: gadget@fffa4000 {
++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>;
++ pinctrl-names = "default";
+ atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--
+2.35.1
+
diff --git a/queue-6.0/arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch b/queue-6.0/arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch
new file mode 100644
index 00000000000..1a8ad110e30
--- /dev/null
+++ b/queue-6.0/arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch
@@ -0,0 +1,43 @@
+From 6a7e117086e54c822205669f125647b2bd2d3af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 10:41:02 -0300
+Subject: ARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties
+
+From: Fabio Estevam
+
+[ Upstream commit e68be7b39f21d8a9291a5a3019787cd3ca999dd7 ]
+
+make dtbs_check gives the following errors:
+
+ref-clock-frequency: size (9) error for type uint32
+tcxo-clock-frequency: size (9) error for type uint32
+
+Fix it by passing the frequencies inside < > as documented in
+Documentation/devicetree/bindings/net/wireless/ti,wlcore.yaml.
+
+Signed-off-by: Fabio Estevam
+Fixes: 0d446a505592 ("ARM: dts: add Protonic PRTI6Q board")
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q-prti6q.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6q-prti6q.dts b/arch/arm/boot/dts/imx6q-prti6q.dts
+index b4605edfd2ab..d8fa83effd63 100644
+--- a/arch/arm/boot/dts/imx6q-prti6q.dts
++++ b/arch/arm/boot/dts/imx6q-prti6q.dts
+@@ -364,8 +364,8 @@ wifi {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_wifi>;
+ interrupts-extended = <&gpio1 30 IRQ_TYPE_LEVEL_HIGH>;
+- ref-clock-frequency = "38400000";
+- tcxo-clock-frequency = "19200000";
++ ref-clock-frequency = <38400000>;
++ tcxo-clock-frequency = <19200000>;
+ };
+ };
+
+--
+2.35.1
+
diff --git a/queue-6.0/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch b/queue-6.0/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch
new file mode 100644
index 00000000000..e8e8c098ab3
--- /dev/null
+++ b/queue-6.0/arm-mxs-fix-memory-leak-in-mxs_machine_init.patch
@@ -0,0 +1,40 @@
+From 27baa624b7bea468c15d5e1e3ccbba7f823b56ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 06:20:11 +0000
+Subject: ARM: mxs: fix memory leak in mxs_machine_init()
+
+From: Zheng Yongjun
+
+[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ]
+
+If of_property_read_string() failed, 'soc_dev_attr' should be
+freed before return. Otherwise there is a memory leak.
+
+Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure")
+Signed-off-by: Zheng Yongjun
+Reviewed-by: Marco Felsch
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-mxs/mach-mxs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c
+index 25c9d184fa4c..1c57ac401649 100644
+--- a/arch/arm/mach-mxs/mach-mxs.c
++++ b/arch/arm/mach-mxs/mach-mxs.c
+@@ -393,8 +393,10 @@ static void __init mxs_machine_init(void)
+
+ root = of_find_node_by_path("/");
+ ret = of_property_read_string(root, "model", &soc_dev_attr->machine);
+- if (ret)
++ if (ret) {
++ kfree(soc_dev_attr);
+ return;
++ }
+
+ soc_dev_attr->family = "Freescale MXS Family";
+ soc_dev_attr->soc_id = mxs_get_soc_id();
+--
+2.35.1
+
diff --git a/queue-6.0/arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch b/queue-6.0/arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch
new file mode 100644
index 00000000000..8502b033e46
--- /dev/null
+++ b/queue-6.0/arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch
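Review bot: The new early-return branch in mxs_machine_init() frees soc_dev_attr but still returns while holding the device-node reference that `of_find_node_by_path("/")` took two lines earlier, so this error path trades one leak for a smaller one. Adding `of_node_put(root);` next to the `kfree(soc_dev_attr);` would release it. The function body continues past the end of the hunk, so whether `root` is put on the success path cannot be confirmed from here and is worth checking at the same time.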
@@ -0,0 +1,41 @@
+From be637b7746fdbc573e7d90e841af7f8e3fa3f158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Nov 2022 00:15:13 +0800
+Subject: arm64: dts: rockchip: Fix Pine64 Quartz4-B PMIC interrupt
+
+From: Chen-Yu Tsai
+
+[ Upstream commit 562105c1b072411c71ac2202410d83ee79297624 ]
+
+Ths PMIC's interrupt line is tied to GPIO0_A3. This is described
+correctly for the pinmux setting, but incorrectly for the interrupt.
+
+Correct the interrupt setting so that interrupts from the PMIC get
+delivered.
+
+Fixes: dcc8c66bef79 ("arm64: dts: rockchip: add Pine64 Quartz64-B device tree")
+Signed-off-by: Chen-Yu Tsai
+Reviewed-by: Peter Geis
+Link: https://lore.kernel.org/r/20221106161513.4140-1-wens@kernel.org
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
+index 528bb4e8ac77..a2d0524e0ec9 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
+@@ -176,7 +176,7 @@ rk809: pmic@20 {
+ compatible = "rockchip,rk809";
+ reg = <0x20>;
+ interrupt-parent = <&gpio0>;
+- interrupts = ;
++ interrupts = ;
+ clock-output-names = "rk808-clkout1", "rk808-clkout2";
+
+ pinctrl-names = "default";
+--
+2.35.1
+
diff --git a/queue-6.0/arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch b/queue-6.0/arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch
new file mode 100644
index 00000000000..c8bf30ea845
--- /dev/null
+++ b/queue-6.0/arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch
@@ -0,0 +1,59 @@
+From 7bdab3e72cdc0c77f293cbc8f71ad33cb3a7302a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Sep 2022 14:53:48 +0200
+Subject: arm64: dts: rockchip: fix quartz64-a bluetooth configuration
+
+From: Lev Popov
+
+[ Upstream commit 2dcd7e0c821fe9b663f7d3382b6d2faa8edf2129 ]
+
+For "Quartz64 Model A" add missing RTS line to the UART interface used by
+bluetooth and swap bluetooth host-wakeup and device-wakeup gpio pins to
+match the boards physical layout. This changes are necessary to make
+bluetooth provided by the wireless module work.
+
+Also set max-speed on the bluetooth device as it's not automatically
+detected.
+
+Fixes: b33a22a1e7c4 ("arm64: dts: rockchip: add basic dts for Pine64 Quartz64-A")
+Signed-off-by: Lev Popov
+Link: https://lore.kernel.org/r/20220926125350.64783-1-leo@nabam.net
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
+index a05460b92415..25a8c781f4e7 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
+@@ -740,7 +740,7 @@ &uart0 {
+
+ &uart1 {
+ pinctrl-names = "default";
+- pinctrl-0 = <&uart1m0_xfer &uart1m0_ctsn>;
++ pinctrl-0 = <&uart1m0_xfer &uart1m0_ctsn &uart1m0_rtsn>;
+ status = "okay";
+ uart-has-rtscts;
+
+@@ -748,13 +748,14 @@ bluetooth {
+ compatible = "brcm,bcm43438-bt";
+ clocks = <&rk817 1>;
+ clock-names = "lpo";
+- device-wakeup-gpios = <&gpio2 RK_PC1 GPIO_ACTIVE_HIGH>;
+- host-wakeup-gpios = <&gpio2 RK_PC0 GPIO_ACTIVE_HIGH>;
++ host-wakeup-gpios = <&gpio2 RK_PC1 GPIO_ACTIVE_HIGH>;
++ device-wakeup-gpios = <&gpio2 RK_PC0 GPIO_ACTIVE_HIGH>;
+ shutdown-gpios = <&gpio2 RK_PB7 GPIO_ACTIVE_HIGH>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
+ vbat-supply = <&vcc_sys>;
+ vddio-supply = <&vcca1v8_pmu>;
++ max-speed = <3000000>;
+ };
+ };
+
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch b/queue-6.0/asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch
new file mode 100644
index 00000000000..e9f86bdc2d6
--- /dev/null
+++ b/queue-6.0/asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch
@@ -0,0 +1,66 @@
+From 0413d34adc5819256a4b0c624e15efe3bf0a54d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 07:40:23 +0800
+Subject: ASoC: hdac_hda: fix hda pcm buffer overflow issue
+
+From: Junxiao Chang
+
+[ Upstream commit 37882100cd0629d830db430a8cee0b724fe1fea3 ]
+
+When KASAN is enabled, below log might be dumped with Intel EHL hardware:
+[ 48.583597] ==================================================================
+[ 48.585921] BUG: KASAN: slab-out-of-bounds in hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.587995] Write of size 4 at addr ffff888103489708 by task pulseaudio/759
+
+[ 48.589237] CPU: 2 PID: 759 Comm: pulseaudio Tainted: G U E 5.15.71-intel-ese-standard-lts #9
+[ 48.591272] Hardware name: Intel Corporation Elkhart Lake Embedded Platform/ElkhartLake LPDDR4x T3 CRB, BIOS EHLSFWI1.R00.4251.A01.2206130432 06/13/2022
+[ 48.593010] Call Trace:
+[ 48.593648]
+[ 48.593852] dump_stack_lvl+0x34/0x48
+[ 48.594404] print_address_description.constprop.0+0x1f/0x140
+[ 48.595174] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.595868] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.596519] kasan_report.cold+0x7f/0x11b
+[ 48.597003] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.597885] hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+
+HDAC_LAST_DAI_ID is last index id, pcm buffer array size should
+be +1 to avoid out of bound access.
+
+Fixes: 608b8c36c371 ("ASoC: hdac_hda: add support for HDMI/DP as a HDA codec")
+Reviewed-by: Kai Vehmanen
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Junxiao Chang
+Signed-off-by: Furong Zhou
+Link: https://lore.kernel.org/r/20221109234023.3111035-1-junxiao.chang@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/hdac_hda.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hda.h b/sound/soc/codecs/hdac_hda.h
+index fc19c34ca00e..b65560981abb 100644
+--- a/sound/soc/codecs/hdac_hda.h
++++ b/sound/soc/codecs/hdac_hda.h
+@@ -14,7 +14,7 @@ enum {
+ HDAC_HDMI_1_DAI_ID,
+ HDAC_HDMI_2_DAI_ID,
+ HDAC_HDMI_3_DAI_ID,
+- HDAC_LAST_DAI_ID = HDAC_HDMI_3_DAI_ID,
++ HDAC_DAI_ID_NUM
+ };
+
+ struct hdac_hda_pcm {
+@@ -24,7 +24,7 @@ struct hdac_hda_pcm {
+
+ struct hdac_hda_priv {
+ struct hda_codec *codec;
+- struct hdac_hda_pcm pcm[HDAC_LAST_DAI_ID];
++ struct hdac_hda_pcm pcm[HDAC_DAI_ID_NUM];
+ bool need_display_power;
+ };
+
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch b/queue-6.0/asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch
new file mode 100644
index 00000000000..66fcbf57787
--- /dev/null
+++ b/queue-6.0/asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch
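Review bot: The new enumerator `HDAC_DAI_ID_NUM` in sound/soc/codecs/hdac_hda.h carries no comment saying that it is a count rather than a DAI id, yet `pcm[HDAC_DAI_ID_NUM]` in struct hdac_hda_priv now depends on it staying the final entry of the enum. A DAI id added after it would bring back the out-of-bounds write shown in the KASAN report, so I would annotate it, for example `HDAC_DAI_ID_NUM /* number of DAI ids; keep last, sizes hdac_hda_priv.pcm[] */`. The enum starts above the hunk, and any remaining users of the removed `HDAC_LAST_DAI_ID` outside this header are not visible here and should be checked in the 6.0 tree.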
@@ -0,0 +1,321 @@
+From b7c2a85dca6b25a5954948051360460ee574dc57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 13:17:24 +0200
+Subject: ASoC: Intel: Drop hdac_ext usage for codec device creation
+
+From: Cezary Rojewski
+
+[ Upstream commit 3fd63658caed9494cca1d4789a66d3d2def2a0ab ]
+
+To make snd_hda_codec_device_init() the only constructor for struct
+hda_codec instances remaining tasks are:
+
+1) no struct may wrap struct hda_codec as its base type
+2) bus drivers (skylake and sof) which are the current hdac_ext users
+ need to be adjusted to make use of newly added codec init and exit
+ routines instead
+3) as bus drivers (skylake and sof) are to be responsible for creating
+ codec device and assigning it to hdac_hda_priv->codec,
+ hdac_hda_dev_probe() has to be freed of that job
+
+To keep git bisect happy, all of these in made in one-go.
+
+Reviewed-by: Kai Vehmanen
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Cezary Rojewski
+Acked-by: Mark Brown
+Link: https://lore.kernel.org/r/20220816111727.3218543-4-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/hdac_hda.c | 26 +++++++-----------
+ sound/soc/codecs/hdac_hda.h | 2 +-
+ sound/soc/intel/boards/hda_dsp_common.c | 2 +-
+ sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 +-
+ sound/soc/intel/skylake/skl.c | 26 ++++++++----------
+ sound/soc/sof/intel/hda-codec.c | 29 ++++++++------------
+ 6 files changed, 36 insertions(+), 51 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hda.c b/sound/soc/codecs/hdac_hda.c
+index 8debcee59224..77df4c5b274a 100644
+--- a/sound/soc/codecs/hdac_hda.c
++++ b/sound/soc/codecs/hdac_hda.c
+@@ -246,7 +246,7 @@ static int hdac_hda_dai_hw_free(struct snd_pcm_substream *substream,
+ return -EINVAL;
+
+ hda_stream = &pcm->stream[substream->stream];
+- snd_hda_codec_cleanup(&hda_pvt->codec, hda_stream, substream);
++ snd_hda_codec_cleanup(hda_pvt->codec, hda_stream, substream);
+
+ return 0;
+ }
+@@ -264,7 +264,7 @@ static int hdac_hda_dai_prepare(struct snd_pcm_substream *substream,
+ int ret = 0;
+
+ hda_pvt = snd_soc_component_get_drvdata(component);
+- hdev = &hda_pvt->codec.core;
++ hdev = &hda_pvt->codec->core;
+ pcm = snd_soc_find_pcm_from_dai(hda_pvt, dai);
+ if (!pcm)
+ return -EINVAL;
+@@ -274,7 +274,7 @@ static int hdac_hda_dai_prepare(struct snd_pcm_substream *substream,
+ stream = hda_pvt->pcm[dai->id].stream_tag[substream->stream];
+ format_val = hda_pvt->pcm[dai->id].format_val[substream->stream];
+
+- ret = snd_hda_codec_prepare(&hda_pvt->codec, hda_stream,
++ ret = snd_hda_codec_prepare(hda_pvt->codec, hda_stream,
+ stream, format_val, substream);
+ if (ret < 0)
+ dev_err(&hdev->dev, "codec prepare failed %d\n", ret);
+@@ -299,7 +299,7 @@ static int hdac_hda_dai_open(struct snd_pcm_substream *substream,
+
+ hda_stream = &pcm->stream[substream->stream];
+
+- return hda_stream->ops.open(hda_stream, &hda_pvt->codec, substream);
++ return hda_stream->ops.open(hda_stream, hda_pvt->codec, substream);
+ }
+
+ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+@@ -317,7 +317,7 @@ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+
+ hda_stream = &pcm->stream[substream->stream];
+
+- hda_stream->ops.close(hda_stream, &hda_pvt->codec, substream);
++ hda_stream->ops.close(hda_stream, hda_pvt->codec, substream);
+
+ snd_hda_codec_pcm_put(pcm);
+ }
+@@ -325,7 +325,7 @@ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+ static struct hda_pcm *snd_soc_find_pcm_from_dai(struct hdac_hda_priv *hda_pvt,
+ struct snd_soc_dai *dai)
+ {
+- struct hda_codec *hcodec = &hda_pvt->codec;
++ struct hda_codec *hcodec = hda_pvt->codec;
+ struct hda_pcm *cpcm;
+ const char *pcm_name;
+
+@@ -394,8 +394,8 @@ static int hdac_hda_codec_probe(struct snd_soc_component *component)
+ snd_soc_component_get_drvdata(component);
+ struct snd_soc_dapm_context *dapm =
+ snd_soc_component_get_dapm(component);
+- struct hdac_device *hdev = &hda_pvt->codec.core;
+- struct hda_codec *hcodec = &hda_pvt->codec;
++ struct hdac_device *hdev = &hda_pvt->codec->core;
++ struct hda_codec *hcodec = hda_pvt->codec;
+ struct hdac_ext_link *hlink;
+ hda_codec_patch_t patch;
+ int ret;
+@@ -515,8 +515,8 @@ static void hdac_hda_codec_remove(struct snd_soc_component *component)
+ {
+ struct hdac_hda_priv *hda_pvt =
+ snd_soc_component_get_drvdata(component);
+- struct hdac_device *hdev = &hda_pvt->codec.core;
+- struct hda_codec *codec = &hda_pvt->codec;
++ struct hdac_device *hdev = &hda_pvt->codec->core;
++ struct hda_codec *codec = hda_pvt->codec;
+ struct hdac_ext_link *hlink = NULL;
+
+ hlink = snd_hdac_ext_bus_get_link(hdev->bus, dev_name(&hdev->dev));
+@@ -584,7 +584,6 @@ static const struct snd_soc_component_driver hdac_hda_codec = {
+ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ {
+ struct hdac_ext_link *hlink;
+- struct hdac_hda_priv *hda_pvt;
+ int ret;
+
+ /* hold the ref while we probe */
+@@ -595,10 +594,6 @@ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ }
+ snd_hdac_ext_bus_link_get(hdev->bus, hlink);
+
+- hda_pvt = hdac_to_hda_priv(hdev);
+- if (!hda_pvt)
+- return -ENOMEM;
+-
+ /* ASoC specific initialization */
+ ret = devm_snd_soc_register_component(&hdev->dev,
+ &hdac_hda_codec, hdac_hda_dais,
+@@ -608,7 +603,6 @@ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ return ret;
+ }
+
+- dev_set_drvdata(&hdev->dev, hda_pvt);
+ snd_hdac_ext_bus_link_put(hdev->bus, hlink);
+
+ return ret;
+diff --git a/sound/soc/codecs/hdac_hda.h b/sound/soc/codecs/hdac_hda.h
+index d0efc5e254ae..fc19c34ca00e 100644
+--- a/sound/soc/codecs/hdac_hda.h
++++ b/sound/soc/codecs/hdac_hda.h
+@@ -23,7 +23,7 @@ struct hdac_hda_pcm {
+ };
+
+ struct hdac_hda_priv {
+- struct hda_codec codec;
++ struct hda_codec *codec;
+ struct hdac_hda_pcm pcm[HDAC_LAST_DAI_ID];
+ bool need_display_power;
+ };
+diff --git a/sound/soc/intel/boards/hda_dsp_common.c b/sound/soc/intel/boards/hda_dsp_common.c
+index 83c7dfbccd9d..04b7d4f7f9e2 100644
+--- a/sound/soc/intel/boards/hda_dsp_common.c
++++ b/sound/soc/intel/boards/hda_dsp_common.c
+@@ -54,7 +54,7 @@ int hda_dsp_hdmi_build_controls(struct snd_soc_card *card,
+ return -EINVAL;
+
+ hda_pvt = snd_soc_component_get_drvdata(comp);
+- hcodec = &hda_pvt->codec;
++ hcodec = hda_pvt->codec;
+
+ list_for_each_entry(hpcm, &hcodec->pcm_list_head, list) {
+ spcm = hda_dsp_hdmi_pcm_handle(card, i);
+diff --git a/sound/soc/intel/boards/skl_hda_dsp_generic.c b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+index 81144efb4b44..879ebba52832 100644
+--- a/sound/soc/intel/boards/skl_hda_dsp_generic.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+@@ -190,7 +190,7 @@ static void skl_set_hda_codec_autosuspend_delay(struct snd_soc_card *card)
+ * all codecs are on the same bus, so it's sufficient
+ * to look up only the first one
+ */
+- snd_hda_set_power_save(hda_pvt->codec.bus,
++ snd_hda_set_power_save(hda_pvt->codec->bus,
+ HDA_CODEC_AUTOSUSPEND_DELAY_MS);
+ break;
+ }
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index 33b0ed6b0534..c7c1cad2a753 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -694,7 +694,7 @@ static void skl_codec_device_exit(struct device *dev)
+ snd_hdac_device_exit(dev_to_hdac_dev(dev));
+ }
+
+-static __maybe_unused struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
++static struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
+ {
+ struct hda_codec *codec;
+ int ret;
+@@ -729,9 +729,8 @@ static int probe_codec(struct hdac_bus *bus, int addr)
+ struct skl_dev *skl = bus_to_skl(bus);
+ #if IS_ENABLED(CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC)
+ struct hdac_hda_priv *hda_codec;
+- int err;
+ #endif
+- struct hdac_device *hdev;
++ struct hda_codec *codec;
+
+ mutex_lock(&bus->cmd_mutex);
+ snd_hdac_bus_send_cmd(bus, cmd);
+@@ -747,25 +746,22 @@ static int probe_codec(struct hdac_bus *bus, int addr)
+ if (!hda_codec)
+ return -ENOMEM;
+
+- hda_codec->codec.bus = skl_to_hbus(skl);
+- hdev = &hda_codec->codec.core;
++ codec = skl_codec_device_init(bus, addr);
++ if (IS_ERR(codec))
++ return PTR_ERR(codec);
+
+- err = snd_hdac_ext_bus_device_init(bus, addr, hdev, HDA_DEV_ASOC);
+- if (err < 0)
+- return err;
++ hda_codec->codec = codec;
++ dev_set_drvdata(&codec->core.dev, hda_codec);
+
+ /* use legacy bus only for HDA codecs, idisp uses ext bus */
+ if ((res & 0xFFFF0000) != IDISP_INTEL_VENDOR_ID) {
+- hdev->type = HDA_DEV_LEGACY;
+- load_codec_module(&hda_codec->codec);
++ codec->core.type = HDA_DEV_LEGACY;
++ load_codec_module(hda_codec->codec);
+ }
+ return 0;
+ #else
+- hdev = devm_kzalloc(&skl->pci->dev, sizeof(*hdev), GFP_KERNEL);
+- if (!hdev)
+- return -ENOMEM;
+-
+- return snd_hdac_ext_bus_device_init(bus, addr, hdev, HDA_DEV_ASOC);
++ codec = skl_codec_device_init(bus, addr);
++ return PTR_ERR_OR_ZERO(codec);
+ #endif /* CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC */
+ }
+
+diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
+index 4c128ba02340..73336648cd25 100644
+--- a/sound/soc/sof/intel/hda-codec.c
++++ b/sound/soc/sof/intel/hda-codec.c
+@@ -114,8 +114,7 @@ static void hda_codec_device_exit(struct device *dev)
+ snd_hdac_device_exit(dev_to_hdac_dev(dev));
+ }
+
+-static __maybe_unused struct hda_codec *
+-hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
++static struct hda_codec *hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
+ {
+ struct hda_codec *codec;
+ int ret;
+@@ -145,11 +144,10 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ {
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC)
+ struct hdac_hda_priv *hda_priv;
+- struct hda_codec *codec;
+ int type = HDA_DEV_LEGACY;
+ #endif
+ struct hda_bus *hbus = sof_to_hbus(sdev);
+- struct hdac_device *hdev;
++ struct hda_codec *codec;
+ u32 hda_cmd = (address << 28) | (AC_NODE_ROOT << 20) |
+ (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID;
+ u32 resp = -1;
+@@ -172,20 +170,20 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ if (!hda_priv)
+ return -ENOMEM;
+
+- hda_priv->codec.bus = hbus;
+- hdev = &hda_priv->codec.core;
+- codec = &hda_priv->codec;
+-
+ /* only probe ASoC codec drivers for HDAC-HDMI */
+ if (!hda_codec_use_common_hdmi && (resp & 0xFFFF0000) == IDISP_VID_INTEL)
+ type = HDA_DEV_ASOC;
+
+- ret = snd_hdac_ext_bus_device_init(&hbus->core, address, hdev, type);
++ codec = hda_codec_device_init(&hbus->core, address, type);
++ ret = PTR_ERR_OR_ZERO(codec);
+ if (ret < 0)
+ return ret;
+
++ hda_priv->codec = codec;
++ dev_set_drvdata(&codec->core.dev, hda_priv);
++
+ if ((resp & 0xFFFF0000) == IDISP_VID_INTEL) {
+- if (!hdev->bus->audio_component) {
++ if (!hbus->core.audio_component) {
+ dev_dbg(sdev->dev,
+ "iDisp hw present but no driver\n");
+ ret = -ENOENT;
+@@ -211,15 +209,12 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+
+ out:
+ if (ret < 0) {
+- snd_hdac_device_unregister(hdev);
+- put_device(&hdev->dev);
++ snd_hdac_device_unregister(&codec->core);
++ put_device(&codec->core.dev);
+ }
+ #else
+- hdev = devm_kzalloc(sdev->dev, sizeof(*hdev), GFP_KERNEL);
+- if (!hdev)
+- return -ENOMEM;
+-
+- ret = snd_hdac_ext_bus_device_init(&hbus->core, address, hdev, HDA_DEV_ASOC);
++ codec = hda_codec_device_init(&hbus->core, address);
++ ret = PTR_ERR_OR_ZERO(codec);
+ #endif
+
+ return ret;
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch b/queue-6.0/asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch
new file mode 100644
index 00000000000..2637d0d12fc
--- /dev/null
+++ b/queue-6.0/asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch
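Review bot: In the `#else` branch of hda_codec_probe() in sound/soc/sof/intel/hda-codec.c, the new call `hda_codec_device_init(&hbus->core, address)` passes two arguments, while the same patch leaves the helper declared as `hda_codec_device_init(struct hdac_bus *bus, int addr, int type)`. A build with CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC disabled should therefore fail on this line. The removed code registered the device as HDA_DEV_ASOC here, so `codec = hda_codec_device_init(&hbus->core, address, HDA_DEV_ASOC);` looks like the intended call. Since this patch is only pulled in as a Stable-dep-of, it is worth confirming that the queue also carries a follow-up for this branch, or build-testing that configuration before release.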
@@ -0,0 +1,68 @@
+From 3a30bcd213a5b161da01e6d88754a588dad63559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 13:17:22 +0200
+Subject: ASoC: Intel: Skylake: Introduce HDA codec init and exit routines
+
+From: Cezary Rojewski
+
+[ Upstream commit e4746d94d00c52918461bc169e009b6784a38e21 ]
+
+Preliminary step in making snd_hda_codec_device_init() the only
+constructor for struct hda_codec instances. To do that, existing usage
+of hdac_ext equivalents has to be dropped.
+
+Reviewed-by: Kai Vehmanen
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Cezary Rojewski
+Acked-by: Mark Brown
+Link: https://lore.kernel.org/r/20220816111727.3218543-2-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/skylake/skl.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index aeca58246fc7..33b0ed6b0534 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -689,6 +689,35 @@ static void load_codec_module(struct hda_codec *codec)
+
+ #endif /* CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC */
+
++static void skl_codec_device_exit(struct device *dev)
++{
++ snd_hdac_device_exit(dev_to_hdac_dev(dev));
++}
++
++static __maybe_unused struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
++{
++ struct hda_codec *codec;
++ int ret;
++
++ codec = snd_hda_codec_device_init(to_hda_bus(bus), addr, "ehdaudio%dD%d", bus->idx, addr);
++ if (IS_ERR(codec)) {
++ dev_err(bus->dev, "device init failed for hdac device\n");
++ return codec;
++ }
++
++ codec->core.type = HDA_DEV_ASOC;
++ codec->core.dev.release = skl_codec_device_exit;
++
++ ret = snd_hdac_device_register(&codec->core);
++ if (ret) {
++ dev_err(bus->dev, "failed to register hdac device\n");
++ snd_hdac_device_exit(&codec->core);
++ return ERR_PTR(ret);
++ }
++
++ return codec;
++}
++
+ /*
+ * Probe the given codec address
+ */
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-max98373-add-checks-for-devm_kcalloc.patch b/queue-6.0/asoc-max98373-add-checks-for-devm_kcalloc.patch
new file mode 100644
index 00000000000..5c5f2387355
--- /dev/null
+++ b/queue-6.0/asoc-max98373-add-checks-for-devm_kcalloc.patch
@@ -0,0 +1,40 @@
+From 8041c1d6dd05e29f3a8b07b8ca8f0342079b720a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 16:25:08 +0800
+Subject: ASoC: max98373: Add checks for devm_kcalloc
+
+From: Jiasheng Jiang
+
+[ Upstream commit 60591bbf6d5eb44f275eb733943b7757325c1b60 ]
+
+As the devm_kcalloc may return NULL pointer,
+it should be better to check the return value
+in order to avoid NULL poineter dereference.
+
+Fixes: 349dd23931d1 ("ASoC: max98373: don't access volatile registers in bias level off")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20221116082508.17418-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/max98373-i2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/codecs/max98373-i2c.c b/sound/soc/codecs/max98373-i2c.c
+index 3e04c7f0cce4..ec0905df65d1 100644
+--- a/sound/soc/codecs/max98373-i2c.c
++++ b/sound/soc/codecs/max98373-i2c.c
+@@ -549,6 +549,10 @@ static int max98373_i2c_probe(struct i2c_client *i2c)
+ max98373->cache = devm_kcalloc(&i2c->dev, max98373->cache_num,
+ sizeof(*max98373->cache),
+ GFP_KERNEL);
++ if (!max98373->cache) {
++ ret = -ENOMEM;
++ return ret;
++ }
+
+ for (i = 0; i < max98373->cache_num; i++)
+ max98373->cache[i].reg = max98373_i2c_cache_reg[i];
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch b/queue-6.0/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch
new file mode 100644
index 00000000000..170434dc9a0
--- /dev/null
+++ b/queue-6.0/asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch
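Review bot: On the snd_hdac_device_register() failure path, skl_codec_device_init() calls `snd_hdac_device_exit(&codec->core);` directly instead of dropping the device reference, even though it has just installed skl_codec_device_exit as `codec->core.dev.release`. snd_hda_codec_device_init() is not visible here, but if it hands back an initialised struct device, the codec allocation and its device name are presumably only freed when the last reference is put, so this path would leak them. Replacing the call with `put_device(&codec->core.dev);` would let the release callback do the teardown. The same pattern appears in hda_codec_device_init() in the SOF "Introduce HDA codec init and exit routines" patch later in this queue.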
@@ -0,0 +1,48 @@
+From c3b6c65587ed9cbe252afd66096377f280d9966c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 14:06:12 -0500
+Subject: ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove
+
+From: Detlev Casanova
+
+[ Upstream commit 0bb8e9b36b5b7f2e77892981ff6c27ee831d8026 ]
+
+Since commit bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove"),
+the device power control registers are reset when the driver is
+removed/shutdown.
+
+This is an issue when the device is configured to use the PLL clock. The
+device will stop responding if it is still configured to use the PLL
+clock but the PLL clock is powered down.
+
+When rebooting linux, the probe function will show:
+sgtl5000 0-000a: Error reading chip id -11
+
+Make sure that the CHIP_CLK_CTRL is reset to its default value before
+powering down the device.
+
+Fixes: bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove")
+Signed-off-by: Detlev Casanova
+Reviewed-by: Fabio Estevam
+Link: https://lore.kernel.org/r/20221110190612.1341469-1-detlev.casanova@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/sgtl5000.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index 3fafd9fc5cfd..75a45ad55aa8 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1794,6 +1794,7 @@ static int sgtl5000_i2c_remove(struct i2c_client *client)
+ {
+ struct sgtl5000_priv *sgtl5000 = i2c_get_clientdata(client);
+
++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_CLK_CTRL, SGTL5000_CHIP_CLK_CTRL_DEFAULT);
+ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_DIG_POWER, SGTL5000_DIG_POWER_DEFAULT);
+ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_ANA_POWER, SGTL5000_ANA_POWER_DEFAULT);
+
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch b/queue-6.0/asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch
new file mode 100644
index 00000000000..7211222691d
--- /dev/null
+++ b/queue-6.0/asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch
@@ -0,0 +1,47 @@
+From 219afc4d991565de986a68de9c150077c1f35cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Nov 2022 13:22:13 +0000
+Subject: ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open()
+
+From: Richard Fitzgerald
+
+[ Upstream commit 39bd801d6908900e9ab0cdc2655150f95ddd4f1a ]
+
+The DAI tx_mask and rx_mask are set by snd_soc_dai_set_tdm_slot()
+and used by later code that depends on the TDM settings. So
+__soc_pcm_open() should not be obliterating those mask values.
+
+The code in __soc_pcm_hw_params() uses these masks to calculate the
+active channels so that only the AIF_IN/AIF_OUT widgets for the
+active TDM slots are enabled. The zeroing of the masks in
+__soc_pcm_open() disables this functionality so all AIF widgets
+were enabled even for channels that are not assigned to a TDM slot.
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2e5894d73789 ("ASoC: pcm: Add support for DAI multicodec")
+Link: https://lore.kernel.org/r/20221104132213.121847-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-pcm.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 4d9b91e7e14f..f6a996f0f9c7 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -800,11 +800,6 @@ static int __soc_pcm_open(struct snd_soc_pcm_runtime *rtd,
+ ret = snd_soc_dai_startup(dai, substream);
+ if (ret < 0)
+ goto err;
+-
+- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- dai->tx_mask = 0;
+- else
+- dai->rx_mask = 0;
+ }
+
+ /* Dynamic PCM DAI links compat checks use dynamic capabilities */
+--
+2.35.1
+
diff --git a/queue-6.0/asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch b/queue-6.0/asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch
new file mode 100644
index 00000000000..bd0345b1c32
--- /dev/null
+++ b/queue-6.0/asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch
@@ -0,0 +1,69 @@
+From 5f08ca2c986acd9e22d559f75b1ece19449470f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 13:17:23 +0200
+Subject: ASoC: SOF: Intel: Introduce HDA codec init and exit routines
+
+From: Cezary Rojewski
+
+[ Upstream commit 829c67319806009abfe3b0b82b3b8b153a2c5e32 ]
+
+Preliminary step in making snd_hda_codec_device_init() the only
+constructor for struct hda_codec instances. To do that, existing usage
+of hdac_ext equivalents has to be dropped.
+
+Reviewed-by: Kai Vehmanen
+Reviewed-by: Pierre-Louis Bossart
+Signed-off-by: Cezary Rojewski
+Acked-by: Mark Brown
+Link: https://lore.kernel.org/r/20220816111727.3218543-3-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sof/intel/hda-codec.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
+index 2f3f4a733d9e..4c128ba02340 100644
+--- a/sound/soc/sof/intel/hda-codec.c
++++ b/sound/soc/sof/intel/hda-codec.c
+@@ -109,6 +109,36 @@ EXPORT_SYMBOL_NS(hda_codec_jack_check, SND_SOC_SOF_HDA_AUDIO_CODEC);
+ #define is_generic_config(x) 0
+ #endif
+
++static void hda_codec_device_exit(struct device *dev)
++{
++ snd_hdac_device_exit(dev_to_hdac_dev(dev));
++}
++
++static __maybe_unused struct hda_codec *
++hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
++{
++ struct hda_codec *codec;
++ int ret;
++
++ codec = snd_hda_codec_device_init(to_hda_bus(bus), addr, "ehdaudio%dD%d", bus->idx, addr);
++ if (IS_ERR(codec)) {
++ dev_err(bus->dev, "device init failed for hdac device\n");
++ return codec;
++ }
++
++ codec->core.type = type;
++ codec->core.dev.release = hda_codec_device_exit;
++
++ ret = snd_hdac_device_register(&codec->core);
++ if (ret) {
++ dev_err(bus->dev, "failed to register hdac device\n");
++ snd_hdac_device_exit(&codec->core);
++ return ERR_PTR(ret);
++ }
++
++ return codec;
++}
++
+ /* probe individual codec */
+ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ bool hda_codec_use_common_hdmi)
+--
+2.35.1
+
diff --git a/queue-6.0/blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch b/queue-6.0/blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch
new file mode 100644
index 00000000000..d780fe14f2d
--- /dev/null
+++ b/queue-6.0/blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch
@@ -0,0 +1,47 @@
+From 4e92e2b99da6f496f21bc0c003fe032123d8f463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 08:27:53 +0100
+Subject: blk-mq: fix queue reference leak on blk_mq_alloc_disk_for_queue
+ failure
+
+From: Christoph Hellwig
+
+[ Upstream commit 22c17e279a1b03bad7987e4a4192b289b890f293 ]
+
+Drop the request queue reference just acquired when __alloc_disk_node
+failed.
+
+Fixes: 6f8191fdf41d ("block: simplify disk shutdown")
+Reported-by: Al Viro
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Damien Le Moal
+Link: https://lore.kernel.org/r/20221122072753.426077-1-hch@lst.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 4402e4ecb8b1..3f1f5e3e0951 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3956,9 +3956,14 @@ EXPORT_SYMBOL(__blk_mq_alloc_disk);
+ struct gendisk *blk_mq_alloc_disk_for_queue(struct request_queue *q,
+ struct lock_class_key *lkclass)
+ {
++ struct gendisk *disk;
++
+ if (!blk_get_queue(q))
+ return NULL;
+- return __alloc_disk_node(q, NUMA_NO_NODE, lkclass);
++ disk = __alloc_disk_node(q, NUMA_NO_NODE, lkclass);
++ if (!disk)
++ blk_put_queue(q);
++ return disk;
+ }
+ EXPORT_SYMBOL(blk_mq_alloc_disk_for_queue);
+
+--
+2.35.1
+
diff --git a/queue-6.0/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch b/queue-6.0/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
new file mode 100644
index 00000000000..7c92a38a1d2
--- /dev/null
+++ b/queue-6.0/bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
@@ -0,0 +1,58 @@ +From 39e73055b68976a0d983a262d8fa3b0c31923758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 15:02:02 +0800 +Subject: bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending() + +From: Yang Yingliang + +[ Upstream commit 3637a29ccbb6461b7268c5c5db525935d510afc6 ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). Call pci_dev_put() before returning from +bnx2x_vf_is_pcie_pending() to avoid refcount leak. + +Fixes: b56e9670ffa4 ("bnx2x: Prepare device and initialize VF database") +Suggested-by: Jakub Kicinski +Signed-off-by: Yang Yingliang +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221119070202.1407648-1-yangyingliang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +index 11d15cd03600..77d4cb4ad782 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +@@ -795,16 +795,20 @@ static void bnx2x_vf_enable_traffic(struct bnx2x *bp, struct bnx2x_virtf *vf) + + static u8 bnx2x_vf_is_pcie_pending(struct bnx2x *bp, u8 abs_vfid) + { +- struct pci_dev *dev; + struct bnx2x_virtf *vf = bnx2x_vf_by_abs_fid(bp, abs_vfid); ++ struct pci_dev *dev; ++ bool pending; + + if (!vf) + return false; + + dev = pci_get_domain_bus_and_slot(vf->domain, vf->bus, vf->devfn); +- if (dev) +- return bnx2x_is_pcie_pending(dev); +- return false; ++ if (!dev) ++ return false; ++ pending = bnx2x_is_pcie_pending(dev); ++ pci_dev_put(dev); ++ ++ return pending; + } + + int bnx2x_vf_flr_clnup_epilog(struct bnx2x *bp, u8 abs_vfid) +-- +2.35.1 + 
diff --git a/queue-6.0/bonding-fix-icmpv6-header-handling-when-receiving-ip.patch b/queue-6.0/bonding-fix-icmpv6-header-handling-when-receiving-ip.patch
new file mode 100644
index 00000000000..d4e458fa97b
--- /dev/null
+++ b/queue-6.0/bonding-fix-icmpv6-header-handling-when-receiving-ip.patch
@@ -0,0 +1,65 @@
+From 33b5c15a3c8254d3ca517eca9d04ff0ba0ff2d82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 11:43:53 +0800
+Subject: bonding: fix ICMPv6 header handling when receiving IPv6 messages
+
+From: Hangbin Liu
+
+[ Upstream commit 4d633d1b468b6eb107a81b2fd10b9debddca3d47 ]
+
+Currently, we get icmp6hdr via function icmp6_hdr(), which needs the skb
+transport header to be set first. But there is no rule to ask driver set
+transport header before netif_receive_skb() and bond_handle_frame(). So
+we will not able to get correct icmp6hdr on some drivers.
+
+Fix this by using skb_header_pointer to get the IPv6 and ICMPV6 headers.
+
+Reported-by: Liang Li
+Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
+Suggested-by: Eric Dumazet
+Signed-off-by: Hangbin Liu
+Reviewed-by: Eric Dumazet
+Acked-by: Jay Vosburgh
+Link: https://lore.kernel.org/r/20221118034353.1736727-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 86d42306aa5e..76dd5ff1d99d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3231,16 +3231,23 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+ struct slave *slave)
+ {
+ struct slave *curr_active_slave, *curr_arp_slave;
+- struct icmp6hdr *hdr = icmp6_hdr(skb);
+ struct in6_addr *saddr, *daddr;
++ struct {
++ struct ipv6hdr ip6;
++ struct icmp6hdr icmp6;
++ } *combined, _combined;
+
+ if (skb->pkt_type == PACKET_OTHERHOST ||
+- skb->pkt_type == PACKET_LOOPBACK ||
+- hdr->icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)
++ skb->pkt_type == PACKET_LOOPBACK)
++ goto out;
++
++ combined = skb_header_pointer(skb, 0, sizeof(_combined), &_combined);
++ if (!combined || combined->ip6.nexthdr != NEXTHDR_ICMP ||
++ combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)
+ goto out;
+
+- saddr = &ipv6_hdr(skb)->saddr;
+- daddr = &ipv6_hdr(skb)->daddr;
++ saddr = &combined->ip6.saddr;
++ daddr = &combined->ip6.saddr;
+
+ slave_dbg(bond->dev, slave->dev, "%s: %s/%d av %d sv %d sip %pI6c tip %pI6c\n",
+ __func__, slave->dev->name, bond_slave_state(slave),
+--
+2.35.1
+
diff --git a/queue-6.0/bus-sunxi-rsb-remove-the-shutdown-callback.patch b/queue-6.0/bus-sunxi-rsb-remove-the-shutdown-callback.patch
new file mode 100644
index 00000000000..c153f57f74b
--- /dev/null
+++ b/queue-6.0/bus-sunxi-rsb-remove-the-shutdown-callback.patch
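Review bot: In the rewritten bond_na_rcv() the destination pointer is taken from the source field: the new line `daddr = &combined->ip6.saddr;` replaces `daddr = &ipv6_hdr(skb)->daddr;`, so saddr and daddr alias the same address and the advertisement's destination is never read. It should read `daddr = &combined->ip6.daddr;`. The slave_dbg() call that follows formats both `sip` and `tip`, and any later validation of the neighbour advertisement against daddr would be made against the sender's address instead; the rest of the function lies outside the hunk, so the exact effect cannot be confirmed from here. Separately, a short comment on the `skb_header_pointer(skb, 0, ...)` call saying that offset 0 is assumed to be the start of the IPv6 header would document the assumption the length and `nexthdr` checks depend on.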
@@ -0,0 +1,55 @@
+From b75208806f9d39415562f2d00fbe0728c635eb08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Nov 2022 19:57:47 -0600
+Subject: bus: sunxi-rsb: Remove the shutdown callback
+
+From: Samuel Holland
+
+[ Upstream commit 5f4696ddca4b8a0bbbc36bd46829f97aab5a4552 ]
+
+Shutting down the RSB controller prevents communicating with a PMIC
+inside pm_power_off(), since that gets called after device_shutdown(),
+so it breaks system poweroff on some boards.
+
+Reported-by: Ivaylo Dimitrov
+Tested-by: Ivaylo Dimitrov
+Acked-by: Jernej Skrabec
+Fixes: 843107498f91 ("bus: sunxi-rsb: Implement suspend/resume/shutdown callbacks")
+Signed-off-by: Samuel Holland
+Link: https://lore.kernel.org/r/20221114015749.28490-2-samuel@sholland.org
+Signed-off-by: Jernej Skrabec
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/sunxi-rsb.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 4cd2e127946e..17343cd75338 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -812,14 +812,6 @@ static int sunxi_rsb_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-static void sunxi_rsb_shutdown(struct platform_device *pdev)
+-{
+- struct sunxi_rsb *rsb = platform_get_drvdata(pdev);
+-
+- pm_runtime_disable(&pdev->dev);
+- sunxi_rsb_hw_exit(rsb);
+-}
+-
+ static const struct dev_pm_ops sunxi_rsb_dev_pm_ops = {
+ SET_RUNTIME_PM_OPS(sunxi_rsb_runtime_suspend,
+ sunxi_rsb_runtime_resume, NULL)
+@@ -835,7 +827,6 @@ MODULE_DEVICE_TABLE(of, sunxi_rsb_of_match_table);
+ static struct platform_driver sunxi_rsb_driver = {
+ .probe = sunxi_rsb_probe,
+ .remove = sunxi_rsb_remove,
+- .shutdown = sunxi_rsb_shutdown,
+ .driver = {
+ .name = RSB_CTRL_NAME,
+ .of_match_table = sunxi_rsb_of_match_table,
+--
+2.35.1
+
diff --git a/queue-6.0/bus-sunxi-rsb-support-atomic-transfers.patch b/queue-6.0/bus-sunxi-rsb-support-atomic-transfers.patch
new file mode 100644
index 00000000000..e6f29140002
--- /dev/null
+++ b/queue-6.0/bus-sunxi-rsb-support-atomic-transfers.patch
@@ -0,0 +1,92 @@
+From 6abb3ae53b1374d007b0665bdfec09bcc9eed9b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Nov 2022 19:57:48 -0600
+Subject: bus: sunxi-rsb: Support atomic transfers
+
+From: Samuel Holland
+
+[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ]
+
+When communicating with a PMIC during system poweroff (pm_power_off()),
+IRQs are disabled and we are in a RCU read-side critical section, so we
+cannot use wait_for_completion_io_timeout(). Instead, poll the status
+register for transfer completion.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Signed-off-by: Samuel Holland
+Reviewed-by: Jernej Skrabec
+Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org
+Signed-off-by: Jernej Skrabec
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 17343cd75338..3aa91aed3bf7 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -267,6 +267,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register);
+ /* common code that starts a transfer */
+ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ {
++ u32 int_mask, status;
++ bool timeout;
++
+ if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) {
+ dev_dbg(rsb->dev, "RSB transfer still in progress\n");
+ return -EBUSY;
+@@ -274,13 +277,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+
+ reinit_completion(&rsb->complete);
+
+- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER,
+- rsb->regs + RSB_INTE);
++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER;
++ writel(int_mask, rsb->regs + RSB_INTE);
+ writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB,
+ rsb->regs + RSB_CTRL);
+
+- if (!wait_for_completion_io_timeout(&rsb->complete,
+- msecs_to_jiffies(100))) {
++ if (irqs_disabled()) {
++ timeout = readl_poll_timeout_atomic(rsb->regs + RSB_INTS,
++ status, (status & int_mask),
++ 10, 100000);
++ writel(status, rsb->regs + RSB_INTS);
++ } else {
++ timeout = !wait_for_completion_io_timeout(&rsb->complete,
++ msecs_to_jiffies(100));
++ status = rsb->status;
++ }
++
++ if (timeout) {
+ dev_dbg(rsb->dev, "RSB timeout\n");
+
+ /* abort the transfer */
+@@ -292,18 +305,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ return -ETIMEDOUT;
+ }
+
+- if (rsb->status & RSB_INTS_LOAD_BSY) {
++ if (status & RSB_INTS_LOAD_BSY) {
+ dev_dbg(rsb->dev, "RSB busy\n");
+ return -EBUSY;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR) {
+- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) {
++ if (status & RSB_INTS_TRANS_ERR) {
++ if (status & RSB_INTS_TRANS_ERR_ACK) {
+ dev_dbg(rsb->dev, "RSB slave nack\n");
+ return -EINVAL;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) {
++ if (status & RSB_INTS_TRANS_ERR_DATA) {
+ dev_dbg(rsb->dev, "RSB transfer data error\n");
+ return -EIO;
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch b/queue-6.0/cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch
new file mode 100644
index 00000000000..b4c658c202b
--- /dev/null
+++ b/queue-6.0/cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch
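Review bot: The atomic branch of _sunxi_rsb_run_xfer() spells its timeout as bare literals, `10, 100000` in the readl_poll_timeout_atomic() call, while the sleeping branch uses `msecs_to_jiffies(100)`; both express the same 100 ms budget but nothing in the code ties them together. A named constant shared by both branches, plus a comment above `if (irqs_disabled())` such as `/* pm_power_off() runs with IRQs off: poll RSB_INTS instead of sleeping */`, would keep them in step and explain why the interrupt path is bypassed. That comment should also say that the polling path can busy-wait for up to 100 ms with interrupts disabled. On a poll timeout `writel(status, rsb->regs + RSB_INTS);` still runs with the last value read, which looks intentional but is not stated; the function starts and ends outside the visible hunks.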
@@ -0,0 +1,67 @@
+From 5e4534c08bcfa8607a7ef116c2af62775c1a8ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 15:35:38 +0800
+Subject: cpufreq: amd-pstate: change amd-pstate driver to be built-in type
+
+From: Perry Yuan
+
+[ Upstream commit 456ca88d8a5258fc66edc42a10053ac8473de2b1 ]
+
+Currently when the amd-pstate and acpi_cpufreq are both built into
+kernel as module driver, amd-pstate will not be loaded by default
+in this case.
+
+Change amd-pstate driver as built-in type, it will resolve the loading
+sequence problem to allow user to make amd-pstate driver as the default
+cpufreq scaling driver.
+
+Acked-by: Huang Rui
+Reviewed-by: Gautham R. Shenoy
+Tested-by: Wyes Karny
+Signed-off-by: Perry Yuan
+Fixes: ec437d71db77 ("cpufreq: amd-pstate: Introduce a new AMD P-State driver to support future processors")
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/Kconfig.x86 | 2 +-
+ drivers/cpufreq/amd-pstate.c | 11 +----------
+ 2 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/cpufreq/Kconfig.x86 b/drivers/cpufreq/Kconfig.x86
+index 55516043b656..8184378f67ef 100644
+--- a/drivers/cpufreq/Kconfig.x86
++++ b/drivers/cpufreq/Kconfig.x86
+@@ -35,7 +35,7 @@ config X86_PCC_CPUFREQ
+ If in doubt, say N.
+
+ config X86_AMD_PSTATE
+- tristate "AMD Processor P-State driver"
++ bool "AMD Processor P-State driver"
+ depends on X86 && ACPI
+ select ACPI_PROCESSOR
+ select ACPI_CPPC_LIB if X86_64
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index d63a28c5f95a..e808d2b3ef57 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -718,16 +718,7 @@ static int __init amd_pstate_init(void)
+
+ return ret;
+ }
+-
+-static void __exit amd_pstate_exit(void)
+-{
+- cpufreq_unregister_driver(&amd_pstate_driver);
+-
+- amd_pstate_enable(false);
+-}
+-
+-module_init(amd_pstate_init);
+-module_exit(amd_pstate_exit);
++device_initcall(amd_pstate_init);
+
+ MODULE_AUTHOR("Huang Rui ");
+ MODULE_DESCRIPTION("AMD Processor P-state Frequency Driver");
+--
+2.35.1
+
diff --git a/queue-6.0/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch b/queue-6.0/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch
new file mode 100644
index 00000000000..329753870c8
--- /dev/null
+++ b/queue-6.0/dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch
@@ -0,0 +1,113 @@
+From a0a72565c726c9560ceeadb136134095bd5d1b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 17:49:11 -0800
+Subject: dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 77934dc6db0d2b111a8f2759e9ad2fb67f5cffa5 ]
+
+When connect() is called on a socket bound to the wildcard address,
+we change the socket's saddr to a local address. If the socket
+fails to connect() to the destination, we have to reset the saddr.
+
+However, when an error occurs after inet_hash6?_connect() in
+(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
+the socket bound to the address.
+
+From the user's point of view, whether saddr is reset or not varies
+with errno. Let's fix this inconsistent behaviour.
+
+Note that after this patch, the repro [0] will trigger the WARN_ON()
+in inet_csk_get_port() again, but this patch is not buggy and rather
+fixes a bug papering over the bhash2's bug for which we need another
+fix.
+
+For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
+by this sequence:
+
+ s1 = socket()
+ s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s1.bind(('127.0.0.1', 10000))
+ s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
+ # or s1.connect(('127.0.0.1', 10000))
+
+ s2 = socket()
+ s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s2.bind(('0.0.0.0', 10000))
+ s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL
+
+ s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
+
+[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
+
+Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Joanne Koong
+Reviewed-by: Eric Dumazet
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/dccp/ipv4.c | 2 ++
+ net/dccp/ipv6.c | 2 ++
+ net/ipv4/tcp_ipv4.c | 2 ++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 4 files changed, 8 insertions(+)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index da6e3b20cd75..60379ad7ae06 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -136,6 +136,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * This unhashes the socket and releases the local port, if necessary.
+ */
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index fd44638ec16b..f9ed81a0ddbb 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -967,6 +967,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ __sk_dst_reset(sk);
+ failure:
+ inet->inet_dport = 0;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index fe9a6022db66..ef8013e2134f 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -323,6 +323,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * if necessary.
+ */
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index e54eee80ce5f..5516cfb96c48 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -340,6 +340,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ failure:
+ inet->inet_dport = 0;
+ sk->sk_route_caps = 0;
+--
+2.35.1
+
diff --git a/queue-6.0/dma-buf-fix-racing-conflict-of-dma_heap_add.patch b/queue-6.0/dma-buf-fix-racing-conflict-of-dma_heap_add.patch
new file mode 100644
index 00000000000..6e3346c4d11
--- /dev/null
+++ b/queue-6.0/dma-buf-fix-racing-conflict-of-dma_heap_add.patch
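Review bot: The added `if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) inet_reset_saddr(sk);` clears the source address on the late-failure path, but by the commit message's own account the reproducer then reaches `WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2)` in inet_csk_get_port() again, because a separate bhash2 bug is no longer masked. For a stable queue this patch should therefore travel with the bhash2 fix the message refers to ("for which we need another fix"), or the queue entry should record that the warning is expected until that fix lands. The same two lines are repeated in dccp_v4_connect(), dccp_v6_connect(), tcp_v4_connect() and tcp_v6_connect(); a one-line comment at each site, e.g. `/* undo the autoselected saddr unless the user bound the address */`, would make the SOCK_BINDADDR_LOCK condition self-explanatory. All four functions start and end outside their hunks.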
@@ -0,0 +1,94 @@
+From 138dcfa460ed96b55c25e81b5cf1e7643378af56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Nov 2022 00:05:36 +0800
+Subject: dma-buf: fix racing conflict of dma_heap_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dawei Li
+
+[ Upstream commit 432e25902b9651622578c6248e549297d03caf66 ]
+
+Racing conflict could be:
+task A task B
+list_for_each_entry
+strcmp(h->name))
+ list_for_each_entry
+ strcmp(h->name)
+kzalloc kzalloc
+...... .....
+device_create device_create
+list_add
+ list_add
+
+The root cause is that task B has no idea about the fact someone
+else(A) has inserted heap with same name when it calls list_add,
+so a potential collision occurs.
+
+Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework")
+Signed-off-by: Dawei Li
+Acked-by: Andrew Davis
+Acked-by: Christian König
+Signed-off-by: Sumit Semwal
+Link: https://patchwork.freedesktop.org/patch/msgid/TYCP286MB2323873BBDF88020781FB986CA3B9@TYCP286MB2323.JPNP286.PROD.OUTLOOK.COM
+Signed-off-by: Sasha Levin
+---
+ drivers/dma-buf/dma-heap.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c
+index 8f5848aa144f..59d158873f4c 100644
+--- a/drivers/dma-buf/dma-heap.c
++++ b/drivers/dma-buf/dma-heap.c
+@@ -233,18 +233,6 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
+ return ERR_PTR(-EINVAL);
+ }
+
+- /* check the name is unique */
+- mutex_lock(&heap_list_lock);
+- list_for_each_entry(h, &heap_list, list) {
+- if (!strcmp(h->name, exp_info->name)) {
+- mutex_unlock(&heap_list_lock);
+- pr_err("dma_heap: Already registered heap named %s\n",
+- exp_info->name);
+- return ERR_PTR(-EINVAL);
+- }
+- }
+- mutex_unlock(&heap_list_lock);
+-
+ heap = kzalloc(sizeof(*heap), GFP_KERNEL);
+ if (!heap)
+ return ERR_PTR(-ENOMEM);
+@@ -283,13 +271,27 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
+ err_ret = ERR_CAST(dev_ret);
+ goto err2;
+ }
+- /* Add heap to the list */
++
+ mutex_lock(&heap_list_lock);
++ /* check the name is unique */
++ list_for_each_entry(h, &heap_list, list) {
++ if (!strcmp(h->name, exp_info->name)) {
++ mutex_unlock(&heap_list_lock);
++ pr_err("dma_heap: Already registered heap named %s\n",
++ exp_info->name);
++ err_ret = ERR_PTR(-EINVAL);
++ goto err3;
++ }
++ }
++
++ /* Add heap to the list */
+ list_add(&heap->list, &heap_list);
+ mutex_unlock(&heap_list_lock);
+
+ return heap;
+
++err3:
++ device_destroy(dma_heap_class, heap->heap_devt);
+ err2:
+ cdev_del(&heap->heap_cdev);
+ err1:
+--
+2.35.1
+
diff --git a/queue-6.0/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch b/queue-6.0/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch
new file mode 100644
index 00000000000..474182de1b2
--- /dev/null
+++ b/queue-6.0/drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch
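Review bot: With the uniqueness check moved below the device creation in dma_heap_add(), a registration that reuses an existing heap name now allocates the heap, adds the cdev and creates the device node before it is rejected, and only then unwinds through the new `err3: device_destroy(dma_heap_class, heap->heap_devt);` label. If the device node is named after the heap (that call is outside the hunk), a duplicate would probably fail at creation with a name collision first, so the `pr_err("dma_heap: Already registered heap named %s\n", ...)` branch may be hard to reach in practice; this is worth confirming. A less intrusive shape keeps the early check for a clean rejection and repeats it under `heap_list_lock` just before `list_add()`. Either way a comment above the locked loop, e.g. `/* re-check under the lock: another caller may have registered this name meanwhile */`, would record why the check sits after the device has been published.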
@@ -0,0 +1,53 @@
+From 740facdd0d2a17e9fa1d5f536aaf38f2468ba795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Nov 2022 16:11:34 +0800
+Subject: Drivers: hv: vmbus: fix double free in the error path of
+ vmbus_add_channel_work()
+
+From: Yang Yingliang
+
+[ Upstream commit f92a4b50f0bd7fd52391dc4bb9a309085d278f91 ]
+
+In the error path of vmbus_device_register(), device_unregister()
+is called, which calls vmbus_device_release(). The latter frees
+the struct hv_device that was passed in to vmbus_device_register().
+So remove the kfree() in vmbus_add_channel_work() to avoid a double
+free.
+
+Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info")
+Suggested-by: Michael Kelley
+Signed-off-by: Yang Yingliang
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20221119081135.1564691-2-yangyingliang@huawei.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/channel_mgmt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 5b120402d405..cc23b90cae02 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -533,13 +533,17 @@ static void vmbus_add_channel_work(struct work_struct *work)
+ * Add the new device to the bus. This will kick off device-driver
+ * binding which eventually invokes the device driver's AddDevice()
+ * method.
++ *
++ * If vmbus_device_register() fails, the 'device_obj' is freed in
++ * vmbus_device_release() as called by device_unregister() in the
++ * error path of vmbus_device_register(). In the outside error
++ * path, there's no need to free it.
+ */
+ ret = vmbus_device_register(newchannel->device_obj);
+
+ if (ret != 0) {
+ pr_err("unable to add child device object (relid %d)\n",
+ newchannel->offermsg.child_relid);
+- kfree(newchannel->device_obj);
+ goto err_deq_chan;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch b/queue-6.0/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch
new file mode 100644
index 00000000000..f4e2389f9f1
--- /dev/null
+++ b/queue-6.0/drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch
@@ -0,0 +1,41 @@
+From 4c847547bfa1ffe6cc7262cd4edc0de9636e0c42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Nov 2022 16:11:35 +0800
+Subject: Drivers: hv: vmbus: fix possible memory leak in
+ vmbus_device_register()
+
+From: Yang Yingliang
+
+[ Upstream commit 25c94b051592c010abe92c85b0485f1faedc83f3 ]
+
+If device_register() returns error in vmbus_device_register(),
+the name allocated by dev_set_name() must be freed. As comment
+of device_register() says, it should use put_device() to give
+up the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: 09d50ff8a233 ("Staging: hv: make the Hyper-V virtual bus code build")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20221119081135.1564691-3-yangyingliang@huawei.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/vmbus_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 3c833ea60db6..939ccf921e71 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -2083,6 +2083,7 @@ int vmbus_device_register(struct hv_device *child_device_obj)
+ ret = device_register(&child_device_obj->device);
+ if (ret) {
+ pr_err("Unable to register child device\n");
++ put_device(&child_device_obj->device);
+ return ret;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch b/queue-6.0/drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch
new file mode 100644
index 00000000000..7eff4a3e3fa
--- /dev/null
+++ b/queue-6.0/drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch 
@@ -0,0 +1,71 @@
+From a6bf6648d7e27728038a34b847b5aae58edf6bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Nov 2022 14:22:43 +0200
+Subject: drm/i915: Fix warn in intel_display_power_*_domain() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak
+
+[ Upstream commit ebbaa4392e36521fb893973d8a0fcb32f3b6d5eb ]
+
+The intel_display_power_*_domain() functions should always warn if a
+default domain is returned as a fallback, fix this up. Spotted by Ville.
+
+Fixes: 979e1b32e0e2 ("drm/i915: Sanitize the port -> DDI/AUX power domain mapping for each platform")
+Cc: Ville Syrjälä
+Cc: Jouni Högander
+Signed-off-by: Imre Deak
+Reviewed-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20221114122251.21327-2-imre.deak@intel.com
+(cherry picked from commit 10b85f0e1d922210ae857afed6d012ec32c4b6cb)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/display/intel_display_power.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_power.c b/drivers/gpu/drm/i915/display/intel_display_power.c
+index 589af257edeb..3bb113b42cfa 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_power.c
++++ b/drivers/gpu/drm/i915/display/intel_display_power.c
+@@ -2427,7 +2427,7 @@ intel_display_power_ddi_io_domain(struct drm_i915_private *i915, enum port port)
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_port(i915, port);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->ddi_io == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->ddi_io == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_PORT_DDI_IO_A;
+
+ return domains->ddi_io + (int)(port - domains->port_start);
+@@ -2438,7 +2438,7 @@ intel_display_power_ddi_lanes_domain(struct drm_i915_private *i915, enum port po
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_port(i915, port);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->ddi_lanes == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->ddi_lanes == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_PORT_DDI_LANES_A;
+
+ return domains->ddi_lanes + (int)(port - domains->port_start);
+@@ -2464,7 +2464,7 @@ intel_display_power_legacy_aux_domain(struct drm_i915_private *i915, enum aux_ch
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_aux_ch(i915, aux_ch);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->aux_legacy_usbc == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->aux_legacy_usbc == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_AUX_A;
+
+ return domains->aux_legacy_usbc + (int)(aux_ch - domains->aux_ch_start);
+@@ -2475,7 +2475,7 @@ intel_display_power_tbt_aux_domain(struct drm_i915_private *i915, enum aux_ch au
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_aux_ch(i915, aux_ch);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->aux_tbt == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->aux_tbt == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_AUX_TBT1;
+
+ return domains->aux_tbt + (int)(aux_ch - domains->aux_ch_start);
+--
+2.35.1
+
diff --git a/queue-6.0/fs-do-not-update-freeing-inode-i_io_list.patch b/queue-6.0/fs-do-not-update-freeing-inode-i_io_list.patch
new file mode 100644
index 00000000000..7e190ac6295
--- /dev/null
+++ b/queue-6.0/fs-do-not-update-freeing-inode-i_io_list.patch
@@ -0,0 +1,84 @@
+From f284857ad6013fb3bccf7bd5d78cfa4524ff5c35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 20:20:01 +0000
+Subject: fs: do not update freeing inode i_io_list
+
+From: Svyatoslav Feldsherov
+
+[ Upstream commit 4e3c51f4e805291b057d12f5dda5aeb50a538dc4 ]
+
+After commit cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode
+already has I_DIRTY_INODE") writeback_single_inode can push inode with
+I_DIRTY_TIME set to b_dirty_time list. In case of freeing inode with
+I_DIRTY_TIME set this can happen after deletion of inode from i_io_list
+at evict. Stack trace is following.
+
+evict
+fat_evict_inode
+fat_truncate_blocks
+fat_flush_inodes
+writeback_inode
+sync_inode_metadata(inode, sync=0)
+writeback_single_inode(inode, wbc) <- wbc->sync_mode == WB_SYNC_NONE
+
+This will lead to use after free in flusher thread.
+
+Similar issue can be triggered if writeback_single_inode in the
+stack trace update inode->i_io_list. Add explicit check to avoid it.
+
+Fixes: cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE")
+Reported-by: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara
+Signed-off-by: Svyatoslav Feldsherov
+Link: https://lore.kernel.org/r/20221115202001.324188-1-feldsherov@google.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/fs-writeback.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 443f83382b9b..9958d4020771 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -1712,18 +1712,26 @@ static int writeback_single_inode(struct inode *inode,
+ wb = inode_to_wb_and_lock_list(inode);
+ spin_lock(&inode->i_lock);
+ /*
+- * If the inode is now fully clean, then it can be safely removed from
+- * its writeback list (if any). Otherwise the flusher threads are
+- * responsible for the writeback lists.
++ * If the inode is freeing, its i_io_list shoudn't be updated
++ * as it can be finally deleted at this moment.
+ */
+- if (!(inode->i_state & I_DIRTY_ALL))
+- inode_cgwb_move_to_attached(inode, wb);
+- else if (!(inode->i_state & I_SYNC_QUEUED)) {
+- if ((inode->i_state & I_DIRTY))
+- redirty_tail_locked(inode, wb);
+- else if (inode->i_state & I_DIRTY_TIME) {
+- inode->dirtied_when = jiffies;
+- inode_io_list_move_locked(inode, wb, &wb->b_dirty_time);
++ if (!(inode->i_state & I_FREEING)) {
++ /*
++ * If the inode is now fully clean, then it can be safely
++ * removed from its writeback list (if any). Otherwise the
++ * flusher threads are responsible for the writeback lists.
++ */
++ if (!(inode->i_state & I_DIRTY_ALL))
++ inode_cgwb_move_to_attached(inode, wb);
++ else if (!(inode->i_state & I_SYNC_QUEUED)) {
++ if ((inode->i_state & I_DIRTY))
++ redirty_tail_locked(inode, wb);
++ else if (inode->i_state & I_DIRTY_TIME) {
++ inode->dirtied_when = jiffies;
++ inode_io_list_move_locked(inode,
++ wb,
++ &wb->b_dirty_time);
++ }
+ }
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/fscache-fix-oob-read-in-__fscache_acquire_volume.patch b/queue-6.0/fscache-fix-oob-read-in-__fscache_acquire_volume.patch
new file mode 100644
index 00000000000..2bdda7d8bbc
--- /dev/null
+++ b/queue-6.0/fscache-fix-oob-read-in-__fscache_acquire_volume.patch
@@ -0,0 +1,103 @@ +From e24b59516a20045f6bf991329dba0e1fb19acac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 16:31:34 +0000 +Subject: fscache: fix OOB Read in __fscache_acquire_volume + +From: David Howells + +[ Upstream commit 9f0933ac026f7e54fe096797af9de20724e79097 ] + +The type of a->key[0] is char in fscache_volume_same(). If the length +of cache volume key is greater than 127, the value of a->key[0] is less +than 0. In this case, klen becomes much larger than 255 after type +conversion, because the type of klen is size_t. As a result, memcmp() +is read out of bounds. + +This causes a slab-out-of-bounds Read in __fscache_acquire_volume(), as +reported by Syzbot. + +Fix this by changing the type of the stored key to "u8 *" rather than +"char *" (it isn't a simple string anyway). Also put in a check that +the volume name doesn't exceed NAME_MAX. + + BUG: KASAN: slab-out-of-bounds in memcmp+0x16f/0x1c0 lib/string.c:757 + Read of size 8 at addr ffff888016f3aa90 by task syz-executor344/3613 + Call Trace: + memcmp+0x16f/0x1c0 lib/string.c:757 + memcmp include/linux/fortify-string.h:420 [inline] + fscache_volume_same fs/fscache/volume.c:133 [inline] + fscache_hash_volume fs/fscache/volume.c:171 [inline] + __fscache_acquire_volume+0x76c/0x1080 fs/fscache/volume.c:328 + fscache_acquire_volume include/linux/fscache.h:204 [inline] + v9fs_cache_session_get_cookie+0x143/0x240 fs/9p/cache.c:34 + v9fs_session_init+0x1166/0x1810 fs/9p/v9fs.c:473 + v9fs_mount+0xba/0xc90 fs/9p/vfs_super.c:126 + legacy_get_tree+0x105/0x220 fs/fs_context.c:610 + vfs_get_tree+0x89/0x2f0 fs/super.c:1530 + do_new_mount fs/namespace.c:3040 [inline] + path_mount+0x1326/0x1e20 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 + +Fixes: 62ab63352350 ("fscache: Implement volume registration") +Reported-by: 
syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com +Signed-off-by: David Howells +Reviewed-by: Zhang Peng +Reviewed-by: Jingbo Xu +cc: Dominique Martinet +cc: Jeff Layton +cc: v9fs-developer@lists.sourceforge.net +cc: linux-cachefs@redhat.com +Link: https://lore.kernel.org/r/Y3OH+Dmi0QIOK18n@codewreck.org/ # Zhang Peng's v1 fix +Link: https://lore.kernel.org/r/20221115140447.2971680-1-zhangpeng362@huawei.com/ # Zhang Peng's v2 fix +Link: https://lore.kernel.org/r/166869954095.3793579.8500020902371015443.stgit@warthog.procyon.org.uk/ # v1 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/fscache/volume.c | 7 +++++-- + include/linux/fscache.h | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/fscache/volume.c b/fs/fscache/volume.c +index a058e0136bfe..ab8ceddf9efa 100644 +--- a/fs/fscache/volume.c ++++ b/fs/fscache/volume.c +@@ -203,7 +203,11 @@ static struct fscache_volume *fscache_alloc_volume(const char *volume_key, + struct fscache_volume *volume; + struct fscache_cache *cache; + size_t klen, hlen; +- char *key; ++ u8 *key; ++ ++ klen = strlen(volume_key); ++ if (klen > NAME_MAX) ++ return NULL; + + if (!coherency_data) + coherency_len = 0; +@@ -229,7 +233,6 @@ static struct fscache_volume *fscache_alloc_volume(const char *volume_key, + /* Stick the length on the front of the key and pad it out to make + * hashing easier. + */ +- klen = strlen(volume_key); + hlen = round_up(1 + klen + 1, sizeof(__le32)); + key = kzalloc(hlen, GFP_KERNEL); + if (!key) +diff --git a/include/linux/fscache.h b/include/linux/fscache.h +index 36e5dd84cf59..8e312c8323a8 100644 +--- a/include/linux/fscache.h ++++ b/include/linux/fscache.h +@@ -75,7 +75,7 @@ struct fscache_volume { + atomic_t n_accesses; /* Number of cache accesses in progress */ + unsigned int debug_id; + unsigned int key_hash; /* Hash of key string */ +- char *key; /* Volume ID, eg. "afs@example.com@1234" */ ++ u8 *key; /* Volume ID, eg. 
"afs@example.com@1234" */ + struct list_head proc_link; /* Link in /proc/fs/fscache/volumes */ + struct hlist_bl_node hash_link; /* Link in hash table */ + struct work_struct work; +-- +2.35.1 + diff --git a/queue-6.0/iavf-do-not-restart-tx-queues-after-reset-task-failu.patch b/queue-6.0/iavf-do-not-restart-tx-queues-after-reset-task-failu.patch new file mode 100644 index 00000000000..f411298e68c --- /dev/null +++ b/queue-6.0/iavf-do-not-restart-tx-queues-after-reset-task-failu.patch 
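Review bot: The added `if (klen > NAME_MAX) return NULL;` in fscache_alloc_volume() gives an over-long volume key the same NULL result as the `kzalloc()` failure further down, so a caller cannot tell a rejected name from memory pressure; how the caller maps NULL to an errno is not visible in this hunk. A comment at the check would at least record why the limit exists, for example `/* the length is stored in the single byte key[0], so klen must fit in a u8 */`. The field comment in include/linux/fscache.h still describes `key` as the bare volume ID string, while the code comment in this hunk says the length is put on the front and the key is padded; something like `/* Length byte, volume ID, zero padding */` would match the new `u8 *` type. The function body continues outside both hunks.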
@@ -0,0 +1,149 @@ +From 312f06f7bbb3db3bbed2ecd83d3951c35377af6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 11:25:02 +0100 +Subject: iavf: Do not restart Tx queues after reset task failure + +From: Ivan Vecera + +[ Upstream commit 08f1c147b7265245d67321585c68a27e990e0c4b ] + +After commit aa626da947e9 ("iavf: Detach device during reset task") +the device is detached during reset task and re-attached at its end. +The problem occurs when reset task fails because Tx queues are +restarted during device re-attach and this leads later to a crash. + +To resolve this issue properly close the net device in cause of +failure in reset task to avoid restarting of tx queues at the end. +Also replace the hacky manipulation with IFF_UP flag by device close +that clears properly both IFF_UP and __LINK_STATE_START flags. +In these case iavf_close() does not do anything because the adapter +state is already __IAVF_DOWN. + +Reproducer: +1) Run some Tx traffic (e.g. iperf3) over iavf interface +2) Set VF trusted / untrusted in loop + +[root@host ~]# cat repro.sh + +PF=enp65s0f0 +IF=${PF}v0 + +ip link set up $IF +ip addr add 192.168.0.2/24 dev $IF +sleep 1 + +iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null & +sleep 2 + +while :; do + ip link set $PF vf 0 trust on + ip link set $PF vf 0 trust off +done +[root@host ~]# ./repro.sh + +Result: +[ 2006.650969] iavf 0000:41:01.0: Failed to init adminq: -53 +[ 2006.675662] ice 0000:41:00.0: VF 0 is now trusted +[ 2006.689997] iavf 0000:41:01.0: Reset task did not complete, VF disabled +[ 2006.696611] iavf 0000:41:01.0: failed to allocate resources during reinit +[ 2006.703209] ice 0000:41:00.0: VF 0 is now untrusted +[ 2006.737011] ice 0000:41:00.0: VF 0 is now trusted +[ 2006.764536] ice 0000:41:00.0: VF 0 is now untrusted +[ 2006.768919] BUG: kernel NULL pointer dereference, address: 0000000000000b4a +[ 2006.776358] #PF: supervisor read access in kernel mode +[ 2006.781488] #PF: error_code(0x0000) - not-present page 
+[ 2006.786620] PGD 0 P4D 0 +[ 2006.789152] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 2006.792903] ice 0000:41:00.0: VF 0 is now trusted +[ 2006.793501] CPU: 4 PID: 0 Comm: swapper/4 Kdump: loaded Not tainted 6.1.0-rc3+ #2 +[ 2006.805668] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022 +[ 2006.815915] RIP: 0010:iavf_xmit_frame_ring+0x96/0xf70 [iavf] +[ 2006.821028] ice 0000:41:00.0: VF 0 is now untrusted +[ 2006.821572] Code: 48 83 c1 04 48 c1 e1 04 48 01 f9 48 83 c0 10 6b 50 f8 55 c1 ea 14 45 8d 64 14 01 48 39 c8 75 eb 41 83 fc 07 0f 8f e9 08 00 00 <0f> b7 45 4a 0f b7 55 48 41 8d 74 24 05 31 c9 66 39 d0 0f 86 da 00 +[ 2006.845181] RSP: 0018:ffffb253004bc9e8 EFLAGS: 00010293 +[ 2006.850397] RAX: ffff9d154de45b00 RBX: ffff9d15497d52e8 RCX: ffff9d154de45b00 +[ 2006.856327] ice 0000:41:00.0: VF 0 is now trusted +[ 2006.857523] RDX: 0000000000000000 RSI: 00000000000005a8 RDI: ffff9d154de45ac0 +[ 2006.857525] RBP: 0000000000000b00 R08: ffff9d159cb010ac R09: 0000000000000001 +[ 2006.857526] R10: ffff9d154de45940 R11: 0000000000000000 R12: 0000000000000002 +[ 2006.883600] R13: ffff9d1770838dc0 R14: 0000000000000000 R15: ffffffffc07b8380 +[ 2006.885840] ice 0000:41:00.0: VF 0 is now untrusted +[ 2006.890725] FS: 0000000000000000(0000) GS:ffff9d248e900000(0000) knlGS:0000000000000000 +[ 2006.890727] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2006.909419] CR2: 0000000000000b4a CR3: 0000000c39c10002 CR4: 0000000000770ee0 +[ 2006.916543] PKRU: 55555554 +[ 2006.918254] ice 0000:41:00.0: VF 0 is now trusted +[ 2006.919248] Call Trace: +[ 2006.919250] +[ 2006.919252] dev_hard_start_xmit+0x9e/0x1f0 +[ 2006.932587] sch_direct_xmit+0xa0/0x370 +[ 2006.936424] __dev_queue_xmit+0x7af/0xd00 +[ 2006.940429] ip_finish_output2+0x26c/0x540 +[ 2006.944519] ip_output+0x71/0x110 +[ 2006.947831] ? 
__ip_finish_output+0x2b0/0x2b0 +[ 2006.952180] __ip_queue_xmit+0x16d/0x400 +[ 2006.952721] ice 0000:41:00.0: VF 0 is now untrusted +[ 2006.956098] __tcp_transmit_skb+0xa96/0xbf0 +[ 2006.965148] __tcp_retransmit_skb+0x174/0x860 +[ 2006.969499] ? cubictcp_cwnd_event+0x40/0x40 +[ 2006.973769] tcp_retransmit_skb+0x14/0xb0 +... + +Fixes: aa626da947e9 ("iavf: Detach device during reset task") +Cc: Jacob Keller +Cc: Patryk Piotrowski +Cc: SlawomirX Laba +Signed-off-by: Ivan Vecera +Reviewed-by: Jacob Keller +Reviewed-by: Leon Romanovsky +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 7d349ca708c7..f59b725785eb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2921,7 +2921,6 @@ static void iavf_disable_vf(struct iavf_adapter *adapter) + iavf_free_queues(adapter); + memset(adapter->vf_res, 0, IAVF_VIRTCHNL_VF_RESOURCE_SIZE); + iavf_shutdown_adminq(&adapter->hw); +- adapter->netdev->flags &= ~IFF_UP; + adapter->flags &= ~IAVF_FLAG_RESET_PENDING; + iavf_change_state(adapter, __IAVF_DOWN); + wake_up(&adapter->down_waitqueue); +@@ -3021,6 +3020,11 @@ static void iavf_reset_task(struct work_struct *work) + iavf_disable_vf(adapter); + mutex_unlock(&adapter->client_lock); + mutex_unlock(&adapter->crit_lock); ++ if (netif_running(netdev)) { ++ rtnl_lock(); ++ dev_close(netdev); ++ rtnl_unlock(); ++ } + return; /* Do not attempt to reinit. It's dead, Jim. 
*/ + } + +@@ -3173,6 +3177,16 @@ static void iavf_reset_task(struct work_struct *work) + + mutex_unlock(&adapter->client_lock); + mutex_unlock(&adapter->crit_lock); ++ ++ if (netif_running(netdev)) { ++ /* Close device to ensure that Tx queues will not be started ++ * during netif_device_attach() at the end of the reset task. ++ */ ++ rtnl_lock(); ++ dev_close(netdev); ++ rtnl_unlock(); ++ } ++ + dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n"); + reset_finish: + rtnl_lock(); +-- +2.35.1 + diff --git a/queue-6.0/iavf-fix-a-crash-during-reset-task.patch b/queue-6.0/iavf-fix-a-crash-during-reset-task.patch new file mode 100644 index 00000000000..6b0c8e79e2b --- /dev/null +++ b/queue-6.0/iavf-fix-a-crash-during-reset-task.patch 
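Review bot: Both added blocks in iavf_reset_task() test `netif_running(netdev)` before `rtnl_lock()` is taken and after `crit_lock` has been dropped, so the running state can change between the test and `dev_close()`. That is probably harmless if dev_close() is a no-op on a device that is already down (not visible here), but taking the lock first, `rtnl_lock(); if (netif_running(netdev)) dev_close(netdev); rtnl_unlock();`, removes the question. The first block (after `iavf_disable_vf()`) also lacks the explanatory comment that the second one carries, and the two are otherwise identical, so a small static helper holding that comment would keep them in sync. In the second hunk the `rtnl_unlock()` is followed almost immediately by the `rtnl_lock()` at `reset_finish:`; whether the two sections can be merged depends on the other jumps to that label, which are outside the hunk.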
@@ -0,0 +1,95 @@ +From 797a613c9c2fccc2fa4fe6ea4038cabd1f01ba34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 10:35:34 +0100 +Subject: iavf: Fix a crash during reset task + +From: Ivan Vecera + +[ Upstream commit c678669d6b13b77de3b99b97526aaf23c3088d0a ] + +Recent commit aa626da947e9 ("iavf: Detach device during reset task") +removed netif_tx_stop_all_queues() with an assumption that Tx queues +are already stopped by netif_device_detach() in the beginning of +reset task. This assumption is incorrect because during reset +task a potential link event can start Tx queues again. +Revert this change to fix this issue. + +Reproducer: +1. Run some Tx traffic (e.g. iperf3) over iavf interface +2. Switch MTU of this interface in a loop + +[root@host ~]# cat repro.sh + +IF=enp2s0f0v0 + +iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null & +sleep 2 + +while :; do + for i in 1280 1500 2000 900 ; do + ip link set $IF mtu $i + sleep 2 + done +done +[root@host ~]# ./repro.sh + +Result: +[ 306.199917] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex +[ 308.205944] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex +[ 310.103223] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 310.110179] #PF: supervisor write access in kernel mode +[ 310.115396] #PF: error_code(0x0002) - not-present page +[ 310.120526] PGD 0 P4D 0 +[ 310.123057] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ 310.127408] CPU: 24 PID: 183 Comm: kworker/u64:9 Kdump: loaded Not tainted 6.1.0-rc3+ #2 +[ 310.135485] Hardware name: Abacus electric, s.r.o. 
- servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022 +[ 310.145728] Workqueue: iavf iavf_reset_task [iavf] +[ 310.150520] RIP: 0010:iavf_xmit_frame_ring+0xd1/0xf70 [iavf] +[ 310.156180] Code: d0 0f 86 da 00 00 00 83 e8 01 0f b7 fa 29 f8 01 c8 39 c6 0f 8f a0 08 00 00 48 8b 45 20 48 8d 14 92 bf 01 00 00 00 4c 8d 3c d0 <49> 89 5f 08 8b 43 70 66 41 89 7f 14 41 89 47 10 f6 83 82 00 00 00 +[ 310.174918] RSP: 0018:ffffbb5f0082caa0 EFLAGS: 00010293 +[ 310.180137] RAX: 0000000000000000 RBX: ffff92345471a6e8 RCX: 0000000000000200 +[ 310.187259] RDX: 0000000000000000 RSI: 000000000000000d RDI: 0000000000000001 +[ 310.194385] RBP: ffff92341d249000 R08: ffff92434987fcac R09: 0000000000000001 +[ 310.201509] R10: 0000000011f683b9 R11: 0000000011f50641 R12: 0000000000000008 +[ 310.208631] R13: ffff923447500000 R14: 0000000000000000 R15: 0000000000000000 +[ 310.215756] FS: 0000000000000000(0000) GS:ffff92434ee00000(0000) knlGS:0000000000000000 +[ 310.223835] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 310.229572] CR2: 0000000000000008 CR3: 0000000fbc210004 CR4: 0000000000770ee0 +[ 310.236696] PKRU: 55555554 +[ 310.239399] Call Trace: +[ 310.241844] +[ 310.243855] ? dst_alloc+0x5b/0xb0 +[ 310.247260] dev_hard_start_xmit+0x9e/0x1f0 +[ 310.251439] sch_direct_xmit+0xa0/0x370 +[ 310.255276] __qdisc_run+0x13e/0x580 +[ 310.258848] __dev_queue_xmit+0x431/0xd00 +[ 310.262851] ? 
selinux_ip_postroute+0x147/0x3f0 +[ 310.267377] ip_finish_output2+0x26c/0x540 + +Fixes: aa626da947e9 ("iavf: Detach device during reset task") +Cc: Jacob Keller +Cc: Patryk Piotrowski +Cc: SlawomirX Laba +Signed-off-by: Ivan Vecera +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 79fef8c59d65..7d349ca708c7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3033,6 +3033,7 @@ static void iavf_reset_task(struct work_struct *work) + + if (running) { + netif_carrier_off(netdev); ++ netif_tx_stop_all_queues(netdev); + adapter->link_up = false; + iavf_napi_disable_all(adapter); + } +-- +2.35.1 + diff --git a/queue-6.0/iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch b/queue-6.0/iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch new file mode 100644 index 00000000000..aa3118964a1 --- /dev/null +++ b/queue-6.0/iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch 
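Review bot: The restored `netif_tx_stop_all_queues(netdev);` in iavf_reset_task() looks redundant next to the netif_device_detach() at the start of the task unless the reader knows the commit message, which is how it came to be removed in the first place. A short comment on the line would prevent a repeat, for example `/* a link event during reset can restart the Tx queues after netif_device_detach() */`. The rest of the function is outside the hunk.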
@@ -0,0 +1,66 @@
+From 8a19ad3112a35ca9e97dec46f369ba85eaf8fbfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 14:00:03 +0100
+Subject: iavf: Fix race condition between iavf_shutdown and iavf_remove
+
+From: Slawomir Laba
+
+[ Upstream commit a8417330f8a57275ed934293e832982b6d882713 ]
+
+Fix a deadlock introduced by commit
+974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+due to race condition between iavf_shutdown and iavf_remove, where
+iavf_remove stucks forever in while loop since iavf_shutdown already
+set __IAVF_REMOVE adapter state.
+
+Fix this by checking if the __IAVF_IN_REMOVE_TASK has already been
+set and return if so.
+
+Fixes: 974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+Signed-off-by: Slawomir Laba
+Signed-off-by: Mateusz Palczewski
+Tested-by: Marek Szlosek
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 005bb8378c76..cff03723f4f9 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -5042,23 +5042,21 @@ static int __maybe_unused iavf_resume(struct device *dev_d)
+ static void iavf_remove(struct pci_dev *pdev)
+ {
+ struct iavf_adapter *adapter = iavf_pdev_to_adapter(pdev);
+- struct net_device *netdev = adapter->netdev;
+ struct iavf_fdir_fltr *fdir, *fdirtmp;
+ struct iavf_vlan_filter *vlf, *vlftmp;
++ struct iavf_cloud_filter *cf, *cftmp;
+ struct iavf_adv_rss *rss, *rsstmp;
+ struct iavf_mac_filter *f, *ftmp;
+- struct iavf_cloud_filter *cf, *cftmp;
+- struct iavf_hw *hw = &adapter->hw;
++ struct net_device *netdev;
++ struct iavf_hw *hw;
+ int err;
+
+- /* When reboot/shutdown is in progress no need to do anything
+- * as the adapter is already REMOVE state that was set during
+- * iavf_shutdown() callback.
+- */
+- if (adapter->state == __IAVF_REMOVE)
++ netdev = adapter->netdev;
++ hw = &adapter->hw;
++
++ if (test_and_set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))
+ return;
+
+- set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section);
+ /* Wait until port initialization is complete.
+ * There are flows where register/unregister netdev may race.
+ */
+--
+2.35.1
+
diff --git a/queue-6.0/iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch b/queue-6.0/iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch
new file mode 100644
index 00000000000..ecd195062ed
--- /dev/null
+++ b/queue-6.0/iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch
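Review bot: The early return after `test_and_set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)` in iavf_remove() has lost the comment that explained the old `__IAVF_REMOVE` check, and nothing in the hunk shows which other path sets the bit. The commit message points to iavf_shutdown(), so a comment such as `/* Another remove or shutdown path already owns the teardown. */` would document the contract, once confirmed against the shutdown code, which is outside the hunk. Moving the `netdev` and `hw` assignments out of the declarations is unrelated to the fix and makes the backport diff larger than it needs to be. The function body continues past the end of the hunk.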
@@ -0,0 +1,82 @@ +From d6d6113ac5026ef0b61aeb6adf51eed27a3a3974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 15:14:44 +0100 +Subject: iavf: remove INITIAL_MAC_SET to allow gARP to work properly + +From: Stefan Assmann + +[ Upstream commit bb861c14f1b8cb9cbf03a132db7f22ec4e692b91 ] + +IAVF_FLAG_INITIAL_MAC_SET prevents waiting on iavf_is_mac_set_handled() +the first time the MAC is set. This breaks gratuitous ARP because the +MAC address has not been updated yet when the gARP packet is sent out. + +Current behaviour: +$ echo 1 > /sys/class/net/ens4f0/device/sriov_numvfs +iavf 0000:88:02.0: MAC address: ee:04:19:14:ec:ea +$ ip addr add 192.168.1.1/24 dev ens4f0v0 +$ ip link set dev ens4f0v0 up +$ echo 1 > /proc/sys/net/ipv4/conf/ens4f0v0/arp_notify +$ ip link set ens4f0v0 addr 00:11:22:33:44:55 +07:23:41.676611 ee:04:19:14:ec:ea > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.1, length 28 + +With IAVF_FLAG_INITIAL_MAC_SET removed: +$ echo 1 > /sys/class/net/ens4f0/device/sriov_numvfs +iavf 0000:88:02.0: MAC address: 3e:8a:16:a2:37:6d +$ ip addr add 192.168.1.1/24 dev ens4f0v0 +$ ip link set dev ens4f0v0 up +$ echo 1 > /proc/sys/net/ipv4/conf/ens4f0v0/arp_notify +$ ip link set ens4f0v0 addr 00:11:22:33:44:55 +07:28:01.836608 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.1, length 28 + +Fixes: 35a2443d0910 ("iavf: Add waiting for response from PF in set mac") +Signed-off-by: Stefan Assmann +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 1 - + drivers/net/ethernet/intel/iavf/iavf_main.c | 8 -------- + 2 files changed, 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 3f6187c16424..0d1bab4ac1b0 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ 
b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -298,7 +298,6 @@ struct iavf_adapter { + #define IAVF_FLAG_QUEUES_DISABLED BIT(17) + #define IAVF_FLAG_SETUP_NETDEV_FEATURES BIT(18) + #define IAVF_FLAG_REINIT_MSIX_NEEDED BIT(20) +-#define IAVF_FLAG_INITIAL_MAC_SET BIT(23) + /* duplicates for common code */ + #define IAVF_FLAG_DCB_ENABLED 0 + /* flags for admin queue service task */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index f59b725785eb..005bb8378c76 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1087,12 +1087,6 @@ static int iavf_set_mac(struct net_device *netdev, void *p) + if (ret) + return ret; + +- /* If this is an initial set MAC during VF spawn do not wait */ +- if (adapter->flags & IAVF_FLAG_INITIAL_MAC_SET) { +- adapter->flags &= ~IAVF_FLAG_INITIAL_MAC_SET; +- return 0; +- } +- + ret = wait_event_interruptible_timeout(adapter->vc_waitqueue, + iavf_is_mac_set_handled(netdev, addr->sa_data), + msecs_to_jiffies(2500)); +@@ -2605,8 +2599,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + ether_addr_copy(netdev->perm_addr, adapter->hw.mac.addr); + } + +- adapter->flags |= IAVF_FLAG_INITIAL_MAC_SET; +- + adapter->tx_desc_count = IAVF_DEFAULT_TXD; + adapter->rx_desc_count = IAVF_DEFAULT_RXD; + err = iavf_init_interrupt_scheme(adapter); +-- +2.35.1 + diff --git a/queue-6.0/io_uring-filetable-fix-file-reference-underflow.patch b/queue-6.0/io_uring-filetable-fix-file-reference-underflow.patch new file mode 100644 index 00000000000..2d9514d5440 --- /dev/null +++ b/queue-6.0/io_uring-filetable-fix-file-reference-underflow.patch 
@@ -0,0 +1,182 @@ +From 364af0a9ec465b2fc19c1548347387e6fc1b433a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 02:40:15 +0800 +Subject: io_uring/filetable: fix file reference underflow + +From: Lin Ma + +[ Upstream commit 9d94c04c0db024922e886c9fd429659f22f48ea4 ] + +There is an interesting reference bug when -ENOMEM occurs in calling of +io_install_fixed_file(). KASan report like below: + +[ 14.057131] ================================================================== +[ 14.059161] BUG: KASAN: use-after-free in unix_get_socket+0x10/0x90 +[ 14.060975] Read of size 8 at addr ffff88800b09cf20 by task kworker/u8:2/45 +[ 14.062684] +[ 14.062768] CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted 6.1.0-rc4 #1 +[ 14.063099] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 14.063666] Workqueue: events_unbound io_ring_exit_work +[ 14.063936] Call Trace: +[ 14.064065] +[ 14.064175] dump_stack_lvl+0x34/0x48 +[ 14.064360] print_report+0x172/0x475 +[ 14.064547] ? _raw_spin_lock_irq+0x83/0xe0 +[ 14.064758] ? __virt_addr_valid+0xef/0x170 +[ 14.064975] ? unix_get_socket+0x10/0x90 +[ 14.065167] kasan_report+0xad/0x130 +[ 14.065353] ? unix_get_socket+0x10/0x90 +[ 14.065553] unix_get_socket+0x10/0x90 +[ 14.065744] __io_sqe_files_unregister+0x87/0x1e0 +[ 14.065989] ? io_rsrc_refs_drop+0x1c/0xd0 +[ 14.066199] io_ring_exit_work+0x388/0x6a5 +[ 14.066410] ? io_uring_try_cancel_requests+0x5bf/0x5bf +[ 14.066674] ? try_to_wake_up+0xdb/0x910 +[ 14.066873] ? virt_to_head_page+0xbe/0xbe +[ 14.067080] ? __schedule+0x574/0xd20 +[ 14.067273] ? read_word_at_a_time+0xe/0x20 +[ 14.067492] ? strscpy+0xb5/0x190 +[ 14.067665] process_one_work+0x423/0x710 +[ 14.067879] worker_thread+0x2a2/0x6f0 +[ 14.068073] ? process_one_work+0x710/0x710 +[ 14.068284] kthread+0x163/0x1a0 +[ 14.068454] ? 
kthread_complete_and_exit+0x20/0x20 +[ 14.068697] ret_from_fork+0x22/0x30 +[ 14.068886] +[ 14.069000] +[ 14.069088] Allocated by task 289: +[ 14.069269] kasan_save_stack+0x1e/0x40 +[ 14.069463] kasan_set_track+0x21/0x30 +[ 14.069652] __kasan_slab_alloc+0x58/0x70 +[ 14.069899] kmem_cache_alloc+0xc5/0x200 +[ 14.070100] __alloc_file+0x20/0x160 +[ 14.070283] alloc_empty_file+0x3b/0xc0 +[ 14.070479] path_openat+0xc3/0x1770 +[ 14.070689] do_filp_open+0x150/0x270 +[ 14.070888] do_sys_openat2+0x113/0x270 +[ 14.071081] __x64_sys_openat+0xc8/0x140 +[ 14.071283] do_syscall_64+0x3b/0x90 +[ 14.071466] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 14.071791] +[ 14.071874] Freed by task 0: +[ 14.072027] kasan_save_stack+0x1e/0x40 +[ 14.072224] kasan_set_track+0x21/0x30 +[ 14.072415] kasan_save_free_info+0x2a/0x50 +[ 14.072627] __kasan_slab_free+0x106/0x190 +[ 14.072858] kmem_cache_free+0x98/0x340 +[ 14.073075] rcu_core+0x427/0xe50 +[ 14.073249] __do_softirq+0x110/0x3cd +[ 14.073440] +[ 14.073523] Last potentially related work creation: +[ 14.073801] kasan_save_stack+0x1e/0x40 +[ 14.074017] __kasan_record_aux_stack+0x97/0xb0 +[ 14.074264] call_rcu+0x41/0x550 +[ 14.074436] task_work_run+0xf4/0x170 +[ 14.074619] exit_to_user_mode_prepare+0x113/0x120 +[ 14.074858] syscall_exit_to_user_mode+0x1d/0x40 +[ 14.075092] do_syscall_64+0x48/0x90 +[ 14.075272] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 14.075529] +[ 14.075612] Second to last potentially related work creation: +[ 14.075900] kasan_save_stack+0x1e/0x40 +[ 14.076098] __kasan_record_aux_stack+0x97/0xb0 +[ 14.076325] task_work_add+0x72/0x1b0 +[ 14.076512] fput+0x65/0xc0 +[ 14.076657] filp_close+0x8e/0xa0 +[ 14.076825] __x64_sys_close+0x15/0x50 +[ 14.077019] do_syscall_64+0x3b/0x90 +[ 14.077199] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 14.077448] +[ 14.077530] The buggy address belongs to the object at ffff88800b09cf00 +[ 14.077530] which belongs to the cache filp of size 232 +[ 14.078105] The buggy address is located 32 bytes 
inside of +[ 14.078105] 232-byte region [ffff88800b09cf00, ffff88800b09cfe8) +[ 14.078685] +[ 14.078771] The buggy address belongs to the physical page: +[ 14.079046] page:000000001bd520e7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800b09de00 pfn:0xb09c +[ 14.079575] head:000000001bd520e7 order:1 compound_mapcount:0 compound_pincount:0 +[ 14.079946] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 14.080244] raw: 0100000000010200 0000000000000000 dead000000000001 ffff88800493cc80 +[ 14.080629] raw: ffff88800b09de00 0000000080190018 00000001ffffffff 0000000000000000 +[ 14.081016] page dumped because: kasan: bad access detected +[ 14.081293] +[ 14.081376] Memory state around the buggy address: +[ 14.081618] ffff88800b09ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 14.081974] ffff88800b09ce80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc +[ 14.082336] >ffff88800b09cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 14.082690] ^ +[ 14.082909] ffff88800b09cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc +[ 14.083266] ffff88800b09d000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb +[ 14.083622] ================================================================== + +The actual tracing of this bug is shown below: + +commit 8c71fe750215 ("io_uring: ensure fput() called correspondingly +when direct install fails") adds an additional fput() in +io_fixed_fd_install() when io_file_bitmap_get() returns error values. In +that case, the routine will never make it to io_install_fixed_file() due +to an early return. + +static int io_fixed_fd_install(...) +{ + if (alloc_slot) { + ... + ret = io_file_bitmap_get(ctx); + if (unlikely(ret < 0)) { + io_ring_submit_unlock(ctx, issue_flags); + fput(file); + return ret; + } + ... + } + ... + ret = io_install_fixed_file(req, file, issue_flags, file_slot); + ... 
+} + +In the above scenario, the reference is okay as io_fixed_fd_install() +ensures the fput() is called when something bad happens, either via +bitmap or via inner io_install_fixed_file(). + +However, the commit 61c1b44a21d7 ("io_uring: fix deadlock on iowq file +slot alloc") breaks the balance because it places fput() into the common +path for both io_file_bitmap_get() and io_install_fixed_file(). Since +io_install_fixed_file() handles the fput() itself, the reference +underflow come across then. + +There are some extra commits make the current code into +io_fixed_fd_install() -> __io_fixed_fd_install() -> +io_install_fixed_file() + +However, the fact that there is an extra fput() is called if +io_install_fixed_file() calls fput(). Traversing through the code, I +find that the existing two callers to __io_fixed_fd_install(): +io_fixed_fd_install() and io_msg_send_fd() have fput() when handling +error return, this patch simply removes the fput() in +io_install_fixed_file() to fix the bug. + +Fixes: 61c1b44a21d7 ("io_uring: fix deadlock on iowq file slot alloc") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/be4ba4b.5d44.184a0a406a4.Coremail.linma@zju.edu.cn +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/filetable.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/io_uring/filetable.c b/io_uring/filetable.c +index 7b473259f3f4..68dfc6936aa7 100644 +--- a/io_uring/filetable.c ++++ b/io_uring/filetable.c +@@ -101,8 +101,6 @@ static int io_install_fixed_file(struct io_ring_ctx *ctx, struct file *file, + err: + if (needs_switch) + io_rsrc_node_switch(ctx, ctx->file_data); +- if (ret) +- fput(file); + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/io_uring-poll-fix-poll_refs-race-with-cancelation.patch b/queue-6.0/io_uring-poll-fix-poll_refs-race-with-cancelation.patch new file mode 100644 index 00000000000..958c0f5aea1 --- /dev/null +++ b/queue-6.0/io_uring-poll-fix-poll_refs-race-with-cancelation.patch 
@@ -0,0 +1,154 @@ +From f49bdcc706dcb8cf28d503fe99c12554abc58cc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 07:15:54 -0700 +Subject: io_uring/poll: fix poll_refs race with cancelation + +From: Lin Ma + +[ Upstream commit 12ad3d2d6c5b0131a6052de91360849e3e154846 ] + +There is an interesting race condition of poll_refs which could result +in a NULL pointer dereference. The crash trace is like: + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 0 PID: 30781 Comm: syz-executor.2 Not tainted 6.0.0-g493ffd6605b2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:io_poll_remove_entry io_uring/poll.c:154 [inline] +RIP: 0010:io_poll_remove_entries+0x171/0x5b4 io_uring/poll.c:190 +Code: ... +RSP: 0018:ffff88810dfefba0 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000040000 +RDX: ffffc900030c4000 RSI: 000000000003ffff RDI: 0000000000040000 +RBP: 0000000000000008 R08: ffffffff9764d3dd R09: fffffbfff3836781 +R10: fffffbfff3836781 R11: 0000000000000000 R12: 1ffff11003422d60 +R13: ffff88801a116b04 R14: ffff88801a116ac0 R15: dffffc0000000000 +FS: 00007f9c07497700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffb5c00ea98 CR3: 0000000105680005 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + io_apoll_task_func+0x3f/0xa0 io_uring/poll.c:299 + handle_tw_list io_uring/io_uring.c:1037 [inline] + tctx_task_work+0x37e/0x4f0 io_uring/io_uring.c:1090 + task_work_run+0x13a/0x1b0 kernel/task_work.c:177 + get_signal+0x2402/0x25a0 kernel/signal.c:2635 + arch_do_signal_or_restart+0x3b/0x660 arch/x86/kernel/signal.c:869 + exit_to_user_mode_loop kernel/entry/common.c:166 [inline] + exit_to_user_mode_prepare+0xc2/0x160 kernel/entry/common.c:201 + 
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] + syscall_exit_to_user_mode+0x58/0x160 kernel/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The root cause for this is a tiny overlooking in +io_poll_check_events() when cocurrently run with poll cancel routine +io_poll_cancel_req(). + +The interleaving to trigger use-after-free: + +CPU0 | CPU1 + | +io_apoll_task_func() | io_poll_cancel_req() + io_poll_check_events() | + // do while first loop | + v = atomic_read(...) | + // v = poll_refs = 1 | + ... | io_poll_mark_cancelled() + | atomic_or() + | // poll_refs = +IO_POLL_CANCEL_FLAG | 1 + | + atomic_sub_return(...) | + // poll_refs = IO_POLL_CANCEL_FLAG | + // loop continue | + | + | io_poll_execute() + | io_poll_get_ownership() + | // poll_refs = +IO_POLL_CANCEL_FLAG | 1 + | // gets the ownership + v = atomic_read(...) | + // poll_refs not change | + | + if (v & IO_POLL_CANCEL_FLAG) | + return -ECANCELED; | + // io_poll_check_events return | + // will go into | + // io_req_complete_failed() free req | + | + | io_apoll_task_func() + | // also go into +io_req_complete_failed() + +And the interleaving to trigger the kernel WARNING: + +CPU0 | CPU1 + | +io_apoll_task_func() | io_poll_cancel_req() + io_poll_check_events() | + // do while first loop | + v = atomic_read(...) | + // v = poll_refs = 1 | + ... | io_poll_mark_cancelled() + | atomic_or() + | // poll_refs = +IO_POLL_CANCEL_FLAG | 1 + | + atomic_sub_return(...) | + // poll_refs = IO_POLL_CANCEL_FLAG | + // loop continue | + | + v = atomic_read(...) 
| + // v = IO_POLL_CANCEL_FLAG | + | io_poll_execute() + | io_poll_get_ownership() + | // poll_refs = +IO_POLL_CANCEL_FLAG | 1 + | // gets the ownership + | + WARN_ON_ONCE(!(v & IO_POLL_REF_MASK))) | + // v & IO_POLL_REF_MASK = 0 WARN | + | + | io_apoll_task_func() + | // also go into +io_req_complete_failed() + +By looking up the source code and communicating with Pavel, the +implementation of this atomic poll refs should continue the loop of +io_poll_check_events() just to avoid somewhere else to grab the +ownership. Therefore, this patch simply adds another AND operation to +make sure the loop will stop if it finds the poll_refs is exactly equal +to IO_POLL_CANCEL_FLAG. Since io_poll_cancel_req() grabs ownership and +will finally make its way to io_req_complete_failed(), the req will +be reclaimed as expected. + +Fixes: aa43477b0402 ("io_uring: poll rework") +Signed-off-by: Lin Ma +Reviewed-by: Pavel Begunkov +[axboe: tweak description and code style] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/poll.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/io_uring/poll.c b/io_uring/poll.c +index 055632e9092a..0d721f8c4bc4 100644 +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -274,7 +274,8 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked) + * Release all references, retry if someone tried to restart + * task_work while we were executing it. + */ +- } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs)); ++ } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs) & ++ IO_POLL_REF_MASK); + + return IOU_POLL_NO_ACTION; + } +-- +2.35.1 + diff --git a/queue-6.0/ipv4-fix-error-return-code-in-fib_table_insert.patch b/queue-6.0/ipv4-fix-error-return-code-in-fib_table_insert.patch new file mode 100644 index 00000000000..a50953ef3d6 --- /dev/null +++ b/queue-6.0/ipv4-fix-error-return-code-in-fib_table_insert.patch 
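Review bot: The comment above the loop condition in io_poll_check_events() still reads "Release all references, retry if someone tried to restart task_work while we were executing it", which no longer describes the test: with the added `& IO_POLL_REF_MASK` the loop also stops when the only bit left in poll_refs is `IO_POLL_CANCEL_FLAG`. The whole fix rests on that distinction, so it belongs in the code and not only in the commit message, for example `/* Only reference bits count here; a leftover IO_POLL_CANCEL_FLAG means the canceller owns the request and will complete it. */`. The start of the do/while loop is outside the hunk, so whether any other bit above the mask can be set at this point cannot be checked from here.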
@@ -0,0 +1,40 @@
+From bffaa8cd0edead6caec65278b1c10e5c3e646251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Nov 2022 15:28:38 +0800
+Subject: ipv4: Fix error return code in fib_table_insert()
+
+From: Ziyang Xuan
+
+[ Upstream commit 568fe84940ac0e4e0b2cd7751b8b4911f7b9c215 ]
+
+In fib_table_insert(), if the alias was already inserted, but node not
+exist, the error code should be set before return from error handling path.
+
+Fixes: a6c76c17df02 ("ipv4: Notify route after insertion to the routing table")
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/r/20221120072838.2167047-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_trie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 452ff177e4da..f26d5ac117d6 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1381,8 +1381,10 @@ int fib_table_insert(struct net *net, struct fib_table *tb,
+
+ /* The alias was already inserted, so the node must exist. */
+ l = l ? l : fib_find_node(t, &tp, key);
+- if (WARN_ON_ONCE(!l))
++ if (WARN_ON_ONCE(!l)) {
++ err = -ENOENT;
+ goto out_free_new_fa;
++ }
+
+ if (fib_find_alias(&l->leaf, new_fa->fa_slen, 0, 0, tb->tb_id, true) ==
+ new_fa) {
+--
+2.35.1
+
diff --git a/queue-6.0/ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch b/queue-6.0/ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch
new file mode 100644
index 00000000000..350d225017e
--- /dev/null
+++ b/queue-6.0/ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch
@@ -0,0 +1,60 @@
+From ccee9bc96eff59f1be118e10b85dce17a9303402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 17:19:14 -0800
+Subject: ipvlan: hold lower dev to avoid possible use-after-free
+
+From: Mahesh Bandewar
+
+[ Upstream commit 40b9d1ab63f5c4f3cb69450044d07b45e5af72e1 ]
+
+Recently syzkaller discovered the issue of disappearing lower
+device (NETDEV_UNREGISTER) while the virtual device (like
+macvlan) is still having it as a lower device. So it's just
+a matter of time similar discovery will be made for IPvlan
+device setup. So fixing it preemptively. Also while at it,
+add a refcount tracker.
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ipvlan/ipvlan.h | 1 +
+ drivers/net/ipvlan/ipvlan_main.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index de94921cbef9..025e0c19ec25 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -98,6 +98,7 @@ struct ipvl_port {
+ struct sk_buff_head backlog;
+ int count;
+ struct ida ida;
++ netdevice_tracker dev_tracker;
+ };
+
+ struct ipvl_skb_cb {
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 49ba8a50dfb1..9043bcd1b41d 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -83,6 +83,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ if (err)
+ goto err;
+
++ netdev_hold(dev, &port->dev_tracker, GFP_KERNEL);
+ return 0;
+
+ err:
+@@ -95,6 +96,7 @@ static void ipvlan_port_destroy(struct net_device *dev)
+ struct ipvl_port *port = ipvlan_port_get_rtnl(dev);
+ struct sk_buff *skb;
+
++ netdev_put(dev, &port->dev_tracker);
+ if (port->mode == IPVLAN_MODE_L3S)
+ ipvlan_l3s_unregister(port);
+ netdev_rx_handler_unregister(dev);
+--
+2.35.1
+
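Review bot: In ipvlan_port_destroy() the added `netdev_put(dev, &port->dev_tracker);` is the first statement, yet the context lines right after it still use `dev` (`netdev_rx_handler_unregister(dev)`). The caller presumably keeps the device alive under RTNL at this point, so this is likely safe, but dropping the tracked reference as the last step that touches `dev` would make the hold visibly cover the whole teardown. The tracker lives inside `port`, so the put must in any case stay before `port` is freed; both functions continue outside the hunks, so that ordering has to be checked against the full body.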
diff --git a/queue-6.0/macsec-fix-invalid-error-code-set.patch b/queue-6.0/macsec-fix-invalid-error-code-set.patch
new file mode 100644
index 00000000000..fd175ecc283
--- /dev/null
+++ b/queue-6.0/macsec-fix-invalid-error-code-set.patch
@@ -0,0 +1,38 @@
+From a68c4f0ab3651dda97ffdfb7ad7963586a75947d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 09:12:49 +0800
+Subject: macsec: Fix invalid error code set
+
+From: YueHaibing
+
+[ Upstream commit 7cef6b73fba96abef731a53501924fc3c4a0f947 ]
+
+'ret' is defined twice in macsec_changelink(), when it is set in macsec_is_offloaded
+case, it will be invalid before return.
+
+Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
+Signed-off-by: YueHaibing
+Reviewed-by: Saeed Mahameed
+Reviewed-by: Antoine Tenart
+Link: https://lore.kernel.org/r/20221118011249.48112-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macsec.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index d145ad189778..104fc564a766 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3855,7 +3855,6 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
+ if (macsec_is_offloaded(macsec)) {
+ const struct macsec_ops *ops;
+ struct macsec_context ctx;
+- int ret;
+
+ ops = macsec_get_ops(netdev_priv(dev), &ctx);
+ if (!ops) {
+--
+2.35.1
+
diff --git a/queue-6.0/net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch b/queue-6.0/net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch
new file mode 100644
index 00000000000..738c14d3f30
--- /dev/null
+++ b/queue-6.0/net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch
@@ -0,0 +1,47 @@
+From e1bb4ea41d0da5a102a8f8567be1983a3200697f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 21:53:05 +0100
+Subject: net/cdc_ncm: Fix multicast RX support for CDC NCM devices with ZLP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Santiago Ruano Rincón
+
+[ Upstream commit 748064b54c99418f615aabff5755996cd9816969 ]
+
+ZLP for DisplayLink ethernet devices was enabled in 6.0:
+266c0190aee3 ("net/cdc_ncm: Enable ZLP for DisplayLink ethernet devices").
+The related driver_info should be the "same as cdc_ncm_info, but with
+FLAG_SEND_ZLP". However, set_rx_mode that enables handling multicast
+traffic was missing in the new cdc_ncm_zlp_info.
+
+usbnet_cdc_update_filter rx mode was introduced in linux 5.9 with:
+e10dcb1b6ba7 ("net: cdc_ncm: hook into set_rx_mode to admit multicast
+traffic")
+
+Without this hook, multicast, and then IPv6 SLAAC, is broken.
+
+Fixes: 266c0190aee3 ("net/cdc_ncm: Enable ZLP for DisplayLink ethernet devices")
+Signed-off-by: Santiago Ruano Rincón
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/cdc_ncm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 8d5cbda33f66..0897fdb6254b 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1915,6 +1915,7 @@ static const struct driver_info cdc_ncm_zlp_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
++ .set_rx_mode = usbnet_cdc_update_filter,
+ };
+
+ /* Same as cdc_ncm_info, but with FLAG_WWAN */
+--
+2.35.1
+
diff --git a/queue-6.0/net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch b/queue-6.0/net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch
new file mode 100644
index 00000000000..6709f226dbf
--- /dev/null
+++ b/queue-6.0/net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch
@@ -0,0 +1,40 @@
+From c7d8af2f3d709cacfb95aa8cb5445fd4ecc1eaf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 03:32:26 +0000
+Subject: net: dm9051: Fix missing dev_kfree_skb() in dm9051_loop_rx()
+
+From: Yuan Can
+
+[ Upstream commit bac81f40c2c1484a2bd416b3fbf983f6e76488cd ]
+
+The dm9051_loop_rx() returns without release skb when dm9051_stop_mrcmd()
+returns error, free the skb to avoid this leak.
+
+Fixes: 2dc95a4d30ed ("net: Add dm9051 driver")
+Signed-off-by: Yuan Can
+Reviewed-by: Maciej Fijalkowski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/davicom/dm9051.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c
+index a523ddda7609..de7105a84747 100644
+--- a/drivers/net/ethernet/davicom/dm9051.c
++++ b/drivers/net/ethernet/davicom/dm9051.c
+@@ -798,8 +798,10 @@ static int dm9051_loop_rx(struct board_info *db)
+ }
+
+ ret = dm9051_stop_mrcmd(db);
+- if (ret)
++ if (ret) {
++ dev_kfree_skb(skb);
+ return ret;
++ }
+
+ skb->protocol = eth_type_trans(skb, db->ndev);
+ if (db->ndev->features & NETIF_F_RXCSUM)
+--
+2.35.1
+
diff --git a/queue-6.0/net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch b/queue-6.0/net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch
new file mode 100644
index 00000000000..357cb1f329e
--- /dev/null
+++ b/queue-6.0/net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch
@@ -0,0 +1,71 @@ +From 0158b4b7b23ff257e9687497fff9a10567cc0118 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 12:06:53 +0200 +Subject: net: dsa: sja1105: disallow C45 transactions on the BASE-TX MDIO bus + +From: Vladimir Oltean + +[ Upstream commit 24deec6b9e4a051635f75777844ffc184644fec9 ] + +You'd think people know that the internal 100BASE-TX PHY on the SJA1110 +responds only to clause 22 MDIO transactions, but they don't :) + +When a clause 45 transaction is attempted, sja1105_base_tx_mdio_read() +and sja1105_base_tx_mdio_write() don't expect "reg" to contain bit 30 +set (MII_ADDR_C45) and pack this value into the SPI transaction buffer. + +But the field in the SPI buffer has a width smaller than 30 bits, so we +see this confusing message from the packing() API rather than a proper +rejection of C45 transactions: + +Call trace: + dump_stack+0x1c/0x38 + sja1105_pack+0xbc/0xc0 [sja1105] + sja1105_xfer+0x114/0x2b0 [sja1105] + sja1105_xfer_u32+0x44/0xf4 [sja1105] + sja1105_base_tx_mdio_read+0x44/0x7c [sja1105] + mdiobus_read+0x44/0x80 + get_phy_c45_ids+0x70/0x234 + get_phy_device+0x68/0x15c + fwnode_mdiobus_register_phy+0x74/0x240 + of_mdiobus_register+0x13c/0x380 + sja1105_mdiobus_register+0x368/0x490 [sja1105] + sja1105_setup+0x94/0x119c [sja1105] +Cannot store 401d2405 inside bits 24-4 (would truncate) + +Fixes: 5a8f09748ee7 ("net: dsa: sja1105: register the MDIO buses for 100base-T1 and 100base-TX") +Signed-off-by: Vladimir Oltean +Reviewed-by: Andrew Lunn +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_mdio.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105_mdio.c b/drivers/net/dsa/sja1105/sja1105_mdio.c +index 215dd17ca790..4059fcc8c832 100644 +--- a/drivers/net/dsa/sja1105/sja1105_mdio.c ++++ b/drivers/net/dsa/sja1105/sja1105_mdio.c +@@ -256,6 +256,9 @@ static int sja1105_base_tx_mdio_read(struct mii_bus *bus, int phy, int reg) + u32 tmp; + int rc; + ++ if (reg & MII_ADDR_C45) ++ return -EOPNOTSUPP; ++ + rc = sja1105_xfer_u32(priv, SPI_READ, regs->mdio_100base_tx + reg, + &tmp, NULL); + if (rc < 0) +@@ -272,6 +275,9 @@ static int sja1105_base_tx_mdio_write(struct mii_bus *bus, int phy, int reg, + const struct sja1105_regs *regs = priv->info->regs; + u32 tmp = val; + ++ if (reg & MII_ADDR_C45) ++ return -EOPNOTSUPP; ++ + return sja1105_xfer_u32(priv, SPI_WRITE, regs->mdio_100base_tx + reg, + &tmp, NULL); + } +-- +2.35.1 + diff --git a/queue-6.0/net-enetc-cache-accesses-to-priv-si-hw.patch b/queue-6.0/net-enetc-cache-accesses-to-priv-si-hw.patch new file mode 100644 index 00000000000..058fc320731 --- /dev/null +++ b/queue-6.0/net-enetc-cache-accesses-to-priv-si-hw.patch 
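Review bot: The two added `if (reg & MII_ADDR_C45) return -EOPNOTSUPP;` guards in sja1105_base_tx_mdio_read() and sja1105_base_tx_mdio_write() carry no comment, so the reason for them lives only in the commit message. A one-line comment above each, for example `/* Internal 100BASE-TX PHY answers clause 22 only; reject C45 before reg is packed into the SPI address */`, would keep a later cleanup from removing them. The guard tests only the C45 flag, and `reg` is still added to `regs->mdio_100base_tx` without a range check, which relies on callers passing nothing but clause 22 register numbers. Both function bodies start outside the hunks, so that assumption should be confirmed against the full source.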
@@ -0,0 +1,376 @@ +From 306a1eef0576dc6d1ed0b4d3ceaacf297187f76d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 12:52:02 +0300 +Subject: net: enetc: cache accesses to &priv->si->hw + +From: Vladimir Oltean + +[ Upstream commit 715bf2610f1d1adf3d4f9b7b3dd729984ec4270a ] + +The &priv->si->hw construct dereferences 2 pointers and makes lines +longer than they need to be, in turn making the code harder to read. + +Replace &priv->si->hw accesses with a "hw" variable when there are 2 or +more accesses within a function that dereference this. This includes +loops, since &priv->si->hw is a loop invariant. + +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Stable-dep-of: 290b5fe096e7 ("net: enetc: preserve TX ring priority across reconfiguration") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 28 +++++---- + drivers/net/ethernet/freescale/enetc/enetc.h | 9 +-- + .../net/ethernet/freescale/enetc/enetc_qos.c | 60 +++++++++---------- + 3 files changed, 49 insertions(+), 48 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index d0fd3045ce11..e6dbc78f490c 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2121,13 +2121,14 @@ static void enetc_setup_rxbdr(struct enetc_hw *hw, struct enetc_bdr *rx_ring) + + static void enetc_setup_bdrs(struct enetc_ndev_priv *priv) + { ++ struct enetc_hw *hw = &priv->si->hw; + int i; + + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_setup_txbdr(&priv->si->hw, priv->tx_ring[i]); ++ enetc_setup_txbdr(hw, priv->tx_ring[i]); + + for (i = 0; i < priv->num_rx_rings; i++) +- enetc_setup_rxbdr(&priv->si->hw, priv->rx_ring[i]); ++ enetc_setup_rxbdr(hw, priv->rx_ring[i]); + } + + static void enetc_clear_rxbdr(struct enetc_hw *hw, struct enetc_bdr *rx_ring) +@@ -2160,13 +2161,14 @@ static void enetc_clear_txbdr(struct enetc_hw *hw, struct enetc_bdr 
*tx_ring) + + static void enetc_clear_bdrs(struct enetc_ndev_priv *priv) + { ++ struct enetc_hw *hw = &priv->si->hw; + int i; + + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_clear_txbdr(&priv->si->hw, priv->tx_ring[i]); ++ enetc_clear_txbdr(hw, priv->tx_ring[i]); + + for (i = 0; i < priv->num_rx_rings; i++) +- enetc_clear_rxbdr(&priv->si->hw, priv->rx_ring[i]); ++ enetc_clear_rxbdr(hw, priv->rx_ring[i]); + + udelay(1); + } +@@ -2174,13 +2176,13 @@ static void enetc_clear_bdrs(struct enetc_ndev_priv *priv) + static int enetc_setup_irqs(struct enetc_ndev_priv *priv) + { + struct pci_dev *pdev = priv->si->pdev; ++ struct enetc_hw *hw = &priv->si->hw; + int i, j, err; + + for (i = 0; i < priv->bdr_int_num; i++) { + int irq = pci_irq_vector(pdev, ENETC_BDR_INT_BASE_IDX + i); + struct enetc_int_vector *v = priv->int_vector[i]; + int entry = ENETC_BDR_INT_BASE_IDX + i; +- struct enetc_hw *hw = &priv->si->hw; + + snprintf(v->name, sizeof(v->name), "%s-rxtx%d", + priv->ndev->name, i); +@@ -2268,13 +2270,14 @@ static void enetc_setup_interrupts(struct enetc_ndev_priv *priv) + + static void enetc_clear_interrupts(struct enetc_ndev_priv *priv) + { ++ struct enetc_hw *hw = &priv->si->hw; + int i; + + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_txbdr_wr(&priv->si->hw, i, ENETC_TBIER, 0); ++ enetc_txbdr_wr(hw, i, ENETC_TBIER, 0); + + for (i = 0; i < priv->num_rx_rings; i++) +- enetc_rxbdr_wr(&priv->si->hw, i, ENETC_RBIER, 0); ++ enetc_rxbdr_wr(hw, i, ENETC_RBIER, 0); + } + + static int enetc_phylink_connect(struct net_device *ndev) +@@ -2441,6 +2444,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data) + { + struct enetc_ndev_priv *priv = netdev_priv(ndev); + struct tc_mqprio_qopt *mqprio = type_data; ++ struct enetc_hw *hw = &priv->si->hw; + struct enetc_bdr *tx_ring; + int num_stack_tx_queues; + u8 num_tc; +@@ -2457,7 +2461,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data) + /* Reset all ring priorities to 0 */ + for (i = 0; 
i < priv->num_tx_rings; i++) { + tx_ring = priv->tx_ring[i]; +- enetc_set_bdr_prio(&priv->si->hw, tx_ring->index, 0); ++ enetc_set_bdr_prio(hw, tx_ring->index, 0); + } + + return 0; +@@ -2476,7 +2480,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data) + */ + for (i = 0; i < num_tc; i++) { + tx_ring = priv->tx_ring[i]; +- enetc_set_bdr_prio(&priv->si->hw, tx_ring->index, i); ++ enetc_set_bdr_prio(hw, tx_ring->index, i); + } + + /* Reset the number of netdev queues based on the TC count */ +@@ -2589,19 +2593,21 @@ static int enetc_set_rss(struct net_device *ndev, int en) + static void enetc_enable_rxvlan(struct net_device *ndev, bool en) + { + struct enetc_ndev_priv *priv = netdev_priv(ndev); ++ struct enetc_hw *hw = &priv->si->hw; + int i; + + for (i = 0; i < priv->num_rx_rings; i++) +- enetc_bdr_enable_rxvlan(&priv->si->hw, i, en); ++ enetc_bdr_enable_rxvlan(hw, i, en); + } + + static void enetc_enable_txvlan(struct net_device *ndev, bool en) + { + struct enetc_ndev_priv *priv = netdev_priv(ndev); ++ struct enetc_hw *hw = &priv->si->hw; + int i; + + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_bdr_enable_txvlan(&priv->si->hw, i, en); ++ enetc_bdr_enable_txvlan(hw, i, en); + } + + void enetc_set_features(struct net_device *ndev, netdev_features_t features) +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index 2cfe6944ebd3..748677b2ce1f 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -467,19 +467,20 @@ int enetc_set_psfp(struct net_device *ndev, bool en); + + static inline void enetc_get_max_cap(struct enetc_ndev_priv *priv) + { ++ struct enetc_hw *hw = &priv->si->hw; + u32 reg; + +- reg = enetc_port_rd(&priv->si->hw, ENETC_PSIDCAPR); ++ reg = enetc_port_rd(hw, ENETC_PSIDCAPR); + priv->psfp_cap.max_streamid = reg & ENETC_PSIDCAPR_MSK; + /* Port stream filter capability */ +- reg = enetc_port_rd(&priv->si->hw, 
ENETC_PSFCAPR); ++ reg = enetc_port_rd(hw, ENETC_PSFCAPR); + priv->psfp_cap.max_psfp_filter = reg & ENETC_PSFCAPR_MSK; + /* Port stream gate capability */ +- reg = enetc_port_rd(&priv->si->hw, ENETC_PSGCAPR); ++ reg = enetc_port_rd(hw, ENETC_PSGCAPR); + priv->psfp_cap.max_psfp_gate = (reg & ENETC_PSGCAPR_SGIT_MSK); + priv->psfp_cap.max_psfp_gatelist = (reg & ENETC_PSGCAPR_GCL_MSK) >> 16; + /* Port flow meter capability */ +- reg = enetc_port_rd(&priv->si->hw, ENETC_PFMCAPR); ++ reg = enetc_port_rd(hw, ENETC_PFMCAPR); + priv->psfp_cap.max_psfp_meter = reg & ENETC_PFMCAPR_MSK; + } + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +index f8a2f02ce22d..2e783ef73690 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +@@ -17,8 +17,9 @@ static u16 enetc_get_max_gcl_len(struct enetc_hw *hw) + + void enetc_sched_speed_set(struct enetc_ndev_priv *priv, int speed) + { ++ struct enetc_hw *hw = &priv->si->hw; + u32 old_speed = priv->speed; +- u32 pspeed; ++ u32 pspeed, tmp; + + if (speed == old_speed) + return; +@@ -39,16 +40,15 @@ void enetc_sched_speed_set(struct enetc_ndev_priv *priv, int speed) + } + + priv->speed = speed; +- enetc_port_wr(&priv->si->hw, ENETC_PMR, +- (enetc_port_rd(&priv->si->hw, ENETC_PMR) +- & (~ENETC_PMR_PSPEED_MASK)) +- | pspeed); ++ tmp = enetc_port_rd(hw, ENETC_PMR); ++ enetc_port_wr(hw, ENETC_PMR, (tmp & ~ENETC_PMR_PSPEED_MASK) | pspeed); + } + + static int enetc_setup_taprio(struct net_device *ndev, + struct tc_taprio_qopt_offload *admin_conf) + { + struct enetc_ndev_priv *priv = netdev_priv(ndev); ++ struct enetc_hw *hw = &priv->si->hw; + struct enetc_cbd cbd = {.cmd = 0}; + struct tgs_gcl_conf *gcl_config; + struct tgs_gcl_data *gcl_data; +@@ -61,15 +61,13 @@ static int enetc_setup_taprio(struct net_device *ndev, + int err; + int i; + +- if (admin_conf->num_entries > enetc_get_max_gcl_len(&priv->si->hw)) ++ if 
(admin_conf->num_entries > enetc_get_max_gcl_len(hw)) + return -EINVAL; + gcl_len = admin_conf->num_entries; + +- tge = enetc_rd(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET); ++ tge = enetc_rd(hw, ENETC_QBV_PTGCR_OFFSET); + if (!admin_conf->enable) { +- enetc_wr(&priv->si->hw, +- ENETC_QBV_PTGCR_OFFSET, +- tge & (~ENETC_QBV_TGE)); ++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge & ~ENETC_QBV_TGE); + + priv->active_offloads &= ~ENETC_F_QBV; + +@@ -117,14 +115,11 @@ static int enetc_setup_taprio(struct net_device *ndev, + cbd.cls = BDCR_CMD_PORT_GCL; + cbd.status_flags = 0; + +- enetc_wr(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET, +- tge | ENETC_QBV_TGE); ++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge | ENETC_QBV_TGE); + + err = enetc_send_cmd(priv->si, &cbd); + if (err) +- enetc_wr(&priv->si->hw, +- ENETC_QBV_PTGCR_OFFSET, +- tge & (~ENETC_QBV_TGE)); ++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge & ~ENETC_QBV_TGE); + + enetc_cbd_free_data_mem(priv->si, data_size, tmp, &dma); + +@@ -138,6 +133,7 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data) + { + struct tc_taprio_qopt_offload *taprio = type_data; + struct enetc_ndev_priv *priv = netdev_priv(ndev); ++ struct enetc_hw *hw = &priv->si->hw; + int err; + int i; + +@@ -147,16 +143,14 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data) + return -EBUSY; + + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_set_bdr_prio(&priv->si->hw, +- priv->tx_ring[i]->index, ++ enetc_set_bdr_prio(hw, priv->tx_ring[i]->index, + taprio->enable ? i : 0); + + err = enetc_setup_taprio(ndev, taprio); + + if (err) + for (i = 0; i < priv->num_tx_rings; i++) +- enetc_set_bdr_prio(&priv->si->hw, +- priv->tx_ring[i]->index, ++ enetc_set_bdr_prio(hw, priv->tx_ring[i]->index, + taprio->enable ? 
0 : i); + + return err; +@@ -178,7 +172,7 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + struct tc_cbs_qopt_offload *cbs = type_data; + u32 port_transmit_rate = priv->speed; + u8 tc_nums = netdev_get_num_tc(ndev); +- struct enetc_si *si = priv->si; ++ struct enetc_hw *hw = &priv->si->hw; + u32 hi_credit_bit, hi_credit_reg; + u32 max_interference_size; + u32 port_frame_max_size; +@@ -199,15 +193,15 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + * lower than this TC have been disabled. + */ + if (tc == prio_top && +- enetc_get_cbs_enable(&si->hw, prio_next)) { ++ enetc_get_cbs_enable(hw, prio_next)) { + dev_err(&ndev->dev, + "Disable TC%d before disable TC%d\n", + prio_next, tc); + return -EINVAL; + } + +- enetc_port_wr(&si->hw, ENETC_PTCCBSR1(tc), 0); +- enetc_port_wr(&si->hw, ENETC_PTCCBSR0(tc), 0); ++ enetc_port_wr(hw, ENETC_PTCCBSR1(tc), 0); ++ enetc_port_wr(hw, ENETC_PTCCBSR0(tc), 0); + + return 0; + } +@@ -224,13 +218,13 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + * higher than this TC have been enabled. + */ + if (tc == prio_next) { +- if (!enetc_get_cbs_enable(&si->hw, prio_top)) { ++ if (!enetc_get_cbs_enable(hw, prio_top)) { + dev_err(&ndev->dev, + "Enable TC%d first before enable TC%d\n", + prio_top, prio_next); + return -EINVAL; + } +- bw_sum += enetc_get_cbs_bw(&si->hw, prio_top); ++ bw_sum += enetc_get_cbs_bw(hw, prio_top); + } + + if (bw_sum + bw >= 100) { +@@ -239,7 +233,7 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + return -EINVAL; + } + +- enetc_port_rd(&si->hw, ENETC_PTCMSDUR(tc)); ++ enetc_port_rd(hw, ENETC_PTCMSDUR(tc)); + + /* For top prio TC, the max_interfrence_size is maxSizedFrame. 
+ * +@@ -259,8 +253,8 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + u32 m0, ma, r0, ra; + + m0 = port_frame_max_size * 8; +- ma = enetc_port_rd(&si->hw, ENETC_PTCMSDUR(prio_top)) * 8; +- ra = enetc_get_cbs_bw(&si->hw, prio_top) * ++ ma = enetc_port_rd(hw, ENETC_PTCMSDUR(prio_top)) * 8; ++ ra = enetc_get_cbs_bw(hw, prio_top) * + port_transmit_rate * 10000ULL; + r0 = port_transmit_rate * 1000000ULL; + max_interference_size = m0 + ma + +@@ -280,10 +274,10 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data) + hi_credit_reg = (u32)div_u64((ENETC_CLK * 100ULL) * hi_credit_bit, + port_transmit_rate * 1000000ULL); + +- enetc_port_wr(&si->hw, ENETC_PTCCBSR1(tc), hi_credit_reg); ++ enetc_port_wr(hw, ENETC_PTCCBSR1(tc), hi_credit_reg); + + /* Set bw register and enable this traffic class */ +- enetc_port_wr(&si->hw, ENETC_PTCCBSR0(tc), bw | ENETC_CBSE); ++ enetc_port_wr(hw, ENETC_PTCCBSR0(tc), bw | ENETC_CBSE); + + return 0; + } +@@ -293,6 +287,7 @@ int enetc_setup_tc_txtime(struct net_device *ndev, void *type_data) + struct enetc_ndev_priv *priv = netdev_priv(ndev); + struct tc_etf_qopt_offload *qopt = type_data; + u8 tc_nums = netdev_get_num_tc(ndev); ++ struct enetc_hw *hw = &priv->si->hw; + int tc; + + if (!tc_nums) +@@ -304,12 +299,11 @@ int enetc_setup_tc_txtime(struct net_device *ndev, void *type_data) + return -EINVAL; + + /* TSD and Qbv are mutually exclusive in hardware */ +- if (enetc_rd(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET) & ENETC_QBV_TGE) ++ if (enetc_rd(hw, ENETC_QBV_PTGCR_OFFSET) & ENETC_QBV_TGE) + return -EBUSY; + + priv->tx_ring[tc]->tsd_enable = qopt->enable; +- enetc_port_wr(&priv->si->hw, ENETC_PTCTSDR(tc), +- qopt->enable ? ENETC_TSDE : 0); ++ enetc_port_wr(hw, ENETC_PTCTSDR(tc), qopt->enable ? ENETC_TSDE : 0); + + return 0; + } +-- +2.35.1 + 
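Review bot: In enetc_setup_tc_cbs() the converted line `enetc_port_rd(hw, ENETC_PTCMSDUR(tc));` still discards the value it reads. If the register read is wanted for a hardware side effect it needs a comment saying so, such as `/* value unused: read kept for its side effect */`; if it is not, the call is dead code that this cleanup could have dropped. In enetc_sched_speed_set() the new temporary in `u32 pspeed, tmp;` holds the ENETC_PMR value for a read-modify-write, and a name like `pmr` would say that. The functions touched in enetc_qos.c extend beyond the hunks shown.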
diff --git a/queue-6.0/net-enetc-preserve-tx-ring-priority-across-reconfigu.patch b/queue-6.0/net-enetc-preserve-tx-ring-priority-across-reconfigu.patch
new file mode 100644
index 00000000000..877f22d2f49
--- /dev/null
+++ b/queue-6.0/net-enetc-preserve-tx-ring-priority-across-reconfigu.patch
@@ -0,0 +1,126 @@ +From 3141e01fb539012903048b637dd4ac15065f68bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 15:09:36 +0200 +Subject: net: enetc: preserve TX ring priority across reconfiguration + +From: Vladimir Oltean + +[ Upstream commit 290b5fe096e7dd0aad730d1af4f7f2d9fea43e11 ] + +In the blamed commit, a rudimentary reallocation procedure for RX buffer +descriptors was implemented, for the situation when their format changes +between normal (no PTP) and extended (PTP). + +enetc_hwtstamp_set() calls enetc_close() and enetc_open() in a sequence, +and this sequence loses information which was previously configured in +the TX BDR Mode Register, specifically via the enetc_set_bdr_prio() call. +The TX ring priority is configured by tc-mqprio and tc-taprio, and +affects important things for TSN such as the TX time of packets. The +issue manifests itself most visibly by the fact that isochron --txtime +reports premature packet transmissions when PTP is first enabled on an +enetc interface. + +Save the TX ring priority in a new field in struct enetc_bdr (occupies a +2 byte hole on arm64) in order to make this survive a ring reconfiguration. 
+ +Fixes: 434cebabd3a2 ("enetc: Add dynamic allocation of extended Rx BD rings") +Signed-off-by: Vladimir Oltean +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/r/20221122130936.1704151-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 8 ++++--- + drivers/net/ethernet/freescale/enetc/enetc.h | 1 + + .../net/ethernet/freescale/enetc/enetc_qos.c | 21 ++++++++++++------- + 3 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index e6dbc78f490c..1d8ec1b120a1 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2058,7 +2058,7 @@ static void enetc_setup_txbdr(struct enetc_hw *hw, struct enetc_bdr *tx_ring) + /* enable Tx ints by setting pkt thr to 1 */ + enetc_txbdr_wr(hw, idx, ENETC_TBICR0, ENETC_TBICR0_ICEN | 0x1); + +- tbmr = ENETC_TBMR_EN; ++ tbmr = ENETC_TBMR_EN | ENETC_TBMR_SET_PRIO(tx_ring->prio); + if (tx_ring->ndev->features & NETIF_F_HW_VLAN_CTAG_TX) + tbmr |= ENETC_TBMR_VIH; + +@@ -2461,7 +2461,8 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data) + /* Reset all ring priorities to 0 */ + for (i = 0; i < priv->num_tx_rings; i++) { + tx_ring = priv->tx_ring[i]; +- enetc_set_bdr_prio(hw, tx_ring->index, 0); ++ tx_ring->prio = 0; ++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio); + } + + return 0; +@@ -2480,7 +2481,8 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data) + */ + for (i = 0; i < num_tc; i++) { + tx_ring = priv->tx_ring[i]; +- enetc_set_bdr_prio(hw, tx_ring->index, i); ++ tx_ring->prio = i; ++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio); + } + + /* Reset the number of netdev queues based on the TC count */ +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h +index 
748677b2ce1f..bb1b3b0e40e4 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc.h +@@ -95,6 +95,7 @@ struct enetc_bdr { + void __iomem *rcir; + }; + u16 index; ++ u16 prio; + int bd_count; /* # of BDs */ + int next_to_use; + int next_to_clean; +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +index 2e783ef73690..5fcb02b00699 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +@@ -134,6 +134,7 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data) + struct tc_taprio_qopt_offload *taprio = type_data; + struct enetc_ndev_priv *priv = netdev_priv(ndev); + struct enetc_hw *hw = &priv->si->hw; ++ struct enetc_bdr *tx_ring; + int err; + int i; + +@@ -142,16 +143,20 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data) + if (priv->tx_ring[i]->tsd_enable) + return -EBUSY; + +- for (i = 0; i < priv->num_tx_rings; i++) +- enetc_set_bdr_prio(hw, priv->tx_ring[i]->index, +- taprio->enable ? i : 0); ++ for (i = 0; i < priv->num_tx_rings; i++) { ++ tx_ring = priv->tx_ring[i]; ++ tx_ring->prio = taprio->enable ? i : 0; ++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio); ++ } + + err = enetc_setup_taprio(ndev, taprio); +- +- if (err) +- for (i = 0; i < priv->num_tx_rings; i++) +- enetc_set_bdr_prio(hw, priv->tx_ring[i]->index, +- taprio->enable ? 0 : i); ++ if (err) { ++ for (i = 0; i < priv->num_tx_rings; i++) { ++ tx_ring = priv->tx_ring[i]; ++ tx_ring->prio = taprio->enable ? 0 : i; ++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio); ++ } ++ } + + return err; + } +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch b/queue-6.0/net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch new file mode 100644 index 00000000000..2ec2646f832 --- /dev/null 
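Review bot: The error rollback in enetc_setup_tc_taprio() stores `tx_ring->prio = taprio->enable ? 0 : i;`, which is the inverse of the request rather than the priority the ring had before the call. Because `prio` is now replayed by enetc_setup_txbdr() through `ENETC_TBMR_SET_PRIO(tx_ring->prio)`, a failed taprio change can leave a guessed value that survives later ring reconfigurations, for instance when the priorities had been assigned by enetc_setup_tc_mqprio(). The guess predates this patch, but the previous value is now sitting in `tx_ring->prio` before it is overwritten, so the first loop could save it and the rollback restore it; at minimum a comment such as `/* rollback assumes the previous state was the opposite taprio setting */` should flag the assumption. `ENETC_TBMR_SET_PRIO()` is not shown, so it is worth confirming that it masks the u16 argument to the register field width.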
+++ b/queue-6.0/net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch
@@ -0,0 +1,42 @@
+From 484fd6fdf013ea302b765c132858f13b5e4958ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 19:13:56 +0800
+Subject: net: ethernet: mtk_eth_soc: fix error handling in mtk_open()
+
+From: Liu Jian
+
+[ Upstream commit f70074140524c59a0935947b06dd6cb6e1ea642d ]
+
+If mtk_start_dma() fails, invoke phylink_disconnect_phy() to perform
+cleanup. phylink_disconnect_phy() contains the put_device action. If
+phylink_disconnect_phy is not performed, the Kref of netdev will leak.
+
+Fixes: b8fc9f30821e ("net: ethernet: mediatek: Add basic PHYLINK support")
+Signed-off-by: Liu Jian
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20221117111356.161547-1-liujian56@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 84433f3a3e22..a75f5931f746 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2979,8 +2979,10 @@ static int mtk_open(struct net_device *dev)
+ u32 gdm_config = MTK_GDMA_TO_PDMA;
+
+ err = mtk_start_dma(eth);
+- if (err)
++ if (err) {
++ phylink_disconnect_phy(mac->phylink);
+ return err;
++ }
+
+ if (eth->soc->offload_version && mtk_ppe_start(eth->ppe) == 0)
+ gdm_config = MTK_GDMA_TO_PPE;
+--
+2.35.1
+
diff --git a/queue-6.0/net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch b/queue-6.0/net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch
new file mode 100644
index 00000000000..0703ec0c640
--- /dev/null
+++ b/queue-6.0/net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch
@@ -0,0 +1,47 @@ +From 2f8480dd1390869d9da5d9aff1394927b1dc2cfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 11:54:05 +0800 +Subject: net: ethernet: mtk_eth_soc: fix potential memory leak in + mtk_rx_alloc() + +From: Ziyang Xuan + +[ Upstream commit 3213f808ae21be3891885de2f3a775afafcda987 ] + +When fail to dma_map_single() in mtk_rx_alloc(), it returns directly. +But the memory allocated for local variable data is not freed, and +local variabel data has not been attached to ring->data[i] yet, so the +memory allocated for local variable data will not be freed outside +mtk_rx_alloc() too. Thus memory leak would occur in this scenario. + +Add skb_free_frag(data) when dma_map_single() failed. + +Fixes: 23233e577ef9 ("net: ethernet: mtk_eth_soc: rely on page_pool for single page buffers") +Signed-off-by: Ziyang Xuan +Acked-by: Lorenzo Bianconi +Link: https://lore.kernel.org/r/20221120035405.1464341-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index a75f5931f746..916b570bdbf4 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -2363,8 +2363,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + data + NET_SKB_PAD + eth->ip_align, + ring->buf_size, DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(eth->dma_dev, +- dma_addr))) ++ dma_addr))) { ++ skb_free_frag(data); + return -ENOMEM; ++ } + } + rxd->rxd1 = (unsigned int)dma_addr; + ring->data[i] = data; +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch b/queue-6.0/net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch new file mode 100644 index 00000000000..10fc46e2641 --- /dev/null 
+++ b/queue-6.0/net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch @@ -0,0 +1,44 @@ +From 4e58a22b8c56dd315710693fe63bc284a76b017d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 13:52:58 +0800 +Subject: net: ethernet: mtk_eth_soc: fix resource leak in error path + +From: Yan Cangang + +[ Upstream commit 8110437e59616293228cd781c486d8495a61e36a ] + +In mtk_probe(), when mtk_ppe_init() or mtk_eth_offload_init() failed, +mtk_mdio_cleanup() isn't called. Fix it. + +Fixes: ba37b7caf1ed ("net: ethernet: mtk_eth_soc: add support for initializing the PPE") +Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support") +Signed-off-by: Yan Cangang +Reviewed-by: Leon Romanovsky +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 3db24ddd1261..aee57b22c496 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -4114,12 +4114,12 @@ static int mtk_probe(struct platform_device *pdev) + eth->ppe = mtk_ppe_init(eth, eth->base + ppe_addr, 2); + if (!eth->ppe) { + err = -ENOMEM; +- goto err_free_dev; ++ goto err_deinit_mdio; + } + + err = mtk_eth_offload_init(eth); + if (err) +- goto err_free_dev; ++ goto err_deinit_mdio; + } + + for (i = 0; i < MTK_MAX_DEVS; i++) { +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch b/queue-6.0/net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch new file mode 100644 index 00000000000..5991d20c1bb --- /dev/null +++ b/queue-6.0/net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch 
@@ -0,0 +1,120 @@ +From 6563f43c89765e075e8784d921e17bd680d01189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 12:11:15 +0200 +Subject: net: ethernet: mtk_eth_soc: move gdma_to_ppe and ppe_base definitions + in mtk register map + +From: Lorenzo Bianconi + +[ Upstream commit 329bce5139cfb00dba40f038ec090572b81ff2a9 ] + +This is a preliminary patch to introduce mt7986 hw packet engine. + +Tested-by: Daniel Golle +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Paolo Abeni +Stable-dep-of: 8110437e5961 ("net: ethernet: mtk_eth_soc: fix resource leak in error path") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 +++++++++++---- + drivers/net/ethernet/mediatek/mtk_eth_soc.h | 3 ++- + drivers/net/ethernet/mediatek/mtk_ppe.h | 2 -- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 916b570bdbf4..83c636d44142 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -73,6 +73,8 @@ static const struct mtk_reg_map mtk_reg_map = { + .fq_blen = 0x1b2c, + }, + .gdm1_cnt = 0x2400, ++ .gdma_to_ppe = 0x4444, ++ .ppe_base = 0x0c00, + }; + + static const struct mtk_reg_map mt7628_reg_map = { +@@ -126,6 +128,8 @@ static const struct mtk_reg_map mt7986_reg_map = { + .fq_blen = 0x472c, + }, + .gdm1_cnt = 0x1c00, ++ .gdma_to_ppe = 0x3333, ++ .ppe_base = 0x2000, + }; + + /* strings used by ethtool */ +@@ -2978,6 +2982,7 @@ static int mtk_open(struct net_device *dev) + + /* we run 2 netdevs on the same dma ring so we only bring it up once */ + if (!refcount_read(ð->dma_refcnt)) { ++ const struct mtk_soc_data *soc = eth->soc; + u32 gdm_config = MTK_GDMA_TO_PDMA; + + err = mtk_start_dma(eth); +@@ -2986,15 +2991,15 @@ static int mtk_open(struct net_device *dev) + return err; + } + +- if (eth->soc->offload_version && mtk_ppe_start(eth->ppe) == 0) +- gdm_config = 
MTK_GDMA_TO_PPE; ++ if (soc->offload_version && mtk_ppe_start(eth->ppe) == 0) ++ gdm_config = soc->reg_map->gdma_to_ppe; + + mtk_gdm_config(eth, gdm_config); + + napi_enable(ð->tx_napi); + napi_enable(ð->rx_napi); + mtk_tx_irq_enable(eth, MTK_TX_DONE_INT); +- mtk_rx_irq_enable(eth, eth->soc->txrx.rx_irq_done_mask); ++ mtk_rx_irq_enable(eth, soc->txrx.rx_irq_done_mask); + refcount_set(ð->dma_refcnt, 1); + } + else +@@ -4104,7 +4109,9 @@ static int mtk_probe(struct platform_device *pdev) + } + + if (eth->soc->offload_version) { +- eth->ppe = mtk_ppe_init(eth, eth->base + MTK_ETH_PPE_BASE, 2); ++ u32 ppe_addr = eth->soc->reg_map->ppe_base; ++ ++ eth->ppe = mtk_ppe_init(eth, eth->base + ppe_addr, 2); + if (!eth->ppe) { + err = -ENOMEM; + goto err_free_dev; +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +index 0f9668a4079d..511752729f5c 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +@@ -105,7 +105,6 @@ + #define MTK_GDMA_TCS_EN BIT(21) + #define MTK_GDMA_UCS_EN BIT(20) + #define MTK_GDMA_TO_PDMA 0x0 +-#define MTK_GDMA_TO_PPE 0x4444 + #define MTK_GDMA_DROP_ALL 0x7777 + + /* Unicast Filter MAC Address Register - Low */ +@@ -955,6 +954,8 @@ struct mtk_reg_map { + u32 fq_blen; /* fq free page buffer length */ + } qdma; + u32 gdm1_cnt; ++ u32 gdma_to_ppe; ++ u32 ppe_base; + }; + + /* struct mtk_eth_data - This is the structure holding all differences +diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.h b/drivers/net/ethernet/mediatek/mtk_ppe.h +index 69ffce04d630..ceb7dfe281de 100644 +--- a/drivers/net/ethernet/mediatek/mtk_ppe.h ++++ b/drivers/net/ethernet/mediatek/mtk_ppe.h +@@ -8,8 +8,6 @@ + #include + #include + +-#define MTK_ETH_PPE_BASE 0xc00 +- + #define MTK_PPE_ENTRIES_SHIFT 3 + #define MTK_PPE_ENTRIES (1024 << MTK_PPE_ENTRIES_SHIFT) + #define MTK_PPE_HASH_MASK (MTK_PPE_ENTRIES - 1) +-- +2.35.1 + 
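Review bot: `mt7628_reg_map` receives neither `.gdma_to_ppe` nor `.ppe_base` in this change, so both stay zero there, while mtk_open() and mtk_probe() now read them for any SoC with a non-zero `offload_version`. Before the change such a SoC always got the fixed 0x4444 and 0xc00. With a map that lacks the fields, gdm_config would be 0, which equals `MTK_GDMA_TO_PDMA`, and the PPE base would be `eth->base + 0`, with no diagnostic. Whether any SoC pairs that map with offload is not visible here, so I would document the dependency in `struct mtk_reg_map`, e.g. `u32 gdma_to_ppe; /* GDM forward config selecting the PPE; must be set when offload_version != 0 */` and `u32 ppe_base; /* PPE register offset; must be set when offload_version != 0 */`.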
diff --git a/queue-6.0/net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch b/queue-6.0/net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch
new file mode 100644
index 00000000000..40653583e87
--- /dev/null
+++ b/queue-6.0/net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch
@@ -0,0 +1,194 @@ +From b034d1ecdd1dbd4497d9c5c8da4fe32fb429d1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 12:11:16 +0200 +Subject: net: ethernet: mtk_eth_soc: move ppe table hash offset to + mtk_soc_data structure + +From: Lorenzo Bianconi + +[ Upstream commit ba2fc48c5e1e9e1934939f0d12ff8b985dcc6e5d ] + +This is a preliminary patch to introduce mt7986 hw packet engine. + +Tested-by: Daniel Golle +Co-developed-by: Bo Jiao +Signed-off-by: Bo Jiao +Co-developed-by: Sujuan Chen +Signed-off-by: Sujuan Chen +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Paolo Abeni +Stable-dep-of: 8110437e5961 ("net: ethernet: mtk_eth_soc: fix resource leak in error path") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 ++++ + drivers/net/ethernet/mediatek/mtk_eth_soc.h | 2 ++ + drivers/net/ethernet/mediatek/mtk_ppe.c | 24 +++++++++++++++------ + drivers/net/ethernet/mediatek/mtk_ppe.h | 2 +- + 4 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 83c636d44142..3db24ddd1261 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -4210,6 +4210,7 @@ static const struct mtk_soc_data mt7621_data = { + .required_clks = MT7621_CLKS_BITMAP, + .required_pctl = false, + .offload_version = 2, ++ .hash_offset = 2, + .txrx = { + .txd_size = sizeof(struct mtk_tx_dma), + .rxd_size = sizeof(struct mtk_rx_dma), +@@ -4228,6 +4229,7 @@ static const struct mtk_soc_data mt7622_data = { + .required_clks = MT7622_CLKS_BITMAP, + .required_pctl = false, + .offload_version = 2, ++ .hash_offset = 2, + .txrx = { + .txd_size = sizeof(struct mtk_tx_dma), + .rxd_size = sizeof(struct mtk_rx_dma), +@@ -4245,6 +4247,7 @@ static const struct mtk_soc_data mt7623_data = { + .required_clks = MT7623_CLKS_BITMAP, + .required_pctl = true, + .offload_version = 2, ++ .hash_offset = 2, + .txrx = { + 
.txd_size = sizeof(struct mtk_tx_dma), + .rxd_size = sizeof(struct mtk_rx_dma), +@@ -4278,6 +4281,7 @@ static const struct mtk_soc_data mt7986_data = { + .caps = MT7986_CAPS, + .required_clks = MT7986_CLKS_BITMAP, + .required_pctl = false, ++ .hash_offset = 4, + .txrx = { + .txd_size = sizeof(struct mtk_tx_dma_v2), + .rxd_size = sizeof(struct mtk_rx_dma_v2), +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +index 511752729f5c..26ed1c8b77c3 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h +@@ -969,6 +969,7 @@ struct mtk_reg_map { + * the target SoC + * @required_pctl A bool value to show whether the SoC requires + * the extra setup for those pins used by GMAC. ++ * @hash_offset Flow table hash offset. + * @txd_size Tx DMA descriptor size. + * @rxd_size Rx DMA descriptor size. + * @rx_irq_done_mask Rx irq done register mask. +@@ -983,6 +984,7 @@ struct mtk_soc_data { + u32 required_clks; + bool required_pctl; + u8 offload_version; ++ u8 hash_offset; + netdev_features_t hw_features; + struct { + u32 txd_size; +diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.c b/drivers/net/ethernet/mediatek/mtk_ppe.c +index 148ea636ef97..6ecac461fd76 100644 +--- a/drivers/net/ethernet/mediatek/mtk_ppe.c ++++ b/drivers/net/ethernet/mediatek/mtk_ppe.c +@@ -88,7 +88,7 @@ static void mtk_ppe_cache_enable(struct mtk_ppe *ppe, bool enable) + enable * MTK_PPE_CACHE_CTL_EN); + } + +-static u32 mtk_ppe_hash_entry(struct mtk_foe_entry *e) ++static u32 mtk_ppe_hash_entry(struct mtk_eth *eth, struct mtk_foe_entry *e) + { + u32 hv1, hv2, hv3; + u32 hash; +@@ -122,7 +122,7 @@ static u32 mtk_ppe_hash_entry(struct mtk_foe_entry *e) + hash = (hash >> 24) | ((hash & 0xffffff) << 8); + hash ^= hv1 ^ hv2 ^ hv3; + hash ^= hash >> 16; +- hash <<= 1; ++ hash <<= (ffs(eth->soc->hash_offset) - 1); + hash &= MTK_PPE_ENTRIES - 1; + + return hash; +@@ -540,15 +540,16 @@ 
mtk_foe_entry_commit_l2(struct mtk_ppe *ppe, struct mtk_flow_entry *entry) + int mtk_foe_entry_commit(struct mtk_ppe *ppe, struct mtk_flow_entry *entry) + { + int type = FIELD_GET(MTK_FOE_IB1_PACKET_TYPE, entry->data.ib1); ++ const struct mtk_soc_data *soc = ppe->eth->soc; + u32 hash; + + if (type == MTK_PPE_PKT_TYPE_BRIDGE) + return mtk_foe_entry_commit_l2(ppe, entry); + +- hash = mtk_ppe_hash_entry(&entry->data); ++ hash = mtk_ppe_hash_entry(ppe->eth, &entry->data); + entry->hash = 0xffff; + spin_lock_bh(&ppe_lock); +- hlist_add_head(&entry->list, &ppe->foe_flow[hash / 2]); ++ hlist_add_head(&entry->list, &ppe->foe_flow[hash / soc->hash_offset]); + spin_unlock_bh(&ppe_lock); + + return 0; +@@ -558,6 +559,7 @@ static void + mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry, + u16 hash) + { ++ const struct mtk_soc_data *soc = ppe->eth->soc; + struct mtk_flow_entry *flow_info; + struct mtk_foe_entry foe, *hwe; + struct mtk_foe_mac_info *l2; +@@ -572,7 +574,8 @@ mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry, + flow_info->l2_data.base_flow = entry; + flow_info->type = MTK_FLOW_TYPE_L2_SUBFLOW; + flow_info->hash = hash; +- hlist_add_head(&flow_info->list, &ppe->foe_flow[hash / 2]); ++ hlist_add_head(&flow_info->list, ++ &ppe->foe_flow[hash / soc->hash_offset]); + hlist_add_head(&flow_info->l2_data.list, &entry->l2_flows); + + hwe = &ppe->foe_table[hash]; +@@ -596,7 +599,8 @@ mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry, + + void __mtk_ppe_check_skb(struct mtk_ppe *ppe, struct sk_buff *skb, u16 hash) + { +- struct hlist_head *head = &ppe->foe_flow[hash / 2]; ++ const struct mtk_soc_data *soc = ppe->eth->soc; ++ struct hlist_head *head = &ppe->foe_flow[hash / soc->hash_offset]; + struct mtk_foe_entry *hwe = &ppe->foe_table[hash]; + struct mtk_flow_entry *entry; + struct mtk_foe_bridge key = {}; +@@ -680,9 +684,11 @@ int mtk_foe_entry_idle_time(struct mtk_ppe *ppe, struct 
mtk_flow_entry *entry) + struct mtk_ppe *mtk_ppe_init(struct mtk_eth *eth, void __iomem *base, + int version) + { ++ const struct mtk_soc_data *soc = eth->soc; + struct device *dev = eth->dev; + struct mtk_foe_entry *foe; + struct mtk_ppe *ppe; ++ u32 foe_flow_size; + + ppe = devm_kzalloc(dev, sizeof(*ppe), GFP_KERNEL); + if (!ppe) +@@ -705,6 +711,12 @@ struct mtk_ppe *mtk_ppe_init(struct mtk_eth *eth, void __iomem *base, + + ppe->foe_table = foe; + ++ foe_flow_size = (MTK_PPE_ENTRIES / soc->hash_offset) * ++ sizeof(*ppe->foe_flow); ++ ppe->foe_flow = devm_kzalloc(dev, foe_flow_size, GFP_KERNEL); ++ if (!ppe->foe_flow) ++ return NULL; ++ + mtk_ppe_debugfs_init(ppe); + + return ppe; +diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.h b/drivers/net/ethernet/mediatek/mtk_ppe.h +index ceb7dfe281de..7a16503690f3 100644 +--- a/drivers/net/ethernet/mediatek/mtk_ppe.h ++++ b/drivers/net/ethernet/mediatek/mtk_ppe.h +@@ -270,7 +270,7 @@ struct mtk_ppe { + dma_addr_t foe_phys; + + u16 foe_check_time[MTK_PPE_ENTRIES]; +- struct hlist_head foe_flow[MTK_PPE_ENTRIES / 2]; ++ struct hlist_head *foe_flow; + + struct rhashtable l2_flows; + +-- +2.35.1 + diff --git a/queue-6.0/net-liquidio-simplify-if-expression.patch b/queue-6.0/net-liquidio-simplify-if-expression.patch new file mode 100644 index 00000000000..5a09da89f8a --- /dev/null +++ b/queue-6.0/net-liquidio-simplify-if-expression.patch 
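Review bot: `soc->hash_offset` is used as a divisor in mtk_ppe_init(), mtk_foe_entry_commit(), mtk_foe_entry_commit_subflow() and __mtk_ppe_check_skb(), and as the `ffs(...) - 1` shift count in mtk_ppe_hash_entry(), yet nothing rejects a zero value. The field is set only in the four `mtk_soc_data` initialisers touched here; any other SoC entry leaves it 0, which would mean a division by zero and a shift by -1 if that SoC ever enables offload. The shift also silently assumes a power of two. A guard at the top of mtk_ppe_init() would fail probe cleanly instead: `if (WARN_ON(!is_power_of_2(soc->hash_offset))) return NULL;`. mtk_ppe_init()'s body extends beyond the hunk, and whether `hash` is bounded against `MTK_PPE_ENTRIES` before it indexes the now heap-allocated `foe_flow` is decided by callers not shown here.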
@@ -0,0 +1,50 @@ +From 321a0d21f20bb1651f164110cfff276422f4feba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 19:34:39 +0200 +Subject: net: liquidio: simplify if expression + +From: Leon Romanovsky + +[ Upstream commit 733d4bbf9514890eb53ebe75827bf1fb4fd25ebe ] + +Fix the warning reported by kbuild: + +cocci warnings: (new ones prefixed by >>) +>> drivers/net/ethernet/cavium/liquidio/lio_main.c:1797:54-56: WARNING !A || A && B is equivalent to !A || B + drivers/net/ethernet/cavium/liquidio/lio_main.c:1827:54-56: WARNING !A || A && B is equivalent to !A || B + +Fixes: 8979f428a4af ("net: liquidio: release resources when liquidio driver open failed") +Reported-by: kernel test robot +Signed-off-by: Leon Romanovsky +Reviewed-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index bf6a72143040..1e5dc0ea0e31 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -1799,7 +1799,7 @@ static int liquidio_open(struct net_device *netdev) + + ifstate_set(lio, LIO_IFSTATE_RUNNING); + +- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) { ++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on) { + ret = setup_tx_poll_fn(netdev); + if (ret) + goto err_poll; +@@ -1829,7 +1829,7 @@ static int liquidio_open(struct net_device *netdev) + return 0; + + err_rx_ctrl: +- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) ++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on) + cleanup_tx_poll_fn(netdev); + err_poll: + if (lio->ptp_clock) { +-- +2.35.1 + 
diff --git a/queue-6.0/net-marvell-prestera-add-missing-unregister_netdev-i.patch b/queue-6.0/net-marvell-prestera-add-missing-unregister_netdev-i.patch new file mode 100644 index 00000000000..75e71f03a20 --- /dev/null +++ b/queue-6.0/net-marvell-prestera-add-missing-unregister_netdev-i.patch @@ -0,0 +1,40 @@ +From b1c19dd1a51c78e28e747637999bd947a52d65fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:10:31 +0800 +Subject: net: marvell: prestera: add missing unregister_netdev() in + prestera_port_create() + +From: Zhang Changzhong + +[ Upstream commit 9a234a2a085ab9fd2be8d0c1eedfcd10f74b97eb ] + +If prestera_port_sfp_bind() fails, unregister_netdev() should be called +in error handling path. + +Compile tested only. + +Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support") +Signed-off-by: Zhang Changzhong +Reviewed-by: Maciej Fijalkowski +Link: https://lore.kernel.org/r/1669115432-36841-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c +index a0ad0bcbf89f..9f588ecba93e 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c +@@ -730,6 +730,7 @@ static int prestera_port_create(struct prestera_switch *sw, u32 id) + return 0; + + err_sfp_bind: ++ unregister_netdev(dev); + err_register_netdev: + prestera_port_list_del(port); + err_port_init: +-- +2.35.1 + diff --git a/queue-6.0/net-mlx4-check-retval-of-mlx4_bitmap_init.patch b/queue-6.0/net-mlx4-check-retval-of-mlx4_bitmap_init.patch new file mode 100644 index 00000000000..6a75fea9c22 --- /dev/null +++ b/queue-6.0/net-mlx4-check-retval-of-mlx4_bitmap_init.patch 
@@ -0,0 +1,43 @@ +From c70bcadfa56c1aaaecf4dd9813c4432922c00228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:28:06 +0300 +Subject: net/mlx4: Check retval of mlx4_bitmap_init + +From: Peter Kosyh + +[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ] + +If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference +the NULL pointer (bitmap->table). + +Make sure, that mlx4_bitmap_alloc_range called in no error case. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering") +Reviewed-by: Tariq Toukan +Signed-off-by: Peter Kosyh +Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c +index b149e601f673..48cfaa7eaf50 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -697,7 +697,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev, + err = mlx4_bitmap_init(*bitmap + k, 1, + MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0, + 0); +- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); ++ if (!err) ++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0); + } + + if (err) +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch b/queue-6.0/net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch new file mode 100644 index 00000000000..ece3b597f0a --- /dev/null +++ b/queue-6.0/net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch 
@@ -0,0 +1,215 @@ +From 03872a04c29b00192985c348156b493fe21d79f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 09:14:03 +0300 +Subject: net/mlx5: cmdif, Print info on any firmware cmd failure to tracepoint + +From: Moshe Shemesh + +[ Upstream commit 870c2481174b839e7159555127bc8b5a5d0699ba ] + +While moving to new CMD API (quiet API), some pre-existing flows may call the new API +function that in case of error, returns the error instead of printing it as previously done. +For such flows we bring back the print but to tracepoint this time for sys admins to +have the ability to check for errors especially for commands using the new quiet API. + +Tracepoint output example: + devlink-1333 [001] ..... 822.746922: mlx5_cmd: ACCESS_REG(0x805) op_mod(0x0) failed, status bad resource(0x5), syndrome (0xb06e1f), err(-22) + +Fixes: f23519e542e5 ("net/mlx5: cmdif, Add new api for command execution") +Signed-off-by: Moshe Shemesh +Reviewed-by: Shay Drory +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 41 +++++++++-------- + .../mellanox/mlx5/core/diag/cmd_tracepoint.h | 45 +++++++++++++++++++ + include/linux/mlx5/driver.h | 1 + + 3 files changed, 68 insertions(+), 19 deletions(-) + create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 2e0d59ca62b5..df3e284ca5c6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -45,6 +45,8 @@ + #include "mlx5_core.h" + #include "lib/eq.h" + #include "lib/tout.h" ++#define CREATE_TRACE_POINTS ++#include "diag/cmd_tracepoint.h" + + enum { + CMD_IF_REV = 5, +@@ -785,27 +787,14 @@ EXPORT_SYMBOL(mlx5_cmd_out_err); + static void cmd_status_print(struct mlx5_core_dev *dev, void *in, void *out) + { + u16 opcode, op_mod; +- u32 
syndrome; +- u8 status; + u16 uid; +- int err; +- +- syndrome = MLX5_GET(mbox_out, out, syndrome); +- status = MLX5_GET(mbox_out, out, status); + + opcode = MLX5_GET(mbox_in, in, opcode); + op_mod = MLX5_GET(mbox_in, in, op_mod); + uid = MLX5_GET(mbox_in, in, uid); + +- err = cmd_status_to_err(status); +- + if (!uid && opcode != MLX5_CMD_OP_DESTROY_MKEY) + mlx5_cmd_out_err(dev, opcode, op_mod, out); +- else +- mlx5_core_dbg(dev, +- "%s(0x%x) op_mod(0x%x) uid(%d) failed, status %s(0x%x), syndrome (0x%x), err(%d)\n", +- mlx5_command_str(opcode), opcode, op_mod, uid, +- cmd_status_str(status), status, syndrome, err); + } + + int mlx5_cmd_check(struct mlx5_core_dev *dev, int err, void *in, void *out) +@@ -1892,6 +1881,16 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out, + return err; + } + ++static void mlx5_cmd_err_trace(struct mlx5_core_dev *dev, u16 opcode, u16 op_mod, void *out) ++{ ++ u32 syndrome = MLX5_GET(mbox_out, out, syndrome); ++ u8 status = MLX5_GET(mbox_out, out, status); ++ ++ trace_mlx5_cmd(mlx5_command_str(opcode), opcode, op_mod, ++ cmd_status_str(status), status, syndrome, ++ cmd_status_to_err(status)); ++} ++ + static void cmd_status_log(struct mlx5_core_dev *dev, u16 opcode, u8 status, + u32 syndrome, int err) + { +@@ -1914,7 +1913,7 @@ static void cmd_status_log(struct mlx5_core_dev *dev, u16 opcode, u8 status, + } + + /* preserve -EREMOTEIO for outbox.status != OK, otherwise return err as is */ +-static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, void *out) ++static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, u16 op_mod, void *out) + { + u32 syndrome = MLX5_GET(mbox_out, out, syndrome); + u8 status = MLX5_GET(mbox_out, out, status); +@@ -1922,8 +1921,10 @@ static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, void * + if (err == -EREMOTEIO) /* -EREMOTEIO is preserved */ + err = -EIO; + +- if (!err && status != MLX5_CMD_STAT_OK) ++ if (!err && 
status != MLX5_CMD_STAT_OK) { + err = -EREMOTEIO; ++ mlx5_cmd_err_trace(dev, opcode, op_mod, out); ++ } + + cmd_status_log(dev, opcode, status, syndrome, err); + return err; +@@ -1951,9 +1952,9 @@ int mlx5_cmd_do(struct mlx5_core_dev *dev, void *in, int in_size, void *out, int + { + int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, false); + u16 opcode = MLX5_GET(mbox_in, in, opcode); ++ u16 op_mod = MLX5_GET(mbox_in, in, op_mod); + +- err = cmd_status_err(dev, err, opcode, out); +- return err; ++ return cmd_status_err(dev, err, opcode, op_mod, out); + } + EXPORT_SYMBOL(mlx5_cmd_do); + +@@ -1997,8 +1998,9 @@ int mlx5_cmd_exec_polling(struct mlx5_core_dev *dev, void *in, int in_size, + { + int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, true); + u16 opcode = MLX5_GET(mbox_in, in, opcode); ++ u16 op_mod = MLX5_GET(mbox_in, in, op_mod); + +- err = cmd_status_err(dev, err, opcode, out); ++ err = cmd_status_err(dev, err, opcode, op_mod, out); + return mlx5_cmd_check(dev, err, in, out); + } + EXPORT_SYMBOL(mlx5_cmd_exec_polling); +@@ -2034,7 +2036,7 @@ static void mlx5_cmd_exec_cb_handler(int status, void *_work) + struct mlx5_async_ctx *ctx; + + ctx = work->ctx; +- status = cmd_status_err(ctx->dev, status, work->opcode, work->out); ++ status = cmd_status_err(ctx->dev, status, work->opcode, work->op_mod, work->out); + work->user_callback(status, work); + if (atomic_dec_and_test(&ctx->num_inflight)) + complete(&ctx->inflight_done); +@@ -2049,6 +2051,7 @@ int mlx5_cmd_exec_cb(struct mlx5_async_ctx *ctx, void *in, int in_size, + work->ctx = ctx; + work->user_callback = callback; + work->opcode = MLX5_GET(mbox_in, in, opcode); ++ work->op_mod = MLX5_GET(mbox_in, in, op_mod); + work->out = out; + if (WARN_ON(!atomic_inc_not_zero(&ctx->num_inflight))) + return -EIO; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h +new file mode 100644 +index 
000000000000..406ebe17405f +--- /dev/null ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h +@@ -0,0 +1,45 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */ ++/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */ ++ ++#undef TRACE_SYSTEM ++#define TRACE_SYSTEM mlx5 ++ ++#if !defined(_MLX5_CMD_TP_H_) || defined(TRACE_HEADER_MULTI_READ) ++#define _MLX5_CMD_TP_H_ ++ ++#include ++#include ++ ++TRACE_EVENT(mlx5_cmd, ++ TP_PROTO(const char *command_str, u16 opcode, u16 op_mod, ++ const char *status_str, u8 status, u32 syndrome, int err), ++ TP_ARGS(command_str, opcode, op_mod, status_str, status, syndrome, err), ++ TP_STRUCT__entry(__string(command_str, command_str) ++ __field(u16, opcode) ++ __field(u16, op_mod) ++ __string(status_str, status_str) ++ __field(u8, status) ++ __field(u32, syndrome) ++ __field(int, err) ++ ), ++ TP_fast_assign(__assign_str(command_str, command_str); ++ __entry->opcode = opcode; ++ __entry->op_mod = op_mod; ++ __assign_str(status_str, status_str); ++ __entry->status = status; ++ __entry->syndrome = syndrome; ++ __entry->err = err; ++ ), ++ TP_printk("%s(0x%x) op_mod(0x%x) failed, status %s(0x%x), syndrome (0x%x), err(%d)", ++ __get_str(command_str), __entry->opcode, __entry->op_mod, ++ __get_str(status_str), __entry->status, __entry->syndrome, ++ __entry->err) ++); ++ ++#endif /* _MLX5_CMD_TP_H_ */ ++ ++#undef TRACE_INCLUDE_PATH ++#define TRACE_INCLUDE_PATH ./diag ++#undef TRACE_INCLUDE_FILE ++#define TRACE_INCLUDE_FILE cmd_tracepoint ++#include +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 454dab40baf6..2d56cfe0911d 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -984,6 +984,7 @@ struct mlx5_async_work { + struct mlx5_async_ctx *ctx; + mlx5_async_cbk_t user_callback; + u16 opcode; /* cmd opcode */ ++ u16 op_mod; /* cmd op_mod */ + void *out; /* pointer to the cmd output buffer */ + }; + +-- +2.35.1 + 
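Review bot: The new `mlx5_cmd` trace event records no device identity: mlx5_cmd_err_trace() takes `dev` but never uses it, and the sample line in the description shows only the command and status. On a host with several mlx5 functions a failed firmware command cannot be attributed to a device from the trace alone, and the `uid` that the removed mlx5_core_dbg() line printed is lost as well. I would pass the device name into the event and print it first. The sketch below shows only the lines that change, and assumes `dev->device` is the underlying struct device, which should be confirmed against the driver header.

```c
/* cmd.c: mlx5_cmd_err_trace() */
	trace_mlx5_cmd(dev_name(dev->device), mlx5_command_str(opcode),
		       opcode, op_mod, cmd_status_str(status), status,
		       syndrome, cmd_status_to_err(status));

/* diag/cmd_tracepoint.h */
TRACE_EVENT(mlx5_cmd,
	    TP_PROTO(const char *devname, const char *command_str, u16 opcode,
		     u16 op_mod, const char *status_str, u8 status,
		     u32 syndrome, int err),
	    TP_ARGS(devname, command_str, opcode, op_mod, status_str, status,
		    syndrome, err),
	    TP_STRUCT__entry(__string(devname, devname)
			     __string(command_str, command_str)
			     /* … unchanged: opcode, op_mod, status_str, status, syndrome, err fields … */
	    ),
	    TP_fast_assign(__assign_str(devname, devname);
			   __assign_str(command_str, command_str);
			   /* … unchanged: remaining assignments … */
	    ),
	    TP_printk("%s: %s(0x%x) op_mod(0x%x) failed, status %s(0x%x), syndrome (0x%x), err(%d)",
		      __get_str(devname), __get_str(command_str),
		      /* … unchanged: remaining arguments … */
		      __entry->err)
);
```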
diff --git a/queue-6.0/net-mlx5-do-not-query-pci-info-while-pci-disabled.patch b/queue-6.0/net-mlx5-do-not-query-pci-info-while-pci-disabled.patch
new file mode 100644
index 00000000000..a44eb6b3c3f
--- /dev/null
+++ b/queue-6.0/net-mlx5-do-not-query-pci-info-while-pci-disabled.patch
@@ -0,0 +1,60 @@ +From 5bb6463b36f7f0d83171dc1db39f3c1334661f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jul 2022 09:49:07 +0300 +Subject: net/mlx5: Do not query pci info while pci disabled + +From: Roy Novich + +[ Upstream commit 394164f9d5a3020a7fd719d228386d48d544ec67 ] + +The driver should not interact with PCI while PCI is disabled. Trying to +do so may result in being unable to get vital signs during PCI reset, +driver gets timed out and fails to recover. + +Fixes: fad1783a6d66 ("net/mlx5: Print more info on pci error handlers") +Signed-off-by: Roy Novich +Reviewed-by: Moshe Shemesh +Reviewed-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index e5e32430b6af..ac178796e484 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1759,7 +1759,8 @@ static pci_ers_result_t mlx5_pci_err_detected(struct pci_dev *pdev, + res = state == pci_channel_io_perm_failure ? + PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET; + +- mlx5_pci_trace(dev, "Exit, result = %d, %s\n", res, result2str(res)); ++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. Exit, result = %d, %s\n", ++ __func__, dev->state, dev->pci_status, res, result2str(res)); + return res; + } + +@@ -1798,7 +1799,8 @@ static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev) + struct mlx5_core_dev *dev = pci_get_drvdata(pdev); + int err; + +- mlx5_pci_trace(dev, "Enter\n"); ++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. 
Enter\n", ++ __func__, dev->state, dev->pci_status); + + err = mlx5_pci_enable_device(dev); + if (err) { +@@ -1820,7 +1822,8 @@ static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev) + + res = PCI_ERS_RESULT_RECOVERED; + out: +- mlx5_pci_trace(dev, "Exit, err = %d, result = %d, %s\n", err, res, result2str(res)); ++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. Exit, err = %d, result = %d, %s\n", ++ __func__, dev->state, dev->pci_status, err, res, result2str(res)); + return res; + } + +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-e-switch-set-correctly-vport-destination.patch b/queue-6.0/net-mlx5-e-switch-set-correctly-vport-destination.patch new file mode 100644 index 00000000000..e572a1248ee --- /dev/null +++ b/queue-6.0/net-mlx5-e-switch-set-correctly-vport-destination.patch 
@@ -0,0 +1,79 @@
+From 2dda68e888d0819c8b8c04955e5ce4bdfcea87bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 11:10:15 +0200
+Subject: net/mlx5: E-Switch, Set correctly vport destination
+
+From: Roi Dayan
+
+[ Upstream commit 6d942e40448931be9371f1ba8cb592778807ce18 ]
+
+The cited commit moved from using reformat_id integer to packet_reformat
+pointer which introduced the possibility to null pointer dereference.
+When setting packet reformat flag and pkt_reformat pointer must
+exists so checking MLX5_ESW_DEST_ENCAP is not enough, we need
+to make sure the pkt_reformat is valid and check for MLX5_ESW_DEST_ENCAP_VALID.
+If the dest encap valid flag does not exists then pkt_reformat can be
+either invalid address or null.
+Also, to make sure we don't try to access invalid pkt_reformat set it to
+null when invalidated and invalidate it before calling add flow code as
+its logically more correct and to be safe.
+
+Fixes: 2b688ea5efde ("net/mlx5: Add flow steering actions to fs_cmd shim layer")
+Signed-off-by: Roi Dayan
+Reviewed-by: Chris Mi
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 10 ++++++----
+ .../net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 +-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 5aff97914367..5b6a79d2034e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -224,15 +224,16 @@ void mlx5e_tc_encap_flows_del(struct mlx5e_priv *priv,
+ list_for_each_entry(flow, flow_list, tmp_list) {
+ if (!mlx5e_is_offloaded_flow(flow) || flow_flag_test(flow, SLOW))
+ continue;
+- spec = &flow->attr->parse_attr->spec;
+-
+- /* update from encap rule to slow path rule */
+- rule = mlx5e_tc_offload_to_slow_path(esw, flow, spec);
+ attr = mlx5e_tc_get_encap_attr(flow);
+ esw_attr = attr->esw_attr;
+ /* mark the flow's encap dest as non-valid */
+ esw_attr->dests[flow->tmp_entry_index].flags &= ~MLX5_ESW_DEST_ENCAP_VALID;
++ esw_attr->dests[flow->tmp_entry_index].pkt_reformat = NULL;
++
++ /* update from encap rule to slow path rule */
++ spec = &flow->attr->parse_attr->spec;
++ rule = mlx5e_tc_offload_to_slow_path(esw, flow, spec);
+
+ if (IS_ERR(rule)) {
+ err = PTR_ERR(rule);
+@@ -251,6 +252,7 @@ void mlx5e_tc_encap_flows_del(struct mlx5e_priv *priv,
+ /* we know that the encap is valid */
+ e->flags &= ~MLX5_ENCAP_ENTRY_VALID;
+ mlx5_packet_reformat_dealloc(priv->mdev, e->pkt_reformat);
++ e->pkt_reformat = NULL;
+ }
+
+ static void mlx5e_take_tmp_flow(struct mlx5e_tc_flow *flow,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 3c68cac4a9c2..061ac8799354 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -431,7 +431,7 @@ esw_setup_vport_dest(struct mlx5_flow_destination *dest, struct mlx5_flow_act *f
+ mlx5_lag_mpesw_is_activated(esw->dev))
+ dest[dest_idx].type = MLX5_FLOW_DESTINATION_TYPE_UPLINK;
+ }
+- if (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP) {
++ if (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP_VALID) {
+ if (pkt_reformat) {
+ flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+ flow_act->pkt_reformat = esw_attr->dests[attr_idx].pkt_reformat;
+--
+2.35.1
+
diff --git a/queue-6.0/net-mlx5-fix-fw-tracer-timestamp-calculation.patch b/queue-6.0/net-mlx5-fix-fw-tracer-timestamp-calculation.patch
new file mode 100644
index 00000000000..5f9d6018bb9
--- /dev/null
+++ b/queue-6.0/net-mlx5-fix-fw-tracer-timestamp-calculation.patch
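Review bot: In esw_setup_vport_dest() the new `MLX5_ESW_DEST_ENCAP_VALID` test is the only guard in front of `flow_act->pkt_reformat = esw_attr->dests[attr_idx].pkt_reformat`, so the fix depends on an invariant that is not written down anywhere in the visible code: the flag is set only while the pointer refers to a live reformat object. mlx5e_tc_encap_flows_del() now upholds it by clearing the flag and the pointer together before the slow-path rule is built, and that is worth stating next to the flag clear, e.g. `/* ENCAP_VALID and pkt_reformat change together: VALID implies a live pkt_reformat */`. The `e->pkt_reformat = NULL` after mlx5_packet_reformat_dealloc() deserves a similar one-line comment that the pointer must not outlive the dealloc. Both functions extend beyond the hunks shown.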
@@ -0,0 +1,38 @@
+From e840186a0281c8ef375548a025b9b8bda254c768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Oct 2022 12:25:59 +0300
+Subject: net/mlx5: Fix FW tracer timestamp calculation
+
+From: Moshe Shemesh
+
+[ Upstream commit 61db3d7b99a367416e489ccf764cc5f9b00d62a1 ]
+
+Fix a bug in calculation of FW tracer timestamp. Decreasing one in the
+calculation should effect only bits 52_7 and not effect bits 6_0 of the
+timestamp, otherwise bits 6_0 are always set in this calculation.
+
+Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
+Signed-off-by: Moshe Shemesh
+Reviewed-by: Feras Daoud
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 978a2bb8e122..21831386b26e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -638,7 +638,7 @@ static void mlx5_tracer_handle_timestamp_trace(struct mlx5_fw_tracer *tracer,
+ trace_timestamp = (timestamp_event.timestamp & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+ else
+- trace_timestamp = ((timestamp_event.timestamp & MASK_52_7) - 1) |
++ trace_timestamp = ((timestamp_event.timestamp - 1) & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+
+ mlx5_tracer_print_trace(str_frmt, dev, trace_timestamp);
+--
+2.35.1
+
diff --git a/queue-6.0/net-mlx5-fix-handling-of-entry-refcount-when-command.patch b/queue-6.0/net-mlx5-fix-handling-of-entry-refcount-when-command.patch
new file mode 100644
index 00000000000..ae0a74b8d91
--- /dev/null
+++ b/queue-6.0/net-mlx5-fix-handling-of-entry-refcount-when-command.patch
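Review bot: `(timestamp_event.timestamp - 1) & MASK_52_7` lowers the 52_7 field only when bits 6_0 of timestamp_event.timestamp are all zero, because the borrow has to pass through the low seven bits first. The old form always stepped that field down by one, with the side effect on bits 6_0 that the commit message describes. If this else branch is still meant to step the upper field back by one unit unconditionally, that is a behaviour change to confirm. If the new behaviour is the intent, a comment such as `/* subtract before masking: bits 52_7 change only when bits 6_0 are zero */` would make it explicit. A timestamp of zero also wraps before the mask is applied, assuming the field is unsigned (its declaration is not in the hunk), and the function body continues outside the hunk.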
@@ -0,0 +1,62 @@
+From 86d068207a06e7badd2c3ec81512735c77800c65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 09:07:20 +0200
+Subject: net/mlx5: Fix handling of entry refcount when command is not issued
+ to FW
+
+From: Moshe Shemesh
+
+[ Upstream commit aaf2e65cac7f2e1ae729c2fbc849091df9699f96 ]
+
+In case command interface is down, or the command is not allowed, driver
+did not increment the entry refcount, but might have decrement as part
+of forced completion handling.
+
+Fix that by always increment and decrement the refcount to make it
+symmetric for all flows.
+
+Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
+Signed-off-by: Eran Ben Elisha
+Signed-off-by: Moshe Shemesh
+Reported-by: Jack Wang
+Tested-by: Jack Wang
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index df3e284ca5c6..74bd05e5dda2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1005,6 +1005,7 @@ static void cmd_work_handler(struct work_struct *work)
+ cmd_ent_get(ent);
+ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
++ cmd_ent_get(ent); /* for the _real_ FW event on completion */
+ /* Skip sending command to fw if internal error */
+ if (mlx5_cmd_is_down(dev) || !opcode_allowed(&dev->cmd, ent->op)) {
+ ent->ret = -ENXIO;
+@@ -1012,7 +1013,6 @@ static void cmd_work_handler(struct work_struct *work)
+ return;
+ }
+
+- cmd_ent_get(ent); /* for the _real_ FW event on completion */
+ /* ring doorbell after the descriptor is valid */
+ mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx);
+ wmb();
+@@ -1661,8 +1661,8 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ cmd_ent_put(ent); /* timeout work was canceled */
+
+ if (!forced || /* Real FW completion */
+- pci_channel_offline(dev->pdev) || /* FW is inaccessible */
+- dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
++ mlx5_cmd_is_down(dev) || /* No real FW completion is expected */
++ !opcode_allowed(cmd, ent->op))
+ cmd_ent_put(ent);
+
+ ent->ts2 = ktime_get_ns();
+--
+2.35.1
+
diff --git a/queue-6.0/net-mlx5-fix-sync-reset-event-handler-error-flow.patch b/queue-6.0/net-mlx5-fix-sync-reset-event-handler-error-flow.patch
new file mode 100644
index 00000000000..2937ba43955
--- /dev/null
+++ b/queue-6.0/net-mlx5-fix-sync-reset-event-handler-error-flow.patch
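Review bot: The comment on the moved `cmd_ent_get(ent)` in cmd_work_handler(), "for the _real_ FW event on completion", no longer describes the reference, because it is now taken on the early-return path too, where the command never reaches FW. The matching put in mlx5_cmd_comp_handler() is decided by `mlx5_cmd_is_down(dev)` and `opcode_allowed(cmd, ent->op)` evaluated at completion time, so the balance relies on a forced completion seeing the same answer the work handler saw. I would reword the comment to something like `/* dropped by the FW completion, or by a forced completion when no FW completion is expected */` and add a sentence in the completion handler naming which get each `cmd_ent_put()` pairs with. A mismatch in either direction is a leaked or prematurely freed command entry, so the pairing is worth making checkable by reading. Both functions continue outside the hunks.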
@@ -0,0 +1,64 @@
+From 7e1c7c716ce90dbf2d4c77791d60c06faa84ee95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Oct 2022 09:03:48 +0300
+Subject: net/mlx5: Fix sync reset event handler error flow
+
+From: Moshe Shemesh
+
+[ Upstream commit e1ad07b9227f9cbaf4bd2b6ec00b84c303657593 ]
+
+When sync reset now event handling fails on mlx5_pci_link_toggle() then
+no reset was done. However, since mlx5_cmd_fast_teardown_hca() was
+already done, the firmware function is closed and the driver is left
+without firmware functionality.
+
+Fix it by setting device error state and reopen the firmware resources.
+Reopening is done by the thread that was called for devlink reload
+fw_activate as it already holds the devlink lock.
+
+Fixes: 5ec697446f46 ("net/mlx5: Add support for devlink reload action fw activate")
+Signed-off-by: Moshe Shemesh
+Reviewed-by: Aya Levin
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index 9d908a0ccfef..1e46f9afa40e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -9,7 +9,8 @@ enum {
+ MLX5_FW_RESET_FLAGS_RESET_REQUESTED,
+ MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST,
+ MLX5_FW_RESET_FLAGS_PENDING_COMP,
+- MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS
++ MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS,
++ MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED
+ };
+
+ struct mlx5_fw_reset {
+@@ -406,7 +407,7 @@ static void mlx5_sync_reset_now_event(struct work_struct *work)
+ err = mlx5_pci_link_toggle(dev);
+ if (err) {
+ mlx5_core_warn(dev, "mlx5_pci_link_toggle failed, no reset done, err %d\n", err);
+- goto done;
++ set_bit(MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED, &fw_reset->reset_flags);
+ }
+
+ mlx5_enter_error_state(dev, true);
+@@ -482,6 +483,10 @@ int mlx5_fw_reset_wait_reset_done(struct mlx5_core_dev *dev)
+ goto out;
+ }
+ err = fw_reset->ret;
++ if (test_and_clear_bit(MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED, &fw_reset->reset_flags)) {
++ mlx5_unload_one_devl_locked(dev);
++ mlx5_load_one_devl_locked(dev, false);
++ }
+ out:
+ clear_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags);
+ return err;
+--
+2.35.1
+
diff --git a/queue-6.0/net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch b/queue-6.0/net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch
new file mode 100644
index 00000000000..95edc6f470c
--- /dev/null
+++ b/queue-6.0/net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch
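Review bot: The result of `mlx5_load_one_devl_locked(dev, false)` in mlx5_fw_reset_wait_reset_done() is discarded, so if the reload fails the caller still gets only `fw_reset->ret` and cannot tell that the device was left unloaded. If that function reports failure through its return value (its prototype is not in the hunk), I would capture it in a local and propagate it when nothing else failed, e.g. `if (load_err && !err) err = load_err;`. The `goto out` just above the added block also bypasses the `test_and_clear_bit()`, so on that path RELOAD_REQUIRED appears to stay set for a later call; whether that is intended deserves a comment. In mlx5_sync_reset_now_event() the link-toggle failure no longer jumps to `done`, so it is worth checking that `err` is not overwritten by the code that now runs after it, which is outside the hunk.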
@@ -0,0 +1,173 @@
+From eebe589567154bca6359d245da694b5a94532ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Aug 2022 12:38:41 +0300
+Subject: net/mlx5: SF: Fix probing active SFs during driver probe phase
+
+From: Shay Drory
+
+[ Upstream commit 4f57332d6a551185ba729617f04455e83fbe4e41 ]
+
+When SF devices and SF port representors are located on different
+functions, unloading and reloading of SF parent driver doesn't recreate
+the existing SF present in the device.
+Fix it by querying SFs and probe active SFs during driver probe phase.
+
+Fixes: 90d010b8634b ("net/mlx5: SF, Add auxiliary device support")
+Signed-off-by: Shay Drory
+Reviewed-by: Parav Pandit
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ .../ethernet/mellanox/mlx5/core/sf/dev/dev.c | 88 +++++++++++++++++++
+ 1 file changed, 88 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+index 7da012ff0d41..8e2abbab05f0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+@@ -18,6 +18,10 @@ struct mlx5_sf_dev_table {
+ phys_addr_t base_address;
+ u64 sf_bar_length;
+ struct notifier_block nb;
++ struct mutex table_lock; /* Serializes sf life cycle and vhca state change handler */
++ struct workqueue_struct *active_wq;
++ struct work_struct work;
++ u8 stop_active_wq:1;
+ struct mlx5_core_dev *dev;
+ };
+
+@@ -168,6 +172,7 @@ mlx5_sf_dev_state_change_handler(struct notifier_block *nb, unsigned long event_
+ return 0;
+
+ sf_index = event->function_id - base_id;
++ mutex_lock(&table->table_lock);
+ sf_dev = xa_load(&table->devices, sf_index);
+ switch (event->new_vhca_state) {
+ case MLX5_VHCA_STATE_INVALID:
+@@ -191,6 +196,7 @@ mlx5_sf_dev_state_change_handler(struct notifier_block *nb, unsigned long event_
+ default:
+ break;
+ }
++ mutex_unlock(&table->table_lock);
+ return 0;
+ }
+
+@@ -215,6 +221,78 @@ static int mlx5_sf_dev_vhca_arm_all(struct mlx5_sf_dev_table *table)
+ return 0;
+ }
+
++static void mlx5_sf_dev_add_active_work(struct work_struct *work)
++{
++ struct mlx5_sf_dev_table *table = container_of(work, struct mlx5_sf_dev_table, work);
++ u32 out[MLX5_ST_SZ_DW(query_vhca_state_out)] = {};
++ struct mlx5_core_dev *dev = table->dev;
++ u16 max_functions;
++ u16 function_id;
++ u16 sw_func_id;
++ int err = 0;
++ u8 state;
++ int i;
++
++ max_functions = mlx5_sf_max_functions(dev);
++ function_id = MLX5_CAP_GEN(dev, sf_base_id);
++ for (i = 0; i < max_functions; i++, function_id++) {
++ if (table->stop_active_wq)
++ return;
++ err = mlx5_cmd_query_vhca_state(dev, function_id, out, sizeof(out));
++ if (err)
++ /* A failure of specific vhca doesn't mean others will
++ * fail as well.
++ */
++ continue;
++ state = MLX5_GET(query_vhca_state_out, out, vhca_state_context.vhca_state);
++ if (state != MLX5_VHCA_STATE_ACTIVE)
++ continue;
++
++ sw_func_id = MLX5_GET(query_vhca_state_out, out, vhca_state_context.sw_function_id);
++ mutex_lock(&table->table_lock);
++ /* Don't probe device which is already probe */
++ if (!xa_load(&table->devices, i))
++ mlx5_sf_dev_add(dev, i, function_id, sw_func_id);
++ /* There is a race where SF got inactive after the query
++ * above. e.g.: the query returns that the state of the
++ * SF is active, and after that the eswitch manager set it to
++ * inactive.
++ * This case cannot be managed in SW, since the probing of the
++ * SF is on one system, and the inactivation is on a different
++ * system.
++ * If the inactive is done after the SF perform init_hca(),
++ * the SF will fully probe and then removed. If it was
++ * done before init_hca(), the SF probe will fail.
++ */
++ mutex_unlock(&table->table_lock);
++ }
++}
++
++/* In case SFs are generated externally, probe active SFs */
++static int mlx5_sf_dev_queue_active_work(struct mlx5_sf_dev_table *table)
++{
++ if (MLX5_CAP_GEN(table->dev, eswitch_manager))
++ return 0; /* the table is local */
++
++ /* Use a workqueue to probe active SFs, which are in large
++ * quantity and may take up to minutes to probe.
++ */
++ table->active_wq = create_singlethread_workqueue("mlx5_active_sf");
++ if (!table->active_wq)
++ return -ENOMEM;
++ INIT_WORK(&table->work, &mlx5_sf_dev_add_active_work);
++ queue_work(table->active_wq, &table->work);
++ return 0;
++}
++
++static void mlx5_sf_dev_destroy_active_work(struct mlx5_sf_dev_table *table)
++{
++ if (table->active_wq) {
++ table->stop_active_wq = true;
++ destroy_workqueue(table->active_wq);
++ }
++}
++
+ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_sf_dev_table *table;
+@@ -240,11 +318,17 @@ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ table->base_address = pci_resource_start(dev->pdev, 2);
+ table->max_sfs = max_sfs;
+ xa_init(&table->devices);
++ mutex_init(&table->table_lock);
+ dev->priv.sf_dev_table = table;
+
+ err = mlx5_vhca_event_notifier_register(dev, &table->nb);
+ if (err)
+ goto vhca_err;
++
++ err = mlx5_sf_dev_queue_active_work(table);
++ if (err)
++ goto add_active_err;
++
+ err = mlx5_sf_dev_vhca_arm_all(table);
+ if (err)
+ goto arm_err;
+@@ -252,6 +336,8 @@ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ return;
+
+ arm_err:
++ mlx5_sf_dev_destroy_active_work(table);
++add_active_err:
+ mlx5_vhca_event_notifier_unregister(dev, &table->nb);
+ vhca_err:
+ table->max_sfs = 0;
+@@ -279,7 +365,9 @@ void mlx5_sf_dev_table_destroy(struct mlx5_core_dev *dev)
+ if (!table)
+ return;
+
++ mlx5_sf_dev_destroy_active_work(table);
+ mlx5_vhca_event_notifier_unregister(dev, &table->nb);
++ mutex_destroy(&table->table_lock);
+
+ /* Now that event handler is not running, it is safe to destroy
+ * the sf device without race.
+--
+2.35.1
+
diff --git a/queue-6.0/net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch b/queue-6.0/net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch
new file mode 100644
index 00000000000..89f07b9691d
--- /dev/null
+++ b/queue-6.0/net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch
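Review bot: `stop_active_wq` is written in mlx5_sf_dev_destroy_active_work() and read in the loop of mlx5_sf_dev_add_active_work() with no lock or annotation, and as a `u8 ...:1` bitfield it cannot be wrapped in READ_ONCE()/WRITE_ONCE(). The worker only uses it to stop early, so a late read costs time rather than correctness (destroy_workqueue() still waits for the work), but the cross-thread access should be explicit. I would declare it `bool stop_active_wq;`, set it with `WRITE_ONCE(table->stop_active_wq, true);` and test it with `if (READ_ONCE(table->stop_active_wq))`. The `table_lock` field comment could also say that the lock now covers the active-SF worker as well as the state change handler, since both take it around `xa_load(&table->devices, ...)`.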
@@ -0,0 +1,148 @@
+From 5e25da545fee2753d618391ccfe3afade0fa4144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 07:45:45 +0200
+Subject: net/mlx5e: Offload rule only when all encaps are valid
+
+From: Chris Mi
+
+[ Upstream commit f377422044b2093c835e5f3717f8c8c58da1db1f ]
+
+The cited commit adds a for loop to support multiple encapsulations.
+But it only checks if the last encap is valid.
+
+Fix it by setting slow path flag when one of the encap is invalid.
+
+Fixes: f493f15534ec ("net/mlx5e: Move flow attr reformat action bit to per dest flags")
+Signed-off-by: Chris Mi
+Reviewed-by: Roi Dayan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ .../mellanox/mlx5/core/en/tc_tun_encap.c | 6 ++----
+ .../mellanox/mlx5/core/en/tc_tun_encap.h | 3 +--
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 17 ++++++-----------
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 5b6a79d2034e..ff73d25bc6eb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -764,8 +764,7 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ struct net_device *mirred_dev,
+ int out_index,
+ struct netlink_ext_ack *extack,
+- struct net_device **encap_dev,
+- bool *encap_valid)
++ struct net_device **encap_dev)
+ {
+ struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+@@ -880,9 +879,8 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ if (e->flags & MLX5_ENCAP_ENTRY_VALID) {
+ attr->esw_attr->dests[out_index].pkt_reformat = e->pkt_reformat;
+ attr->esw_attr->dests[out_index].flags |= MLX5_ESW_DEST_ENCAP_VALID;
+- *encap_valid = true;
+ } else {
+- *encap_valid = false;
++ flow_flag_set(flow, SLOW);
+ }
+ mutex_unlock(&esw->offloads.encap_tbl_lock);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
+index d542b8476491..8ad273dde40e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
+@@ -17,8 +17,7 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ struct net_device *mirred_dev,
+ int out_index,
+ struct netlink_ext_ack *extack,
+- struct net_device **encap_dev,
+- bool *encap_valid);
++ struct net_device **encap_dev);
+
+ int mlx5e_attach_decap(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow *flow,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 229c14b1af00..949ef560df78 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1620,7 +1620,6 @@ set_encap_dests(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow *flow,
+ struct mlx5_flow_attr *attr,
+ struct netlink_ext_ack *extack,
+- bool *encap_valid,
+ bool *vf_tun)
+ {
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+@@ -1637,7 +1636,6 @@ set_encap_dests(struct mlx5e_priv *priv,
+ parse_attr = attr->parse_attr;
+ esw_attr = attr->esw_attr;
+ *vf_tun = false;
+- *encap_valid = true;
+
+ for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) {
+ struct net_device *out_dev;
+@@ -1654,7 +1652,7 @@ set_encap_dests(struct mlx5e_priv *priv,
+ goto out;
+ }
+ err = mlx5e_attach_encap(priv, flow, attr, out_dev, out_index,
+- extack, &encap_dev, encap_valid);
++ extack, &encap_dev);
+ dev_put(out_dev);
+ if (err)
+ goto out;
+@@ -1718,8 +1716,8 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+ struct mlx5_flow_attr *attr = flow->attr;
+ struct mlx5_esw_flow_attr *esw_attr;
+- bool vf_tun, encap_valid;
+ u32 max_prio, max_chain;
++ bool vf_tun;
+ int err = 0;
+
+ parse_attr = attr->parse_attr;
+@@ -1809,7 +1807,7 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ esw_attr->int_port = int_port;
+ }
+
+- err = set_encap_dests(priv, flow, attr, extack, &encap_valid, &vf_tun);
++ err = set_encap_dests(priv, flow, attr, extack, &vf_tun);
+ if (err)
+ goto err_out;
+
+@@ -1839,7 +1837,7 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ * (1) there's no error
+ * (2) there's an encap action and we don't have valid neigh
+ */
+- if (!encap_valid || flow_flag_test(flow, SLOW))
++ if (flow_flag_test(flow, SLOW))
+ flow->rule[0] = mlx5e_tc_offload_to_slow_path(esw, flow, &parse_attr->spec);
+ else
+ flow->rule[0] = mlx5e_tc_offload_fdb_rules(esw, flow, &parse_attr->spec, attr);
+@@ -3737,7 +3735,7 @@ alloc_flow_post_acts(struct mlx5e_tc_flow *flow, struct netlink_ext_ack *extack)
+ struct mlx5e_post_act *post_act = get_post_action(flow->priv);
+ struct mlx5_flow_attr *attr, *next_attr = NULL;
+ struct mlx5e_post_act_handle *handle;
+- bool vf_tun, encap_valid = true;
++ bool vf_tun;
+ int err;
+
+ /* This is going in reverse order as needed.
+@@ -3759,13 +3757,10 @@ alloc_flow_post_acts(struct mlx5e_tc_flow *flow, struct netlink_ext_ack *extack)
+ if (list_is_last(&attr->list, &flow->attrs))
+ break;
+
+- err = set_encap_dests(flow->priv, flow, attr, extack, &encap_valid, &vf_tun);
++ err = set_encap_dests(flow->priv, flow, attr, extack, &vf_tun);
+ if (err)
+ goto out_free;
+
+- if (!encap_valid)
+- flow_flag_set(flow, SLOW);
+-
+ err = actions_prepare_mod_hdr_actions(flow->priv, flow, attr, extack);
+ if (err)
+ goto out_free;
+--
+2.35.1
+
diff --git a/queue-6.0/net-mvpp2-fix-possible-invalid-pointer-dereference.patch b/queue-6.0/net-mvpp2-fix-possible-invalid-pointer-dereference.patch
new file mode 100644
index 00000000000..d04d8615da0
--- /dev/null
+++ b/queue-6.0/net-mvpp2-fix-possible-invalid-pointer-dereference.patch
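Review bot: mlx5e_attach_encap() now changes flow state as a side effect, `flow_flag_set(flow, SLOW)` in the else branch, where it used to report validity through the removed `encap_valid` out-parameter, and nothing at the call sites shows that any more. A comment on that branch such as `/* no valid encap entry yet: the whole flow goes to the slow path, even if other dests are valid */` would record the rule the fix introduces. The prototype in tc_tun_encap.h would benefit from a line saying the function may set the SLOW flag on `flow`. The flag is set before the function's later error exits, so it is worth confirming that a flow which fails after this point is not treated as already on the slow path during teardown; that code is outside the hunks. The existing "(2) there's an encap action and we don't have valid neigh" comment in mlx5e_tc_add_fdb_flow() could point at where the flag is now set.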
@@ -0,0 +1,51 @@
+From 0a4159b014052763351d29204f4583893185e041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 16:40:32 +0800
+Subject: net: mvpp2: fix possible invalid pointer dereference
+
+From: Hui Tang
+
+[ Upstream commit cbe867685386af1f0a2648f5279f6e4c74bfd17f ]
+
+It will cause invalid pointer dereference to priv->cm3_base behind,
+if PTR_ERR(priv->cm3_base) in mvpp2_get_sram().
+
+Fixes: e54ad1e01c00 ("net: mvpp2: add CM3 SRAM memory map")
+Signed-off-by: Hui Tang
+Link: https://lore.kernel.org/r/20221117084032.101144-1-tanghui20@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index eaa51cd7456b..8f86be995092 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -7352,6 +7352,7 @@ static int mvpp2_get_sram(struct platform_device *pdev,
+ struct mvpp2 *priv)
+ {
+ struct resource *res;
++ void __iomem *base;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+ if (!res) {
+@@ -7362,9 +7363,12 @@ static int mvpp2_get_sram(struct platform_device *pdev,
+ return 0;
+ }
+
+- priv->cm3_base = devm_ioremap_resource(&pdev->dev, res);
++ base = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(base))
++ return PTR_ERR(base);
+
+- return PTR_ERR_OR_ZERO(priv->cm3_base);
++ priv->cm3_base = base;
++ return 0;
+ }
+
+ static int mvpp2_probe(struct platform_device *pdev)
+--
+2.35.1
+
diff --git a/queue-6.0/net-neigh-decrement-the-family-specific-qlen.patch b/queue-6.0/net-neigh-decrement-the-family-specific-qlen.patch
new file mode 100644
index 00000000000..eb911ea3e31
--- /dev/null
+++ b/queue-6.0/net-neigh-decrement-the-family-specific-qlen.patch
@@ -0,0 +1,171 @@
+From c26d17d65872f3c6aa61e7094f72ba797cff2454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 23:09:41 +0100
+Subject: net: neigh: decrement the family specific qlen
+
+From: Thomas Zeitlhofer
+
+[ Upstream commit 8207f253a097fe15c93d85ac15ebb73c5e39e1e1 ]
+
+Commit 0ff4eb3d5ebb ("neighbour: make proxy_queue.qlen limit
+per-device") introduced the length counter qlen in struct neigh_parms.
+There are separate neigh_parms instances for IPv4/ARP and IPv6/ND, and
+while the family specific qlen is incremented in pneigh_enqueue(), the
+mentioned commit decrements always the IPv4/ARP specific qlen,
+regardless of the currently processed family, in pneigh_queue_purge()
+and neigh_proxy_process().
+
+As a result, with IPv6/ND, the family specific qlen is only incremented
+(and never decremented) until it exceeds PROXY_QLEN, and then, according
+to the check in pneigh_enqueue(), neighbor solicitations are not
+answered anymore. As an example, this is noted when using the
+subnet-router anycast address to access a Linux router. After a certain
+amount of time (in the observed case, qlen exceeded PROXY_QLEN after two
+days), the Linux router stops answering neighbor solicitations for its
+subnet-router anycast address and effectively becomes unreachable.
+
+Another result with IPv6/ND is that the IPv4/ARP specific qlen is
+decremented more often than incremented. This leads to negative qlen
+values, as a signed integer has been used for the length counter qlen,
+and potentially to an integer overflow.
+
+Fix this by introducing the helper function neigh_parms_qlen_dec(),
+which decrements the family specific qlen. Thereby, make use of the
+existing helper function neigh_get_dev_parms_rcu(), whose definition
+therefore needs to be placed earlier in neighbour.c. Take the family
+member from struct neigh_table to determine the currently processed
+family and appropriately call neigh_parms_qlen_dec() from
+pneigh_queue_purge() and neigh_proxy_process().
+
+Additionally, use an unsigned integer for the length counter qlen.
+
+Fixes: 0ff4eb3d5ebb ("neighbour: make proxy_queue.qlen limit per-device")
+Signed-off-by: Thomas Zeitlhofer
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/neighbour.h | 2 +-
+ net/core/neighbour.c | 58 +++++++++++++++++++++--------------------
+ 2 files changed, 31 insertions(+), 29 deletions(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 3827a6b395fd..bce6b228cf56 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -83,7 +83,7 @@ struct neigh_parms {
+ struct rcu_head rcu_head;
+
+ int reachable_time;
+- int qlen;
++ u32 qlen;
+ int data[NEIGH_VAR_DATA_MAX];
+ DECLARE_BITMAP(data_state, NEIGH_VAR_DATA_MAX);
+ };
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 84755db81e9d..35f5a3125808 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -307,7 +307,31 @@ static int neigh_del_timer(struct neighbour *n)
+ return 0;
+ }
+
+-static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
++static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
++ int family)
++{
++ switch (family) {
++ case AF_INET:
++ return __in_dev_arp_parms_get_rcu(dev);
++ case AF_INET6:
++ return __in6_dev_nd_parms_get_rcu(dev);
++ }
++ return NULL;
++}
++
++static void neigh_parms_qlen_dec(struct net_device *dev, int family)
++{
++ struct neigh_parms *p;
++
++ rcu_read_lock();
++ p = neigh_get_dev_parms_rcu(dev, family);
++ if (p)
++ p->qlen--;
++ rcu_read_unlock();
++}
++
++static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net,
++ int family)
+ {
+ struct sk_buff_head tmp;
+ unsigned long flags;
+@@ -321,13 +345,7 @@ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ struct net_device *dev = skb->dev;
+
+ if (net == NULL || net_eq(dev_net(dev), net)) {
+- struct in_device *in_dev;
+-
+- rcu_read_lock();
+- in_dev = __in_dev_get_rcu(dev);
+- if (in_dev)
+- in_dev->arp_parms->qlen--;
+- rcu_read_unlock();
++ neigh_parms_qlen_dec(dev, family);
+ __skb_unlink(skb, list);
+ __skb_queue_tail(&tmp, skb);
+ }
+@@ -409,7 +427,8 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev, skip_perm);
+ pneigh_ifdown_and_unlock(tbl, dev);
+- pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL);
++ pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
++ tbl->family);
+ if (skb_queue_empty_lockless(&tbl->proxy_queue))
+ del_timer_sync(&tbl->proxy_timer);
+ return 0;
+@@ -1621,13 +1640,8 @@ static void neigh_proxy_process(struct timer_list *t)
+
+ if (tdif <= 0) {
+ struct net_device *dev = skb->dev;
+- struct in_device *in_dev;
+
+- rcu_read_lock();
+- in_dev = __in_dev_get_rcu(dev);
+- if (in_dev)
+- in_dev->arp_parms->qlen--;
+- rcu_read_unlock();
++ neigh_parms_qlen_dec(dev, tbl->family);
+ __skb_unlink(skb, &tbl->proxy_queue);
+
+ if (tbl->proxy_redo && netif_running(dev)) {
+@@ -1821,7 +1835,7 @@ int neigh_table_clear(int index, struct neigh_table *tbl)
+ cancel_delayed_work_sync(&tbl->managed_work);
+ cancel_delayed_work_sync(&tbl->gc_work);
+ del_timer_sync(&tbl->proxy_timer);
+- pneigh_queue_purge(&tbl->proxy_queue, NULL);
++ pneigh_queue_purge(&tbl->proxy_queue, NULL, tbl->family);
+ neigh_ifdown(tbl, NULL);
+ if (atomic_read(&tbl->entries))
+ pr_crit("neighbour leakage\n");
+@@ -3542,18 +3556,6 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
+ return ret;
+ }
+
+-static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
+- int family)
+-{
+- switch (family) {
+- case AF_INET:
+- return __in_dev_arp_parms_get_rcu(dev);
+- case AF_INET6:
+- return __in6_dev_nd_parms_get_rcu(dev);
+- }
+- return NULL;
+-}
+-
+ static void neigh_copy_dflt_parms(struct net *net, struct neigh_parms *p,
+ int index)
+ {
+--
+2.35.1
+
diff --git a/queue-6.0/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch b/queue-6.0/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
new file mode 100644
index 00000000000..4a6ff08e25b
--- /dev/null
+++ b/queue-6.0/net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
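Review bot: With `qlen` changed to `u32`, an unmatched `p->qlen--` in neigh_parms_qlen_dec() no longer goes negative but wraps to a very large value. The commit message says pneigh_enqueue() compares qlen against PROXY_QLEN, so one stray decrement would stop proxy replies for that device just as the original bug did. Since the helper is now the single place where the counter goes down, I would guard it there, `if (p && !WARN_ON_ONCE(!p->qlen)) p->qlen--;`, so an accounting mismatch is reported instead of silently disabling the queue. The decrement is a plain read-modify-write under rcu_read_lock() only, so a short comment stating which lock serialises it against the increment would help; the callers' locking is not fully visible in these hunks. neigh_get_dev_parms_rcu() has no `default:` case and falls through to `return NULL`, which is fine but worth a one-line comment now that a second caller depends on it.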
@@ -0,0 +1,60 @@ +From c5ec43f7a3e4f4e532f31b80347d908a05ae70cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 21:51:48 +0800 +Subject: net: pch_gbe: fix pci device refcount leak while module exiting + +From: Yang Yingliang + +[ Upstream commit 5619537284f1017e9f6c7500b02b859b3830a06d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). + +In pch_gbe_probe(), pci_get_domain_bus_and_slot() is called, +so in error path in probe() and remove() function, pci_dev_put() +should be called to avoid refcount leak. Compile tested only. + +Fixes: 1a0bdadb4e36 ("net/pch_gbe: supports eg20t ptp clock") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221117135148.301014-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 98792907a4c3..63b6b7d86ccb 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -2460,6 +2460,7 @@ static void pch_gbe_remove(struct pci_dev *pdev) + unregister_netdev(netdev); + + pch_gbe_phy_hw_reset(&adapter->hw); ++ pci_dev_put(adapter->ptp_pdev); + + free_netdev(netdev); + } +@@ -2535,7 +2536,7 @@ static int pch_gbe_probe(struct pci_dev *pdev, + /* setup the private structure */ + ret = pch_gbe_sw_init(adapter); + if (ret) +- goto err_free_netdev; ++ goto err_put_dev; + + /* Initialize PHY */ + ret = pch_gbe_init_phy(adapter); +@@ -2593,6 +2594,8 @@ static int pch_gbe_probe(struct pci_dev *pdev, + + err_free_adapter: + pch_gbe_phy_hw_reset(&adapter->hw); ++err_put_dev: ++ pci_dev_put(adapter->ptp_pdev); + 
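Review bot: The added `pci_dev_put(adapter->ptp_pdev);` in pch_gbe_remove(), and again under the new `err_put_dev:` label in pch_gbe_probe(), does not say which lookup it balances, and that lookup is outside all three hunks. A comment such as `/* drop the ref taken by pci_get_domain_bus_and_slot() in probe; a NULL ptp_pdev is fine */` would record the pairing. It would also note that pci_dev_put() accepts NULL, which matters if the lookup can fail and because the commit message says the change was compile-tested only. Both functions start outside their hunks, and the last lines of the `err_put_dev` hunk sit on the next physical line.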
err_free_netdev: + free_netdev(netdev); + return ret; +-- +2.35.1 + diff --git a/queue-6.0/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch b/queue-6.0/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch new file mode 100644 index 00000000000..998cc9760cb --- /dev/null +++ b/queue-6.0/net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch @@ -0,0 +1,38 @@ +From 0ebba388f1ab3fac28a3a99366c8801c02b6b2a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:55:27 +0800 +Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() + +From: Wang Hai + +[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ] + +In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether +pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue() +needs to free skb before returning. But pch_gbe_tx_queue() returns without +freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any() +to fix it. + +Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH") +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 46da937ad27f..98792907a4c3 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -1143,6 +1143,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter, + buffer_info->dma = 0; + buffer_info->time_stamp = 0; + tx_ring->next_to_use = ring_num; ++ dev_kfree_skb_any(skb); + return; + } + buffer_info->mapped = true; +-- +2.35.1 + diff --git a/queue-6.0/net-phy-at803x-fix-error-return-code-in-at803x_probe.patch b/queue-6.0/net-phy-at803x-fix-error-return-code-in-at803x_probe.patch new file mode 100644 index 00000000000..722fb7f943c --- /dev/null 
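Review bot: The DMA-mapping failure branch of pch_gbe_tx_queue() now frees the skb but still returns without counting the drop, so a run of mapping failures stays invisible in the interface statistics. Consider bumping the drop counter next to the new free, e.g. `adapter->netdev->stats.tx_dropped++;` (this assumes the adapter keeps its net_device pointer in `netdev`, which the hunk does not show). The same applies to the `dev_kfree_skb_any(skb);` added to the invalid-segment-count branch of ql3xxx_send() in qla3xxx.c, where `ndev->stats.tx_dropped++;` would do. Both function bodies extend beyond their hunks.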
+++ b/queue-6.0/net-phy-at803x-fix-error-return-code-in-at803x_probe.patch
@@ -0,0 +1,41 @@
+From 6a435eca6e713eb787fb747672607f1d506c7e41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 10:36:35 +0000
+Subject: net: phy: at803x: fix error return code in at803x_probe()
+
+From: Wei Yongjun
+
+[ Upstream commit 1f0dd412e34e177621769866bef347f0b22364df ]
+
+Fix to return a negative error code from the ccr read error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 3265f4218878 ("net: phy: at803x: add fiber support")
+Signed-off-by: Wei Yongjun
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20221118103635.254256-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/at803x.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c
+index 59fe356942b5..249e7ee4a2bb 100644
+--- a/drivers/net/phy/at803x.c
++++ b/drivers/net/phy/at803x.c
+@@ -862,8 +862,10 @@ static int at803x_probe(struct phy_device *phydev)
+ .wolopts = 0,
+ };
+
+- if (ccr < 0)
++ if (ccr < 0) {
++ ret = ccr;
+ goto err;
++ }
+ mode_cfg = ccr & AT803X_MODE_CFG_MASK;
+
+ switch (mode_cfg) {
+--
+2.35.1
+
diff --git a/queue-6.0/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch b/queue-6.0/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
new file mode 100644
index 00000000000..df917c09456
--- /dev/null
+++ b/queue-6.0/net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
@@ -0,0 +1,36 @@
+From 3c44ca99934207f7ac2d559d8c1a84223f1fadcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 16:50:38 +0800
+Subject: net/qla3xxx: fix potential memleak in ql3xxx_send()
+
+From: Zhang Changzhong
+
+[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ]
+
+The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error
+handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.")
+Signed-off-by: Zhang Changzhong
+Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 06f4d9a9e938..5a2d70a91868 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2471,6 +2471,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb,
+ skb_shinfo(skb)->nr_frags);
+ if (tx_cb->seg_count == -1) {
+ netdev_err(ndev, "%s: invalid segment count!\n", __func__);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/net-sched-allow-act_ct-to-be-built-without-nf_nat.patch b/queue-6.0/net-sched-allow-act_ct-to-be-built-without-nf_nat.patch
new file mode 100644
index 00000000000..034269555d8
--- /dev/null
+++ b/queue-6.0/net-sched-allow-act_ct-to-be-built-without-nf_nat.patch
@@ -0,0 +1,40 @@
+From e773288f8d7d8d4143f564eb1d83ab0006a66108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 16:33:03 -0500
+Subject: net: sched: allow act_ct to be built without NF_NAT
+
+From: Xin Long
+
+[ Upstream commit 8427fd100c7b7793650e212a81e42f1cf124613d ]
+
+In commit f11fe1dae1c4 ("net/sched: Make NET_ACT_CT depends on NF_NAT"),
+it fixed the build failure when NF_NAT is m and NET_ACT_CT is y by
+adding depends on NF_NAT for NET_ACT_CT. However, it would also cause
+NET_ACT_CT cannot be built without NF_NAT, which is not expected. This
+patch fixes it by changing to use "(!NF_NAT || NF_NAT)" as the depend.
+
+Fixes: f11fe1dae1c4 ("net/sched: Make NET_ACT_CT depends on NF_NAT")
+Signed-off-by: Xin Long
+Link: https://lore.kernel.org/r/b6386f28d1ba34721795fb776a91cbdabb203447.1668807183.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/Kconfig b/net/sched/Kconfig
+index 1e8ab4749c6c..4662a6ce8a7e 100644
+--- a/net/sched/Kconfig
++++ b/net/sched/Kconfig
+@@ -976,7 +976,7 @@ config NET_ACT_TUNNEL_KEY
+
+ config NET_ACT_CT
+ tristate "connection tracking tc action"
+- depends on NET_CLS_ACT && NF_CONNTRACK && NF_NAT && NF_FLOW_TABLE
++ depends on NET_CLS_ACT && NF_CONNTRACK && (!NF_NAT || NF_NAT) && NF_FLOW_TABLE
+ help
+ Say Y here to allow sending the packets to conntrack module.
+
+--
+2.35.1
+
diff --git a/queue-6.0/net-sparx5-fix-error-handling-in-sparx5_port_open.patch b/queue-6.0/net-sparx5-fix-error-handling-in-sparx5_port_open.patch
new file mode 100644
index 00000000000..3a058fa63b8
--- /dev/null
+++ b/queue-6.0/net-sparx5-fix-error-handling-in-sparx5_port_open.patch
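Review bot: The new dependency `(!NF_NAT || NF_NAT)` on NET_ACT_CT reads like a tautology, so a later cleanup could easily delete it and bring back the NF_NAT=m / NET_ACT_CT=y build failure the commit message describes. In Kconfig's tristate logic the term evaluates to `m` when NF_NAT=m and to `y` otherwise, so it only limits NET_ACT_CT to a module when NF_NAT is itself a module. A comment above the line would keep that intent visible, for example `# NF_NAT=m caps this at m; NF_NAT=n or y adds no limit`.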
@@ -0,0 +1,63 @@
+From 0dd115e3f4730e3e1c5c06e087f19999b333b609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 20:59:18 +0800
+Subject: net: sparx5: fix error handling in sparx5_port_open()
+
+From: Liu Jian
+
+[ Upstream commit 4305fe232b8aa59af3761adc9fe6b6aa40913960 ]
+
+If phylink_of_phy_connect() fails, the port should be disabled.
+If sparx5_serdes_set()/phy_power_on() fails, the port should be
+disabled and the phylink should be stopped and disconnected.
+
+Fixes: 946e7fd5053a ("net: sparx5: add port module support")
+Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support")
+Signed-off-by: Liu Jian
+Tested-by: Bjarni Jonasson
+Reviewed-by: Steen Hegelund
+Link: https://lore.kernel.org/r/20221117125918.203997-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/microchip/sparx5/sparx5_netdev.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
+index af4d3e1f1a6d..3f112a897a60 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
+@@ -103,7 +103,7 @@ static int sparx5_port_open(struct net_device *ndev)
+ err = phylink_of_phy_connect(port->phylink, port->of_node, 0);
+ if (err) {
+ netdev_err(ndev, "Could not attach to PHY\n");
+- return err;
++ goto err_connect;
+ }
+
+ phylink_start(port->phylink);
+@@ -115,10 +115,20 @@ static int sparx5_port_open(struct net_device *ndev)
+ err = sparx5_serdes_set(port->sparx5, port, &port->conf);
+ else
+ err = phy_power_on(port->serdes);
+- if (err)
++ if (err) {
+ netdev_err(ndev, "%s failed\n", __func__);
++ goto out_power;
++ }
+ }
+
++ return 0;
++
++out_power:
++ phylink_stop(port->phylink);
++ phylink_disconnect_phy(port->phylink);
++err_connect:
++ sparx5_port_enable(port, false);
++
+ return err;
+ }
+
+--
+2.35.1
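Review bot: The two unwind labels added to sparx5_port_open() use different prefixes, and `out_power` names the step that failed rather than what the label undoes, which is stopping and disconnecting phylink. Naming both by the action they perform, for instance `err_phylink_stop:` and `err_port_disable:`, lets the unwind order be read without the body. A one-line comment at `err_connect:` saying that `sparx5_port_enable(port, false)` reverses an enable presumably done before the first hunk (not visible here) would also help.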
+
diff --git a/queue-6.0/net-thunderx-fix-the-acpi-memory-leak.patch b/queue-6.0/net-thunderx-fix-the-acpi-memory-leak.patch
new file mode 100644
index 00000000000..d381e835d2b
--- /dev/null
+++ b/queue-6.0/net-thunderx-fix-the-acpi-memory-leak.patch
@@ -0,0 +1,41 @@
+From 4ac33d3bd679ff0df5159027ab4c8b123fe7065e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Nov 2022 16:22:36 +0800
+Subject: net: thunderx: Fix the ACPI memory leak
+
+From: Yu Liao
+
+[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ]
+
+The ACPI buffer memory (string.pointer) should be freed as the buffer is
+not used after returning from bgx_acpi_match_id(), free it to prevent
+memory leak.
+
+Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.")
+Signed-off-by: Yu Liao
+Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 2f6484dc186a..7eb2ddbe9bad 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1436,8 +1436,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ return AE_OK;
+ }
+
+- if (strncmp(string.pointer, bgx_sel, 4))
++ if (strncmp(string.pointer, bgx_sel, 4)) {
++ kfree(string.pointer);
+ return AE_OK;
++ }
+
+ acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1,
+ bgx_acpi_register_phy, NULL, bgx, NULL);
+--
+2.35.1
+
diff --git a/queue-6.0/net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch b/queue-6.0/net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch
new file mode 100644
index 00000000000..4158a51c312
--- /dev/null
+++ b/queue-6.0/net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch
@@ -0,0 +1,39 @@
+From af10742b035b2fff445d519af0b9a531eae570b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 14:24:47 +0800
+Subject: net: wwan: iosm: use ACPI_FREE() but not kfree() in
+ ipc_pcie_read_bios_cfg()
+
+From: Wang ShaoBo
+
+[ Upstream commit e541dd7763fc34aec2f93f652a396cc2e7b92d8d ]
+
+acpi_evaluate_dsm() should be coupled with ACPI_FREE() to free the ACPI
+memory, because we need to track the allocation of acpi_object when
+ACPI_DBG_TRACK_ALLOCATIONS enabled, so use ACPI_FREE() instead of kfree().
+
+Fixes: d38a648d2d6c ("net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg")
+Signed-off-by: Wang ShaoBo
+Link: https://lore.kernel.org/r/20221118062447.2324881-1-bobo.shaobowang@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 97cb6846c6ae..f604d4a01e1b 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -249,7 +249,7 @@ static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev)
+ if (object->integer.value == 3)
+ sleep_state = IPC_PCIE_D3L2;
+
+- kfree(object);
++ ACPI_FREE(object);
+
+ default_ret:
+ return sleep_state;
+--
+2.35.1
+
diff --git a/queue-6.0/net-wwan-t7xx-fix-the-acpi-memory-leak.patch b/queue-6.0/net-wwan-t7xx-fix-the-acpi-memory-leak.patch
new file mode 100644
index 00000000000..2547ad1b0b4
--- /dev/null
+++ b/queue-6.0/net-wwan-t7xx-fix-the-acpi-memory-leak.patch
@@ -0,0 +1,38 @@
+From e92470b62594c52c9671f1ab1485733402d45130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 20:19:40 +0800
+Subject: net: wwan: t7xx: Fix the ACPI memory leak
+
+From: Hanjun Guo
+
+[ Upstream commit 08e8a949f684e1fbc4b1efd2337d72ec8f3613d9 ]
+
+The ACPI buffer memory (buffer.pointer) should be freed as the
+buffer is not used after acpi_evaluate_object(), free it to
+prevent memory leak.
+
+Fixes: 13e920d93e37 ("net: wwan: t7xx: Add core components")
+Signed-off-by: Hanjun Guo
+Link: https://lore.kernel.org/r/1669119580-28977-1-git-send-email-guohanjun@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wwan/t7xx/t7xx_modem_ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_modem_ops.c b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+index 3458af31e864..7d0f5e4f0a78 100644
+--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
++++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+@@ -165,6 +165,8 @@ static int t7xx_acpi_reset(struct t7xx_pci_dev *t7xx_dev, char *fn_name)
+ return -EFAULT;
+ }
+
++ kfree(buffer.pointer);
++
+ #endif
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-conntrack-fix-data-races-around-ct-mark.patch b/queue-6.0/netfilter-conntrack-fix-data-races-around-ct-mark.patch
new file mode 100644
index 00000000000..7dfacfb8e4b
--- /dev/null
+++ b/queue-6.0/netfilter-conntrack-fix-data-races-around-ct-mark.patch
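Review bot: The new `kfree(buffer.pointer);` in t7xx_acpi_reset() releases a result that, according to the commit message, is never read after acpi_evaluate_object(). If that is so, the call (outside this hunk) could pass NULL as its return-buffer argument so that nothing is allocated at all. That would remove both the free and the need to keep it in step with the `return -EFAULT` path just above. If the buffer stays, a comment such as `/* result unused; release the buffer returned by ACPI */` would explain the free. The start of the function is not part of the hunk.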
@@ -0,0 +1,369 @@ +From d8852aaefc6a0f39574834c66ca5501fc2e7dc99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 12:39:07 -0700 +Subject: netfilter: conntrack: Fix data-races around ct mark + +From: Daniel Xu + +[ Upstream commit 52d1aa8b8249ff477aaa38b6f74a8ced780d079c ] + +nf_conn:mark can be read from and written to in parallel. Use +READ_ONCE()/WRITE_ONCE() for reads and writes to prevent unwanted +compiler optimizations. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Daniel Xu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 2 +- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 ++-- + net/netfilter/nf_conntrack_core.c | 2 +- + net/netfilter/nf_conntrack_netlink.c | 24 ++++++++++++++---------- + net/netfilter/nf_conntrack_standalone.c | 2 +- + net/netfilter/nft_ct.c | 6 +++--- + net/netfilter/xt_connmark.c | 18 ++++++++++-------- + net/openvswitch/conntrack.c | 8 ++++---- + net/sched/act_connmark.c | 4 ++-- + net/sched/act_ct.c | 8 ++++---- + net/sched/act_ctinfo.c | 6 +++--- + 11 files changed, 45 insertions(+), 39 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 7105529abb0f..c433b1fb961a 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -272,7 +272,7 @@ skb_flow_dissect_ct(const struct sk_buff *skb, + key->ct_zone = ct->zone.id; + #endif + #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) +- key->ct_mark = ct->mark; ++ key->ct_mark = READ_ONCE(ct->mark); + #endif + + cl = nf_ct_labels_find(ct); +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index f8e176c77d1c..b3cc416ed292 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -435,7 +435,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) + + switch (ctinfo) { + case IP_CT_NEW: +- ct->mark = hash; ++ WRITE_ONCE(ct->mark, hash); + break; + case IP_CT_RELATED: + case 
IP_CT_RELATED_REPLY: +@@ -452,7 +452,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par) + #ifdef DEBUG + nf_ct_dump_tuple_ip(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); + #endif +- pr_debug("hash=%u ct_hash=%u ", hash, ct->mark); ++ pr_debug("hash=%u ct_hash=%u ", hash, READ_ONCE(ct->mark)); + if (!clusterip_responsible(cipinfo->config, hash)) { + pr_debug("not responsible\n"); + return NF_DROP; +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 8f261cd5b3a5..60289c074eef 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1781,7 +1781,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +- ct->mark = exp->master->mark; ++ ct->mark = READ_ONCE(exp->master->mark); + #endif + #ifdef CONFIG_NF_CONNTRACK_SECMARK + ct->secmark = exp->master->secmark; +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 7562b215b932..d71150a40fb0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -328,9 +328,9 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +-static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) ++static int ctnetlink_dump_mark(struct sk_buff *skb, u32 mark) + { +- if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) ++ if (nla_put_be32(skb, CTA_MARK, htonl(mark))) + goto nla_put_failure; + return 0; + +@@ -543,7 +543,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb, + static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct) + { + if (ctnetlink_dump_status(skb, ct) < 0 || +- ctnetlink_dump_mark(skb, ct) < 0 || ++ ctnetlink_dump_mark(skb, READ_ONCE(ct->mark)) < 0 || + ctnetlink_dump_secctx(skb, ct) < 0 || + ctnetlink_dump_id(skb, ct) < 0 || + ctnetlink_dump_use(skb, ct) < 0 || +@@ -722,6 +722,7 @@ 
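Review bot: In init_conntrack() the new line `ct->mark = READ_ONCE(exp->master->mark);` annotates the load but leaves the store to `ct->mark` plain, unlike every other write this patch touches. That is presumably intentional because the freshly initialised entry cannot yet be reached by other CPUs at this point, but the hunk does not show that. A comment such as `/* ct is not published yet, a plain store is fine */` would stop the line from reading as an oversight in a later audit for data races.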
ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item) + struct sk_buff *skb; + unsigned int type; + unsigned int flags = 0, group; ++ u32 mark; + int err; + + if (events & (1 << IPCT_DESTROY)) { +@@ -826,8 +827,9 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item) + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +- if ((events & (1 << IPCT_MARK) || ct->mark) +- && ctnetlink_dump_mark(skb, ct) < 0) ++ mark = READ_ONCE(ct->mark); ++ if ((events & (1 << IPCT_MARK) || mark) && ++ ctnetlink_dump_mark(skb, mark) < 0) + goto nla_put_failure; + #endif + nlmsg_end(skb, nlh); +@@ -1154,7 +1156,7 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data) + } + + #ifdef CONFIG_NF_CONNTRACK_MARK +- if ((ct->mark & filter->mark.mask) != filter->mark.val) ++ if ((READ_ONCE(ct->mark) & filter->mark.mask) != filter->mark.val) + goto ignore_entry; + #endif + status = (u32)READ_ONCE(ct->status); +@@ -2002,9 +2004,9 @@ static void ctnetlink_change_mark(struct nf_conn *ct, + mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK])); + + mark = ntohl(nla_get_be32(cda[CTA_MARK])); +- newmark = (ct->mark & mask) ^ mark; +- if (newmark != ct->mark) +- ct->mark = newmark; ++ newmark = (READ_ONCE(ct->mark) & mask) ^ mark; ++ if (newmark != READ_ONCE(ct->mark)) ++ WRITE_ONCE(ct->mark, newmark); + } + #endif + +@@ -2669,6 +2671,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) + { + const struct nf_conntrack_zone *zone; + struct nlattr *nest_parms; ++ u32 mark; + + zone = nf_ct_zone(ct); + +@@ -2730,7 +2733,8 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) + goto nla_put_failure; + + #ifdef CONFIG_NF_CONNTRACK_MARK +- if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) ++ mark = READ_ONCE(ct->mark); ++ if (mark && ctnetlink_dump_mark(skb, mark) < 0) + goto nla_put_failure; + #endif + if (ctnetlink_dump_labels(skb, ct) < 0) +diff --git a/net/netfilter/nf_conntrack_standalone.c 
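Review bot: `u32 mark;` is declared unconditionally in ctnetlink_conntrack_event(), and again in __ctnetlink_glue_build() (hunk at -2669), but its only uses sit inside `#ifdef CONFIG_NF_CONNTRACK_MARK`. A build with that option disabled will warn about an unused variable, which becomes a failure under -Werror. Put the declaration under the same `#ifdef CONFIG_NF_CONNTRACK_MARK`, or declare it as `u32 mark __maybe_unused;`.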
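Review bot: ctnetlink_change_mark() now loads `ct->mark` twice, once to compute `newmark` and once for the comparison, so the two loads can see different values if another CPU writes in between. READ_ONCE()/WRITE_ONCE() prevent tearing and compiler re-reads but do not make the update atomic. Take one snapshot and use it for both steps: `u32 old = READ_ONCE(ct->mark);`, then `newmark = (old & mask) ^ mark;` and `if (newmark != old)`. The same double read is in connmark_tg_shift() (which adds `oldmark` for XT_CONNMARK_SET but still re-reads for the comparison, and does not use it in the branch before XT_CONNMARK_RESTORE), ovs_ct_set_mark() and tcf_ct_act_set_mark(). Concurrent writers can still lose an update even with one snapshot; a cmpxchg loop would be needed if that matters for policy decisions based on the mark.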
b/net/netfilter/nf_conntrack_standalone.c +index 4ffe84c5a82c..bca839ab1ae8 100644 +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -366,7 +366,7 @@ static int ct_seq_show(struct seq_file *s, void *v) + goto release; + + #if defined(CONFIG_NF_CONNTRACK_MARK) +- seq_printf(s, "mark=%u ", ct->mark); ++ seq_printf(s, "mark=%u ", READ_ONCE(ct->mark)); + #endif + + ct_show_secctx(s, ct); +diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c +index a3f01f209a53..641dc21f92b4 100644 +--- a/net/netfilter/nft_ct.c ++++ b/net/netfilter/nft_ct.c +@@ -98,7 +98,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr, + return; + #ifdef CONFIG_NF_CONNTRACK_MARK + case NFT_CT_MARK: +- *dest = ct->mark; ++ *dest = READ_ONCE(ct->mark); + return; + #endif + #ifdef CONFIG_NF_CONNTRACK_SECMARK +@@ -297,8 +297,8 @@ static void nft_ct_set_eval(const struct nft_expr *expr, + switch (priv->key) { + #ifdef CONFIG_NF_CONNTRACK_MARK + case NFT_CT_MARK: +- if (ct->mark != value) { +- ct->mark = value; ++ if (READ_ONCE(ct->mark) != value) { ++ WRITE_ONCE(ct->mark, value); + nf_conntrack_event_cache(IPCT_MARK, ct); + } + break; +diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c +index e5ebc0810675..ad3c033db64e 100644 +--- a/net/netfilter/xt_connmark.c ++++ b/net/netfilter/xt_connmark.c +@@ -30,6 +30,7 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info) + u_int32_t new_targetmark; + struct nf_conn *ct; + u_int32_t newmark; ++ u_int32_t oldmark; + + ct = nf_ct_get(skb, &ctinfo); + if (ct == NULL) +@@ -37,14 +38,15 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info) + + switch (info->mode) { + case XT_CONNMARK_SET: +- newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; ++ oldmark = READ_ONCE(ct->mark); ++ newmark = (oldmark & ~info->ctmask) ^ info->ctmark; + if (info->shift_dir == D_SHIFT_RIGHT) + newmark >>= info->shift_bits; + else + newmark <<= 
info->shift_bits; + +- if (ct->mark != newmark) { +- ct->mark = newmark; ++ if (READ_ONCE(ct->mark) != newmark) { ++ WRITE_ONCE(ct->mark, newmark); + nf_conntrack_event_cache(IPCT_MARK, ct); + } + break; +@@ -55,15 +57,15 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info) + else + new_targetmark <<= info->shift_bits; + +- newmark = (ct->mark & ~info->ctmask) ^ ++ newmark = (READ_ONCE(ct->mark) & ~info->ctmask) ^ + new_targetmark; +- if (ct->mark != newmark) { +- ct->mark = newmark; ++ if (READ_ONCE(ct->mark) != newmark) { ++ WRITE_ONCE(ct->mark, newmark); + nf_conntrack_event_cache(IPCT_MARK, ct); + } + break; + case XT_CONNMARK_RESTORE: +- new_targetmark = (ct->mark & info->ctmask); ++ new_targetmark = (READ_ONCE(ct->mark) & info->ctmask); + if (info->shift_dir == D_SHIFT_RIGHT) + new_targetmark >>= info->shift_bits; + else +@@ -126,7 +128,7 @@ connmark_mt(const struct sk_buff *skb, struct xt_action_param *par) + if (ct == NULL) + return false; + +- return ((ct->mark & info->mask) == info->mark) ^ info->invert; ++ return ((READ_ONCE(ct->mark) & info->mask) == info->mark) ^ info->invert; + } + + static int connmark_mt_check(const struct xt_mtchk_param *par) +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 4e70df91d0f2..fc5b374fe568 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -152,7 +152,7 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo) + static u32 ovs_ct_get_mark(const struct nf_conn *ct) + { + #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) +- return ct ? ct->mark : 0; ++ return ct ? 
READ_ONCE(ct->mark) : 0; + #else + return 0; + #endif +@@ -340,9 +340,9 @@ static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key, + #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) + u32 new_mark; + +- new_mark = ct_mark | (ct->mark & ~(mask)); +- if (ct->mark != new_mark) { +- ct->mark = new_mark; ++ new_mark = ct_mark | (READ_ONCE(ct->mark) & ~(mask)); ++ if (READ_ONCE(ct->mark) != new_mark) { ++ WRITE_ONCE(ct->mark, new_mark); + if (nf_ct_is_confirmed(ct)) + nf_conntrack_event_cache(IPCT_MARK, ct); + key->ct.mark = new_mark; +diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c +index 09e2aafc8943..0deb4e96a6c2 100644 +--- a/net/sched/act_connmark.c ++++ b/net/sched/act_connmark.c +@@ -62,7 +62,7 @@ static int tcf_connmark_act(struct sk_buff *skb, const struct tc_action *a, + + c = nf_ct_get(skb, &ctinfo); + if (c) { +- skb->mark = c->mark; ++ skb->mark = READ_ONCE(c->mark); + /* using overlimits stats to count how many packets marked */ + ca->tcf_qstats.overlimits++; + goto out; +@@ -82,7 +82,7 @@ static int tcf_connmark_act(struct sk_buff *skb, const struct tc_action *a, + c = nf_ct_tuplehash_to_ctrack(thash); + /* using overlimits stats to count how many packets marked */ + ca->tcf_qstats.overlimits++; +- skb->mark = c->mark; ++ skb->mark = READ_ONCE(c->mark); + nf_ct_put(c); + + out: +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 5950974ae8f6..a015915e5b72 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -178,7 +178,7 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, + entry = tcf_ct_flow_table_flow_action_get_next(action); + entry->id = FLOW_ACTION_CT_METADATA; + #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) +- entry->ct_metadata.mark = ct->mark; ++ entry->ct_metadata.mark = READ_ONCE(ct->mark); + #endif + ctinfo = dir == IP_CT_DIR_ORIGINAL ? 
IP_CT_ESTABLISHED : + IP_CT_ESTABLISHED_REPLY; +@@ -940,9 +940,9 @@ static void tcf_ct_act_set_mark(struct nf_conn *ct, u32 mark, u32 mask) + if (!mask) + return; + +- new_mark = mark | (ct->mark & ~(mask)); +- if (ct->mark != new_mark) { +- ct->mark = new_mark; ++ new_mark = mark | (READ_ONCE(ct->mark) & ~(mask)); ++ if (READ_ONCE(ct->mark) != new_mark) { ++ WRITE_ONCE(ct->mark, new_mark); + if (nf_ct_is_confirmed(ct)) + nf_conntrack_event_cache(IPCT_MARK, ct); + } +diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c +index 0281e45987a4..65a20f3c9514 100644 +--- a/net/sched/act_ctinfo.c ++++ b/net/sched/act_ctinfo.c +@@ -33,7 +33,7 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + { + u8 dscp, newdscp; + +- newdscp = (((ct->mark & cp->dscpmask) >> cp->dscpmaskshift) << 2) & ++ newdscp = (((READ_ONCE(ct->mark) & cp->dscpmask) >> cp->dscpmaskshift) << 2) & + ~INET_ECN_MASK; + + switch (proto) { +@@ -73,7 +73,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + struct sk_buff *skb) + { + ca->stats_cpmark_set++; +- skb->mark = ct->mark & cp->cpmarkmask; ++ skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask; + } + + static int tcf_ctinfo_act(struct sk_buff *skb, const struct tc_action *a, +@@ -131,7 +131,7 @@ static int tcf_ctinfo_act(struct sk_buff *skb, const struct tc_action *a, + } + + if (cp->mode & CTINFO_MODE_DSCP) +- if (!cp->dscpstatemask || (ct->mark & cp->dscpstatemask)) ++ if (!cp->dscpstatemask || (READ_ONCE(ct->mark) & cp->dscpstatemask)) + tcf_ctinfo_dscp_set(ct, ca, cp, skb, wlen, proto); + + if (cp->mode & CTINFO_MODE_CPMARK) +-- +2.35.1 + diff --git a/queue-6.0/netfilter-flowtable_offload-add-missing-locking.patch b/queue-6.0/netfilter-flowtable_offload-add-missing-locking.patch new file mode 100644 index 00000000000..a515c0e2e6a --- /dev/null +++ b/queue-6.0/netfilter-flowtable_offload-add-missing-locking.patch 
@@ -0,0 +1,55 @@
+From 0d7c7ce9bcd34a84ca816c6c0386669a62caa959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 19:26:15 +0100
+Subject: netfilter: flowtable_offload: add missing locking
+
+From: Felix Fietkau
+
+[ Upstream commit bcd9e3c1656d0f7dd9743598c65c3ae24efb38d0 ]
+
+nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
+block cb list while they are being traversed elsewhere, causing a crash.
+Add a write lock around the calls to protect readers
+
+Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
+Reported-by: Chad Monroe
+Signed-off-by: Felix Fietkau
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_flow_table_offload.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
+index b04645ced89b..00b522890d77 100644
+--- a/net/netfilter/nf_flow_table_offload.c
++++ b/net/netfilter/nf_flow_table_offload.c
+@@ -1098,6 +1098,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
+ struct flow_block_cb *block_cb, *next;
+ int err = 0;
+
++ down_write(&flowtable->flow_block_lock);
+ switch (cmd) {
+ case FLOW_BLOCK_BIND:
+ list_splice(&bo->cb_list, &flowtable->flow_block.cb_list);
+@@ -1112,6 +1113,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
+ WARN_ON_ONCE(1);
+ err = -EOPNOTSUPP;
+ }
++ up_write(&flowtable->flow_block_lock);
+
+ return err;
+ }
+@@ -1168,7 +1170,9 @@ static int nf_flow_table_offload_cmd(struct flow_block_offload *bo,
+
+ nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
+ extack);
++ down_write(&flowtable->flow_block_lock);
+ err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo);
++ up_write(&flowtable->flow_block_lock);
+ if (err < 0)
+ return err;
+
+--
+2.35.1
+
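Review bot: In nf_flow_table_offload_cmd() the write side of `flow_block_lock` is now held across the driver's `ndo_setup_tc()` callback, and an rw_semaphore is not recursive. A callback that takes the same lock, or waits for work that takes it for reading, would therefore deadlock. A comment at the call would make the rule visible to driver authors, e.g. `/* flow_block_lock is held for writing: the callback must not take it or flush work that does */`. In nf_flow_table_block_setup() the switch cases between the first two hunks are not shown, so it is worth confirming that none of them returns before the new `up_write()`.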
diff --git a/queue-6.0/netfilter-ipset-regression-in-ip_set_hash_ip.c.patch b/queue-6.0/netfilter-ipset-regression-in-ip_set_hash_ip.c.patch new file mode 100644 index 00000000000..d7bf515c933 --- /dev/null +++ b/queue-6.0/netfilter-ipset-regression-in-ip_set_hash_ip.c.patch 
@@ -0,0 +1,66 @@ +From 063d887e6805f11fc8ec4968d76a2e79088e062d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 14:26:50 -0400 +Subject: netfilter: ipset: regression in ip_set_hash_ip.c + +From: Vishwanath Pai + +[ Upstream commit c7aa1a76d4a0a3c401025b60c401412bbb60f8c6 ] + +This patch introduced a regression: commit 48596a8ddc46 ("netfilter: +ipset: Fix adding an IPv4 range containing more than 2^31 addresses") + +The variable e.ip is passed to adtfn() function which finally adds the +ip address to the set. The patch above refactored the for loop and moved +e.ip = htonl(ip) to the end of the for loop. + +What this means is that if the value of "ip" changes between the first +assignement of e.ip and the forloop, then e.ip is pointing to a +different ip address than "ip". + +Test case: +$ ipset create jdtest_tmp hash:ip family inet hashsize 2048 maxelem 100000 +$ ipset add jdtest_tmp 10.0.1.1/31 +ipset v6.21.1: Element cannot be added to the set: it's already added + +The value of ip gets updated inside the "else if (tb[IPSET_ATTR_CIDR])" +block but e.ip is still pointing to the old value. 
+ +Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses") +Reviewed-by: Joshua Hunt +Signed-off-by: Vishwanath Pai +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_hash_ip.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c +index dd30c03d5a23..75d556d71652 100644 +--- a/net/netfilter/ipset/ip_set_hash_ip.c ++++ b/net/netfilter/ipset/ip_set_hash_ip.c +@@ -151,18 +151,16 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], + if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE) + return -ERANGE; + +- if (retried) { ++ if (retried) + ip = ntohl(h->next.ip); +- e.ip = htonl(ip); +- } + for (; ip <= ip_to;) { ++ e.ip = htonl(ip); + ret = adtfn(set, &e, &ext, &ext, flags); + if (ret && !ip_set_eexist(ret, flags)) + return ret; + + ip += hosts; +- e.ip = htonl(ip); +- if (e.ip == 0) ++ if (ip == 0) + return 0; + + ret = 0; +-- +2.35.1 + diff --git a/queue-6.0/netfilter-ipset-restore-allowing-64-clashing-element.patch b/queue-6.0/netfilter-ipset-restore-allowing-64-clashing-element.patch new file mode 100644 index 00000000000..09d6a0c423f --- /dev/null +++ b/queue-6.0/netfilter-ipset-restore-allowing-64-clashing-element.patch 
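Review bot: The wrap guard after `ip += hosts` is now `if (ip == 0)`, which only fires when the 32-bit sum lands exactly on zero, that is, when `ip` is a multiple of `hosts`. Any alignment of `ip` is established above the hunk, and the retried path reloads it from `h->next.ip`, so this cannot be confirmed here. If it ever fails to hold, the sum wraps to a small non-zero value, `ip <= ip_to` stays true and the loop carries on from the bottom of the address space. `if (ip < hosts) /* u32 wrap */ return 0;` catches every overflow and behaves the same for aligned input. hash_ip4_uadt() begins and ends outside the hunk.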
@@ -0,0 +1,39 @@
+From de5a5d98dd956fe8f2ffbf6f1f3089eb0d14235c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 20:18:58 +0100
+Subject: netfilter: ipset: restore allowing 64 clashing elements in
+ hash:net,iface
+
+From: Jozsef Kadlecsik
+
+[ Upstream commit 6a66ce44a51bdfc47721f0c591137df2d4b21247 ]
+
+The commit 510841da1fcc ("netfilter: ipset: enforce documented limit to
+prevent allocating huge memory") was too strict and prevented to add up to
+64 clashing elements to a hash:net,iface type of set. This patch fixes the
+issue and now the type behaves as documented.
+
+Fixes: 510841da1fcc ("netfilter: ipset: enforce documented limit to prevent allocating huge memory")
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 3adc291d9ce1..7499192af586 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -916,7 +916,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
+ #ifdef IP_SET_HASH_WITH_MULTI
+ if (h->bucketsize >= AHASH_MAX_TUNED)
+ goto set_full;
+- else if (h->bucketsize < multi)
++ else if (h->bucketsize <= multi)
+ h->bucketsize += AHASH_INIT_SIZE;
+ #endif
+ if (n->size >= AHASH_MAX(h)) {
+--
+2.35.1
+
diff --git a/queue-6.0/netfilter-nf_tables-do-not-set-up-extensions-for-end.patch b/queue-6.0/netfilter-nf_tables-do-not-set-up-extensions-for-end.patch
new file mode 100644
index 00000000000..1bd76926641
--- /dev/null
+++ b/queue-6.0/netfilter-nf_tables-do-not-set-up-extensions-for-end.patch
@@ -0,0 +1,54 @@ +From b02d98151e07db34bdb39fcdc2ebba209377c634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 11:31:54 +0100 +Subject: netfilter: nf_tables: do not set up extensions for end interval + +From: Pablo Neira Ayuso + +[ Upstream commit 33c7aba0b4ffd6d7cdab862a034eb582a5120a38 ] + +Elements with an end interval flag set on do not store extensions. The +global set definition is currently setting on the timeout and stateful +expression for end interval elements. + +This leads to skipping end interval elements from the set->ops->walk() +path as the expired check bogusly reports true. + +Moreover, do not set up stateful expressions for elements with end +interval flag set on since this is never used. + +Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition") +Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 42e370575c30..0a6f3c1e9ab7 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5958,7 +5958,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + &timeout); + if (err) + return err; +- } else if (set->flags & NFT_SET_TIMEOUT) { ++ } else if (set->flags & NFT_SET_TIMEOUT && ++ !(flags & NFT_SET_ELEM_INTERVAL_END)) { + timeout = set->timeout; + } + +@@ -6024,7 +6025,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + err = -EOPNOTSUPP; + goto err_set_elem_expr; + } +- } else if (set->num_exprs > 0) { ++ } else if (set->num_exprs > 0 && ++ !(flags & NFT_SET_ELEM_INTERVAL_END)) { + err = nft_set_elem_expr_clone(ctx, set, expr_array); + if (err < 0) + goto err_set_elem_expr_clone; +-- +2.35.1 + 
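Review bot: The new timeout condition `set->flags & NFT_SET_TIMEOUT && !(flags & NFT_SET_ELEM_INTERVAL_END)` mixes `&` and `&&` without parentheses while testing two different variables that are both named flags. Precedence makes it correct, but it is easy to misread on a path that decides whether an element gets a timeout. I would write `(set->flags & NFT_SET_TIMEOUT) && !(flags & NFT_SET_ELEM_INTERVAL_END)`. Since the same end-interval test is repeated in the `set->num_exprs > 0` branch, a short comment at each, such as `/* end-interval elements carry no extensions */`, would record why both defaults are skipped. nft_add_set_elem() extends beyond both hunks.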
diff --git a/queue-6.0/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch b/queue-6.0/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
new file mode 100644
index 00000000000..9c8eaecaff0
--- /dev/null
+++ b/queue-6.0/nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
@@ -0,0 +1,61 @@ +From 91e4bec2517cbdc057bffbb67d8a5c9e0d943b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:24:19 +0800 +Subject: NFC: nci: fix memory leak in nci_rx_data_packet() + +From: Liu Shixin + +[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ] + +Syzbot reported a memory leak about skb: + +unreferenced object 0xffff88810e144e00 (size 240): + comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497 + [] alloc_skb include/linux/skbuff.h:1267 [inline] + [] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116 + [] do_loop_readv_writev fs/read_write.c:759 [inline] + [] do_loop_readv_writev fs/read_write.c:743 [inline] + [] do_iter_write+0x253/0x300 fs/read_write.c:863 + [] vfs_writev+0xdd/0x240 fs/read_write.c:934 + [] do_writev+0xa6/0x1c0 fs/read_write.c:977 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +In nci_rx_data_packet(), if we don't get a valid conn_info, we will return +directly but forget to release the skb. 
+ +Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com +Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support") +Signed-off-by: Liu Shixin +Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index aa5e712adf07..3d36ea5701f0 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -279,8 +279,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb) + nci_plen(skb->data)); + + conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data)); +- if (!conn_info) ++ if (!conn_info) { ++ kfree_skb(skb); + return; ++ } + + /* strip the nci data header */ + skb_pull(skb, NCI_DATA_HDR_SIZE); +-- +2.35.1 + diff --git a/queue-6.0/nfc-nci-fix-race-with-opening-and-closing.patch b/queue-6.0/nfc-nci-fix-race-with-opening-and-closing.patch new file mode 100644 index 00000000000..2805f23fd3f --- /dev/null +++ b/queue-6.0/nfc-nci-fix-race-with-opening-and-closing.patch 
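Review bot: Around the fixed branch, `nci_plen(skb->data)` and `nci_conn_id(skb->data)` are read and `skb_pull(skb, NCI_DATA_HDR_SIZE)` is called, with no check in the hunk that the skb holds at least NCI_DATA_HDR_SIZE bytes. The syzbot trace in the commit message shows the skb coming from a write() on virtual_ncidev, so its length is chosen by the writer. The function starts above the hunk, so a check there or in the caller cannot be ruled out. If there is none, a guard at the top of nci_rx_data_packet() that frees and returns would close it: `if (skb->len < NCI_DATA_HDR_SIZE) { kfree_skb(skb); return; }`.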
@@ -0,0 +1,42 @@
+From 15d6780e4860a345c773de73165aa25c503cdb18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 21:02:49 +0800
+Subject: nfc/nci: fix race with opening and closing
+
+From: Lin Ma
+
+[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ]
+
+Previously we leverage NCI_UNREG and the lock inside nci_close_device to
+prevent the race condition between opening a device and closing a
+device. However, it still has problem because a failed opening command
+will erase the NCI_UNREG flag and allow another opening command to
+bypass the status checking.
+
+This fix corrects that by making sure the NCI_UNREG is held.
+
+Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com
+Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race")
+Signed-off-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 6a193cce2a75..4ffdf2f45c44 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)
+ skb_queue_purge(&ndev->tx_q);
+
+ ndev->ops->close(ndev);
+- ndev->flags = 0;
++ ndev->flags &= BIT(NCI_UNREG);
+ }
+
+ done:
+--
+2.35.1
+
diff --git a/queue-6.0/nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch b/queue-6.0/nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch
new file mode 100644
index 00000000000..cdddcfd0f02
--- /dev/null
+++ b/queue-6.0/nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch
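Review bot: `ndev->flags &= BIT(NCI_UNREG);` is a plain read-modify-write of a word that, going by `BIT(NCI_UNREG)`, is a bit-number flag field of the kind normally updated with set_bit()/clear_bit(). If NCI_UNREG can be set from the unregister path without whatever lock covers this statement, a set_bit() landing between the load and the store is lost, which is exactly the state this patch wants to keep. Neither the locking nor the other writers are visible in the hunk, so this needs confirming against the rest of nci_open_device(). If the window exists, clearing the other bits one by one with `clear_bit()` avoids it; if not, a comment naming the lock that makes the `&=` safe would be enough.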
@@ -0,0 +1,115 @@ +From 83596260290d5ab70b2844ea37beca74f0fd2e00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:46 -0600 +Subject: nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit 0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287 ] + +The transaction buffer is allocated by using the size of the packet buf, +and subtracting two which seems intended to remove the two tags which are +not present in the target structure. This calculation leads to under +counting memory because of differences between the packet contents and the +target structure. The aid_len field is a u8 in the packet, but a u32 in +the structure, resulting in at least 3 bytes always being under counted. +Further, the aid data is a variable length field in the packet, but fixed +in the structure, so if this field is less than the max, the difference is +added to the under counting. + +To fix, perform validation checks progressively to safely reach the +next field, to determine the size of both buffers and verify both tags. +Once all validation checks pass, allocate the buffer and copy the data. +This eliminates freeing memory on the error path, as validation checks are +moved ahead of memory allocation. 
+ +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 51 +++++++++++++++++++++++++++++------------ + 1 file changed, 36 insertions(+), 15 deletions(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index fc59916ae5ae..ec87dd21e054 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -312,6 +312,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + int r = 0; + struct device *dev = &ndev->nfc_dev->dev; + struct nfc_evt_transaction *transaction; ++ u32 aid_len; ++ u8 params_len; + + pr_debug("connectivity gate event: %x\n", event); + +@@ -325,28 +327,47 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + * Description Tag Length + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 ++ * ++ * The key differences are aid storage length is variably sized ++ * in the packet, but fixed in nfc_evt_transaction, and that ++ * the aid_len is u8 in the packet, but u32 in the structure, ++ * and the tags in the packet are not included in ++ * nfc_evt_transaction. 
++ * ++ * size(b): 1 1 5-16 1 1 0-255 ++ * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4 ++ * mem name: aid_tag(M) aid_len aid params_tag(M) params_len params ++ * example: 0x81 5-16 X 0x82 0-255 X + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 || +- skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) ++ if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +- transaction = devm_kzalloc(dev, skb->len - 2, GFP_KERNEL); +- if (!transaction) +- return -ENOMEM; ++ aid_len = skb->data[1]; + +- transaction->aid_len = skb->data[1]; +- memcpy(transaction->aid, &skb->data[2], transaction->aid_len); ++ if (skb->len < aid_len + 4 || ++ aid_len > sizeof(transaction->aid)) ++ return -EPROTO; + +- /* Check next byte is PARAMETERS tag (82) */ +- if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) { +- devm_kfree(dev, transaction); ++ params_len = skb->data[aid_len + 3]; ++ ++ /* Verify PARAMETERS tag is (82), and final check that there is ++ * enough space in the packet to read everything. ++ */ ++ if (skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG || ++ skb->len < aid_len + 4 + params_len) + return -EPROTO; +- } + +- transaction->params_len = skb->data[transaction->aid_len + 3]; +- memcpy(transaction->params, skb->data + +- transaction->aid_len + 4, transaction->params_len); ++ transaction = devm_kzalloc(dev, sizeof(*transaction) + ++ params_len, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; ++ ++ transaction->aid_len = aid_len; ++ transaction->params_len = params_len; ++ ++ memcpy(transaction->aid, &skb->data[2], aid_len); ++ memcpy(transaction->params, &skb->data[aid_len + 4], ++ params_len); + + r = nfc_se_transaction(ndev->nfc_dev, host, transaction); + break; +-- +2.35.1 + diff --git a/queue-6.0/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch b/queue-6.0/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch new file mode 100644 index 00000000000..3c85cd8dd4f --- /dev/null 
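Review bot: The rewritten validation no longer has any lower bound tied to the AID: the removed test used `NFC_MIN_AID_LENGTH + 2`, and the table in the comment still says the AID is 5 to 16 bytes, but the new code rejects only `aid_len > sizeof(transaction->aid)`. An event with an AID of 0 to 4 bytes is therefore passed on to nfc_se_transaction(). If short AIDs are not meant to be accepted, the second test can carry the bound, `if (aid_len < NFC_MIN_AID_LENGTH || aid_len > sizeof(transaction->aid) || skb->len < aid_len + 4)`; if they are, the "5 to 16" line in the comment should say so. The reads of `skb->data[aid_len + 2]` and `skb->data[aid_len + 3]` and both memcpy() calls look covered by the new length checks. The function begins and ends outside the hunks.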
+++ b/queue-6.0/nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch @@ -0,0 +1,41 @@ +From 35b136ba2a4e841881e9bff68906e5b0ff6949b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:44 -0600 +Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ] + +The first validation check for EVT_TRANSACTION has two different checks +tied together with logical AND. One is a check for minimum packet length, +and the other is for a valid aid_tag. If either condition is true (fails), +then an error should be triggered. The fix is to change && to ||. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index 7764b1a4c3cf..589e1dec78e7 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -326,7 +326,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 && ++ if (skb->len < NFC_MIN_AID_LENGTH + 2 || + skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +-- +2.35.1 + diff --git a/queue-6.0/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch b/queue-6.0/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch new file mode 100644 index 00000000000..9d62d35feed --- /dev/null +++ b/queue-6.0/nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch 
@@ -0,0 +1,42 @@ +From c5747effd631529130e15b46a8cdca85aa8f7577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:42:45 -0600 +Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION + +From: Martin Faltesek + +[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ] + +Error path does not free previously allocated memory. Add devm_kfree() to +the failure path. + +Reported-by: Denis Efremov +Reviewed-by: Guenter Roeck +Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support") +Signed-off-by: Martin Faltesek +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index 589e1dec78e7..fc59916ae5ae 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -339,8 +339,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + + /* Check next byte is PARAMETERS tag (82) */ + if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) ++ NFC_EVT_TRANSACTION_PARAMS_TAG) { ++ devm_kfree(dev, transaction); + return -EPROTO; ++ } + + transaction->params_len = skb->data[transaction->aid_len + 3]; + memcpy(transaction->params, skb->data + +-- +2.35.1 + diff --git a/queue-6.0/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch b/queue-6.0/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch new file mode 100644 index 00000000000..27c7f838f7f --- /dev/null +++ b/queue-6.0/nfp-add-port-from-netdev-validation-for-eeprom-acces.patch 
@@ -0,0 +1,45 @@ +From 9db7ce20fe3b87c84d9a5a60cf313e675f8144d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:37:44 +0100 +Subject: nfp: add port from netdev validation for EEPROM access + +From: Jaco Coetzee + +[ Upstream commit 0873016d46f6dfafd1bdf4d9b935b3331b226f7c ] + +Setting of the port flag `NFP_PORT_CHANGED`, introduced +to ensure the correct reading of EEPROM data, causes a +fatal kernel NULL pointer dereference in cases where +the target netdev type cannot be determined. + +Add validation of port struct pointer before attempting +to set the `NFP_PORT_CHANGED` flag. Return that operation +is not supported if the netdev type cannot be determined. + +Fixes: 4ae97cae07e1 ("nfp: ethtool: fix the display error of `ethtool -m DEVNAME`") +Signed-off-by: Jaco Coetzee +Reviewed-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +index b19bff0db1fd..400b22ad6a34 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -1395,6 +1395,9 @@ nfp_port_get_module_info(struct net_device *netdev, + u8 data; + + port = nfp_port_from_netdev(netdev); ++ if (!port) ++ return -EOPNOTSUPP; ++ + /* update port state to get latest interface */ + set_bit(NFP_PORT_CHANGED, &port->flags); + eth_port = nfp_port_get_eth_port(port); +-- +2.35.1 + diff --git a/queue-6.0/nfp-fill-splittable-of-devlink_port_attrs-correctly.patch b/queue-6.0/nfp-fill-splittable-of-devlink_port_attrs-correctly.patch new file mode 100644 index 00000000000..4ddb9bec8fa --- /dev/null +++ b/queue-6.0/nfp-fill-splittable-of-devlink_port_attrs-correctly.patch 
@@ -0,0 +1,48 @@ +From c88db5ce639a64a23f0ab55f6ca217d60e144590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:37:43 +0100 +Subject: nfp: fill splittable of devlink_port_attrs correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Diana Wang + +[ Upstream commit 4abd9600b9d15d3d92a9ac25cf200422a4c415ee ] + +The error is reflected in that it shows wrong splittable status of +port when executing "devlink port show". +The reason which leads the error is that the assigned operation of +splittable is just a simple negation operation of split and it does +not consider port lanes quantity. A splittable port should have +several lanes that can be split(lanes quantity > 1). +If without the judgement, it will show wrong message for some +firmware, such as 2x25G, 2x10G. + +Fixes: a0f49b548652 ("devlink: Add a new devlink port split ability attribute and pass to netlink") +Signed-off-by: Diana Wang +Reviewed-by: Louis Peens +Reviewed-by: Niklas Söderlund +Signed-off-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_devlink.c b/drivers/net/ethernet/netronome/nfp/nfp_devlink.c +index 405786c00334..cb08d7bf9524 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_devlink.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_devlink.c +@@ -341,7 +341,7 @@ int nfp_devlink_port_register(struct nfp_app *app, struct nfp_port *port) + return ret; + + attrs.split = eth_port.is_split; +- attrs.splittable = !attrs.split; ++ attrs.splittable = eth_port.port_lanes > 1 && !attrs.split; + attrs.lanes = eth_port.port_lanes; + attrs.flavour = DEVLINK_PORT_FLAVOUR_PHYSICAL; + attrs.phys.port_number = eth_port.label_port; +-- +2.35.1 + 
diff --git a/queue-6.0/octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch b/queue-6.0/octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch
new file mode 100644
index 00000000000..dba36b38f9c
--- /dev/null
+++ b/queue-6.0/octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch
@@ -0,0 +1,52 @@ +From 88de914b83bd929355d3da9395b75280628f0113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 20:46:58 +0800 +Subject: octeontx2-af: debugsfs: fix pci device refcount leak + +From: Yang Yingliang + +[ Upstream commit d66608803aa2ffb9e475623343f69996305771ae ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). + +So before returning from rvu_dbg_rvu_pf_cgx_map_display() or +cgx_print_dmac_flt(), pci_dev_put() is called to avoid refcount +leak. + +Fixes: dbc52debf95f ("octeontx2-af: Debugfs support for DMAC filters") +Fixes: e2fb37303865 ("octeontx2-af: Display CGX, NIX and PF map in debugfs.") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221117124658.162409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +index f42a09f04b25..70cda1571324 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +@@ -535,6 +535,8 @@ static int rvu_dbg_rvu_pf_cgx_map_display(struct seq_file *filp, void *unused) + sprintf(lmac, "LMAC%d", lmac_id); + seq_printf(filp, "%s\t0x%x\t\tNIX%d\t\t%s\t%s\n", + dev_name(&pdev->dev), pcifunc, blkid, cgx, lmac); ++ ++ pci_dev_put(pdev); + } + return 0; + } +@@ -2221,6 +2223,7 @@ static int cgx_print_dmac_flt(struct seq_file *s, int lmac_id) + } + } + ++ pci_dev_put(pdev); + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch b/queue-6.0/octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch new file mode 100644 index 00000000000..eef50e3d140 
--- /dev/null +++ b/queue-6.0/octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch @@ -0,0 +1,55 @@ +From a69944c0831993020c329a03779df45ae000b1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 14:59:19 +0800 +Subject: octeontx2-af: Fix reference count issue in rvu_sdp_init() + +From: Xiongfeng Wang + +[ Upstream commit ad17c2a3f11b0f6b122e7842d8f7d9a5fcc7ac63 ] + +pci_get_device() will decrease the reference count for the *from* +parameter. So we don't need to call put_device() to decrease the +reference. Let's remove the put_device() in the loop and only decrease +the reference count of the returned 'pdev' for the last loop because it +will not be passed to pci_get_device() as input parameter. We don't need +to check if 'pdev' is NULL because it is already checked inside +pci_dev_put(). Also add pci_dev_put() for the error path. + +Fixes: fe1939bb2340 ("octeontx2-af: Add SDP interface support") +Signed-off-by: Xiongfeng Wang +Reviewed-by: Saeed Mahameed +Link: https://lore.kernel.org/r/20221123065919.31499-1-wangxiongfeng2@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c +index b04fb226f708..ae50d56258ec 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c +@@ -62,15 +62,18 @@ int rvu_sdp_init(struct rvu *rvu) + pfvf->sdp_info = devm_kzalloc(rvu->dev, + sizeof(struct sdp_node_info), + GFP_KERNEL); +- if (!pfvf->sdp_info) ++ if (!pfvf->sdp_info) { ++ pci_dev_put(pdev); + return -ENOMEM; ++ } + + dev_info(rvu->dev, "SDP PF number:%d\n", sdp_pf_num[i]); + +- put_device(&pdev->dev); + i++; + } + ++ pci_dev_put(pdev); ++ + return 0; + } + +-- +2.35.1 + 
diff --git a/queue-6.0/octeontx2-pf-add-check-for-devm_kcalloc.patch b/queue-6.0/octeontx2-pf-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..196423fcd06 --- /dev/null +++ b/queue-6.0/octeontx2-pf-add-check-for-devm_kcalloc.patch @@ -0,0 +1,39 @@ +From fd0c53295dc3613348fbc5e5e3bc1499a52b2acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 13:54:49 +0800 +Subject: octeontx2-pf: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit cd07eadd5147ffdae11b6fd28b77a3872f2a2484 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Maciej Fijalkowski +Link: https://lore.kernel.org/r/20221122055449.31247-1-jiasheng@iscas.ac.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 0879a48411f3..3dc90060d70d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -4979,6 +4979,8 @@ static int nix_setup_ipolicers(struct rvu *rvu, + ipolicer->ref_count = devm_kcalloc(rvu->dev, + ipolicer->band_prof.max, + sizeof(u16), GFP_KERNEL); ++ if (!ipolicer->ref_count) ++ return -ENOMEM; + } + + /* Set policer timeunit to 2us ie (19 + 1) * 100 nsec = 2us */ +-- +2.35.1 + diff --git a/queue-6.0/pci-hv-only-reuse-existing-irte-allocation-for-multi.patch b/queue-6.0/pci-hv-only-reuse-existing-irte-allocation-for-multi.patch new file mode 100644 index 00000000000..a387db7fc5a --- /dev/null +++ b/queue-6.0/pci-hv-only-reuse-existing-irte-allocation-for-multi.patch 
@@ -0,0 +1,261 @@
+From 3ce956996c7082c047976f5825d568d0126ea7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Nov 2022 15:29:53 -0700
+Subject: PCI: hv: Only reuse existing IRTE allocation for Multi-MSI
+
+From: Dexuan Cui
+
+[ Upstream commit c234ba8042920fa83635808dc5673f36869ca280 ]
+
+Jeffrey added Multi-MSI support to the pci-hyperv driver by the 4 patches:
+08e61e861a0e ("PCI: hv: Fix multi-MSI to allow more than one MSI vector")
+455880dfe292 ("PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI")
+b4b77778ecc5 ("PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()")
+a2bad844a67b ("PCI: hv: Fix interrupt mapping for multi-MSI")
+
+It turns out that the third patch (b4b77778ecc5) causes a performance
+regression because all the interrupts now happen on 1 physical CPU (or two
+pCPUs, if one pCPU doesn't have enough vectors). When a guest has many PCI
+devices, it may suffer from soft lockups if the workload is heavy, e.g.,
+see https://lwn.net/ml/linux-kernel/20220804025104.15673-1-decui@microsoft.com/
+
+Commit b4b77778ecc5 itself is good. The real issue is that the hypercall in
+hv_irq_unmask() -> hv_arch_irq_unmask() ->
+hv_do_hypercall(HVCALL_RETARGET_INTERRUPT...) only changes the target
+virtual CPU rather than physical CPU; with b4b77778ecc5, the pCPU is
+determined only once in hv_compose_msi_msg() where only vCPU0 is specified;
+consequently the hypervisor only uses 1 target pCPU for all the interrupts.
+
+Note: before b4b77778ecc5, the pCPU is determined twice, and when the pCPU
+is determined the second time, the vCPU in the effective affinity mask is
+used (i.e., it isn't always vCPU0), so the hypervisor chooses different
+pCPU for each interrupt.
+
+The hypercall will be fixed in future to update the pCPU as well, but
+that will take quite a while, so let's restore the old behavior in
+hv_compose_msi_msg(), i.e., don't reuse the existing IRTE allocation for
+single-MSI and MSI-X; for multi-MSI, we choose the vCPU in a round-robin
+manner for each PCI device, so the interrupts of different devices can
+happen on different pCPUs, though the interrupts of each device happen on
+some single pCPU.
+
+The hypercall fix may not be backported to all old versions of Hyper-V, so
+we want to have this guest side change forever (or at least till we're sure
+the old affected versions of Hyper-V are no longer supported).
+
+Fixes: b4b77778ecc5 ("PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()")
+Co-developed-by: Jeffrey Hugo
+Signed-off-by: Jeffrey Hugo
+Co-developed-by: Carl Vanderlip
+Signed-off-by: Carl Vanderlip
+Signed-off-by: Dexuan Cui
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20221104222953.11356-1-decui@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/pci-hyperv.c | 90 ++++++++++++++++++++++++-----
+ 1 file changed, 75 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index ba64284eaf9f..f1ec8931dfbc 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1613,7 +1613,7 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp,
+ }
+
+ static u32 hv_compose_msi_req_v1(
+- struct pci_create_interrupt *int_pkt, const struct cpumask *affinity,
++ struct pci_create_interrupt *int_pkt,
+ u32 slot, u8 vector, u16 vector_count)
+ {
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE;
+@@ -1631,6 +1631,35 @@ static u32 hv_compose_msi_req_v1(
+ return sizeof(*int_pkt);
+ }
+
++/*
++ * The vCPU selected by hv_compose_multi_msi_req_get_cpu() and
++ * hv_compose_msi_req_get_cpu() is a "dummy" vCPU because the final vCPU to be
++ * interrupted is specified later in hv_irq_unmask() and communicated to Hyper-V
++ * via the HVCALL_RETARGET_INTERRUPT hypercall. But the choice of dummy vCPU is
++ * not irrelevant because Hyper-V chooses the physical CPU to handle the
++ * interrupts based on the vCPU specified in message sent to the vPCI VSP in
++ * hv_compose_msi_msg(). Hyper-V's choice of pCPU is not visible to the guest,
++ * but assigning too many vPCI device interrupts to the same pCPU can cause a
++ * performance bottleneck. So we spread out the dummy vCPUs to influence Hyper-V
++ * to spread out the pCPUs that it selects.
++ *
++ * For the single-MSI and MSI-X cases, it's OK for hv_compose_msi_req_get_cpu()
++ * to always return the same dummy vCPU, because a second call to
++ * hv_compose_msi_msg() contains the "real" vCPU, causing Hyper-V to choose a
++ * new pCPU for the interrupt. But for the multi-MSI case, the second call to
++ * hv_compose_msi_msg() exits without sending a message to the vPCI VSP, so the
++ * original dummy vCPU is used. This dummy vCPU must be round-robin'ed so that
++ * the pCPUs are spread out. All interrupts for a multi-MSI device end up using
++ * the same pCPU, even though the vCPUs will be spread out by later calls
++ * to hv_irq_unmask(), but that is the best we can do now.
++ *
++ * With Hyper-V in Nov 2022, the HVCALL_RETARGET_INTERRUPT hypercall does *not*
++ * cause Hyper-V to reselect the pCPU based on the specified vCPU. Such an
++ * enhancement is planned for a future version. With that enhancement, the
++ * dummy vCPU selection won't matter, and interrupts for the same multi-MSI
++ * device will be spread across multiple pCPUs.
++ */
++
+ /*
+ * Create MSI w/ dummy vCPU set targeting just one vCPU, overwritten
+ * by subsequent retarget in hv_irq_unmask().
+@@ -1640,18 +1669,39 @@ static int hv_compose_msi_req_get_cpu(const struct cpumask *affinity)
+ return cpumask_first_and(affinity, cpu_online_mask);
+ }
+
+-static u32 hv_compose_msi_req_v2(
+- struct pci_create_interrupt2 *int_pkt, const struct cpumask *affinity,
+- u32 slot, u8 vector, u16 vector_count)
++/*
++ * Make sure the dummy vCPU values for multi-MSI don't all point to vCPU0.
++ */
++static int hv_compose_multi_msi_req_get_cpu(void)
+ {
++ static DEFINE_SPINLOCK(multi_msi_cpu_lock);
++
++ /* -1 means starting with CPU 0 */
++ static int cpu_next = -1;
++
++ unsigned long flags;
+ int cpu;
+
++ spin_lock_irqsave(&multi_msi_cpu_lock, flags);
++
++ cpu_next = cpumask_next_wrap(cpu_next, cpu_online_mask, nr_cpu_ids,
++ false);
++ cpu = cpu_next;
++
++ spin_unlock_irqrestore(&multi_msi_cpu_lock, flags);
++
++ return cpu;
++}
++
++static u32 hv_compose_msi_req_v2(
++ struct pci_create_interrupt2 *int_pkt, int cpu,
++ u32 slot, u8 vector, u16 vector_count)
++{
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE2;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = DELIVERY_MODE;
+- cpu = hv_compose_msi_req_get_cpu(affinity);
+ int_pkt->int_desc.processor_array[0] =
+ hv_cpu_number_to_vp_number(cpu);
+ int_pkt->int_desc.processor_count = 1;
+@@ -1660,18 +1710,15 @@ static u32 hv_compose_msi_req_v2(
+ }
+
+ static u32 hv_compose_msi_req_v3(
+- struct pci_create_interrupt3 *int_pkt, const struct cpumask *affinity,
++ struct pci_create_interrupt3 *int_pkt, int cpu,
+ u32 slot, u32 vector, u16 vector_count)
+ {
+- int cpu;
+-
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE3;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+ int_pkt->int_desc.reserved = 0;
+ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = DELIVERY_MODE;
+- cpu = hv_compose_msi_req_get_cpu(affinity);
+ int_pkt->int_desc.processor_array[0] =
+ hv_cpu_number_to_vp_number(cpu);
+ int_pkt->int_desc.processor_count = 1;
+@@ -1715,12 +1762,18 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ struct pci_create_interrupt3 v3;
+ } int_pkts;
+ } __packed ctxt;
++ bool multi_msi;
+ u64 trans_id;
+ u32 size;
+ int ret;
++ int cpu;
++
++ msi_desc = irq_data_get_msi_desc(data);
++ multi_msi = !msi_desc->pci.msi_attrib.is_msix &&
++ msi_desc->nvec_used > 1;
+
+ /* Reuse the previous allocation */
+- if (data->chip_data) {
++ if (data->chip_data && multi_msi) {
+ int_desc = data->chip_data;
+ msg->address_hi = int_desc->address >> 32;
+ msg->address_lo = int_desc->address & 0xffffffff;
+@@ -1728,7 +1781,6 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ return;
+ }
+
+- msi_desc = irq_data_get_msi_desc(data);
+ pdev = msi_desc_to_pci_dev(msi_desc);
+ dest = irq_data_get_effective_affinity_mask(data);
+ pbus = pdev->bus;
+@@ -1738,11 +1790,18 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ if (!hpdev)
+ goto return_null_message;
+
++ /* Free any previous message that might have already been composed. */
++ if (data->chip_data && !multi_msi) {
++ int_desc = data->chip_data;
++ data->chip_data = NULL;
++ hv_int_desc_free(hpdev, int_desc);
++ }
++
+ int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
+ if (!int_desc)
+ goto drop_reference;
+
+- if (!msi_desc->pci.msi_attrib.is_msix && msi_desc->nvec_used > 1) {
++ if (multi_msi) {
+ /*
+ * If this is not the first MSI of Multi MSI, we already have
+ * a mapping. Can exit early.
+@@ -1767,9 +1826,11 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ */
+ vector = 32;
+ vector_count = msi_desc->nvec_used;
++ cpu = hv_compose_multi_msi_req_get_cpu();
+ } else {
+ vector = hv_msi_get_int_vector(data);
+ vector_count = 1;
++ cpu = hv_compose_msi_req_get_cpu(dest);
+ }
+
+ /*
+@@ -1785,7 +1846,6 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ switch (hbus->protocol_version) {
+ case PCI_PROTOCOL_VERSION_1_1:
+ size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1,
+- dest,
+ hpdev->desc.win_slot.slot,
+ (u8)vector,
+ vector_count);
+@@ -1794,7 +1854,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ case PCI_PROTOCOL_VERSION_1_2:
+ case PCI_PROTOCOL_VERSION_1_3:
+ size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2,
+- dest,
++ cpu,
+ hpdev->desc.win_slot.slot,
+ (u8)vector,
+ vector_count);
+@@ -1802,7 +1862,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+
+ case PCI_PROTOCOL_VERSION_1_4:
+ size = hv_compose_msi_req_v3(&ctxt.int_pkts.v3,
+- dest,
++ cpu,
+ hpdev->desc.win_slot.slot,
+ vector,
+ vector_count);
+--
+2.35.1
+
diff --git a/queue-6.0/power-supply-ab8500-defer-thermal-zone-probe.patch b/queue-6.0/power-supply-ab8500-defer-thermal-zone-probe.patch
new file mode 100644
index 00000000000..b2d2b05f51c
--- /dev/null
+++ b/queue-6.0/power-supply-ab8500-defer-thermal-zone-probe.patch
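Review bot: In hv_compose_msi_msg() the new `cpu = hv_compose_msi_req_get_cpu(dest);` is handed to hv_cpu_number_to_vp_number() by the v2/v3 builders with no range check, and cpumask_first_and() returns a value >= nr_cpu_ids when the affinity mask and cpu_online_mask do not intersect. The old code had the same gap inside the builders, so this is not a regression, but now that the vCPU is chosen in one place a guard such as `if (cpu >= nr_cpu_ids) cpu = cpumask_first(cpu_online_mask);` after the if/else would cover both protocol versions. Whether an empty intersection can actually reach this point depends on the irq core and cannot be told from the hunks; the function also starts and ends outside them. For PCI_PROTOCOL_VERSION_1_1 the value is computed but never used, which still advances the multi-MSI round-robin counter, and a one-line comment saying so would help.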
@@ -0,0 +1,49 @@
+From c042e11e847dc6b22306281815236292311e5b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 30 Oct 2022 21:55:54 +0100
+Subject: power: supply: ab8500: Defer thermal zone probe
+
+From: Linus Walleij
+
+[ Upstream commit 767e684367e4759d9855b184045b7a9d6b19acd2 ]
+
+The call thermal_zone_get_zone_by_name() used to return the
+thermal zone right away, but recent refactorings in the
+thermal core has changed this so the thermal zone used by
+the battery is probed later, and the call returns -ENODEV.
+
+This was always quite fragile. If we get -ENODEV, then
+return a -EPROBE_DEFER and try again later.
+
+Cc: phone-devel@vger.kernel.org
+Fixes: 2b0e7ac0841b ("power: supply: ab8500: Integrate thermal zone")
+Signed-off-by: Linus Walleij
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/ab8500_btemp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/ab8500_btemp.c b/drivers/power/supply/ab8500_btemp.c
+index 863fabe05bdc..307ee6f71042 100644
+--- a/drivers/power/supply/ab8500_btemp.c
++++ b/drivers/power/supply/ab8500_btemp.c
+@@ -725,7 +725,14 @@ static int ab8500_btemp_probe(struct platform_device *pdev)
+ /* Get thermal zone and ADC */
+ di->tz = thermal_zone_get_zone_by_name("battery-thermal");
+ if (IS_ERR(di->tz)) {
+- return dev_err_probe(dev, PTR_ERR(di->tz),
++ ret = PTR_ERR(di->tz);
++ /*
++ * This usually just means we are probing before the thermal
++ * zone, so just defer.
++ */
++ if (ret == -ENODEV)
++ ret = -EPROBE_DEFER;
++ return dev_err_probe(dev, ret,
+ "failed to get battery thermal zone\n");
+ }
+ di->bat_ctrl = devm_iio_channel_get(dev, "bat_ctrl");
+--
+2.35.1
+
diff --git a/queue-6.0/power-supply-ip5xxx-fix-integer-overflow-in-current_.patch b/queue-6.0/power-supply-ip5xxx-fix-integer-overflow-in-current_.patch
new file mode 100644
index 00000000000..dcfdb79f349
--- /dev/null
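Review bot: Mapping every -ENODEV from thermal_zone_get_zone_by_name() to -EPROBE_DEFER in ab8500_btemp_probe() also covers a "battery-thermal" zone that is never registered, and dev_err_probe() reports deferrals at debug level only, so a permanently missing zone no longer appears as an error in the log. The added comment says "usually"; I would extend it to name that trade-off, for example `* A zone that never appears leaves this driver deferred; see devices_deferred in debugfs.`. The declaration of `ret` and the rest of the probe function are outside the hunk.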
+++ b/queue-6.0/power-supply-ip5xxx-fix-integer-overflow-in-current_.patch
@@ -0,0 +1,41 @@
+From 2b16a3b1c9108e9665ae8f6ff1440e499077fbf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Oct 2022 00:40:52 +0200
+Subject: power: supply: ip5xxx: Fix integer overflow in current_now
+ calculation
+
+From: Ondrej Jirman
+
+[ Upstream commit f9be5cb6c1f0191f8bcf4413b7e17e58e8dfaaa1 ]
+
+When current is larger than ~2A, the multiplication in current_now
+property overflows and the kernel reports invalid negative current
+value. Change the numerator and denominator while preserving their
+ratio to allow up to +-6A before the overflow.
+
+Fixes: 75853406fa27 ("power: supply: Add a driver for Injoinic power bank ICs")
+Signed-off-by: Ondrej Jirman
+Reviewed-by: Samuel Holland
+[use 149197/200 instead of 261095/350 as suggested by Samuel]
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/ip5xxx_power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/ip5xxx_power.c b/drivers/power/supply/ip5xxx_power.c
+index 218e8e689a3f..00221e9c0bfc 100644
+--- a/drivers/power/supply/ip5xxx_power.c
++++ b/drivers/power/supply/ip5xxx_power.c
+@@ -352,7 +352,7 @@ static int ip5xxx_battery_get_property(struct power_supply *psy,
+ ret = ip5xxx_battery_read_adc(ip5xxx, IP5XXX_BATIADC_DAT0,
+ IP5XXX_BATIADC_DAT1, &raw);
+
+- val->intval = DIV_ROUND_CLOSEST(raw * 745985, 1000);
++ val->intval = DIV_ROUND_CLOSEST(raw * 149197, 200);
+ return 0;
+
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+--
+2.35.1
+
diff --git a/queue-6.0/regulator-core-fix-kobject-release-warning-and-memor.patch b/queue-6.0/regulator-core-fix-kobject-release-warning-and-memor.patch
new file mode 100644
index 00000000000..63e0fd35aa3
--- /dev/null
+++ b/queue-6.0/regulator-core-fix-kobject-release-warning-and-memor.patch
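Review bot: The return value of ip5xxx_battery_read_adc() is stored in `ret` but never tested before `raw` is scaled, and the case ends in an unconditional `return 0;`, so a failed register read is reported to user space as a valid current. Add `if (ret) return ret;` between the read and the `val->intval = ...` line; whether `raw` is initialised at its declaration cannot be seen in this hunk. The 149197/200 scaling still overflows beyond roughly 6 A in either direction, as the commit message says, so a 64-bit intermediate would remove the limit rather than move it.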
@@ -0,0 +1,75 @@
+From 025abbf188552a266d0839a73cc04aa35cf4de47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 15:43:39 +0800
+Subject: regulator: core: fix kobject release warning and memory leak in
+ regulator_register()
+
+From: Zeng Heng
+
+[ Upstream commit 5f4b204b6b8153923d5be8002c5f7082985d153f ]
+
+Here is a warning report about lack of registered release()
+from kobject lib:
+
+Device '(null)' does not have a release() function, it is broken and must be fixed.
+WARNING: CPU: 0 PID: 48430 at drivers/base/core.c:2332 device_release+0x104/0x120
+Call Trace:
+ kobject_put+0xdc/0x180
+ put_device+0x1b/0x30
+ regulator_register+0x651/0x1170
+ devm_regulator_register+0x4f/0xb0
+
+When regulator_register() returns fail and directly goto `clean` symbol,
+rdev->dev has not registered release() function yet (which is registered
+by regulator_class in the following), so rdev needs to be freed manually.
+If rdev->dev.of_node is not NULL, which means the of_node has gotten by
+regulator_of_get_init_data(), it needs to call of_node_put() to avoid
+refcount leak.
+
+Otherwise, only calling put_device() would lead memory leak of rdev
+in further:
+
+unreferenced object 0xffff88810d0b1000 (size 2048):
+ comm "107-i2c-rtq6752", pid 48430, jiffies 4342258431 (age 1341.780s)
+ backtrace:
+ kmalloc_trace+0x22/0x110
+ regulator_register+0x184/0x1170
+ devm_regulator_register+0x4f/0xb0
+
+When regulator_register() returns fail and goto `wash` symbol,
+rdev->dev has registered release() function, so directly call
+put_device() to cleanup everything.
+
+Fixes: d3c731564e09 ("regulator: plug of_node leak in regulator_register()'s error path")
+Signed-off-by: Zeng Heng
+Link: https://lore.kernel.org/r/20221116074339.1024240-1-zengheng4@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index c3871565fd7d..5f82a996dbea 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5616,11 +5616,15 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ mutex_lock(®ulator_list_mutex);
+ regulator_ena_gpio_free(rdev);
+ mutex_unlock(®ulator_list_mutex);
++ put_device(&rdev->dev);
++ rdev = NULL;
+ clean:
+ if (dangling_of_gpiod)
+ gpiod_put(config->ena_gpiod);
++ if (rdev && rdev->dev.of_node)
++ of_node_put(rdev->dev.of_node);
++ kfree(rdev);
+ kfree(config);
+- put_device(&rdev->dev);
+ rinse:
+ if (dangling_cfg_gpiod)
+ gpiod_put(cfg->ena_gpiod);
+--
+2.35.1
+
diff --git a/queue-6.0/regulator-core-fix-uaf-in-destroy_regulator.patch b/queue-6.0/regulator-core-fix-uaf-in-destroy_regulator.patch
new file mode 100644
index 00000000000..2e4f4e601ae
--- /dev/null
+++ b/queue-6.0/regulator-core-fix-uaf-in-destroy_regulator.patch
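Review bot: The error path just above `clean:` (the `wash` path, going by the commit message) now relies on falling through into `clean:` with `rdev` set to NULL so that the `of_node_put()` and `kfree(rdev)` added there do nothing, and the code does not say so. A one-line comment after `rdev = NULL;`, such as `/* freed by the release callback; skip the manual free below */`, would keep a later reordering of the labels from turning this into a double free. of_node_put() accepts NULL, so the guard can be shortened to `if (rdev) of_node_put(rdev->dev.of_node);`. The label that starts this path is outside the hunk.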
@@ -0,0 +1,132 @@
+From c9f9a8792ad418097f85dd96ee1bbeb27e789bd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 11:37:06 +0800
+Subject: regulator: core: fix UAF in destroy_regulator()
+
+From: Yang Yingliang
+
+[ Upstream commit 1f386d6894d0f1b7de8ef640c41622ddd698e7ab ]
+
+I got a UAF report as following:
+
+==================================================================
+BUG: KASAN: use-after-free in __lock_acquire+0x935/0x2060
+Read of size 8 at addr ffff88810e838220 by task python3/268
+Call Trace:
+
+ dump_stack_lvl+0x67/0x83
+ print_report+0x178/0x4b0
+ kasan_report+0x90/0x190
+ __lock_acquire+0x935/0x2060
+ lock_acquire+0x156/0x400
+ _raw_spin_lock+0x2a/0x40
+ lockref_get+0x11/0x30
+ simple_recursive_removal+0x41/0x440
+ debugfs_remove.part.12+0x32/0x50
+ debugfs_remove+0x29/0x30
+ _regulator_put.cold.54+0x3e/0x27f
+ regulator_put+0x1f/0x30
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+
+Allocated by task 37:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_slab_alloc+0x5d/0x70
+ slab_post_alloc_hook+0x62/0x510
+ kmem_cache_alloc_lru+0x222/0x5a0
+ __d_alloc+0x31/0x440
+ d_alloc+0x30/0xf0
+ d_alloc_parallel+0xc4/0xd20
+ __lookup_slow+0x15e/0x2f0
+ lookup_one_len+0x13a/0x150
+ start_creating+0xea/0x190
+ debugfs_create_dir+0x1e/0x210
+ create_regulator+0x254/0x4e0
+ _regulator_get+0x2a1/0x467
+ _devm_regulator_get+0x5a/0xb0
+ regulator_virtual_probe+0xb9/0x1a0
+
+Freed by task 30:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x102/0x190
+ kmem_cache_free+0xf6/0x600
+ rcu_core+0x54c/0x12b0
+ __do_softirq+0xf2/0x5e3
+
+Last potentially related work creation:
+ kasan_save_stack+0x1c/0x40
+ __kasan_record_aux_stack+0x98/0xb0
+ call_rcu+0x42/0x700
+ dentry_free+0x6c/0xd0
+ __dentry_kill+0x23b/0x2d0
+ dput.part.31+0x431/0x780
+ simple_recursive_removal+0xa9/0x440
+ debugfs_remove.part.12+0x32/0x50
+ debugfs_remove+0x29/0x30
+ regulator_unregister+0xe3/0x230
+ release_nodes+0x6a/0xa0
+
+==================================================================
+
+Here is how happened:
+
+processor A processor B
+regulator_register()
+ rdev_init_debugfs()
+ rdev->debugfs = debugfs_create_dir()
+ devm_regulator_get()
+ rdev = regulator_dev_lookup()
+ create_regulator(rdev)
+ // using rdev->debugfs as parent
+ debugfs_create_dir(rdev->debugfs)
+
+mfd_remove_devices_fn()
+ release_nodes()
+ regulator_unregister()
+ // free rdev->debugfs
+ debugfs_remove_recursive(rdev->debugfs)
+ release_nodes()
+ destroy_regulator()
+ debugfs_remove_recursive() <- causes UAF
+
+In devm_regulator_get(), after getting rdev, the refcount
+is get, so fix this by moving debugfs_remove_recursive()
+to regulator_dev_release(), then it can be proctected by
+the refcount, the 'rdev->debugfs' can not be freed until
+the refcount is 0.
+
+Fixes: 5de705194e98 ("regulator: Add basic per consumer debugfs")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221116033706.3595812-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 5f82a996dbea..c0f368f1b49f 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5138,6 +5138,7 @@ static void regulator_dev_release(struct device *dev)
+ {
+ struct regulator_dev *rdev = dev_get_drvdata(dev);
+
++ debugfs_remove_recursive(rdev->debugfs);
+ kfree(rdev->constraints);
+ of_node_put(rdev->dev.of_node);
+ kfree(rdev);
+@@ -5653,7 +5654,6 @@ void regulator_unregister(struct regulator_dev *rdev)
+
+ mutex_lock(®ulator_list_mutex);
+
+- debugfs_remove_recursive(rdev->debugfs);
+ WARN_ON(rdev->open_count);
+ regulator_remove_coupling(rdev);
+ unset_regulator_supplies(rdev);
+--
+2.35.1
+
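Review bot: regulator_dev_release() gains `debugfs_remove_recursive(rdev->debugfs);` with no comment on why the removal sits in the release callback instead of regulator_unregister(), although that placement is the entire fix. I would add `/* consumers may still use rdev->debugfs as parent until the last reference is dropped */` above the call. One side effect to confirm: the directory now outlives regulator_unregister() for as long as any consumer holds a reference, so registering a regulator with the same name in that window would presumably find the debugfs name still taken. regulator_unregister() continues outside the second hunk.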
diff --git a/queue-6.0/regulator-rt5759-fix-oob-in-validate_desc.patch b/queue-6.0/regulator-rt5759-fix-oob-in-validate_desc.patch
new file mode 100644
index 00000000000..46a0d33f974
--- /dev/null
+++ b/queue-6.0/regulator-rt5759-fix-oob-in-validate_desc.patch
@@ -0,0 +1,54 @@
+From ff85ee52d9b11cb51f5ad95614fe73fe5a00de1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 17:29:43 +0800
+Subject: regulator: rt5759: fix OOB in validate_desc()
+
+From: Yang Yingliang
+
+[ Upstream commit 7920e0fbced429ab18ad4402e3914146a6a0921b ]
+
+I got the following OOB report:
+
+ BUG: KASAN: slab-out-of-bounds in validate_desc+0xba/0x109
+ Read of size 8 at addr ffff888107db8ff0 by task python3/253
+ Call Trace:
+
+ dump_stack_lvl+0x67/0x83
+ print_report+0x178/0x4b0
+ kasan_report+0x90/0x190
+ validate_desc+0xba/0x109
+ gpiod_set_value_cansleep+0x40/0x5a
+ regulator_ena_gpio_ctrl+0x93/0xfc
+ _regulator_do_enable.cold.61+0x89/0x163
+ set_machine_constraints+0x140a/0x159c
+ regulator_register.cold.73+0x762/0x10cd
+ devm_regulator_register+0x57/0xb0
+ rt5759_probe+0x3a0/0x4ac [rt5759_regulator]
+
+The desc used in validate_desc() is passed from 'reg_cfg.ena_gpiod',
+which is not initialized. Fix this by initializing 'reg_cfg' to 0.
+
+Fixes: 7b36ddb208bd ("regulator: rt5759: Add support for Richtek RT5759 DCDC converter")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221116092943.1668326-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/rt5759-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/rt5759-regulator.c b/drivers/regulator/rt5759-regulator.c
+index 6b96899eb27e..8488417f4b2c 100644
+--- a/drivers/regulator/rt5759-regulator.c
++++ b/drivers/regulator/rt5759-regulator.c
+@@ -243,6 +243,7 @@ static int rt5759_regulator_register(struct rt5759_priv *priv)
+ if (priv->chip_type == CHIP_TYPE_RT5759A)
+ reg_desc->uV_step = RT5759A_STEP_UV;
+
++ memset(®_cfg, 0, sizeof(reg_cfg));
+ reg_cfg.dev = priv->dev;
+ reg_cfg.of_node = np;
+ reg_cfg.init_data = of_get_regulator_init_data(priv->dev, np, reg_desc);
+--
+2.35.1
+
diff --git a/queue-6.0/regulator-twl6030-re-add-twl6032_subclass.patch b/queue-6.0/regulator-twl6030-re-add-twl6032_subclass.patch
new file mode 100644
index 00000000000..f824d271f39
--- /dev/null
+++ b/queue-6.0/regulator-twl6030-re-add-twl6032_subclass.patch
@@ -0,0 +1,47 @@
+From 01f822afe59810dde285365818c62300117094a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Nov 2022 23:12:07 +0100
+Subject: regulator: twl6030: re-add TWL6032_SUBCLASS
+
+From: Andreas Kemnade
+
+[ Upstream commit 3d6c982b26db94cc21bc9f7784f63e8286b7be62 ]
+
+In former times, info->feature was populated via the parent driver
+by pdata/regulator_init_data->driver_data for all regulators when
+USB_PRODUCT_ID_LSB indicates a TWL6032.
+Today, the information is not set, so re-add it at the regulator
+definitions.
+
+Fixes: 25d82337705e2 ("regulator: twl: make driver DT only")
+Signed-off-by: Andreas Kemnade
+Link: https://lore.kernel.org/r/20221120221208.3093727-2-andreas@kemnade.info
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/twl6030-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/twl6030-regulator.c b/drivers/regulator/twl6030-regulator.c
+index 430265c404d6..7c7e3648ea4b 100644
+--- a/drivers/regulator/twl6030-regulator.c
++++ b/drivers/regulator/twl6030-regulator.c
+@@ -530,6 +530,7 @@ static const struct twlreg_info TWL6030_INFO_##label = { \
+ #define TWL6032_ADJUSTABLE_LDO(label, offset) \
+ static const struct twlreg_info TWL6032_INFO_##label = { \
+ .base = offset, \
++ .features = TWL6032_SUBCLASS, \
+ .desc = { \
+ .name = #label, \
+ .id = TWL6032_REG_##label, \
+@@ -562,6 +563,7 @@ static const struct twlreg_info TWLFIXED_INFO_##label = { \
+ #define TWL6032_ADJUSTABLE_SMPS(label, offset) \
+ static const struct twlreg_info TWLSMPS_INFO_##label = { \
+ .base = offset, \
++ .features = TWL6032_SUBCLASS, \
+ .desc = { \
+ .name = #label, \
+ .id = TWL6032_REG_##label, \
+--
+2.35.1
+
diff --git a/queue-6.0/rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch b/queue-6.0/rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch
new file mode 100644
index 00000000000..3fb601618c5
--- /dev/null
+++ b/queue-6.0/rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch
@@ -0,0 +1,173 @@
+From 9403af24c1668ac7399b73a7fce210467644e468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 14:02:28 +0000
+Subject: rxrpc: Fix race between conn bundle lookup and bundle removal
+ [ZDI-CAN-15975]
+
+From: David Howells
+
+[ Upstream commit 3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5 ]
+
+After rxrpc_unbundle_conn() has removed a connection from a bundle, it
+checks to see if there are any conns with available channels and, if not,
+removes and attempts to destroy the bundle.
+
+Whilst it does check after grabbing client_bundles_lock that there are no
+connections attached, this races with rxrpc_look_up_bundle() retrieving the
+bundle, but not attaching a connection for the connection to be attached
+later.
+
+There is therefore a window in which the bundle can get destroyed before we
+manage to attach a new connection to it.
+
+Fix this by adding an "active" counter to struct rxrpc_bundle:
+
+ (1) rxrpc_connect_call() obtains an active count by prepping/looking up a
+ bundle and ditches it before returning.
+
+ (2) If, during rxrpc_connect_call(), a connection is added to the bundle,
+ this obtains an active count, which is held until the connection is
+ discarded.
+
+ (3) rxrpc_deactivate_bundle() is created to drop an active count on a
+ bundle and destroy it when the active count reaches 0. The active
+ count is checked inside client_bundles_lock() to prevent a race with
+ rxrpc_look_up_bundle().
+
+ (4) rxrpc_unbundle_conn() then calls rxrpc_deactivate_bundle().
+
+Fixes: 245500d853e9 ("rxrpc: Rewrite the client connection manager")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-15975
+Signed-off-by: David Howells
+Tested-by: zdi-disclosures@trendmicro.com
+cc: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/ar-internal.h | 1 +
+ net/rxrpc/conn_client.c | 38 +++++++++++++++++++++++---------------
+ 2 files changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 62c70709d798..e0123efa2a62 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -399,6 +399,7 @@ enum rxrpc_conn_proto_state {
+ struct rxrpc_bundle {
+ struct rxrpc_conn_parameters params;
+ refcount_t ref;
++ atomic_t active; /* Number of active users */
+ unsigned int debug_id;
+ bool try_upgrade; /* True if the bundle is attempting upgrade */
+ bool alloc_conn; /* True if someone's getting a conn */
+diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
+index 3c9eeb5b750c..bdb335cb2d05 100644
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -40,6 +40,8 @@ __read_mostly unsigned long rxrpc_conn_idle_client_fast_expiry = 2 * HZ;
+ DEFINE_IDR(rxrpc_client_conn_ids);
+ static DEFINE_SPINLOCK(rxrpc_conn_id_lock);
+
++static void rxrpc_deactivate_bundle(struct rxrpc_bundle *bundle);
++
+ /*
+ * Get a connection ID and epoch for a client connection from the global pool.
+ * The connection struct pointer is then recorded in the idr radix tree. The
+@@ -123,6 +125,7 @@ static struct rxrpc_bundle *rxrpc_alloc_bundle(struct rxrpc_conn_parameters *cp,
+ bundle->params = *cp;
+ rxrpc_get_peer(bundle->params.peer);
+ refcount_set(&bundle->ref, 1);
++ atomic_set(&bundle->active, 1);
+ spin_lock_init(&bundle->channel_lock);
+ INIT_LIST_HEAD(&bundle->waiting_calls);
+ }
+@@ -149,7 +152,7 @@ void rxrpc_put_bundle(struct rxrpc_bundle *bundle)
+
+ dead = __refcount_dec_and_test(&bundle->ref, &r);
+
+- _debug("PUT B=%x %d", d, r);
++ _debug("PUT B=%x %d", d, r - 1);
+ if (dead)
+ rxrpc_free_bundle(bundle);
+ }
+@@ -338,6 +341,7 @@ static struct rxrpc_bundle *rxrpc_look_up_bundle(struct rxrpc_conn_parameters *c
+ rxrpc_free_bundle(candidate);
+ found_bundle:
+ rxrpc_get_bundle(bundle);
++ atomic_inc(&bundle->active);
+ spin_unlock(&local->client_bundles_lock);
+ _leave(" = %u [found]", bundle->debug_id);
+ return bundle;
+@@ -435,6 +439,7 @@ static void rxrpc_add_conn_to_bundle(struct rxrpc_bundle *bundle, gfp_t gfp)
+ if (old)
+ trace_rxrpc_client(old, -1, rxrpc_client_replace);
+ candidate->bundle_shift = shift;
++ atomic_inc(&bundle->active);
+ bundle->conns[i] = candidate;
+ for (j = 0; j < RXRPC_MAXCALLS; j++)
+ set_bit(shift + j, &bundle->avail_chans);
+@@ -725,6 +730,7 @@ int rxrpc_connect_call(struct rxrpc_sock *rx,
+ smp_rmb();
+
+ out_put_bundle:
++ rxrpc_deactivate_bundle(bundle);
+ rxrpc_put_bundle(bundle);
+ out:
+ _leave(" = %d", ret);
+@@ -900,9 +906,8 @@ void rxrpc_disconnect_client_call(struct rxrpc_bundle *bundle, struct rxrpc_call
+ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ {
+ struct rxrpc_bundle *bundle = conn->bundle;
+- struct rxrpc_local *local = bundle->params.local;
+ unsigned int bindex;
+- bool need_drop = false, need_put = false;
++ bool need_drop = false;
+ int i;
+
+ _enter("C=%x", conn->debug_id);
+@@ -921,15 +926,22 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ }
+ spin_unlock(&bundle->channel_lock);
+
+- /* If there are no more connections, remove the bundle */
+- if (!bundle->avail_chans) {
+- _debug("maybe unbundle");
+- spin_lock(&local->client_bundles_lock);
++ if (need_drop) {
++ rxrpc_deactivate_bundle(bundle);
++ rxrpc_put_connection(conn);
++ }
++}
+
+- for (i = 0; i < ARRAY_SIZE(bundle->conns); i++)
+- if (bundle->conns[i])
+- break;
+- if (i == ARRAY_SIZE(bundle->conns) && !bundle->params.exclusive) {
++/*
++ * Drop the active count on a bundle.
++ */
++static void rxrpc_deactivate_bundle(struct rxrpc_bundle *bundle)
++{
++ struct rxrpc_local *local = bundle->params.local;
++ bool need_put = false;
++
++ if (atomic_dec_and_lock(&bundle->active, &local->client_bundles_lock)) {
++ if (!bundle->params.exclusive) {
+ _debug("erase bundle");
+ rb_erase(&bundle->local_node, &local->client_bundles);
+ need_put = true;
+@@ -939,10 +951,6 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ if (need_put)
+ rxrpc_put_bundle(bundle);
+ }
+-
+- if (need_drop)
+- rxrpc_put_connection(conn);
+- _leave("");
+ }
+
+ /*
+--
+2.35.1
+
diff --git a/queue-6.0/s390-ap-fix-memory-leak-in-ap_init_qci_info.patch b/queue-6.0/s390-ap-fix-memory-leak-in-ap_init_qci_info.patch
new file mode 100644
index 00000000000..bec81f9a480
--- /dev/null
+++ b/queue-6.0/s390-ap-fix-memory-leak-in-ap_init_qci_info.patch
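Review bot: struct rxrpc_bundle now carries two counters, `ref` and `active`, and the only description of the new one is `/* Number of active users */`; the rule that `active` decides when a bundle is erased from client_bundles while `ref` decides when it is freed is stated only in the commit message. I would expand the field comment to something like `/* connect calls in progress + attached conns; a non-exclusive bundle is erased from client_bundles when this hits 0 */` and repeat the rule in the header comment of rxrpc_deactivate_bundle(), because a later caller that takes `ref` without `active` would reopen the lookup/removal race this patch closes. In rxrpc_unbundle_conn() the `int i;` context line survives although the loop that used it is removed in the same hunk, so it may now be unused, and the function keeps `_enter()` while the matching `_leave("")` is dropped. Parts of both functions, including the unlock of client_bundles_lock, lie outside the hunks shown.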
@@ -0,0 +1,42 @@
+From 272391e8709498bb3fa9c8f4e38bf8d62cb574c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Nov 2022 11:08:29 +0000
+Subject: s390/ap: fix memory leak in ap_init_qci_info()
+
+From: Wei Yongjun
+
+[ Upstream commit 9ac74f0666ceab0b1047e9d59be846a3345e4e98 ]
+
+If kzalloc() for 'ap_qci_info_old' failed, 'ap_qci_info' shold be
+freed before return. Otherwise it is a memory leak.
+
+Link: https://lore.kernel.org/r/20221114110830.542246-1-weiyongjun@huaweicloud.com
+Fixes: 283915850a44 ("s390/ap: notify drivers on config changed and scan complete callbacks")
+Signed-off-by: Wei Yongjun
+Signed-off-by: Harald Freudenberger
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/crypto/ap_bus.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
+index 59ac98f2bd27..b02c631f3b71 100644
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -233,8 +233,11 @@ static void __init ap_init_qci_info(void)
+ if (!ap_qci_info)
+ return;
+ ap_qci_info_old = kzalloc(sizeof(*ap_qci_info_old), GFP_KERNEL);
+- if (!ap_qci_info_old)
++ if (!ap_qci_info_old) {
++ kfree(ap_qci_info);
++ ap_qci_info = NULL;
+ return;
++ }
+ if (ap_fetch_qci_info(ap_qci_info) != 0) {
+ kfree(ap_qci_info);
+ kfree(ap_qci_info_old);
+--
+2.35.1
+
diff --git a/queue-6.0/s390-crashdump-fix-tod-programmable-field-size.patch b/queue-6.0/s390-crashdump-fix-tod-programmable-field-size.patch
new file mode 100644
index 00000000000..9dd138b8959
--- /dev/null
+++ b/queue-6.0/s390-crashdump-fix-tod-programmable-field-size.patch
@@ -0,0 +1,61 @@
+From 731ddf139d57e96d09c846bc98241acf6a81757d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 13:05:39 +0100
+Subject: s390/crashdump: fix TOD programmable field size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Heiko Carstens
+
+[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ]
+
+The size of the TOD programmable field was incorrectly increased from
+four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU
+save area handling").
+This leads to an elf notes section NT_S390_TODPREG which has a size of
+eight instead of four bytes in case of kdump, however even worse is
+that the contents is incorrect: it is supposed to contain only the
+contents of the TOD programmable field, but in fact contains a mix of
+the TOD programmable field (32 bit upper bits) and parts of the CPU
+timer register (lower 32 bits).
+
+Fix this by simply changing the size of the todpreg field within the
+save area structure. This will implicitly also fix the size of the
+corresponding elf notes sections.
+
+This also gets rid of this compile time warning:
+
+in function ‘fortify_memcpy_chk’,
+ inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2:
+./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’
+ declared with attribute warning: detected read beyond size of field
+ (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling")
+Reviewed-by: Christian Borntraeger
+Signed-off-by: Heiko Carstens
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/crash_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c
+index bad8f47fc5d6..c1b2b0d4af77 100644
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -45,7 +45,7 @@ struct save_area {
+ u64 fprs[16];
+ u32 fpc;
+ u32 prefix;
+- u64 todpreg;
++ u32 todpreg;
+ u64 timer;
+ u64 todcmp;
+ u64 vxrs_low[16];
+--
+2.35.1
+
diff --git a/queue-6.0/s390-dasd-fix-no-record-found-for-raw_track_access.patch b/queue-6.0/s390-dasd-fix-no-record-found-for-raw_track_access.patch
new file mode 100644
index 00000000000..9c15436de44
--- /dev/null
+++ b/queue-6.0/s390-dasd-fix-no-record-found-for-raw_track_access.patch
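Review bot: The narrowed `u32 todpreg` member of `struct save_area` (s390/crashdump patch) carries no comment saying why it must stay 32 bits, although the commit message states that the size of the NT_S390_TODPREG note follows implicitly from this field. A one-line comment above it, for example `/* TOD programmable field is 32 bits; sizeof() of this member sets the NT_S390_TODPREG note size */`, would keep a later cleanup from widening it again and reintroducing the over-read that the fortify warning reported. With `u64 timer` directly after it, the compiler presumably leaves four bytes of padding behind the field unless the struct is packed, which the hunk does not show, so it is worth confirming that no copy spans that boundary. The struct definition starts and ends outside the hunk.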
@@ -0,0 +1,75 @@ +From ef980eda3f3b9fc4dc7fffb28d67a5309af56a18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:07:18 +0100 +Subject: s390/dasd: fix no record found for raw_track_access + +From: Stefan Haberland + +[ Upstream commit 590ce6d96d6a224b470a3862c33a483d5022bfdb ] + +For DASD devices in raw_track_access mode only full track images are +read and written. +For this purpose it is not necessary to do search operation in the +locate record extended function. The documentation even states that +this might fail if the searched record is not found on a track. + +Currently the driver sets a value of 1 in the search field for the first +record after record zero. This is the default for disks not in +raw_track_access mode but record 1 might be missing on a completely +empty track. + +There has not been any problem with this on IBM storage servers but it +might lead to errors with DASD devices on other vendors storage servers. + +Fix this by setting the search field to 0. Record zero is always available +even on a completely empty track. 
+ +Fixes: e4dbb0f2b5dd ("[S390] dasd: Add support for raw ECKD access.") +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Link: https://lore.kernel.org/r/20221123160719.3002694-4-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 3cc93e2e4e15..2dec81e7e6ab 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -4681,7 +4681,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + struct dasd_device *basedev; + struct req_iterator iter; + struct dasd_ccw_req *cqr; +- unsigned int first_offs; + unsigned int trkcount; + unsigned long *idaws; + unsigned int size; +@@ -4715,7 +4714,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + last_trk = (blk_rq_pos(req) + blk_rq_sectors(req) - 1) / + DASD_RAW_SECTORS_PER_TRACK; + trkcount = last_trk - first_trk + 1; +- first_offs = 0; + + if (rq_data_dir(req) == READ) + cmd = DASD_ECKD_CCW_READ_TRACK; +@@ -4759,13 +4757,13 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev, + + if (use_prefix) { + prefix_LRE(ccw++, data, first_trk, last_trk, cmd, basedev, +- startdev, 1, first_offs + 1, trkcount, 0, 0); ++ startdev, 1, 0, trkcount, 0, 0); + } else { + define_extent(ccw++, data, first_trk, last_trk, cmd, basedev, 0); + ccw[-1].flags |= CCW_FLAG_CC; + + data += sizeof(struct DE_eckd_data); +- locate_record_ext(ccw++, data, first_trk, first_offs + 1, ++ locate_record_ext(ccw++, data, first_trk, 0, + trkcount, cmd, basedev, 0, 0); + } + +-- +2.35.1 + diff --git a/queue-6.0/scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch b/queue-6.0/scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch new file mode 100644 index 00000000000..5d5a7958e3b --- /dev/null 
+++ b/queue-6.0/scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch 
@@ -0,0 +1,148 @@
+From 00411eff666d48e8783c9b1634fe9a46acdc2a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 10:48:42 -0800
+Subject: scsi: storvsc: Fix handling of srb_status and capacity change events
+
+From: Michael Kelley
+
+[ Upstream commit b8a5376c321b4669f7ffabc708fd30c3970f3084 ]
+
+Current handling of the srb_status is incorrect. Commit 52e1b3b3daa9
+("scsi: storvsc: Correctly handle multiple flags in srb_status")
+is based on srb_status being a set of flags, when in fact only the
+2 high order bits are flags and the remaining 6 bits are an integer
+status. Because the integer values of interest mostly look like flags,
+the code actually works when treated that way.
+
+But in the interest of correctness going forward, fix this by treating
+the low 6 bits of srb_status as an integer status code. Add handling
+for SRB_STATUS_INVALID_REQUEST, which was the original intent of commit
+52e1b3b3daa9. Furthermore, treat the ERROR, ABORTED, and INVALID_REQUEST
+srb status codes as essentially equivalent for the cases we care about.
+There's no harm in doing so, and it isn't always clear which status code
+current or older versions of Hyper-V report for particular conditions.
+
+Treating the srb status codes as equivalent has the additional benefit
+of ensuring that capacity change events result in an immediate rescan
+so that the new size is known to Linux. Existing code checks SCSI
+sense data for capacity change events when the srb status is ABORTED.
+But capacity change events are also being observed when Hyper-V reports
+the srb status as ERROR. Without the immediate rescan, the new size
+isn't known until something else causes a rescan (such as running
+fdisk to expand a partition), and in the meantime, tools such as "lsblk"
+continue to report the old size.
+
+Fixes: 52e1b3b3daa9 ("scsi: storvsc: Correctly handle multiple flags in srb_status")
+Reported-by: Juan Tian
+Signed-off-by: Michael Kelley
+Link: https://lore.kernel.org/r/1668019722-1983-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/storvsc_drv.c | 69 +++++++++++++++++++-------------------
+ 1 file changed, 34 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 8ced292c4b96..d93604318ecd 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -300,16 +300,21 @@ enum storvsc_request_type {
+ };
+
+ /*
+- * SRB status codes and masks; a subset of the codes used here.
++ * SRB status codes and masks. In the 8-bit field, the two high order bits
++ * are flags, while the remaining 6 bits are an integer status code. The
++ * definitions here include only the subset of the integer status codes that
++ * are tested for in this driver.
+ */
+-
+ #define SRB_STATUS_AUTOSENSE_VALID 0x80
+ #define SRB_STATUS_QUEUE_FROZEN 0x40
+-#define SRB_STATUS_INVALID_LUN 0x20
+-#define SRB_STATUS_SUCCESS 0x01
+-#define SRB_STATUS_ABORTED 0x02
+-#define SRB_STATUS_ERROR 0x04
+-#define SRB_STATUS_DATA_OVERRUN 0x12
++
++/* SRB status integer codes */
++#define SRB_STATUS_SUCCESS 0x01
++#define SRB_STATUS_ABORTED 0x02
++#define SRB_STATUS_ERROR 0x04
++#define SRB_STATUS_INVALID_REQUEST 0x06
++#define SRB_STATUS_DATA_OVERRUN 0x12
++#define SRB_STATUS_INVALID_LUN 0x20
+
+ #define SRB_STATUS(status) \
+ (status & ~(SRB_STATUS_AUTOSENSE_VALID | SRB_STATUS_QUEUE_FROZEN))
+@@ -966,38 +971,25 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
+ void (*process_err_fn)(struct work_struct *work);
+ struct hv_host_device *host_dev = shost_priv(host);
+
+- /*
+- * In some situations, Hyper-V sets multiple bits in the
+- * srb_status, such as ABORTED and ERROR. So process them
+- * individually, with the most specific bits first.
+- */
+-
+- if (vm_srb->srb_status & SRB_STATUS_INVALID_LUN) {
+- set_host_byte(scmnd, DID_NO_CONNECT);
+- process_err_fn = storvsc_remove_lun;
+- goto do_work;
+- }
++ switch (SRB_STATUS(vm_srb->srb_status)) {
++ case SRB_STATUS_ERROR:
++ case SRB_STATUS_ABORTED:
++ case SRB_STATUS_INVALID_REQUEST:
++ if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID) {
++ /* Check for capacity change */
++ if ((asc == 0x2a) && (ascq == 0x9)) {
++ process_err_fn = storvsc_device_scan;
++ /* Retry the I/O that triggered this. */
++ set_host_byte(scmnd, DID_REQUEUE);
++ goto do_work;
++ }
+
+- if (vm_srb->srb_status & SRB_STATUS_ABORTED) {
+- if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID &&
+- /* Capacity data has changed */
+- (asc == 0x2a) && (ascq == 0x9)) {
+- process_err_fn = storvsc_device_scan;
+ /*
+- * Retry the I/O that triggered this.
++ * Otherwise, let upper layer deal with the
++ * error when sense message is present
+ */
+- set_host_byte(scmnd, DID_REQUEUE);
+- goto do_work;
+- }
+- }
+-
+- if (vm_srb->srb_status & SRB_STATUS_ERROR) {
+- /*
+- * Let upper layer deal with error when
+- * sense message is present.
+- */
+- if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)
+ return;
++ }
+
+ /*
+ * If there is an error; offline the device since all
+@@ -1020,6 +1012,13 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
+ default:
+ set_host_byte(scmnd, DID_ERROR);
+ }
++ return;
++
++ case SRB_STATUS_INVALID_LUN:
++ set_host_byte(scmnd, DID_NO_CONNECT);
++ process_err_fn = storvsc_remove_lun;
++ goto do_work;
++
+ }
+ return;
+
+--
+2.35.1
+
diff --git a/queue-6.0/selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch b/queue-6.0/selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch
new file mode 100644
index 00000000000..35e9f8a7c42
--- /dev/null
+++ b/queue-6.0/selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch
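Review bot: The new `switch (SRB_STATUS(vm_srb->srb_status))` in storvsc_handle_error() (storvsc patch) has no `default` label, so every status code other than ERROR, ABORTED, INVALID_REQUEST and INVALID_LUN leaves the switch and reaches the trailing `return;` with nothing to show that this is intended. An explicit `default: break;` with a short comment naming the codes that are deliberately ignored would document that, and would replace the stray blank line before the closing brace. The `SRB_STATUS(status)` macro the switch now depends on expands its argument unparenthesised; `((status) & ~(SRB_STATUS_AUTOSENSE_VALID | SRB_STATUS_QUEUE_FROZEN))` is the safer form. The sense constants `0x2a` and `0x9` would also read better as named values. The function body starts before and continues past the inner hunks.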
@@ -0,0 +1,52 @@ +From 477fd82f0a20f48442f8229106fc7daf2dd26b4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 14:10:46 -0800 +Subject: selftests: mptcp: fix mibit vs mbit mix up + +From: Matthieu Baerts + +[ Upstream commit 3de88b95c4d436d78afc0266a0bed76c35ddeb62 ] + +The estimated time was supposing the rate was expressed in mibit +(bit * 1024^2) but it is in mbit (bit * 1000^2). + +This makes the threshold higher but in a more realistic way to avoid +false positives reported by CI instances. + +Before this patch, the thresholds were at 7561/4005ms and now they are +at 7906/4178ms. + +While at it, also fix a typo in the linked comment, spotted by Mat. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/310 +Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests") +Suggested-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts +Signed-off-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/simult_flows.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/simult_flows.sh b/tools/testing/selftests/net/mptcp/simult_flows.sh +index ffa13a957a36..40aeb5a71a2a 100755 +--- a/tools/testing/selftests/net/mptcp/simult_flows.sh ++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh +@@ -247,9 +247,10 @@ run_test() + tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 + tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 + +- # time is measured in ms, account for transfer size, affegated link speed ++ # time is measured in ms, account for transfer size, aggregated link speed + # and header overhead (10%) +- local time=$((size * 8 * 1000 * 10 / (( $rate1 + $rate2) * 1024 *1024 * 9) )) ++ # ms byte -> bit 10% mbit -> kbit -> bit 10% ++ local time=$((1000 * size * 8 * 10 / ((rate1 + rate2) * 1000 * 1000 * 9) )) + + # mptcp_connect will do some sleeps to allow the 
mp_join handshake + # completion (see mptcp_connect): 200ms on each side, add some slack +-- +2.35.1 + diff --git a/queue-6.0/selftests-mptcp-gives-slow-test-case-more-time.patch b/queue-6.0/selftests-mptcp-gives-slow-test-case-more-time.patch new file mode 100644 index 00000000000..fb8ea44e031 --- /dev/null +++ b/queue-6.0/selftests-mptcp-gives-slow-test-case-more-time.patch 
@@ -0,0 +1,61 @@
+From fe569da15ba7d9824a42099dec5426f49422fb28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 14:10:44 -0800
+Subject: selftests: mptcp: gives slow test-case more time
+
+From: Paolo Abeni
+
+[ Upstream commit 22b29557aef3c9d673c887911b504c6d47009de4 ]
+
+On slow or busy VM, some test-cases still fail because the
+data transfer completes before the endpoint manipulation
+actually took effect.
+
+Address the issue by artificially increasing the runtime for
+the relevant test-cases.
+
+Fixes: ef360019db40 ("selftests: mptcp: signal addresses testcases")
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/309
+Reviewed-by: Mat Martineau
+Signed-off-by: Paolo Abeni
+Signed-off-by: Mat Martineau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+index ff83ef426df5..e52b79440123 100755
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2105,7 +2105,7 @@ remove_tests()
+ pm_nl_set_limits $ns2 1 3
+ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
+- run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 speed_10
+ chk_join_nr 3 3 3
+ chk_add_nr 1 1
+ chk_rm_nr 2 2
+@@ -2118,7 +2118,7 @@ remove_tests()
+ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
+ pm_nl_set_limits $ns2 3 3
+- run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 3 3 3
+ chk_add_nr 3 3
+ chk_rm_nr 3 3 invert
+@@ -2131,7 +2131,7 @@ remove_tests()
+ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal
+ pm_nl_set_limits $ns2 3 3
+- run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 1 1 1
+ chk_add_nr 3 3
+ chk_rm_nr 3 1 invert
+--
+2.35.1
+
diff --git a/queue-6.0/selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch b/queue-6.0/selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch
new file mode 100644
index 00000000000..6fabef08a5e
--- /dev/null
+++ b/queue-6.0/selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch
@@ -0,0 +1,74 @@
+From bf5c39536989746e8d070ee77deecc70bea85d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 14:10:45 -0800
+Subject: selftests: mptcp: run mptcp_sockopt from a new netns
+
+From: Matthieu Baerts
+
+[ Upstream commit 7e68d31020f18f8d695d5f143fc16cdaa96166cb ]
+
+Not running it from a new netns causes issues if some MPTCP settings are
+modified, e.g. if MPTCP is disabled from the sysctl knob, if multiple
+addresses are available and added to the MPTCP path-manager, etc.
+
+In these cases, the created connection will not behave as expected, e.g.
+unable to create an MPTCP socket, more than one subflow is seen, etc.
+
+A new "sandbox" net namespace is now created and used to run
+mptcp_sockopt from this controlled environment.
+
+Fixes: ce9979129a0b ("selftests: mptcp: add mptcp getsockopt test cases")
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts
+Signed-off-by: Mat Martineau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+index 0879da915014..80d36f7cfee8 100755
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -35,8 +36,9 @@ init()
+
+ ns1="ns1-$rndh"
+ ns2="ns2-$rndh"
++ ns_sbox="ns_sbox-$rndh"
+
+- for netns in "$ns1" "$ns2";do
++ for netns in "$ns1" "$ns2" "$ns_sbox";do
+ ip netns add $netns || exit $ksft_skip
+ ip -net $netns link set lo up
+ ip netns exec $netns sysctl -q net.mptcp.enabled=1
+@@ -73,7 +74,7 @@ init()
+
+ cleanup()
+ {
+- for netns in "$ns1" "$ns2"; do
++ for netns in "$ns1" "$ns2" "$ns_sbox"; do
+ ip netns del $netns
+ done
+ rm -f "$cin" "$cout"
+@@ -243,7 +244,7 @@ do_mptcp_sockopt_tests()
+ {
+ local lret=0
+
+- ./mptcp_sockopt
++ ip netns exec "$ns_sbox" ./mptcp_sockopt
+ lret=$?
+
+ if [ $lret -ne 0 ]; then
+@@ -252,7 +253,7 @@ do_mptcp_sockopt_tests()
+ return
+ fi
+
+- ./mptcp_sockopt -6
++ ip netns exec "$ns_sbox" ./mptcp_sockopt -6
+ lret=$?
+
+ if [ $lret -ne 0 ]; then
+--
+2.35.1
+
diff --git a/queue-6.0/series b/queue-6.0/series
index 8b836af5610..4fcef768f4b 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -41,3 +41,119 @@ alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch
 risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch
 mips-pic32-treat-port-as-signed-integer.patch
 io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch
+xfrm-fix-disable_policy-on-ipv4-early-demux.patch
+arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch
+xfrm-replay-fix-esn-wrap-around-for-gso.patch
+af_key-fix-send_acquire-race-with-pfkey_register.patch
+power-supply-ip5xxx-fix-integer-overflow-in-current_.patch
+power-supply-ab8500-defer-thermal-zone-probe.patch
+arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch
+asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch
+asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch
+asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch
+asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch
+asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch
+asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch
+x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch
+scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch
+pci-hv-only-reuse-existing-irte-allocation-for-multi.patch
+arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch
+asoc-max98373-add-checks-for-devm_kcalloc.patch
+regulator-core-fix-kobject-release-warning-and-memor.patch
+regulator-rt5759-fix-oob-in-validate_desc.patch
+spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch
+regulator-core-fix-uaf-in-destroy_regulator.patch
+bus-sunxi-rsb-remove-the-shutdown-callback.patch
+bus-sunxi-rsb-support-atomic-transfers.patch
+tee-optee-fix-possible-memory-leak-in-optee_register.patch
+spi-tegra210-quad-fix-duplicate-resource-error.patch
+arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch
+selftests-mptcp-gives-slow-test-case-more-time.patch
+selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch
+selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch
+net-liquidio-simplify-if-expression.patch
+net-neigh-decrement-the-family-specific-qlen.patch
+ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch
+rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch
+net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch
+nfc-nci-fix-race-with-opening-and-closing.patch
+net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch
+9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch
+netfilter-conntrack-fix-data-races-around-ct-mark.patch
+netfilter-nf_tables-do-not-set-up-extensions-for-end.patch
+iavf-fix-a-crash-during-reset-task.patch
+iavf-do-not-restart-tx-queues-after-reset-task-failu.patch
+iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch
+iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch
+arm-mxs-fix-memory-leak-in-mxs_machine_init.patch
+arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch
+net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch
+net-mlx4-check-retval-of-mlx4_bitmap_init.patch
+net-mvpp2-fix-possible-invalid-pointer-dereference.patch
+net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
+octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch
+net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
+nfp-fill-splittable-of-devlink_port_attrs-correctly.patch
+nfp-add-port-from-netdev-validation-for-eeprom-acces.patch
+bonding-fix-icmpv6-header-handling-when-receiving-ip.patch
+macsec-fix-invalid-error-code-set.patch
+drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch
+drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch
+drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch
+netfilter-ipset-regression-in-ip_set_hash_ip.c.patch
+net-mlx5-do-not-query-pci-info-while-pci-disabled.patch
+net-mlx5-fix-fw-tracer-timestamp-calculation.patch
+net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch
+net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch
+net-mlx5-fix-handling-of-entry-refcount-when-command.patch
+net-mlx5-e-switch-set-correctly-vport-destination.patch
+net-mlx5-fix-sync-reset-event-handler-error-flow.patch
+net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch
+net-phy-at803x-fix-error-return-code-in-at803x_probe.patch
+tipc-set-con-sock-in-tipc_conn_alloc.patch
+tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
+tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
+zonefs-fix-race-between-modprobe-and-mount.patch
+xfrm-fix-oops-in-__xfrm_state_delete.patch
+xfrm-fix-ignored-return-value-in-xfrm6_init.patch
+net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch
+sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch
+net-sparx5-fix-error-handling-in-sparx5_port_open.patch
+net-sched-allow-act_ct-to-be-built-without-nf_nat.patch
+nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
+regulator-twl6030-re-add-twl6032_subclass.patch
+bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
+dma-buf-fix-racing-conflict-of-dma_heap_add.patch
+tsnep-fix-rotten-packets.patch
+cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch
+netfilter-ipset-restore-allowing-64-clashing-element.patch
+netfilter-flowtable_offload-add-missing-locking.patch
+fs-do-not-update-freeing-inode-i_io_list.patch
+blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch
+test_kprobes-fix-implicit-declaration-error-of-test_.patch
+dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch
+net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch
+net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch
+net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch
+net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch
+ipv4-fix-error-return-code-in-fib_table_insert.patch
+arcnet-fix-potential-memory-leak-in-com20020_probe.patch
+net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch
+net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch
+s390-ap-fix-memory-leak-in-ap_init_qci_info.patch
+s390-dasd-fix-no-record-found-for-raw_track_access.patch
+fscache-fix-oob-read-in-__fscache_acquire_volume.patch
+nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch
+nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch
+nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch
+net-marvell-prestera-add-missing-unregister_netdev-i.patch
+net-enetc-cache-accesses-to-priv-si-hw.patch
+net-enetc-preserve-tx-ring-priority-across-reconfigu.patch
+octeontx2-pf-add-check-for-devm_kcalloc.patch
+net-wwan-t7xx-fix-the-acpi-memory-leak.patch
+virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch
+octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch
+net-thunderx-fix-the-acpi-memory-leak.patch
+s390-crashdump-fix-tod-programmable-field-size.patch
+io_uring-filetable-fix-file-reference-underflow.patch
+io_uring-poll-fix-poll_refs-race-with-cancelation.patch
diff --git a/queue-6.0/sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch b/queue-6.0/sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch
new file mode 100644
index 00000000000..3cacbadd54f
--- /dev/null
+++ b/queue-6.0/sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch
@@ -0,0 +1,38 @@
+From e876771de81ea88eb1c3c4994e01626c211e5887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 15:50:09 +0800
+Subject: sfc: fix potential memleak in __ef100_hard_start_xmit()
+
+From: Zhang Changzhong
+
+[ Upstream commit aad98abd5cb8133507f22654f56bcb443aaa2d89 ]
+
+The __ef100_hard_start_xmit() returns NETDEV_TX_OK without freeing skb
+in error handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: 51b35a454efd ("sfc: skeleton EF100 PF driver")
+Signed-off-by: Zhang Changzhong
+Acked-by: Martin Habets
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/1668671409-10909-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/ef100_netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c
+index 17b9d37218cb..4c33c3b5f32b 100644
+--- a/drivers/net/ethernet/sfc/ef100_netdev.c
++++ b/drivers/net/ethernet/sfc/ef100_netdev.c
+@@ -217,6 +217,7 @@ netdev_tx_t __ef100_hard_start_xmit(struct sk_buff *skb,
+ skb->len, skb->data_len, channel->channel);
+ if (!efx->n_channels || !efx->n_tx_channels || !channel) {
+ netif_stop_queue(net_dev);
++ dev_kfree_skb_any(skb);
+ goto err;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch b/queue-6.0/spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch
new file mode 100644
index 00000000000..5831c07eb96
--- /dev/null
+++ b/queue-6.0/spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch
@@ -0,0 +1,47 @@
+From f7241f155d060a82288e0ab59eb0ee5d640ddf35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 17:32:04 +0800
+Subject: spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld()
+
+From: Xiongfeng Wang
+
+[ Upstream commit 804313b64e412a81b0b3389a10e7622452004aa6 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev. Since 'dma_dev' is only used to filter the channel in
+dw_spi_dma_chan_filer() after using it we need to call pci_dev_put() to
+decrease the reference count. Also add pci_dev_put() for the error case.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Xiongfeng Wang
+Acked-by: Serge Semin
+Link: https://lore.kernel.org/r/20221116093204.46700-1-wangxiongfeng2@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw-dma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
+index 1322b8cce5b7..ababb910b391 100644
+--- a/drivers/spi/spi-dw-dma.c
++++ b/drivers/spi/spi-dw-dma.c
+@@ -128,12 +128,15 @@ static int dw_spi_dma_init_mfld(struct device *dev, struct dw_spi *dws)
+
+ dw_spi_dma_sg_burst_init(dws);
+
++ pci_dev_put(dma_dev);
++
+ return 0;
+
+ free_rxchan:
+ dma_release_channel(dws->rxchan);
+ dws->rxchan = NULL;
+ err_exit:
++ pci_dev_put(dma_dev);
+ return -EBUSY;
+ }
+
+--
+2.35.1
+
diff --git a/queue-6.0/spi-tegra210-quad-fix-duplicate-resource-error.patch b/queue-6.0/spi-tegra210-quad-fix-duplicate-resource-error.patch
new file mode 100644
index 00000000000..4078e33f934
--- /dev/null
+++ b/queue-6.0/spi-tegra210-quad-fix-duplicate-resource-error.patch
@@ -0,0 +1,42 @@
+From 74098bfbf6d561738dbeb85457b8c234fabe7f21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Nov 2022 12:33:20 +0530
+Subject: spi: tegra210-quad: Fix duplicate resource error
+
+From: Krishna Yarlagadda
+
+[ Upstream commit 2197aa6b0aa236b9896a09b9d08d6924d18b84f6 ]
+
+controller data alloc is done with client device data causing duplicate
+resource error. Allocate memory using controller device when using devm
+
+Fixes: f89d2cc3967a ("spi: tegra210-quad: use devm call for cdata memory")
+
+Signed-off-by: Krishna Yarlagadda
+Reviewed-by: Jon Hunter
+Tested-by: Jon Hunter
+Link: https://lore.kernel.org/r/20221117070320.18720-1-kyarlagadda@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-tegra210-quad.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 10f0c5a6e0dc..9f356612ba7e 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -924,8 +924,9 @@ static int tegra_qspi_start_transfer_one(struct spi_device *spi,
+ static struct tegra_qspi_client_data *tegra_qspi_parse_cdata_dt(struct spi_device *spi)
+ {
+ struct tegra_qspi_client_data *cdata;
++ struct tegra_qspi *tqspi = spi_master_get_devdata(spi->master);
+
+- cdata = devm_kzalloc(&spi->dev, sizeof(*cdata), GFP_KERNEL);
++ cdata = devm_kzalloc(tqspi->dev, sizeof(*cdata), GFP_KERNEL);
+ if (!cdata)
+ return NULL;
+
+--
+2.35.1
+
diff --git a/queue-6.0/tee-optee-fix-possible-memory-leak-in-optee_register.patch b/queue-6.0/tee-optee-fix-possible-memory-leak-in-optee_register.patch
new file mode 100644
index 00000000000..61efefa2260
--- /dev/null
+++ b/queue-6.0/tee-optee-fix-possible-memory-leak-in-optee_register.patch
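Review bot: Allocating `cdata` with `devm_kzalloc(tqspi->dev, ...)` in tegra_qspi_parse_cdata_dt() (tegra210-quad patch) ties each block's lifetime to the controller device instead of the client, and nothing in the hunk says who releases it when a client goes away. If this parser runs on every setup of a client device (its caller is outside the hunk), repeated client bind and unbind cycles would presumably leave one block per cycle attached to the controller until the controller itself is unbound. A comment on the allocation stating the intended owner would settle it, for example `/* owned by the controller: devm on &spi->dev caused the duplicate resource error */`, and if the driver has a per-client cleanup path, a matching `devm_kfree(tqspi->dev, cdata)` there would bound the growth. The function body continues past the end of the hunk.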
@@ -0,0 +1,41 @@
+From 65e10427888380aa71e8110b8a01296fbcc8bad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 22:01:24 +0800
+Subject: tee: optee: fix possible memory leak in optee_register_device()
+
+From: Yang Yingliang
+
+[ Upstream commit cce616e012c215d65c15e5d1afa73182dea49389 ]
+
+If device_register() returns error in optee_register_device(),
+the name allocated by dev_set_name() need be freed. As comment
+of device_register() says, it should use put_device() to give
+up the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup(),
+and optee_device is freed in optee_release_device().
+
+Fixes: c3fa24af9244 ("tee: optee: add TEE bus device enumeration support")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Sumit Garg
+Signed-off-by: Jens Wiklander
+Signed-off-by: Sasha Levin
+---
+ drivers/tee/optee/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tee/optee/device.c b/drivers/tee/optee/device.c
+index f3947be13e2e..64f0e047c23d 100644
+--- a/drivers/tee/optee/device.c
++++ b/drivers/tee/optee/device.c
+@@ -80,7 +80,7 @@ static int optee_register_device(const uuid_t *device_uuid)
+ rc = device_register(&optee_device->dev);
+ if (rc) {
+ pr_err("device registration failed, err: %d\n", rc);
+- kfree(optee_device);
++ put_device(&optee_device->dev);
+ }
+
+ return rc;
+--
+2.35.1
+
diff --git a/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_.patch b/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_.patch
new file mode 100644
index 00000000000..0f7032fbd72
--- /dev/null
+++ b/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_.patch
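Review bot: The failure branch of optee_register_device() now frees `optee_device` only through the device release callback, and nothing on the new line says so; the commit message names optee_release_device(), which is not visible in the hunk. A short comment would keep a later cleanup from reintroducing the direct free: `/* device_register() failed: put_device() frees the name and optee_device via the release callback, do not kfree() here */`. The function body starts outside the hunk.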
@@ -0,0 +1,49 @@
+From e3a2dc6aa55c599d683542158592648717d09312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Nov 2022 11:06:20 +0800
+Subject: test_kprobes: fix implicit declaration error of test_kprobes
+
+From: Li Hua
+
+[ Upstream commit de3db3f883a82c4800f4af0ae2cc3b96a408ee9b ]
+
+If KPROBES_SANITY_TEST and ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled, but
+STACKTRACE is not set. Build failed as below:
+
+lib/test_kprobes.c: In function `stacktrace_return_handler':
+lib/test_kprobes.c:228:8: error: implicit declaration of function `stack_trace_save'; did you mean `stacktrace_driver'? [-Werror=implicit-function-declaration]
+ ret = stack_trace_save(stack_buf, STACK_BUF_SIZE, 0);
+ ^~~~~~~~~~~~~~~~
+ stacktrace_driver
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'lib/test_kprobes.o' failed
+make[2]: *** [lib/test_kprobes.o] Error 1
+
+To fix this error, Select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled.
+
+Link: https://lkml.kernel.org/r/20221121030620.63181-1-hucool.lihua@huawei.com
+Fixes: 1f6d3a8f5e39 ("kprobes: Add a test case for stacktrace from kretprobe handler")
+Signed-off-by: Li Hua
+Acked-by: Masami Hiramatsu (Google)
+Cc: Steven Rostedt (VMware)
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index cb131fad117c..997d23641448 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2095,6 +2095,7 @@ config KPROBES_SANITY_TEST
+ depends on DEBUG_KERNEL
+ depends on KPROBES
+ depends on KUNIT
++ select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ default KUNIT_ALL_TESTS
+ help
+ This option provides for testing basic kprobes functionality on
+--
+2.35.1
+
diff --git a/queue-6.0/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/queue-6.0/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
new file mode 100644
index 00000000000..33485efcd2a
--- /dev/null
+++ b/queue-6.0/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
@@ -0,0 +1,84 @@
+From 8593526f6388b13cae2cf18b269a4dbfa2817fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Nov 2022 16:45:01 -0500
+Subject: tipc: add an extra conn_get in tipc_conn_alloc
+
+From: Xin Long
+
+[ Upstream commit a7b42969d63f47320853a802efd879fbdc4e010e ]
+
+One extra conn_get() is needed in tipc_conn_alloc(), as after
+tipc_conn_alloc() is called, tipc_conn_close() may free this
+con before deferencing it in tipc_topsrv_accept():
+
+ tipc_conn_alloc();
+ newsk = newsock->sk;
+ <---- tipc_conn_close();
+ write_lock_bh(&sk->sk_callback_lock);
+ newsk->sk_data_ready = tipc_conn_data_ready;
+
+Then an uaf issue can be triggered:
+
+ BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x46
+ print_report+0x178/0x4b0
+ kasan_report+0x8c/0x100
+ kasan_check_range+0x179/0x1e0
+ tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ process_one_work+0x6a3/0x1030
+ worker_thread+0x8a/0xdf0
+
+This patch fixes it by holding it in tipc_conn_alloc(), then after
+all accessing in tipc_topsrv_accept() releasing it. Note when does
+this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns
+0 or -1 only, we don't need to check for "> 0".
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/topsrv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index b0f9aa521670..e3b427a70398 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
+ con->sock = sock;
++ conn_get(con);
+ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+@@ -484,6 +485,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+
+ /* Wake up receive process in case of 'SYN+' message */
+ newsk->sk_data_ready(newsk);
++ conn_put(con);
+ }
+ }
+
+@@ -583,10 +585,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+
+ *conid = con->conid;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+- if (rc >= 0)
+- return true;
++ if (rc)
++ conn_put(con);
++
+ conn_put(con);
+- return false;
++ return !rc;
+ }
+
+ void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
+--
+2.35.1
+
diff --git a/queue-6.0/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch b/queue-6.0/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
new file mode 100644
index 00000000000..20dc643a32e
--- /dev/null
+++ b/queue-6.0/tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
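Review bot: In tipc_topsrv_kern_subscr() the failure path now drops two references (`if (rc) conn_put(con);` followed by the unconditional `conn_put(con);`) and nothing says which reference each call releases, so the pairing with the `conn_get(con)` added in tipc_conn_alloc() is easy to break in a later edit. I would comment both puts, for example `/* failure: also drop the reference that keeps the connection alive */` on the conditional one and `/* drop the reference taken in tipc_conn_alloc() */` on the second. `*conid` is still written before `rc` is checked, so on failure the caller is handed the id of a connection that has just been released; the callers are outside these hunks, but resetting it on the error path looks safer. All three functions continue outside their hunks.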
@@ -0,0 +1,41 @@
+From 8f2a99331d690acddf5b6b48ae0655901ae85691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Nov 2022 15:28:32 +0800
+Subject: tipc: check skb_linearize() return value in tipc_disc_rcv()
+
+From: YueHaibing
+
+[ Upstream commit cd0f6421162201e4b22ce757a1966729323185eb ]
+
+If skb_linearize() fails in tipc_disc_rcv(), we need to free the skb instead of
+handle it.
+
+Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values")
+Signed-off-by: YueHaibing
+Acked-by: Jon Maloy
+Link: https://lore.kernel.org/r/20221119072832.7896-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/discover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/discover.c b/net/tipc/discover.c
+index e8630707901e..e8dcdf267c0c 100644
+--- a/net/tipc/discover.c
++++ b/net/tipc/discover.c
+@@ -211,7 +211,10 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb,
+ u32 self;
+ int err;
+
+- skb_linearize(skb);
++ if (skb_linearize(skb)) {
++ kfree_skb(skb);
++ return;
++ }
+ hdr = buf_msg(skb);
+
+ if (caps & TIPC_NODE_ID128)
+--
+2.35.1
+
diff --git a/queue-6.0/tipc-set-con-sock-in-tipc_conn_alloc.patch b/queue-6.0/tipc-set-con-sock-in-tipc_conn_alloc.patch
new file mode 100644
index 00000000000..49af9e65244
--- /dev/null
+++ b/queue-6.0/tipc-set-con-sock-in-tipc_conn_alloc.patch
@@ -0,0 +1,106 @@ +From 7e9335d9ca87109b511eb3cb4989f6321fda2f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:45:00 -0500 +Subject: tipc: set con sock in tipc_conn_alloc + +From: Xin Long + +[ Upstream commit 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 ] + +A crash was reported by Wei Chen: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:tipc_conn_close+0x12/0x100 + Call Trace: + tipc_topsrv_exit_net+0x139/0x320 + ops_exit_list.isra.9+0x49/0x80 + cleanup_net+0x31a/0x540 + process_one_work+0x3fa/0x9f0 + worker_thread+0x42/0x5c0 + +It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(), +con is allocated in conn_idr then its sock is set: + + con = tipc_conn_alloc(); + ... <----[1] + con->sock = newsock; + +If tipc_conn_close() is called in anytime of [1], the null-pointer-def +is triggered by con->sock->sk due to con->sock is not yet set. + +This patch fixes it by moving the con->sock setting to tipc_conn_alloc() +under s->idr_lock. So that con->sock can never be NULL when getting the +con from s->conn_idr. It will be also safer to move con->server and flag +CF_CONNECTED setting under s->idr_lock, as they should all be set before +tipc_conn_alloc() is called. 
+ +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Reported-by: Wei Chen +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/topsrv.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index d92ec92f0b71..b0f9aa521670 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -176,7 +176,7 @@ static void tipc_conn_close(struct tipc_conn *con) + conn_put(con); + } + +-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) ++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock) + { + struct tipc_conn *con; + int ret; +@@ -202,10 +202,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) + } + con->conid = ret; + s->idr_in_use++; +- spin_unlock_bh(&s->idr_lock); + + set_bit(CF_CONNECTED, &con->flags); + con->server = s; ++ con->sock = sock; ++ spin_unlock_bh(&s->idr_lock); + + return con; + } +@@ -467,7 +468,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + ret = kernel_accept(lsock, &newsock, O_NONBLOCK); + if (ret < 0) + return; +- con = tipc_conn_alloc(srv); ++ con = tipc_conn_alloc(srv, newsock); + if (IS_ERR(con)) { + ret = PTR_ERR(con); + sock_release(newsock); +@@ -479,7 +480,6 @@ static void tipc_topsrv_accept(struct work_struct *work) + newsk->sk_data_ready = tipc_conn_data_ready; + newsk->sk_write_space = tipc_conn_write_space; + newsk->sk_user_data = con; +- con->sock = newsock; + write_unlock_bh(&newsk->sk_callback_lock); + + /* Wake up receive process in case of 'SYN+' message */ +@@ -577,12 +577,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + sub.filter = filter; + *(u64 *)&sub.usr_handle = (u64)port; + +- con = tipc_conn_alloc(tipc_topsrv(net)); ++ con = tipc_conn_alloc(tipc_topsrv(net), NULL); + if (IS_ERR(con)) + return false; + + *conid = con->conid; +- con->sock = NULL; + rc = 
tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); + if (rc >= 0) + return true; +-- +2.35.1 + diff --git a/queue-6.0/tsnep-fix-rotten-packets.patch b/queue-6.0/tsnep-fix-rotten-packets.patch new file mode 100644 index 00000000000..39593d246da --- /dev/null +++ b/queue-6.0/tsnep-fix-rotten-packets.patch 
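Review bot: tipc_topsrv_kern_subscr() now calls `tipc_conn_alloc(tipc_topsrv(net), NULL)`, so kernel-internal connections are still published in `conn_idr` with `con->sock == NULL`, while the commit message says the sock can never be NULL once a connection is reachable from the idr. The crash being fixed is a `con->sock->sk` dereference in tipc_conn_close(), whose body is outside these hunks; it should be confirmed that a connection created with a NULL sock can never reach that function, for example on the namespace-exit path shown in the quoted trace, or a NULL guard belongs there. At minimum the new parameter deserves a comment in tipc_conn_alloc(): `/* sock is NULL for kernel-internal subscriptions */`.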
@@ -0,0 +1,125 @@ +From 70f281401e14f9d20458d8fa333d57740f33819b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 22:18:25 +0100 +Subject: tsnep: Fix rotten packets + +From: Gerhard Engleder + +[ Upstream commit 2dc4ac91f845b690ddf2ad39172c3698b2769fa2 ] + +If PTP synchronisation is done every second, then sporadic the interval +is higher than one second: + +ptp4l[696.582]: master offset -17 s2 freq -1891 path delay 573 +ptp4l[697.582]: master offset -22 s2 freq -1901 path delay 573 +ptp4l[699.368]: master offset -1 s2 freq -1887 path delay 573 + ^^^^^^^ Should be 698.582! + +This problem is caused by rotten packets, which are received after +polling but before interrupts are enabled again. This can be fixed by +checking for pending work and rescheduling if necessary after interrupts +has been enabled again. + +Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver") +Signed-off-by: Gerhard Engleder +Link: https://lore.kernel.org/r/20221119211825.81805-1-gerhard@engleder-embedded.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/engleder/tsnep_main.c | 57 +++++++++++++++++++++- + 1 file changed, 56 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c +index a5f7152a1716..6a2617cc5490 100644 +--- a/drivers/net/ethernet/engleder/tsnep_main.c ++++ b/drivers/net/ethernet/engleder/tsnep_main.c +@@ -504,6 +504,27 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget) + return (budget != 0); + } + ++static bool tsnep_tx_pending(struct tsnep_tx *tx) ++{ ++ unsigned long flags; ++ struct tsnep_tx_entry *entry; ++ bool pending = false; ++ ++ spin_lock_irqsave(&tx->lock, flags); ++ ++ if (tx->read != tx->write) { ++ entry = &tx->entry[tx->read]; ++ if ((__le32_to_cpu(entry->desc_wb->properties) & ++ TSNEP_TX_DESC_OWNER_MASK) == ++ (entry->properties & TSNEP_TX_DESC_OWNER_MASK)) ++ pending = true; ++ } ++ ++ 
spin_unlock_irqrestore(&tx->lock, flags); ++ ++ return pending; ++} ++ + static int tsnep_tx_open(struct tsnep_adapter *adapter, void __iomem *addr, + struct tsnep_tx *tx) + { +@@ -751,6 +772,19 @@ static int tsnep_rx_poll(struct tsnep_rx *rx, struct napi_struct *napi, + return done; + } + ++static bool tsnep_rx_pending(struct tsnep_rx *rx) ++{ ++ struct tsnep_rx_entry *entry; ++ ++ entry = &rx->entry[rx->read]; ++ if ((__le32_to_cpu(entry->desc_wb->properties) & ++ TSNEP_DESC_OWNER_COUNTER_MASK) == ++ (entry->properties & TSNEP_DESC_OWNER_COUNTER_MASK)) ++ return true; ++ ++ return false; ++} ++ + static int tsnep_rx_open(struct tsnep_adapter *adapter, void __iomem *addr, + struct tsnep_rx *rx) + { +@@ -795,6 +829,17 @@ static void tsnep_rx_close(struct tsnep_rx *rx) + tsnep_rx_ring_cleanup(rx); + } + ++static bool tsnep_pending(struct tsnep_queue *queue) ++{ ++ if (queue->tx && tsnep_tx_pending(queue->tx)) ++ return true; ++ ++ if (queue->rx && tsnep_rx_pending(queue->rx)) ++ return true; ++ ++ return false; ++} ++ + static int tsnep_poll(struct napi_struct *napi, int budget) + { + struct tsnep_queue *queue = container_of(napi, struct tsnep_queue, +@@ -815,9 +860,19 @@ static int tsnep_poll(struct napi_struct *napi, int budget) + if (!complete) + return budget; + +- if (likely(napi_complete_done(napi, done))) ++ if (likely(napi_complete_done(napi, done))) { + tsnep_enable_irq(queue->adapter, queue->irq_mask); + ++ /* reschedule if work is already pending, prevent rotten packets ++ * which are transmitted or received after polling but before ++ * interrupt enable ++ */ ++ if (tsnep_pending(queue)) { ++ tsnep_disable_irq(queue->adapter, queue->irq_mask); ++ napi_schedule(napi); ++ } ++ } ++ + return min(done, budget - 1); + } + +-- +2.35.1 + diff --git a/queue-6.0/virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch b/queue-6.0/virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch new file mode 100644 index 00000000000..2c941d76abb --- /dev/null 
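Review bot: tsnep_rx_pending() reads `rx->read` and the write-back descriptor with no lock, while tsnep_tx_pending() just above takes `tx->lock` for the equivalent check, and the asymmetry is not explained. If the RX ring is only ever touched from NAPI poll context that is fine (the rest of the RX path is outside the hunks), and a one-line comment such as `/* rx ring is only accessed from NAPI context, no locking needed */` would record it. As a style point, tsnep_rx_pending() and tsnep_pending() can return the condition directly instead of `if (...) return true; return false;`.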
+++ b/queue-6.0/virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch 
@@ -0,0 +1,85 @@
+From 3e369b6b4a4d52c75e81457fb2f1685c529ee137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 23:00:46 +0800
+Subject: virtio_net: Fix probe failed when modprobe virtio_net
+
+From: Li Zetao
+
+[ Upstream commit b0686565946368892c2cdf92f102392e24823588 ]
+
+When doing the following test steps, an error was found:
+ step 1: modprobe virtio_net succeeded
+ # modprobe virtio_net <-- OK
+
+ step 2: fault injection in register_netdevice()
+ # modprobe -r virtio_net <-- OK
+ # ...
+ FAULT_INJECTION: forcing a failure.
+ name failslab, interval 1, probability 0, space 0, times 0
+ CPU: 0 PID: 3521 Comm: modprobe
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ Call Trace:
+
+ ...
+ should_failslab+0xa/0x20
+ ...
+ dev_set_name+0xc0/0x100
+ netdev_register_kobject+0xc2/0x340
+ register_netdevice+0xbb9/0x1320
+ virtnet_probe+0x1d72/0x2658 [virtio_net]
+ ...
+
+ virtio_net: probe of virtio0 failed with error -22
+
+ step 3: modprobe virtio_net failed
+ # modprobe virtio_net <-- failed
+ virtio_net: probe of virtio0 failed with error -2
+
+The root cause of the problem is that the queues are not
+disable on the error handling path when register_netdevice()
+fails in virtnet_probe(), resulting in an error "-ENOENT"
+returned in the next modprobe call in setup_vq().
+
+virtio_pci_modern_device uses virtqueues to send or
+receive message, and "queue_enable" records whether the
+queues are available. In vp_modern_find_vqs(), all queues
+will be selected and activated, but once queues are enabled
+there is no way to go back except reset.
+
+Fix it by reset virtio device on error handling path. This
+makes error handling follow the same order as normal device
+cleanup in virtnet_remove() which does: unregister, destroy
+failover, then reset. And that flow is better tested than
+error handling so we can be reasonably sure it works well.
+
+Fixes: 024655555021 ("virtio_net: fix use after free on allocation failure")
+Signed-off-by: Li Zetao
+Acked-by: Michael S. Tsirkin
+Link: https://lore.kernel.org/r/20221122150046.3910638-1-lizetao1@huawei.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/virtio_net.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 9cce7dec7366..f5c88d232b11 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3933,12 +3933,11 @@ static int virtnet_probe(struct virtio_device *vdev)
+ return 0;
+
+ free_unregister_netdev:
+- virtio_reset_device(vdev);
+-
+ unregister_netdev(dev);
+ free_failover:
+ net_failover_destroy(vi->failover);
+ free_vqs:
++ virtio_reset_device(vdev);
+ cancel_delayed_work_sync(&vi->refill);
+ free_receive_page_frags(vi);
+ virtnet_del_vqs(vi);
+--
+2.35.1
+
diff --git a/queue-6.0/x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch b/queue-6.0/x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch
new file mode 100644
index 00000000000..227da423a92
--- /dev/null
+++ b/queue-6.0/x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch
@@ -0,0 +1,125 @@
+From 9f472512579b132a4350e4692588f95c8d903d68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 20:06:01 +0100
+Subject: x86/hyperv: Restore VP assist page after cpu offlining/onlining
+
+From: Vitaly Kuznetsov
+
+[ Upstream commit ee6815416380bc069b7dcbdff0682d4c53617527 ]
+
+Commit e5d9b714fe40 ("x86/hyperv: fix root partition faults when writing
+to VP assist page MSR") moved 'wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE)' under
+'if (*hvp)' condition. This works for root partition as hv_cpu_die()
+does memunmap() and sets 'hv_vp_assist_page[cpu]' to NULL but breaks
+non-root partitions as hv_cpu_die() doesn't free 'hv_vp_assist_page[cpu]'
+for them. This causes VP assist page to remain unset after CPU
+offline/online cycle:
+
+$ rdmsr -p 24 0x40000073
+ 10212f001
+$ echo 0 > /sys/devices/system/cpu/cpu24/online
+$ echo 1 > /sys/devices/system/cpu/cpu24/online
+$ rdmsr -p 24 0x40000073
+ 0
+
+Fix the issue by always writing to HV_X64_MSR_VP_ASSIST_PAGE in
+hv_cpu_init(). Note, checking 'if (!*hvp)', for root partition is
+pointless as hv_cpu_die() always sets 'hv_vp_assist_page[cpu]' to
+NULL (and it's also NULL initially).
+
+Note: the fact that 'hv_vp_assist_page[cpu]' is reset to NULL may
+present a (potential) issue for KVM. While Hyper-V uses
+CPUHP_AP_ONLINE_DYN stage in CPU hotplug, KVM uses CPUHP_AP_KVM_STARTING
+which comes earlier in CPU teardown sequence. It is theoretically
+possible that Enlightened VMCS is still in use. It is unclear if the
+issue is real and if using KVM with Hyper-V root partition is even
+possible.
+
+While on it, drop the unneeded smp_processor_id() call from hv_cpu_init().
+
+Fixes: e5d9b714fe40 ("x86/hyperv: fix root partition faults when writing to VP assist page MSR")
+Signed-off-by: Vitaly Kuznetsov
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20221103190601.399343-1-vkuznets@redhat.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/hyperv/hv_init.c | 54 +++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index 3de6d8b53367..a0165df3c4d8 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -77,7 +77,7 @@ static int hyperv_init_ghcb(void)
+ static int hv_cpu_init(unsigned int cpu)
+ {
+ union hv_vp_assist_msr_contents msr = { 0 };
+- struct hv_vp_assist_page **hvp = &hv_vp_assist_page[smp_processor_id()];
++ struct hv_vp_assist_page **hvp = &hv_vp_assist_page[cpu];
+ int ret;
+
+ ret = hv_common_cpu_init(cpu);
+@@ -87,34 +87,32 @@ static int hv_cpu_init(unsigned int cpu)
+ if (!hv_vp_assist_page)
+ return 0;
+
+- if (!*hvp) {
+- if (hv_root_partition) {
+- /*
+- * For root partition we get the hypervisor provided VP assist
+- * page, instead of allocating a new page.
+- */
+- rdmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+- *hvp = memremap(msr.pfn <<
+- HV_X64_MSR_VP_ASSIST_PAGE_ADDRESS_SHIFT,
+- PAGE_SIZE, MEMREMAP_WB);
+- } else {
+- /*
+- * The VP assist page is an "overlay" page (see Hyper-V TLFS's
+- * Section 5.2.1 "GPA Overlay Pages"). Here it must be zeroed
+- * out to make sure we always write the EOI MSR in
+- * hv_apic_eoi_write() *after* the EOI optimization is disabled
+- * in hv_cpu_die(), otherwise a CPU may not be stopped in the
+- * case of CPU offlining and the VM will hang.
+- */
++ if (hv_root_partition) {
++ /*
++ * For root partition we get the hypervisor provided VP assist
++ * page, instead of allocating a new page.
++ */
++ rdmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
++ *hvp = memremap(msr.pfn << HV_X64_MSR_VP_ASSIST_PAGE_ADDRESS_SHIFT,
++ PAGE_SIZE, MEMREMAP_WB);
++ } else {
++ /*
++ * The VP assist page is an "overlay" page (see Hyper-V TLFS's
++ * Section 5.2.1 "GPA Overlay Pages"). Here it must be zeroed
++ * out to make sure we always write the EOI MSR in
++ * hv_apic_eoi_write() *after* the EOI optimization is disabled
++ * in hv_cpu_die(), otherwise a CPU may not be stopped in the
++ * case of CPU offlining and the VM will hang.
++ */
++ if (!*hvp)
+ *hvp = __vmalloc(PAGE_SIZE, GFP_KERNEL | __GFP_ZERO);
+- if (*hvp)
+- msr.pfn = vmalloc_to_pfn(*hvp);
+- }
+- WARN_ON(!(*hvp));
+- if (*hvp) {
+- msr.enable = 1;
+- wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+- }
++ if (*hvp)
++ msr.pfn = vmalloc_to_pfn(*hvp);
++
++ }
++ if (!WARN_ON(!(*hvp))) {
++ msr.enable = 1;
++ wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+ }
+
+ return hyperv_init_ghcb();
+--
+2.35.1
+
diff --git a/queue-6.0/xfrm-fix-disable_policy-on-ipv4-early-demux.patch b/queue-6.0/xfrm-fix-disable_policy-on-ipv4-early-demux.patch
new file mode 100644
index 00000000000..46eafd85fa3
--- /dev/null
+++ b/queue-6.0/xfrm-fix-disable_policy-on-ipv4-early-demux.patch
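Review bot: With the outer `if (!*hvp)` removed, the root-partition branch of hv_cpu_init() overwrites `*hvp` with a fresh `memremap()` on every call, so correctness now depends on hv_cpu_die() having unmapped and cleared the slot first; that function is outside the hunk and the commit message is the only place stating it. A comment in the branch, e.g. `/* hv_cpu_die() always unmaps and NULLs this slot for the root partition */`, would make the dependency visible, and a `WARN_ON(*hvp)` before the remap would catch a leaked mapping. Minor: the new `else` branch ends with a stray blank line before its closing brace.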
@@ -0,0 +1,54 @@
+From f7895586258e5e2dfd2dc17693d6d2b0997fa426 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 9 Oct 2022 22:16:43 +0300
+Subject: xfrm: fix "disable_policy" on ipv4 early demux
+
+From: Eyal Birger
+
+[ Upstream commit 3a5913183aa1b14148c723bda030e6102ad73008 ]
+
+The commit in the "Fixes" tag tried to avoid a case where policy check
+is ignored due to dst caching in next hops.
+
+However, when the traffic is locally consumed, the dst may be cached
+in a local TCP or UDP socket as part of early demux. In this case the
+"disable_policy" flag is not checked as ip_route_input_noref() was only
+called before caching, and thus, packets after the initial packet in a
+flow will be dropped if not matching policies.
+
+Fix by checking the "disable_policy" flag also when a valid dst is
+already available.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216557
+Reported-by: Monil Patel
+Fixes: e6175a2ed1f1 ("xfrm: fix "disable_policy" flag use when arriving from different devices")
+Signed-off-by: Eyal Birger
+
+----
+
+v2: use dev instead of skb->dev
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_input.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index 1b512390b3cf..e880ce77322a 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -366,6 +366,11 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk,
+ iph->tos, dev);
+ if (unlikely(err))
+ goto drop_error;
++ } else {
++ struct in_device *in_dev = __in_dev_get_rcu(dev);
++
++ if (in_dev && IN_DEV_ORCONF(in_dev, NOPOLICY))
++ IPCB(skb)->flags |= IPSKB_NOPOLICY;
+ }
+
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+--
+2.35.1
+
diff --git a/queue-6.0/xfrm-fix-ignored-return-value-in-xfrm6_init.patch b/queue-6.0/xfrm-fix-ignored-return-value-in-xfrm6_init.patch
new file mode 100644
index 00000000000..113676ef13a
--- /dev/null
+++ b/queue-6.0/xfrm-fix-ignored-return-value-in-xfrm6_init.patch
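Review bot: The new `else` branch in ip_rcv_finish_core() sets `IPSKB_NOPOLICY` for every skb that reaches it, and the branch carries no comment, although the flag decides whether the packet is exempt from the inbound policy check. The `if` it pairs with lies outside the hunk; judging by the commit message it covers any skb that already has a valid dst, not only the early-demux case, which is presumably intended because the flag is derived from the receiving device's own `disable_policy` setting. I would add `/* dst already set (e.g. early demux): ip_route_input_noref() did not run, so honour disable_policy here */` above the `in_dev` lookup.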
@@ -0,0 +1,59 @@ +From 4f1b3542a6934c578fb7e0e845f1a6111713d762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:07:13 +0800 +Subject: xfrm: Fix ignored return value in xfrm6_init() + +From: Chen Zhongjin + +[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ] + +When IPv6 module initializing in xfrm6_init(), register_pernet_subsys() +is possible to fail but its return value is ignored. + +If IPv6 initialization fails later and xfrm6_fini() is called, +removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref: + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 330 Comm: insmod +RIP: 0010:unregister_pernet_operations+0xc9/0x450 +Call Trace: + + unregister_pernet_subsys+0x31/0x3e + xfrm6_fini+0x16/0x30 [ipv6] + ip6_route_init+0xcd/0x128 [ipv6] + inet6_init+0x29c/0x602 [ipv6] + ... + +Fix it by catching the error return value of register_pernet_subsys(). + +Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces") +Signed-off-by: Chen Zhongjin +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_policy.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index 4a4b0e49ec92..ea435eba3053 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -287,9 +287,13 @@ int __init xfrm6_init(void) + if (ret) + goto out_state; + +- register_pernet_subsys(&xfrm6_net_ops); ++ ret = register_pernet_subsys(&xfrm6_net_ops); ++ if (ret) ++ goto out_protocol; + out: + return ret; ++out_protocol: ++ xfrm6_protocol_fini(); + out_state: + xfrm6_state_fini(); + out_policy: +-- +2.35.1 + diff --git a/queue-6.0/xfrm-fix-oops-in-__xfrm_state_delete.patch b/queue-6.0/xfrm-fix-oops-in-__xfrm_state_delete.patch new file mode 100644 index 00000000000..9a42b529a8a --- /dev/null +++ b/queue-6.0/xfrm-fix-oops-in-__xfrm_state_delete.patch 
@@ -0,0 +1,119 @@
+From 843ef277be0c7f40e3ac2f998851c10cacc50111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Nov 2022 11:18:48 +0100
+Subject: xfrm: Fix oops in __xfrm_state_delete()
+
+From: Thomas Jarosch
+
+[ Upstream commit b97df039a68b2f3e848e238df5d5d06343ea497b ]
+
+Kernel 5.14 added a new "byseq" index to speed
+up xfrm_state lookups by sequence number in commit
+fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
+
+While the patch was thorough, the function pfkey_send_new_mapping()
+in net/af_key.c also modifies x->km.seq and never added
+the current xfrm_state to the "byseq" index.
+
+This leads to the following kernel Ooops:
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ..
+ RIP: 0010:__xfrm_state_delete+0xc9/0x1c0
+ ..
+ Call Trace:
+
+ xfrm_state_delete+0x1e/0x40
+ xfrm_del_sa+0xb0/0x110 [xfrm_user]
+ xfrm_user_rcv_msg+0x12d/0x270 [xfrm_user]
+ ? remove_entity_load_avg+0x8a/0xa0
+ ? copy_to_user_state_extra+0x580/0x580 [xfrm_user]
+ netlink_rcv_skb+0x51/0x100
+ xfrm_netlink_rcv+0x30/0x50 [xfrm_user]
+ netlink_unicast+0x1a6/0x270
+ netlink_sendmsg+0x22a/0x480
+ __sys_sendto+0x1a6/0x1c0
+ ? __audit_syscall_entry+0xd8/0x130
+ ? __audit_syscall_exit+0x249/0x2b0
+ __x64_sys_sendto+0x23/0x30
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Exact location of the crash in __xfrm_state_delete():
+ if (x->km.seq)
+ hlist_del_rcu(&x->byseq);
+
+The hlist_node "byseq" was never populated.
+
+The bug only triggers if a new NAT traversal mapping (changed IP or port)
+is detected in esp_input_done2() / esp6_input_done2(), which in turn
+indirectly calls pfkey_send_new_mapping() *if* the kernel is compiled
+with CONFIG_NET_KEY and "af_key" is active.
+
+The PF_KEYv2 message SADB_X_NAT_T_NEW_MAPPING is not part of RFC 2367.
+Various implementations have been examined how they handle
+the "sadb_msg_seq" header field:
+
+- racoon (Android): does not process SADB_X_NAT_T_NEW_MAPPING
+- strongswan: does not care about sadb_msg_seq
+- openswan: does not care about sadb_msg_seq
+
+There is no standard how PF_KEYv2 sadb_msg_seq should be populated
+for SADB_X_NAT_T_NEW_MAPPING and it's not used in popular
+implementations either. Herbert Xu suggested we should just
+use the current km.seq value as is. This fixes the root cause
+of the oops since we no longer modify km.seq itself.
+
+The update of "km.seq" looks like a copy'n'paste error
+from pfkey_send_acquire(). SADB_ACQUIRE must indeed assign a unique km.seq
+number according to RFC 2367. It has been verified that code paths
+involving pfkey_send_acquire() don't cause the same Oops.
+
+PF_KEYv2 SADB_X_NAT_T_NEW_MAPPING support was originally added here:
+ https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+
+ commit cbc3488685b20e7b2a98ad387a1a816aada569d8
+ Author: Derek Atkins
+ AuthorDate: Wed Apr 2 13:21:02 2003 -0800
+
+ [IPSEC]: Implement UDP Encapsulation framework.
+
+ In particular, implement ESPinUDP encapsulation for IPsec
+ Nat Traversal.
+
+A note on triggering the bug: I was not able to trigger it using VMs.
+There is one VPN using a high latency link on our production VPN server
+that triggered it like once a day though.
+
+Link: https://github.com/strongswan/strongswan/issues/992
+Link: https://lore.kernel.org/netdev/00959f33ee52c4b3b0084d42c430418e502db554.1652340703.git.antony.antony@secunet.com/T/
+Link: https://lore.kernel.org/netdev/20221027142455.3975224-1-chenzhihao@meizu.com/T/
+
+Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
+Reported-by: Roth Mark
+Reported-by: Zhihao Chen
+Tested-by: Roth Mark
+Signed-off-by: Thomas Jarosch
+Acked-by: Antony Antony
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 213287814328..95edcbedf6ef 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3394,7 +3394,7 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
+ hdr->sadb_msg_len = size / sizeof(uint64_t);
+ hdr->sadb_msg_errno = 0;
+ hdr->sadb_msg_reserved = 0;
+- hdr->sadb_msg_seq = x->km.seq = get_acqseq();
++ hdr->sadb_msg_seq = x->km.seq;
+ hdr->sadb_msg_pid = 0;
+
+ /* SA */
+--
+2.35.1
+
diff --git a/queue-6.0/xfrm-replay-fix-esn-wrap-around-for-gso.patch b/queue-6.0/xfrm-replay-fix-esn-wrap-around-for-gso.patch
new file mode 100644
index 00000000000..df9904ece2b
--- /dev/null
+++ b/queue-6.0/xfrm-replay-fix-esn-wrap-around-for-gso.patch
@@ -0,0 +1,103 @@
+From 077c9a443722578c9646cc69d8fcf22586195633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Oct 2022 08:34:47 +0200
+Subject: xfrm: replay: Fix ESN wrap around for GSO
+
+From: Christian Langrock
+
+[ Upstream commit 4b549ccce941798703f159b227aa28c716aa78fa ]
+
+When using GSO it can happen that the wrong seq_hi is used for the last
+packets before the wrap around. This can lead to double usage of a
+sequence number. To avoid this, we should serialize this last GSO
+packet.
+
+Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
+Co-developed-by: Steffen Klassert
+Signed-off-by: Christian Langrock
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4_offload.c | 3 +++
+ net/ipv6/esp6_offload.c | 3 +++
+ net/xfrm/xfrm_device.c | 15 ++++++++++++++-
+ net/xfrm/xfrm_replay.c | 2 +-
+ 4 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 170152772d33..3969fa805679 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -314,6 +314,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
+ xo->seq.low += skb_shinfo(skb)->gso_segs;
+ }
+
++ if (xo->seq.low < seq)
++ xo->seq.hi++;
++
+ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32));
+
+ ip_hdr(skb)->tot_len = htons(skb->len);
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 79d43548279c..242f4295940e 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -346,6 +346,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
+ xo->seq.low += skb_shinfo(skb)->gso_segs;
+ }
+
++ if (xo->seq.low < seq)
++ xo->seq.hi++;
++
+ esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));
+
+ len = skb->len - sizeof(struct ipv6hdr);
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 637ca8838436..9af6bf1652e4 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -97,6 +97,18 @@ static void xfrm_outer_mode_prep(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ }
+
++static inline bool xmit_xfrm_check_overflow(struct sk_buff *skb)
++{
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ __u32 seq = xo->seq.low;
++
++ seq += skb_shinfo(skb)->gso_segs;
++ if (unlikely(seq < xo->seq.low))
++ return true;
++
++ return false;
++}
++
+ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
+ {
+ int err;
+@@ -134,7 +146,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ return skb;
+ }
+
+- if (skb_is_gso(skb) && unlikely(x->xso.dev != dev)) {
++ if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
++ unlikely(xmit_xfrm_check_overflow(skb)))) {
+ struct sk_buff *segs;
+
+ /* Packet got rerouted, fixup features and segment it. */
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 9277d81b344c..49dd788859d8 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -714,7 +714,7 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
+ oseq += skb_shinfo(skb)->gso_segs;
+ }
+
+- if (unlikely(oseq < replay_esn->oseq)) {
++ if (unlikely(xo->seq.low < replay_esn->oseq)) {
+ XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
+ xo->seq.hi = oseq_hi;
+ replay_esn->oseq_hi = oseq_hi;
+--
+2.35.1
+
diff --git a/queue-6.0/zonefs-fix-race-between-modprobe-and-mount.patch b/queue-6.0/zonefs-fix-race-between-modprobe-and-mount.patch
new file mode 100644
index 00000000000..ea0121b75cc
--- /dev/null
+++ b/queue-6.0/zonefs-fix-race-between-modprobe-and-mount.patch
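Review bot: In esp_xmit() (net/ipv4/esp4_offload.c) the added `xo->seq.hi++` runs just before the context line `esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32));`, so whenever the check fires the 64-bit value pairs the pre-wrap low word `seq` with the already-incremented high word. The same three added lines in esp6_xmit() are followed by `cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32))`, so the IPv4 and IPv6 paths now disagree on which low word goes with the new high word. If `seq` is meant to be this packet's own number, moving the `esp.seqno = ...` assignment above `if (xo->seq.low < seq)` in esp4_offload.c would keep the pair consistent; if the difference is intended, both sites deserve a comment naming the intended pairing. `seq` is assigned outside the hunk, so this needs checking against the full function.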
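Review bot: The comment kept as context under the changed condition in validate_xmit_xfrm(), `/* Packet got rerouted, fixup features and segment it. */`, no longer describes every way into the branch, because the branch is now also taken when xmit_xfrm_check_overflow() reports that adding gso_segs wraps the 32-bit `seq.low`. I would reword it to `/* Packet got rerouted or its GSO batch would wrap seq.low: fixup features and segment it. */`. The new helper in the previous hunk has no comment either; one line such as `/* True when seq.low + gso_segs wraps the 32-bit low sequence word. */` would be enough. validate_xmit_xfrm() continues outside the hunk.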
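Review bot: The rewritten test `if (unlikely(xo->seq.low < replay_esn->oseq))` in xfrm_replay_overflow_offload_esn() no longer sees the `oseq += skb_shinfo(skb)->gso_segs` addition shown as context just above it, so a GSO packet whose first number is still below the wrap but whose last number is past it skips the whole branch and `replay_esn->oseq_hi` is never advanced. This assumes xo->seq.low holds the first segment's number, which is set outside the hunk. Constructed example: an old oseq of 0xfffffffe with gso_segs 3 gives a first number of 0xffffffff and a new oseq of 0x1, and 0xffffffff < 0xfffffffe is false. The state's high word would then lag the low word it is paired with, which is the condition ESN replay protection relies on not happening. I would keep the outer test on `oseq` for the state counter and test `xo->seq.low` only for the per-packet high word, as sketched below; the branch continues past the end of the hunk.

```c
	if (unlikely(oseq < replay_esn->oseq)) {
		/* The state counter wrapped somewhere inside this packet. */
		replay_esn->oseq_hi = ++oseq_hi;
		/* Only a packet whose first number already wrapped carries the new high word. */
		if (xo->seq.low < replay_esn->oseq) {
			XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
			xo->seq.hi = oseq_hi;
		}
		/* … unchanged: rest of the branch, which continues past the hunk … */
```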
@@ -0,0 +1,80 @@
+From db3322723a7af513bbf8c73d9476e48dac0034fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Nov 2022 18:57:59 +0800
+Subject: zonefs: Fix race between modprobe and mount
+
+From: Zhang Xiaoxu
+
+[ Upstream commit 4e45886956a20942800259f326a04417292ae314 ]
+
+There is a race between modprobe and mount as below:
+
+ modprobe zonefs | mount -t zonefs
+--------------------------------|-------------------------
+ zonefs_init |
+ register_filesystem [1] |
+ | zonefs_fill_super [2]
+ zonefs_sysfs_init [3] |
+
+1. register zonefs suceess, then
+2. user can mount the zonefs
+3. if sysfs initialize failed, the module initialize failed.
+
+Then the mount process maybe some error happened since the module
+initialize failed.
+
+Let's register zonefs after all dependency resource ready. And
+reorder the dependency resource release in module exit.
+
+Fixes: 9277a6d4fbd4 ("zonefs: Export open zone resource information through sysfs")
+Signed-off-by: Zhang Xiaoxu
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ fs/zonefs/super.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/zonefs/super.c b/fs/zonefs/super.c
+index 860f0b1032c6..625749fbedf4 100644
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -1905,18 +1905,18 @@ static int __init zonefs_init(void)
+ if (ret)
+ return ret;
+
+- ret = register_filesystem(&zonefs_type);
++ ret = zonefs_sysfs_init();
+ if (ret)
+ goto destroy_inodecache;
+
+- ret = zonefs_sysfs_init();
++ ret = register_filesystem(&zonefs_type);
+ if (ret)
+- goto unregister_fs;
++ goto sysfs_exit;
+
+ return 0;
+
+-unregister_fs:
+- unregister_filesystem(&zonefs_type);
++sysfs_exit:
++ zonefs_sysfs_exit();
+ destroy_inodecache:
+ zonefs_destroy_inodecache();
+
+@@ -1925,9 +1925,9 @@ static int __init zonefs_init(void)
+
+ static void __exit zonefs_exit(void)
+ {
++ unregister_filesystem(&zonefs_type);
+ zonefs_sysfs_exit();
+ zonefs_destroy_inodecache();
+- unregister_filesystem(&zonefs_type);
+ }
+
+ MODULE_AUTHOR("Damien Le Moal");
+--
+2.35.1
+
--
2.47.3
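Review bot: Nothing in the reordered zonefs_init() says why register_filesystem() has to be the last step, even though that ordering is the entire fix. A comment above the call, e.g. `/* Register last: once registered, a mount can reach zonefs_fill_super(). */`, and a matching `/* Unregister first so no new mount starts while the resources below are torn down. */` at the top of zonefs_exit() in the second hunk would keep a later cleanup from silently restoring the old order. zonefs_init() starts outside the first hunk, so any existing comment earlier in the function is not visible here.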