From: Sasha Levin Date: Sat, 21 Oct 2023 00:51:07 +0000 (-0400) Subject: Fixes for 6.5 X-Git-Tag: v4.14.328~74 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=209c811311b4eccea499dd2e91ab31df14b278bd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.5 Signed-off-by: Sasha Levin --- diff --git a/queue-6.5/accel-ivpu-don-t-flood-dmesg-with-vpu-ready-message.patch b/queue-6.5/accel-ivpu-don-t-flood-dmesg-with-vpu-ready-message.patch new file mode 100644 index 00000000000..ebfadb99cfb --- /dev/null +++ b/queue-6.5/accel-ivpu-don-t-flood-dmesg-with-vpu-ready-message.patch @@ -0,0 +1,38 @@ +From 304b50ff58f0cf7ad6056906af18db4688196022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 14:11:33 +0200 +Subject: accel/ivpu: Don't flood dmesg with VPU ready message + +From: Jacek Lawrynowicz + +[ Upstream commit 002652555022728c42b5517c6c11265b8c3ab827 ] + +Use ivpu_dbg() to print the VPU ready message so it doesn't pollute +the dmesg. + +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Stanislaw Gruszka +Reviewed-by: Jeffrey Hugo +Signed-off-by: Stanislaw Gruszka +Link: https://patchwork.freedesktop.org/patch/msgid/20230925121137.872158-3-stanislaw.gruszka@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/accel/ivpu/ivpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c +index 8396db2b52030..09dee5be20700 100644 +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -303,7 +303,7 @@ static int ivpu_wait_for_ready(struct ivpu_device *vdev) + } + + if (!ret) +- ivpu_info(vdev, "VPU ready message received successfully\n"); ++ ivpu_dbg(vdev, PM, "VPU ready message received successfully\n"); + else + ivpu_hw_diagnose_failure(vdev); + +-- +2.40.1 + diff --git a/queue-6.5/arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch b/queue-6.5/arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch new file mode 100644 index 00000000000..74dd6806235 --- /dev/null +++ b/queue-6.5/arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch @@ -0,0 +1,44 @@ +From 0be23f2de483d12d9121ca364ee85bd33ca380c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 07:07:38 +0300 +Subject: ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for + mapphone + +From: Tony Lindgren + +[ Upstream commit 5ad37b5e30433afa7a5513e3eb61f69fa0976785 ] + +On mapphone devices we may get lots of noise on the micro-USB port in debug +uart mode until the phy-cpcap-usb driver probes. Let's limit the noise by +using overrun-throttle-ms. + +Note that there is also a related separate issue where the charger cable +connected may cause random sysrq requests until phy-cpcap-usb probes that +still remains. + +Cc: Ivaylo Dimitrov +Cc: Carl Philipp Klemm +Cc: Merlijn Wajer +Cc: Pavel Machek +Reviewed-by: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi +index d69f0f4b4990d..d2d516d113baa 100644 +--- a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi ++++ b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi +@@ -640,6 +640,7 @@ &uart1 { + &uart3 { + interrupts-extended = <&wakeupgen GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH + &omap4_pmx_core 0x17c>; ++ overrun-throttle-ms = <500>; + }; + + &uart4 { +-- +2.40.1 + diff --git a/queue-6.5/arm64-dts-mediatek-fix-mediatek-merge-mute-and-media.patch b/queue-6.5/arm64-dts-mediatek-fix-mediatek-merge-mute-and-media.patch new file mode 100644 index 00000000000..f2a4607338a --- /dev/null +++ b/queue-6.5/arm64-dts-mediatek-fix-mediatek-merge-mute-and-media.patch @@ -0,0 +1,74 @@ +From 3f1c288c0e2c6c8801aacdc16d4e109b11793b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 14:56:34 -0500 +Subject: arm64: dts: mediatek: Fix "mediatek,merge-mute" and + "mediatek,merge-fifo-en" types + +From: Rob Herring + +[ Upstream commit 5f8456b1faefb06fcf6028dced9f37aa880c779d ] + +"mediatek,merge-mute" and "mediatek,merge-fifo-en" properties are defined +and used as boolean properties which in DT have no value. + +Signed-off-by: Rob Herring +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230830195650.704737-1-robh@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +index 43011bc41da77..54c674c45b49a 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +@@ -2958,7 +2958,7 @@ merge1: vpp-merge@1c10c000 { + clock-names = "merge","merge_async"; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; + mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xc000 0x1000>; +- mediatek,merge-mute = <1>; ++ mediatek,merge-mute; + resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE0_DL_ASYNC>; + }; + +@@ -2971,7 +2971,7 @@ merge2: vpp-merge@1c10d000 { + clock-names = "merge","merge_async"; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; + mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xd000 0x1000>; +- mediatek,merge-mute = <1>; ++ mediatek,merge-mute; + resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE1_DL_ASYNC>; + }; + +@@ -2984,7 +2984,7 @@ merge3: vpp-merge@1c10e000 { + clock-names = "merge","merge_async"; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; + mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xe000 0x1000>; +- mediatek,merge-mute = <1>; ++ mediatek,merge-mute; + resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE2_DL_ASYNC>; + }; + +@@ -2997,7 +2997,7 @@ merge4: vpp-merge@1c10f000 { + clock-names = "merge","merge_async"; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; + mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xf000 0x1000>; +- mediatek,merge-mute = <1>; ++ mediatek,merge-mute; + resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE3_DL_ASYNC>; + }; + +@@ -3010,7 +3010,7 @@ merge5: vpp-merge@1c110000 { + clock-names = "merge","merge_async"; + power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>; + mediatek,gce-client-reg = <&gce0 SUBSYS_1c11XXXX 0x0000 0x1000>; +- mediatek,merge-fifo-en = <1>; ++ mediatek,merge-fifo-en; + resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE4_DL_ASYNC>; + }; + +-- +2.40.1 + diff --git a/queue-6.5/ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch b/queue-6.5/ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch new file mode 100644 index 00000000000..9a27ac9c5bf --- /dev/null +++ b/queue-6.5/ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch @@ -0,0 +1,60 @@ +From ce942b70117d945d169645c1b503f9921e48e8df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 08:46:22 +0900 +Subject: ata: libata-core: Fix compilation warning in ata_dev_config_ncq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +[ Upstream commit ed518d9ba980dc0d27c7d1dea1e627ba001d1977 ] + +The 24 bytes length allocated to the ncq_desc string in +ata_dev_config_lba() for ata_dev_config_ncq() to use is too short, +causing the following gcc compilation warnings when compiling with W=1: + +drivers/ata/libata-core.c: In function ‘ata_dev_configure’: +drivers/ata/libata-core.c:2378:56: warning: ‘%d’ directive output may be truncated writing between 1 and 2 bytes into a region of size between 1 and 11 [-Wformat-truncation=] + 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth, + | ^~ +In function ‘ata_dev_config_ncq’, + inlined from ‘ata_dev_config_lba’ at drivers/ata/libata-core.c:2649:8, + inlined from ‘ata_dev_configure’ at drivers/ata/libata-core.c:2952:9: +drivers/ata/libata-core.c:2378:41: note: directive argument in the range [1, 32] + 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth, + | ^~~~~~~~~~~~~~~~~~~~~ +drivers/ata/libata-core.c:2378:17: note: ‘snprintf’ output between 16 and 31 bytes into a destination of size 24 + 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 2379 | ddepth, aa_desc); + | ~~~~~~~~~~~~~~~~ + +Avoid these warnings and the potential truncation by changing the size +of the ncq_desc string to 32 characters. + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Tested-by: Geert Uytterhoeven +Reviewed-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 2a21f4d9500db..97a842b57a751 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2624,7 +2624,7 @@ static int ata_dev_config_lba(struct ata_device *dev) + { + const u16 *id = dev->id; + const char *lba_desc; +- char ncq_desc[24]; ++ char ncq_desc[32]; + int ret; + + dev->flags |= ATA_DFLAG_LBA; +-- +2.40.1 + diff --git a/queue-6.5/ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch b/queue-6.5/ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch new file mode 100644 index 00000000000..6f7eeb448bb --- /dev/null +++ b/queue-6.5/ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch @@ -0,0 +1,55 @@ +From 93df695d95e4b84e91fcd9c2a27a794c77e33304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 09:08:40 +0900 +Subject: ata: libata-eh: Fix compilation warning in ata_eh_link_report() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +[ Upstream commit 49728bdc702391902a473b9393f1620eea32acb0 ] + +The 6 bytes length of the tries_buf string in ata_eh_link_report() is +too short and results in a gcc compilation warning with W-!: + +drivers/ata/libata-eh.c: In function ‘ata_eh_link_report’: +drivers/ata/libata-eh.c:2371:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 4 [-Wformat-truncation=] + 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d", + | ^~ +drivers/ata/libata-eh.c:2371:56: note: directive argument in the range [-2147483648, 4] + 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d", + | ^~~~~~ +drivers/ata/libata-eh.c:2371:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 6 + 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 2372 | ap->eh_tries); + | ~~~~~~~~~~~~~ + +Avoid this warning by increasing the string size to 16B. + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Tested-by: Geert Uytterhoeven +Reviewed-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 150e7ab62d1ae..e7c4edb04f8ed 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2366,7 +2366,7 @@ static void ata_eh_link_report(struct ata_link *link) + struct ata_eh_context *ehc = &link->eh_context; + struct ata_queued_cmd *qc; + const char *frozen, *desc; +- char tries_buf[6] = ""; ++ char tries_buf[16] = ""; + int tag, nr_failed = 0; + + if (ehc->i.flags & ATA_EHI_QUIET) +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-avoid-redundant-authentication.patch b/queue-6.5/bluetooth-avoid-redundant-authentication.patch new file mode 100644 index 00000000000..5b862889caf --- /dev/null +++ b/queue-6.5/bluetooth-avoid-redundant-authentication.patch @@ -0,0 +1,106 @@ +From 6cf292f54db42da2d6ef594886f64e5410c57074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 04:39:34 +0000 +Subject: Bluetooth: Avoid redundant authentication + +From: Ying Hsu + +[ Upstream commit 1d8e801422d66e4b8c7b187c52196bef94eed887 ] + +While executing the Android 13 CTS Verifier Secure Server test on a +ChromeOS device, it was observed that the Bluetooth host initiates +authentication for an RFCOMM connection after SSP completes. +When this happens, some Intel Bluetooth controllers, like AC9560, would +disconnect with "Connection Rejected due to Security Reasons (0x0e)". + +Historically, BlueZ did not mandate this authentication while an +authenticated combination key was already in use for the connection. +This behavior was changed since commit 7b5a9241b780 +("Bluetooth: Introduce requirements for security level 4"). +So, this patch addresses the aforementioned disconnection issue by +restoring the previous behavior. + +Signed-off-by: Ying Hsu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 63 ++++++++++++++++++++++------------------ + 1 file changed, 35 insertions(+), 28 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index d75bb9a1d4acf..41250e4b94dff 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -2400,34 +2400,41 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type, + if (!test_bit(HCI_CONN_AUTH, &conn->flags)) + goto auth; + +- /* An authenticated FIPS approved combination key has sufficient +- * security for security level 4. */ +- if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 && +- sec_level == BT_SECURITY_FIPS) +- goto encrypt; +- +- /* An authenticated combination key has sufficient security for +- security level 3. */ +- if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 || +- conn->key_type == HCI_LK_AUTH_COMBINATION_P256) && +- sec_level == BT_SECURITY_HIGH) +- goto encrypt; +- +- /* An unauthenticated combination key has sufficient security for +- security level 1 and 2. */ +- if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 || +- conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) && +- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW)) +- goto encrypt; +- +- /* A combination key has always sufficient security for the security +- levels 1 or 2. High security level requires the combination key +- is generated using maximum PIN code length (16). +- For pre 2.1 units. */ +- if (conn->key_type == HCI_LK_COMBINATION && +- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW || +- conn->pin_length == 16)) +- goto encrypt; ++ switch (conn->key_type) { ++ case HCI_LK_AUTH_COMBINATION_P256: ++ /* An authenticated FIPS approved combination key has ++ * sufficient security for security level 4 or lower. ++ */ ++ if (sec_level <= BT_SECURITY_FIPS) ++ goto encrypt; ++ break; ++ case HCI_LK_AUTH_COMBINATION_P192: ++ /* An authenticated combination key has sufficient security for ++ * security level 3 or lower. ++ */ ++ if (sec_level <= BT_SECURITY_HIGH) ++ goto encrypt; ++ break; ++ case HCI_LK_UNAUTH_COMBINATION_P192: ++ case HCI_LK_UNAUTH_COMBINATION_P256: ++ /* An unauthenticated combination key has sufficient security ++ * for security level 2 or lower. ++ */ ++ if (sec_level <= BT_SECURITY_MEDIUM) ++ goto encrypt; ++ break; ++ case HCI_LK_COMBINATION: ++ /* A combination key has always sufficient security for the ++ * security levels 2 or lower. High security level requires the ++ * combination key is generated using maximum PIN code length ++ * (16). For pre 2.1 units. ++ */ ++ if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16) ++ goto encrypt; ++ break; ++ default: ++ break; ++ } + + auth: + if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-btusb-add-shutdown-function-for-qca6174.patch b/queue-6.5/bluetooth-btusb-add-shutdown-function-for-qca6174.patch new file mode 100644 index 00000000000..e367cc91fd0 --- /dev/null +++ b/queue-6.5/bluetooth-btusb-add-shutdown-function-for-qca6174.patch @@ -0,0 +1,34 @@ +From 829056195e3e6e684ca8d81f1758f56c9af2adf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 14:46:26 +0800 +Subject: Bluetooth: btusb: add shutdown function for QCA6174 + +From: Rocky Liao + +[ Upstream commit 187f8b648cc16f07c66ab1d89d961bdcff779bf7 ] + +We should send hci reset command before bt turn off, which can reset bt +firmware status. + +Signed-off-by: Rocky Liao +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index dfdfb72d350fe..ca9e2a210fff2 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4348,6 +4348,7 @@ static int btusb_probe(struct usb_interface *intf, + + if (id->driver_info & BTUSB_QCA_ROME) { + data->setup_on_usb = btusb_setup_qca; ++ hdev->shutdown = btusb_shutdown_qca; + hdev->set_bdaddr = btusb_set_bdaddr_ath3012; + hdev->cmd_timeout = btusb_qca_cmd_timeout; + set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_core-fix-build-warnings.patch b/queue-6.5/bluetooth-hci_core-fix-build-warnings.patch new file mode 100644 index 00000000000..b245dae96fc --- /dev/null +++ b/queue-6.5/bluetooth-hci_core-fix-build-warnings.patch @@ -0,0 +1,78 @@ +From f31692ed5e91accd9c8de539c5b57c60d7242344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 14:42:27 -0700 +Subject: Bluetooth: hci_core: Fix build warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +[ Upstream commit dcda165706b9fbfd685898d46a6749d7d397e0c0 ] + +This fixes the following warnings: + +net/bluetooth/hci_core.c: In function ‘hci_register_dev’: +net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may +be truncated writing between 1 and 10 bytes into a region of size 5 +[-Wformat-truncation=] + 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id); + | ^~ +net/bluetooth/hci_core.c:2620:50: note: directive argument in the range +[0, 2147483647] + 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id); + | ^~~~~~~ +net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and +14 bytes into a destination of size 8 + 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 2 +- + net/bluetooth/hci_core.c | 8 +++++--- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 87e063250d142..abb7cb5db9457 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -350,7 +350,7 @@ struct hci_dev { + struct list_head list; + struct mutex lock; + +- char name[8]; ++ const char *name; + unsigned long flags; + __u16 id; + __u8 bus; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 26a265d9c59cd..63d4d38863acb 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2617,7 +2617,11 @@ int hci_register_dev(struct hci_dev *hdev) + if (id < 0) + return id; + +- snprintf(hdev->name, sizeof(hdev->name), "hci%d", id); ++ error = dev_set_name(&hdev->dev, "hci%u", id); ++ if (error) ++ return error; ++ ++ hdev->name = dev_name(&hdev->dev); + hdev->id = id; + + BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus); +@@ -2639,8 +2643,6 @@ int hci_register_dev(struct hci_dev *hdev) + if (!IS_ERR_OR_NULL(bt_debugfs)) + hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs); + +- dev_set_name(&hdev->dev, "%s", hdev->name); +- + error = device_add(&hdev->dev); + if (error < 0) + goto err_wqueue; +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch b/queue-6.5/bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch new file mode 100644 index 00000000000..9d7985ddf84 --- /dev/null +++ b/queue-6.5/bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch @@ -0,0 +1,74 @@ +From 6d2f426f4a9436ed3164ec7d2936857b912a39f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 13:59:59 -0700 +Subject: Bluetooth: hci_event: Fix using memcmp when comparing keys + +From: Luiz Augusto von Dentz + +[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ] + +memcmp