From fa0f4d06d488e2a50f70c88d448eddc34da4beb8 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 5 Aug 2023 16:49:59 -0400 Subject: [PATCH] Fixes for 6.1 
Signed-off-by: Sasha Levin --- ...arm64-dts-freescale-fix-vpu-g2-clock.patch | 37 ++ ...-venice-gw7903-disable-disp_blk_ctrl.patch | 42 ++ ...-venice-gw7904-disable-disp_blk_ctrl.patch | 43 ++ ...-var-som-add-missing-pull-up-for-onb.patch | 47 ++ ...e-imx8mm-correction-in-gpio-line-nam.patch | 51 ++ ...phycore-imx8mm-label-typo-fix-of-vpu.patch | 37 ++ ...ix-max_mtu-setting-for-multi-buf-xdp.patch | 72 +++ ...ix-page-pool-logic-for-page-size-64k.patch | 193 ++++++++ ...heck-for-sk_diag_bpf_storage_req_map.patch | 49 ++ ...e-skb-as-well-when-clean-up-ptr_ring.patch | 85 ++++ ...ve-preempt_disable-in-sock_map_sk_ac.patch | 59 +++ ...primary-bvec-selection-on-deduplicat.patch | 70 +++ ...rm_scmi-fix-chan_free-cleanup-on-smc.patch | 89 ++++ ...ix-use-of-uninitialised-results-stru.patch | 62 +++ ...dma-vsi-removal-during-queue-rebuild.patch | 73 +++ ...kb_under_panic-in-ip6mr_cache_report.patch | 77 +++ .../kvm-s390-fix-sthyi-error-handling.patch | 78 +++ ...around-const_eval-test-build-failure.patch | 106 ++++ ...ci-fix-potential-deadlock-on-hc-lock.patch | 88 ++++ ...-data-race-annotation-for-sk_ll_usec.patch | 36 ++ ...data-race-annotations-around-sk-sk_p.patch | 63 +++ ...ng-read_once-sk-sk_rcvbuf-annotation.patch | 36 ++ ...-read_once-sk-sk_rcvlowat-annotation.patch | 36 ++ ...ng-read_once-sk-sk_sndbuf-annotation.patch | 36 ++ ...tate-data-race-around-sk-sk_txrehash.patch | 52 ++ ...nnotate-data-races-around-sk-sk_mark.patch | 448 +++++++++++++++++ ...a-races-around-sk-sk_max_pacing_rate.patch | 54 +++ ...ate-data-races-around-sk-sk_priority.patch | 184 +++++++ ...data-races-around-sk-sk_reserved_mem.patch | 58 +++ ...correct-policy-to-parse-dcb_attr_bcn.patch | 103 ++++ ...-fix-value-check-in-bcm_sf2_sw_probe.patch | 52 ++ ...le-clk-prepare-error-in-korina_probe.patch | 43 ++ ...-error-checking-of-irq_of_parse_and_.patch | 54 +++ ...memory-leak-in-mlx5dr_cmd_create_ref.patch | 44 ++ ...ential-memory-leak-in-mlx5e_init_rep.patch | 48 ++ 
...re-make-find_closest_ft-more-generic.patch | 120 +++++ ...-skip-the-fts-in-the-same-fs_type_pr.patch | 196 ++++++++ ...ash-moving-to-switchdev-mode-when-nt.patch | 82 ++++ ...uble-free-in-macsec_fs_tx_create_cry.patch | 40 ++ ...turn-value-check-in-mlx5e_ipsec_remo.patch | 39 ++ ...epresentor-neigh-cleanup-to-profile-.patch | 176 +++++++ ...ore-phy-mode-on-synquacer-in-dt-mode.patch | 61 +++ ...-no-longer-copy-tcf_result-on-update.patch | 50 ++ ...ute-no-longer-copy-tcf_result-on-upd.patch | 50 ++ ...cls_u32-fix-match-key-mis-addressing.patch | 145 ++++++ ...2-no-longer-copy-tcf_result-on-updat.patch | 50 ++ ...-limit-tca_taprio_attr_sched_cycle_t.patch | 176 +++++++ ..._from_different_cu-skip-if-there-is-.patch | 66 +++ ...lback-to-previous-version-on-same-ma.patch | 66 +++ ...ing-in-a-tasklet-while-getting-stats.patch | 452 ++++++++++++++++++ ...nl_bridge_setlink-checks-ifla_bridge.patch | 66 +++ ...on-t-call-dev_close-dev_open-down-up.patch | 104 ++++ queue-6.1/series | 61 +++ ...otate-data-races-around-tm-tcpm_lock.patch | 51 ++ ...notate-data-races-around-tm-tcpm_net.patch | 66 +++ ...tate-data-races-around-tm-tcpm_stamp.patch | 88 ++++ ...otate-data-races-around-tm-tcpm_vals.patch | 85 ++++ .../tcp_metrics-fix-addr_same-helper.patch | 46 ++ ...data-race-in-tcpm_suck_dst-vs-fastop.patch | 85 ++++ queue-6.1/vxlan-fix-nexthop-hash-size.patch | 175 +++++++ ...80211-fix-return-value-in-scan-logic.patch | 43 ++ ...se-the-same-return-type-for-has_zero.patch | 74 +++ 62 files changed, 5418 insertions(+) create mode 100644 queue-6.1/arm64-dts-freescale-fix-vpu-g2-clock.patch create mode 100644 queue-6.1/arm64-dts-imx8mm-venice-gw7903-disable-disp_blk_ctrl.patch create mode 100644 queue-6.1/arm64-dts-imx8mm-venice-gw7904-disable-disp_blk_ctrl.patch create mode 100644 queue-6.1/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch create mode 100644 queue-6.1/arm64-dts-phycore-imx8mm-correction-in-gpio-line-nam.patch create mode 100644 
queue-6.1/arm64-dts-phycore-imx8mm-label-typo-fix-of-vpu.patch create mode 100644 queue-6.1/bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch create mode 100644 queue-6.1/bnxt_en-fix-page-pool-logic-for-page-size-64k.patch create mode 100644 queue-6.1/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch create mode 100644 queue-6.1/bpf-cpumap-handle-skb-as-well-when-clean-up-ptr_ring.patch create mode 100644 queue-6.1/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch create mode 100644 queue-6.1/erofs-fix-wrong-primary-bvec-selection-on-deduplicat.patch create mode 100644 queue-6.1/firmware-arm_scmi-fix-chan_free-cleanup-on-smc.patch create mode 100644 queue-6.1/firmware-smccc-fix-use-of-uninitialised-results-stru.patch create mode 100644 queue-6.1/ice-fix-rdma-vsi-removal-during-queue-rebuild.patch create mode 100644 queue-6.1/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch create mode 100644 queue-6.1/kvm-s390-fix-sthyi-error-handling.patch create mode 100644 queue-6.1/lib-bitmap-workaround-const_eval-test-build-failure.patch create mode 100644 queue-6.1/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch create mode 100644 queue-6.1/net-add-missing-data-race-annotation-for-sk_ll_usec.patch create mode 100644 queue-6.1/net-add-missing-data-race-annotations-around-sk-sk_p.patch create mode 100644 queue-6.1/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch create mode 100644 queue-6.1/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch create mode 100644 queue-6.1/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch create mode 100644 queue-6.1/net-annotate-data-race-around-sk-sk_txrehash.patch create mode 100644 queue-6.1/net-annotate-data-races-around-sk-sk_mark.patch create mode 100644 queue-6.1/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch create mode 100644 queue-6.1/net-annotate-data-races-around-sk-sk_priority.patch create mode 100644 queue-6.1/net-annotate-data-races-around-sk-sk_reserved_mem.patch create 
mode 100644 queue-6.1/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch create mode 100644 queue-6.1/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch create mode 100644 queue-6.1/net-korina-handle-clk-prepare-error-in-korina_probe.patch create mode 100644 queue-6.1/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch create mode 100644 queue-6.1/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch create mode 100644 queue-6.1/net-mlx5-fix-potential-memory-leak-in-mlx5e_init_rep.patch create mode 100644 queue-6.1/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch create mode 100644 queue-6.1/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch create mode 100644 queue-6.1/net-mlx5e-fix-crash-moving-to-switchdev-mode-when-nt.patch create mode 100644 queue-6.1/net-mlx5e-fix-double-free-in-macsec_fs_tx_create_cry.patch create mode 100644 queue-6.1/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch create mode 100644 queue-6.1/net-mlx5e-move-representor-neigh-cleanup-to-profile-.patch create mode 100644 queue-6.1/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch create mode 100644 queue-6.1/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch create mode 100644 queue-6.1/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch create mode 100644 queue-6.1/net-sched-cls_u32-fix-match-key-mis-addressing.patch create mode 100644 queue-6.1/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch create mode 100644 queue-6.1/net-sched-taprio-limit-tca_taprio_attr_sched_cycle_t.patch create mode 100644 queue-6.1/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch create mode 100644 queue-6.1/prestera-fix-fallback-to-previous-version-on-same-ma.patch create mode 100644 queue-6.1/qed-fix-scheduling-in-a-tasklet-while-getting-stats.patch create mode 100644 queue-6.1/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch create mode 100644 queue-6.1/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch create 
mode 100644 queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch create mode 100644 queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch create mode 100644 queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch create mode 100644 queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch create mode 100644 queue-6.1/tcp_metrics-fix-addr_same-helper.patch create mode 100644 queue-6.1/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch create mode 100644 queue-6.1/vxlan-fix-nexthop-hash-size.patch create mode 100644 queue-6.1/wifi-cfg80211-fix-return-value-in-scan-logic.patch create mode 100644 queue-6.1/word-at-a-time-use-the-same-return-type-for-has_zero.patch diff --git a/queue-6.1/arm64-dts-freescale-fix-vpu-g2-clock.patch b/queue-6.1/arm64-dts-freescale-fix-vpu-g2-clock.patch new file mode 100644 index 00000000000..d868a3e1dcd --- /dev/null +++ b/queue-6.1/arm64-dts-freescale-fix-vpu-g2-clock.patch 
@@ -0,0 +1,37 @@
+From 40688407df5aea6fe04e6e078123f8eea50884b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 11:42:00 +0200
+Subject: arm64: dts: freescale: Fix VPU G2 clock
+
+From: Benjamin Gaignard
+
+[ Upstream commit b27bfc5103c72f84859bd32731b6a09eafdeda05 ]
+
+Set VPU G2 clock to 300MHz like described in documentation.
+This fixes pixels error occurring with large resolution ( >= 2560x1600)
+HEVC test stream when using the postprocessor to produce NV12.
+
+Fixes: 4ac7e4a81272 ("arm64: dts: imx8mq: Enable both G1 and G2 VPU's with vpu-blk-ctrl")
+Signed-off-by: Benjamin Gaignard
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index 4724ed0cbff94..bf8f02c1535c1 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -756,7 +756,7 @@
+ <&clk IMX8MQ_SYS1_PLL_800M>,
+ <&clk IMX8MQ_VPU_PLL>;
+ assigned-clock-rates = <600000000>,
+- <600000000>,
++ <300000000>,
+ <800000000>,
+ <0>;
+ };
+--
+2.40.1
+
diff --git a/queue-6.1/arm64-dts-imx8mm-venice-gw7903-disable-disp_blk_ctrl.patch b/queue-6.1/arm64-dts-imx8mm-venice-gw7903-disable-disp_blk_ctrl.patch
new file mode 100644
index 00000000000..e07fbdaab0b
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mm-venice-gw7903-disable-disp_blk_ctrl.patch
@@ -0,0 +1,42 @@
+From 1e2a78cc582501e61663c8092ec5f6d9bae6b931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 08:39:45 -0700
+Subject: arm64: dts: imx8mm-venice-gw7903: disable disp_blk_ctrl
+
+From: Tim Harvey
+
+[ Upstream commit 3e7d3c5e13b05dda9db92d98803a626378e75438 ]
+
+The GW7903 does not connect the VDD_MIPI power rails thus MIPI is
+disabled. However we must also disable disp_blk_ctrl as it uses the
+pgc_mipi power domain and without it being disabled imx8m-blk-ctrl will
+fail to probe:
+imx8m-blk-ctrl 32e28000.blk-ctrl: error -ETIMEDOUT: failed to attach power domain "mipi-dsi"
+imx8m-blk-ctrl: probe of 32e28000.blk-ctrl failed with error -110
+
+Fixes: a72ba91e5bc7 ("arm64: dts: imx: Add i.mx8mm Gateworks gw7903 dts support")
+Signed-off-by: Tim Harvey
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dts b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dts
+index 8e861b920d09e..7c9b60f4da922 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7903.dts
+@@ -559,6 +559,10 @@
+ status = "okay";
+ };
+
++&disp_blk_ctrl {
++ status = "disabled";
++};
++
+ &pgc_mipi {
+ status = "disabled";
+ };
+--
+2.40.1
+
diff --git a/queue-6.1/arm64-dts-imx8mm-venice-gw7904-disable-disp_blk_ctrl.patch b/queue-6.1/arm64-dts-imx8mm-venice-gw7904-disable-disp_blk_ctrl.patch
new file mode 100644
index 00000000000..68c2c808a40
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mm-venice-gw7904-disable-disp_blk_ctrl.patch
@@ -0,0 +1,43 @@
+From aab53bc8568a5af771336259fa340537192e1616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 08:40:30 -0700
+Subject: arm64: dts: imx8mm-venice-gw7904: disable disp_blk_ctrl
+
+From: Tim Harvey
+
+[ Upstream commit f7a0b57524cf811ac06257a5099f1b7c19ee7310 ]
+
+The GW7904 does not connect the VDD_MIPI power rails thus MIPI is
+disabled. However we must also disable disp_blk_ctrl as it uses the
+pgc_mipi power domain and without it being disabled imx8m-blk-ctrl will
+fail to probe:
+imx8m-blk-ctrl 32e28000.blk-ctrl: error -ETIMEDOUT: failed to attach
+power domain "mipi-dsi"
+imx8m-blk-ctrl: probe of 32e28000.blk-ctrl failed with error -110
+
+Fixes: b999bdaf0597 ("arm64: dts: imx: Add i.mx8mm Gateworks gw7904 dts support")
+Signed-off-by: Tim Harvey
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-venice-gw7904.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7904.dts b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7904.dts
+index a67771d021464..46a07dfc0086c 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7904.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw7904.dts
+@@ -617,6 +617,10 @@
+ status = "okay";
+ };
+
++&disp_blk_ctrl {
++ status = "disabled";
++};
++
+ &pgc_mipi {
+ status = "disabled";
+ };
+--
+2.40.1
+
diff --git a/queue-6.1/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch b/queue-6.1/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch
new file mode 100644
index 00000000000..2be467d3c4d
--- /dev/null
+++ b/queue-6.1/arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch
@@ -0,0 +1,47 @@
+From f5014ac686977af21f53350d991b15030f015078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 09:48:00 -0400
+Subject: arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset
+ pinmux
+
+From: Hugo Villeneuve
+
+[ Upstream commit 253be5b53c2792fb4384f8005b05421e6f040ee3 ]
+
+For SOMs with an onboard PHY, the RESET_N pull-up resistor is
+currently deactivated in the pinmux configuration. When the pinmux
+code selects the GPIO function for this pin, with a default direction
+of input, this prevents the RESET_N pin from being taken to the proper
+3.3V level (deasserted), and this results in the PHY being not
+detected since it is held in reset.
+
+Taken from RESET_N pin description in ADIN13000 datasheet:
+ This pin requires a 1K pull-up resistor to AVDD_3P3.
+
+Activate the pull-up resistor to fix the issue.
+
+Fixes: ade0176dd8a0 ("arm64: dts: imx8mn-var-som: Add Variscite VAR-SOM-MX8MN System on Module")
+Signed-off-by: Hugo Villeneuve
+Reviewed-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
+index d053ef302fb82..faafefe562e4b 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
+@@ -351,7 +351,7 @@
+ MX8MN_IOMUXC_ENET_RXC_ENET1_RGMII_RXC 0x91
+ MX8MN_IOMUXC_ENET_RX_CTL_ENET1_RGMII_RX_CTL 0x91
+ MX8MN_IOMUXC_ENET_TX_CTL_ENET1_RGMII_TX_CTL 0x1f
+- MX8MN_IOMUXC_GPIO1_IO09_GPIO1_IO9 0x19
++ MX8MN_IOMUXC_GPIO1_IO09_GPIO1_IO9 0x159
+ >;
+ };
+
+--
+2.40.1
+
diff --git a/queue-6.1/arm64-dts-phycore-imx8mm-correction-in-gpio-line-nam.patch b/queue-6.1/arm64-dts-phycore-imx8mm-correction-in-gpio-line-nam.patch
new file mode 100644
index 00000000000..84fbb03b08c
--- /dev/null
+++ b/queue-6.1/arm64-dts-phycore-imx8mm-correction-in-gpio-line-nam.patch 
@@ -0,0 +1,51 @@
+From 05dfd7852700461034e0a2f956d20f31b1e5a503 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jun 2023 11:50:09 +0200
+Subject: arm64: dts: phycore-imx8mm: Correction in gpio-line-names
+
+From: Yashwanth Varakala
+
+[ Upstream commit 1ef0aa137a96c5f0564f2db0c556a4f0f60ce8f5 ]
+
+Remove unused nINT_ETHPHY entry from gpio-line-names in gpio1 nodes of
+phyCORE-i.MX8MM and phyBOARD-Polis-i.MX8MM devicetrees.
+
+Fixes: ae6847f26ac9 ("arm64: dts: freescale: Add phyBOARD-Polis-i.MX8MM support")
+Signed-off-by: Yashwanth Varakala
+Signed-off-by: Cem Tenruh
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-phyboard-polis-rdk.dts | 2 +-
+ arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-phyboard-polis-rdk.dts b/arch/arm64/boot/dts/freescale/imx8mm-phyboard-polis-rdk.dts
+index 4a3df2b77b0be..6720ddf597839 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-phyboard-polis-rdk.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-phyboard-polis-rdk.dts
+@@ -141,7 +141,7 @@
+ };
+
+ &gpio1 {
+- gpio-line-names = "nINT_ETHPHY", "LED_RED", "WDOG_INT", "X_RTC_INT",
++ gpio-line-names = "", "LED_RED", "WDOG_INT", "X_RTC_INT",
+ "", "", "", "RESET_ETHPHY",
+ "CAN_nINT", "CAN_EN", "nENABLE_FLATLINK", "",
+ "USB_OTG_VBUS_EN", "", "LED_GREEN", "LED_BLUE";
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
+index 3e5e7d861882f..9d9b103c79c77 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
+@@ -111,7 +111,7 @@
+ };
+
+ &gpio1 {
+- gpio-line-names = "nINT_ETHPHY", "", "WDOG_INT", "X_RTC_INT",
++ gpio-line-names = "", "", "WDOG_INT", "X_RTC_INT",
+ "", "", "", "RESET_ETHPHY",
+ "", "", "nENABLE_FLATLINK";
+ };
+--
+2.40.1
+
diff --git a/queue-6.1/arm64-dts-phycore-imx8mm-label-typo-fix-of-vpu.patch b/queue-6.1/arm64-dts-phycore-imx8mm-label-typo-fix-of-vpu.patch
new file mode 100644
index 00000000000..26eb40545fc
--- /dev/null
+++ b/queue-6.1/arm64-dts-phycore-imx8mm-label-typo-fix-of-vpu.patch
@@ -0,0 +1,37 @@
+From 0f51da94b28555a5daf57aa7bc5f02ab056de85f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jun 2023 11:50:07 +0200
+Subject: arm64: dts: phycore-imx8mm: Label typo-fix of VPU
+
+From: Yashwanth Varakala
+
+[ Upstream commit cddeefc1663294fb74b31ff5029a83c0e819ff3a ]
+
+Corrected the label of the VPU regulator node (buck 3)
+from reg_vdd_gpu to reg_vdd_vpu.
+
+Fixes: ae6847f26ac9 ("arm64: dts: freescale: Add phyBOARD-Polis-i.MX8MM support")
+Signed-off-by: Yashwanth Varakala
+Signed-off-by: Cem Tenruh
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
+index 995b44efb1b65..3e5e7d861882f 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-phycore-som.dtsi
+@@ -210,7 +210,7 @@
+ };
+ };
+
+- reg_vdd_gpu: buck3 {
++ reg_vdd_vpu: buck3 {
+ regulator-always-on;
+ regulator-boot-on;
+ regulator-max-microvolt = <1000000>;
+--
+2.40.1
+
diff --git a/queue-6.1/bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch b/queue-6.1/bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch
new file mode 100644
index 00000000000..a15d9bf22e4
--- /dev/null
+++ b/queue-6.1/bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch
@@ -0,0 +1,72 @@ +From 9a2123dabf91f654ca7d543f24c90ad814e2bdbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 07:20:43 -0700 +Subject: bnxt_en: Fix max_mtu setting for multi-buf XDP + +From: Michael Chan + +[ Upstream commit 08450ea98ae98d5a35145b675b76db616046ea11 ] + +The existing code does not allow the MTU to be set to the maximum even +after an XDP program supporting multiple buffers is attached. Fix it +to set the netdev->max_mtu to the maximum value if the attached XDP +program supports mutiple buffers, regardless of the current MTU value. + +Also use a local variable dev instead of repeatedly using bp->dev. + +Fixes: 1dc4c557bfed ("bnxt: adding bnxt_xdp_build_skb to build skb from multibuffer xdp_buff") +Reviewed-by: Somnath Kotur +Reviewed-by: Ajit Khaparde +Reviewed-by: Andy Gospodarek +Signed-off-by: Michael Chan +Link: https://lore.kernel.org/r/20230731142043.58855-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 9bd18c2b10bc6..969db3c45d176 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4027,26 +4027,29 @@ void bnxt_set_ring_params(struct bnxt *bp) + */ + int bnxt_set_rx_skb_mode(struct bnxt *bp, bool page_mode) + { ++ struct net_device *dev = bp->dev; ++ + if (page_mode) { + bp->flags &= ~BNXT_FLAG_AGG_RINGS; + bp->flags |= BNXT_FLAG_RX_PAGE_MODE; + +- if (bp->dev->mtu > BNXT_MAX_PAGE_MODE_MTU) { ++ if (bp->xdp_prog->aux->xdp_has_frags) ++ dev->max_mtu = min_t(u16, bp->max_mtu, BNXT_MAX_MTU); ++ else ++ dev->max_mtu = ++ min_t(u16, bp->max_mtu, BNXT_MAX_PAGE_MODE_MTU); ++ if (dev->mtu > BNXT_MAX_PAGE_MODE_MTU) { + bp->flags |= BNXT_FLAG_JUMBO; + bp->rx_skb_func = bnxt_rx_multi_page_skb; +- 
bp->dev->max_mtu = +- min_t(u16, bp->max_mtu, BNXT_MAX_MTU); + } else { + bp->flags |= BNXT_FLAG_NO_AGG_RINGS; + bp->rx_skb_func = bnxt_rx_page_skb; +- bp->dev->max_mtu = +- min_t(u16, bp->max_mtu, BNXT_MAX_PAGE_MODE_MTU); + } + bp->rx_dir = DMA_BIDIRECTIONAL; + /* Disable LRO or GRO_HW */ +- netdev_update_features(bp->dev); ++ netdev_update_features(dev); + } else { +- bp->dev->max_mtu = bp->max_mtu; ++ dev->max_mtu = bp->max_mtu; + bp->flags &= ~BNXT_FLAG_RX_PAGE_MODE; + bp->rx_dir = DMA_FROM_DEVICE; + bp->rx_skb_func = bnxt_rx_skb; +-- +2.40.1 + diff --git a/queue-6.1/bnxt_en-fix-page-pool-logic-for-page-size-64k.patch b/queue-6.1/bnxt_en-fix-page-pool-logic-for-page-size-64k.patch new file mode 100644 index 00000000000..1174a65e31c --- /dev/null +++ b/queue-6.1/bnxt_en-fix-page-pool-logic-for-page-size-64k.patch 
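Review bot: In bnxt_set_rx_skb_mode() (queue-6.1/bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch) the new `if (bp->xdp_prog->aux->xdp_has_frags)` test dereferences bp->xdp_prog unconditionally on the page_mode branch, and nothing in this hunk shows that an XDP program is always attached when page_mode is true. If that is a caller-side invariant, state it next to the check, e.g. `/* page_mode is only requested with an XDP program attached, so bp->xdp_prog is non-NULL here */`. If it is not guaranteed, guard the test as `if (bp->xdp_prog && bp->xdp_prog->aux->xdp_has_frags)`. The function body continues past the end of the hunk, so its callers and the rest of the else branch are not visible here.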
@@ -0,0 +1,193 @@ +From 52c02fc6fe5524363b6e461a65664b8a6e1fca9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 07:20:42 -0700 +Subject: bnxt_en: Fix page pool logic for page size >= 64K + +From: Somnath Kotur + +[ Upstream commit f6974b4c2d8e1062b5a52228ee47293c15b4ee1e ] + +The RXBD length field on all bnxt chips is 16-bit and so we cannot +support a full page when the native page size is 64K or greater. +The non-XDP (non page pool) code path has logic to handle this but +the XDP page pool code path does not handle this. Add the missing +logic to use page_pool_dev_alloc_frag() to allocate 32K chunks if +the page size is 64K or greater. + +Fixes: 9f4b28301ce6 ("bnxt: XDP multibuffer enablement") +Link: https://lore.kernel.org/netdev/20230728231829.235716-2-michael.chan@broadcom.com/ +Reviewed-by: Andy Gospodarek +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Link: https://lore.kernel.org/r/20230731142043.58855-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 42 ++++++++++++------- + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 6 +-- + 2 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 6469fb8a42a89..9bd18c2b10bc6 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -721,17 +721,24 @@ static void bnxt_tx_int(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts) + + static struct page *__bnxt_alloc_rx_page(struct bnxt *bp, dma_addr_t *mapping, + struct bnxt_rx_ring_info *rxr, ++ unsigned int *offset, + gfp_t gfp) + { + struct device *dev = &bp->pdev->dev; + struct page *page; + +- page = page_pool_dev_alloc_pages(rxr->page_pool); ++ if (PAGE_SIZE > BNXT_RX_PAGE_SIZE) { ++ page = page_pool_dev_alloc_frag(rxr->page_pool, offset, ++ BNXT_RX_PAGE_SIZE); ++ } else { ++ page = 
page_pool_dev_alloc_pages(rxr->page_pool); ++ *offset = 0; ++ } + if (!page) + return NULL; + +- *mapping = dma_map_page_attrs(dev, page, 0, PAGE_SIZE, bp->rx_dir, +- DMA_ATTR_WEAK_ORDERING); ++ *mapping = dma_map_page_attrs(dev, page, *offset, BNXT_RX_PAGE_SIZE, ++ bp->rx_dir, DMA_ATTR_WEAK_ORDERING); + if (dma_mapping_error(dev, *mapping)) { + page_pool_recycle_direct(rxr->page_pool, page); + return NULL; +@@ -771,15 +778,16 @@ int bnxt_alloc_rx_data(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + dma_addr_t mapping; + + if (BNXT_RX_PAGE_MODE(bp)) { ++ unsigned int offset; + struct page *page = +- __bnxt_alloc_rx_page(bp, &mapping, rxr, gfp); ++ __bnxt_alloc_rx_page(bp, &mapping, rxr, &offset, gfp); + + if (!page) + return -ENOMEM; + + mapping += bp->rx_dma_offset; + rx_buf->data = page; +- rx_buf->data_ptr = page_address(page) + bp->rx_offset; ++ rx_buf->data_ptr = page_address(page) + offset + bp->rx_offset; + } else { + u8 *data = __bnxt_alloc_rx_frag(bp, &mapping, gfp); + +@@ -839,7 +847,7 @@ static inline int bnxt_alloc_rx_page(struct bnxt *bp, + unsigned int offset = 0; + + if (BNXT_RX_PAGE_MODE(bp)) { +- page = __bnxt_alloc_rx_page(bp, &mapping, rxr, gfp); ++ page = __bnxt_alloc_rx_page(bp, &mapping, rxr, &offset, gfp); + + if (!page) + return -ENOMEM; +@@ -986,15 +994,15 @@ static struct sk_buff *bnxt_rx_multi_page_skb(struct bnxt *bp, + return NULL; + } + dma_addr -= bp->rx_dma_offset; +- dma_unmap_page_attrs(&bp->pdev->dev, dma_addr, PAGE_SIZE, bp->rx_dir, +- DMA_ATTR_WEAK_ORDERING); +- skb = build_skb(page_address(page), PAGE_SIZE); ++ dma_unmap_page_attrs(&bp->pdev->dev, dma_addr, BNXT_RX_PAGE_SIZE, ++ bp->rx_dir, DMA_ATTR_WEAK_ORDERING); ++ skb = build_skb(data_ptr - bp->rx_offset, BNXT_RX_PAGE_SIZE); + if (!skb) { + page_pool_recycle_direct(rxr->page_pool, page); + return NULL; + } + skb_mark_for_recycle(skb); +- skb_reserve(skb, bp->rx_dma_offset); ++ skb_reserve(skb, bp->rx_offset); + __skb_put(skb, len); + + return skb; +@@ -1020,8 +1028,8 @@ 
static struct sk_buff *bnxt_rx_page_skb(struct bnxt *bp, + return NULL; + } + dma_addr -= bp->rx_dma_offset; +- dma_unmap_page_attrs(&bp->pdev->dev, dma_addr, PAGE_SIZE, bp->rx_dir, +- DMA_ATTR_WEAK_ORDERING); ++ dma_unmap_page_attrs(&bp->pdev->dev, dma_addr, BNXT_RX_PAGE_SIZE, ++ bp->rx_dir, DMA_ATTR_WEAK_ORDERING); + + if (unlikely(!payload)) + payload = eth_get_headlen(bp->dev, data_ptr, len); +@@ -1034,7 +1042,7 @@ static struct sk_buff *bnxt_rx_page_skb(struct bnxt *bp, + + skb_mark_for_recycle(skb); + off = (void *)data_ptr - page_address(page); +- skb_add_rx_frag(skb, 0, page, off, len, PAGE_SIZE); ++ skb_add_rx_frag(skb, 0, page, off, len, BNXT_RX_PAGE_SIZE); + memcpy(skb->data - NET_IP_ALIGN, data_ptr - NET_IP_ALIGN, + payload + NET_IP_ALIGN); + +@@ -1169,7 +1177,7 @@ static struct sk_buff *bnxt_rx_agg_pages_skb(struct bnxt *bp, + + skb->data_len += total_frag_len; + skb->len += total_frag_len; +- skb->truesize += PAGE_SIZE * agg_bufs; ++ skb->truesize += BNXT_RX_PAGE_SIZE * agg_bufs; + return skb; + } + +@@ -2972,8 +2980,8 @@ static void bnxt_free_one_rx_ring_skbs(struct bnxt *bp, int ring_nr) + rx_buf->data = NULL; + if (BNXT_RX_PAGE_MODE(bp)) { + mapping -= bp->rx_dma_offset; +- dma_unmap_page_attrs(&pdev->dev, mapping, PAGE_SIZE, +- bp->rx_dir, ++ dma_unmap_page_attrs(&pdev->dev, mapping, ++ BNXT_RX_PAGE_SIZE, bp->rx_dir, + DMA_ATTR_WEAK_ORDERING); + page_pool_recycle_direct(rxr->page_pool, data); + } else { +@@ -3241,6 +3249,8 @@ static int bnxt_alloc_rx_page_pool(struct bnxt *bp, + pp.nid = dev_to_node(&bp->pdev->dev); + pp.dev = &bp->pdev->dev; + pp.dma_dir = DMA_BIDIRECTIONAL; ++ if (PAGE_SIZE > BNXT_RX_PAGE_SIZE) ++ pp.flags |= PP_FLAG_PAGE_FRAG; + + rxr->page_pool = page_pool_create(&pp); + if (IS_ERR(rxr->page_pool)) { +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +index 36d5202c0aeec..aa56db138d6b5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c ++++ 
b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +@@ -180,8 +180,8 @@ void bnxt_xdp_buff_init(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + u16 cons, u8 *data_ptr, unsigned int len, + struct xdp_buff *xdp) + { ++ u32 buflen = BNXT_RX_PAGE_SIZE; + struct bnxt_sw_rx_bd *rx_buf; +- u32 buflen = PAGE_SIZE; + struct pci_dev *pdev; + dma_addr_t mapping; + u32 offset; +@@ -297,7 +297,7 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons, + rx_buf = &rxr->rx_buf_ring[cons]; + mapping = rx_buf->mapping - bp->rx_dma_offset; + dma_unmap_page_attrs(&pdev->dev, mapping, +- PAGE_SIZE, bp->rx_dir, ++ BNXT_RX_PAGE_SIZE, bp->rx_dir, + DMA_ATTR_WEAK_ORDERING); + + /* if we are unable to allocate a new buffer, abort and reuse */ +@@ -478,7 +478,7 @@ bnxt_xdp_build_skb(struct bnxt *bp, struct sk_buff *skb, u8 num_frags, + } + xdp_update_skb_shared_info(skb, num_frags, + sinfo->xdp_frags_size, +- PAGE_SIZE * sinfo->nr_frags, ++ BNXT_RX_PAGE_SIZE * sinfo->nr_frags, + xdp_buff_is_frag_pfmemalloc(xdp)); + return skb; + } +-- +2.40.1 + diff --git a/queue-6.1/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch b/queue-6.1/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch new file mode 100644 index 00000000000..8e13ed505ac --- /dev/null +++ b/queue-6.1/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch 
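Review bot: In the bnxt.c part of queue-6.1/bnxt_en-fix-page-pool-logic-for-page-size-64k.patch, bnxt_alloc_rx_data() declares `unsigned int offset;` without an initializer, while the context line in bnxt_alloc_rx_page() in the next hunk reads `unsigned int offset = 0;`. The value is only used after the `if (!page) return -ENOMEM;` check, so this looks safe as written, but it relies on __bnxt_alloc_rx_page() storing to *offset on every non-NULL return. Writing `unsigned int offset = 0;` in bnxt_alloc_rx_data() keeps the two callers consistent, and a one-line comment on __bnxt_alloc_rx_page() saying that *offset is meaningful only when a page is returned would document the new out-parameter. All three functions extend beyond their hunks.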
@@ -0,0 +1,49 @@
+From 310e656bb160d6e96c94f398a5226cff19d486e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jul 2023 10:33:30 +0800
+Subject: bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing
+
+From: Lin Ma
+
+[ Upstream commit bcc29b7f5af6797702c2306a7aacb831fc5ce9cb ]
+
+The nla_for_each_nested parsing in function bpf_sk_storage_diag_alloc
+does not check the length of the nested attribute. This can lead to an
+out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
+be viewed as a 4 byte integer.
+
+This patch adds an additional check when the nlattr is getting counted.
+This makes sure the latter nla_get_u32 can access the attributes with
+the correct length.
+
+Fixes: 1ed4d92458a9 ("bpf: INET_DIAG support in bpf_sk_storage")
+Suggested-by: Jakub Kicinski
+Signed-off-by: Lin Ma
+Reviewed-by: Jakub Kicinski
+Link: https://lore.kernel.org/r/20230725023330.422856-1-linma@zju.edu.cn
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ net/core/bpf_sk_storage.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
+index 94374d529ea42..ad01b1bea52e4 100644
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -531,8 +531,11 @@ bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
+ return ERR_PTR(-EPERM);
+
+ nla_for_each_nested(nla, nla_stgs, rem) {
+- if (nla_type(nla) == SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
++ if (nla_type(nla) == SK_DIAG_BPF_STORAGE_REQ_MAP_FD) {
++ if (nla_len(nla) != sizeof(u32))
++ return ERR_PTR(-EINVAL);
+ nr_maps++;
++ }
+ }
+
+ diag = kzalloc(struct_size(diag, maps, nr_maps), GFP_KERNEL);
+--
+2.40.1
+
diff --git a/queue-6.1/bpf-cpumap-handle-skb-as-well-when-clean-up-ptr_ring.patch b/queue-6.1/bpf-cpumap-handle-skb-as-well-when-clean-up-ptr_ring.patch
new file mode 100644
index 00000000000..7e1b69772a0
--- /dev/null
+++ b/queue-6.1/bpf-cpumap-handle-skb-as-well-when-clean-up-ptr_ring.patch
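Review bot: The added `nla_len(nla) != sizeof(u32)` test in bpf_sk_storage_diag_alloc() (queue-6.1/bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch) sits in the counting loop, while the read it protects is, according to the commit message, a later nla_get_u32() that lies outside this hunk. That turns the first pass into a validation pass as well as a count, a coupling that is easy to break when either loop is edited. A comment above the new check would record the dependency, for example `/* also validates the length for the nla_get_u32() in the second pass */`. Whether nla_stgs itself has already been bounds-checked by the caller cannot be judged from the lines shown, since the function starts and ends outside the hunk.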
@@ -0,0 +1,85 @@
+From fc5a512af4b6a4bff0cf7019a2255f166938d283 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Jul 2023 17:51:07 +0800
+Subject: bpf, cpumap: Handle skb as well when clean up ptr_ring
+
+From: Hou Tao
+
+[ Upstream commit 7c62b75cd1a792e14b037fa4f61f9b18914e7de1 ]
+
+The following warning was reported when running xdp_redirect_cpu with
+both skb-mode and stress-mode enabled:
+
+ ------------[ cut here ]------------
+ Incorrect XDP memory type (-2128176192) usage
+ WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405
+ Modules linked in:
+ CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+ Workqueue: events __cpu_map_entry_free
+ RIP: 0010:__xdp_return+0x1e4/0x4a0
+ ......
+ Call Trace:
+
+ ? show_regs+0x65/0x70
+ ? __warn+0xa5/0x240
+ ? __xdp_return+0x1e4/0x4a0
+ ......
+ xdp_return_frame+0x4d/0x150
+ __cpu_map_entry_free+0xf9/0x230
+ process_one_work+0x6b0/0xb80
+ worker_thread+0x96/0x720
+ kthread+0x1a5/0x1f0
+ ret_from_fork+0x3a/0x70
+ ret_from_fork_asm+0x1b/0x30
+
+
+The reason for the warning is twofold. One is due to the kthread
+cpu_map_kthread_run() is stopped prematurely. Another one is
+__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in
+ptr_ring as XDP frames.
+
+Prematurely-stopped kthread will be fixed by the preceding patch and
+ptr_ring will be empty when __cpu_map_ring_cleanup() is called. But
+as the comments in __cpu_map_ring_cleanup() said, handling and freeing
+skbs in ptr_ring as well to "catch any broken behaviour gracefully".
+
+Fixes: 11941f8a8536 ("bpf: cpumap: Implement generic cpumap")
+Signed-off-by: Hou Tao
+Acked-by: Jesper Dangaard Brouer
+Link: https://lore.kernel.org/r/20230729095107.1722450-3-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/cpumap.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
+index 09141351d5457..e5888d401d799 100644
+--- a/kernel/bpf/cpumap.c
++++ b/kernel/bpf/cpumap.c
+@@ -134,11 +134,17 @@ static void __cpu_map_ring_cleanup(struct ptr_ring *ring)
+ * invoked cpu_map_kthread_stop(). Catch any broken behaviour
+ * gracefully and warn once.
+ */
+- struct xdp_frame *xdpf;
++ void *ptr;
+
+- while ((xdpf = ptr_ring_consume(ring)))
+- if (WARN_ON_ONCE(xdpf))
+- xdp_return_frame(xdpf);
++ while ((ptr = ptr_ring_consume(ring))) {
++ WARN_ON_ONCE(1);
++ if (unlikely(__ptr_test_bit(0, &ptr))) {
++ __ptr_clear_bit(0, &ptr);
++ kfree_skb(ptr);
++ continue;
++ }
++ xdp_return_frame(ptr);
++ }
+ }
+
+ static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
+--
+2.40.1
+
diff --git a/queue-6.1/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch b/queue-6.1/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch
new file mode 100644
index 00000000000..98051d42aef
--- /dev/null
+++ b/queue-6.1/bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch
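Review bot: The `__ptr_test_bit(0, &ptr)` branch in `__cpu_map_ring_cleanup()` depends on a pointer-tagging convention that the hunk never states: an entry with bit 0 set goes to `kfree_skb()` after the bit is cleared, everything else goes to `xdp_return_frame()`. Going by the commit message, tagged entries are skbs queued in skb mode, so a comment such as `/* bit 0 set: entry is an skb, not an xdp_frame; clear the tag before freeing */` belongs above the test, since releasing an entry through the wrong path is the bug being fixed. It would also help to name where the producer sets the tag, which is not visible here. The function starts before the hunk.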
@@ -0,0 +1,59 @@
+From 0d2a51643358f53a17344d1f234e396d1e68b99e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 08:44:11 +0200
+Subject: bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
+
+From: Tomas Glozar
+
+[ Upstream commit 13d2618b48f15966d1adfe1ff6a1985f5eef40ba ]
+
+Disabling preemption in sock_map_sk_acquire conflicts with GFP_ATOMIC
+allocation later in sk_psock_init_link on PREEMPT_RT kernels, since
+GFP_ATOMIC might sleep on RT (see bpf: Make BPF and PREEMPT_RT co-exist
+patchset notes for details).
+
+This causes calling bpf_map_update_elem on BPF_MAP_TYPE_SOCKMAP maps to
+BUG (sleeping function called from invalid context) on RT kernels.
+
+preempt_disable was introduced together with lock_sk and rcu_read_lock
+in commit 99ba2b5aba24e ("bpf: sockhash, disallow bpf_tcp_close and update
+in parallel"), probably to match disabled migration of BPF programs, and
+is no longer necessary.
+
+Remove preempt_disable to fix BUG in sock_map_update_common on RT.
+
+Signed-off-by: Tomas Glozar
+Reviewed-by: Jakub Sitnicki
+Link: https://lore.kernel.org/all/20200224140131.461979697@linutronix.de/
+Fixes: 99ba2b5aba24 ("bpf: sockhash, disallow bpf_tcp_close and update in parallel")
+Reviewed-by: John Fastabend
+Link: https://lore.kernel.org/r/20230728064411.305576-1-tglozar@redhat.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/core/sock_map.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index d382672018928..c84e5073c0b66 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -117,7 +117,6 @@ static void sock_map_sk_acquire(struct sock *sk)
+ __acquires(&sk->sk_lock.slock)
+ {
+ lock_sock(sk);
+- preempt_disable();
+ rcu_read_lock();
+ }
+
+@@ -125,7 +124,6 @@ static void sock_map_sk_release(struct sock *sk)
+ __releases(&sk->sk_lock.slock)
+ {
+ rcu_read_unlock();
+- preempt_enable();
+ release_sock(sk);
+ }
+
+--
+2.40.1
+
diff --git a/queue-6.1/erofs-fix-wrong-primary-bvec-selection-on-deduplicat.patch b/queue-6.1/erofs-fix-wrong-primary-bvec-selection-on-deduplicat.patch
new file mode 100644
index 00000000000..9dce6807cb2
--- /dev/null
+++ b/queue-6.1/erofs-fix-wrong-primary-bvec-selection-on-deduplicat.patch
@@ -0,0 +1,70 @@
+From b54e9bdfd5f9f3e58da198b9c3fa6ec295dada52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 14:54:59 +0800
+Subject: erofs: fix wrong primary bvec selection on deduplicated extents
+
+From: Gao Xiang
+
+[ Upstream commit 94c43de73521d8ed7ebcfc6191d9dace1cbf7caa ]
+
+When handling deduplicated compressed data, there can be multiple
+decompressed extents pointing to the same compressed data in one shot.
+
+In such cases, the bvecs which belong to the longest extent will be
+selected as the primary bvecs for real decompressors to decode and the
+other duplicated bvecs will be directly copied from the primary bvecs.
+
+Previously, only relative offsets of the longest extent were checked to
+decompress the primary bvecs. On rare occasions, it can be incorrect
+if there are several extents with the same start relative offset.
+As a result, some short bvecs could be selected for decompression and
+then cause data corruption.
+
+For example, as Shijie Sun reported off-list, considering the following
+extents of a file:
+ 117: 903345.. 915250 | 11905 : 385024.. 389120 | 4096
+...
+ 119: 919729.. 930323 | 10594 : 385024.. 389120 | 4096
+...
+ 124: 968881.. 980786 | 11905 : 385024.. 389120 | 4096
+
+The start relative offset is the same: 2225, but extent 119 (919729..
+930323) is shorter than the others.
+
+Let's restrict the bvec length in addition to the start offset if bvecs
+are not full.
+
+Reported-by: Shijie Sun
+Fixes: 5c2a64252c5d ("erofs: introduce partial-referenced pclusters")
+Tested-by Shijie Sun
+Reviewed-by: Yue Hu
+Reviewed-by: Chao Yu
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20230719065459.60083-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/zdata.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 533e612b6a486..361f3c29897e8 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -989,10 +989,11 @@ static void z_erofs_do_decompressed_bvec(struct z_erofs_decompress_backend *be,
+ struct z_erofs_bvec *bvec)
+ {
+ struct z_erofs_bvec_item *item;
++ unsigned int pgnr;
+
+- if (!((bvec->offset + be->pcl->pageofs_out) & ~PAGE_MASK)) {
+- unsigned int pgnr;
+-
++ if (!((bvec->offset + be->pcl->pageofs_out) & ~PAGE_MASK) &&
++ (bvec->end == PAGE_SIZE ||
++ bvec->offset + bvec->end == be->pcl->length)) {
+ pgnr = (bvec->offset + be->pcl->pageofs_out) >> PAGE_SHIFT;
+ DBG_BUGON(pgnr >= be->nr_pages);
+ if (!be->decompressed_pages[pgnr]) {
+--
+2.40.1
+
diff --git a/queue-6.1/firmware-arm_scmi-fix-chan_free-cleanup-on-smc.patch b/queue-6.1/firmware-arm_scmi-fix-chan_free-cleanup-on-smc.patch
new file mode 100644
index 00000000000..770f1acebfd
--- /dev/null
+++ b/queue-6.1/firmware-arm_scmi-fix-chan_free-cleanup-on-smc.patch
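Review bot: The widened condition in `z_erofs_do_decompressed_bvec()` now has three clauses and no comment saying which bvecs it admits as primary. A line above the `if` such as `/* primary candidate: page-aligned start and either a full page or the tail ending at pcl->length */` would keep the rule from the commit message next to the code. Separately, `pgnr` indexes `be->decompressed_pages[]` right after `DBG_BUGON(pgnr >= be->nr_pages)`; if `DBG_BUGON` compiles to nothing outside debug builds, that line is not a bounds check in production and the index relies on earlier validation of on-disk values that is not visible here. The function body continues past the hunk.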
@@ -0,0 +1,89 @@
+From fa4657aacd98f9e984bf18e68755419c7a01590c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 18:35:33 +0100
+Subject: firmware: arm_scmi: Fix chan_free cleanup on SMC
+
+From: Cristian Marussi
+
+[ Upstream commit d1ff11d7ad8704f8d615f6446041c221b2d2ec4d ]
+
+SCMI transport based on SMC can optionally use an additional IRQ to
+signal message completion. The associated interrupt handler is currently
+allocated using devres but on shutdown the core SCMI stack will call
+.chan_free() well before any managed cleanup is invoked by devres.
+As a consequence, the arrival of a late reply to an in-flight pending
+transaction could still trigger the interrupt handler well after the
+SCMI core has cleaned up the channels, with unpleasant results.
+
+Inhibit further message processing on the IRQ path by explicitly freeing
+the IRQ inside .chan_free() callback itself.
+
+Fixes: dd820ee21d5e ("firmware: arm_scmi: Augment SMC/HVC to allow optional interrupt")
+Reported-by: Bjorn Andersson
+Signed-off-by: Cristian Marussi
+Link: https://lore.kernel.org/r/20230719173533.2739319-1-cristian.marussi@arm.com
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_scmi/smc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/smc.c b/drivers/firmware/arm_scmi/smc.c
+index 87a7b13cf868b..dc383d874ee3a 100644
+--- a/drivers/firmware/arm_scmi/smc.c
++++ b/drivers/firmware/arm_scmi/smc.c
+@@ -23,6 +23,7 @@
+ /**
+ * struct scmi_smc - Structure representing a SCMI smc transport
+ *
++ * @irq: An optional IRQ for completion
+ * @cinfo: SCMI channel info
+ * @shmem: Transmit/Receive shared memory area
+ * @shmem_lock: Lock to protect access to Tx/Rx shared memory area.
+@@ -33,6 +34,7 @@
+ */
+
+ struct scmi_smc {
++ int irq;
+ struct scmi_chan_info *cinfo;
+ struct scmi_shared_mem __iomem *shmem;
+ /* Protect access to shmem area */
+@@ -106,7 +108,7 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+ struct resource res;
+ struct device_node *np;
+ u32 func_id;
+- int ret, irq;
++ int ret;
+
+ if (!tx)
+ return -ENODEV;
+@@ -142,11 +144,10 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
+ * completion of a message is signaled by an interrupt rather than by
+ * the return of the SMC call.
+ */
+- irq = of_irq_get_byname(cdev->of_node, "a2p");
+- if (irq > 0) {
+- ret = devm_request_irq(dev, irq, smc_msg_done_isr,
+- IRQF_NO_SUSPEND,
+- dev_name(dev), scmi_info);
++ scmi_info->irq = of_irq_get_byname(cdev->of_node, "a2p");
++ if (scmi_info->irq > 0) {
++ ret = request_irq(scmi_info->irq, smc_msg_done_isr,
++ IRQF_NO_SUSPEND, dev_name(dev), scmi_info);
+ if (ret) {
+ dev_err(dev, "failed to setup SCMI smc irq\n");
+ return ret;
+@@ -168,6 +169,10 @@ static int smc_chan_free(int id, void *p, void *data)
+ struct scmi_chan_info *cinfo = p;
+ struct scmi_smc *scmi_info = cinfo->transport_info;
+
++ /* Ignore any possible further reception on the IRQ path */
++ if (scmi_info->irq > 0)
++ free_irq(scmi_info->irq, scmi_info);
++
+ cinfo->transport_info = NULL;
+ scmi_info->cinfo = NULL;
+
+--
+2.40.1
+
diff --git a/queue-6.1/firmware-smccc-fix-use-of-uninitialised-results-stru.patch b/queue-6.1/firmware-smccc-fix-use-of-uninitialised-results-stru.patch
new file mode 100644
index 00000000000..9019e79b844
--- /dev/null
+++ b/queue-6.1/firmware-smccc-fix-use-of-uninitialised-results-stru.patch
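Review bot: In `smc_chan_free()` the added `if (scmi_info->irq > 0)` reads through `cinfo->transport_info` without a NULL check, and the same function sets `cinfo->transport_info = NULL` a few lines later. If the core can invoke `.chan_free()` a second time for the same channel, or for a channel whose setup never completed (the callers are outside the hunk), that read dereferences NULL; returning early when `scmi_info` is NULL and clearing `scmi_info->irq` after `free_irq()` would make the callback safe to repeat. In `smc_chan_setup()`, a failed `request_irq()` leaves `scmi_info->irq` holding the positive IRQ number, so resetting it on that error path (`scmi_info->irq = 0;` before `return ret;`) keeps a later free from releasing an IRQ that was never requested. Both functions extend beyond the hunks shown.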
@@ -0,0 +1,62 @@
+From 29b02d734f48d1c65cfe0bcfa20f12892b8bff93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 18:17:02 +0100
+Subject: firmware: smccc: Fix use of uninitialised results structure
+
+From: Punit Agrawal
+
+[ Upstream commit d05799d7b4a39fa71c65aa277128ac7c843ffcdc ]
+
+Commit 35727af2b15d ("irqchip/gicv3: Workaround for NVIDIA erratum
+T241-FABRIC-4") moved the initialisation of the SoC version to
+arm_smccc_version_init() but forgot to update the results structure
+and it's usage.
+
+Fix the use of the uninitialised results structure and update the
+error strings.
+
+Fixes: 35727af2b15d ("irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4")
+Signed-off-by: Punit Agrawal
+Cc: Sudeep Holla
+Cc: Marc Zyngier
+Cc: Vikram Sethi
+Cc: Shanker Donthineni
+Acked-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20230717171702.424253-1-punit.agrawal@bytedance.com
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/smccc/soc_id.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/smccc/soc_id.c b/drivers/firmware/smccc/soc_id.c
+index 890eb454599a3..1990263fbba0e 100644
+--- a/drivers/firmware/smccc/soc_id.c
++++ b/drivers/firmware/smccc/soc_id.c
+@@ -34,7 +34,6 @@ static struct soc_device_attribute *soc_dev_attr;
+
+ static int __init smccc_soc_init(void)
+ {
+- struct arm_smccc_res res;
+ int soc_id_rev, soc_id_version;
+ static char soc_id_str[20], soc_id_rev_str[12];
+ static char soc_id_jep106_id_str[12];
+@@ -49,13 +48,13 @@ static int __init smccc_soc_init(void)
+ }
+
+ if (soc_id_version < 0) {
+- pr_err("ARCH_SOC_ID(0) returned error: %lx\n", res.a0);
++ pr_err("Invalid SoC Version: %x\n", soc_id_version);
+ return -EINVAL;
+ }
+
+ soc_id_rev = arm_smccc_get_soc_id_revision();
+ if (soc_id_rev < 0) {
+- pr_err("ARCH_SOC_ID(1) returned error: %lx\n", res.a0);
++ pr_err("Invalid SoC Revision: %x\n", soc_id_rev);
+ return -EINVAL;
+ }
+
+--
+2.40.1
+
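Review bot: Both new `pr_err()` calls in `smccc_soc_init()` format a negative `int` with `%x`, so the log shows a two's-complement hex value (ffffffff for -1) instead of the error number a reader would look up. The messages are only reached when `soc_id_version < 0` or `soc_id_rev < 0`, so `%d` fits the data better: `pr_err("Invalid SoC Version: %d\n", soc_id_version);` and likewise `pr_err("Invalid SoC Revision: %d\n", soc_id_rev);`. The function continues past the second hunk.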
diff --git a/queue-6.1/ice-fix-rdma-vsi-removal-during-queue-rebuild.patch b/queue-6.1/ice-fix-rdma-vsi-removal-during-queue-rebuild.patch
new file mode 100644
index 00000000000..638a83a6b3b
--- /dev/null
+++ b/queue-6.1/ice-fix-rdma-vsi-removal-during-queue-rebuild.patch
@@ -0,0 +1,73 @@
+From afc77307831c2befd80474f34cf0a0a96a89db0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 10:12:43 -0700
+Subject: ice: Fix RDMA VSI removal during queue rebuild
+
+From: Rafal Rogalski
+
+[ Upstream commit 4b31fd4d77ffa430d0b74ba1885ea0a41594f202 ]
+
+During qdisc create/delete, it is necessary to rebuild the queue
+of VSIs. An error occurred because the VSIs created by RDMA were
+still active.
+
+Added check if RDMA is active. If yes, it disallows qdisc changes
+and writes a message in the system logs.
+
+Fixes: 348048e724a0 ("ice: Implement iidc operations")
+Signed-off-by: Rafal Rogalski
+Signed-off-by: Mateusz Palczewski
+Signed-off-by: Kamil Maziarz
+Tested-by: Bharathi Sreenivas
+Signed-off-by: Tony Nguyen
+Reviewed-by: Leon Romanovsky
+Link: https://lore.kernel.org/r/20230728171243.2446101-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 8f77088900e94..a771e597795d3 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -8777,6 +8777,7 @@ ice_setup_tc(struct net_device *netdev, enum tc_setup_type type,
+ {
+ struct ice_netdev_priv *np = netdev_priv(netdev);
+ struct ice_pf *pf = np->vsi->back;
++ bool locked = false;
+ int err;
+
+ switch (type) {
+@@ -8786,10 +8787,27 @@ ice_setup_tc(struct net_device *netdev, enum tc_setup_type type,
+ ice_setup_tc_block_cb,
+ np, np, true);
+ case TC_SETUP_QDISC_MQPRIO:
++ if (pf->adev) {
++ mutex_lock(&pf->adev_mutex);
++ device_lock(&pf->adev->dev);
++ locked = true;
++ if (pf->adev->dev.driver) {
++ netdev_err(netdev, "Cannot change qdisc when RDMA is active\n");
++ err = -EBUSY;
++ goto adev_unlock;
++ }
++ }
++
+ /* setup traffic classifier for receive side */
+ mutex_lock(&pf->tc_mutex);
+ err = ice_setup_tc_mqprio_qdisc(netdev, type_data);
+ mutex_unlock(&pf->tc_mutex);
++
++adev_unlock:
++ if (locked) {
++ device_unlock(&pf->adev->dev);
++ mutex_unlock(&pf->adev_mutex);
++ }
+ return err;
+ default:
+ return -EOPNOTSUPP;
+--
+2.40.1
+
diff --git a/queue-6.1/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch b/queue-6.1/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch
new file mode 100644
index 00000000000..7198153ebe4
--- /dev/null
+++ b/queue-6.1/ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch
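Review bot: In the `TC_SETUP_QDISC_MQPRIO` case `pf->adev` is tested before `adev_mutex` is taken and is then read again under it, in `device_lock(&pf->adev->dev)`, in the `dev.driver` test and in the unlock path. If `adev_mutex` is the lock that guards plugging and unplugging of the auxiliary device (that code is not in this hunk), the pointer can be cleared between the test and the first use, which gives a NULL dereference. Taking the mutex first and working on a local copy of the pointer closes that window; the sketch below replaces the `locked` flag with a local `adev` of the same type as `pf->adev`. `ice_setup_tc()` begins and ends outside the hunk.

```c
	case TC_SETUP_QDISC_MQPRIO:
		/* hold adev_mutex before looking at pf->adev so it cannot change under us */
		mutex_lock(&pf->adev_mutex);
		adev = pf->adev;
		if (adev) {
			device_lock(&adev->dev);
			if (adev->dev.driver) {
				netdev_err(netdev, "Cannot change qdisc when RDMA is active\n");
				err = -EBUSY;
				goto adev_unlock;
			}
		}

		/* ... unchanged: tc_mutex section calling ice_setup_tc_mqprio_qdisc() ... */

adev_unlock:
		if (adev)
			device_unlock(&adev->dev);
		mutex_unlock(&pf->adev_mutex);
		return err;
```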
@@ -0,0 +1,77 @@
+From 275fcff90a4567ab092c12bad2a0876b99ca0f5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Aug 2023 14:43:18 +0800
+Subject: ip6mr: Fix skb_under_panic in ip6mr_cache_report()
+
+From: Yue Haibing
+
+[ Upstream commit 30e0191b16e8a58e4620fa3e2839ddc7b9d4281c ]
+
+skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
+ head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:192!
+ invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ Workqueue: ipv6_addrconf addrconf_dad_work
+ RIP: 0010:skb_panic+0x152/0x1d0
+ Call Trace:
+
+ skb_push+0xc4/0xe0
+ ip6mr_cache_report+0xd69/0x19b0
+ reg_vif_xmit+0x406/0x690
+ dev_hard_start_xmit+0x17e/0x6e0
+ __dev_queue_xmit+0x2d6a/0x3d20
+ vlan_dev_hard_start_xmit+0x3ab/0x5c0
+ dev_hard_start_xmit+0x17e/0x6e0
+ __dev_queue_xmit+0x2d6a/0x3d20
+ neigh_connected_output+0x3ed/0x570
+ ip6_finish_output2+0x5b5/0x1950
+ ip6_finish_output+0x693/0x11c0
+ ip6_output+0x24b/0x880
+ NF_HOOK.constprop.0+0xfd/0x530
+ ndisc_send_skb+0x9db/0x1400
+ ndisc_send_rs+0x12a/0x6c0
+ addrconf_dad_completed+0x3c9/0xea0
+ addrconf_dad_work+0x849/0x1420
+ process_one_work+0xa22/0x16e0
+ worker_thread+0x679/0x10c0
+ ret_from_fork+0x28/0x60
+ ret_from_fork_asm+0x11/0x20
+
+When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
+reg_vif_xmit()
+ ip6mr_cache_report()
+ skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
+And skb_push declared as:
+ void *skb_push(struct sk_buff *skb, unsigned int len);
+ skb->data -= len;
+ //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
+skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.
+
+Fixes: 14fb64e1f449 ("[IPV6] MROUTE: Support PIM-SM (SSM).")
+Signed-off-by: Yue Haibing
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index facdc78a43e5c..27fb5479988af 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1073,7 +1073,7 @@ static int ip6mr_cache_report(const struct mr_table *mrt, struct sk_buff *pkt,
+ And all this only to mangle msg->im6_msgtype and
+ to set msg->im6_mbz to "mbz" :-)
+ */
+- skb_push(skb, -skb_network_offset(pkt));
++ __skb_pull(skb, skb_network_offset(pkt));
+
+ skb_push(skb, sizeof(*msg));
+ skb_reset_transport_header(skb);
+--
+2.40.1
+
diff --git a/queue-6.1/kvm-s390-fix-sthyi-error-handling.patch b/queue-6.1/kvm-s390-fix-sthyi-error-handling.patch
new file mode 100644
index 00000000000..3d44d0946fd
--- /dev/null
+++ b/queue-6.1/kvm-s390-fix-sthyi-error-handling.patch
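Review bot: `__skb_pull()` is the unchecked variant and `skb_network_offset()` returns a signed `int` that is converted to `unsigned int` at the call, so the new line in `ip6mr_cache_report()` is only correct while that offset lies between 0 and the linear length of `skb`. The commit message shows the offset being 4 in the reported case; whether it can be negative or larger than the available data on other paths into this function cannot be judged from the hunk. A comment stating the assumption, for example `/* pkt's network header is at or after skb->data, so the offset is >= 0 */`, or a `WARN_ON_ONCE()` on a negative offset before the pull, would record why the unchecked helper is safe. The function starts and ends outside the hunk.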
@@ -0,0 +1,78 @@
+From 72023c12d9e183f0e0bc68d8bc04a7adcbb648a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 20:29:39 +0200
+Subject: KVM: s390: fix sthyi error handling
+
+From: Heiko Carstens
+
+[ Upstream commit 0c02cc576eac161601927b41634f80bfd55bfa9e ]
+
+Commit 9fb6c9b3fea1 ("s390/sthyi: add cache to store hypervisor info")
+added cache handling for store hypervisor info. This also changed the
+possible return code for sthyi_fill().
+
+Instead of only returning a condition code like the sthyi instruction would
+do, it can now also return a negative error value (-ENOMEM). handle_styhi()
+was not changed accordingly. In case of an error, the negative error value
+would incorrectly injected into the guest PSW.
+
+Add proper error handling to prevent this, and update the comment which
+describes the possible return values of sthyi_fill().
+
+Fixes: 9fb6c9b3fea1 ("s390/sthyi: add cache to store hypervisor info")
+Reviewed-by: Christian Borntraeger
+Link: https://lore.kernel.org/r/20230727182939.2050744-1-hca@linux.ibm.com
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/sthyi.c | 6 +++---
+ arch/s390/kvm/intercept.c | 9 ++++++---
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kernel/sthyi.c b/arch/s390/kernel/sthyi.c
+index 4d141e2c132e5..2ea7f208f0e73 100644
+--- a/arch/s390/kernel/sthyi.c
++++ b/arch/s390/kernel/sthyi.c
+@@ -459,9 +459,9 @@ static int sthyi_update_cache(u64 *rc)
+ *
+ * Fills the destination with system information returned by the STHYI
+ * instruction. The data is generated by emulation or execution of STHYI,
+- * if available. The return value is the condition code that would be
+- * returned, the rc parameter is the return code which is passed in
+- * register R2 + 1.
++ * if available. The return value is either a negative error value or
++ * the condition code that would be returned, the rc parameter is the
++ * return code which is passed in register R2 + 1.
+ */
+ int sthyi_fill(void *dst, u64 *rc)
+ {
+diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
+index ee7478a601442..b37bb960bfaf0 100644
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -389,8 +389,8 @@ static int handle_partial_execution(struct kvm_vcpu *vcpu)
+ */
+ int handle_sthyi(struct kvm_vcpu *vcpu)
+ {
+- int reg1, reg2, r = 0;
+- u64 code, addr, cc = 0, rc = 0;
++ int reg1, reg2, cc = 0, r = 0;
++ u64 code, addr, rc = 0;
+ struct sthyi_sctns *sctns = NULL;
+
+ if (!test_kvm_facility(vcpu->kvm, 74))
+@@ -421,7 +421,10 @@ int handle_sthyi(struct kvm_vcpu *vcpu)
+ return -ENOMEM;
+
+ cc = sthyi_fill(sctns, &rc);
+-
++ if (cc < 0) {
++ free_page((unsigned long)sctns);
++ return cc;
++ }
+ out:
+ if (!cc) {
+ if (kvm_s390_pv_cpu_is_protected(vcpu)) {
+--
+2.40.1
+
diff --git a/queue-6.1/lib-bitmap-workaround-const_eval-test-build-failure.patch b/queue-6.1/lib-bitmap-workaround-const_eval-test-build-failure.patch
new file mode 100644
index 00000000000..a5e48181edd
--- /dev/null
+++ b/queue-6.1/lib-bitmap-workaround-const_eval-test-build-failure.patch
@@ -0,0 +1,106 @@
+From 4b3871264abb0a1444618dd7d57b6bcc58e9b206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 12:17:03 -0700
+Subject: lib/bitmap: workaround const_eval test build failure
+
+From: Yury Norov
+
+[ Upstream commit 2356d198d2b4ddec24efea98271cb3be230bc787 ]
+
+When building with Clang, and when KASAN and GCOV_PROFILE_ALL are both
+enabled, the test fails to build [1]:
+
+>> lib/test_bitmap.c:920:2: error: call to '__compiletime_assert_239' declared with 'error' attribute: BUILD_BUG_ON failed: !__builtin_constant_p(res)
+ BUILD_BUG_ON(!__builtin_constant_p(res));
+ ^
+ include/linux/build_bug.h:50:2: note: expanded from macro 'BUILD_BUG_ON'
+ BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
+ ^
+ include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
+ #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
+ ^
+ include/linux/compiler_types.h:352:2: note: expanded from macro 'compiletime_assert'
+ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ ^
+ include/linux/compiler_types.h:340:2: note: expanded from macro '_compiletime_assert'
+ __compiletime_assert(condition, msg, prefix, suffix)
+ ^
+ include/linux/compiler_types.h:333:4: note: expanded from macro '__compiletime_assert'
+ prefix ## suffix(); \
+ ^
+ :185:1: note: expanded from here
+ __compiletime_assert_239
+
+Originally it was attributed to s390, which now looks seemingly wrong. The
+issue is not related to bitmap code itself, but it breaks build for a given
+configuration.
+
+Disabling the const_eval test under that config may potentially hide other
+bugs. Instead, workaround it by disabling GCOV for the test_bitmap unless
+the compiler will get fixed.
+
+[1] https://github.com/ClangBuiltLinux/linux/issues/1874
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202307171254.yFcH97ej-lkp@intel.com/
+Fixes: dc34d5036692 ("lib: test_bitmap: add compile-time optimization/evaluations assertions")
+Co-developed-by: Nathan Chancellor
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Yury Norov
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Alexander Lobakin
+Signed-off-by: Sasha Levin
+---
+ lib/Makefile | 6 ++++++
+ lib/test_bitmap.c | 8 ++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/lib/Makefile b/lib/Makefile
+index 59bd7c2f793a7..5ffe72ec99797 100644
+--- a/lib/Makefile
++++ b/lib/Makefile
+@@ -81,8 +81,14 @@ obj-$(CONFIG_TEST_STATIC_KEYS) += test_static_key_base.o
+ obj-$(CONFIG_TEST_DYNAMIC_DEBUG) += test_dynamic_debug.o
+ obj-$(CONFIG_TEST_PRINTF) += test_printf.o
+ obj-$(CONFIG_TEST_SCANF) += test_scanf.o
++
+ obj-$(CONFIG_TEST_BITMAP) += test_bitmap.o
+ obj-$(CONFIG_TEST_STRSCPY) += test_strscpy.o
++ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_KASAN),yy)
++# FIXME: Clang breaks test_bitmap_const_eval when KASAN and GCOV are enabled
++GCOV_PROFILE_test_bitmap.o := n
++endif
++
+ obj-$(CONFIG_TEST_UUID) += test_uuid.o
+ obj-$(CONFIG_TEST_XARRAY) += test_xarray.o
+ obj-$(CONFIG_TEST_MAPLE_TREE) += test_maple_tree.o
+diff --git a/lib/test_bitmap.c b/lib/test_bitmap.c
+index a8005ad3bd589..37a9108c4f588 100644
+--- a/lib/test_bitmap.c
++++ b/lib/test_bitmap.c
+@@ -1149,6 +1149,10 @@ static void __init test_bitmap_print_buf(void)
+ }
+ }
+
++/*
++ * FIXME: Clang breaks compile-time evaluations when KASAN and GCOV are enabled.
++ * To workaround it, GCOV is force-disabled in Makefile for this configuration.
++ */
+ static void __init test_bitmap_const_eval(void)
+ {
+ DECLARE_BITMAP(bitmap, BITS_PER_LONG);
+@@ -1174,11 +1178,7 @@ static void __init test_bitmap_const_eval(void)
+ * the compiler is fixed.
+ */
+ bitmap_clear(bitmap, 0, BITS_PER_LONG);
+-#if defined(__s390__) && defined(__clang__)
+- if (!const_test_bit(7, bitmap))
+-#else
+ if (!test_bit(7, bitmap))
+-#endif
+ bitmap_set(bitmap, 5, 2);
+
+ /* Equals to `unsigned long bitopvar = BIT(20)` */
+--
+2.40.1
+
diff --git a/queue-6.1/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch b/queue-6.1/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch
new file mode 100644
index 00000000000..cb6ee4d92a1
--- /dev/null
+++ b/queue-6.1/misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch
@@ -0,0 +1,88 @@
+From 5e24b7b5e945a641369958edfd71c404bc1737c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 08:56:19 +0000
+Subject: mISDN: hfcpci: Fix potential deadlock on &hc->lock
+
+From: Chengfeng Ye
+
+[ Upstream commit 56c6be35fcbed54279df0a2c9e60480a61841d6f ]
+
+As &hc->lock is acquired by both timer _hfcpci_softirq() and hardirq
+hfcpci_int(), the timer should disable irq before lock acquisition
+otherwise deadlock could happen if the timmer is preemtped by the hadr irq.
+
+Possible deadlock scenario:
+hfcpci_softirq() (timer)
+ -> _hfcpci_softirq()
+ -> spin_lock(&hc->lock);
+
+ -> hfcpci_int()
+ -> spin_lock(&hc->lock); (deadlock here)
+
+This flaw was found by an experimental static analysis tool I am developing
+for irq-related deadlock.
+
+The tentative patch fixes the potential deadlock by spin_lock_irq()
+in timer.
+
+Fixes: b36b654a7e82 ("mISDN: Create /sys/class/mISDN")
+Signed-off-by: Chengfeng Ye
+Link: https://lore.kernel.org/r/20230727085619.7419-1-dg573847474@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/hardware/mISDN/hfcpci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
+index c0331b2680108..fe391de1aba32 100644
+--- a/drivers/isdn/hardware/mISDN/hfcpci.c
++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
+@@ -839,7 +839,7 @@ hfcpci_fill_fifo(struct bchannel *bch)
+ *z1t = cpu_to_le16(new_z1); /* now send data */
+ if (bch->tx_idx < bch->tx_skb->len)
+ return;
+- dev_kfree_skb(bch->tx_skb);
++ dev_kfree_skb_any(bch->tx_skb);
+ if (get_next_bframe(bch))
+ goto next_t_frame;
+ return;
+@@ -895,7 +895,7 @@ hfcpci_fill_fifo(struct bchannel *bch)
+ }
+ bz->za[new_f1].z1 = cpu_to_le16(new_z1); /* for next buffer */
+ bz->f1 = new_f1; /* next frame */
+- dev_kfree_skb(bch->tx_skb);
++ dev_kfree_skb_any(bch->tx_skb);
+ get_next_bframe(bch);
+ }
+
+@@ -1119,7 +1119,7 @@ tx_birq(struct bchannel *bch)
+ if (bch->tx_skb && bch->tx_idx < bch->tx_skb->len)
+ hfcpci_fill_fifo(bch);
+ else {
+- dev_kfree_skb(bch->tx_skb);
++ dev_kfree_skb_any(bch->tx_skb);
+ if (get_next_bframe(bch))
+ hfcpci_fill_fifo(bch);
+ }
+@@ -2277,7 +2277,7 @@ _hfcpci_softirq(struct device *dev, void *unused)
+ return 0;
+
+ if (hc->hw.int_m2 & HFCPCI_IRQ_ENABLE) {
+- spin_lock(&hc->lock);
++ spin_lock_irq(&hc->lock);
+ bch = Sel_BCS(hc, hc->hw.bswapped ? 2 : 1);
+ if (bch && bch->state == ISDN_P_B_RAW) { /* B1 rx&tx */
+ main_rec_hfcpci(bch);
+@@ -2288,7 +2288,7 @@ _hfcpci_softirq(struct device *dev, void *unused)
+ main_rec_hfcpci(bch);
+ tx_birq(bch);
+ }
+- spin_unlock(&hc->lock);
++ spin_unlock_irq(&hc->lock);
+ }
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-6.1/net-add-missing-data-race-annotation-for-sk_ll_usec.patch b/queue-6.1/net-add-missing-data-race-annotation-for-sk_ll_usec.patch
new file mode 100644
index 00000000000..6db63e37e75
--- /dev/null
+++ b/queue-6.1/net-add-missing-data-race-annotation-for-sk_ll_usec.patch
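Review bot: `spin_unlock_irq()` in `_hfcpci_softirq()` re-enables interrupts unconditionally, so the new locking is only right if this function is never entered with interrupts already disabled. The commit message says it runs from a timer, which fits, but the callers are outside these hunks; `spin_lock_irqsave(&hc->lock, flags);` paired with `spin_unlock_irqrestore(&hc->lock, flags);` would not depend on that. The three `dev_kfree_skb()` to `dev_kfree_skb_any()` replacements in `hfcpci_fill_fifo()` and `tx_birq()` are presumably needed because those paths now run with IRQs off; a short comment at one of them saying so would stop a later cleanup from reverting them.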
@@ -0,0 +1,36 @@
+From 0e07071ee1f159362c193adc7fc00205b7909eb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:17 +0000
+Subject: net: add missing data-race annotation for sk_ll_usec
+
+From: Eric Dumazet
+
+[ Upstream commit e5f0d2dd3c2faa671711dac6d3ff3cef307bcfe3 ]
+
+In a prior commit I forgot that sk_getsockopt() reads
+sk->sk_ll_usec without holding a lock.
+
+Fixes: 0dbffbb5335a ("net: annotate data race around sk_ll_usec")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 61bbe6263f98e..ff52d51dfe2c5 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1845,7 +1845,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ case SO_BUSY_POLL:
+- v.val = sk->sk_ll_usec;
++ v.val = READ_ONCE(sk->sk_ll_usec);
+ break;
+ case SO_PREFER_BUSY_POLL:
+ v.val = READ_ONCE(sk->sk_prefer_busy_poll);
+--
+2.40.1
+
diff --git a/queue-6.1/net-add-missing-data-race-annotations-around-sk-sk_p.patch b/queue-6.1/net-add-missing-data-race-annotations-around-sk-sk_p.patch
new file mode 100644
index 00000000000..c8287cf27d2
--- /dev/null
+++ b/queue-6.1/net-add-missing-data-race-annotations-around-sk-sk_p.patch
@@ -0,0 +1,63 @@
+From 9b95590e4bfa31cce58ceb99de433948d7732510 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:16 +0000
+Subject: net: add missing data-race annotations around sk->sk_peek_off
+
+From: Eric Dumazet
+
+[ Upstream commit 11695c6e966b0ec7ed1d16777d294cef865a5c91 ]
+
+sk_getsockopt() runs locklessly, thus we need to annotate the read
+of sk->sk_peek_off.
+
+While we are at it, add corresponding annotations to sk_set_peek_off()
+and unix_set_peek_off().
+
+Fixes: b9bb53f3836f ("sock: convert sk_peek_offset functions to WRITE_ONCE")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 4 ++--
+ net/unix/af_unix.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 4dd13d34e4740..61bbe6263f98e 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1815,7 +1815,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ if (!sock->ops->set_peek_off)
+ return -EOPNOTSUPP;
+
+- v.val = sk->sk_peek_off;
++ v.val = READ_ONCE(sk->sk_peek_off);
+ break;
+ case SO_NOFCS:
+ v.val = sock_flag(sk, SOCK_NOFCS);
+@@ -3119,7 +3119,7 @@ EXPORT_SYMBOL(__sk_mem_reclaim);
+
+ int sk_set_peek_off(struct sock *sk, int val)
+ {
+- sk->sk_peek_off = val;
++ WRITE_ONCE(sk->sk_peek_off, val);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(sk_set_peek_off);
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 5b19b6c53a2cb..78fa620a63981 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -779,7 +779,7 @@ static int unix_set_peek_off(struct sock *sk, int val)
+ if (mutex_lock_interruptible(&u->iolock))
+ return -EINTR;
+
+- sk->sk_peek_off = val;
++ WRITE_ONCE(sk->sk_peek_off, val);
+ mutex_unlock(&u->iolock);
+
+ return 0;
+--
+2.40.1
+
diff --git a/queue-6.1/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch b/queue-6.1/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch
new file mode 100644
index 00000000000..059e720388f
--- /dev/null
+++ b/queue-6.1/net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch
@@ -0,0 +1,36 @@
+From a44a1d7d7d029cb3add71d4326f5072132928f44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:14 +0000
+Subject: net: add missing READ_ONCE(sk->sk_rcvbuf) annotation
+
+From: Eric Dumazet
+
+[ Upstream commit b4b553253091cafe9ec38994acf42795e073bef5 ]
+
+In a prior commit, I forgot to change sk_getsockopt()
+when reading sk->sk_rcvbuf locklessly.
+
+Fixes: ebb3b78db7bf ("tcp: annotate sk->sk_rcvbuf lockless reads")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 04306ccdf9081..1a2ec2c4cfe26 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1628,7 +1628,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ break;
+
+ case SO_RCVBUF:
+- v.val = sk->sk_rcvbuf;
++ v.val = READ_ONCE(sk->sk_rcvbuf);
+ break;
+
+ case SO_REUSEADDR:
+--
+2.40.1
+
diff --git a/queue-6.1/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch b/queue-6.1/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch
new file mode 100644
index 00000000000..cf4791c39df
--- /dev/null
+++ b/queue-6.1/net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch
@@ -0,0 +1,36 @@
+From ee7a3b7c306392673a303225f1dab542af0eb85e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:11 +0000
+Subject: net: add missing READ_ONCE(sk->sk_rcvlowat) annotation
+
+From: Eric Dumazet
+
+[ Upstream commit e6d12bdb435d23ff6c1890c852d85408a2f496ee ]
+
+In a prior commit, I forgot to change sk_getsockopt()
+when reading sk->sk_rcvlowat locklessly.
+
+Fixes: eac66402d1c3 ("net: annotate sk->sk_rcvlowat lockless reads")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 86e88de1238b1..1b1fe67b94d4f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1717,7 +1717,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ break;
+
+ case SO_RCVLOWAT:
+- v.val = sk->sk_rcvlowat;
++ v.val = READ_ONCE(sk->sk_rcvlowat);
+ break;
+
+ case SO_SNDLOWAT:
+--
+2.40.1
+
diff --git a/queue-6.1/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch b/queue-6.1/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch
new file mode 100644
index 00000000000..f1cae078933
--- /dev/null
+++ b/queue-6.1/net-add-missing-read_once-sk-sk_sndbuf-annotation.patch
@@ -0,0 +1,36 @@
+From c6e4c79966a888f2cb0ae2a34b90553e02ee30e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:13 +0000
+Subject: net: add missing READ_ONCE(sk->sk_sndbuf) annotation
+
+From: Eric Dumazet
+
+[ Upstream commit 74bc084327c643499474ba75df485607da37dd6e ]
+
+In a prior commit, I forgot to change sk_getsockopt()
+when reading sk->sk_sndbuf locklessly.
+
+Fixes: e292f05e0df7 ("tcp: annotate sk->sk_sndbuf lockless reads")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1b1fe67b94d4f..04306ccdf9081 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1624,7 +1624,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ break;
+
+ case SO_SNDBUF:
+- v.val = sk->sk_sndbuf;
++ v.val = READ_ONCE(sk->sk_sndbuf);
+ break;
+
+ case SO_RCVBUF:
+--
+2.40.1
+
diff --git a/queue-6.1/net-annotate-data-race-around-sk-sk_txrehash.patch b/queue-6.1/net-annotate-data-race-around-sk-sk_txrehash.patch
new file mode 100644
index 00000000000..881ef3acd50
--- /dev/null
+++ b/queue-6.1/net-annotate-data-race-around-sk-sk_txrehash.patch
@@ -0,0 +1,52 @@
+From d9f44a6f07319eb5d4120c8201995b917682b036 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:09 +0000
+Subject: net: annotate data-race around sk->sk_txrehash
+
+From: Eric Dumazet
+
+[ Upstream commit c76a0328899bbe226f8adeb88b8da9e4167bd316 ]
+
+sk_getsockopt() runs locklessly. This means sk->sk_txrehash
+can be read while other threads are changing its value.
+
+Other locations were handled in commit cb6cd2cec799
+("tcp: Change SYN ACK retransmit behaviour to account for rehash")
+
+Fixes: 26859240e4ee ("txhash: Add socket option to control TX hash rethink behavior")
+Signed-off-by: Eric Dumazet
+Cc: Akhmat Karakotov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 9483820833c5b..77abd69c56dde 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1521,7 +1521,9 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ }
+ if ((u8)val == SOCK_TXREHASH_DEFAULT)
+ val = READ_ONCE(sock_net(sk)->core.sysctl_txrehash);
+- /* Paired with READ_ONCE() in tcp_rtx_synack() */
++ /* Paired with READ_ONCE() in tcp_rtx_synack()
++ * and sk_getsockopt().
++ */
+ WRITE_ONCE(sk->sk_txrehash, (u8)val);
+ break;
+
+@@ -1927,7 +1929,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ break;
+
+ case SO_TXREHASH:
+- v.val = sk->sk_txrehash;
++ /* Paired with WRITE_ONCE() in sk_setsockopt() */
++ v.val = READ_ONCE(sk->sk_txrehash);
+ break;
+
+ default:
+--
+2.40.1
+
diff --git a/queue-6.1/net-annotate-data-races-around-sk-sk_mark.patch b/queue-6.1/net-annotate-data-races-around-sk-sk_mark.patch
new file mode 100644
index 00000000000..6f7be8f0fdb
--- /dev/null
+++ b/queue-6.1/net-annotate-data-races-around-sk-sk_mark.patch
@@ -0,0 +1,448 @@
+From 5dbd00280b6ba2dd2bda088bc571582836890cd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:15 +0000
+Subject: net: annotate data-races around sk->sk_mark
+
+From: Eric Dumazet
+
+[ Upstream commit 3c5b4d69c358a9275a8de98f87caf6eda644b086 ]
+
+sk->sk_mark is often read while another thread could change the value.
+
+Fixes: 4a19ec5800fc ("[NET]: Introducing socket mark socket option.")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/inet_sock.h | 7 ++++---
+ include/net/ip.h | 2 +-
+ include/net/route.h | 4 ++--
+ net/core/sock.c | 4 ++--
+ net/dccp/ipv6.c | 4 ++--
+ net/ipv4/inet_diag.c | 4 ++--
+ net/ipv4/ip_output.c | 4 ++--
+ net/ipv4/route.c | 4 ++--
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv6/ping.c | 2 +-
+ net/ipv6/raw.c | 4 ++--
+ net/ipv6/route.c | 7 ++++---
+ net/ipv6/tcp_ipv6.c | 6 +++---
+ net/ipv6/udp.c | 4 ++--
+ net/l2tp/l2tp_ip6.c | 2 +-
+ net/mptcp/sockopt.c | 2 +-
+ net/netfilter/nft_socket.c | 2 +-
+ net/netfilter/xt_socket.c | 4 ++--
+ net/packet/af_packet.c | 6 +++---
+ net/smc/af_smc.c | 2 +-
+ net/xdp/xsk.c | 2 +-
+ net/xfrm/xfrm_policy.c | 2 +-
+ 22 files changed, 41 insertions(+), 39 deletions(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index 51857117ac099..c8ef3b881f03d 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -107,11 +107,12 @@ static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk)
+
+ static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff *skb)
+ {
+- if (!sk->sk_mark &&
+- READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept))
++ u32 mark = READ_ONCE(sk->sk_mark);
++
++ if (!mark && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept))
+ return skb->mark;
+
+- return sk->sk_mark;
++ return mark;
+ }
+
+ static inline int inet_request_bound_dev_if(const struct sock *sk,
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 83a1a9bc3ceb1..530e7257e4389 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -93,7 +93,7 @@ static inline void ipcm_init_sk(struct ipcm_cookie *ipcm,
+ {
+ ipcm_init(ipcm);
+
+- ipcm->sockc.mark = inet->sk.sk_mark;
++ ipcm->sockc.mark = READ_ONCE(inet->sk.sk_mark);
+ ipcm->sockc.tsflags = inet->sk.sk_tsflags;
+ ipcm->oif = READ_ONCE(inet->sk.sk_bound_dev_if);
+ ipcm->addr = inet->inet_saddr;
+diff --git a/include/net/route.h b/include/net/route.h
+index fe00b0a2e4759..af8431b25f800 100644
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -171,7 +171,7 @@ static inline struct rtable *ip_route_output_ports(struct net *net, struct flowi
+ __be16 dport, __be16 sport,
+ __u8 proto, __u8 tos, int oif)
+ {
+- flowi4_init_output(fl4, oif, sk ? sk->sk_mark : 0, tos,
++ flowi4_init_output(fl4, oif, sk ? READ_ONCE(sk->sk_mark) : 0, tos,
+ RT_SCOPE_UNIVERSE, proto,
+ sk ? inet_sk_flowi_flags(sk) : 0,
+ daddr, saddr, dport, sport, sock_net_uid(net, sk));
+@@ -304,7 +304,7 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst,
+ if (inet_sk(sk)->transparent)
+ flow_flags |= FLOWI_FLAG_ANYSRC;
+
+- flowi4_init_output(fl4, oif, sk->sk_mark, ip_sock_rt_tos(sk),
++ flowi4_init_output(fl4, oif, READ_ONCE(sk->sk_mark), ip_sock_rt_tos(sk),
+ ip_sock_rt_scope(sk), protocol, flow_flags, dst,
+ src, dport, sport, sk->sk_uid);
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1a2ec2c4cfe26..4dd13d34e4740 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -977,7 +977,7 @@ EXPORT_SYMBOL(sock_set_rcvbuf);
+ static void __sock_set_mark(struct sock *sk, u32 val)
+ {
+ if (val != sk->sk_mark) {
+- sk->sk_mark = val;
++ WRITE_ONCE(sk->sk_mark, val);
+ sk_dst_reset(sk);
+ }
+ }
+@@ -1796,7 +1796,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ return security_socket_getpeersec_stream(sock, optval.user, optlen.user, len);
+
+ case SO_MARK:
+- v.val = sk->sk_mark;
++ v.val = READ_ONCE(sk->sk_mark);
+ break;
+
+ case SO_RCVMARK:
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index c0fd8f5f3b94e..b51ce6f8ceba0 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -237,8 +237,8 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req
+ opt = ireq->ipv6_opt;
+ if (!opt)
+ opt = rcu_dereference(np->opt);
+- err = ip6_xmit(sk, skb, &fl6, sk->sk_mark, opt, np->tclass,
+- sk->sk_priority);
++ err = ip6_xmit(sk, skb, &fl6, READ_ONCE(sk->sk_mark), opt,
++ np->tclass, sk->sk_priority);
+ rcu_read_unlock();
+ err = net_xmit_eval(err);
+ }
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index b812eb36f0e36..f7426926a1041 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -150,7 +150,7 @@ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+ }
+ #endif
+
+- if (net_admin && nla_put_u32(skb, INET_DIAG_MARK, sk->sk_mark))
++ if (net_admin && nla_put_u32(skb, INET_DIAG_MARK, READ_ONCE(sk->sk_mark)))
+ goto errout;
+
+ if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
+@@ -799,7 +799,7 @@ int inet_diag_bc_sk(const struct nlattr *bc, struct sock *sk)
+ entry.ifindex = sk->sk_bound_dev_if;
+ entry.userlocks = sk_fullsock(sk) ? sk->sk_userlocks : 0;
+ if (sk_fullsock(sk))
+- entry.mark = sk->sk_mark;
++ entry.mark = READ_ONCE(sk->sk_mark);
+ else if (sk->sk_state == TCP_NEW_SYN_RECV)
+ entry.mark = inet_rsk(inet_reqsk(sk))->ir_mark;
+ else if (sk->sk_state == TCP_TIME_WAIT)
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 7b4ab545c06e0..99d8cdbfd9ab5 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -184,7 +184,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
+
+ skb->priority = sk->sk_priority;
+ if (!skb->mark)
+- skb->mark = sk->sk_mark;
++ skb->mark = READ_ONCE(sk->sk_mark);
+
+ /* Send it out. */
+ return ip_local_out(net, skb->sk, skb);
+@@ -527,7 +527,7 @@ int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
+
+ /* TODO : should we use skb->sk here instead of sk ? */
+ skb->priority = sk->sk_priority;
+- skb->mark = sk->sk_mark;
++ skb->mark = READ_ONCE(sk->sk_mark);
+
+ res = ip_local_out(net, sk, skb);
+ rcu_read_unlock();
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index cd1fa9f70f1a1..51bd9a50a1d1d 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -518,7 +518,7 @@ static void __build_flow_key(const struct net *net, struct flowi4 *fl4,
+ const struct inet_sock *inet = inet_sk(sk);
+
+ oif = sk->sk_bound_dev_if;
+- mark = sk->sk_mark;
++ mark = READ_ONCE(sk->sk_mark);
+ tos = ip_sock_rt_tos(sk);
+ scope = ip_sock_rt_scope(sk);
+ prot = inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol;
+@@ -552,7 +552,7 @@ static void build_sk_flow_key(struct flowi4 *fl4, const struct sock *sk)
+ inet_opt = rcu_dereference(inet->inet_opt);
+ if (inet_opt && inet_opt->opt.srr)
+ daddr = inet_opt->opt.faddr;
+- flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
++ flowi4_init_output(fl4, sk->sk_bound_dev_if, READ_ONCE(sk->sk_mark),
+ ip_sock_rt_tos(sk) & IPTOS_RT_MASK,
+ ip_sock_rt_scope(sk),
+ inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 9a8d59e9303a0..23b4f93afb28d 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -931,7 +931,7 @@ static void tcp_v4_send_ack(const struct sock *sk,
+ ctl_sk = this_cpu_read(ipv4_tcp_sk);
+ sock_net_set(ctl_sk, net);
+ ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
+- inet_twsk(sk)->tw_mark : sk->sk_mark;
++ inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark);
+ ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
+ inet_twsk(sk)->tw_priority : sk->sk_priority;
+ transmit_time = tcp_transmit_time(sk);
+diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
+index 4651aaf70db4f..4d5a27dd9a4b2 100644
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -120,7 +120,7 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+
+ ipcm6_init_sk(&ipc6, np);
+ ipc6.sockc.tsflags = sk->sk_tsflags;
+- ipc6.sockc.mark = sk->sk_mark;
++ ipc6.sockc.mark = READ_ONCE(sk->sk_mark);
+
+ fl6.flowi6_oif = oif;
+
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index 33852fc38ad91..e8675e5b5d00b 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -772,12 +772,12 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ */
+ memset(&fl6, 0, sizeof(fl6));
+
+- fl6.flowi6_mark = sk->sk_mark;
++ fl6.flowi6_mark = READ_ONCE(sk->sk_mark);
+ fl6.flowi6_uid = sk->sk_uid;
+
+ ipcm6_init(&ipc6);
+ ipc6.sockc.tsflags = sk->sk_tsflags;
+- ipc6.sockc.mark = sk->sk_mark;
++ ipc6.sockc.mark = fl6.flowi6_mark;
+
+ if (sin6) {
+ if (addr_len < SIN6_LEN_RFC2133)
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 0b060cb8681f0..960ab43a49c46 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2952,7 +2952,8 @@ void ip6_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, __be32 mtu)
+ if (!oif && skb->dev)
+ oif = l3mdev_master_ifindex(skb->dev);
+
+- ip6_update_pmtu(skb, sock_net(sk), mtu, oif, sk->sk_mark, sk->sk_uid);
++ ip6_update_pmtu(skb, sock_net(sk), mtu, oif, READ_ONCE(sk->sk_mark),
++ sk->sk_uid);
+
+ dst = __sk_dst_get(sk);
+ if (!dst || !dst->obsolete ||
+@@ -3173,8 +3174,8 @@ void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif)
+
+ void ip6_sk_redirect(struct sk_buff *skb, struct sock *sk)
+ {
+- ip6_redirect(skb, sock_net(sk), sk->sk_bound_dev_if, sk->sk_mark,
+- sk->sk_uid);
++ ip6_redirect(skb, sock_net(sk), sk->sk_bound_dev_if,
++ READ_ONCE(sk->sk_mark), sk->sk_uid);
+ }
+ EXPORT_SYMBOL_GPL(ip6_sk_redirect);
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index d9253aa764fae..039aa51390aed 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -567,8 +567,8 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
+ opt = ireq->ipv6_opt;
+ if (!opt)
+ opt = rcu_dereference(np->opt);
+- err = ip6_xmit(sk, skb, fl6, skb->mark ? : sk->sk_mark, opt,
+- tclass, sk->sk_priority);
++ err = ip6_xmit(sk, skb, fl6, skb->mark ? : READ_ONCE(sk->sk_mark),
++ opt, tclass, sk->sk_priority);
+ rcu_read_unlock();
+ err = net_xmit_eval(err);
+ }
+@@ -943,7 +943,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
+ if (sk->sk_state == TCP_TIME_WAIT)
+ mark = inet_twsk(sk)->tw_mark;
+ else
+- mark = sk->sk_mark;
++ mark = READ_ONCE(sk->sk_mark);
+ skb_set_delivery_time(buff, tcp_transmit_time(sk), true);
+ }
+ if (txhash) {
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 04f1d696503cd..27348172b25b9 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -622,7 +622,7 @@ int __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+ if (type == NDISC_REDIRECT) {
+ if (tunnel) {
+ ip6_redirect(skb, sock_net(sk), inet6_iif(skb),
+- sk->sk_mark, sk->sk_uid);
++ READ_ONCE(sk->sk_mark), sk->sk_uid);
+ } else {
+ ip6_sk_redirect(skb, sk);
+ }
+@@ -1350,7 +1350,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ ipcm6_init(&ipc6);
+ ipc6.gso_size = READ_ONCE(up->gso_size);
+ ipc6.sockc.tsflags = sk->sk_tsflags;
+- ipc6.sockc.mark = sk->sk_mark;
++ ipc6.sockc.mark = READ_ONCE(sk->sk_mark);
+
+ /* destination address check */
+ if (sin6) {
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 5137ea1861ce2..bce4132b0a5c8 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -519,7 +519,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ /* Get and verify the address */
+ memset(&fl6, 0, sizeof(fl6));
+
+- fl6.flowi6_mark = sk->sk_mark;
++ fl6.flowi6_mark = READ_ONCE(sk->sk_mark);
+ fl6.flowi6_uid = sk->sk_uid;
+
+ ipcm6_init(&ipc6);
+diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c
+index 696ba398d699a..937bd4c556151 100644
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -102,7 +102,7 @@ static void mptcp_sol_socket_sync_intval(struct mptcp_sock *msk, int optname, in
+ break;
+ case SO_MARK:
+ if (READ_ONCE(ssk->sk_mark) != sk->sk_mark) {
+- ssk->sk_mark = sk->sk_mark;
++ WRITE_ONCE(ssk->sk_mark, sk->sk_mark);
+ sk_dst_reset(ssk);
+ }
+ break;
+diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
+index 49a5348a6a14f..777561b71fcbd 100644
+--- a/net/netfilter/nft_socket.c
++++ b/net/netfilter/nft_socket.c
+@@ -107,7 +107,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
+ break;
+ case NFT_SOCKET_MARK:
+ if (sk_fullsock(sk)) {
+- *dest = sk->sk_mark;
++ *dest = READ_ONCE(sk->sk_mark);
+ } else {
+ regs->verdict.code = NFT_BREAK;
+ return;
+diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
+index 7013f55f05d1e..76e01f292aaff 100644
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -77,7 +77,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
+
+ if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+ transparent && sk_fullsock(sk))
+- pskb->mark = sk->sk_mark;
++ pskb->mark = READ_ONCE(sk->sk_mark);
+
+ if (sk != skb->sk)
+ sock_gen_put(sk);
+@@ -138,7 +138,7 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
+
+ if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+ transparent && sk_fullsock(sk))
+- pskb->mark = sk->sk_mark;
++ pskb->mark = READ_ONCE(sk->sk_mark);
+
+ if (sk != skb->sk)
+ sock_gen_put(sk);
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 6ab9d5b543387..30a28c1ff928a 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2053,7 +2053,7 @@ static int packet_sendmsg_spkt(struct socket *sock, struct msghdr *msg,
+ skb->protocol = proto;
+ skb->dev = dev;
+ skb->priority = sk->sk_priority;
+- skb->mark = sk->sk_mark;
++ skb->mark = READ_ONCE(sk->sk_mark);
+ skb->tstamp = sockc.transmit_time;
+
+ skb_setup_tx_timestamp(skb, sockc.tsflags);
+@@ -2576,7 +2576,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
+ skb->protocol = proto;
+ skb->dev = dev;
+ skb->priority = po->sk.sk_priority;
+- skb->mark = po->sk.sk_mark;
++ skb->mark = READ_ONCE(po->sk.sk_mark);
+ skb->tstamp = sockc->transmit_time;
+ skb_setup_tx_timestamp(skb, sockc->tsflags);
+ skb_zcopy_set_nouarg(skb, ph.raw);
+@@ -2978,7 +2978,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out_unlock;
+
+ sockcm_init(&sockc, sk);
+- sockc.mark = sk->sk_mark;
++ sockc.mark = READ_ONCE(sk->sk_mark);
+ if (msg->msg_controllen) {
+ err = sock_cmsg_send(sk, msg, &sockc);
+ if (unlikely(err))
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 02d1daae77397..5ae0a54a823b5 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -447,7 +447,7 @@ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,
+ nsk->sk_rcvbuf = osk->sk_rcvbuf;
+ nsk->sk_sndtimeo = osk->sk_sndtimeo;
+ nsk->sk_rcvtimeo = osk->sk_rcvtimeo;
+- nsk->sk_mark = osk->sk_mark;
++ nsk->sk_mark = READ_ONCE(osk->sk_mark);
+ nsk->sk_priority = osk->sk_priority;
+ nsk->sk_rcvlowat = osk->sk_rcvlowat;
+ nsk->sk_bound_dev_if = osk->sk_bound_dev_if;
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 371d269d22fa0..22bf10ffbf2d1 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -504,7 +504,7 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
+
+ skb->dev = dev;
+ skb->priority = xs->sk.sk_priority;
+- skb->mark = xs->sk.sk_mark;
++ skb->mark = READ_ONCE(xs->sk.sk_mark);
+ skb_shinfo(skb)->destructor_arg = (void *)(long)desc->addr;
+ skb->destructor = xsk_destruct_skb;
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 7b1b93584bdbe..e65de78cb61bf 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2174,7 +2174,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+
+ match = xfrm_selector_match(&pol->selector, fl, family);
+ if (match) {
+- if ((sk->sk_mark & pol->mark.m) != pol->mark.v ||
++ if ((READ_ONCE(sk->sk_mark) & pol->mark.m) != pol->mark.v ||
+ pol->if_id != if_id) {
+ pol = NULL;
+ goto out;
+--
+2.40.1
+
diff --git a/queue-6.1/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch b/queue-6.1/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch
new file mode 100644
index 00000000000..63ccc46b2ed
--- /dev/null
+++ b/queue-6.1/net-annotate-data-races-around-sk-sk_max_pacing_rate.patch
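Review bot: In the sk_mark patch, `__sock_set_mark()` in net/core/sock.c and `mptcp_sol_socket_sync_intval()` in net/mptcp/sockopt.c still load `sk->sk_mark` with a plain read directly beside the new WRITE_ONCE(), and neither hunk says why that is safe. Presumably the writer holds the socket lock there, so only the store needs marking, but unlike the sk_txrehash and sk_max_pacing_rate patches in this queue no pairing comment records it. I would add `/* Writer holds the socket lock; pairs with READ_ONCE() in lockless readers such as sk_getsockopt() */` above both stores. mptcp_sol_socket_sync_intval() starts and ends outside its hunk, so the locking cannot be confirmed from here.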
@@ -0,0 +1,54 @@
+From 5fcb8c80a018f607a757b99ea388392719b840fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:10 +0000
+Subject: net: annotate data-races around sk->sk_max_pacing_rate
+
+From: Eric Dumazet
+
+[ Upstream commit ea7f45ef77b39e72244d282e47f6cb1ef4135cd2 ]
+
+sk_getsockopt() runs locklessly. This means sk->sk_max_pacing_rate
+can be read while other threads are changing its value.
+
+Fixes: 62748f32d501 ("net: introduce SO_MAX_PACING_RATE")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 77abd69c56dde..86e88de1238b1 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1426,7 +1426,8 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ cmpxchg(&sk->sk_pacing_status,
+ SK_PACING_NONE,
+ SK_PACING_NEEDED);
+- sk->sk_max_pacing_rate = ulval;
++ /* Pairs with READ_ONCE() from sk_getsockopt() */
++ WRITE_ONCE(sk->sk_max_pacing_rate, ulval);
+ sk->sk_pacing_rate = min(sk->sk_pacing_rate, ulval);
+ break;
+ }
+@@ -1852,12 +1853,14 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ #endif
+
+ case SO_MAX_PACING_RATE:
++ /* The READ_ONCE() pair with the WRITE_ONCE() in sk_setsockopt() */
+ if (sizeof(v.ulval) != sizeof(v.val) && len >= sizeof(v.ulval)) {
+ lv = sizeof(v.ulval);
+- v.ulval = sk->sk_max_pacing_rate;
++ v.ulval = READ_ONCE(sk->sk_max_pacing_rate);
+ } else {
+ /* 32bit version */
+- v.val = min_t(unsigned long, sk->sk_max_pacing_rate, ~0U);
++ v.val = min_t(unsigned long, ~0U,
++ READ_ONCE(sk->sk_max_pacing_rate));
+ }
+ break;
+
+--
+2.40.1
+
diff --git a/queue-6.1/net-annotate-data-races-around-sk-sk_priority.patch b/queue-6.1/net-annotate-data-races-around-sk-sk_priority.patch
new file mode 100644
index 00000000000..fdd204c51c1
--- /dev/null
+++ b/queue-6.1/net-annotate-data-races-around-sk-sk_priority.patch
@@ -0,0 +1,184 @@
+From 611a82c13b8950e982678b0b03fd71566557b672 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 15:03:18 +0000
+Subject: net: annotate data-races around sk->sk_priority
+
+From: Eric Dumazet
+
+[ Upstream commit 8bf43be799d4b242ea552a14db10456446be843e ]
+
+sk_getsockopt() runs locklessly. This means sk->sk_priority
+can be read while other threads are changing its value.
+
+Other reads also happen without socket lock being held.
+
+Add missing annotations where needed.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 6 +++---
+ net/ipv4/ip_output.c | 4 ++--
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/raw.c | 2 +-
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 3 ++-
+ net/packet/af_packet.c | 6 +++---
+ 8 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index ff52d51dfe2c5..3b5304f084ef3 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -800,7 +800,7 @@ EXPORT_SYMBOL(sock_no_linger);
+ void sock_set_priority(struct sock *sk, u32 priority)
+ {
+ lock_sock(sk);
+- sk->sk_priority = priority;
++ WRITE_ONCE(sk->sk_priority, priority);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(sock_set_priority);
+@@ -1203,7 +1203,7 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ if ((val >= 0 && val <= 6) ||
+ sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) ||
+ sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
+- sk->sk_priority = val;
++ WRITE_ONCE(sk->sk_priority, val);
+ else
+ ret = -EPERM;
+ break;
+@@ -1670,7 +1670,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname,
+ break;
+
+ case SO_PRIORITY:
+- v.val = sk->sk_priority;
++ v.val = READ_ONCE(sk->sk_priority);
+ break;
+
+ case SO_LINGER:
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 99d8cdbfd9ab5..acfe58d2f1dd7 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -182,7 +182,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
+ ip_options_build(skb, &opt->opt, daddr, rt);
+ }
+
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ if (!skb->mark)
+ skb->mark = READ_ONCE(sk->sk_mark);
+
+@@ -526,7 +526,7 @@ int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
+ skb_shinfo(skb)->gso_segs ?: 1);
+
+ /* TODO : should we use skb->sk here instead of sk ? */
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ skb->mark = READ_ONCE(sk->sk_mark);
+
+ res = ip_local_out(net, sk, skb);
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index a7fd035b5b4f9..63aa52becd880 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -591,7 +591,7 @@ void __ip_sock_set_tos(struct sock *sk, int val)
+ }
+ if (inet_sk(sk)->tos != val) {
+ inet_sk(sk)->tos = val;
+- sk->sk_priority = rt_tos2priority(val);
++ WRITE_ONCE(sk->sk_priority, rt_tos2priority(val));
+ sk_dst_reset(sk);
+ }
+ }
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 86197634dcf5d..639aa5abda9dd 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -346,7 +346,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
+ goto error;
+ skb_reserve(skb, hlen);
+
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ skb->mark = sockc->mark;
+ skb->tstamp = sockc->transmit_time;
+ skb_dst_set(skb, &rt->dst);
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 23b4f93afb28d..08921b96f9728 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -933,7 +933,7 @@ static void tcp_v4_send_ack(const struct sock *sk,
+ ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
+ inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark);
+ ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
+- inet_twsk(sk)->tw_priority : sk->sk_priority;
++ inet_twsk(sk)->tw_priority : READ_ONCE(sk->sk_priority);
+ transmit_time = tcp_transmit_time(sk);
+ ip_send_unicast_reply(ctl_sk,
+ skb, &TCP_SKB_CB(skb)->header.h4.opt,
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index e8675e5b5d00b..df3abd9e5237c 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -612,7 +612,7 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
+ skb_reserve(skb, hlen);
+
+ skb->protocol = htons(ETH_P_IPV6);
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ skb->mark = sockc->mark;
+ skb->tstamp = sockc->transmit_time;
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 039aa51390aed..4bdd356bb5c46 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1132,7 +1132,8 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
+ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if,
+ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index),
+- ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority,
++ ipv6_get_dsfield(ipv6_hdr(skb)), 0,
++ READ_ONCE(sk->sk_priority),
+ READ_ONCE(tcp_rsk(req)->txhash));
+ }
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 30a28c1ff928a..1681068400733 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2052,7 +2052,7 @@ static int packet_sendmsg_spkt(struct socket *sock, struct msghdr *msg,
+
+ skb->protocol = proto;
+ skb->dev = dev;
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ skb->mark = READ_ONCE(sk->sk_mark);
+ skb->tstamp = sockc.transmit_time;
+
+@@ -2575,7 +2575,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
+
+ skb->protocol = proto;
+ skb->dev = dev;
+- skb->priority = po->sk.sk_priority;
++ skb->priority = READ_ONCE(po->sk.sk_priority);
+ skb->mark = READ_ONCE(po->sk.sk_mark);
+ skb->tstamp = sockc->transmit_time;
+ skb_setup_tx_timestamp(skb, sockc->tsflags);
+@@ -3052,7 +3052,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+
+ skb->protocol = proto;
+ skb->dev = dev;
+- skb->priority = sk->sk_priority;
++ skb->priority = READ_ONCE(sk->sk_priority);
+ skb->mark = sockc.mark;
+ skb->tstamp = sockc.transmit_time;
+
+--
+2.40.1
+
diff --git a/queue-6.1/net-annotate-data-races-around-sk-sk_reserved_mem.patch b/queue-6.1/net-annotate-data-races-around-sk-sk_reserved_mem.patch
new file mode 100644
index 00000000000..5f6a878281c
--- /dev/null
+++ b/queue-6.1/net-annotate-data-races-around-sk-sk_reserved_mem.patch
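Review bot: Several plain reads of `sk->sk_priority` that appear as new-side lines of the sk_mark patch earlier in this queue are not covered by this sk_priority patch: `dccp_v6_send_response()` and `tcp_v6_send_synack()` still pass `sk->sk_priority` to ip6_xmit(), `xsk_build_skb()` assigns `skb->priority = xs->sk.sk_priority;`, and `smc_copy_sock_settings()` copies `osk->sk_priority`. The diffstat here lists none of net/dccp, net/xdp or net/smc, and the only net/ipv6/tcp_ipv6.c hunk is in tcp_v6_reqsk_send_ack(). If those paths can run while sk_setsockopt() stores a new priority, which the two send paths taking `const struct sock *sk` suggest, they need the same `READ_ONCE(sk->sk_priority)`. It is worth checking whether a later upstream commit covers them before treating the 6.1 backport of this series as complete.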
@@ -0,0 +1,58 @@ +From d1ee12009f4b548a460068a526403dfdd7fbf7ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 15:03:08 +0000 +Subject: net: annotate data-races around sk->sk_reserved_mem + +From: Eric Dumazet + +[ Upstream commit fe11fdcb4207907d80cda2e73777465d68131e66 ] + +sk_getsockopt() runs locklessly. This means sk->sk_reserved_mem +can be read while other threads are changing its value. + +Add missing annotations where they are needed. + +Fixes: 2bb2f5fb21b0 ("net: add new socket option SO_RESERVE_MEM") +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 0c1baa5517f11..9483820833c5b 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -996,7 +996,7 @@ static void sock_release_reserved_memory(struct sock *sk, int bytes) + bytes = round_down(bytes, PAGE_SIZE); + + WARN_ON(bytes > sk->sk_reserved_mem); +- sk->sk_reserved_mem -= bytes; ++ WRITE_ONCE(sk->sk_reserved_mem, sk->sk_reserved_mem - bytes); + sk_mem_reclaim(sk); + } + +@@ -1033,7 +1033,8 @@ static int sock_reserve_memory(struct sock *sk, int bytes) + } + sk->sk_forward_alloc += pages << PAGE_SHIFT; + +- sk->sk_reserved_mem += pages << PAGE_SHIFT; ++ WRITE_ONCE(sk->sk_reserved_mem, ++ sk->sk_reserved_mem + (pages << PAGE_SHIFT)); + + return 0; + } +@@ -1922,7 +1923,7 @@ int sk_getsockopt(struct sock *sk, int level, int optname, + break; + + case SO_RESERVE_MEM: +- v.val = sk->sk_reserved_mem; ++ v.val = READ_ONCE(sk->sk_reserved_mem); + break; + + case SO_TXREHASH: +-- +2.40.1 + diff --git a/queue-6.1/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch b/queue-6.1/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch new file mode 100644 index 00000000000..69214c62e68 --- /dev/null +++ b/queue-6.1/net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch 
@@ -0,0 +1,103 @@ +From 103ea9fe5e47c8b17a092e39bcd0598666961252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 09:32:48 +0800 +Subject: net: dcb: choose correct policy to parse DCB_ATTR_BCN + +From: Lin Ma + +[ Upstream commit 31d49ba033095f6e8158c60f69714a500922e0c3 ] + +The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], +which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB +BCN"). Please see the comment in below code + +static int dcbnl_bcn_setcfg(...) +{ + ... + ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. ) + // !!! dcbnl_pfc_up_nest for attributes + // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs + ... + for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) { + // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs + ... + value_byte = nla_get_u8(data[i]); + ... + } + ... + for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) { + // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs + ... + value_int = nla_get_u32(data[i]); + ... + } + ... +} + +That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest +attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the +following access code fetch each nlattr as dcbnl_bcn_attrs attributes. +By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find +the beginning part of these two policies are "same". + +static const struct nla_policy dcbnl_pfc_up_nest[...] = { + [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8}, + [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG}, +}; + +static const struct nla_policy dcbnl_bcn_nest[...] 
= { + [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8}, + [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG}, + // from here is somewhat different + [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32}, + ... + [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG}, +}; + +Therefore, the current code is buggy and this +nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use +the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0. + +Hence use the correct policy dcbnl_bcn_nest to parse the nested +tb[DCB_ATTR_BCN] TLV. + +Fixes: 859ee3c43812 ("DCB: Add support for DCB BCN") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dcb/dcbnl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c +index dc4fb699b56c3..d2981e89d3638 100644 +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -946,7 +946,7 @@ static int dcbnl_bcn_setcfg(struct net_device *netdev, struct nlmsghdr *nlh, + return -EOPNOTSUPP; + + ret = nla_parse_nested_deprecated(data, DCB_BCN_ATTR_MAX, +- tb[DCB_ATTR_BCN], dcbnl_pfc_up_nest, ++ tb[DCB_ATTR_BCN], dcbnl_bcn_nest, + NULL); + if (ret) + return ret; +-- +2.40.1 + diff --git a/queue-6.1/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch b/queue-6.1/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch new file mode 100644 index 00000000000..bf209b08295 --- /dev/null +++ b/queue-6.1/net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch 
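Review bot: Nothing in dcbnl_bcn_setcfg() ties the policy table to the `DCB_BCN_ATTR_MAX` bound handed to `nla_parse_nested_deprecated()`, so the mismatch this one-line change fixes can come back silently. The commit message describes the effect as the parser running past the end of `dcbnl_pfc_up_nest` into the adjacent policy, which amounts to an out-of-bounds read of the policy array while parsing a netlink request. A compile-time check next to the call, `BUILD_BUG_ON(ARRAY_SIZE(dcbnl_bcn_nest) != DCB_BCN_ATTR_MAX + 1);`, would pin the pairing, assuming the table is declared with that size (the message elides it as `[...]`). The function body continues outside the hunk.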
@@ -0,0 +1,52 @@
+From 15e361f53e5bdfbbf0fd78348b2e09dfada0baaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 01:05:06 +0800
+Subject: net: dsa: fix value check in bcm_sf2_sw_probe()
+
+From: Yuanjun Gong
+
+[ Upstream commit dadc5b86cc9459581f37fe755b431adc399ea393 ]
+
+in bcm_sf2_sw_probe(), check the return value of clk_prepare_enable()
+and return the error code if clk_prepare_enable() returns an
+unexpected value.
+
+Fixes: e9ec5c3bd238 ("net: dsa: bcm_sf2: request and handle clocks")
+Signed-off-by: Yuanjun Gong
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230726170506.16547-1-ruc_gongyuanjun@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/bcm_sf2.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index cde253d27bd08..72374b066f64a 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -1436,7 +1436,9 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->clk))
+ return PTR_ERR(priv->clk);
+
+- clk_prepare_enable(priv->clk);
++ ret = clk_prepare_enable(priv->clk);
++ if (ret)
++ return ret;
+
+ priv->clk_mdiv = devm_clk_get_optional(&pdev->dev, "sw_switch_mdiv");
+ if (IS_ERR(priv->clk_mdiv)) {
+@@ -1444,7 +1446,9 @@ static int bcm_sf2_sw_probe(struct platform_device *pdev)
+ goto out_clk;
+ }
+
+- clk_prepare_enable(priv->clk_mdiv);
++ ret = clk_prepare_enable(priv->clk_mdiv);
++ if (ret)
++ goto out_clk;
+
+ ret = bcm_sf2_sw_rst(priv);
+ if (ret) {
+--
+2.40.1
+
diff --git a/queue-6.1/net-korina-handle-clk-prepare-error-in-korina_probe.patch b/queue-6.1/net-korina-handle-clk-prepare-error-in-korina_probe.patch
new file mode 100644
index 00000000000..0776e9a159e
--- /dev/null
+++ b/queue-6.1/net-korina-handle-clk-prepare-error-in-korina_probe.patch
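Review bot: Both new error paths in bcm_sf2_sw_probe() fail silently, so a switch that does not probe because a clock could not be enabled leaves nothing in the log. Consider `return dev_err_probe(&pdev->dev, ret, "failed to enable sw_switch clock\n");` for the first check and a matching `dev_err()` before `goto out_clk;` for the second. The `out_clk` label and the rest of the unwind are outside the hunk, so I am assuming it disables only `priv->clk`, which is what the second path needs.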
@@ -0,0 +1,43 @@
+From 34ed6213354f37a0f6c4238053f5c3ba580e4cb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jul 2023 17:05:35 +0800
+Subject: net: korina: handle clk prepare error in korina_probe()
+
+From: Yuanjun Gong
+
+[ Upstream commit 0b6291ad1940c403734312d0e453e8dac9148f69 ]
+
+in korina_probe(), the return value of clk_prepare_enable()
+should be checked since it might fail. we can use
+devm_clk_get_optional_enabled() instead of devm_clk_get_optional()
+and clk_prepare_enable() to automatically handle the error.
+
+Fixes: e4cd854ec487 ("net: korina: Get mdio input clock via common clock framework")
+Signed-off-by: Yuanjun Gong
+Link: https://lore.kernel.org/r/20230731090535.21416-1-ruc_gongyuanjun@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/korina.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index 2b9335cb4bb3a..8537578e1cf1d 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -1302,11 +1302,10 @@ static int korina_probe(struct platform_device *pdev)
+ else if (of_get_ethdev_address(pdev->dev.of_node, dev) < 0)
+ eth_hw_addr_random(dev);
+
+- clk = devm_clk_get_optional(&pdev->dev, "mdioclk");
++ clk = devm_clk_get_optional_enabled(&pdev->dev, "mdioclk");
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+ if (clk) {
+- clk_prepare_enable(clk);
+ lp->mii_clock_freq = clk_get_rate(clk);
+ } else {
+ lp->mii_clock_freq = 200000000; /* max possible input clk */
+--
+2.40.1
+
diff --git a/queue-6.1/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch b/queue-6.1/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch
new file mode 100644
index 00000000000..2a4efb53749
--- /dev/null
+++ b/queue-6.1/net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch
@@ -0,0 +1,54 @@
+From 2241cb4fa8826ec85d2801c0c8d9be13d793893c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jul 2023 10:42:32 +0300
+Subject: net: ll_temac: fix error checking of irq_of_parse_and_map()
+
+From: Dan Carpenter
+
+[ Upstream commit ef45e8400f5bb66b03cc949f76c80e2a118447de ]
+
+Most kernel functions return negative error codes but some irq functions
+return zero on error. In this code irq_of_parse_and_map(), returns zero
+and platform_get_irq() returns negative error codes. We need to handle
+both cases appropriately.
+
+Fixes: 8425c41d1ef7 ("net: ll_temac: Extend support to non-device-tree platforms")
+Signed-off-by: Dan Carpenter
+Acked-by: Esben Haabendal
+Reviewed-by: Yang Yingliang
+Reviewed-by: Harini Katakam
+Link: https://lore.kernel.org/r/3d0aef75-06e0-45a5-a2a6-2cc4738d4143@moroto.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 1066420d6a83a..6bf5e341c3c11 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -1568,12 +1568,16 @@ static int temac_probe(struct platform_device *pdev)
+ }
+
+ /* Error handle returned DMA RX and TX interrupts */
+- if (lp->rx_irq < 0)
+- return dev_err_probe(&pdev->dev, lp->rx_irq,
++ if (lp->rx_irq <= 0) {
++ rc = lp->rx_irq ?: -EINVAL;
++ return dev_err_probe(&pdev->dev, rc,
+ "could not get DMA RX irq\n");
+- if (lp->tx_irq < 0)
+- return dev_err_probe(&pdev->dev, lp->tx_irq,
++ }
++ if (lp->tx_irq <= 0) {
++ rc = lp->tx_irq ?: -EINVAL;
++ return dev_err_probe(&pdev->dev, rc,
+ "could not get DMA TX irq\n");
++ }
+
+ if (temac_np) {
+ /* Retrieve the MAC address */
+--
+2.40.1
+
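Review bot: The reason for `<= 0` and `?: -EINVAL` lives only in the commit message; the comment above the two checks still reads as if both IRQ lookups report failure the same way. I would extend it to `/* irq_of_parse_and_map() returns 0 on failure, platform_get_irq() a negative errno; map 0 to -EINVAL */` so the next reader does not "simplify" the test back to `< 0`. `rc` is declared outside the hunk, and temac_probe() starts and ends outside it as well.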
diff --git a/queue-6.1/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch b/queue-6.1/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch new file mode 100644 index 00000000000..9487ec94f54 --- /dev/null +++ b/queue-6.1/net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch @@ -0,0 +1,44 @@ +From 6e0617528f692c67d1224993dac23a673927c0e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 20:15:27 +0800 +Subject: net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx + +From: Zhengchao Shao + +[ Upstream commit 5dd77585dd9d0e03dd1bceb95f0269a7eaf6b936 ] + +when mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memory +pointed by 'in' is not released, which will cause memory leak. Move memory +release after mlx5_cmd_exec. + +Fixes: 1d9186476e12 ("net/mlx5: DR, Add direct rule command utilities") +Signed-off-by: Zhengchao Shao +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +index 84364691a3791..d7b1a230b59e8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +@@ -538,11 +538,12 @@ int mlx5dr_cmd_create_reformat_ctx(struct mlx5_core_dev *mdev, + + err = mlx5_cmd_exec(mdev, in, inlen, out, sizeof(out)); + if (err) +- return err; ++ goto err_free_in; + + *reformat_id = MLX5_GET(alloc_packet_reformat_context_out, out, packet_reformat_id); +- kvfree(in); + ++err_free_in: ++ kvfree(in); + return err; + } + +-- +2.40.1 + diff --git a/queue-6.1/net-mlx5-fix-potential-memory-leak-in-mlx5e_init_rep.patch b/queue-6.1/net-mlx5-fix-potential-memory-leak-in-mlx5e_init_rep.patch new file mode 100644 index 00000000000..773138e6d2e --- /dev/null 
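Review bot: The label `err_free_in` is now also the normal exit of mlx5dr_cmd_create_reformat_ctx(): the success path falls through it to `kvfree(in)` and `return err` with err equal to 0. A neutral name such as `out_free_in:` (with `goto out_free_in;`) avoids suggesting that reaching it means failure. `*reformat_id` is left unwritten on the error path, so callers must not read it unless the return value is 0; a one-line comment above the function saying so would make that contract explicit. The start of the function is outside the hunk.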
+++ b/queue-6.1/net-mlx5-fix-potential-memory-leak-in-mlx5e_init_rep.patch @@ -0,0 +1,48 @@ +From 958c7b6d278b3ba2bb8637973bb9073190bddbd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 15:13:07 +0800 +Subject: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx + +From: Zhengchao Shao + +[ Upstream commit c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a ] + +The memory pointed to by the priv->rx_res pointer is not freed in the error +path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing +the memory in the error path, thereby making the error path identical to +mlx5e_cleanup_rep_rx(). + +Fixes: af8bbf730068 ("net/mlx5e: Convert mlx5e_flow_steering member of mlx5e_priv to pointer") +Signed-off-by: Zhengchao Shao +Reviewed-by: Simon Horman +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 9bd1a93a512d4..ff0c025db1402 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -912,7 +912,7 @@ static int mlx5e_init_rep_rx(struct mlx5e_priv *priv) + err = mlx5e_open_drop_rq(priv, &priv->drop_rq); + if (err) { + mlx5_core_err(mdev, "open drop rq failed, %d\n", err); +- return err; ++ goto err_rx_res_free; + } + + err = mlx5e_rx_res_init(priv->rx_res, priv->mdev, 0, +@@ -946,6 +946,7 @@ static int mlx5e_init_rep_rx(struct mlx5e_priv *priv) + mlx5e_rx_res_destroy(priv->rx_res); + err_close_drop_rq: + mlx5e_close_drop_rq(&priv->drop_rq); ++err_rx_res_free: + mlx5e_rx_res_free(priv->rx_res); + priv->rx_res = NULL; + err_free_fs: +-- +2.40.1 + 
diff --git a/queue-6.1/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch b/queue-6.1/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch new file mode 100644 index 00000000000..c0bb2341b14 --- /dev/null +++ b/queue-6.1/net-mlx5-fs_core-make-find_closest_ft-more-generic.patch 
@@ -0,0 +1,120 @@ +From 79d42f50dbed550f265cacf969e885014184062d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:58:40 +0300 +Subject: net/mlx5: fs_core: Make find_closest_ft more generic + +From: Jianbo Liu + +[ Upstream commit 618d28a535a0582617465d14e05f3881736a2962 ] + +As find_closest_ft_recursive is called to find the closest FT, the +first parameter of find_closest_ft can be changed from fs_prio to +fs_node. Thus this function is extended to find the closest FT for the +nodes of any type, not only prios, but also the sub namespaces. + +Signed-off-by: Jianbo Liu +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/d3962c2b443ec8dde7a740dc742a1f052d5e256c.1690803944.git.leonro@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: c635ca45a7a2 ("net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 29 +++++++++---------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index d53749248fa09..73ef771d6a4a4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -876,18 +876,17 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + return ft; + } + +-/* If reverse is false then return the first flow table in next priority of +- * prio in the tree, else return the last flow table in the previous priority +- * of prio in the tree. ++/* If reverse is false then return the first flow table next to the passed node ++ * in the tree, else return the last flow table before the node in the tree. 
+ */ +-static struct mlx5_flow_table *find_closest_ft(struct fs_prio *prio, bool reverse) ++static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse) + { + struct mlx5_flow_table *ft = NULL; + struct fs_node *curr_node; + struct fs_node *parent; + +- parent = prio->node.parent; +- curr_node = &prio->node; ++ parent = node->parent; ++ curr_node = node; + while (!ft && parent) { + ft = find_closest_ft_recursive(parent, &curr_node->list, reverse); + curr_node = parent; +@@ -897,15 +896,15 @@ static struct mlx5_flow_table *find_closest_ft(struct fs_prio *prio, bool revers + } + + /* Assuming all the tree is locked by mutex chain lock */ +-static struct mlx5_flow_table *find_next_chained_ft(struct fs_prio *prio) ++static struct mlx5_flow_table *find_next_chained_ft(struct fs_node *node) + { +- return find_closest_ft(prio, false); ++ return find_closest_ft(node, false); + } + + /* Assuming all the tree is locked by mutex chain lock */ +-static struct mlx5_flow_table *find_prev_chained_ft(struct fs_prio *prio) ++static struct mlx5_flow_table *find_prev_chained_ft(struct fs_node *node) + { +- return find_closest_ft(prio, true); ++ return find_closest_ft(node, true); + } + + static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, +@@ -917,7 +916,7 @@ static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, + next_ns = flow_act->action & MLX5_FLOW_CONTEXT_ACTION_FWD_NEXT_NS; + fs_get_obj(prio, next_ns ? 
ft->ns->node.parent : ft->node.parent); + +- return find_next_chained_ft(prio); ++ return find_next_chained_ft(&prio->node); + } + + static int connect_fts_in_prio(struct mlx5_core_dev *dev, +@@ -948,7 +947,7 @@ static int connect_prev_fts(struct mlx5_core_dev *dev, + { + struct mlx5_flow_table *prev_ft; + +- prev_ft = find_prev_chained_ft(prio); ++ prev_ft = find_prev_chained_ft(&prio->node); + if (prev_ft) { + struct fs_prio *prev_prio; + +@@ -1094,7 +1093,7 @@ static int connect_flow_table(struct mlx5_core_dev *dev, struct mlx5_flow_table + if (err) + return err; + +- next_ft = first_ft ? first_ft : find_next_chained_ft(prio); ++ next_ft = first_ft ? first_ft : find_next_chained_ft(&prio->node); + err = connect_fwd_rules(dev, ft, next_ft); + if (err) + return err; +@@ -1169,7 +1168,7 @@ static struct mlx5_flow_table *__mlx5_create_flow_table(struct mlx5_flow_namespa + + tree_init_node(&ft->node, del_hw_flow_table, del_sw_flow_table); + next_ft = unmanaged ? ft_attr->next_ft : +- find_next_chained_ft(fs_prio); ++ find_next_chained_ft(&fs_prio->node); + ft->def_miss_action = ns->def_miss_action; + ft->ns = ns; + err = root->cmds->create_flow_table(root, ft, ft_attr, next_ft); +@@ -2163,7 +2162,7 @@ static struct mlx5_flow_table *find_next_ft(struct mlx5_flow_table *ft) + + if (!list_is_last(&ft->node.list, &prio->node.children)) + return list_next_entry(ft, node.list); +- return find_next_chained_ft(prio); ++ return find_next_chained_ft(&prio->node); + } + + static int update_root_ft_destroy(struct mlx5_flow_table *ft) +-- +2.40.1 + diff --git a/queue-6.1/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch b/queue-6.1/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch new file mode 100644 index 00000000000..7729c3a7eff --- /dev/null +++ b/queue-6.1/net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch 
@@ -0,0 +1,196 @@ +From 679149dcd3bb1ec7d291171f90bd7f96e988fcc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 14:58:41 +0300 +Subject: net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS + fs_prio + +From: Jianbo Liu + +[ Upstream commit c635ca45a7a2023904a1f851e99319af7b87017d ] + +In the cited commit, new type of FS_TYPE_PRIO_CHAINS fs_prio was added +to support multiple parallel namespaces for multi-chains. And we skip +all the flow tables under the fs_node of this type unconditionally, +when searching for the next or previous flow table to connect for a +new table. + +As this search function is also used for find new root table when the +old one is being deleted, it will skip the entire FS_TYPE_PRIO_CHAINS +fs_node next to the old root. However, new root table should be chosen +from it if there is any table in it. Fix it by skipping only the flow +tables in the same FS_TYPE_PRIO_CHAINS fs_node when finding the +closest FT for a fs_node. + +Besides, complete the connecting from FTs of previous priority of prio +because there should be multiple prevs after this fs_prio type is +introduced. And also the next FT should be chosen from the first flow +table next to the prio in the same FS_TYPE_PRIO_CHAINS fs_prio, if +this prio is the first child. 
+ +Fixes: 328edb499f99 ("net/mlx5: Split FDB fast path prio to multiple namespaces") +Signed-off-by: Jianbo Liu +Reviewed-by: Paul Blakey +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/7a95754df479e722038996c97c97b062b372591f.1690803944.git.leonro@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 80 +++++++++++++++++-- + 1 file changed, 72 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 73ef771d6a4a4..e6674118bc428 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -860,7 +860,7 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + struct fs_node *iter = list_entry(start, struct fs_node, list); + struct mlx5_flow_table *ft = NULL; + +- if (!root || root->type == FS_TYPE_PRIO_CHAINS) ++ if (!root) + return NULL; + + list_for_each_advance_continue(iter, &root->children, reverse) { +@@ -876,19 +876,42 @@ static struct mlx5_flow_table *find_closest_ft_recursive(struct fs_node *root, + return ft; + } + ++static struct fs_node *find_prio_chains_parent(struct fs_node *parent, ++ struct fs_node **child) ++{ ++ struct fs_node *node = NULL; ++ ++ while (parent && parent->type != FS_TYPE_PRIO_CHAINS) { ++ node = parent; ++ parent = parent->parent; ++ } ++ ++ if (child) ++ *child = node; ++ ++ return parent; ++} ++ + /* If reverse is false then return the first flow table next to the passed node + * in the tree, else return the last flow table before the node in the tree. ++ * If skip is true, skip the flow tables in the same prio_chains prio. 
+ */ +-static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse) ++static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool reverse, ++ bool skip) + { ++ struct fs_node *prio_chains_parent = NULL; + struct mlx5_flow_table *ft = NULL; + struct fs_node *curr_node; + struct fs_node *parent; + ++ if (skip) ++ prio_chains_parent = find_prio_chains_parent(node, NULL); + parent = node->parent; + curr_node = node; + while (!ft && parent) { +- ft = find_closest_ft_recursive(parent, &curr_node->list, reverse); ++ if (parent != prio_chains_parent) ++ ft = find_closest_ft_recursive(parent, &curr_node->list, ++ reverse); + curr_node = parent; + parent = curr_node->parent; + } +@@ -898,13 +921,13 @@ static struct mlx5_flow_table *find_closest_ft(struct fs_node *node, bool revers + /* Assuming all the tree is locked by mutex chain lock */ + static struct mlx5_flow_table *find_next_chained_ft(struct fs_node *node) + { +- return find_closest_ft(node, false); ++ return find_closest_ft(node, false, true); + } + + /* Assuming all the tree is locked by mutex chain lock */ + static struct mlx5_flow_table *find_prev_chained_ft(struct fs_node *node) + { +- return find_closest_ft(node, true); ++ return find_closest_ft(node, true, true); + } + + static struct mlx5_flow_table *find_next_fwd_ft(struct mlx5_flow_table *ft, +@@ -940,21 +963,55 @@ static int connect_fts_in_prio(struct mlx5_core_dev *dev, + return 0; + } + ++static struct mlx5_flow_table *find_closet_ft_prio_chains(struct fs_node *node, ++ struct fs_node *parent, ++ struct fs_node **child, ++ bool reverse) ++{ ++ struct mlx5_flow_table *ft; ++ ++ ft = find_closest_ft(node, reverse, false); ++ ++ if (ft && parent == find_prio_chains_parent(&ft->node, child)) ++ return ft; ++ ++ return NULL; ++} ++ + /* Connect flow tables from previous priority of prio to ft */ + static int connect_prev_fts(struct mlx5_core_dev *dev, + struct mlx5_flow_table *ft, + struct fs_prio *prio) + { ++ struct 
fs_node *prio_parent, *parent = NULL, *child, *node; + struct mlx5_flow_table *prev_ft; ++ int err = 0; ++ ++ prio_parent = find_prio_chains_parent(&prio->node, &child); ++ ++ /* return directly if not under the first sub ns of prio_chains prio */ ++ if (prio_parent && !list_is_first(&child->list, &prio_parent->children)) ++ return 0; + + prev_ft = find_prev_chained_ft(&prio->node); +- if (prev_ft) { ++ while (prev_ft) { + struct fs_prio *prev_prio; + + fs_get_obj(prev_prio, prev_ft->node.parent); +- return connect_fts_in_prio(dev, prev_prio, ft); ++ err = connect_fts_in_prio(dev, prev_prio, ft); ++ if (err) ++ break; ++ ++ if (!parent) { ++ parent = find_prio_chains_parent(&prev_prio->node, &child); ++ if (!parent) ++ break; ++ } ++ ++ node = child; ++ prev_ft = find_closet_ft_prio_chains(node, parent, &child, true); + } +- return 0; ++ return err; + } + + static int update_root_ft_create(struct mlx5_flow_table *ft, struct fs_prio +@@ -2156,12 +2213,19 @@ EXPORT_SYMBOL(mlx5_del_flow_rules); + /* Assuming prio->node.children(flow tables) is sorted by level */ + static struct mlx5_flow_table *find_next_ft(struct mlx5_flow_table *ft) + { ++ struct fs_node *prio_parent, *child; + struct fs_prio *prio; + + fs_get_obj(prio, ft->node.parent); + + if (!list_is_last(&ft->node.list, &prio->node.children)) + return list_next_entry(ft, node.list); ++ ++ prio_parent = find_prio_chains_parent(&prio->node, &child); ++ ++ if (prio_parent && list_is_first(&child->list, &prio_parent->children)) ++ return find_closest_ft(&prio->node, false, false); ++ + return find_next_chained_ft(&prio->node); + } + +-- +2.40.1 + diff --git a/queue-6.1/net-mlx5e-fix-crash-moving-to-switchdev-mode-when-nt.patch b/queue-6.1/net-mlx5e-fix-crash-moving-to-switchdev-mode-when-nt.patch new file mode 100644 index 00000000000..82f948f7795 --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-crash-moving-to-switchdev-mode-when-nt.patch 
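Review bot: `find_prio_chains_parent()` leaves `*child` NULL when the node it is handed is itself of type `FS_TYPE_PRIO_CHAINS` (the loop body never runs), yet `connect_prev_fts()` and `find_next_ft()` pass `&child->list` to `list_is_first()` whenever the returned parent is non-NULL. If a flow table's prio can never be a prio_chains node this is unreachable, but that invariant is not visible in these hunks; either state it in a comment on the helper or test `child` too, e.g. `if (prio_parent && child && !list_is_first(&child->list, &prio_parent->children))`. The helper's first parameter is named `parent` although callers pass the starting node, and `find_closet_ft_prio_chains` looks like a typo for `find_closest_ft_prio_chains`. Several of the touched functions extend beyond their hunks.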
@@ -0,0 +1,82 @@ +From 27f8e5510d8ff6d104b76ce2de4a0131db0503d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 20:11:14 +0300 +Subject: net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is + set + +From: Amir Tzin + +[ Upstream commit 3ec43c1b082a8804472430e1253544d75f4b540e ] + +Moving to switchdev mode with ntuple offload on causes the kernel to +crash since fs->arfs is freed during nic profile cleanup flow. + +Ntuple offload is not supported in switchdev mode and it is already +unset by mlx5 fix feature ndo in switchdev mode. Verify fs->arfs is +valid before disabling it. + +trace: +[] RIP: 0010:_raw_spin_lock_bh+0x17/0x30 +[] arfs_del_rules+0x44/0x1a0 [mlx5_core] +[] mlx5e_arfs_disable+0xe/0x20 [mlx5_core] +[] mlx5e_handle_feature+0x3d/0xb0 [mlx5_core] +[] ? __rtnl_unlock+0x25/0x50 +[] mlx5e_set_features+0xfe/0x160 [mlx5_core] +[] __netdev_update_features+0x278/0xa50 +[] ? netdev_run_todo+0x5e/0x2a0 +[] netdev_update_features+0x22/0x70 +[] ? _cond_resched+0x15/0x30 +[] mlx5e_attach_netdev+0x12a/0x1e0 [mlx5_core] +[] mlx5e_netdev_attach_profile+0xa1/0xc0 [mlx5_core] +[] mlx5e_netdev_change_profile+0x77/0xe0 [mlx5_core] +[] mlx5e_vport_rep_load+0x1ed/0x290 [mlx5_core] +[] mlx5_esw_offloads_rep_load+0x88/0xd0 [mlx5_core] +[] esw_offloads_load_rep.part.38+0x31/0x50 [mlx5_core] +[] esw_offloads_enable+0x6c5/0x710 [mlx5_core] +[] mlx5_eswitch_enable_locked+0x1bb/0x290 [mlx5_core] +[] mlx5_devlink_eswitch_mode_set+0x14f/0x320 [mlx5_core] +[] devlink_nl_cmd_eswitch_set_doit+0x94/0x120 +[] genl_family_rcv_msg_doit.isra.17+0x113/0x150 +[] genl_family_rcv_msg+0xb7/0x170 +[] ? devlink_nl_cmd_port_split_doit+0x100/0x100 +[] genl_rcv_msg+0x47/0xa0 +[] ? 
genl_family_rcv_msg+0x170/0x170 +[] netlink_rcv_skb+0x4c/0x130 +[] genl_rcv+0x24/0x40 +[] netlink_unicast+0x19a/0x230 +[] netlink_sendmsg+0x204/0x3d0 +[] sock_sendmsg+0x50/0x60 + +Fixes: 90b22b9bcd24 ("net/mlx5e: Disable Rx ntuple offload for uplink representor") +Signed-off-by: Amir Tzin +Reviewed-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c +index 0ae1865086ff1..dc0a0a27ac84a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c +@@ -136,6 +136,16 @@ static void arfs_del_rules(struct mlx5e_flow_steering *fs); + + int mlx5e_arfs_disable(struct mlx5e_flow_steering *fs) + { ++ /* Moving to switchdev mode, fs->arfs is freed by mlx5e_nic_profile ++ * cleanup_rx callback and it is not recreated when ++ * mlx5e_uplink_rep_profile is loaded as mlx5e_create_flow_steering() ++ * is not called by the uplink_rep profile init_rx callback. Thus, if ++ * ntuple is set, moving to switchdev flow will enter this function ++ * with fs->arfs nullified. ++ */ ++ if (!mlx5e_fs_get_arfs(fs)) ++ return 0; ++ + arfs_del_rules(fs); + + return arfs_disable(fs); +-- +2.40.1 + diff --git a/queue-6.1/net-mlx5e-fix-double-free-in-macsec_fs_tx_create_cry.patch b/queue-6.1/net-mlx5e-fix-double-free-in-macsec_fs_tx_create_cry.patch new file mode 100644 index 00000000000..f4d07e581e3 --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-double-free-in-macsec_fs_tx_create_cry.patch 
@@ -0,0 +1,40 @@
+From 1623489e4aae8e9fd448a96a56fb73f7f600a423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 15:06:40 +0800
+Subject: net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups
+
+From: Zhengchao Shao
+
+[ Upstream commit aeb660171b0663847fa04806a96302ac6112ad26 ]
+
+In function macsec_fs_tx_create_crypto_table_groups(), when the ft->g
+memory is successfully allocated but the 'in' memory fails to be
+allocated, the memory pointed to by ft->g is released once. And in function
+macsec_fs_tx_create(), macsec_fs_tx_destroy() is called to release the
+memory pointed to by ft->g again. This will cause double free problem.
+
+Fixes: e467b283ffd5 ("net/mlx5e: Add MACsec TX steering rules")
+Signed-off-by: Zhengchao Shao
+Reviewed-by: Simon Horman
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c
+index 5b658a5588c64..6ecf0bf2366ad 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c
+@@ -160,6 +160,7 @@ static int macsec_fs_tx_create_crypto_table_groups(struct mlx5e_flow_table *ft)
+
+ if (!in) {
+ kfree(ft->g);
++ ft->g = NULL;
+ return -ENOMEM;
+ }
+
+--
+2.40.1
+
diff --git a/queue-6.1/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch b/queue-6.1/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch
new file mode 100644
index 00000000000..108f4edb585
--- /dev/null
+++ b/queue-6.1/net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch
@@ -0,0 +1,39 @@
+From cf958f0bb44d880917b2a61cd53d4866779ef049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jul 2023 14:56:55 +0800
+Subject: net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
+
+From: Yuanjun Gong
+
+[ Upstream commit e5bcb7564d3bd0c88613c76963c5349be9c511c5 ]
+
+mlx5e_ipsec_remove_trailer() should return an error code if function
+pskb_trim() returns an unexpected value.
+
+Fixes: 2ac9cfe78223 ("net/mlx5e: IPSec, Add Innova IPSec offload TX data path")
+Signed-off-by: Yuanjun Gong
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+index 6859f1c1a8319..c4a84f0a3b733 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c
+@@ -58,7 +58,9 @@ static int mlx5e_ipsec_remove_trailer(struct sk_buff *skb, struct xfrm_state *x)
+
+ trailer_len = alen + plen + 2;
+
+- pskb_trim(skb, skb->len - trailer_len);
++ ret = pskb_trim(skb, skb->len - trailer_len);
++ if (unlikely(ret))
++ return ret;
+ if (skb->protocol == htons(ETH_P_IP)) {
+ ipv4hdr->tot_len = htons(ntohs(ipv4hdr->tot_len) - trailer_len);
+ ip_send_check(ipv4hdr);
+--
+2.40.1
+
diff --git a/queue-6.1/net-mlx5e-move-representor-neigh-cleanup-to-profile-.patch b/queue-6.1/net-mlx5e-move-representor-neigh-cleanup-to-profile-.patch
new file mode 100644
index 00000000000..96d6ac11115
--- /dev/null
+++ b/queue-6.1/net-mlx5e-move-representor-neigh-cleanup-to-profile-.patch
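Review bot: The new return-value check does not cover `trailer_len` being larger than `skb->len`. `skb->len - trailer_len` is unsigned, and as far as I know pskb_trim() returns 0 without trimming when the requested length is not below the current one, so the `tot_len` adjustment below would still run. If `plen` comes from packet data (its source is outside the hunk), a bound before the trim seems worth having, e.g. `if (unlikely(trailer_len > skb->len)) return -EINVAL;`. The start of mlx5e_ipsec_remove_trailer() is not visible here, so an earlier check may already exist.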
@@ -0,0 +1,176 @@ +From 1b593375dd734b2541a32d4f2662738639e7a123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 08:28:16 +0000 +Subject: net/mlx5e: Move representor neigh cleanup to profile cleanup_tx + +From: Jianbo Liu + +[ Upstream commit d03b6e6f31820b84f7449cca022047f36c42bc3f ] + +For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as +the flow is duplicated to the peer eswitch, the related neighbour +information on the peer uplink representor is created as well. + +In the cited commit, eswitch devcom unpair is moved to uplink unload +API, specifically the profile->cleanup_tx. If there is a encap rule +offloaded in ECMP mode, when one eswitch does unpair (because of +unloading the driver, for instance), and the peer rule from the peer +eswitch is going to be deleted, the use-after-free error is triggered +while accessing neigh info, as it is already cleaned up in uplink's +profile->disable, which is before its profile->cleanup_tx. + +To fix this issue, move the neigh cleanup to profile's cleanup_tx +callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh +init is moved to init_tx for symmeter. + +[ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] +[ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 + +[ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 +[ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 2453.384335] Call Trace: +[ 2453.384625] +[ 2453.384891] dump_stack_lvl+0x33/0x50 +[ 2453.385285] print_report+0xc2/0x610 +[ 2453.385667] ? __virt_addr_valid+0xb1/0x130 +[ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] +[ 2453.386757] kasan_report+0xae/0xe0 +[ 2453.387123] ? 
mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] +[ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] +[ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] +[ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] +[ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] +[ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] +[ 2453.391015] ? complete_all+0x43/0xd0 +[ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] +[ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] +[ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] +[ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] +[ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] +[ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] +[ 2453.395268] ? down_write+0xaa/0x100 +[ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] +[ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] +[ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] +[ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] +[ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] +[ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] +[ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] +[ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] +[ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] +[ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] +[ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] +[ 2453.405170] ? up_write+0x39/0x60 +[ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 +[ 2453.405985] auxiliary_bus_remove+0x2e/0x40 +[ 2453.406405] device_release_driver_internal+0x243/0x2d0 +[ 2453.406900] ? kobject_put+0x42/0x2d0 +[ 2453.407284] bus_remove_device+0x128/0x1d0 +[ 2453.407687] device_del+0x240/0x550 +[ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 +[ 2453.408511] ? 
kobject_put+0xfa/0x2d0 +[ 2453.408889] ? __kmem_cache_free+0x14d/0x280 +[ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] +[ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] +[ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] +[ 2453.411111] remove_one+0x89/0x130 [mlx5_core] +[ 2453.411628] pci_device_remove+0x59/0xf0 +[ 2453.412026] device_release_driver_internal+0x243/0x2d0 +[ 2453.412511] ? parse_option_str+0x14/0x90 +[ 2453.412915] driver_detach+0x7b/0xf0 +[ 2453.413289] bus_remove_driver+0xb5/0x160 +[ 2453.413685] pci_unregister_driver+0x3f/0xf0 +[ 2453.414104] mlx5_cleanup+0xc/0x20 [mlx5_core] + +Fixes: 2be5bd42a5bb ("net/mlx5: Handle pairing of E-switch via uplink un/load APIs") +Signed-off-by: Jianbo Liu +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index ff0c025db1402..bd895ef341a0b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1040,6 +1040,10 @@ static int mlx5e_init_rep_tx(struct mlx5e_priv *priv) + return err; + } + ++ err = mlx5e_rep_neigh_init(rpriv); ++ if (err) ++ goto err_neigh_init; ++ + if (rpriv->rep->vport == MLX5_VPORT_UPLINK) { + err = mlx5e_init_uplink_rep_tx(rpriv); + if (err) +@@ -1056,6 +1060,8 @@ static int mlx5e_init_rep_tx(struct mlx5e_priv *priv) + if (rpriv->rep->vport == MLX5_VPORT_UPLINK) + mlx5e_cleanup_uplink_rep_tx(rpriv); + err_init_tx: ++ mlx5e_rep_neigh_cleanup(rpriv); ++err_neigh_init: + mlx5e_destroy_tises(priv); + return err; + } +@@ -1069,22 +1075,17 @@ static void mlx5e_cleanup_rep_tx(struct mlx5e_priv *priv) + if (rpriv->rep->vport == MLX5_VPORT_UPLINK) + mlx5e_cleanup_uplink_rep_tx(rpriv); + ++ mlx5e_rep_neigh_cleanup(rpriv); + 
mlx5e_destroy_tises(priv); + } + + static void mlx5e_rep_enable(struct mlx5e_priv *priv) + { +- struct mlx5e_rep_priv *rpriv = priv->ppriv; +- + mlx5e_set_netdev_mtu_boundaries(priv); +- mlx5e_rep_neigh_init(rpriv); + } + + static void mlx5e_rep_disable(struct mlx5e_priv *priv) + { +- struct mlx5e_rep_priv *rpriv = priv->ppriv; +- +- mlx5e_rep_neigh_cleanup(rpriv); + } + + static int mlx5e_update_rep_rx(struct mlx5e_priv *priv) +@@ -1119,7 +1120,6 @@ static int uplink_rep_async_event(struct notifier_block *nb, unsigned long event + + static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv) + { +- struct mlx5e_rep_priv *rpriv = priv->ppriv; + struct net_device *netdev = priv->netdev; + struct mlx5_core_dev *mdev = priv->mdev; + u16 max_mtu; +@@ -1139,7 +1139,6 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv) + mlx5_notifier_register(mdev, &priv->events_nb); + mlx5e_dcbnl_initialize(priv); + mlx5e_dcbnl_init_app(priv); +- mlx5e_rep_neigh_init(rpriv); + mlx5e_rep_bridge_init(priv); + + netdev->wanted_features |= NETIF_F_HW_TC; +@@ -1154,7 +1153,6 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv) + + static void mlx5e_uplink_rep_disable(struct mlx5e_priv *priv) + { +- struct mlx5e_rep_priv *rpriv = priv->ppriv; + struct mlx5_core_dev *mdev = priv->mdev; + + rtnl_lock(); +@@ -1164,7 +1162,6 @@ static void mlx5e_uplink_rep_disable(struct mlx5e_priv *priv) + rtnl_unlock(); + + mlx5e_rep_bridge_cleanup(priv); +- mlx5e_rep_neigh_cleanup(rpriv); + mlx5e_dcbnl_delete_app(priv); + mlx5_notifier_unregister(mdev, &priv->events_nb); + mlx5e_rep_tc_disable(priv); +-- +2.40.1 + diff --git a/queue-6.1/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch b/queue-6.1/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch new file mode 100644 index 00000000000..f3595ff90ca --- /dev/null +++ b/queue-6.1/net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch 
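Review bot: The ordering this fix depends on is not recorded in mlx5e_cleanup_rep_tx(): `mlx5e_rep_neigh_cleanup(rpriv)` has to stay after `mlx5e_cleanup_uplink_rep_tx(rpriv)`, because per the commit message the uplink cleanup path can delete peer flows that still read neigh entries. A comment on the new call would protect it from a later reshuffle, e.g. `/* after uplink cleanup: peer flow teardown still reads neigh entries */`. Separately, mlx5e_rep_disable() is left with an empty body; if the profile tolerates a missing disable callback (not visible here), removing the function would be cleaner than keeping a stub.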
@@ -0,0 +1,61 @@
+From f85ceacbf46e0fd01213152f0636870e56f74487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jul 2023 11:48:32 +0100
+Subject: net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode
+
+From: Mark Brown
+
+[ Upstream commit f3bb7759a924713bc54d15f6d0d70733b5935fad ]
+
+As documented in acd7aaf51b20 ("netsec: ignore 'phy-mode' device
+property on ACPI systems") the SocioNext SynQuacer platform ships with
+firmware defining the PHY mode as RGMII even though the physical
+configuration of the PHY is for TX and RX delays. Since bbc4d71d63549bc
+("net: phy: realtek: fix rtl8211e rx/tx delay config") this has caused
+misconfiguration of the PHY, rendering the network unusable.
+
+This was worked around for ACPI by ignoring the phy-mode property but
+the system is also used with DT. For DT instead if we're running on a
+SynQuacer force a working PHY mode, as well as the standard EDK2
+firmware with DT there are also some of these systems that use u-boot
+and might not initialise the PHY if not netbooting. Newer firmware
+imagaes for at least EDK2 are available from Linaro so print a warning
+when doing this.
+
+Fixes: 533dd11a12f6 ("net: socionext: Add Synquacer NetSec driver")
+Signed-off-by: Mark Brown
+Acked-by: Ard Biesheuvel
+Acked-by: Ilias Apalodimas
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230731-synquacer-net-v3-1-944be5f06428@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/socionext/netsec.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c
+index 9b46579b5a103..b130e978366c1 100644
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -1851,6 +1851,17 @@ static int netsec_of_probe(struct platform_device *pdev,
+ return err;
+ }
+
++ /*
++ * SynQuacer is physically configured with TX and RX delays
++ * but the standard firmware claimed otherwise for a long
++ * time, ignore it.
++ */
++ if (of_machine_is_compatible("socionext,developer-box") &&
++ priv->phy_interface != PHY_INTERFACE_MODE_RGMII_ID) {
++ dev_warn(&pdev->dev, "Outdated firmware reports incorrect PHY mode, overriding\n");
++ priv->phy_interface = PHY_INTERFACE_MODE_RGMII_ID;
++ }
++
+ priv->phy_np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
+ if (!priv->phy_np) {
+ dev_err(&pdev->dev, "missing required property 'phy-handle'\n");
+--
+2.40.1
+
diff --git a/queue-6.1/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch b/queue-6.1/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch
new file mode 100644
index 00000000000..f340f64a7a2
--- /dev/null
+++ b/queue-6.1/net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch
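Review bot: The warning added to netsec_of_probe() does not say which mode the firmware reported, which makes field reports harder to triage. Including it costs one argument: `dev_warn(&pdev->dev, "Outdated firmware reports incorrect PHY mode %s, overriding\n", phy_modes(priv->phy_interface));`. The comment above the check says the firmware value is ignored, while the code overrides any value other than RGMII_ID; `override it` would describe what happens.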
@@ -0,0 +1,50 @@
+From c4948ac3560b0a564f9077a935290c54bf43641b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Jul 2023 08:32:01 -0400
+Subject: net/sched: cls_fw: No longer copy tcf_result on update to avoid
+ use-after-free
+
+From: valis
+
+[ Upstream commit 76e42ae831991c828cffa8c37736ebfb831ad5ec ]
+
+When fw_change() is called on an existing filter, the whole
+tcf_result struct is always copied into the new instance of the filter.
+
+This causes a problem when updating a filter bound to a class,
+as tcf_unbind_filter() is always called on the old instance in the
+success path, decreasing filter_cnt of the still referenced class
+and allowing it to be deleted, leading to a use-after-free.
+
+Fix this by no longer copying the tcf_result struct from the old filter.
+
+Fixes: e35a8ee5993b ("net: sched: fw use RCU")
+Reported-by: valis
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: valis
+Signed-off-by: Jamal Hadi Salim
+Reviewed-by: Victor Nogueira
+Reviewed-by: Pedro Tammela
+Reviewed-by: M A Ramdhan
+Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_fw.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index 1212b057b129c..6160ef7d646ac 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -265,7 +265,6 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
+ return -ENOBUFS;
+
+ fnew->id = f->id;
+- fnew->res = f->res;
+ fnew->ifindex = f->ifindex;
+ fnew->tp = f->tp;
+
+--
+2.40.1
+
diff --git a/queue-6.1/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch b/queue-6.1/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch
new file mode 100644
index 00000000000..c6605708809
--- /dev/null
+++ b/queue-6.1/net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch
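Review bot: With `fnew->res = f->res;` gone, nothing at the removal site in fw_change() explains why `res` is the one field not carried over, and the same holds for the matching removals in route4_change() and u32_init_knode() later in this series. A short comment would stop the copy from being reintroduced, e.g. `/* res is not copied: the old filter is unbound on success, so a copied class reference would outlive its filter_cnt */`. It would also help to state what an update that supplies no class id now does to the binding; presumably the new filter starts unbound, but the allocation and the classid handling are outside the hunk.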
@@ -0,0 +1,50 @@
+From 5bc9980ffad88e302efceb7feda70efbfcb6e6ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Jul 2023 08:32:02 -0400
+Subject: net/sched: cls_route: No longer copy tcf_result on update to avoid
+ use-after-free
+
+From: valis
+
+[ Upstream commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 ]
+
+When route4_change() is called on an existing filter, the whole
+tcf_result struct is always copied into the new instance of the filter.
+
+This causes a problem when updating a filter bound to a class,
+as tcf_unbind_filter() is always called on the old instance in the
+success path, decreasing filter_cnt of the still referenced class
+and allowing it to be deleted, leading to a use-after-free.
+
+Fix this by no longer copying the tcf_result struct from the old filter.
+
+Fixes: 1109c00547fc ("net: sched: RCU cls_route")
+Reported-by: valis
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: valis
+Signed-off-by: Jamal Hadi Salim
+Reviewed-by: Victor Nogueira
+Reviewed-by: Pedro Tammela
+Reviewed-by: M A Ramdhan
+Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_route.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
+index 9e43b929d4ca4..306188bf2d1ff 100644
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -511,7 +511,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
+ if (fold) {
+ f->id = fold->id;
+ f->iif = fold->iif;
+- f->res = fold->res;
+ f->handle = fold->handle;
+
+ f->tp = fold->tp;
+--
+2.40.1
+
diff --git a/queue-6.1/net-sched-cls_u32-fix-match-key-mis-addressing.patch b/queue-6.1/net-sched-cls_u32-fix-match-key-mis-addressing.patch
new file mode 100644
index 00000000000..c0518124a69
--- /dev/null
+++ b/queue-6.1/net-sched-cls_u32-fix-match-key-mis-addressing.patch
@@ -0,0 +1,145 @@ +From 420551af263d4d3c876c7ea2ce1dd5ab3a9ad492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 09:51:51 -0400 +Subject: net: sched: cls_u32: Fix match key mis-addressing + +From: Jamal Hadi Salim + +[ Upstream commit e68409db995380d1badacba41ff24996bd396171 ] + +A match entry is uniquely identified with an "address" or "path" in the +form of: hashtable ID(12b):bucketid(8b):nodeid(12b). + +When creating table match entries all of hash table id, bucket id and +node (match entry id) are needed to be either specified by the user or +reasonable in-kernel defaults are used. The in-kernel default for a table id is +0x800(omnipresent root table); for bucketid it is 0x0. Prior to this fix there +was none for a nodeid i.e. the code assumed that the user passed the correct +nodeid and if the user passes a nodeid of 0 (as Mingi Cho did) then that is what +was used. But nodeid of 0 is reserved for identifying the table. This is not +a problem until we dump. The dump code notices that the nodeid is zero and +assumes it is referencing a table and therefore references table struct +tc_u_hnode instead of what was created i.e match entry struct tc_u_knode. + +Ming does an equivalent of: +tc filter add dev dummy0 parent 10: prio 1 handle 0x1000 \ +protocol ip u32 match ip src 10.0.0.1/32 classid 10:1 action ok + +Essentially specifying a table id 0, bucketid 1 and nodeid of zero +Tableid 0 is remapped to the default of 0x800. +Bucketid 1 is ignored and defaults to 0x00. +Nodeid was assumed to be what Ming passed - 0x000 + +dumping before fix shows: +~$ tc filter ls dev dummy0 parent 10: +filter protocol ip pref 1 u32 chain 0 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor -30591 + +Note that the last line reports a table instead of a match entry +(you can tell this because it says "ht divisor..."). 
+As a result of reporting the wrong data type (misinterpretting of struct +tc_u_knode as being struct tc_u_hnode) the divisor is reported with value +of -30591. Ming identified this as part of the heap address +(physmap_base is 0xffff8880 (-30591 - 1)). + +The fix is to ensure that when table entry matches are added and no +nodeid is specified (i.e nodeid == 0) then we get the next available +nodeid from the table's pool. + +After the fix, this is what the dump shows: +$ tc filter ls dev dummy0 parent 10: +filter protocol ip pref 1 u32 chain 0 +filter protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1 +filter protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 10:1 not_in_hw + match 0a000001/ffffffff at 12 + action order 1: gact action pass + random type none pass val 0 + index 1 ref 1 bind 1 + +Reported-by: Mingi Cho +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230726135151.416917-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 56 ++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 50 insertions(+), 6 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 1280736a7b92e..0e3bb1d65be1c 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -1022,18 +1022,62 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + return -EINVAL; + } + ++ /* At this point, we need to derive the new handle that will be used to ++ * uniquely map the identity of this table match entry. The ++ * identity of the entry that we need to construct is 32 bits made of: ++ * htid(12b):bucketid(8b):node/entryid(12b) ++ * ++ * At this point _we have the table(ht)_ in which we will insert this ++ * entry. We carry the table's id in variable "htid". 
++ * Note that earlier code picked the ht selection either by a) the user ++ * providing the htid specified via TCA_U32_HASH attribute or b) when ++ * no such attribute is passed then the root ht, is default to at ID ++ * 0x[800][00][000]. Rule: the root table has a single bucket with ID 0. ++ * If OTOH the user passed us the htid, they may also pass a bucketid of ++ * choice. 0 is fine. For example a user htid is 0x[600][01][000] it is ++ * indicating hash bucketid of 1. Rule: the entry/node ID _cannot_ be ++ * passed via the htid, so even if it was non-zero it will be ignored. ++ * ++ * We may also have a handle, if the user passed one. The handle also ++ * carries the same addressing of htid(12b):bucketid(8b):node/entryid(12b). ++ * Rule: the bucketid on the handle is ignored even if one was passed; ++ * rather the value on "htid" is always assumed to be the bucketid. ++ */ + if (handle) { ++ /* Rule: The htid from handle and tableid from htid must match */ + if (TC_U32_HTID(handle) && TC_U32_HTID(handle ^ htid)) { + NL_SET_ERR_MSG_MOD(extack, "Handle specified hash table address mismatch"); + return -EINVAL; + } +- handle = htid | TC_U32_NODE(handle); +- err = idr_alloc_u32(&ht->handle_idr, NULL, &handle, handle, +- GFP_KERNEL); +- if (err) +- return err; +- } else ++ /* Ok, so far we have a valid htid(12b):bucketid(8b) but we ++ * need to finalize the table entry identification with the last ++ * part - the node/entryid(12b)). Rule: Nodeid _cannot be 0_ for ++ * entries. Rule: nodeid of 0 is reserved only for tables(see ++ * earlier code which processes TC_U32_DIVISOR attribute). ++ * Rule: The nodeid can only be derived from the handle (and not ++ * htid). ++ * Rule: if the handle specified zero for the node id example ++ * 0x60000000, then pick a new nodeid from the pool of IDs ++ * this hash table has been allocating from. 
++ * If OTOH it is specified (i.e for example the user passed a ++ * handle such as 0x60000123), then we use it generate our final ++ * handle which is used to uniquely identify the match entry. ++ */ ++ if (!TC_U32_NODE(handle)) { ++ handle = gen_new_kid(ht, htid); ++ } else { ++ handle = htid | TC_U32_NODE(handle); ++ err = idr_alloc_u32(&ht->handle_idr, NULL, &handle, ++ handle, GFP_KERNEL); ++ if (err) ++ return err; ++ } ++ } else { ++ /* The user did not give us a handle; lets just generate one ++ * from the table's pool of nodeids. ++ */ + handle = gen_new_kid(ht, htid); ++ } + + if (tb[TCA_U32_SEL] == NULL) { + NL_SET_ERR_MSG_MOD(extack, "Selector not specified"); +-- +2.40.1 + diff --git a/queue-6.1/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch b/queue-6.1/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch new file mode 100644 index 00000000000..e4a68f8ba81 --- /dev/null +++ b/queue-6.1/net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch 
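Review bot: Both new `handle = gen_new_kid(ht, htid);` paths in u32_change() use the result unchecked, while the `idr_alloc_u32()` branch next to them returns `err` on failure. gen_new_kid() is defined outside the hunk, so whether it can fail, or fall back to an id that is already taken, needs confirming; if it can, the zero-nodeid path would accept a handle that was never reserved in `ht->handle_idr`. The long comment block would also read better with the repeated `At this point` and the phrase `is default to at ID` cleaned up.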
@@ -0,0 +1,50 @@
+From 9494711f6d53ad3a81e8de7baac03126a80beec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Jul 2023 08:32:00 -0400
+Subject: net/sched: cls_u32: No longer copy tcf_result on update to avoid
+ use-after-free
+
+From: valis
+
+[ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ]
+
+When u32_change() is called on an existing filter, the whole
+tcf_result struct is always copied into the new instance of the filter.
+
+This causes a problem when updating a filter bound to a class,
+as tcf_unbind_filter() is always called on the old instance in the
+success path, decreasing filter_cnt of the still referenced class
+and allowing it to be deleted, leading to a use-after-free.
+
+Fix this by no longer copying the tcf_result struct from the old filter.
+
+Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers")
+Reported-by: valis
+Reported-by: M A Ramdhan
+Signed-off-by: valis
+Signed-off-by: Jamal Hadi Salim
+Reviewed-by: Victor Nogueira
+Reviewed-by: Pedro Tammela
+Reviewed-by: M A Ramdhan
+Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_u32.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index 0e3bb1d65be1c..ba93e2a6bdbb4 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -824,7 +824,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
+
+ new->ifindex = n->ifindex;
+ new->fshift = n->fshift;
+- new->res = n->res;
+ new->flags = n->flags;
+ RCU_INIT_POINTER(new->ht_down, ht);
+
+--
+2.40.1
+
diff --git a/queue-6.1/net-sched-taprio-limit-tca_taprio_attr_sched_cycle_t.patch b/queue-6.1/net-sched-taprio-limit-tca_taprio_attr_sched_cycle_t.patch
new file mode 100644
index 00000000000..eecf421a95a
--- /dev/null
+++ b/queue-6.1/net-sched-taprio-limit-tca_taprio_attr_sched_cycle_t.patch
@@ -0,0 +1,176 @@ +From 2d0f4a3cffbd5d4179eb5065e3b6ce3688934a88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 17:07:05 -0700 +Subject: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. + +From: Kuniyuki Iwashima + +[ Upstream commit e739718444f7bf2fa3d70d101761ad83056ca628 ] + +syzkaller found zero division error [0] in div_s64_rem() called from +get_cycle_time_elapsed(), where sched->cycle_time is the divisor. + +We have tests in parse_taprio_schedule() so that cycle_time will never +be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed(). + +The problem is that the types of divisor are different; cycle_time is +s64, but the argument of div_s64_rem() is s32. + +syzkaller fed this input and 0x100000000 is cast to s32 to be 0. + + @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000} + +We use s64 for cycle_time to cast it to ktime_t, so let's keep it and +set max for cycle_time. + +While at it, we prevent overflow in setup_txtime() and add another +test in parse_taprio_schedule() to check if cycle_time overflows. + +Also, we add a new tdc test case for this issue. 
+ +[0]: +divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Workqueue: ipv6_addrconf addrconf_dad_work +RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline] +RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline] +RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344 +Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10 +RSP: 0018:ffffc90000acf260 EFLAGS: 00010206 +RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000 +RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934 +R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800 +R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0 +PKRU: 55555554 +Call Trace: + + get_packet_txtime net/sched/sch_taprio.c:508 [inline] + taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577 + taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658 + dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732 + __dev_xmit_skb net/core/dev.c:3821 [inline] + __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169 + dev_queue_xmit include/linux/netdevice.h:3088 [inline] + neigh_resolve_output net/core/neighbour.c:1552 [inline] + neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532 + neigh_output include/net/neighbour.h:544 [inline] + ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135 + __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196 + ip6_finish_output 
net/ipv6/ip6_output.c:207 [inline] + NF_HOOK_COND include/linux/netfilter.h:292 [inline] + ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228 + dst_output include/net/dst.h:458 [inline] + NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303 + ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508 + ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666 + addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175 + process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597 + worker_thread+0x60f/0x1240 kernel/workqueue.c:2748 + kthread+0x2fe/0x3f0 kernel/kthread.c:389 + ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 + +Modules linked in: + +Fixes: 4cfd5779bd6e ("taprio: Add support for txtime-assist mode") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Co-developed-by: Eric Dumazet +Co-developed-by: Pedro Tammela +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 15 +++++++++-- + .../tc-testing/tc-tests/qdiscs/taprio.json | 25 +++++++++++++++++++ + 2 files changed, 38 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index a274a9332f333..8d5eebb2dd1b1 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -769,6 +769,11 @@ static const struct nla_policy taprio_tc_policy[TCA_TAPRIO_TC_ENTRY_MAX + 1] = { + [TCA_TAPRIO_TC_ENTRY_MAX_SDU] = { .type = NLA_U32 }, + }; + ++static struct netlink_range_validation_signed taprio_cycle_time_range = { ++ .min = 0, ++ .max = INT_MAX, ++}; ++ + static const struct nla_policy taprio_policy[TCA_TAPRIO_ATTR_MAX + 1] = { + [TCA_TAPRIO_ATTR_PRIOMAP] = { + .len = sizeof(struct tc_mqprio_qopt) +@@ -777,7 +782,8 @@ static const struct nla_policy taprio_policy[TCA_TAPRIO_ATTR_MAX + 1] = { + [TCA_TAPRIO_ATTR_SCHED_BASE_TIME] = { .type = NLA_S64 }, + [TCA_TAPRIO_ATTR_SCHED_SINGLE_ENTRY] = { .type = NLA_NESTED }, + [TCA_TAPRIO_ATTR_SCHED_CLOCKID] = { .type = NLA_S32 }, +- [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME] = { 
.type = NLA_S64 }, ++ [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME] = ++ NLA_POLICY_FULL_RANGE_SIGNED(NLA_S64, &taprio_cycle_time_range), + [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION] = { .type = NLA_S64 }, + [TCA_TAPRIO_ATTR_FLAGS] = { .type = NLA_U32 }, + [TCA_TAPRIO_ATTR_TXTIME_DELAY] = { .type = NLA_U32 }, +@@ -913,6 +919,11 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, + return -EINVAL; + } + ++ if (cycle < 0 || cycle > INT_MAX) { ++ NL_SET_ERR_MSG(extack, "'cycle_time' is too big"); ++ return -EINVAL; ++ } ++ + new->cycle_time = cycle; + } + +@@ -1110,7 +1121,7 @@ static void setup_txtime(struct taprio_sched *q, + struct sched_gate_list *sched, ktime_t base) + { + struct sched_entry *entry; +- u32 interval = 0; ++ u64 interval = 0; + + list_for_each_entry(entry, &sched->entries, list) { + entry->next_txtime = ktime_add_ns(base, interval); +diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json +index a44455372646a..08d4861c2e782 100644 +--- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json +@@ -131,5 +131,30 @@ + "teardown": [ + "echo \"1\" > /sys/bus/netdevsim/del_device" + ] ++ }, ++ { ++ "id": "3e1e", ++ "name": "Add taprio Qdisc with an invalid cycle-time", ++ "category": [ ++ "qdisc", ++ "taprio" ++ ], ++ "plugins": { ++ "requires": "nsPlugin" ++ }, ++ "setup": [ ++ "echo \"1 1 8\" > /sys/bus/netdevsim/new_device", ++ "$TC qdisc add dev $ETH root handle 1: taprio num_tc 3 map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 queues 1@0 1@0 1@0 base-time 1000000000 sched-entry S 01 300000 flags 0x1 clockid CLOCK_TAI cycle-time 4294967296 || /bin/true", ++ "$IP link set dev $ETH up", ++ "$IP addr add 10.10.10.10/24 dev $ETH" ++ ], ++ "cmdUnderTest": "/bin/true", ++ "expExitCode": "0", ++ "verifyCmd": "$TC qdisc show dev $ETH", ++ "matchPattern": "qdisc taprio 1: root refcnt", ++ 
"matchCount": "0", ++ "teardown": [ ++ "echo \"1\" > /sys/bus/netdevsim/del_device" ++ ] + } + ] +-- +2.40.1 + diff --git a/queue-6.1/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch b/queue-6.1/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch new file mode 100644 index 00000000000..d4160f5f888 --- /dev/null +++ b/queue-6.1/perf-test-uprobe_from_different_cu-skip-if-there-is-.patch 
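Review bot: `taprio_cycle_time_range` is declared `static struct` although the policy only reads it, so it should be `static const struct netlink_range_validation_signed taprio_cycle_time_range = {`. In parse_taprio_schedule() the added check also rejects `cycle < 0` yet reports `'cycle_time' is too big`; a message such as `'cycle_time' is out of range` would cover both cases. That check apparently guards the value summed from the schedule entries rather than the attribute, so a one-line comment saying why it is not redundant with the policy range would help; the surrounding function body is outside the hunk.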
@@ -0,0 +1,66 @@
+From 86c3703886acee2cdc9a193e326485c3eb335d4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Jul 2023 17:18:12 +0200
+Subject: perf test uprobe_from_different_cu: Skip if there is no gcc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Georg Müller
+
+[ Upstream commit 98ce8e4a9dcfb448b30a2d7a16190f4a00382377 ]
+
+Without gcc, the test will fail.
+
+On cleanup, ignore probe removal errors. Otherwise, in case of an error
+adding the probe, the temporary directory is not removed.
+
+Fixes: 56cbeacf14353057 ("perf probe: Add test for regression introduced by switch to die_get_decl_file()")
+Signed-off-by: Georg Müller
+Acked-by: Ian Rogers
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Georg Müller
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Masami Hiramatsu
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/20230728151812.454806-2-georgmueller@gmx.net
+Link: https://lore.kernel.org/r/CAP-5=fUP6UuLgRty3t2=fQsQi3k4hDMz415vWdp1x88QMvZ8ug@mail.gmail.com/
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/test_uprobe_from_different_cu.sh b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+index 00d2e0e2e0c28..319f36ebb9a40 100644
+--- a/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+@@ -4,6 +4,12 @@
+
+ set -e
+
++# skip if there's no gcc
++if ! [ -x "$(command -v gcc)" ]; then
++ echo "failed: no gcc compiler"
++ exit 2
++fi
++
+ temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX)
+
+ cleanup()
+@@ -11,7 +17,7 @@ cleanup()
+ trap - EXIT TERM INT
+ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then
+ echo "--- Cleaning up ---"
+- perf probe -x ${temp_dir}/testfile -d foo
++ perf probe -x ${temp_dir}/testfile -d foo || true
+ rm -f "${temp_dir}/"*
+ rmdir "${temp_dir}"
+ fi
+--
+2.40.1
+
diff --git a/queue-6.1/prestera-fix-fallback-to-previous-version-on-same-ma.patch b/queue-6.1/prestera-fix-fallback-to-previous-version-on-same-ma.patch
new file mode 100644
index 00000000000..ee9b8ea590f
--- /dev/null
+++ b/queue-6.1/prestera-fix-fallback-to-previous-version-on-same-ma.patch
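Review bot: The new gcc guard prints `failed: no gcc compiler` and then exits with 2, which going by the commit subject is meant as a skip, so the log line contradicts the reported result; `echo "skip: no gcc compiler"` would match. In `cleanup()` the changed line still expands `${temp_dir}` unquoted while the `rm` and `rmdir` lines right after it quote it; `perf probe -x "${temp_dir}/testfile" -d foo || true` would keep the function consistent. The rest of the script lies outside these two hunks.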
@@ -0,0 +1,66 @@
+From 89ac3da44e38957814b40ab3c4ca1fd5f4e00dc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 11:23:56 +0200
+Subject: prestera: fix fallback to previous version on same major version
+
+From: Jonas Gorski
+
+[ Upstream commit b755c25fbcd568821a3bb0e0d5c2daa5fcb00bba ]
+
+When both supported and previous version have the same major version,
+and the firmwares are missing, the driver ends in a loop requesting the
+same (previous) version over and over again:
+
+ [ 76.327413] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.1.img firmware, fall-back to previous 4.0 version
+ [ 76.339802] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.352162] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.364502] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.376848] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.389183] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.401522] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.413860] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ [ 76.426199] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.0.img firmware, fall-back to previous 4.0 version
+ ...
+
+Fix this by inverting the check to that we aren't yet at the previous
+version, and also check the minor version.
+
+This also catches the case where both versions are the same, as it was
+after commit bb5dbf2cc64d ("net: marvell: prestera: add firmware v4.0
+support").
+
+With this fix applied:
+
+ [ 88.499622] Prestera DX 0000:01:00.0: missing latest mrvl/prestera/mvsw_prestera_fw-v4.1.img firmware, fall-back to previous 4.0 version
+ [ 88.511995] Prestera DX 0000:01:00.0: failed to request previous firmware: mrvl/prestera/mvsw_prestera_fw-v4.0.img
+ [ 88.522403] Prestera DX: probe of 0000:01:00.0 failed with error -2
+
+Fixes: 47f26018a414 ("net: marvell: prestera: try to load previous fw version")
+Signed-off-by: Jonas Gorski
+Acked-by: Elad Nachman
+Reviewed-by: Jesse Brandeburg
+Acked-by: Taras Chornyi
+Link: https://lore.kernel.org/r/20230802092357.163944-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/prestera/prestera_pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_pci.c b/drivers/net/ethernet/marvell/prestera/prestera_pci.c
+index 59470d99f5228..a37dbbda8de39 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_pci.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_pci.c
+@@ -702,7 +702,8 @@ static int prestera_fw_get(struct prestera_fw *fw)
+
+ err = request_firmware_direct(&fw->bin, fw_path, fw->dev.dev);
+ if (err) {
+- if (ver_maj == PRESTERA_SUPP_FW_MAJ_VER) {
++ if (ver_maj != PRESTERA_PREV_FW_MAJ_VER ||
++ ver_min != PRESTERA_PREV_FW_MIN_VER) {
+ ver_maj = PRESTERA_PREV_FW_MAJ_VER;
+ ver_min = PRESTERA_PREV_FW_MIN_VER;
+
+--
+2.40.1
+
diff --git a/queue-6.1/qed-fix-scheduling-in-a-tasklet-while-getting-stats.patch b/queue-6.1/qed-fix-scheduling-in-a-tasklet-while-getting-stats.patch
new file mode 100644
index 00000000000..af226863f1d
--- /dev/null
+++ b/queue-6.1/qed-fix-scheduling-in-a-tasklet-while-getting-stats.patch
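Review bot: The two-line condition in prestera_fw_get() is what ends the firmware retry, yet nothing next to it says so, and the previous single-line test is exactly what produced the endless loop quoted in the commit message. A comment above it, for example `/* Fall back at most once: retry only if the previous version has not been tried yet. */`, would protect the termination condition from a later edit. The retry jump and the rest of prestera_fw_get() are outside the hunk, so the loop shape is inferred from the log excerpt.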
@@ -0,0 +1,452 @@
+From 1942c64805e7aeaae6711f3dff05f8d88537fd3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jul 2023 18:26:09 +0300
+Subject: qed: Fix scheduling in a tasklet while getting stats
+
+From: Konstantin Khorenko
+
+[ Upstream commit e346e231b42bcae6822a6326acfb7b741e9e6026 ]
+
+Here we've got to a situation when tasklet called usleep_range() in PTT
+acquire logic, thus welcome to the "scheduling while atomic" BUG().
+
+ BUG: scheduling while atomic: swapper/24/0/0x00000100
+
+ [] schedule+0x29/0x70
+ [] schedule_hrtimeout_range_clock+0xb2/0x150
+ [] schedule_hrtimeout_range+0x13/0x20
+ [] usleep_range+0x4f/0x70
+ [] qed_ptt_acquire+0x38/0x100 [qed]
+ [] _qed_get_vport_stats+0x458/0x580 [qed]
+ [] qed_get_vport_stats+0x1c/0xd0 [qed]
+ [] qed_get_protocol_stats+0x93/0x100 [qed]
+ qed_mcp_send_protocol_stats
+ case MFW_DRV_MSG_GET_LAN_STATS:
+ case MFW_DRV_MSG_GET_FCOE_STATS:
+ case MFW_DRV_MSG_GET_ISCSI_STATS:
+ case MFW_DRV_MSG_GET_RDMA_STATS:
+ [] qed_mcp_handle_events+0x2d8/0x890 [qed]
+ qed_int_assertion
+ qed_int_attentions
+ [] qed_int_sp_dpc+0xa50/0xdc0 [qed]
+ [] tasklet_action+0x83/0x140
+ [] __do_softirq+0x125/0x2bb
+ [] call_softirq+0x1c/0x30
+ [] do_softirq+0x65/0xa0
+ [] irq_exit+0x105/0x110
+ [] do_IRQ+0x56/0xf0
+
+Fix this by making caller to provide the context whether it could be in
+atomic context flow or not when getting stats from QED driver.
+QED driver based on the context provided decide to schedule out or not
+when acquiring the PTT BAR window.
+
+We faced the BUG_ON() while getting vport stats, but according to the
+code same issue could happen for fcoe and iscsi statistics as well, so
+fixing them too.
+
+Fixes: 6c75424612a7 ("qed: Add support for NCSI statistics.")
+Fixes: 1e128c81290a ("qed: Add support for hardware offloaded FCoE.")
+Fixes: 2f2b2614e893 ("qed: Provide iSCSI statistics to management")
+Cc: Sudarsana Kalluru
+Cc: David Miller
+Cc: Manish Chopra
+
+Signed-off-by: Konstantin Khorenko
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev_api.h | 16 ++++++++++++
+ drivers/net/ethernet/qlogic/qed/qed_fcoe.c | 19 ++++++++++----
+ drivers/net/ethernet/qlogic/qed/qed_fcoe.h | 17 ++++++++++--
+ drivers/net/ethernet/qlogic/qed/qed_hw.c | 26 ++++++++++++++++---
+ drivers/net/ethernet/qlogic/qed/qed_iscsi.c | 19 ++++++++++----
+ drivers/net/ethernet/qlogic/qed/qed_iscsi.h | 8 ++++--
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 19 ++++++++++----
+ drivers/net/ethernet/qlogic/qed/qed_l2.h | 24 +++++++++++++++++
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 6 ++---
+ 9 files changed, 128 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev_api.h b/drivers/net/ethernet/qlogic/qed/qed_dev_api.h
+index f8682356d0cf4..94d4f9413ab7a 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev_api.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev_api.h
+@@ -193,6 +193,22 @@ void qed_hw_remove(struct qed_dev *cdev);
+ */
+ struct qed_ptt *qed_ptt_acquire(struct qed_hwfn *p_hwfn);
+
++/**
++ * qed_ptt_acquire_context(): Allocate a PTT window honoring the context
++ * atomicy.
++ *
++ * @p_hwfn: HW device data.
++ * @is_atomic: Hint from the caller - if the func can sleep or not.
++ *
++ * Context: The function should not sleep in case is_atomic == true.
++ * Return: struct qed_ptt.
++ *
++ * Should be called at the entry point to the driver
++ * (at the beginning of an exported function).
++ */
++struct qed_ptt *qed_ptt_acquire_context(struct qed_hwfn *p_hwfn,
++ bool is_atomic);
++
+ /**
+ * qed_ptt_release(): Release PTT Window.
+ *
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_fcoe.c b/drivers/net/ethernet/qlogic/qed/qed_fcoe.c
+index 3764190b948eb..04602ac947087 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_fcoe.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_fcoe.c
+@@ -693,13 +693,14 @@ static void _qed_fcoe_get_pstats(struct qed_hwfn *p_hwfn,
+ }
+
+ static int qed_fcoe_get_stats(struct qed_hwfn *p_hwfn,
+- struct qed_fcoe_stats *p_stats)
++ struct qed_fcoe_stats *p_stats,
++ bool is_atomic)
+ {
+ struct qed_ptt *p_ptt;
+
+ memset(p_stats, 0, sizeof(*p_stats));
+
+- p_ptt = qed_ptt_acquire(p_hwfn);
++ p_ptt = qed_ptt_acquire_context(p_hwfn, is_atomic);
+
+ if (!p_ptt) {
+ DP_ERR(p_hwfn, "Failed to acquire ptt\n");
+@@ -973,19 +974,27 @@ static int qed_fcoe_destroy_conn(struct qed_dev *cdev,
+ QED_SPQ_MODE_EBLOCK, NULL);
+ }
+
++static int qed_fcoe_stats_context(struct qed_dev *cdev,
++ struct qed_fcoe_stats *stats,
++ bool is_atomic)
++{
++ return qed_fcoe_get_stats(QED_AFFIN_HWFN(cdev), stats, is_atomic);
++}
++
+ static int qed_fcoe_stats(struct qed_dev *cdev, struct qed_fcoe_stats *stats)
+ {
+- return qed_fcoe_get_stats(QED_AFFIN_HWFN(cdev), stats);
++ return qed_fcoe_stats_context(cdev, stats, false);
+ }
+
+ void qed_get_protocol_stats_fcoe(struct qed_dev *cdev,
+- struct qed_mcp_fcoe_stats *stats)
++ struct qed_mcp_fcoe_stats *stats,
++ bool is_atomic)
+ {
+ struct qed_fcoe_stats proto_stats;
+
+ /* Retrieve FW statistics */
+ memset(&proto_stats, 0, sizeof(proto_stats));
+- if (qed_fcoe_stats(cdev, &proto_stats)) {
++ if (qed_fcoe_stats_context(cdev, &proto_stats, is_atomic)) {
+ DP_VERBOSE(cdev, QED_MSG_STORAGE,
+ "Failed to collect FCoE statistics\n");
+ return;
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_fcoe.h b/drivers/net/ethernet/qlogic/qed/qed_fcoe.h
+index 19c85adf4ceb1..214e8299ecb4e 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_fcoe.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_fcoe.h
+@@ -28,8 +28,20 @@ int qed_fcoe_alloc(struct qed_hwfn *p_hwfn);
+ void qed_fcoe_setup(struct qed_hwfn *p_hwfn);
+
+ void qed_fcoe_free(struct qed_hwfn *p_hwfn);
++/**
++ * qed_get_protocol_stats_fcoe(): Fills provided statistics
++ * struct with statistics.
++ *
++ * @cdev: Qed dev pointer.
++ * @stats: Points to struct that will be filled with statistics.
++ * @is_atomic: Hint from the caller - if the func can sleep or not.
++ *
++ * Context: The function should not sleep in case is_atomic == true.
++ * Return: Void.
++ */
+ void qed_get_protocol_stats_fcoe(struct qed_dev *cdev,
+- struct qed_mcp_fcoe_stats *stats);
++ struct qed_mcp_fcoe_stats *stats,
++ bool is_atomic);
+ #else /* CONFIG_QED_FCOE */
+ static inline int qed_fcoe_alloc(struct qed_hwfn *p_hwfn)
+ {
+@@ -40,7 +52,8 @@ static inline void qed_fcoe_setup(struct qed_hwfn *p_hwfn) {}
+ static inline void qed_fcoe_free(struct qed_hwfn *p_hwfn) {}
+
+ static inline void qed_get_protocol_stats_fcoe(struct qed_dev *cdev,
+- struct qed_mcp_fcoe_stats *stats)
++ struct qed_mcp_fcoe_stats *stats,
++ bool is_atomic)
+ {
+ }
+ #endif /* CONFIG_QED_FCOE */
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_hw.c b/drivers/net/ethernet/qlogic/qed/qed_hw.c
+index 554f30b0cfd5e..6263f847b6b92 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_hw.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_hw.c
+@@ -23,7 +23,10 @@
+ #include "qed_reg_addr.h"
+ #include "qed_sriov.h"
+
+-#define QED_BAR_ACQUIRE_TIMEOUT 1000
++#define QED_BAR_ACQUIRE_TIMEOUT_USLEEP_CNT 1000
++#define QED_BAR_ACQUIRE_TIMEOUT_USLEEP 1000
++#define QED_BAR_ACQUIRE_TIMEOUT_UDELAY_CNT 100000
++#define QED_BAR_ACQUIRE_TIMEOUT_UDELAY 10
+
+ /* Invalid values */
+ #define QED_BAR_INVALID_OFFSET (cpu_to_le32(-1))
+@@ -84,12 +87,22 @@ void qed_ptt_pool_free(struct qed_hwfn *p_hwfn)
+ }
+
+ struct qed_ptt *qed_ptt_acquire(struct qed_hwfn *p_hwfn)
++{
++ return qed_ptt_acquire_context(p_hwfn, false);
++}
++
++struct qed_ptt *qed_ptt_acquire_context(struct qed_hwfn *p_hwfn, bool is_atomic)
+ {
+ struct qed_ptt *p_ptt;
+- unsigned int i;
++ unsigned int i, count;
++
++ if (is_atomic)
++ count = QED_BAR_ACQUIRE_TIMEOUT_UDELAY_CNT;
++ else
++ count = QED_BAR_ACQUIRE_TIMEOUT_USLEEP_CNT;
+
+ /* Take the free PTT from the list */
+- for (i = 0; i < QED_BAR_ACQUIRE_TIMEOUT; i++) {
++ for (i = 0; i < count; i++) {
+ spin_lock_bh(&p_hwfn->p_ptt_pool->lock);
+
+ if (!list_empty(&p_hwfn->p_ptt_pool->free_list)) {
+@@ -105,7 +118,12 @@ struct qed_ptt *qed_ptt_acquire(struct qed_hwfn *p_hwfn)
+ }
+
+ spin_unlock_bh(&p_hwfn->p_ptt_pool->lock);
+- usleep_range(1000, 2000);
++
++ if (is_atomic)
++ udelay(QED_BAR_ACQUIRE_TIMEOUT_UDELAY);
++ else
++ usleep_range(QED_BAR_ACQUIRE_TIMEOUT_USLEEP,
++ QED_BAR_ACQUIRE_TIMEOUT_USLEEP * 2);
+ }
+
+ DP_NOTICE(p_hwfn, "PTT acquire timeout - failed to allocate PTT\n");
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iscsi.c b/drivers/net/ethernet/qlogic/qed/qed_iscsi.c
+index 511ab214eb9c8..980e7289b4814 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iscsi.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iscsi.c
+@@ -999,13 +999,14 @@ static void _qed_iscsi_get_pstats(struct qed_hwfn *p_hwfn,
+ }
+
+ static int qed_iscsi_get_stats(struct qed_hwfn *p_hwfn,
+- struct qed_iscsi_stats *stats)
++ struct qed_iscsi_stats *stats,
++ bool is_atomic)
+ {
+ struct qed_ptt *p_ptt;
+
+ memset(stats, 0, sizeof(*stats));
+
+- p_ptt = qed_ptt_acquire(p_hwfn);
++ p_ptt = qed_ptt_acquire_context(p_hwfn, is_atomic);
+ if (!p_ptt) {
+ DP_ERR(p_hwfn, "Failed to acquire ptt\n");
+ return -EAGAIN;
+@@ -1336,9 +1337,16 @@ static int qed_iscsi_destroy_conn(struct qed_dev *cdev,
+ QED_SPQ_MODE_EBLOCK, NULL);
+ }
+
++static int qed_iscsi_stats_context(struct qed_dev *cdev,
++ struct qed_iscsi_stats *stats,
++ bool is_atomic)
++{
++ return qed_iscsi_get_stats(QED_AFFIN_HWFN(cdev), stats, is_atomic);
++}
++
+ static int qed_iscsi_stats(struct qed_dev *cdev, struct qed_iscsi_stats *stats)
+ {
+- return qed_iscsi_get_stats(QED_AFFIN_HWFN(cdev), stats);
++ return qed_iscsi_stats_context(cdev, stats, false);
+ }
+
+ static int qed_iscsi_change_mac(struct qed_dev *cdev,
+@@ -1358,13 +1366,14 @@ static int qed_iscsi_change_mac(struct qed_dev *cdev,
+ }
+
+ void qed_get_protocol_stats_iscsi(struct qed_dev *cdev,
+- struct qed_mcp_iscsi_stats *stats)
++ struct qed_mcp_iscsi_stats *stats,
++ bool is_atomic)
+ {
+ struct qed_iscsi_stats proto_stats;
+
+ /* Retrieve FW statistics */
+ memset(&proto_stats, 0, sizeof(proto_stats));
+- if (qed_iscsi_stats(cdev, &proto_stats)) {
++ if (qed_iscsi_stats_context(cdev, &proto_stats, is_atomic)) {
+ DP_VERBOSE(cdev, QED_MSG_STORAGE,
+ "Failed to collect ISCSI statistics\n");
+ return;
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iscsi.h b/drivers/net/ethernet/qlogic/qed/qed_iscsi.h
+index dec2b00259d42..974cb8d26608c 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iscsi.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_iscsi.h
+@@ -39,11 +39,14 @@ void qed_iscsi_free(struct qed_hwfn *p_hwfn);
+ *
+ * @cdev: Qed dev pointer.
+ * @stats: Points to struct that will be filled with statistics.
++ * @is_atomic: Hint from the caller - if the func can sleep or not.
+ *
++ * Context: The function should not sleep in case is_atomic == true.
+ * Return: Void.
+ */
+ void qed_get_protocol_stats_iscsi(struct qed_dev *cdev,
+- struct qed_mcp_iscsi_stats *stats);
++ struct qed_mcp_iscsi_stats *stats,
++ bool is_atomic);
+ #else /* IS_ENABLED(CONFIG_QED_ISCSI) */
+ static inline int qed_iscsi_alloc(struct qed_hwfn *p_hwfn)
+ {
+@@ -56,7 +59,8 @@ static inline void qed_iscsi_free(struct qed_hwfn *p_hwfn) {}
+
+ static inline void
+ qed_get_protocol_stats_iscsi(struct qed_dev *cdev,
+- struct qed_mcp_iscsi_stats *stats) {}
++ struct qed_mcp_iscsi_stats *stats,
++ bool is_atomic) {}
+ #endif /* IS_ENABLED(CONFIG_QED_ISCSI) */
+
+ #endif
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+index 7776d3bdd459a..970b9aabbc3d7 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -1863,7 +1863,8 @@ static void __qed_get_vport_stats(struct qed_hwfn *p_hwfn,
+ }
+
+ static void _qed_get_vport_stats(struct qed_dev *cdev,
+- struct qed_eth_stats *stats)
++ struct qed_eth_stats *stats,
++ bool is_atomic)
+ {
+ u8 fw_vport = 0;
+ int i;
+@@ -1872,10 +1873,11 @@ static void _qed_get_vport_stats(struct qed_dev *cdev,
+
+ for_each_hwfn(cdev, i) {
+ struct qed_hwfn *p_hwfn = &cdev->hwfns[i];
+- struct qed_ptt *p_ptt = IS_PF(cdev) ? qed_ptt_acquire(p_hwfn)
+- : NULL;
++ struct qed_ptt *p_ptt;
+ bool b_get_port_stats;
+
++ p_ptt = IS_PF(cdev) ? qed_ptt_acquire_context(p_hwfn, is_atomic)
++ : NULL;
+ if (IS_PF(cdev)) {
+ /* The main vport index is relative first */
+ if (qed_fw_vport(p_hwfn, 0, &fw_vport)) {
+@@ -1900,6 +1902,13 @@ static void _qed_get_vport_stats(struct qed_dev *cdev,
+ }
+
+ void qed_get_vport_stats(struct qed_dev *cdev, struct qed_eth_stats *stats)
++{
++ qed_get_vport_stats_context(cdev, stats, false);
++}
++
++void qed_get_vport_stats_context(struct qed_dev *cdev,
++ struct qed_eth_stats *stats,
++ bool is_atomic)
+ {
+ u32 i;
+
+@@ -1908,7 +1917,7 @@ void qed_get_vport_stats(struct qed_dev *cdev, struct qed_eth_stats *stats)
+ return;
+ }
+
+- _qed_get_vport_stats(cdev, stats);
++ _qed_get_vport_stats(cdev, stats, is_atomic);
+
+ if (!cdev->reset_stats)
+ return;
+@@ -1960,7 +1969,7 @@ void qed_reset_vport_stats(struct qed_dev *cdev)
+ if (!cdev->reset_stats) {
+ DP_INFO(cdev, "Reset stats not allocated\n");
+ } else {
+- _qed_get_vport_stats(cdev, cdev->reset_stats);
++ _qed_get_vport_stats(cdev, cdev->reset_stats, false);
+ cdev->reset_stats->common.link_change_count = 0;
+ }
+ }
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.h b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+index a538cf478c14e..2d2f82c785ad2 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+@@ -249,8 +249,32 @@ qed_sp_eth_rx_queues_update(struct qed_hwfn *p_hwfn,
+ enum spq_mode comp_mode,
+ struct qed_spq_comp_cb *p_comp_data);
+
++/**
++ * qed_get_vport_stats(): Fills provided statistics
++ * struct with statistics.
++ *
++ * @cdev: Qed dev pointer.
++ * @stats: Points to struct that will be filled with statistics.
++ *
++ * Return: Void.
++ */
+ void qed_get_vport_stats(struct qed_dev *cdev, struct qed_eth_stats *stats);
+
++/**
++ * qed_get_vport_stats_context(): Fills provided statistics
++ * struct with statistics.
++ *
++ * @cdev: Qed dev pointer.
++ * @stats: Points to struct that will be filled with statistics.
++ * @is_atomic: Hint from the caller - if the func can sleep or not.
++ *
++ * Context: The function should not sleep in case is_atomic == true.
++ * Return: Void.
++ */
++void qed_get_vport_stats_context(struct qed_dev *cdev,
++ struct qed_eth_stats *stats,
++ bool is_atomic);
++
+ void qed_reset_vport_stats(struct qed_dev *cdev);
+
+ /**
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index c91898be7c030..25d9c254288b5 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -3101,7 +3101,7 @@ void qed_get_protocol_stats(struct qed_dev *cdev,
+
+ switch (type) {
+ case QED_MCP_LAN_STATS:
+- qed_get_vport_stats(cdev, ð_stats);
++ qed_get_vport_stats_context(cdev, ð_stats, true);
+ stats->lan_stats.ucast_rx_pkts =
+ eth_stats.common.rx_ucast_pkts;
+ stats->lan_stats.ucast_tx_pkts =
+@@ -3109,10 +3109,10 @@ void qed_get_protocol_stats(struct qed_dev *cdev,
+ stats->lan_stats.fcs_err = -1;
+ break;
+ case QED_MCP_FCOE_STATS:
+- qed_get_protocol_stats_fcoe(cdev, &stats->fcoe_stats);
++ qed_get_protocol_stats_fcoe(cdev, &stats->fcoe_stats, true);
+ break;
+ case QED_MCP_ISCSI_STATS:
+- qed_get_protocol_stats_iscsi(cdev, &stats->iscsi_stats);
++ qed_get_protocol_stats_iscsi(cdev, &stats->iscsi_stats, true);
+ break;
+ default:
+ DP_VERBOSE(cdev, QED_MSG_SP,
+--
+2.40.1
+
diff --git a/queue-6.1/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch b/queue-6.1/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch
new file mode 100644
index 00000000000..fdc98adeb9f
--- /dev/null
+++ b/queue-6.1/rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch
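Review bot: With `is_atomic` set, the loop in qed_ptt_acquire_context() can busy-wait for 100000 iterations of `udelay(10)`, about one second, in the tasklet context described in the commit message, re-taking `p_ptt_pool->lock` on every pass while the free list stays empty. That is roughly the wall-clock budget of the sleeping path, but as a spin it holds the CPU for the whole period and could draw lockup warnings under PTT exhaustion. The FCoE and iSCSI callers visibly handle a NULL return, so a much smaller `QED_BAR_ACQUIRE_TIMEOUT_UDELAY_CNT` looks affordable; at minimum the defines in qed_hw.c should state the budget, e.g. `/* atomic path: 100000 * 10us = ~1s worst-case busy-wait */`. The new kernel-doc in qed_dev_api.h also misspells `atomicity` as `atomicy`.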
@@ -0,0 +1,66 @@
+From 19624addd059d75553737072305d79d97cdae0d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Jul 2023 15:53:14 +0800
+Subject: rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length
+
+From: Lin Ma
+
+[ Upstream commit d73ef2d69c0dba5f5a1cb9600045c873bab1fb7f ]
+
+There are totally 9 ndo_bridge_setlink handlers in the current kernel,
+which are 1) bnxt_bridge_setlink, 2) be_ndo_bridge_setlink 3)
+i40e_ndo_bridge_setlink 4) ice_bridge_setlink 5)
+ixgbe_ndo_bridge_setlink 6) mlx5e_bridge_setlink 7)
+nfp_net_bridge_setlink 8) qeth_l2_bridge_setlink 9) br_setlink.
+
+By investigating the code, we find that 1-7 parse and use nlattr
+IFLA_BRIDGE_MODE but 3 and 4 forget to do the nla_len check. This can
+lead to an out-of-attribute read and allow a malformed nlattr (e.g.,
+length 0) to be viewed as a 2 byte integer.
+
+To avoid such issues, also for other ndo_bridge_setlink handlers in the
+future. This patch adds the nla_len check in rtnl_bridge_setlink and
+does an early error return if length mismatches. To make it works, the
+break is removed from the parsing for IFLA_BRIDGE_FLAGS to make sure
+this nla_for_each_nested iterates every attribute.
+
+Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
+Fixes: 51616018dd1b ("i40e: Add support for getlink, setlink ndo ops")
+Suggested-by: Jakub Kicinski
+Signed-off-by: Lin Ma
+Acked-by: Nikolay Aleksandrov
+Reviewed-by: Hangbin Liu
+Link: https://lore.kernel.org/r/20230726075314.1059224-1-linma@zju.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 5625ed30a06f3..2758b3f7c0214 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -5030,13 +5030,17 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
+ if (br_spec) {
+ nla_for_each_nested(attr, br_spec, rem) {
+- if (nla_type(attr) == IFLA_BRIDGE_FLAGS) {
++ if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) {
+ if (nla_len(attr) < sizeof(flags))
+ return -EINVAL;
+
+ have_flags = true;
+ flags = nla_get_u16(attr);
+- break;
++ }
++
++ if (nla_type(attr) == IFLA_BRIDGE_MODE) {
++ if (nla_len(attr) < sizeof(u16))
++ return -EINVAL;
+ }
+ }
+ }
+--
+2.40.1
+
diff --git a/queue-6.1/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch b/queue-6.1/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch
new file mode 100644
index 00000000000..0a098946d5a
--- /dev/null
+++ b/queue-6.1/s390-qeth-don-t-call-dev_close-dev_open-down-up.patch
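Review bot: Folding `!have_flags` into the type test means the `nla_len` check now runs only for the first IFLA_BRIDGE_FLAGS attribute; with the `break` removed the loop does reach later duplicates, but a short one passes through unvalidated. This function reads only the first value, so the exposure depends on whether any ndo_bridge_setlink handler walks the nest again and reads a later occurrence, which is not visible here. Validating every occurrence costs nothing: keep the outer test as `if (nla_type(attr) == IFLA_BRIDGE_FLAGS) {` with the length check directly under it, and wrap only the two assignments in `if (!have_flags) { ... }`. rtnl_bridge_setlink() starts and ends outside the hunk.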
@@ -0,0 +1,104 @@
+From 8c23f11d1c3e9928c22d2d9791470b43305f1e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Aug 2023 10:00:16 +0200
+Subject: s390/qeth: Don't call dev_close/dev_open (DOWN/UP)
+
+From: Alexandra Winter
+
+[ Upstream commit 1cfef80d4c2b2c599189f36f36320b205d9447d9 ]
+
+dev_close() and dev_open() are issued to change the interface state to DOWN
+or UP (dev->flags IFF_UP). When the netdev is set DOWN it loses e.g its
+Ipv6 addresses and routes. We don't want this in cases of device recovery
+(triggered by hardware or software) or when the qeth device is set
+offline.
+
+Setting a qeth device offline or online and device recovery actions call
+netif_device_detach() and/or netif_device_attach(). That will reset or
+set the LOWER_UP indication i.e. change the dev->state Bit
+__LINK_STATE_PRESENT. That is enough to e.g. cause bond failovers, and
+still preserves the interface settings that are handled by the network
+stack.
+
+Don't call dev_open() nor dev_close() from the qeth device driver. Let the
+network stack handle this.
+
+Fixes: d4560150cb47 ("s390/qeth: call dev_close() during recovery")
+Signed-off-by: Alexandra Winter
+Reviewed-by: Wenjia Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/net/qeth_core.h | 1 -
+ drivers/s390/net/qeth_core_main.c | 2 --
+ drivers/s390/net/qeth_l2_main.c | 9 ++++++---
+ drivers/s390/net/qeth_l3_main.c | 8 +++++---
+ 4 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
+index 1d195429753dd..613eab7297046 100644
+--- a/drivers/s390/net/qeth_core.h
++++ b/drivers/s390/net/qeth_core.h
+@@ -716,7 +716,6 @@ struct qeth_card_info {
+ u16 chid;
+ u8 ids_valid:1; /* cssid,iid,chid */
+ u8 dev_addr_is_registered:1;
+- u8 open_when_online:1;
+ u8 promisc_mode:1;
+ u8 use_v1_blkt:1;
+ u8 is_vm_nic:1;
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 8bd9fd51208c9..ae4b6d24bc902 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -5371,8 +5371,6 @@ int qeth_set_offline(struct qeth_card *card, const struct qeth_discipline *disc,
+ qeth_clear_ipacmd_list(card);
+
+ rtnl_lock();
+- card->info.open_when_online = card->dev->flags & IFF_UP;
+- dev_close(card->dev);
+ netif_device_detach(card->dev);
+ netif_carrier_off(card->dev);
+ rtnl_unlock();
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index c6ded3fdd715c..9ef2118fc7a2a 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -2387,9 +2387,12 @@ static int qeth_l2_set_online(struct qeth_card *card, bool carrier_ok)
+ qeth_enable_hw_features(dev);
+ qeth_l2_enable_brport_features(card);
+
+- if (card->info.open_when_online) {
+- card->info.open_when_online = 0;
+- dev_open(dev, NULL);
++ if (netif_running(dev)) {
++ local_bh_disable();
++ napi_schedule(&card->napi);
++ /* kick-start the NAPI softirq: */
++ local_bh_enable();
++ qeth_l2_set_rx_mode(dev);
+ }
+ rtnl_unlock();
+ }
+diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
+index d8487a10cd555..c0f30cefec102 100644
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -2017,9 +2017,11 @@ static int qeth_l3_set_online(struct qeth_card *card, bool carrier_ok)
+ netif_device_attach(dev);
+ qeth_enable_hw_features(dev);
+
+- if (card->info.open_when_online) {
+- card->info.open_when_online = 0;
+- dev_open(dev, NULL);
++ if (netif_running(dev)) {
++ local_bh_disable();
++ napi_schedule(&card->napi);
++ /* kick-start the NAPI softirq: */
++ local_bh_enable();
+ }
+ rtnl_unlock();
+ }
+--
+2.40.1
+
diff --git a/queue-6.1/series b/queue-6.1/series
index db782c6c801..39a2f438ae6 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -6,3 +6,64 @@ iommu-arm-smmu-v3-work-around-mmu-600-erratum-1076982.patch iommu-arm-smmu-v3-document-mmu-700-erratum-2812531.patch iommu-arm-smmu-v3-add-explicit-feature-for-nesting.patch iommu-arm-smmu-v3-document-nesting-related-errata.patch +arm64-dts-imx8mm-venice-gw7903-disable-disp_blk_ctrl.patch +arm64-dts-imx8mm-venice-gw7904-disable-disp_blk_ctrl.patch +arm64-dts-phycore-imx8mm-label-typo-fix-of-vpu.patch +arm64-dts-phycore-imx8mm-correction-in-gpio-line-nam.patch +arm64-dts-imx8mn-var-som-add-missing-pull-up-for-onb.patch +arm64-dts-freescale-fix-vpu-g2-clock.patch +firmware-smccc-fix-use-of-uninitialised-results-stru.patch +lib-bitmap-workaround-const_eval-test-build-failure.patch +firmware-arm_scmi-fix-chan_free-cleanup-on-smc.patch +word-at-a-time-use-the-same-return-type-for-has_zero.patch +kvm-s390-fix-sthyi-error-handling.patch +erofs-fix-wrong-primary-bvec-selection-on-deduplicat.patch +wifi-cfg80211-fix-return-value-in-scan-logic.patch +net-mlx5e-fix-double-free-in-macsec_fs_tx_create_cry.patch +net-mlx5-dr-fix-memory-leak-in-mlx5dr_cmd_create_ref.patch +net-mlx5-fix-potential-memory-leak-in-mlx5e_init_rep.patch +net-mlx5e-fix-return-value-check-in-mlx5e_ipsec_remo.patch +net-mlx5e-fix-crash-moving-to-switchdev-mode-when-nt.patch +net-mlx5e-move-representor-neigh-cleanup-to-profile-.patch +bpf-add-length-check-for-sk_diag_bpf_storage_req_map.patch +rtnetlink-let-rtnl_bridge_setlink-checks-ifla_bridge.patch +net-dsa-fix-value-check-in-bcm_sf2_sw_probe.patch +perf-test-uprobe_from_different_cu-skip-if-there-is-.patch +net-sched-cls_u32-fix-match-key-mis-addressing.patch +misdn-hfcpci-fix-potential-deadlock-on-hc-lock.patch +qed-fix-scheduling-in-a-tasklet-while-getting-stats.patch +net-annotate-data-races-around-sk-sk_reserved_mem.patch +net-annotate-data-race-around-sk-sk_txrehash.patch +net-annotate-data-races-around-sk-sk_max_pacing_rate.patch +net-add-missing-read_once-sk-sk_rcvlowat-annotation.patch 
+net-add-missing-read_once-sk-sk_sndbuf-annotation.patch +net-add-missing-read_once-sk-sk_rcvbuf-annotation.patch +net-annotate-data-races-around-sk-sk_mark.patch +net-add-missing-data-race-annotations-around-sk-sk_p.patch +net-add-missing-data-race-annotation-for-sk_ll_usec.patch +net-annotate-data-races-around-sk-sk_priority.patch +net-sched-taprio-limit-tca_taprio_attr_sched_cycle_t.patch +ice-fix-rdma-vsi-removal-during-queue-rebuild.patch +bpf-cpumap-handle-skb-as-well-when-clean-up-ptr_ring.patch +net-sched-cls_u32-no-longer-copy-tcf_result-on-updat.patch +net-sched-cls_fw-no-longer-copy-tcf_result-on-update.patch +net-sched-cls_route-no-longer-copy-tcf_result-on-upd.patch +bpf-sockmap-remove-preempt_disable-in-sock_map_sk_ac.patch +net-ll_temac-fix-error-checking-of-irq_of_parse_and_.patch +net-korina-handle-clk-prepare-error-in-korina_probe.patch +net-netsec-ignore-phy-mode-on-synquacer-in-dt-mode.patch +bnxt_en-fix-page-pool-logic-for-page-size-64k.patch +bnxt_en-fix-max_mtu-setting-for-multi-buf-xdp.patch +net-dcb-choose-correct-policy-to-parse-dcb_attr_bcn.patch +s390-qeth-don-t-call-dev_close-dev_open-down-up.patch +ip6mr-fix-skb_under_panic-in-ip6mr_cache_report.patch +vxlan-fix-nexthop-hash-size.patch +net-mlx5-fs_core-make-find_closest_ft-more-generic.patch +net-mlx5-fs_core-skip-the-fts-in-the-same-fs_type_pr.patch +prestera-fix-fallback-to-previous-version-on-same-ma.patch +tcp_metrics-fix-addr_same-helper.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch +tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch +tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch diff --git a/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch new file mode 100644 index 00000000000..201f493d61b --- /dev/null 
+++ b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_lock.patch
@@ -0,0 +1,51 @@
+From 311b7f8f25536a01c045913c8bbd741ce799b0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 13:14:57 +0000
+Subject: tcp_metrics: annotate data-races around tm->tcpm_lock
+
+From: Eric Dumazet
+
+[ Upstream commit 285ce119a3c6c4502585936650143e54c8692788 ]
+
+tm->tcpm_lock can be read or written locklessly.
+
+Add needed READ_ONCE()/WRITE_ONCE() to document this.
+
+Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230802131500.1478140-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_metrics.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 8386165887963..131fa30049691 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -59,7 +59,8 @@ static inline struct net *tm_net(struct tcp_metrics_block *tm)
+ static bool tcp_metric_locked(struct tcp_metrics_block *tm,
+ enum tcp_metric_index idx)
+ {
+- return tm->tcpm_lock & (1 << idx);
++ /* Paired with WRITE_ONCE() in tcpm_suck_dst() */
++ return READ_ONCE(tm->tcpm_lock) & (1 << idx);
+ }
+
+ static u32 tcp_metric_get(struct tcp_metrics_block *tm,
+@@ -110,7 +111,8 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm,
+ val |= 1 << TCP_METRIC_CWND;
+ if (dst_metric_locked(dst, RTAX_REORDERING))
+ val |= 1 << TCP_METRIC_REORDERING;
+- tm->tcpm_lock = val;
++ /* Paired with READ_ONCE() in tcp_metric_locked() */
++ WRITE_ONCE(tm->tcpm_lock, val);
+
+ msval = dst_metric_raw(dst, RTAX_RTT);
+ tm->tcpm_vals[TCP_METRIC_RTT] = msval * USEC_PER_MSEC;
+--
+2.40.1
+
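Review bot: In the first inner hunk, `tcp_metric_locked()` only reads through `tm`, so its parameter could be `const struct tcp_metrics_block *tm`; the sibling patches in this queue constify `tm_net()` and `tcp_metric_get()` in the same way. In the `tcpm_suck_dst()` hunk the mask is assembled in the local `val` and published with one `WRITE_ONCE()`, so a lockless reader never observes a partially built mask; that reasoning would be worth stating in the comment next to the store. Both function bodies continue outside the hunks shown.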
diff --git a/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch
new file mode 100644
index 00000000000..0b3aeb4935a
--- /dev/null
+++ b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_net.patch
@@ -0,0 +1,66 @@ +From 171f5ba4124482aeb9d12acf285bff769209ddb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:59 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_net + +From: Eric Dumazet + +[ Upstream commit d5d986ce42c71a7562d32c4e21e026b0f87befec ] + +tm->tcpm_net can be read or written locklessly. + +Instead of changing write_pnet() and read_pnet() and potentially +hurt performance, add the needed READ_ONCE()/WRITE_ONCE() +in tm_net() and tcpm_new(). + +Fixes: 849e8a0ca8d5 ("tcp_metrics: Add a field tcpm_net and verify it matches on lookup") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index fd4ab7a51cef2..4fd274836a48f 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -40,7 +40,7 @@ struct tcp_fastopen_metrics { + + struct tcp_metrics_block { + struct tcp_metrics_block __rcu *tcpm_next; +- possible_net_t tcpm_net; ++ struct net *tcpm_net; + struct inetpeer_addr tcpm_saddr; + struct inetpeer_addr tcpm_daddr; + unsigned long tcpm_stamp; +@@ -51,9 +51,10 @@ struct tcp_metrics_block { + struct rcu_head rcu_head; + }; + +-static inline struct net *tm_net(struct tcp_metrics_block *tm) ++static inline struct net *tm_net(const struct tcp_metrics_block *tm) + { +- return read_pnet(&tm->tcpm_net); ++ /* Paired with the WRITE_ONCE() in tcpm_new() */ ++ return READ_ONCE(tm->tcpm_net); + } + + static bool tcp_metric_locked(struct tcp_metrics_block *tm, +@@ -197,7 +198,9 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + if (!tm) + goto out_unlock; + } +- write_pnet(&tm->tcpm_net, net); ++ /* Paired with the READ_ONCE() in tm_net() */ ++ 
WRITE_ONCE(tm->tcpm_net, net); ++ + tm->tcpm_saddr = *saddr; + tm->tcpm_daddr = *daddr; + +-- +2.40.1 + diff --git a/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch new file mode 100644 index 00000000000..d584207b61b --- /dev/null +++ b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_stamp.patch 
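Review bot: The `tcpm_net` member of `struct tcp_metrics_block` loses its `possible_net_t` wrapper but gains no comment saying it is accessed locklessly, so a later direct `tm->tcpm_net` read would silently bypass the annotation added here. I would document it at the declaration, e.g. `struct net *tcpm_net; /* lockless: read via tm_net(), write with WRITE_ONCE() */`. With a plain pointer the field is presumably stored even when network namespaces are compiled out, so it is worth confirming the per-entry size change is acceptable. `tcpm_new()` starts and ends outside the hunk.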
@@ -0,0 +1,88 @@ +From 2f123c21fc62194139b97958fdfe8c09308eeb21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:56 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_stamp + +From: Eric Dumazet + +[ Upstream commit 949ad62a5d5311d36fce2e14fe5fed3f936da51c ] + +tm->tcpm_stamp can be read or written locklessly. + +Add needed READ_ONCE()/WRITE_ONCE() to document this. + +Also constify tcpm_check_stamp() dst argument. + +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index c4daf0aa2d4d9..8386165887963 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -97,7 +97,7 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + u32 msval; + u32 val; + +- tm->tcpm_stamp = jiffies; ++ WRITE_ONCE(tm->tcpm_stamp, jiffies); + + val = 0; + if (dst_metric_locked(dst, RTAX_RTT)) +@@ -131,9 +131,15 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + + #define TCP_METRICS_TIMEOUT (60 * 60 * HZ) + +-static void tcpm_check_stamp(struct tcp_metrics_block *tm, struct dst_entry *dst) ++static void tcpm_check_stamp(struct tcp_metrics_block *tm, ++ const struct dst_entry *dst) + { +- if (tm && unlikely(time_after(jiffies, tm->tcpm_stamp + TCP_METRICS_TIMEOUT))) ++ unsigned long limit; ++ ++ if (!tm) ++ return; ++ limit = READ_ONCE(tm->tcpm_stamp) + TCP_METRICS_TIMEOUT; ++ if (unlikely(time_after(jiffies, limit))) + tcpm_suck_dst(tm, dst, false); + } + +@@ -174,7 +180,8 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + oldest = deref_locked(tcp_metrics_hash[hash].chain); + for (tm = 
deref_locked(oldest->tcpm_next); tm; + tm = deref_locked(tm->tcpm_next)) { +- if (time_before(tm->tcpm_stamp, oldest->tcpm_stamp)) ++ if (time_before(READ_ONCE(tm->tcpm_stamp), ++ READ_ONCE(oldest->tcpm_stamp))) + oldest = tm; + } + tm = oldest; +@@ -434,7 +441,7 @@ void tcp_update_metrics(struct sock *sk) + tp->reordering); + } + } +- tm->tcpm_stamp = jiffies; ++ WRITE_ONCE(tm->tcpm_stamp, jiffies); + out_unlock: + rcu_read_unlock(); + } +@@ -647,7 +654,7 @@ static int tcp_metrics_fill_info(struct sk_buff *msg, + } + + if (nla_put_msecs(msg, TCP_METRICS_ATTR_AGE, +- jiffies - tm->tcpm_stamp, ++ jiffies - READ_ONCE(tm->tcpm_stamp), + TCP_METRICS_ATTR_PAD) < 0) + goto nla_put_failure; + +-- +2.40.1 + diff --git a/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch new file mode 100644 index 00000000000..1f17f98c3b0 --- /dev/null +++ b/queue-6.1/tcp_metrics-annotate-data-races-around-tm-tcpm_vals.patch 
@@ -0,0 +1,85 @@ +From 1d1e8b87fb8e5ced6dee3c1197154bbbdbe88ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:14:58 +0000 +Subject: tcp_metrics: annotate data-races around tm->tcpm_vals[] + +From: Eric Dumazet + +[ Upstream commit 8c4d04f6b443869d25e59822f7cec88d647028a9 ] + +tm->tcpm_vals[] values can be read or written locklessly. + +Add needed READ_ONCE()/WRITE_ONCE() to document this, +and force use of tcp_metric_get() and tcp_metric_set() + +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 131fa30049691..fd4ab7a51cef2 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -63,17 +63,19 @@ static bool tcp_metric_locked(struct tcp_metrics_block *tm, + return READ_ONCE(tm->tcpm_lock) & (1 << idx); + } + +-static u32 tcp_metric_get(struct tcp_metrics_block *tm, ++static u32 tcp_metric_get(const struct tcp_metrics_block *tm, + enum tcp_metric_index idx) + { +- return tm->tcpm_vals[idx]; ++ /* Paired with WRITE_ONCE() in tcp_metric_set() */ ++ return READ_ONCE(tm->tcpm_vals[idx]); + } + + static void tcp_metric_set(struct tcp_metrics_block *tm, + enum tcp_metric_index idx, + u32 val) + { +- tm->tcpm_vals[idx] = val; ++ /* Paired with READ_ONCE() in tcp_metric_get() */ ++ WRITE_ONCE(tm->tcpm_vals[idx], val); + } + + static bool addr_same(const struct inetpeer_addr *a, +@@ -115,13 +117,16 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + WRITE_ONCE(tm->tcpm_lock, val); + + msval = dst_metric_raw(dst, RTAX_RTT); +- tm->tcpm_vals[TCP_METRIC_RTT] = msval * USEC_PER_MSEC; ++ tcp_metric_set(tm, TCP_METRIC_RTT, msval * USEC_PER_MSEC); + + msval = dst_metric_raw(dst, RTAX_RTTVAR); +- 
tm->tcpm_vals[TCP_METRIC_RTTVAR] = msval * USEC_PER_MSEC; +- tm->tcpm_vals[TCP_METRIC_SSTHRESH] = dst_metric_raw(dst, RTAX_SSTHRESH); +- tm->tcpm_vals[TCP_METRIC_CWND] = dst_metric_raw(dst, RTAX_CWND); +- tm->tcpm_vals[TCP_METRIC_REORDERING] = dst_metric_raw(dst, RTAX_REORDERING); ++ tcp_metric_set(tm, TCP_METRIC_RTTVAR, msval * USEC_PER_MSEC); ++ tcp_metric_set(tm, TCP_METRIC_SSTHRESH, ++ dst_metric_raw(dst, RTAX_SSTHRESH)); ++ tcp_metric_set(tm, TCP_METRIC_CWND, ++ dst_metric_raw(dst, RTAX_CWND)); ++ tcp_metric_set(tm, TCP_METRIC_REORDERING, ++ dst_metric_raw(dst, RTAX_REORDERING)); + if (fastopen_clear) { + tm->tcpm_fastopen.mss = 0; + tm->tcpm_fastopen.syn_loss = 0; +@@ -667,7 +672,7 @@ static int tcp_metrics_fill_info(struct sk_buff *msg, + if (!nest) + goto nla_put_failure; + for (i = 0; i < TCP_METRIC_MAX_KERNEL + 1; i++) { +- u32 val = tm->tcpm_vals[i]; ++ u32 val = tcp_metric_get(tm, i); + + if (!val) + continue; +-- +2.40.1 + diff --git a/queue-6.1/tcp_metrics-fix-addr_same-helper.patch b/queue-6.1/tcp_metrics-fix-addr_same-helper.patch new file mode 100644 index 00000000000..89d68de7ef2 --- /dev/null +++ b/queue-6.1/tcp_metrics-fix-addr_same-helper.patch 
@@ -0,0 +1,46 @@
+From 95104fb3346843070f1fdbd62ac506db9705b570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 13:14:55 +0000
+Subject: tcp_metrics: fix addr_same() helper
+
+From: Eric Dumazet
+
+[ Upstream commit e6638094d7af6c7b9dcca05ad009e79e31b4f670 ]
+
+Because v4 and v6 families use separate inetpeer trees (respectively
+net->ipv4.peers and net->ipv6.peers), inetpeer_addr_cmp(a, b) assumes
+a & b share the same family.
+
+tcp_metrics use a common hash table, where entries can have different
+families.
+
+We must therefore make sure to not call inetpeer_addr_cmp()
+if the families do not match.
+
+Fixes: d39d14ffa24c ("net: Add helper function to compare inetpeer addresses")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230802131500.1478140-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_metrics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 82f4575f9cd90..c4daf0aa2d4d9 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -78,7 +78,7 @@ static void tcp_metric_set(struct tcp_metrics_block *tm,
+ static bool addr_same(const struct inetpeer_addr *a,
+ const struct inetpeer_addr *b)
+ {
+- return inetpeer_addr_cmp(a, b) == 0;
++ return (a->family == b->family) && !inetpeer_addr_cmp(a, b);
+ }
+
+ struct tcpm_hash_bucket {
+--
+2.40.1
+
diff --git a/queue-6.1/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch b/queue-6.1/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch
new file mode 100644
index 00000000000..674eaac4c60
--- /dev/null
+++ b/queue-6.1/tcp_metrics-fix-data-race-in-tcpm_suck_dst-vs-fastop.patch
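Review bot: The new family test in `addr_same()` carries no comment, yet it is the only thing keeping `inetpeer_addr_cmp()` from comparing an IPv4 key against an IPv6 one in the shared tcp_metrics hash table. A one-line comment above the return would stop a later cleanup from folding it away: `/* v4 and v6 entries share this hash table; inetpeer_addr_cmp() assumes equal families */`. A cross-family false match would presumably attach one peer's cached metrics to a different peer, so the check deserves to be visible in the code and not only in the commit message.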
@@ -0,0 +1,85 @@ +From 1fbd5a4eb5c08f6fbdf2e823f1ff52ff2f76136d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 13:15:00 +0000 +Subject: tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen + +From: Eric Dumazet + +[ Upstream commit ddf251fa2bc1d3699eec0bae6ed0bc373b8fda79 ] + +Whenever tcpm_new() reclaims an old entry, tcpm_suck_dst() +would overwrite data that could be read from tcp_fastopen_cache_get() +or tcp_metrics_fill_info(). + +We need to acquire fastopen_seqlock to maintain consistency. + +For newly allocated objects, tcpm_new() can switch to kzalloc() +to avoid an extra fastopen_seqlock acquisition. + +Fixes: 1fe4c481ba63 ("net-tcp: Fast Open client - cookie cache") +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230802131500.1478140-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 4fd274836a48f..99ac5efe244d3 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -93,6 +93,7 @@ static struct tcpm_hash_bucket *tcp_metrics_hash __read_mostly; + static unsigned int tcp_metrics_hash_log __read_mostly; + + static DEFINE_SPINLOCK(tcp_metrics_lock); ++static DEFINE_SEQLOCK(fastopen_seqlock); + + static void tcpm_suck_dst(struct tcp_metrics_block *tm, + const struct dst_entry *dst, +@@ -129,11 +130,13 @@ static void tcpm_suck_dst(struct tcp_metrics_block *tm, + tcp_metric_set(tm, TCP_METRIC_REORDERING, + dst_metric_raw(dst, RTAX_REORDERING)); + if (fastopen_clear) { ++ write_seqlock(&fastopen_seqlock); + tm->tcpm_fastopen.mss = 0; + tm->tcpm_fastopen.syn_loss = 0; + tm->tcpm_fastopen.try_exp = 0; + tm->tcpm_fastopen.cookie.exp = false; + tm->tcpm_fastopen.cookie.len = 0; ++ write_sequnlock(&fastopen_seqlock); + } + } + +@@ -194,7 +197,7 @@ static struct 
tcp_metrics_block *tcpm_new(struct dst_entry *dst, + } + tm = oldest; + } else { +- tm = kmalloc(sizeof(*tm), GFP_ATOMIC); ++ tm = kzalloc(sizeof(*tm), GFP_ATOMIC); + if (!tm) + goto out_unlock; + } +@@ -204,7 +207,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst, + tm->tcpm_saddr = *saddr; + tm->tcpm_daddr = *daddr; + +- tcpm_suck_dst(tm, dst, true); ++ tcpm_suck_dst(tm, dst, reclaim); + + if (likely(!reclaim)) { + tm->tcpm_next = tcp_metrics_hash[hash].chain; +@@ -556,8 +559,6 @@ bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst) + return ret; + } + +-static DEFINE_SEQLOCK(fastopen_seqlock); +- + void tcp_fastopen_cache_get(struct sock *sk, u16 *mss, + struct tcp_fastopen_cookie *cookie) + { +-- +2.40.1 + diff --git a/queue-6.1/vxlan-fix-nexthop-hash-size.patch b/queue-6.1/vxlan-fix-nexthop-hash-size.patch new file mode 100644 index 00000000000..25c13e964a5 --- /dev/null +++ b/queue-6.1/vxlan-fix-nexthop-hash-size.patch 
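Review bot: At the `tcpm_suck_dst(tm, dst, reclaim)` call in `tcpm_new()`, the fresh-allocation path now depends on `kzalloc()` to leave `tcpm_fastopen` cleared, and nothing at the call site says so. A comment such as `/* new entries are zeroed by kzalloc(); only a reclaimed entry needs its fastopen state cleared under fastopen_seqlock */` would keep someone from switching back to `kmalloc()` and leaving that state uninitialised for readers. The `write_seqlock()` added in `tcpm_suck_dst()` is not the `_bh` variant, so it relies on the caller already running with bottom halves disabled; that looks plausible if `tcpm_new()` runs under `tcp_metrics_lock`, but the locking is outside the hunks and should be confirmed. Both functions start and end outside the hunks shown.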
@@ -0,0 +1,175 @@ +From 0344af0a6ce135fbccd9aea5937cd4389e49df35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 16:02:08 -0400 +Subject: vxlan: Fix nexthop hash size + +From: Benjamin Poirier + +[ Upstream commit 0756384fb1bd38adb2ebcfd1307422f433a1d772 ] + +The nexthop code expects a 31 bit hash, such as what is returned by +fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash +returned by skb_get_hash() can lead to problems related to the fact that +'int hash' is a negative number when the MSB is set. + +In the case of hash threshold nexthop groups, nexthop_select_path_hthr() +will disproportionately select the first nexthop group entry. In the case +of resilient nexthop groups, nexthop_select_path_res() may do an out of +bounds access in nh_buckets[], for example: + hash = -912054133 + num_nh_buckets = 2 + bucket_index = 65535 + +which leads to the following panic: + +BUG: unable to handle page fault for address: ffffc900025910c8 +PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0 +Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI +CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +Workqueue: ipv6_addrconf addrconf_dad_work +RIP: 0010:nexthop_select_path+0x197/0xbf0 +Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85 +RSP: 0018:ffff88810c36f260 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77 +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8 +RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219 +R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0 +R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900 +FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 
ES: 0000 CR0: 0000000080050033 +CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0 +PKRU: 55555554 +Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x1ee/0x5c0 + ? __pfx_is_prefetch.constprop.0+0x10/0x10 + ? __pfx_page_fault_oops+0x10/0x10 + ? search_bpf_extables+0xfe/0x1c0 + ? fixup_exception+0x3b/0x470 + ? exc_page_fault+0xf6/0x110 + ? asm_exc_page_fault+0x26/0x30 + ? nexthop_select_path+0x197/0xbf0 + ? nexthop_select_path+0x197/0xbf0 + ? lock_is_held_type+0xe7/0x140 + vxlan_xmit+0x5b2/0x2340 + ? __lock_acquire+0x92b/0x3370 + ? __pfx_vxlan_xmit+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_register_lock_class+0x10/0x10 + ? skb_network_protocol+0xce/0x2d0 + ? dev_hard_start_xmit+0xca/0x350 + ? __pfx_vxlan_xmit+0x10/0x10 + dev_hard_start_xmit+0xca/0x350 + __dev_queue_xmit+0x513/0x1e20 + ? __pfx___dev_queue_xmit+0x10/0x10 + ? __pfx_lock_release+0x10/0x10 + ? mark_held_locks+0x44/0x90 + ? skb_push+0x4c/0x80 + ? eth_header+0x81/0xe0 + ? __pfx_eth_header+0x10/0x10 + ? neigh_resolve_output+0x215/0x310 + ? ip6_finish_output2+0x2ba/0xc90 + ip6_finish_output2+0x2ba/0xc90 + ? lock_release+0x236/0x3e0 + ? ip6_mtu+0xbb/0x240 + ? __pfx_ip6_finish_output2+0x10/0x10 + ? find_held_lock+0x83/0xa0 + ? lock_is_held_type+0xe7/0x140 + ip6_finish_output+0x1ee/0x780 + ip6_output+0x138/0x460 + ? __pfx_ip6_output+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_ip6_finish_output+0x10/0x10 + NF_HOOK.constprop.0+0xc0/0x420 + ? __pfx_NF_HOOK.constprop.0+0x10/0x10 + ? ndisc_send_skb+0x2c0/0x960 + ? __pfx_lock_release+0x10/0x10 + ? __local_bh_enable_ip+0x93/0x110 + ? lock_is_held_type+0xe7/0x140 + ndisc_send_skb+0x4be/0x960 + ? __pfx_ndisc_send_skb+0x10/0x10 + ? mark_held_locks+0x65/0x90 + ? find_held_lock+0x83/0xa0 + ndisc_send_ns+0xb0/0x110 + ? __pfx_ndisc_send_ns+0x10/0x10 + addrconf_dad_work+0x631/0x8e0 + ? lock_acquire+0x180/0x3f0 + ? __pfx_addrconf_dad_work+0x10/0x10 + ? mark_held_locks+0x24/0x90 + process_one_work+0x582/0x9c0 + ? 
__pfx_process_one_work+0x10/0x10 + ? __pfx_do_raw_spin_lock+0x10/0x10 + ? mark_held_locks+0x24/0x90 + worker_thread+0x93/0x630 + ? __kthread_parkme+0xdc/0x100 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x1a5/0x1e0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 +RIP: 0000:0x0 +Code: Unable to access opcode bytes at 0xffffffffffffffd6. +RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Modules linked in: +CR2: ffffc900025910c8 +---[ end trace 0000000000000000 ]--- +RIP: 0010:nexthop_select_path+0x197/0xbf0 +Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85 +RSP: 0018:ffff88810c36f260 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77 +RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8 +RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219 +R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0 +R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900 +FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 0000000129d00000 CR4: 0000000000750ee0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: 0x2ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fix this problem by ensuring 
the MSB of hash is 0 using a right shift - the +same approach used in fib_multipath_hash() and rt6_multipath_hash(). + +Fixes: 1274e1cc4226 ("vxlan: ecmp support for mac fdb entries") +Signed-off-by: Benjamin Poirier +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/vxlan.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/vxlan.h b/include/net/vxlan.h +index 03bcc1ef0d61e..a46ec889acb73 100644 +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -548,12 +548,12 @@ static inline void vxlan_flag_attr_error(int attrtype, + } + + static inline bool vxlan_fdb_nh_path_select(struct nexthop *nh, +- int hash, ++ u32 hash, + struct vxlan_rdst *rdst) + { + struct fib_nh_common *nhc; + +- nhc = nexthop_path_fdb_result(nh, hash); ++ nhc = nexthop_path_fdb_result(nh, hash >> 1); + if (unlikely(!nhc)) + return false; + +-- +2.40.1 + diff --git a/queue-6.1/wifi-cfg80211-fix-return-value-in-scan-logic.patch b/queue-6.1/wifi-cfg80211-fix-return-value-in-scan-logic.patch new file mode 100644 index 00000000000..817c485fe9d --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-return-value-in-scan-logic.patch 
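Review bot: `vxlan_fdb_nh_path_select()` now clears the top bit with `hash >> 1`, but the 31-bit requirement is recorded only in the commit message, and per that message the nexthop code still works on a signed `int hash`, so any other caller that forwards a raw 32-bit hash would presumably reach the same out-of-bounds bucket index. I would add a comment at the shift, `/* nexthop code expects a 31-bit hash, as fib_multipath_hash() returns */`, and consider a range check or mask inside the nexthop selection path as defence in depth. The function body continues past the end of the inner hunk.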
@@ -0,0 +1,43 @@
+From b62f99ca65a847711ffa3e85131900dca2b02d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jul 2023 23:10:43 +0300
+Subject: wifi: cfg80211: Fix return value in scan logic
+
+From: Ilan Peer
+
+[ Upstream commit fd7f08d92fcd7cc3eca0dd6c853f722a4c6176df ]
+
+The reporter noticed a warning when running iwlwifi:
+
+WARNING: CPU: 8 PID: 659 at mm/page_alloc.c:4453 __alloc_pages+0x329/0x340
+
+As cfg80211_parse_colocated_ap() is not expected to return a negative
+value return 0 and not a negative value if cfg80211_calc_short_ssid()
+fails.
+
+Fixes: c8cb5b854b40f ("nl80211/cfg80211: support 6 GHz scanning")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217675
+Signed-off-by: Ilan Peer
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230723201043.3007430-1-ilan.peer@intel.com
+Signed-off-by: Sasha Levin
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index efe9283e98935..e5c1510c098fd 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -643,7 +643,7 @@ static int cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies,
+
+ ret = cfg80211_calc_short_ssid(ies, &ssid_elem, &s_ssid_tmp);
+ if (ret)
+- return ret;
++ return 0;
+
+ /* RNR IE may contain more than one NEIGHBOR_AP_INFO */
+ while (pos + sizeof(*ap_info) <= end) {
+--
+2.40.1
+
diff --git a/queue-6.1/word-at-a-time-use-the-same-return-type-for-has_zero.patch b/queue-6.1/word-at-a-time-use-the-same-return-type-for-has_zero.patch
new file mode 100644
index 00000000000..e1b3184c542
--- /dev/null
+++ b/queue-6.1/word-at-a-time-use-the-same-return-type-for-has_zero.patch
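Review bot: The `return 0;` after a failed `cfg80211_calc_short_ssid()` now discards the error silently, so the next reader cannot tell a deliberate "nothing found" from a forgotten error path. A comment on that line would settle it, e.g. `/* callers expect a non-negative value; treat a failed short-SSID calculation as nothing found */`. The commit message appears to tie the negative return to an allocation warning in `__alloc_pages`, so it is also worth checking, outside this hunk, that the caller bounds the value before using it to size an allocation. `cfg80211_parse_colocated_ap()` starts and ends outside the hunk.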
@@ -0,0 +1,74 @@ +From 8f24bf2c09fdde35e773764b8ca2136d1b4787c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 15:22:17 -0700 +Subject: word-at-a-time: use the same return type for has_zero regardless of + endianness + +From: ndesaulniers@google.com + +[ Upstream commit 79e8328e5acbe691bbde029a52c89d70dcbc22f3 ] + +Compiling big-endian targets with Clang produces the diagnostic: + + fs/namei.c:2173:13: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] + } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants))); + ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + || + fs/namei.c:2173:13: note: cast one or both operands to int to silence this warning + +It appears that when has_zero was introduced, two definitions were +produced with different signatures (in particular different return +types). + +Looking at the usage in hash_name() in fs/namei.c, I suspect that +has_zero() is meant to be invoked twice per while loop iteration; using +logical-or would not update `bdata` when `a` did not have zeros. So I +think it's preferred to always return an unsigned long rather than a +bool than update the while loop in hash_name() to use a logical-or +rather than bitwise-or. 
+ +[ Also changed powerpc version to do the same - Linus ] + +Link: https://github.com/ClangBuiltLinux/linux/issues/1832 +Link: https://lore.kernel.org/lkml/20230801-bitwise-v1-1-799bec468dc4@google.com/ +Fixes: 36126f8f2ed8 ("word-at-a-time: make the interfaces truly generic") +Debugged-by: Nathan Chancellor +Signed-off-by: Nick Desaulniers +Acked-by: Heiko Carstens +Cc: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/word-at-a-time.h | 2 +- + include/asm-generic/word-at-a-time.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/word-at-a-time.h b/arch/powerpc/include/asm/word-at-a-time.h +index 46c31fb8748d5..30a12d2086871 100644 +--- a/arch/powerpc/include/asm/word-at-a-time.h ++++ b/arch/powerpc/include/asm/word-at-a-time.h +@@ -34,7 +34,7 @@ static inline long find_zero(unsigned long mask) + return leading_zero_bits >> 3; + } + +-static inline bool has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) ++static inline unsigned long has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) + { + unsigned long rhs = val | c->low_bits; + *data = rhs; +diff --git a/include/asm-generic/word-at-a-time.h b/include/asm-generic/word-at-a-time.h +index 20c93f08c9933..95a1d214108a5 100644 +--- a/include/asm-generic/word-at-a-time.h ++++ b/include/asm-generic/word-at-a-time.h +@@ -38,7 +38,7 @@ static inline long find_zero(unsigned long mask) + return (mask >> 8) ? byte : byte + 1; + } + +-static inline bool has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) ++static inline unsigned long has_zero(unsigned long val, unsigned long *data, const struct word_at_a_time *c) + { + unsigned long rhs = val | c->low_bits; + *data = rhs; +-- +2.40.1 + -- 2.47.3
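Review bot: Neither `has_zero()` definition records why it returns `unsigned long`, so the reason lives only in the commit message: `hash_name()` combines two calls with bitwise `|` so that both run and both `*data` outputs are written. A short comment above each definition would protect that, e.g. `/* returns unsigned long, not bool: callers OR two results bitwise so both calls are evaluated */`. Without it, a later tidy-up back to `bool` or to `||` in the caller would look harmless. Both function bodies continue outside the hunks.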