is not consider safe to use with cryptographic secrets: + + 'Do not use memcmp() to compare security critical data, such as + cryptographic secrets, because the required CPU time depends on the + number of equal bytes.' + +While usage of memcmp for ZERO_KEY may not be considered a security +critical data, it can lead to more usage of memcmp with pairing keys +which could introduce more security problems. + +Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data") +Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 9d8aa6ad23dc2..dd70fd5313840 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -26,6 +26,8 @@ + /* Bluetooth HCI event handling. */ + + #include ++#include ++#include + + #include + #include +@@ -4730,7 +4732,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, + goto unlock; + + /* Ignore NULL link key against CVE-2020-26555 */ +- if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { ++ if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { + bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", + &ev->bdaddr); + hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); +@@ -5270,8 +5272,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn) + * available, then do not declare that OOB data is + * present. + */ +- if (!memcmp(data->rand256, ZERO_KEY, 16) || +- !memcmp(data->hash256, ZERO_KEY, 16)) ++ if (!crypto_memneq(data->rand256, ZERO_KEY, 16) || ++ !crypto_memneq(data->hash256, ZERO_KEY, 16)) + return 0x00; + + return 0x02; +@@ -5281,8 +5283,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn) + * not supported by the hardware, then check that if + * P-192 data values are present. + */ +- if (!memcmp(data->rand192, ZERO_KEY, 16) || +- !memcmp(data->hash192, ZERO_KEY, 16)) ++ if (!crypto_memneq(data->rand192, ZERO_KEY, 16) || ++ !crypto_memneq(data->hash192, ZERO_KEY, 16)) + return 0x00; + + return 0x01; +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_sync-always-check-if-connection-is-ali.patch b/queue-6.5/bluetooth-hci_sync-always-check-if-connection-is-ali.patch new file mode 100644 index 00000000000..358d6689b1b --- /dev/null +++ b/queue-6.5/bluetooth-hci_sync-always-check-if-connection-is-ali.patch @@ -0,0 +1,104 @@ +From b7bbe510c0454e4829cb714de5dd786eae4e42f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Sep 2023 15:53:32 +0300 +Subject: Bluetooth: hci_sync: always check if connection is alive before + deleting + +From: Pauli Virtanen + +[ Upstream commit a239110ee8e0b0aafa265f0d54f7a16744855e70 ] + +In hci_abort_conn_sync it is possible that conn is deleted concurrently +by something else, also e.g. when waiting for hdev->lock. This causes +double deletion of the conn, so UAF or conn_hash.list corruption. + +Fix by having all code paths check that the connection is still in +conn_hash before deleting it, while holding hdev->lock which prevents +any races. + +Log (when powering off while BAP streaming, occurs rarely): +======================================================================= +kernel BUG at lib/list_debug.c:56! +... + ? __list_del_entry_valid (lib/list_debug.c:56) + hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth + hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth + ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth] + ? lock_release+0x1d5/0x3c0 + ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth] + ? __pfx_lock_release+0x10/0x10 + ? __kmem_cache_free+0x14d/0x2e0 + hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth] + ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth] + ? hci_clear_adv_sync+0x14f/0x170 [bluetooth] + ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] + hci_set_powered_sync+0x293/0x450 [bluetooth] +======================================================================= + +Fixes: 94d9ba9f9888 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index d21127e992c0f..360813ab0c4db 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -5374,6 +5374,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) + { + int err = 0; + u16 handle = conn->handle; ++ bool disconnect = false; + struct hci_conn *c; + + switch (conn->state) { +@@ -5389,24 +5390,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) + break; + case BT_OPEN: + case BT_BOUND: +- hci_dev_lock(hdev); +- hci_conn_failed(conn, reason); +- hci_dev_unlock(hdev); +- return 0; ++ break; + default: +- hci_dev_lock(hdev); +- conn->state = BT_CLOSED; +- hci_disconn_cfm(conn, reason); +- hci_conn_del(conn); +- hci_dev_unlock(hdev); +- return 0; ++ disconnect = true; ++ break; + } + + hci_dev_lock(hdev); + +- /* Check if the connection hasn't been cleanup while waiting +- * commands to complete. +- */ ++ /* Check if the connection has been cleaned up concurrently */ + c = hci_conn_hash_lookup_handle(hdev, handle); + if (!c || c != conn) { + err = 0; +@@ -5418,7 +5410,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) + * or in case of LE it was still scanning so it can be cleanup + * safely. + */ +- hci_conn_failed(conn, reason); ++ if (disconnect) { ++ conn->state = BT_CLOSED; ++ hci_disconn_cfm(conn, reason); ++ hci_conn_del(conn); ++ } else { ++ hci_conn_failed(conn, reason); ++ } + + unlock: + hci_dev_unlock(hdev); +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_sync-delete-cis-in-bt_open-connect-bou.patch b/queue-6.5/bluetooth-hci_sync-delete-cis-in-bt_open-connect-bou.patch new file mode 100644 index 00000000000..19c70d461cb --- /dev/null +++ b/queue-6.5/bluetooth-hci_sync-delete-cis-in-bt_open-connect-bou.patch @@ -0,0 +1,67 @@ +From 6182f8d0628c5259552c58e96a4f2842bde2e0da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 00:25:25 +0300 +Subject: Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when + aborting + +From: Pauli Virtanen + +[ Upstream commit 2889bdd0a9a195533c2103e7b39ab0de844d72f6 ] + +Dropped CIS that are in state BT_OPEN/BT_BOUND, and in state BT_CONNECT +with HCI_CONN_CREATE_CIS unset, should be cleaned up immediately. +Closing CIS ISO sockets should result to the hci_conn be deleted, so +that potentially pending CIG removal can run. + +hci_abort_conn cannot refer to them by handle, since their handle is +still unset if Set CIG Parameters has not yet completed. + +This fixes CIS not being terminated if the socket is shut down +immediately after connection, so that the hci_abort_conn runs before Set +CIG Parameters completes. See new BlueZ test "ISO Connect Close - Success" + +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: a239110ee8e0 ("Bluetooth: hci_sync: always check if connection is alive before deleting") +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 73cdd051dd464..d21127e992c0f 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -5302,6 +5302,10 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn, + if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) + return hci_disconnect_sync(hdev, conn, reason); + ++ /* CIS with no Create CIS sent have nothing to cancel */ ++ if (bacmp(&conn->dst, BDADDR_ANY)) ++ return HCI_ERROR_LOCAL_HOST_TERM; ++ + /* There is no way to cancel a BIS without terminating the BIG + * which is done later on connection cleanup. + */ +@@ -5384,13 +5388,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) + err = hci_reject_conn_sync(hdev, conn, reason); + break; + case BT_OPEN: +- /* Cleanup bises that failed to be established */ +- if (test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags)) { +- hci_dev_lock(hdev); +- hci_conn_failed(conn, reason); +- hci_dev_unlock(hdev); +- } +- break; ++ case BT_BOUND: ++ hci_dev_lock(hdev); ++ hci_conn_failed(conn, reason); ++ hci_dev_unlock(hdev); ++ return 0; + default: + hci_dev_lock(hdev); + conn->state = BT_CLOSED; +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_sync-fix-not-handling-iso_link-in-hci_.patch b/queue-6.5/bluetooth-hci_sync-fix-not-handling-iso_link-in-hci_.patch new file mode 100644 index 00000000000..582a0f6a672 --- /dev/null +++ b/queue-6.5/bluetooth-hci_sync-fix-not-handling-iso_link-in-hci_.patch @@ -0,0 +1,175 @@ +From 865d000cbbe5f7e7ed259eb5562ca0e535a3760d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 15:55:47 -0700 +Subject: Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync + +From: Luiz Augusto von Dentz + +[ Upstream commit 04a51d616929eb96b7a3e547bc11d3bb46af2c9f ] + +ISO_LINK connections where not being handled properly on +hci_abort_conn_sync which sometimes resulted in sending the wrong +commands, or in case of having the reject command being sent by the +socket code (iso.c) which is sort of a layer violation. + +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error") +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 23 +++++++++++++++++++---- + net/bluetooth/hci_sync.c | 34 ++++++++++++++++++++++++++++++++++ + net/bluetooth/iso.c | 14 -------------- + 3 files changed, 53 insertions(+), 18 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 41250e4b94dff..4e9654fe89c9e 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1277,7 +1277,12 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) + + static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) + { +- struct hci_conn *conn = data; ++ struct hci_conn *conn; ++ u16 handle = PTR_ERR(data); ++ ++ conn = hci_conn_hash_lookup_handle(hdev, handle); ++ if (!conn) ++ return; + + bt_dev_dbg(hdev, "err %d", err); + +@@ -1302,10 +1307,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) + + static int hci_connect_le_sync(struct hci_dev *hdev, void *data) + { +- struct hci_conn *conn = data; ++ struct hci_conn *conn; ++ u16 handle = PTR_ERR(data); ++ ++ conn = hci_conn_hash_lookup_handle(hdev, handle); ++ if (!conn) ++ return 0; + + bt_dev_dbg(hdev, "conn %p", conn); + ++ conn->state = BT_CONNECT; ++ + return hci_le_create_conn_sync(hdev, conn); + } + +@@ -1375,10 +1387,10 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, + conn->sec_level = BT_SECURITY_LOW; + conn->conn_timeout = conn_timeout; + +- conn->state = BT_CONNECT; + clear_bit(HCI_CONN_SCANNING, &conn->flags); + +- err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn, ++ err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, ++ ERR_PTR(conn->handle), + create_le_conn_complete); + if (err) { + hci_conn_del(conn); +@@ -2905,6 +2917,9 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) + /* If the connection is pending check the command opcode since that + * might be blocking on hci_cmd_sync_work while waiting its respective + * event so we need to hci_cmd_sync_cancel to cancel it. ++ * ++ * hci_connect_le serializes the connection attempts so only one ++ * connection can be in BT_CONNECT at time. + */ + if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { + switch (hci_skb_event(hdev->sent_cmd)) { +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6aaecd6e656bc..caf4263ef9b77 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -5290,6 +5290,24 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn, + if (conn->type == LE_LINK) + return hci_le_connect_cancel_sync(hdev, conn, reason); + ++ if (conn->type == ISO_LINK) { ++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E ++ * page 1857: ++ * ++ * If this command is issued for a CIS on the Central and the ++ * CIS is successfully terminated before being established, ++ * then an HCI_LE_CIS_Established event shall also be sent for ++ * this CIS with the Status Operation Cancelled by Host (0x44). ++ */ ++ if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags)) ++ return hci_disconnect_sync(hdev, conn, reason); ++ ++ /* There is no way to cancel a BIS without terminating the BIG ++ * which is done later on connection cleanup. ++ */ ++ return 0; ++ } ++ + if (hdev->hci_ver < BLUETOOTH_VER_1_2) + return 0; + +@@ -5316,11 +5334,27 @@ static int hci_reject_sco_sync(struct hci_dev *hdev, struct hci_conn *conn, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } + ++static int hci_le_reject_cis_sync(struct hci_dev *hdev, struct hci_conn *conn, ++ u8 reason) ++{ ++ struct hci_cp_le_reject_cis cp; ++ ++ memset(&cp, 0, sizeof(cp)); ++ cp.handle = cpu_to_le16(conn->handle); ++ cp.reason = reason; ++ ++ return __hci_cmd_sync_status(hdev, HCI_OP_LE_REJECT_CIS, ++ sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++} ++ + static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, + u8 reason) + { + struct hci_cp_reject_conn_req cp; + ++ if (conn->type == ISO_LINK) ++ return hci_le_reject_cis_sync(hdev, conn, reason); ++ + if (conn->type == SCO_LINK || conn->type == ESCO_LINK) + return hci_reject_sco_sync(hdev, conn, reason); + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 42f7b257bdfbc..c8460eb7f5c0b 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -622,18 +622,6 @@ static void iso_sock_kill(struct sock *sk) + sock_put(sk); + } + +-static void iso_conn_defer_reject(struct hci_conn *conn) +-{ +- struct hci_cp_le_reject_cis cp; +- +- BT_DBG("conn %p", conn); +- +- memset(&cp, 0, sizeof(cp)); +- cp.handle = cpu_to_le16(conn->handle); +- cp.reason = HCI_ERROR_REJ_BAD_ADDR; +- hci_send_cmd(conn->hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); +-} +- + static void __iso_sock_close(struct sock *sk) + { + BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket); +@@ -658,8 +646,6 @@ static void __iso_sock_close(struct sock *sk) + break; + + case BT_CONNECT2: +- if (iso_pi(sk)->conn->hcon) +- iso_conn_defer_reject(iso_pi(sk)->conn->hcon); + iso_chan_del(sk, ECONNRESET); + break; + case BT_CONNECT: +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-hci_sync-introduce-ptr_uint-uint_ptr-macro.patch b/queue-6.5/bluetooth-hci_sync-introduce-ptr_uint-uint_ptr-macro.patch new file mode 100644 index 00000000000..d4573279a79 --- /dev/null +++ b/queue-6.5/bluetooth-hci_sync-introduce-ptr_uint-uint_ptr-macro.patch @@ -0,0 +1,143 @@ +From ddb95109cc3114a580eb4c6380911262b7226375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 16:23:41 -0700 +Subject: Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros + +From: Luiz Augusto von Dentz + +[ Upstream commit a1f6c3aef13c9e7f8d459bd464e9e34da1342c0c ] + +This introduces PTR_UINT/UINT_PTR macros and replace the use of +PTR_ERR/ERR_PTR. + +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_sync.h | 3 +++ + net/bluetooth/hci_conn.c | 19 ++++++++++--------- + net/bluetooth/hci_sync.c | 4 ++-- + 3 files changed, 15 insertions(+), 11 deletions(-) + +diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h +index b516a0f4a55b8..57eeb07aeb251 100644 +--- a/include/net/bluetooth/hci_sync.h ++++ b/include/net/bluetooth/hci_sync.h +@@ -5,6 +5,9 @@ + * Copyright (C) 2021 Intel Corporation + */ + ++#define UINT_PTR(_handle) ((void *)((uintptr_t)_handle)) ++#define PTR_UINT(_ptr) ((uintptr_t)((void *)_ptr)) ++ + typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data); + typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data, + int err); +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 4e9654fe89c9e..6d6192f514d0f 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -874,7 +874,7 @@ static void bis_cleanup(struct hci_conn *conn) + + static int remove_cig_sync(struct hci_dev *hdev, void *data) + { +- u8 handle = PTR_ERR(data); ++ u8 handle = PTR_UINT(data); + + return hci_le_remove_cig_sync(hdev, handle); + } +@@ -883,7 +883,8 @@ static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle) + { + bt_dev_dbg(hdev, "handle 0x%2.2x", handle); + +- return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL); ++ return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle), ++ NULL); + } + + static void find_cis(struct hci_conn *conn, void *data) +@@ -1278,7 +1279,7 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle) + static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) + { + struct hci_conn *conn; +- u16 handle = PTR_ERR(data); ++ u16 handle = PTR_UINT(data); + + conn = hci_conn_hash_lookup_handle(hdev, handle); + if (!conn) +@@ -1308,7 +1309,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err) + static int hci_connect_le_sync(struct hci_dev *hdev, void *data) + { + struct hci_conn *conn; +- u16 handle = PTR_ERR(data); ++ u16 handle = PTR_UINT(data); + + conn = hci_conn_hash_lookup_handle(hdev, handle); + if (!conn) +@@ -1390,7 +1391,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, + clear_bit(HCI_CONN_SCANNING, &conn->flags); + + err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, +- ERR_PTR(conn->handle), ++ UINT_PTR(conn->handle), + create_le_conn_complete); + if (err) { + hci_conn_del(conn); +@@ -1767,7 +1768,7 @@ static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos) + + static int set_cig_params_sync(struct hci_dev *hdev, void *data) + { +- u8 cig_id = PTR_ERR(data); ++ u8 cig_id = PTR_UINT(data); + struct hci_conn *conn; + struct bt_iso_qos *qos; + struct iso_cig_params pdu; +@@ -1877,7 +1878,7 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos) + + done: + if (hci_cmd_sync_queue(hdev, set_cig_params_sync, +- ERR_PTR(qos->ucast.cig), NULL) < 0) ++ UINT_PTR(qos->ucast.cig), NULL) < 0) + return false; + + return true; +@@ -2891,7 +2892,7 @@ u32 hci_conn_get_phy(struct hci_conn *conn) + static int abort_conn_sync(struct hci_dev *hdev, void *data) + { + struct hci_conn *conn; +- u16 handle = PTR_ERR(data); ++ u16 handle = PTR_UINT(data); + + conn = hci_conn_hash_lookup_handle(hdev, handle); + if (!conn) +@@ -2931,6 +2932,6 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) + } + } + +- return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle), ++ return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle), + NULL); + } +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index caf4263ef9b77..73cdd051dd464 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6545,7 +6545,7 @@ int hci_get_random_address(struct hci_dev *hdev, bool require_privacy, + + static int _update_adv_data_sync(struct hci_dev *hdev, void *data) + { +- u8 instance = PTR_ERR(data); ++ u8 instance = PTR_UINT(data); + + return hci_update_adv_data_sync(hdev, instance); + } +@@ -6553,5 +6553,5 @@ static int _update_adv_data_sync(struct hci_dev *hdev, void *data) + int hci_update_adv_data(struct hci_dev *hdev, u8 instance) + { + return hci_cmd_sync_queue(hdev, _update_adv_data_sync, +- ERR_PTR(instance), NULL); ++ UINT_PTR(instance), NULL); + } +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-iso-fix-invalid-context-error.patch b/queue-6.5/bluetooth-iso-fix-invalid-context-error.patch new file mode 100644 index 00000000000..ec149615515 --- /dev/null +++ b/queue-6.5/bluetooth-iso-fix-invalid-context-error.patch @@ -0,0 +1,65 @@ +From 65ecc0e066f4e0d2dc0d4c22f6bb07ba3b47f9d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 10:52:57 +0300 +Subject: Bluetooth: ISO: Fix invalid context error + +From: Iulia Tanasescu + +[ Upstream commit acab8ff29a2a226409cfe04e6d2e0896928c1b3a ] + +This moves the hci_le_terminate_big_sync call from rx_work +to cmd_sync_work, to avoid calling sleeping function from +an invalid context. + +Reported-by: syzbot+c715e1bd8dfbcb1ab176@syzkaller.appspotmail.com +Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes") +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d331027363313..9d8aa6ad23dc2 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6978,6 +6978,14 @@ static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, + hci_dev_unlock(hdev); + } + ++static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data) ++{ ++ u8 handle = PTR_UINT(data); ++ ++ return hci_le_terminate_big_sync(hdev, handle, ++ HCI_ERROR_LOCAL_HOST_TERM); ++} ++ + static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -7022,16 +7030,17 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, + rcu_read_lock(); + } + ++ rcu_read_unlock(); ++ + if (!ev->status && !i) + /* If no BISes have been connected for the BIG, + * terminate. This is in case all bound connections + * have been closed before the BIG creation + * has completed. + */ +- hci_le_terminate_big_sync(hdev, ev->handle, +- HCI_ERROR_LOCAL_HOST_TERM); ++ hci_cmd_sync_queue(hdev, hci_iso_term_big_sync, ++ UINT_PTR(ev->handle), NULL); + +- rcu_read_unlock(); + hci_dev_unlock(hdev); + } + +-- +2.40.1 + diff --git a/queue-6.5/btrfs-error-out-when-cowing-block-using-a-stale-tran.patch b/queue-6.5/btrfs-error-out-when-cowing-block-using-a-stale-tran.patch new file mode 100644 index 00000000000..2aa71271ef2 --- /dev/null +++ b/queue-6.5/btrfs-error-out-when-cowing-block-using-a-stale-tran.patch @@ -0,0 +1,83 @@ +From 56ca3238a6c6f1e8c8c98f67fe375b2e1437a521 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 12:09:21 +0100 +Subject: btrfs: error out when COWing block using a stale transaction + +From: Filipe Manana + +[ Upstream commit 48774f3bf8b4dd3b1a0e155825c9ce48483db14c ] + +At btrfs_cow_block() we have these checks to verify we are not using a +stale transaction (a past transaction with an unblocked state or higher), +and the only thing we do is to trigger a WARN with a message and a stack +trace. This however is a critical problem, highly unexpected and if it +happens it's most likely due to a bug, so we should error out and turn the +fs into error state so that such issue is much more easily noticed if it's +triggered. + +The problem is critical because using such stale transaction will lead to +not persisting the extent buffer used for the COW operation, as allocating +a tree block adds the range of the respective extent buffer to the +->dirty_pages iotree of the transaction, and a stale transaction, in the +unlocked state or higher, will not flush dirty extent buffers anymore, +therefore resulting in not persisting the tree block and resource leaks +(not cleaning the dirty_pages iotree for example). + +So do the following changes: + +1) Return -EUCLEAN if we find a stale transaction; + +2) Turn the fs into error state, with error -EUCLEAN, so that no + transaction can be committed, and generate a stack trace; + +3) Combine both conditions into a single if statement, as both are related + and have the same error message; + +4) Mark the check as unlikely, since this is not expected to ever happen. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index a4cb4b6429870..7afd0a6495f37 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -686,14 +686,22 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + btrfs_err(fs_info, + "COW'ing blocks on a fs root that's being dropped"); + +- if (trans->transaction != fs_info->running_transaction) +- WARN(1, KERN_CRIT "trans %llu running %llu\n", +- trans->transid, +- fs_info->running_transaction->transid); +- +- if (trans->transid != fs_info->generation) +- WARN(1, KERN_CRIT "trans %llu running %llu\n", +- trans->transid, fs_info->generation); ++ /* ++ * COWing must happen through a running transaction, which always ++ * matches the current fs generation (it's a transaction with a state ++ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs ++ * into error state to prevent the commit of any transaction. ++ */ ++ if (unlikely(trans->transaction != fs_info->running_transaction || ++ trans->transid != fs_info->generation)) { ++ btrfs_abort_transaction(trans, -EUCLEAN); ++ btrfs_crit(fs_info, ++"unexpected transaction when attempting to COW block %llu on root %llu, transaction %llu running transaction %llu fs generation %llu", ++ buf->start, btrfs_root_id(root), trans->transid, ++ fs_info->running_transaction->transid, ++ fs_info->generation); ++ return -EUCLEAN; ++ } + + if (!should_cow_block(trans, root, buf)) { + *cow_ret = buf; +-- +2.40.1 + diff --git a/queue-6.5/btrfs-error-out-when-reallocating-block-for-defrag-u.patch b/queue-6.5/btrfs-error-out-when-reallocating-block-for-defrag-u.patch new file mode 100644 index 00000000000..8247ebda8d3 --- /dev/null +++ b/queue-6.5/btrfs-error-out-when-reallocating-block-for-defrag-u.patch @@ -0,0 +1,78 @@ +From 039d1e895086421c2ff1c61f16c771613e6b734f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 12:09:23 +0100 +Subject: btrfs: error out when reallocating block for defrag using a stale + transaction + +From: Filipe Manana + +[ Upstream commit e36f94914021e58ee88a8856c7fdf35adf9c7ee1 ] + +At btrfs_realloc_node() we have these checks to verify we are not using a +stale transaction (a past transaction with an unblocked state or higher), +and the only thing we do is to trigger two WARN_ON(). This however is a +critical problem, highly unexpected and if it happens it's most likely due +to a bug, so we should error out and turn the fs into error state so that +such issue is much more easily noticed if it's triggered. + +The problem is critical because in btrfs_realloc_node() we COW tree blocks, +and using such stale transaction will lead to not persisting the extent +buffers used for the COW operations, as allocating tree block adds the +range of the respective extent buffers to the ->dirty_pages iotree of the +transaction, and a stale transaction, in the unlocked state or higher, +will not flush dirty extent buffers anymore, therefore resulting in not +persisting the tree block and resource leaks (not cleaning the dirty_pages +iotree for example). + +So do the following changes: + +1) Return -EUCLEAN if we find a stale transaction; + +2) Turn the fs into error state, with error -EUCLEAN, so that no + transaction can be committed, and generate a stack trace; + +3) Combine both conditions into a single if statement, as both are related + and have the same error message; + +4) Mark the check as unlikely, since this is not expected to ever happen. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index db1f3bc7f3284..da519c1b6ad08 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -817,8 +817,22 @@ int btrfs_realloc_node(struct btrfs_trans_handle *trans, + int progress_passed = 0; + struct btrfs_disk_key disk_key; + +- WARN_ON(trans->transaction != fs_info->running_transaction); +- WARN_ON(trans->transid != fs_info->generation); ++ /* ++ * COWing must happen through a running transaction, which always ++ * matches the current fs generation (it's a transaction with a state ++ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs ++ * into error state to prevent the commit of any transaction. ++ */ ++ if (unlikely(trans->transaction != fs_info->running_transaction || ++ trans->transid != fs_info->generation)) { ++ btrfs_abort_transaction(trans, -EUCLEAN); ++ btrfs_crit(fs_info, ++"unexpected transaction when attempting to reallocate parent %llu for root %llu, transaction %llu running transaction %llu fs generation %llu", ++ parent->start, btrfs_root_id(root), trans->transid, ++ fs_info->running_transaction->transid, ++ fs_info->generation); ++ return -EUCLEAN; ++ } + + parent_nritems = btrfs_header_nritems(parent); + blocksize = fs_info->nodesize; +-- +2.40.1 + diff --git a/queue-6.5/btrfs-error-when-cowing-block-from-a-root-that-is-be.patch b/queue-6.5/btrfs-error-when-cowing-block-from-a-root-that-is-be.patch new file mode 100644 index 00000000000..ee88435d254 --- /dev/null +++ b/queue-6.5/btrfs-error-when-cowing-block-from-a-root-that-is-be.patch @@ -0,0 +1,59 @@ +From ca2a5edf6951d491cb9e419a485733ad5498040c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 12:09:22 +0100 +Subject: btrfs: error when COWing block from a root that is being deleted + +From: Filipe Manana + +[ Upstream commit a2caab29884397e583d09be6546259a83ebfbdb1 ] + +At btrfs_cow_block() we check if the block being COWed belongs to a root +that is being deleted and if so we log an error message. However this is +an unexpected case and it indicates a bug somewhere, so we should return +an error and abort the transaction. So change this in the following ways: + +1) Abort the transaction with -EUCLEAN, so that if the issue ever happens + it can easily be noticed; + +2) Change the logged message level from error to critical, and change the + message itself to print the block's logical address and the ID of the + root; + +3) Return -EUCLEAN to the caller; + +4) As this is an unexpected scenario, that should never happen, mark the + check as unlikely, allowing the compiler to potentially generate better + code. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 7afd0a6495f37..db1f3bc7f3284 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -682,9 +682,13 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + u64 search_start; + int ret; + +- if (test_bit(BTRFS_ROOT_DELETING, &root->state)) +- btrfs_err(fs_info, +- "COW'ing blocks on a fs root that's being dropped"); ++ if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { ++ btrfs_abort_transaction(trans, -EUCLEAN); ++ btrfs_crit(fs_info, ++ "attempt to COW block %llu on root %llu that is being deleted", ++ buf->start, btrfs_root_id(root)); ++ return -EUCLEAN; ++ } + + /* + * COWing must happen through a running transaction, which always +-- +2.40.1 + diff --git a/queue-6.5/btrfs-fix-race-when-refilling-delayed-refs-block-res.patch b/queue-6.5/btrfs-fix-race-when-refilling-delayed-refs-block-res.patch new file mode 100644 index 00000000000..fbdeebcee4d --- /dev/null +++ b/queue-6.5/btrfs-fix-race-when-refilling-delayed-refs-block-res.patch @@ -0,0 +1,108 @@ +From 178be444b4e1f87dc6190ec8c9b121ca211bb3e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 18:20:18 +0100 +Subject: btrfs: fix race when refilling delayed refs block reserve + +From: Filipe Manana + +[ Upstream commit 2ed45c0f1879079b30248568c515cf60fc668d8a ] + +If we have two (or more) tasks attempting to refill the delayed refs block +reserve we can end up with the delayed block reserve being over reserved, +that is, with a reserved space greater than its size. If this happens, we +are holding to more reserved space than necessary for a while. + +The race happens like this: + +1) The delayed refs block reserve has a size of 8M and a reserved space of + 6M for example; + +2) Task A calls btrfs_delayed_refs_rsv_refill(); + +3) Task B also calls btrfs_delayed_refs_rsv_refill(); + +4) Task A sees there's a 2M difference between the size and the reserved + space of the delayed refs rsv, so it will reserve 2M of space by + calling btrfs_reserve_metadata_bytes(); + +5) Task B also sees that 2M difference, and like task A, it reserves + another 2M of metadata space; + +6) Both task A and task B increase the reserved space of block reserve + by 2M, by calling btrfs_block_rsv_add_bytes(), so the block reserve + ends up with a size of 8M and a reserved space of 10M; + +7) The extra, over reserved space will eventually be freed by some task + calling btrfs_delayed_refs_rsv_release() -> btrfs_block_rsv_release() + -> block_rsv_release_bytes(), as there we will detect the over reserve + and release that space. + +So fix this by checking if we still need to add space to the delayed refs +block reserve after reserving the metadata space, and if we don't, just +release that space immediately. + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-ref.c | 37 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 34 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c +index 6a13cf00218bc..1043f66cc130d 100644 +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -163,6 +163,8 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info, + struct btrfs_block_rsv *block_rsv = &fs_info->delayed_refs_rsv; + u64 limit = btrfs_calc_delayed_ref_bytes(fs_info, 1); + u64 num_bytes = 0; ++ u64 refilled_bytes; ++ u64 to_free; + int ret = -ENOSPC; + + spin_lock(&block_rsv->lock); +@@ -178,9 +180,38 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info, + ret = btrfs_reserve_metadata_bytes(fs_info, block_rsv, num_bytes, flush); + if (ret) + return ret; +- btrfs_block_rsv_add_bytes(block_rsv, num_bytes, false); +- trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv", +- 0, num_bytes, 1); ++ ++ /* ++ * We may have raced with someone else, so check again if we the block ++ * reserve is still not full and release any excess space. ++ */ ++ spin_lock(&block_rsv->lock); ++ if (block_rsv->reserved < block_rsv->size) { ++ u64 needed = block_rsv->size - block_rsv->reserved; ++ ++ if (num_bytes >= needed) { ++ block_rsv->reserved += needed; ++ block_rsv->full = true; ++ to_free = num_bytes - needed; ++ refilled_bytes = needed; ++ } else { ++ block_rsv->reserved += num_bytes; ++ to_free = 0; ++ refilled_bytes = num_bytes; ++ } ++ } else { ++ to_free = num_bytes; ++ refilled_bytes = 0; ++ } ++ spin_unlock(&block_rsv->lock); ++ ++ if (to_free > 0) ++ btrfs_space_info_free_bytes_may_use(fs_info, block_rsv->space_info, ++ to_free); ++ ++ if (refilled_bytes > 0) ++ trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv", 0, ++ refilled_bytes, 1); + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.5/btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch b/queue-6.5/btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch new file mode 100644 index 00000000000..e89e9db708b --- /dev/null +++ b/queue-6.5/btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch @@ -0,0 +1,106 @@ +From 8568c507117e70a1f74e00e11b560d5b84a2f6bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 15:47:27 -0400 +Subject: btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Josef Bacik + +[ Upstream commit 9147b9ded499d9853bdf0e9804b7eaa99c4429ed ] + +Jens reported the following warnings from -Wmaybe-uninitialized recent +Linus' branch. + + In file included from ./include/asm-generic/rwonce.h:26, + from ./arch/arm64/include/asm/rwonce.h:71, + from ./include/linux/compiler.h:246, + from ./include/linux/export.h:5, + from ./include/linux/linkage.h:7, + from ./include/linux/kernel.h:17, + from fs/btrfs/ioctl.c:6: + In function ‘instrument_copy_from_user_before’, + inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3, + inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7, + inlined from ‘btrfs_ioctl_space_info’ at fs/btrfs/ioctl.c:2999:6, + inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4616:10: + ./include/linux/kasan-checks.h:38:27: warning: ‘space_args’ may be used + uninitialized [-Wmaybe-uninitialized] + 38 | #define kasan_check_write __kasan_check_write + ./include/linux/instrumented.h:129:9: note: in expansion of macro + ‘kasan_check_write’ + 129 | kasan_check_write(to, n); + | ^~~~~~~~~~~~~~~~~ + ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’: + ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const + volatile void *’ to ‘__kasan_check_write’ declared here + 20 | bool __kasan_check_write(const volatile void *p, unsigned int + size); + | ^~~~~~~~~~~~~~~~~~~ + fs/btrfs/ioctl.c:2981:39: note: ‘space_args’ declared here + 2981 | struct btrfs_ioctl_space_args space_args; + | ^~~~~~~~~~ + In function ‘instrument_copy_from_user_before’, + inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3, + inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7, + inlined from ‘_btrfs_ioctl_send’ at fs/btrfs/ioctl.c:4343:9, + inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4658:10: + ./include/linux/kasan-checks.h:38:27: warning: ‘args32’ may be used + uninitialized [-Wmaybe-uninitialized] + 38 | #define kasan_check_write __kasan_check_write + ./include/linux/instrumented.h:129:9: note: in expansion of macro + ‘kasan_check_write’ + 129 | kasan_check_write(to, n); + | ^~~~~~~~~~~~~~~~~ + ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’: + ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const + volatile void *’ to ‘__kasan_check_write’ declared here + 20 | bool __kasan_check_write(const volatile void *p, unsigned int + size); + | ^~~~~~~~~~~~~~~~~~~ + fs/btrfs/ioctl.c:4341:49: note: ‘args32’ declared here + 4341 | struct btrfs_ioctl_send_args_32 args32; + | ^~~~~~ + +This was due to his config options and having KASAN turned on, +which adds some extra checks around copy_from_user(), which then +triggered the -Wmaybe-uninitialized checker for these cases. + +Fix the warnings by initializing the different structs we're copying +into. + +Reported-by: Jens Axboe +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index d27b0d86b8e2c..bf35b6fce8f07 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2978,7 +2978,7 @@ static void get_block_group_info(struct list_head *groups_list, + static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info, + void __user *arg) + { +- struct btrfs_ioctl_space_args space_args; ++ struct btrfs_ioctl_space_args space_args = { 0 }; + struct btrfs_ioctl_space_info space; + struct btrfs_ioctl_space_info *dest; + struct btrfs_ioctl_space_info *dest_orig; +@@ -4338,7 +4338,7 @@ static int _btrfs_ioctl_send(struct inode *inode, void __user *argp, bool compat + + if (compat) { + #if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT) +- struct btrfs_ioctl_send_args_32 args32; ++ struct btrfs_ioctl_send_args_32 args32 = { 0 }; + + ret = copy_from_user(&args32, argp, sizeof(args32)); + if (ret) +-- +2.40.1 + diff --git a/queue-6.5/btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch b/queue-6.5/btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch new file mode 100644 index 00000000000..bcde8741a1f --- /dev/null +++ b/queue-6.5/btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch @@ -0,0 +1,57 @@ +From 2b9bc11590cff977f28b4c8b3c5f54a3fb622992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 12:15:24 -0400 +Subject: btrfs: initialize start_slot in btrfs_log_prealloc_extents +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Josef Bacik + +[ Upstream commit b4c639f699349880b7918b861e1bd360442ec450 ] + +Jens reported a compiler warning when using +CONFIG_CC_OPTIMIZE_FOR_SIZE=y that looks like this + + fs/btrfs/tree-log.c: In function ‘btrfs_log_prealloc_extents’: + fs/btrfs/tree-log.c:4828:23: warning: ‘start_slot’ may be used + uninitialized [-Wmaybe-uninitialized] + 4828 | ret = copy_items(trans, inode, dst_path, path, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 4829 | start_slot, ins_nr, 1, 0); + | ~~~~~~~~~~~~~~~~~~~~~~~~~ + fs/btrfs/tree-log.c:4725:13: note: ‘start_slot’ was declared here + 4725 | int start_slot; + | ^~~~~~~~~~ + +The compiler is incorrect, as we only use this code when ins_len > 0, +and when ins_len > 0 we have start_slot properly initialized. However +we generally find the -Wmaybe-uninitialized warnings valuable, so +initialize start_slot to get rid of the warning. + +Reported-by: Jens Axboe +Tested-by: Jens Axboe +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 365a1cc0a3c35..a00e7a0bc713d 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4722,7 +4722,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct extent_buffer *leaf; + int slot; + int ins_nr = 0; +- int start_slot; ++ int start_slot = 0; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) +-- +2.40.1 + diff --git a/queue-6.5/btrfs-prevent-transaction-block-reserve-underflow-wh.patch b/queue-6.5/btrfs-prevent-transaction-block-reserve-underflow-wh.patch new file mode 100644 index 00000000000..37db8981577 --- /dev/null +++ b/queue-6.5/btrfs-prevent-transaction-block-reserve-underflow-wh.patch @@ -0,0 +1,112 @@ +From 12b0f13348c1f95959887bc74f88e36f5b53e837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 18:20:19 +0100 +Subject: btrfs: prevent transaction block reserve underflow when starting + transaction + +From: Filipe Manana + +[ Upstream commit a7ddeeb079505961355cf0106154da0110f1fdff ] + +When starting a transaction, with a non-zero number of items, we reserve +metadata space for that number of items and for delayed refs by doing a +call to btrfs_block_rsv_add(), with the transaction block reserve passed +as the block reserve argument. This reserves metadata space and adds it +to the transaction block reserve. Later we migrate the space we reserved +for delayed references from the transaction block reserve into the delayed +refs block reserve, by calling btrfs_migrate_to_delayed_refs_rsv(). + +btrfs_migrate_to_delayed_refs_rsv() decrements the number of bytes to +migrate from the source block reserve, and this however may result in an +underflow in case the space added to the transaction block reserve ended +up being used by another task that has not reserved enough space for its +own use - examples are tasks doing reflinks or hole punching because they +end up calling btrfs_replace_file_extents() -> btrfs_drop_extents() and +may need to modify/COW a variable number of leaves/paths, so they keep +trying to use space from the transaction block reserve when they need to +COW an extent buffer, and may end up trying to use more space then they +have reserved (1 unit/path only for removing file extent items). + +This can be avoided by simply reserving space first without adding it to +the transaction block reserve, then add the space for delayed refs to the +delayed refs block reserve and finally add the remaining reserved space +to the transaction block reserve. This also makes the code a bit shorter +and simpler. So just do that. + +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-ref.c | 9 +-------- + fs/btrfs/delayed-ref.h | 1 - + fs/btrfs/transaction.c | 6 +++--- + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c +index 1043f66cc130d..9fe4ccca50a06 100644 +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -103,24 +103,17 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans) + * Transfer bytes to our delayed refs rsv. + * + * @fs_info: the filesystem +- * @src: source block rsv to transfer from + * @num_bytes: number of bytes to transfer + * +- * This transfers up to the num_bytes amount from the src rsv to the ++ * This transfers up to the num_bytes amount, previously reserved, to the + * delayed_refs_rsv. Any extra bytes are returned to the space info. + */ + void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info, +- struct btrfs_block_rsv *src, + u64 num_bytes) + { + struct btrfs_block_rsv *delayed_refs_rsv = &fs_info->delayed_refs_rsv; + u64 to_free = 0; + +- spin_lock(&src->lock); +- src->reserved -= num_bytes; +- src->size -= num_bytes; +- spin_unlock(&src->lock); +- + spin_lock(&delayed_refs_rsv->lock); + if (delayed_refs_rsv->size > delayed_refs_rsv->reserved) { + u64 delta = delayed_refs_rsv->size - +diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h +index b8e14b0ba5f16..fd9bf2b709c0e 100644 +--- a/fs/btrfs/delayed-ref.h ++++ b/fs/btrfs/delayed-ref.h +@@ -407,7 +407,6 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans); + int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info, + enum btrfs_reserve_flush_enum flush); + void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info, +- struct btrfs_block_rsv *src, + u64 num_bytes); + bool btrfs_check_space_for_delayed_refs(struct btrfs_fs_info *fs_info); + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 5bbd288b9cb54..0554ca2a8e3ba 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -625,14 +625,14 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, + reloc_reserved = true; + } + +- ret = btrfs_block_rsv_add(fs_info, rsv, num_bytes, flush); ++ ret = btrfs_reserve_metadata_bytes(fs_info, rsv, num_bytes, flush); + if (ret) + goto reserve_fail; + if (delayed_refs_bytes) { +- btrfs_migrate_to_delayed_refs_rsv(fs_info, rsv, +- delayed_refs_bytes); ++ btrfs_migrate_to_delayed_refs_rsv(fs_info, delayed_refs_bytes); + num_bytes -= delayed_refs_bytes; + } ++ btrfs_block_rsv_add_bytes(rsv, num_bytes, true); + + if (rsv->space_info->force_alloc) + do_chunk_alloc = true; +-- +2.40.1 + diff --git a/queue-6.5/btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch b/queue-6.5/btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch new file mode 100644 index 00000000000..5f0d78898b5 --- /dev/null +++ b/queue-6.5/btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch @@ -0,0 +1,51 @@ +From 45c29b924747efcc70c11234f813959b8d68ab3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 18:20:23 +0100 +Subject: btrfs: return -EUCLEAN for delayed tree ref with a ref count not + equals to 1 + +From: Filipe Manana + +[ Upstream commit 1bf76df3fee56d6637718e267f7c34ed70d0c7dc ] + +When running a delayed tree reference, if we find a ref count different +from 1, we return -EIO. This isn't an IO error, as it indicates either a +bug in the delayed refs code or a memory corruption, so change the error +code from -EIO to -EUCLEAN. Also tag the branch as 'unlikely' as this is +not expected to ever happen, and change the error message to print the +tree block's bytenr without the parenthesis (and there was a missing space +between the 'block' word and the opening parenthesis), for consistency as +that's the style we used everywhere else. + +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 0917c5f39e3d0..2cf8d646085c2 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -1715,12 +1715,12 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans, + parent = ref->parent; + ref_root = ref->root; + +- if (node->ref_mod != 1) { ++ if (unlikely(node->ref_mod != 1)) { + btrfs_err(trans->fs_info, +- "btree block(%llu) has %d references rather than 1: action %d ref_root %llu parent %llu", ++ "btree block %llu has %d references rather than 1: action %d ref_root %llu parent %llu", + node->bytenr, node->ref_mod, node->action, ref_root, + parent); +- return -EIO; ++ return -EUCLEAN; + } + if (node->action == BTRFS_ADD_DELAYED_REF && insert_reserved) { + BUG_ON(!extent_op || !extent_op->update_flags); +-- +2.40.1 + diff --git a/queue-6.5/cpufreq-schedutil-update-next_freq-when-cpufreq_limi.patch b/queue-6.5/cpufreq-schedutil-update-next_freq-when-cpufreq_limi.patch new file mode 100644 index 00000000000..4f3b4917882 --- /dev/null +++ b/queue-6.5/cpufreq-schedutil-update-next_freq-when-cpufreq_limi.patch @@ -0,0 +1,69 @@ +From 00a3e540993685226292b6223c4bd84c38a671f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:05:27 +0800 +Subject: cpufreq: schedutil: Update next_freq when cpufreq_limits change + +From: Xuewen Yan + +[ Upstream commit 9e0bc36ab07c550d791bf17feeb479f1dfc42d89 ] + +When cpufreq's policy is 'single', there is a scenario that will +cause sg_policy's next_freq to be unable to update. + +When the CPU's util is always max, the cpufreq will be max, +and then if we change the policy's scaling_max_freq to be a +lower freq, indeed, the sg_policy's next_freq need change to +be the lower freq, however, because the cpu_is_busy, the next_freq +would keep the max_freq. + +For example: + +The cpu7 is a single CPU: + + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # while true;do done& [1] 4737 + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # taskset -p 80 4737 + pid 4737's current affinity mask: ff + pid 4737's new affinity mask: 80 + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq + 2301000 + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_cur_freq + 2301000 + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # echo 2171000 > scaling_max_freq + unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq + 2171000 + +At this time, the sg_policy's next_freq would stay at 2301000, which +is wrong. + +To fix this, add a check for the ->need_freq_update flag. + +[ mingo: Clarified the changelog. ] + +Co-developed-by: Guohua Yan +Signed-off-by: Xuewen Yan +Signed-off-by: Guohua Yan +Signed-off-by: Ingo Molnar +Acked-by: "Rafael J. Wysocki" +Link: https://lore.kernel.org/r/20230719130527.8074-1-xuewen.yan@unisoc.com +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 4492608b7d7f1..458d359f5991c 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -350,7 +350,8 @@ static void sugov_update_single_freq(struct update_util_data *hook, u64 time, + * Except when the rq is capped by uclamp_max. + */ + if (!uclamp_rq_is_capped(cpu_rq(sg_cpu->cpu)) && +- sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq) { ++ sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq && ++ !sg_policy->need_freq_update) { + next_f = sg_policy->next_freq; + + /* Restore cached freq as next_freq has changed */ +-- +2.40.1 + diff --git a/queue-6.5/drm-amd-pm-add-unique_id-for-gc-11.0.3.patch b/queue-6.5/drm-amd-pm-add-unique_id-for-gc-11.0.3.patch new file mode 100644 index 00000000000..66d8866173d --- /dev/null +++ b/queue-6.5/drm-amd-pm-add-unique_id-for-gc-11.0.3.patch @@ -0,0 +1,34 @@ +From bc1443a459e7b6a30b5851dacfe03b8a6907f7f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 12:25:26 +0800 +Subject: drm/amd/pm: add unique_id for gc 11.0.3 + +From: Kenneth Feng + +[ Upstream commit 4953856f280b2b606089a72a93a1e9212a3adaca ] + +add unique_id for gc 11.0.3 + +Signed-off-by: Kenneth Feng +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +index d68fe5474676b..7f7a476b6829c 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -2077,6 +2077,7 @@ static int default_attr_update(struct amdgpu_device *adev, struct amdgpu_device_ + case IP_VERSION(11, 0, 0): + case IP_VERSION(11, 0, 1): + case IP_VERSION(11, 0, 2): ++ case IP_VERSION(11, 0, 3): + *states = ATTR_STATE_SUPPORTED; + break; + default: +-- +2.40.1 + diff --git a/queue-6.5/drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch b/queue-6.5/drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch new file mode 100644 index 00000000000..771e85f0557 --- /dev/null +++ b/queue-6.5/drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch @@ -0,0 +1,59 @@ +From dabf378b73246574d9667b16270e51b4d65c230f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Oct 2023 13:47:10 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for One Mix 2S + +From: Kai Uwe Broulik + +[ Upstream commit cbb7eb2dbd9472816e42a1b0fdb51af49abbf812 ] + +The One Mix 2S is a mini laptop with a 1200x1920 portrait screen +mounted in a landscape oriented clamshell case. Because of the too +generic DMI strings this entry is also doing bios-date matching. + +Signed-off-by: Kai Uwe Broulik +Reviewed-by: Hans de Goede +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20231001114710.336172-1-foss-linux@broulik.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 0cb646cb04ee1..d5c15292ae937 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -38,6 +38,14 @@ static const struct drm_dmi_panel_orientation_data gpd_micropc = { + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, + }; + ++static const struct drm_dmi_panel_orientation_data gpd_onemix2s = { ++ .width = 1200, ++ .height = 1920, ++ .bios_dates = (const char * const []){ "05/21/2018", "10/26/2018", ++ "03/04/2019", NULL }, ++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, ++}; ++ + static const struct drm_dmi_panel_orientation_data gpd_pocket = { + .width = 1200, + .height = 1920, +@@ -401,6 +409,14 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "LTH17"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* One Mix 2S (generic strings, also match on bios date) */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Default string"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"), ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), ++ }, ++ .driver_data = (void *)&gpd_onemix2s, + }, + {} + }; +-- +2.40.1 + diff --git a/queue-6.5/fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch b/queue-6.5/fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch new file mode 100644 index 00000000000..acd9d6a2549 --- /dev/null +++ b/queue-6.5/fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch @@ -0,0 +1,86 @@ +From 5c5a033d3a2ad2ef0d5b100aca246e15811d245c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 22:51:31 -0600 +Subject: fs-writeback: do not requeue a clean inode having skipped pages + +From: Chunhai Guo + +[ Upstream commit be049c3a088d512187407b7fd036cecfab46d565 ] + +When writing back an inode and performing an fsync on it concurrently, a +deadlock issue may arise as shown below. In each writeback iteration, a +clean inode is requeued to the wb->b_dirty queue due to non-zero +pages_skipped, without anything actually being written. This causes an +infinite loop and prevents the plug from being flushed, resulting in a +deadlock. We now avoid requeuing the clean inode to prevent this issue. + + wb_writeback fsync (inode-Y) +blk_start_plug(&plug) +for (;;) { + iter i-1: some reqs with page-X added into plug->mq_list // f2fs node page-X with PG_writeback + filemap_fdatawrite + __filemap_fdatawrite_range // write inode-Y with sync_mode WB_SYNC_ALL + do_writepages + f2fs_write_data_pages + __f2fs_write_data_pages // wb_sync_req[DATA]++ for WB_SYNC_ALL + f2fs_write_cache_pages + f2fs_write_single_data_page + f2fs_do_write_data_page + f2fs_outplace_write_data + f2fs_update_data_blkaddr + f2fs_wait_on_page_writeback + wait_on_page_writeback // wait for f2fs node page-X + iter i: + progress = __writeback_inodes_wb(wb, work) + . writeback_sb_inodes + . __writeback_single_inode // write inode-Y with sync_mode WB_SYNC_NONE + . . do_writepages + . . f2fs_write_data_pages + . . . __f2fs_write_data_pages // skip writepages due to (wb_sync_req[DATA]>0) + . . . wbc->pages_skipped += get_dirty_pages(inode) // wbc->pages_skipped = 1 + . if (!(inode->i_state & I_DIRTY_ALL)) // i_state = I_SYNC | I_SYNC_QUEUED + . total_wrote++; // total_wrote = 1 + . requeue_inode // requeue inode-Y to wb->b_dirty queue due to non-zero pages_skipped + if (progress) // progress = 1 + continue; + iter i+1: + queue_io + // similar process with iter i, infinite for-loop ! +} +blk_finish_plug(&plug) // flush plug won't be called + +Signed-off-by: Chunhai Guo +Reviewed-by: Jan Kara +Message-Id: <20230916045131.957929-1-guochunhai@vivo.com> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index aca4b48113945..d532a93e980d7 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -1535,10 +1535,15 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb, + + if (wbc->pages_skipped) { + /* +- * writeback is not making progress due to locked +- * buffers. Skip this inode for now. ++ * Writeback is not making progress due to locked buffers. ++ * Skip this inode for now. Although having skipped pages ++ * is odd for clean inodes, it can happen for some ++ * filesystems so handle that gracefully. + */ +- redirty_tail_locked(inode, wb); ++ if (inode->i_state & I_DIRTY_ALL) ++ redirty_tail_locked(inode, wb); ++ else ++ inode_cgwb_move_to_attached(inode, wb); + return; + } + +-- +2.40.1 + diff --git a/queue-6.5/gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch b/queue-6.5/gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch new file mode 100644 index 00000000000..f6d2915cdf6 --- /dev/null +++ b/queue-6.5/gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch @@ -0,0 +1,64 @@ +From e4b6cbdf2c225ba49f481bb91cb100872f428f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 10:29:14 +0000 +Subject: gpio: timberdale: Fix potential deadlock on &tgpio->lock + +From: Chengfeng Ye + +[ Upstream commit 9e8bc2dda5a7a8e2babc9975f4b11c9a6196e490 ] + +As timbgpio_irq_enable()/timbgpio_irq_disable() callback could be +executed under irq context, it could introduce double locks on +&tgpio->lock if it preempts other execution units requiring +the same locks. + +timbgpio_gpio_set() +--> timbgpio_update_bit() +--> spin_lock(&tgpio->lock) + + --> timbgpio_irq_disable() + --> spin_lock_irqsave(&tgpio->lock) + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +To prevent the potential deadlock, the patch uses spin_lock_irqsave() +on &tgpio->lock inside timbgpio_gpio_set() to prevent the possible +deadlock scenario. + +Signed-off-by: Chengfeng Ye +Reviewed-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-timberdale.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-timberdale.c b/drivers/gpio/gpio-timberdale.c +index de14949a3fe5a..92c1f2baa4bff 100644 +--- a/drivers/gpio/gpio-timberdale.c ++++ b/drivers/gpio/gpio-timberdale.c +@@ -43,9 +43,10 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index, + unsigned offset, bool enabled) + { + struct timbgpio *tgpio = gpiochip_get_data(gpio); ++ unsigned long flags; + u32 reg; + +- spin_lock(&tgpio->lock); ++ spin_lock_irqsave(&tgpio->lock, flags); + reg = ioread32(tgpio->membase + offset); + + if (enabled) +@@ -54,7 +55,7 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index, + reg &= ~(1 << index); + + iowrite32(reg, tgpio->membase + offset); +- spin_unlock(&tgpio->lock); ++ spin_unlock_irqrestore(&tgpio->lock, flags); + + return 0; + } +-- +2.40.1 + diff --git a/queue-6.5/hid-add-quirk-to-ignore-the-touchscreen-battery-on-h.patch b/queue-6.5/hid-add-quirk-to-ignore-the-touchscreen-battery-on-h.patch new file mode 100644 index 00000000000..5033c647280 --- /dev/null +++ b/queue-6.5/hid-add-quirk-to-ignore-the-touchscreen-battery-on-h.patch @@ -0,0 +1,51 @@ +From af142d97ef13db798a0aa127cecd5499957e1415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 21:07:00 +0200 +Subject: HID: Add quirk to ignore the touchscreen battery on HP ENVY + 15-eu0556ng + +From: Fabian Vogt + +[ Upstream commit b009aa38a380becd98cc4e01c9b7626a11cb4905 ] + +Like various other devices using similar hardware, this model reports a +perpetually empty battery (0-1%). + +Join the others and apply HID_BATTERY_QUIRK_IGNORE. + +Signed-off-by: Fabian Vogt +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-input.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 8a310f8ff20f5..cc0d0186a0d95 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -425,6 +425,7 @@ + #define I2C_DEVICE_ID_HP_SPECTRE_X360_13T_AW100 0x29F5 + #define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V1 0x2BED + #define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2 0x2BEE ++#define I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG 0x2D02 + + #define USB_VENDOR_ID_ELECOM 0x056e + #define USB_DEVICE_ID_ELECOM_BM084 0x0061 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 40a5645f8fe81..5e2f721855e59 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -406,6 +406,8 @@ static const struct hid_device_id hid_battery_quirks[] = { + HID_BATTERY_QUIRK_IGNORE }, + { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2), + HID_BATTERY_QUIRK_IGNORE }, ++ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG), ++ HID_BATTERY_QUIRK_IGNORE }, + {} + }; + +-- +2.40.1 + diff --git a/queue-6.5/hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch b/queue-6.5/hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch new file mode 100644 index 00000000000..b816aa2acad --- /dev/null +++ b/queue-6.5/hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch @@ -0,0 +1,40 @@ +From b79724a120faba7fd2cb830b87ef25a3ba4f8b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 10:40:59 +0800 +Subject: HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event + +From: Ma Ke + +[ Upstream commit ffe3b7837a2bb421df84d0177481db9f52c93a71 ] + +There is a slab-out-of-bounds Write bug in hid-holtek-kbd driver. +The problem is the driver assumes the device must have an input +but some malicious devices violate this assumption. + +Fix this by checking hid_device's input is non-empty before its usage. + +Signed-off-by: Ma Ke +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-holtek-kbd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c +index 403506b9697e7..b346d68a06f5a 100644 +--- a/drivers/hid/hid-holtek-kbd.c ++++ b/drivers/hid/hid-holtek-kbd.c +@@ -130,6 +130,10 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type, + return -ENODEV; + + boot_hid = usb_get_intfdata(boot_interface); ++ if (list_empty(&boot_hid->inputs)) { ++ hid_err(hid, "no inputs found\n"); ++ return -ENODEV; ++ } + boot_hid_input = list_first_entry(&boot_hid->inputs, + struct hid_input, list); + +-- +2.40.1 + diff --git a/queue-6.5/hid-logitech-hidpp-add-bluetooth-id-for-the-logitech.patch b/queue-6.5/hid-logitech-hidpp-add-bluetooth-id-for-the-logitech.patch new file mode 100644 index 00000000000..ced4802854b --- /dev/null +++ b/queue-6.5/hid-logitech-hidpp-add-bluetooth-id-for-the-logitech.patch @@ -0,0 +1,37 @@ +From 96152aea283d4cd04ed9662707475b56e1a0cc97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 00:24:38 +0200 +Subject: HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon + mouse + +From: Hans de Goede + +[ Upstream commit 2d866603e25b1ce7e536839f62d1faae1c03d92f ] + +Using hidpp for the M720 adds battery info reporting and hires +scrolling support. + +Signed-off-by: Hans de Goede +Signed-off-by: Bastien Nocera +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 1c00e4121c7ef..08b68f8476dbb 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -4676,6 +4676,8 @@ static const struct hid_device_id hidpp_devices[] = { + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb008) }, + { /* MX Master mouse over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb012) }, ++ { /* M720 Triathlon mouse over Bluetooth */ ++ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb015) }, + { /* MX Ergo trackball over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01d) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01e) }, +-- +2.40.1 + diff --git a/queue-6.5/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch b/queue-6.5/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch new file mode 100644 index 00000000000..0547284416a --- /dev/null +++ b/queue-6.5/hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch @@ -0,0 +1,39 @@ +From 5164c02c2210bd9a3d8c38c0e78bb10701735335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Sep 2023 16:18:43 +0000 +Subject: HID: multitouch: Add required quirk for Synaptics 0xcd7e device + +From: Rahul Rameshbabu + +[ Upstream commit 1437e4547edf41689d7135faaca4222ef0081bc1 ] + +Register the Synaptics device as a special multitouch device with certain +quirks that may improve usability of the touchpad device. + +Reported-by: Rain +Closes: https://lore.kernel.org/linux-input/2bbb8e1d-1793-4df1-810f-cb0137341ff4@app.fastmail.com/ +Signed-off-by: Rahul Rameshbabu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 521b2ffb42449..8db4ae05febc8 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2144,6 +2144,10 @@ static const struct hid_device_id mt_devices[] = { + USB_DEVICE_ID_MTP_STM)}, + + /* Synaptics devices */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_SYNAPTICS, 0xcd7e) }, ++ + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_SYNAPTICS, 0xce08) }, +-- +2.40.1 + diff --git a/queue-6.5/hid-nintendo-reinitialize-usb-pro-controller-after-r.patch b/queue-6.5/hid-nintendo-reinitialize-usb-pro-controller-after-r.patch new file mode 100644 index 00000000000..8fb1c9b23d4 --- /dev/null +++ b/queue-6.5/hid-nintendo-reinitialize-usb-pro-controller-after-r.patch @@ -0,0 +1,265 @@ +From 1c83d1145acea995e95597cde563d50cf377ad9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Sep 2023 16:06:01 +0200 +Subject: HID: nintendo: reinitialize USB Pro Controller after resuming from + suspend + +From: Martino Fontana + +[ Upstream commit 95ea4d9fd385fe335b989f22d409df079a042b7a ] + +When suspending the computer, a Switch Pro Controller connected via USB will +lose its internal status. However, because the USB connection was technically +never lost, when resuming the computer, the driver will attempt to communicate +with the controller as if nothing happened (and fail). +Because of this, the user was forced to manually disconnect the controller +(or to press the sync button on the controller to power it off), so that it +can be re-initialized. + +With this patch, the controller will be automatically re-initialized after +resuming from suspend. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216233 + +Signed-off-by: Martino Fontana +Reviewed-by: Daniel J. Ogorchock +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-nintendo.c | 175 ++++++++++++++++++++++--------------- + 1 file changed, 103 insertions(+), 72 deletions(-) + +diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c +index 250f5d2f888ab..10468f727e5bb 100644 +--- a/drivers/hid/hid-nintendo.c ++++ b/drivers/hid/hid-nintendo.c +@@ -2088,7 +2088,9 @@ static int joycon_read_info(struct joycon_ctlr *ctlr) + struct joycon_input_report *report; + + req.subcmd_id = JC_SUBCMD_REQ_DEV_INFO; ++ mutex_lock(&ctlr->output_mutex); + ret = joycon_send_subcmd(ctlr, &req, 0, HZ); ++ mutex_unlock(&ctlr->output_mutex); + if (ret) { + hid_err(ctlr->hdev, "Failed to get joycon info; ret=%d\n", ret); + return ret; +@@ -2117,6 +2119,85 @@ static int joycon_read_info(struct joycon_ctlr *ctlr) + return 0; + } + ++static int joycon_init(struct hid_device *hdev) ++{ ++ struct joycon_ctlr *ctlr = hid_get_drvdata(hdev); ++ int ret = 0; ++ ++ mutex_lock(&ctlr->output_mutex); ++ /* if handshake command fails, assume ble pro controller */ ++ if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) && ++ !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) { ++ hid_dbg(hdev, "detected USB controller\n"); ++ /* set baudrate for improved latency */ ++ ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ); ++ if (ret) { ++ hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret); ++ goto out_unlock; ++ } ++ /* handshake */ ++ ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ); ++ if (ret) { ++ hid_err(hdev, "Failed handshake; ret=%d\n", ret); ++ goto out_unlock; ++ } ++ /* ++ * Set no timeout (to keep controller in USB mode). ++ * This doesn't send a response, so ignore the timeout. ++ */ ++ joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10); ++ } else if (jc_type_is_chrggrip(ctlr)) { ++ hid_err(hdev, "Failed charging grip handshake\n"); ++ ret = -ETIMEDOUT; ++ goto out_unlock; ++ } ++ ++ /* get controller calibration data, and parse it */ ++ ret = joycon_request_calibration(ctlr); ++ if (ret) { ++ /* ++ * We can function with default calibration, but it may be ++ * inaccurate. Provide a warning, and continue on. ++ */ ++ hid_warn(hdev, "Analog stick positions may be inaccurate\n"); ++ } ++ ++ /* get IMU calibration data, and parse it */ ++ ret = joycon_request_imu_calibration(ctlr); ++ if (ret) { ++ /* ++ * We can function with default calibration, but it may be ++ * inaccurate. Provide a warning, and continue on. ++ */ ++ hid_warn(hdev, "Unable to read IMU calibration data\n"); ++ } ++ ++ /* Set the reporting mode to 0x30, which is the full report mode */ ++ ret = joycon_set_report_mode(ctlr); ++ if (ret) { ++ hid_err(hdev, "Failed to set report mode; ret=%d\n", ret); ++ goto out_unlock; ++ } ++ ++ /* Enable rumble */ ++ ret = joycon_enable_rumble(ctlr); ++ if (ret) { ++ hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret); ++ goto out_unlock; ++ } ++ ++ /* Enable the IMU */ ++ ret = joycon_enable_imu(ctlr); ++ if (ret) { ++ hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret); ++ goto out_unlock; ++ } ++ ++out_unlock: ++ mutex_unlock(&ctlr->output_mutex); ++ return ret; ++} ++ + /* Common handler for parsing inputs */ + static int joycon_ctlr_read_handler(struct joycon_ctlr *ctlr, u8 *data, + int size) +@@ -2248,85 +2329,19 @@ static int nintendo_hid_probe(struct hid_device *hdev, + + hid_device_io_start(hdev); + +- /* Initialize the controller */ +- mutex_lock(&ctlr->output_mutex); +- /* if handshake command fails, assume ble pro controller */ +- if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) && +- !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) { +- hid_dbg(hdev, "detected USB controller\n"); +- /* set baudrate for improved latency */ +- ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ); +- if (ret) { +- hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret); +- goto err_mutex; +- } +- /* handshake */ +- ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ); +- if (ret) { +- hid_err(hdev, "Failed handshake; ret=%d\n", ret); +- goto err_mutex; +- } +- /* +- * Set no timeout (to keep controller in USB mode). +- * This doesn't send a response, so ignore the timeout. +- */ +- joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10); +- } else if (jc_type_is_chrggrip(ctlr)) { +- hid_err(hdev, "Failed charging grip handshake\n"); +- ret = -ETIMEDOUT; +- goto err_mutex; +- } +- +- /* get controller calibration data, and parse it */ +- ret = joycon_request_calibration(ctlr); ++ ret = joycon_init(hdev); + if (ret) { +- /* +- * We can function with default calibration, but it may be +- * inaccurate. Provide a warning, and continue on. +- */ +- hid_warn(hdev, "Analog stick positions may be inaccurate\n"); +- } +- +- /* get IMU calibration data, and parse it */ +- ret = joycon_request_imu_calibration(ctlr); +- if (ret) { +- /* +- * We can function with default calibration, but it may be +- * inaccurate. Provide a warning, and continue on. +- */ +- hid_warn(hdev, "Unable to read IMU calibration data\n"); +- } +- +- /* Set the reporting mode to 0x30, which is the full report mode */ +- ret = joycon_set_report_mode(ctlr); +- if (ret) { +- hid_err(hdev, "Failed to set report mode; ret=%d\n", ret); +- goto err_mutex; +- } +- +- /* Enable rumble */ +- ret = joycon_enable_rumble(ctlr); +- if (ret) { +- hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret); +- goto err_mutex; +- } +- +- /* Enable the IMU */ +- ret = joycon_enable_imu(ctlr); +- if (ret) { +- hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret); +- goto err_mutex; ++ hid_err(hdev, "Failed to initialize controller; ret=%d\n", ret); ++ goto err_close; + } + + ret = joycon_read_info(ctlr); + if (ret) { + hid_err(hdev, "Failed to retrieve controller info; ret=%d\n", + ret); +- goto err_mutex; ++ goto err_close; + } + +- mutex_unlock(&ctlr->output_mutex); +- + /* Initialize the leds */ + ret = joycon_leds_create(ctlr); + if (ret) { +@@ -2352,8 +2367,6 @@ static int nintendo_hid_probe(struct hid_device *hdev, + hid_dbg(hdev, "probe - success\n"); + return 0; + +-err_mutex: +- mutex_unlock(&ctlr->output_mutex); + err_close: + hid_hw_close(hdev); + err_stop: +@@ -2383,6 +2396,20 @@ static void nintendo_hid_remove(struct hid_device *hdev) + hid_hw_stop(hdev); + } + ++#ifdef CONFIG_PM ++ ++static int nintendo_hid_resume(struct hid_device *hdev) ++{ ++ int ret = joycon_init(hdev); ++ ++ if (ret) ++ hid_err(hdev, "Failed to restore controller after resume"); ++ ++ return ret; ++} ++ ++#endif ++ + static const struct hid_device_id nintendo_hid_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_NINTENDO, + USB_DEVICE_ID_NINTENDO_PROCON) }, +@@ -2404,6 +2431,10 @@ static struct hid_driver nintendo_hid_driver = { + .probe = nintendo_hid_probe, + .remove = nintendo_hid_remove, + .raw_event = nintendo_hid_event, ++ ++#ifdef CONFIG_PM ++ .resume = nintendo_hid_resume, ++#endif + }; + module_hid_driver(nintendo_hid_driver); + +-- +2.40.1 + diff --git a/queue-6.5/i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch b/queue-6.5/i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch new file mode 100644 index 00000000000..ce634ad740f --- /dev/null +++ b/queue-6.5/i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch @@ -0,0 +1,37 @@ +From 9d3f40668aabe2f20cd22b19125d6ac52c93d25d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 23:54:06 +0200 +Subject: i2c: mux: Avoid potential false error message in i2c_mux_add_adapter + +From: Heiner Kallweit + +[ Upstream commit b13e59e74ff71a1004e0508107e91e9a84fd7388 ] + +I2C_CLASS_DEPRECATED is a flag and not an actual class. +There's nothing speaking against both, parent and child, having +I2C_CLASS_DEPRECATED set. Therefore exclude it from the check. + +Signed-off-by: Heiner Kallweit +Acked-by: Peter Rosin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-mux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c +index 313904be5f3bd..57ff09f18c371 100644 +--- a/drivers/i2c/i2c-mux.c ++++ b/drivers/i2c/i2c-mux.c +@@ -341,7 +341,7 @@ int i2c_mux_add_adapter(struct i2c_mux_core *muxc, + priv->adap.lock_ops = &i2c_parent_lock_ops; + + /* Sanity check on class */ +- if (i2c_mux_parent_classes(parent) & class) ++ if (i2c_mux_parent_classes(parent) & class & ~I2C_CLASS_DEPRECATED) + dev_err(&parent->dev, + "Segment %d behind mux can't share classes with ancestors\n", + chan_id); +-- +2.40.1 + diff --git a/queue-6.5/iio-light-vcnl4000-don-t-power-on-off-chip-in-config.patch b/queue-6.5/iio-light-vcnl4000-don-t-power-on-off-chip-in-config.patch new file mode 100644 index 00000000000..8e00b1ae701 --- /dev/null +++ b/queue-6.5/iio-light-vcnl4000-don-t-power-on-off-chip-in-config.patch @@ -0,0 +1,64 @@ +From ab58fb6285dfd2ec47f73c95d974d091f5795188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 14:43:01 +0200 +Subject: iio: light: vcnl4000: Don't power on/off chip in config +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: MÃ¥rten Lindahl + +[ Upstream commit 7e87ab38eed09c9dec56da361d74158159ae84a3 ] + +After enabling/disabling interrupts on the vcnl4040 chip the als and/or +ps sensor is powered on or off depending on the interrupt enable bits. +This is made as a last step in write_event_config. + +But there is no reason to do this as the runtime PM handles the power +state of the sensors. Interfering with this may impact sensor readings. + +Consider the following: + 1. Userspace makes sensor data reading which triggers RPM resume + (sensor powered on) and a RPM suspend timeout. The timeout is 2000ms + before RPM suspend powers the sensor off if no new reading is made + within the timeout period. + 2. Userspace disables interrupts => powers sensor off + 3. Userspace reads sensor data = 0 because sensor is off and the + suspend timeout has not passed. For each new reading made within the + timeout period the timeout is renewed with 2000ms and RPM will not + make a new resume (device was not suspended). So the sensor will + not be powered on. + 4. No further userspace reading for 2000ms ends RPM suspend timeout and + triggers suspend (powers off already powered off sensor). + +Powering sensor off in (2) makes all consecutive readings made within +2000ms to the previous reading (3) return invalid data. + +Skip setting power state when writing new event config. + +Fixes: 546676121cb9 ("iio: light: vcnl4000: Add interrupt support for vcnl4040") +Fixes: bc292aaf9cb4 ("iio: light: vcnl4000: add illuminance irq vcnl4040/4200") +Signed-off-by: MÃ¥rten Lindahl +Link: https://lore.kernel.org/r/20230907-vcnl4000-pm-fix-v2-1-298e01f54db4@axis.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/vcnl4000.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iio/light/vcnl4000.c b/drivers/iio/light/vcnl4000.c +index 7c7362e288213..66433886b7b03 100644 +--- a/drivers/iio/light/vcnl4000.c ++++ b/drivers/iio/light/vcnl4000.c +@@ -994,7 +994,6 @@ static int vcnl4040_write_event_config(struct iio_dev *indio_dev, + + out: + mutex_unlock(&data->vcnl4000_lock); +- data->chip_spec->set_power_state(data, data->ps_int != 0); + + return ret; + } +-- +2.40.1 + diff --git a/queue-6.5/io-wq-fully-initialize-wqe-before-calling-cpuhp_stat.patch b/queue-6.5/io-wq-fully-initialize-wqe-before-calling-cpuhp_stat.patch new file mode 100644 index 00000000000..5889afc08e7 --- /dev/null +++ b/queue-6.5/io-wq-fully-initialize-wqe-before-calling-cpuhp_stat.patch @@ -0,0 +1,109 @@ +From 4feaa27fa7f0ae8652ed81af2fed83edccb95dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 13:55:31 -0400 +Subject: io-wq: fully initialize wqe before calling + cpuhp_state_add_instance_nocalls() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jeff Moyer + +[ Upstream commit 0f8baa3c9802fbfe313c901e1598397b61b91ada ] + +I received a bug report with the following signature: + +[ 1759.937637] BUG: unable to handle page fault for address: ffffffffffffffe8 +[ 1759.944564] #PF: supervisor read access in kernel mode +[ 1759.949732] #PF: error_code(0x0000) - not-present page +[ 1759.954901] PGD 7ab615067 P4D 7ab615067 PUD 7ab617067 PMD 0 +[ 1759.960596] Oops: 0000 1 PREEMPT SMP PTI +[ 1759.964804] CPU: 15 PID: 109 Comm: cpuhp/15 Kdump: loaded Tainted: G X ------- — 5.14.0-362.3.1.el9_3.x86_64 #1 +[ 1759.976609] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018 +[ 1759.985181] RIP: 0010:io_wq_for_each_worker.isra.0+0x24/0xa0 +[ 1759.990877] Code: 90 90 90 90 90 90 0f 1f 44 00 00 41 56 41 55 41 54 55 48 8d 6f 78 53 48 8b 47 78 48 39 c5 74 4f 49 89 f5 49 89 d4 48 8d 58 e8 <8b> 13 85 d2 74 32 8d 4a 01 89 d0 f0 0f b1 0b 75 5c 09 ca 78 3d 48 +[ 1760.009758] RSP: 0000:ffffb6f403603e20 EFLAGS: 00010286 +[ 1760.015013] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000000 +[ 1760.022188] RDX: ffffb6f403603e50 RSI: ffffffffb11e95b0 RDI: ffff9f73b09e9400 +[ 1760.029362] RBP: ffff9f73b09e9478 R08: 000000000000000f R09: 0000000000000000 +[ 1760.036536] R10: ffffffffffffff00 R11: ffffb6f403603d80 R12: ffffb6f403603e50 +[ 1760.043712] R13: ffffffffb11e95b0 R14: ffffffffb28531e8 R15: ffff9f7a6fbdf548 +[ 1760.050887] FS: 0000000000000000(0000) GS:ffff9f7a6fbc0000(0000) knlGS:0000000000000000 +[ 1760.059025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1760.064801] CR2: ffffffffffffffe8 CR3: 00000007ab610002 CR4: 00000000007706e0 +[ 1760.071976] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1760.079150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1760.086325] PKRU: 55555554 +[ 1760.089044] Call Trace: +[ 1760.091501] +[ 1760.093612] ? show_trace_log_lvl+0x1c4/0x2df +[ 1760.097995] ? show_trace_log_lvl+0x1c4/0x2df +[ 1760.102377] ? __io_wq_cpu_online+0x54/0xb0 +[ 1760.106584] ? __die_body.cold+0x8/0xd +[ 1760.110356] ? page_fault_oops+0x134/0x170 +[ 1760.114479] ? kernelmode_fixup_or_oops+0x84/0x110 +[ 1760.119298] ? exc_page_fault+0xa8/0x150 +[ 1760.123247] ? asm_exc_page_fault+0x22/0x30 +[ 1760.127458] ? __pfx_io_wq_worker_affinity+0x10/0x10 +[ 1760.132453] ? __pfx_io_wq_worker_affinity+0x10/0x10 +[ 1760.137446] ? io_wq_for_each_worker.isra.0+0x24/0xa0 +[ 1760.142527] __io_wq_cpu_online+0x54/0xb0 +[ 1760.146558] cpuhp_invoke_callback+0x109/0x460 +[ 1760.151029] ? __pfx_io_wq_cpu_offline+0x10/0x10 +[ 1760.155673] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 1760.160320] cpuhp_thread_fun+0x8d/0x140 +[ 1760.164266] smpboot_thread_fn+0xd3/0x1a0 +[ 1760.168297] kthread+0xdd/0x100 +[ 1760.171457] ? __pfx_kthread+0x10/0x10 +[ 1760.175225] ret_from_fork+0x29/0x50 +[ 1760.178826] +[ 1760.181022] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc vfat fat dm_multipath intel_rapl_msr intel_rapl_common isst_if_common ipmi_ssif nfit libnvdimm mgag200 i2c_algo_bit ioatdma drm_shmem_helper drm_kms_helper acpi_ipmi syscopyarea x86_pkg_temp_thermal sysfillrect ipmi_si intel_powerclamp sysimgblt ipmi_devintf coretemp acpi_power_meter ipmi_msghandler rapl pcspkr dca intel_pch_thermal intel_cstate ses lpc_ich intel_uncore enclosure hpilo mei_me mei acpi_tad fuse drm xfs sd_mod sg bnx2x nvme nvme_core crct10dif_pclmul crc32_pclmul nvme_common ghash_clmulni_intel smartpqi tg3 t10_pi mdio uas libcrc32c crc32c_intel scsi_transport_sas usb_storage hpwdt wmi dm_mirror dm_region_hash dm_log dm_mod +[ 1760.248623] CR2: ffffffffffffffe8 + +A cpu hotplug callback was issued before wq->all_list was initialized. +This results in a null pointer dereference. The fix is to fully setup +the io_wq before calling cpuhp_state_add_instance_nocalls(). + +Signed-off-by: Jeff Moyer +Link: https://lore.kernel.org/r/x49y1ghnecs.fsf@segfault.boston.devel.redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io-wq.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c +index 2c03bc881edfd..fbab9b2727fde 100644 +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -1130,9 +1130,6 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data) + wq = kzalloc(sizeof(struct io_wq), GFP_KERNEL); + if (!wq) + return ERR_PTR(-ENOMEM); +- ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node); +- if (ret) +- goto err_wq; + + refcount_inc(&data->hash->refs); + wq->hash = data->hash; +@@ -1165,13 +1162,14 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data) + wq->task = get_task_struct(data->task); + atomic_set(&wq->worker_refs, 1); + init_completion(&wq->worker_done); ++ ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node); ++ if (ret) ++ goto err; ++ + return wq; + err: + io_wq_put_hash(data->hash); +- cpuhp_state_remove_instance_nocalls(io_wq_online, &wq->cpuhp_node); +- + free_cpumask_var(wq->cpu_mask); +-err_wq: + kfree(wq); + return ERR_PTR(ret); + } +-- +2.40.1 + diff --git a/queue-6.5/ipv4-fib-send-notify-when-delete-source-address-rout.patch b/queue-6.5/ipv4-fib-send-notify-when-delete-source-address-rout.patch new file mode 100644 index 00000000000..615f6620b26 --- /dev/null +++ b/queue-6.5/ipv4-fib-send-notify-when-delete-source-address-rout.patch @@ -0,0 +1,112 @@ +From 5a9ad11bc741f418763acbc252a8d899afcd8805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 15:55:08 +0800 +Subject: ipv4/fib: send notify when delete source address routes + +From: Hangbin Liu + +[ Upstream commit 4b2b606075e50cdae62ab2356b0a1e206947c354 ] + +After deleting an interface address in fib_del_ifaddr(), the function +scans the fib_info list for stray entries and calls fib_flush() and +fib_table_flush(). Then the stray entries will be deleted silently and no +RTM_DELROUTE notification will be sent. + +This lack of notification can make routing daemons, or monitor like +`ip monitor route` miss the routing changes. e.g. + ++ ip link add dummy1 type dummy ++ ip link add dummy2 type dummy ++ ip link set dummy1 up ++ ip link set dummy2 up ++ ip addr add 192.168.5.5/24 dev dummy1 ++ ip route add 7.7.7.0/24 dev dummy2 src 192.168.5.5 ++ ip -4 route +7.7.7.0/24 dev dummy2 scope link src 192.168.5.5 +192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5 ++ ip monitor route ++ ip addr del 192.168.5.5/24 dev dummy1 +Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5 +Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5 +Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5 + +As Ido reminded, fib_table_flush() isn't only called when an address is +deleted, but also when an interface is deleted or put down. The lack of +notification in these cases is deliberate. And commit 7c6bb7d2faaf +("net/ipv6: Add knob to skip DELROUTE message on device down") introduced +a sysctl to make IPv6 behave like IPv4 in this regard. So we can't send +the route delete notify blindly in fib_table_flush(). + +To fix this issue, let's add a new flag in "struct fib_info" to track the +deleted prefer source address routes, and only send notify for them. + +After update: ++ ip monitor route ++ ip addr del 192.168.5.5/24 dev dummy1 +Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5 +Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5 +Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5 +Deleted 7.7.7.0/24 dev dummy2 scope link src 192.168.5.5 + +Suggested-by: Thomas Haller +Signed-off-by: Hangbin Liu +Acked-by: Nicolas Dichtel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230922075508.848925-1-liuhangbin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip_fib.h | 1 + + net/ipv4/fib_semantics.c | 1 + + net/ipv4/fib_trie.c | 4 ++++ + 3 files changed, 6 insertions(+) + +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index f0c13864180e2..15de07d365405 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -154,6 +154,7 @@ struct fib_info { + int fib_nhs; + bool fib_nh_is_v6; + bool nh_updated; ++ bool pfsrc_removed; + struct nexthop *nh; + struct rcu_head rcu; + struct fib_nh fib_nh[]; +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 894d8ac6b9d0e..5eb1b8d302bbd 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1891,6 +1891,7 @@ int fib_sync_down_addr(struct net_device *dev, __be32 local) + continue; + if (fi->fib_prefsrc == local) { + fi->fib_flags |= RTNH_F_DEAD; ++ fi->pfsrc_removed = true; + ret++; + } + } +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index d13fb9e76b971..9bdfdab906fe0 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2027,6 +2027,7 @@ void fib_table_flush_external(struct fib_table *tb) + int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + { + struct trie *t = (struct trie *)tb->tb_data; ++ struct nl_info info = { .nl_net = net }; + struct key_vector *pn = t->kv; + unsigned long cindex = 1; + struct hlist_node *tmp; +@@ -2089,6 +2090,9 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + + fib_notify_alias_delete(net, n->key, &n->leaf, fa, + NULL); ++ if (fi->pfsrc_removed) ++ rtmsg_fib(RTM_DELROUTE, htonl(n->key), fa, ++ KEYLENGTH - fa->fa_slen, tb->tb_id, &info, 0); + hlist_del_rcu(&fa->fa_list); + fib_release_info(fa->fa_info); + alias_free_mem_rcu(fa); +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5-e-switch-register-event-handler-before-armi.patch b/queue-6.5/net-mlx5-e-switch-register-event-handler-before-armi.patch new file mode 100644 index 00000000000..f915aa2f825 --- /dev/null +++ b/queue-6.5/net-mlx5-e-switch-register-event-handler-before-armi.patch @@ -0,0 +1,91 @@ +From 749a8c06548582ef24307408371bfe77bd65b2ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Aug 2023 13:31:53 +0300 +Subject: net/mlx5: E-switch, register event handler before arming the event + +From: Shay Drory + +[ Upstream commit 7624e58a8b3a251e3e5108b32f2183b34453db32 ] + +Currently, mlx5 is registering event handler for vport context change +event some time after arming the event. this can lead to missing an +event, which will result in wrong rules in the FDB. +Hence, register the event handler before arming the event. + +This solution is valid since FW is sending vport context change event +only on vports which SW armed, and SW arming the vport when enabling +it, which is done after the FDB has been created. + +Fixes: 6933a9379559 ("net/mlx5: E-Switch, Use async events chain") +Signed-off-by: Shay Drory +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 6e9b1b183190d..51afb97b9e452 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1022,11 +1022,8 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev) + return ERR_PTR(err); + } + +-static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw) ++static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + { +- MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE); +- mlx5_eq_notifier_register(esw->dev, &esw->nb); +- + if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) { + MLX5_NB_INIT(&esw->esw_funcs.nb, mlx5_esw_funcs_changed_handler, + ESW_FUNCTIONS_CHANGED); +@@ -1034,13 +1031,11 @@ static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw) + } + } + +-static void mlx5_eswitch_event_handlers_unregister(struct mlx5_eswitch *esw) ++static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { + if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); + +- mlx5_eq_notifier_unregister(esw->dev, &esw->nb); +- + flush_workqueue(esw->work_queue); + } + +@@ -1419,6 +1414,9 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + + mlx5_eswitch_update_num_of_vfs(esw, num_vfs); + ++ MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE); ++ mlx5_eq_notifier_register(esw->dev, &esw->nb); ++ + if (esw->mode == MLX5_ESWITCH_LEGACY) { + err = esw_legacy_enable(esw); + } else { +@@ -1431,7 +1429,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs) + + esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED; + +- mlx5_eswitch_event_handlers_register(esw); ++ mlx5_eswitch_event_handler_register(esw); + + esw_info(esw->dev, "Enable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n", + esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS", +@@ -1558,7 +1556,8 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw) + */ + mlx5_esw_mode_change_notify(esw, MLX5_ESWITCH_LEGACY); + +- mlx5_eswitch_event_handlers_unregister(esw); ++ mlx5_eq_notifier_unregister(esw->dev, &esw->nb); ++ mlx5_eswitch_event_handler_unregister(esw); + + esw_info(esw->dev, "Disable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n", + esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS", +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch b/queue-6.5/net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch new file mode 100644 index 00000000000..5afa3317b1e --- /dev/null +++ b/queue-6.5/net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch @@ -0,0 +1,50 @@ +From 1263f8d35d84879bab0cc8eb74339db0767ad18a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 21:48:30 +0300 +Subject: net/mlx5: Handle fw tracer change ownership event based on MTRC + +From: Maher Sanalla + +[ Upstream commit 92fd39634541eb0a11bf1bafbc8ba92d6ddb8dba ] + +Currently, whenever fw issues a change ownership event, the PF that owns +the fw tracer drops its ownership directly and the other PFs try to pick +up the ownership via what MTRC register suggests. + +In some cases, driver releases the ownership of the tracer and reacquires +it later on. Whenever the driver releases ownership of the tracer, fw +issues a change ownership event. This event can be delayed and come after +driver has reacquired ownership of the tracer. Thus the late event will +trigger the tracer owner PF to release the ownership again and lead to a +scenario where no PF is owning the tracer. + +To prevent the scenario described above, when handling a change +ownership event, do not drop ownership of the tracer directly, instead +read the fw MTRC register to retrieve the up-to-date owner of the tracer +and set it accordingly in driver level. + +Fixes: f53aaa31cce7 ("net/mlx5: FW tracer, implement tracer logic") +Signed-off-by: Maher Sanalla +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 7c0f2adbea000..ad789349c06e6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -848,7 +848,7 @@ static void mlx5_fw_tracer_ownership_change(struct work_struct *work) + + mlx5_core_dbg(tracer->dev, "FWTracer: ownership changed, current=(%d)\n", tracer->owner); + if (tracer->owner) { +- tracer->owner = false; ++ mlx5_fw_tracer_ownership_acquire(tracer); + return; + } + +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-don-t-offload-internal-port-if-filter-devi.patch b/queue-6.5/net-mlx5e-don-t-offload-internal-port-if-filter-devi.patch new file mode 100644 index 00000000000..7546d9989fd --- /dev/null +++ b/queue-6.5/net-mlx5e-don-t-offload-internal-port-if-filter-devi.patch @@ -0,0 +1,46 @@ +From ccfcc99f7c365dfe4ef8804767004c156d2e9fb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 02:28:47 +0000 +Subject: net/mlx5e: Don't offload internal port if filter device is out device + +From: Jianbo Liu + +[ Upstream commit 06b4eac9c4beda520b8a4dbbb8e33dba9d1c8fba ] + +In the cited commit, if the routing device is ovs internal port, the +out device is set to uplink, and packets go out after encapsulation. + +If filter device is uplink, it can trigger the following syndrome: +mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 3966): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0xcdb051), err(-22) + +Fix this issue by not offloading internal port if filter device is out +device. In this case, packets are not forwarded to the root table to +be processed, the termination table is used instead to forward them +from uplink to uplink. + +Fixes: 100ad4e2d758 ("net/mlx5e: Offload internal port as encap route device") +Signed-off-by: Jianbo Liu +Reviewed-by: Ariel Levkovich +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +index 1730f6a716eea..b10e40e1a9c14 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c +@@ -24,7 +24,8 @@ static int mlx5e_set_int_port_tunnel(struct mlx5e_priv *priv, + + route_dev = dev_get_by_index(dev_net(e->out_dev), e->route_dev_ifindex); + +- if (!route_dev || !netif_is_ovs_master(route_dev)) ++ if (!route_dev || !netif_is_ovs_master(route_dev) || ++ attr->parse_attr->filter_dev == e->out_dev) + goto out; + + err = mlx5e_set_fwd_to_int_port_actions(priv, attr, e->route_dev_ifindex, +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-fix-vf-representors-reporting-zero-counter.patch b/queue-6.5/net-mlx5e-fix-vf-representors-reporting-zero-counter.patch new file mode 100644 index 00000000000..209d440c56b --- /dev/null +++ b/queue-6.5/net-mlx5e-fix-vf-representors-reporting-zero-counter.patch @@ -0,0 +1,91 @@ +From d68608aa198d301df50f1dacc84351884f754835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 18:26:47 +0300 +Subject: net/mlx5e: Fix VF representors reporting zero counters to "ip -s" + command + +From: Amir Tzin + +[ Upstream commit 80f1241484dd1b1d4eab1a0211d52ec2bd83e2f1 ] + +Although vf_vport entry of struct mlx5e_stats is never updated, its +values are mistakenly copied to the caller structure in the VF +representor .ndo_get_stat_64 callback mlx5e_rep_get_stats(). Remove +redundant entry and use the updated one, rep_stats, instead. + +Fixes: 64b68e369649 ("net/mlx5: Refactor and expand rep vport stat group") +Reviewed-by: Patrisious Haddad +Signed-off-by: Amir Tzin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 11 ++++++++++- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +++-- + 3 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 5bdd2d09a8d5c..0cd44ef190058 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -704,7 +704,7 @@ mlx5e_rep_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) + + /* update HW stats in background for next time */ + mlx5e_queue_update_stats(priv); +- memcpy(stats, &priv->stats.vf_vport, sizeof(*stats)); ++ mlx5e_stats_copy_rep_stats(stats, &priv->stats.rep_stats); + } + + static int mlx5e_rep_change_mtu(struct net_device *netdev, int new_mtu) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +index 1ff8a06027dcf..67938b4ea1b90 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h +@@ -475,11 +475,20 @@ struct mlx5e_stats { + struct mlx5e_vnic_env_stats vnic; + struct mlx5e_vport_stats vport; + struct mlx5e_pport_stats pport; +- struct rtnl_link_stats64 vf_vport; + struct mlx5e_pcie_stats pcie; + struct mlx5e_rep_stats rep_stats; + }; + ++static inline void mlx5e_stats_copy_rep_stats(struct rtnl_link_stats64 *vf_vport, ++ struct mlx5e_rep_stats *rep_stats) ++{ ++ memset(vf_vport, 0, sizeof(*vf_vport)); ++ vf_vport->rx_packets = rep_stats->vport_rx_packets; ++ vf_vport->tx_packets = rep_stats->vport_tx_packets; ++ vf_vport->rx_bytes = rep_stats->vport_rx_bytes; ++ vf_vport->tx_bytes = rep_stats->vport_tx_bytes; ++} ++ + extern mlx5e_stats_grp_t mlx5e_nic_stats_grps[]; + unsigned int mlx5e_nic_stats_grps_num(struct mlx5e_priv *priv); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 4b22a91482cec..5797d8607633e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -4931,7 +4931,8 @@ static int scan_tc_matchall_fdb_actions(struct mlx5e_priv *priv, + if (err) + return err; + +- rpriv->prev_vf_vport_stats = priv->stats.vf_vport; ++ mlx5e_stats_copy_rep_stats(&rpriv->prev_vf_vport_stats, ++ &priv->stats.rep_stats); + break; + default: + NL_SET_ERR_MSG_MOD(extack, "mlx5 supports only police action for matchall"); +@@ -4971,7 +4972,7 @@ void mlx5e_tc_stats_matchall(struct mlx5e_priv *priv, + u64 dbytes; + u64 dpkts; + +- cur_stats = priv->stats.vf_vport; ++ mlx5e_stats_copy_rep_stats(&cur_stats, &priv->stats.rep_stats); + dpkts = cur_stats.rx_packets - rpriv->prev_vf_vport_stats.rx_packets; + dbytes = cur_stats.rx_bytes - rpriv->prev_vf_vport_stats.rx_bytes; + rpriv->prev_vf_vport_stats = cur_stats; +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch b/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch new file mode 100644 index 00000000000..e9d6d695b29 --- /dev/null +++ b/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch @@ -0,0 +1,69 @@ +From 951bdb85da9f5b09f6d953b408bfdc644ecbd1dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Oct 2023 14:05:29 +0300 +Subject: net/mlx5e: RX, Fix page_pool allocation failure recovery for striding + rq + +From: Dragos Tatulea + +[ Upstream commit be43b7489a3c4702799e50179da69c3df7d6899b ] + +When a page allocation fails during refill in mlx5e_post_rx_mpwqes, the +page will be released again on the next refill call. This triggers the +page_pool negative page fragment count warning below: + + [ 2436.447717] WARNING: CPU: 1 PID: 2419 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + ... + [ 2436.447895] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 2436.447991] Call Trace: + [ 2436.447975] mlx5e_post_rx_mpwqes+0x1d5/0xcf0 [mlx5_core] + [ 2436.447994] + [ 2436.447996] ? __warn+0x7d/0x120 + [ 2436.448009] ? mlx5e_handle_rx_cqe_mpwrq+0x109/0x1d0 [mlx5_core] + [ 2436.448002] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 2436.448044] ? mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] + [ 2436.448061] ? report_bug+0x155/0x180 + [ 2436.448065] ? handle_bug+0x36/0x70 + [ 2436.448067] ? exc_invalid_op+0x13/0x60 + [ 2436.448070] ? asm_exc_invalid_op+0x16/0x20 + [ 2436.448079] mlx5e_napi_poll+0x122/0x6b0 [mlx5_core] + [ 2436.448077] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 2436.448113] ? generic_exec_single+0x35/0x100 + [ 2436.448117] __napi_poll+0x25/0x1a0 + [ 2436.448120] net_rx_action+0x28a/0x300 + [ 2436.448122] __do_softirq+0xcd/0x279 + [ 2436.448126] irq_exit_rcu+0x6a/0x90 + [ 2436.448128] sysvec_apic_timer_interrupt+0x6e/0x90 + [ 2436.448130] + +This patch fixes the striding rq case by setting the skip flag on all +the wqe pages that were expected to have new pages allocated. + +Fixes: 4c2a13236807 ("net/mlx5e: RX, Defer page release in striding rq for better recycling") +Tested-by: Chris Mason +Reported-by: Chris Mason +Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com +Signed-off-by: Dragos Tatulea +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 41d37159e027b..0b558db1a9455 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -816,6 +816,8 @@ static int mlx5e_alloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix) + mlx5e_page_release_fragmented(rq, frag_page); + } + ++ bitmap_fill(wi->skip_release_bitmap, rq->mpwqe.pages_per_wqe); ++ + err: + rq->stats->buff_alloc_err++; + +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch-32687 b/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch-32687 new file mode 100644 index 00000000000..b2142564c0e --- /dev/null +++ b/queue-6.5/net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch-32687 @@ -0,0 +1,111 @@ +From dbf09386026a5d75f89f47d9f3c92de026fad3f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 17:31:49 +0300 +Subject: net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy + rq + +From: Dragos Tatulea + +[ Upstream commit ef9369e9c30846f5e052a11ccc70e1f6b8dc557a ] + +When a page allocation fails during refill in mlx5e_refill_rx_wqes, the +page will be released again on the next refill call. This triggers the +page_pool negative page fragment count warning below: + + [ 338.326070] WARNING: CPU: 4 PID: 0 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + ... + [ 338.328993] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 338.329094] Call Trace: + [ 338.329097] + [ 338.329100] ? __warn+0x7d/0x120 + [ 338.329105] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 338.329173] ? report_bug+0x155/0x180 + [ 338.329179] ? handle_bug+0x3c/0x60 + [ 338.329183] ? exc_invalid_op+0x13/0x60 + [ 338.329187] ? asm_exc_invalid_op+0x16/0x20 + [ 338.329192] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core] + [ 338.329259] mlx5e_post_rx_wqes+0x210/0x5a0 [mlx5_core] + [ 338.329327] ? mlx5e_poll_rx_cq+0x88/0x6f0 [mlx5_core] + [ 338.329394] mlx5e_napi_poll+0x127/0x6b0 [mlx5_core] + [ 338.329461] __napi_poll+0x25/0x1a0 + [ 338.329465] net_rx_action+0x28a/0x300 + [ 338.329468] __do_softirq+0xcd/0x279 + [ 338.329473] irq_exit_rcu+0x6a/0x90 + [ 338.329477] common_interrupt+0x82/0xa0 + [ 338.329482] + +This patch fixes the legacy rq case by releasing all allocated fragments +and then setting the skip flag on all released fragments. It is +important to note that the number of released fragments will be higher +than the number of allocated fragments when an allocation error occurs. + +Fixes: 3f93f82988bc ("net/mlx5e: RX, Defer page release in legacy rq for better recycling") +Tested-by: Chris Mason +Reported-by: Chris Mason +Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com +Signed-off-by: Dragos Tatulea +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rx.c | 33 ++++++++++++++----- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 0b558db1a9455..5df970e6e29d5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -457,26 +457,41 @@ static int mlx5e_alloc_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk) + static int mlx5e_refill_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk) + { + int remaining = wqe_bulk; +- int i = 0; ++ int total_alloc = 0; ++ int refill_alloc; ++ int refill; + + /* The WQE bulk is split into smaller bulks that are sized + * according to the page pool cache refill size to avoid overflowing + * the page pool cache due to too many page releases at once. + */ + do { +- int refill = min_t(u16, rq->wqe.info.refill_unit, remaining); +- int alloc_count; ++ refill = min_t(u16, rq->wqe.info.refill_unit, remaining); + +- mlx5e_free_rx_wqes(rq, ix + i, refill); +- alloc_count = mlx5e_alloc_rx_wqes(rq, ix + i, refill); +- i += alloc_count; +- if (unlikely(alloc_count != refill)) +- break; ++ mlx5e_free_rx_wqes(rq, ix + total_alloc, refill); ++ refill_alloc = mlx5e_alloc_rx_wqes(rq, ix + total_alloc, refill); ++ if (unlikely(refill_alloc != refill)) ++ goto err_free; + ++ total_alloc += refill_alloc; + remaining -= refill; + } while (remaining); + +- return i; ++ return total_alloc; ++ ++err_free: ++ mlx5e_free_rx_wqes(rq, ix, total_alloc + refill_alloc); ++ ++ for (int i = 0; i < total_alloc + refill; i++) { ++ int j = mlx5_wq_cyc_ctr2ix(&rq->wqe.wq, ix + i); ++ struct mlx5e_wqe_frag_info *frag; ++ ++ frag = get_frag(rq, j); ++ for (int k = 0; k < rq->wqe.info.num_frags; k++, frag++) ++ frag->flags |= BIT(MLX5E_WQE_FRAG_SKIP_RELEASE); ++ } ++ ++ return 0; + } + + static void +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-take-rtnl-lock-before-triggering-netdev-no.patch b/queue-6.5/net-mlx5e-take-rtnl-lock-before-triggering-netdev-no.patch new file mode 100644 index 00000000000..41bc09c3203 --- /dev/null +++ b/queue-6.5/net-mlx5e-take-rtnl-lock-before-triggering-netdev-no.patch @@ -0,0 +1,143 @@ +From d1238c12445f52f3100e7eb32243487f13ba7b54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 10:06:24 +0300 +Subject: net/mlx5e: Take RTNL lock before triggering netdev notifiers + +From: Lama Kayal + +[ Upstream commit c51c673462a266fb813cf189f8190798a12d3124 ] + +Hold RTNL lock when calling xdp_set_features() with a registered netdev, +as the call triggers the netdev notifiers. This could happen when +switching from nic profile to uplink representor for example. + +Similar logic which fixed a similar scenario was previously introduced in +the following commit: +commit 72cc65497065 net/mlx5e: Take RTNL lock when needed before calling +xdp_set_features(). + +This fixes the following assertion and warning call trace: + +RTNL: assertion failed at net/core/dev.c (1961) +WARNING: CPU: 13 PID: 2529 at net/core/dev.c:1961 +call_netdevice_notifiers_info+0x7c/0x80 +Modules linked in: rpcrdma rdma_ucm ib_iser libiscsi +scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib +ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink +nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 +auth_rpcgss oid_registry overlay mlx5_core zram zsmalloc fuse +CPU: 13 PID: 2529 Comm: devlink Not tainted +6.5.0_for_upstream_min_debug_2023_09_07_20_04 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80 +Code: 8f ff 80 3d 77 0d 16 01 00 75 c5 ba a9 07 00 00 48 +c7 c6 c4 bb 0d 82 48 c7 c7 18 c8 06 82 c6 05 5b 0d 16 01 01 e8 44 f6 8c +ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec +RSP: 0018:ffff88819930f7f0 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffffffff8309f740 RCX: 0000000000000027 +RDX: ffff88885fb5b5c8 RSI: 0000000000000001 RDI: ffff88885fb5b5c0 +RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003 +R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff88819930f810 +R13: ffff88810b7fea40 R14: ffff8881154e8fd8 R15: ffff888107e881a0 +FS: 00007f3ad248f800(0000) GS:ffff88885fb40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000563b85f164e0 CR3: 0000000113b5c006 CR4: 0000000000370ea0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __warn+0x79/0x120 + ? call_netdevice_notifiers_info+0x7c/0x80 + ? report_bug+0x17c/0x190 + ? handle_bug+0x3c/0x60 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? call_netdevice_notifiers_info+0x7c/0x80 + call_netdevice_notifiers+0x2e/0x50 + mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core] + mlx5e_build_rep_params+0x97/0x130 [mlx5_core] + mlx5e_init_ul_rep+0x9f/0x100 [mlx5_core] + mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core] + mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core] + mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core] + mlx5e_vport_rep_load+0x329/0x4a0 [mlx5_core] + mlx5_esw_offloads_rep_load+0x9e/0xf0 [mlx5_core] + esw_offloads_enable+0x4bc/0xe90 [mlx5_core] + mlx5_eswitch_enable_locked+0x3c8/0x570 [mlx5_core] + ? kmalloc_trace+0x25/0x80 + mlx5_devlink_eswitch_mode_set+0x224/0x680 [mlx5_core] + ? devlink_get_from_attrs_lock+0x9e/0x110 + devlink_nl_cmd_eswitch_set_doit+0x60/0xe0 + genl_family_rcv_msg_doit+0xd0/0x120 + genl_rcv_msg+0x180/0x2b0 + ? devlink_get_from_attrs_lock+0x110/0x110 + ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290 + ? devlink_pernet_pre_exit+0xf0/0xf0 + ? genl_family_rcv_msg_dumpit+0xf0/0xf0 + netlink_rcv_skb+0x54/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x1fc/0x2c0 + netlink_sendmsg+0x232/0x4a0 + sock_sendmsg+0x38/0x60 + ? _copy_from_user+0x2a/0x60 + __sys_sendto+0x110/0x160 + ? handle_mm_fault+0x161/0x260 + ? do_user_addr_fault+0x276/0x620 + __x64_sys_sendto+0x20/0x30 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +RIP: 0033:0x7f3ad231340a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 +0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f +05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffd70aad4b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000c36b00 RCX:00007f3ad231340a +RDX: 0000000000000038 RSI: 0000000000c36b00 RDI: 0000000000000003 +RBP: 0000000000c36910 R08: 00007f3ad2625200 R09: 000000000000000c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001 + +---[ end trace 0000000000000000 ]--- +------------[ cut here ]------------ + +Fixes: 4d5ab0ad964d ("net/mlx5e: take into account device reconfiguration for xdp_features flag") +Signed-off-by: Lama Kayal +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 99b3843396f33..5bdd2d09a8d5c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -772,6 +772,7 @@ static int mlx5e_rep_max_nch_limit(struct mlx5_core_dev *mdev) + + static void mlx5e_build_rep_params(struct net_device *netdev) + { ++ const bool take_rtnl = netdev->reg_state == NETREG_REGISTERED; + struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5e_rep_priv *rpriv = priv->ppriv; + struct mlx5_eswitch_rep *rep = rpriv->rep; +@@ -797,8 +798,15 @@ static void mlx5e_build_rep_params(struct net_device *netdev) + /* RQ */ + mlx5e_build_rq_params(mdev, params); + ++ /* If netdev is already registered (e.g. move from nic profile to uplink, ++ * RTNL lock must be held before triggering netdev notifiers. ++ */ ++ if (take_rtnl) ++ rtnl_lock(); + /* update XDP supported features */ + mlx5e_set_xdp_feature(netdev); ++ if (take_rtnl) ++ rtnl_unlock(); + + /* CQ moderation params */ + params->rx_dim_enabled = MLX5_CAP_GEN(mdev, cq_moderation); +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-xdp-fix-xdp_redirect-mpwqe-page-fragment-l.patch b/queue-6.5/net-mlx5e-xdp-fix-xdp_redirect-mpwqe-page-fragment-l.patch new file mode 100644 index 00000000000..a319cba4315 --- /dev/null +++ b/queue-6.5/net-mlx5e-xdp-fix-xdp_redirect-mpwqe-page-fragment-l.patch @@ -0,0 +1,52 @@ +From f68cfbdf7627eb23955163f4131ba02a4e5439ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 17:50:18 +0300 +Subject: net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on + shutdown + +From: Dragos Tatulea + +[ Upstream commit aaab619ccd07a32e5b29aa7e59b20de1dcc7a29e ] + +When mlx5e_xdp_xmit is called without the XDP_XMIT_FLUSH set it is +possible that it leaves a mpwqe session open. That is ok during runtime: +the session will be closed on the next call to mlx5e_xdp_xmit. But +having a mpwqe session still open at XDP sq close time is problematic: +the pc counter is not updated before flushing the contents of the +xdpi_fifo. This results in leaking page fragments. + +The fix is to always close the mpwqe session at the end of +mlx5e_xdp_xmit, regardless of the XDP_XMIT_FLUSH flag being set or not. + +Fixes: 5e0d2eef771e ("net/mlx5e: XDP, Support Enhanced Multi-Packet TX WQE") +Signed-off-by: Dragos Tatulea +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +index 40589cebb7730..4fd4c9febab95 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +@@ -873,11 +873,11 @@ int mlx5e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, + } + + out: +- if (flags & XDP_XMIT_FLUSH) { +- if (sq->mpwqe.wqe) +- mlx5e_xdp_mpwqe_complete(sq); ++ if (sq->mpwqe.wqe) ++ mlx5e_xdp_mpwqe_complete(sq); ++ ++ if (flags & XDP_XMIT_FLUSH) + mlx5e_xmit_xdp_doorbell(sq); +- } + + return nxmit; + } +-- +2.40.1 + diff --git a/queue-6.5/net-move-altnames-together-with-the-netdevice.patch b/queue-6.5/net-move-altnames-together-with-the-netdevice.patch new file mode 100644 index 00000000000..5b5c0a408bc --- /dev/null +++ b/queue-6.5/net-move-altnames-together-with-the-netdevice.patch @@ -0,0 +1,101 @@ +From a4b3867e7b8f208e720e8084fce3a8c783f35150 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 18:38:16 -0700 +Subject: net: move altnames together with the netdevice + +From: Jakub Kicinski + +[ Upstream commit 8e15aee621618a3ee3abecaf1fd8c1428098b7ef ] + +The altname nodes are currently not moved to the new netns +when netdevice itself moves: + + [ ~]# ip netns add test + [ ~]# ip -netns test link add name eth0 type dummy + [ ~]# ip -netns test link property add dev eth0 altname some-name + [ ~]# ip -netns test link show dev some-name + 2: eth0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 1e:67:ed:19:3d:24 brd ff:ff:ff:ff:ff:ff + altname some-name + [ ~]# ip -netns test link set dev eth0 netns 1 + [ ~]# ip link + ... + 3: eth0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff + altname some-name + [ ~]# ip li show dev some-name + Device "some-name" does not exist. + +Remove them from the hash table when device is unlisted +and add back when listed again. + +Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames") +Reviewed-by: Jiri Pirko +Signed-off-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index a450234f68a54..b1ba00e57a1ab 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -379,6 +379,7 @@ static void netdev_name_node_alt_flush(struct net_device *dev) + /* Device list insertion */ + static void list_netdevice(struct net_device *dev) + { ++ struct netdev_name_node *name_node; + struct net *net = dev_net(dev); + + ASSERT_RTNL(); +@@ -389,6 +390,10 @@ static void list_netdevice(struct net_device *dev) + hlist_add_head_rcu(&dev->index_hlist, + dev_index_hash(net, dev->ifindex)); + write_unlock(&dev_base_lock); ++ ++ netdev_for_each_altname(dev, name_node) ++ netdev_name_node_add(net, name_node); ++ + /* We reserved the ifindex, this can't fail */ + WARN_ON(xa_store(&net->dev_by_index, dev->ifindex, dev, GFP_KERNEL)); + +@@ -400,12 +405,16 @@ static void list_netdevice(struct net_device *dev) + */ + static void unlist_netdevice(struct net_device *dev, bool lock) + { ++ struct netdev_name_node *name_node; + struct net *net = dev_net(dev); + + ASSERT_RTNL(); + + xa_erase(&net->dev_by_index, dev->ifindex); + ++ netdev_for_each_altname(dev, name_node) ++ netdev_name_node_del(name_node); ++ + /* Unlink dev from the device chain */ + if (lock) + write_lock(&dev_base_lock); +@@ -10873,7 +10882,6 @@ void unregister_netdevice_many_notify(struct list_head *head, + synchronize_net(); + + list_for_each_entry(dev, head, unreg_list) { +- struct netdev_name_node *name_node; + struct sk_buff *skb = NULL; + + /* Shutdown queueing discipline. */ +@@ -10901,9 +10909,6 @@ void unregister_netdevice_many_notify(struct list_head *head, + dev_uc_flush(dev); + dev_mc_flush(dev); + +- netdev_for_each_altname(dev, name_node) +- netdev_name_node_del(name_node); +- synchronize_rcu(); + netdev_name_node_alt_flush(dev); + netdev_name_node_free(dev->name_node); + +-- +2.40.1 + diff --git a/queue-6.5/net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch b/queue-6.5/net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch new file mode 100644 index 00000000000..09d45dee612 --- /dev/null +++ b/queue-6.5/net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch @@ -0,0 +1,105 @@ +From 61576515c6913e1ae2c4e7c01d832b985f66500e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 15:48:51 +0800 +Subject: net/smc: fix smc clc failed issue when netdevice not in init_net + +From: Albert Huang + +[ Upstream commit c68681ae46eaaa1640b52fe366d21a93b2185df5 ] + +If the netdevice is within a container and communicates externally +through network technologies such as VxLAN, we won't be able to find +routing information in the init_net namespace. To address this issue, +we need to add a struct net parameter to the smc_ib_find_route function. +This allow us to locate the routing information within the corresponding +net namespace, ensuring the correct completion of the SMC CLC interaction. + +Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment") +Signed-off-by: Albert Huang +Reviewed-by: Dust Li +Reviewed-by: Wenjia Zhang +Link: https://lore.kernel.org/r/20231011074851.95280-1-huangjie.albert@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 3 ++- + net/smc/smc_ib.c | 7 ++++--- + net/smc/smc_ib.h | 2 +- + 3 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index fa7b8015cd7bb..01bd576ffa5e1 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + (struct smc_clc_msg_accept_confirm_v2 *)aclc; + struct smc_clc_first_contact_ext *fce = + smc_get_clc_first_contact_ext(clc_v2, false); ++ struct net *net = sock_net(&smc->sk); + int rc; + + if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1) +@@ -1208,7 +1209,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + memcpy(ini->smcrv2.nexthop_mac, &aclc->r0.lcl.mac, ETH_ALEN); + ini->smcrv2.uses_gateway = false; + } else { +- if (smc_ib_find_route(smc->clcsock->sk->sk_rcv_saddr, ++ if (smc_ib_find_route(net, smc->clcsock->sk->sk_rcv_saddr, + smc_ib_gid_to_ipv4(aclc->r0.lcl.gid), + ini->smcrv2.nexthop_mac, + &ini->smcrv2.uses_gateway)) +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index 9b66d6aeeb1ae..89981dbe46c94 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -193,7 +193,7 @@ bool smc_ib_port_active(struct smc_ib_device *smcibdev, u8 ibport) + return smcibdev->pattr[ibport - 1].state == IB_PORT_ACTIVE; + } + +-int smc_ib_find_route(__be32 saddr, __be32 daddr, ++int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr, + u8 nexthop_mac[], u8 *uses_gateway) + { + struct neighbour *neigh = NULL; +@@ -205,7 +205,7 @@ int smc_ib_find_route(__be32 saddr, __be32 daddr, + + if (daddr == cpu_to_be32(INADDR_NONE)) + goto out; +- rt = ip_route_output_flow(&init_net, &fl4, NULL); ++ rt = ip_route_output_flow(net, &fl4, NULL); + if (IS_ERR(rt)) + goto out; + if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET) +@@ -235,6 +235,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev, + if (smcrv2 && attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP && + smc_ib_gid_to_ipv4((u8 *)&attr->gid) != cpu_to_be32(INADDR_NONE)) { + struct in_device *in_dev = __in_dev_get_rcu(ndev); ++ struct net *net = dev_net(ndev); + const struct in_ifaddr *ifa; + bool subnet_match = false; + +@@ -248,7 +249,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev, + } + if (!subnet_match) + goto out; +- if (smcrv2->daddr && smc_ib_find_route(smcrv2->saddr, ++ if (smcrv2->daddr && smc_ib_find_route(net, smcrv2->saddr, + smcrv2->daddr, + smcrv2->nexthop_mac, + &smcrv2->uses_gateway)) +diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h +index 034295676e881..ebcb05ede7f55 100644 +--- a/net/smc/smc_ib.h ++++ b/net/smc/smc_ib.h +@@ -113,7 +113,7 @@ void smc_ib_sync_sg_for_device(struct smc_link *lnk, + int smc_ib_determine_gid(struct smc_ib_device *smcibdev, u8 ibport, + unsigned short vlan_id, u8 gid[], u8 *sgid_index, + struct smc_init_info_smcrv2 *smcrv2); +-int smc_ib_find_route(__be32 saddr, __be32 daddr, ++int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr, + u8 nexthop_mac[], u8 *uses_gateway); + bool smc_ib_is_valid_local_systemid(void); + int smcr_nl_get_device(struct sk_buff *skb, struct netlink_callback *cb); +-- +2.40.1 + diff --git a/queue-6.5/net-smc-support-smc-release-version-negotiation-in-c.patch b/queue-6.5/net-smc-support-smc-release-version-negotiation-in-c.patch new file mode 100644 index 00000000000..23d2faab294 --- /dev/null +++ b/queue-6.5/net-smc-support-smc-release-version-negotiation-in-c.patch @@ -0,0 +1,243 @@ +From a1e70723561808918567b223a81c29b808e3b664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 21:20:27 +0800 +Subject: net/smc: support smc release version negotiation in clc handshake + +From: Guangguan Wang + +[ Upstream commit 1e700948c9db0d09f691f715e8f4b947e51e35b5 ] + +Support smc release version negotiation in clc handshake based on +SMC v2, where no negotiation process for different releases, but +for different versions. The latest smc release version was updated +to v2.1. And currently there are two release versions of SMCv2, v2.0 +and v2.1. In the release version negotiation, client sends the preferred +release version by CLC Proposal Message, server makes decision for which +release version to use based on the client preferred release version and +self-supported release version (here choose the minimum release version +of the client preferred and server latest supported), then the decision +returns to client by CLC Accept Message. Client confirms the decision by +CLC Confirm Message. + +Client Server + Proposal(preferred release version) + ------------------------------------> + + Accept(accpeted release version) + min(client preferred, server latest supported) + <------------------------------------ + + Confirm(accpeted release version) + ------------------------------------> + +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Reviewed-by: Jan Karcher +Signed-off-by: David S. Miller +Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 21 +++++++++++++++++---- + net/smc/smc.h | 5 ++++- + net/smc/smc_clc.c | 14 +++++++------- + net/smc/smc_clc.h | 23 ++++++++++++++++++++++- + net/smc/smc_core.h | 1 + + 5 files changed, 51 insertions(+), 13 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index c0e4e587b4994..077e5864fc441 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1198,8 +1198,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + struct smc_clc_msg_accept_confirm_v2 *clc_v2 = + (struct smc_clc_msg_accept_confirm_v2 *)aclc; + struct smc_clc_first_contact_ext *fce = +- (struct smc_clc_first_contact_ext *) +- (((u8 *)clc_v2) + sizeof(*clc_v2)); ++ smc_get_clc_first_contact_ext(clc_v2, false); + + if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1) + return 0; +@@ -1218,6 +1217,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + return SMC_CLC_DECL_NOINDIRECT; + } + } ++ ++ ini->release_nr = fce->release; ++ + return 0; + } + +@@ -1386,6 +1388,13 @@ static int smc_connect_ism(struct smc_sock *smc, + struct smc_clc_msg_accept_confirm_v2 *aclc_v2 = + (struct smc_clc_msg_accept_confirm_v2 *)aclc; + ++ if (ini->first_contact_peer) { ++ struct smc_clc_first_contact_ext *fce = ++ smc_get_clc_first_contact_ext(aclc_v2, true); ++ ++ ini->release_nr = fce->release; ++ } ++ + rc = smc_v2_determine_accepted_chid(aclc_v2, ini); + if (rc) + return rc; +@@ -1420,7 +1429,7 @@ static int smc_connect_ism(struct smc_sock *smc, + } + + rc = smc_clc_send_confirm(smc, ini->first_contact_local, +- aclc->hdr.version, eid, NULL); ++ aclc->hdr.version, eid, ini); + if (rc) + goto connect_abort; + mutex_unlock(&smc_server_lgr_pending); +@@ -1996,6 +2005,10 @@ static int smc_listen_v2_check(struct smc_sock *new_smc, + } + } + ++ ini->release_nr = pclc_v2_ext->hdr.flag.release; ++ if (pclc_v2_ext->hdr.flag.release > SMC_RELEASE) ++ ini->release_nr = SMC_RELEASE; ++ + out: + if (!ini->smcd_version && !ini->smcr_version) + return rc; +@@ -2443,7 +2456,7 @@ static void smc_listen_work(struct work_struct *work) + /* send SMC Accept CLC message */ + accept_version = ini->is_smcd ? ini->smcd_version : ini->smcr_version; + rc = smc_clc_send_accept(new_smc, ini->first_contact_local, +- accept_version, ini->negotiated_eid); ++ accept_version, ini->negotiated_eid, ini); + if (rc) + goto out_unlock; + +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 1f2b912c43d10..24745fde4ac26 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -21,7 +21,10 @@ + + #define SMC_V1 1 /* SMC version V1 */ + #define SMC_V2 2 /* SMC version V2 */ +-#define SMC_RELEASE 0 ++ ++#define SMC_RELEASE_0 0 ++#define SMC_RELEASE_1 1 ++#define SMC_RELEASE SMC_RELEASE_1 /* the latest release version */ + + #define SMCPROTO_SMC 0 /* SMC protocol, IPv4 */ + #define SMCPROTO_SMC6 1 /* SMC protocol, IPv6 */ +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index c90d9e5dda540..fb0be0817e8a5 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -420,11 +420,11 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc) + return true; + } + +-static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len) ++static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len, int release_nr) + { + memset(fce, 0, sizeof(*fce)); + fce->os_type = SMC_CLC_OS_LINUX; +- fce->release = SMC_RELEASE; ++ fce->release = release_nr; + memcpy(fce->hostname, smc_hostname, sizeof(smc_hostname)); + (*len) += sizeof(*fce); + } +@@ -1019,7 +1019,7 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc, + memcpy(clc_v2->d1.eid, eid, SMC_MAX_EID_LEN); + len = SMCD_CLC_ACCEPT_CONFIRM_LEN_V2; + if (first_contact) +- smc_clc_fill_fce(&fce, &len); ++ smc_clc_fill_fce(&fce, &len, ini->release_nr); + clc_v2->hdr.length = htons(len); + } + memcpy(trl.eyecatcher, SMCD_EYECATCHER, +@@ -1063,10 +1063,10 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc, + memcpy(clc_v2->r1.eid, eid, SMC_MAX_EID_LEN); + len = SMCR_CLC_ACCEPT_CONFIRM_LEN_V2; + if (first_contact) { +- smc_clc_fill_fce(&fce, &len); ++ smc_clc_fill_fce(&fce, &len, ini->release_nr); + fce.v2_direct = !link->lgr->uses_gateway; + memset(&gle, 0, sizeof(gle)); +- if (ini && clc->hdr.type == SMC_CLC_CONFIRM) { ++ if (clc->hdr.type == SMC_CLC_CONFIRM) { + gle.gid_cnt = ini->smcrv2.gidlist.len; + len += sizeof(gle); + len += gle.gid_cnt * sizeof(gle.gid[0]); +@@ -1141,7 +1141,7 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact, + + /* send CLC ACCEPT message across internal TCP socket */ + int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact, +- u8 version, u8 *negotiated_eid) ++ u8 version, u8 *negotiated_eid, struct smc_init_info *ini) + { + struct smc_clc_msg_accept_confirm_v2 aclc_v2; + int len; +@@ -1149,7 +1149,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact, + memset(&aclc_v2, 0, sizeof(aclc_v2)); + aclc_v2.hdr.type = SMC_CLC_ACCEPT; + len = smc_clc_send_confirm_accept(new_smc, &aclc_v2, srv_first_contact, +- version, negotiated_eid, NULL); ++ version, negotiated_eid, ini); + if (len < ntohs(aclc_v2.hdr.length)) + len = len >= 0 ? -EPROTO : -new_smc->clcsock->sk->sk_err; + +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index 5fee545c9a109..b923e89acafb0 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -370,6 +370,27 @@ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext) + ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)); + } + ++static inline struct smc_clc_first_contact_ext * ++smc_get_clc_first_contact_ext(struct smc_clc_msg_accept_confirm_v2 *clc_v2, ++ bool is_smcd) ++{ ++ int clc_v2_len; ++ ++ if (clc_v2->hdr.version == SMC_V1 || ++ !(clc_v2->hdr.typev2 & SMC_FIRST_CONTACT_MASK)) ++ return NULL; ++ ++ if (is_smcd) ++ clc_v2_len = ++ offsetofend(struct smc_clc_msg_accept_confirm_v2, d1); ++ else ++ clc_v2_len = ++ offsetofend(struct smc_clc_msg_accept_confirm_v2, r1); ++ ++ return (struct smc_clc_first_contact_ext *)(((u8 *)clc_v2) + ++ clc_v2_len); ++} ++ + struct smcd_dev; + struct smc_init_info; + +@@ -382,7 +403,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini); + int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact, + u8 version, u8 *eid, struct smc_init_info *ini); + int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact, +- u8 version, u8 *negotiated_eid); ++ u8 version, u8 *negotiated_eid, struct smc_init_info *ini); + void smc_clc_init(void) __init; + void smc_clc_exit(void); + void smc_clc_get_hostname(u8 **host); +diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h +index 1645fba0d2d38..5bbc16f851e05 100644 +--- a/net/smc/smc_core.h ++++ b/net/smc/smc_core.h +@@ -374,6 +374,7 @@ struct smc_init_info { + u8 is_smcd; + u8 smc_type_v1; + u8 smc_type_v2; ++ u8 release_nr; + u8 first_contact_peer; + u8 first_contact_local; + unsigned short vlan_id; +-- +2.40.1 + diff --git a/queue-6.5/net-smc-support-smc-v2.x-features-validate.patch b/queue-6.5/net-smc-support-smc-v2.x-features-validate.patch new file mode 100644 index 00000000000..feeb334b808 --- /dev/null +++ b/queue-6.5/net-smc-support-smc-v2.x-features-validate.patch @@ -0,0 +1,179 @@ +From 6a0b0a9ecf20c93587831891cd4b1f11447de56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 21:20:29 +0800 +Subject: net/smc: support smc v2.x features validate + +From: Guangguan Wang + +[ Upstream commit 6ac1e6563f5915cd38b6bc6a8b26964b2252f751 ] + +Support SMC v2.x features validate for SMC v2.1. This is the frame +code for SMC v2.x features validate, and will take effects only when +the negotiated release version is v2.1 or later. + +For Server, v2.x features' validation should be done in smc_clc_srv_ +v2x_features_validate when receiving v2.1 or later CLC Proposal Message, +such as max conns, max links negotiation, the decision of the final +value of max conns and max links should be made in this function. +And final check for server when receiving v2.1 or later CLC Confirm +Message should be done in smc_clc_v2x_features_confirm_check. + +For client, v2.x features' validation should be done in smc_clc_clnt_ +v2x_features_validate when receiving v2.1 or later CLC Accept Message, +for example, the decision to accpt the accepted value or to decline +should be made in this function. + +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Reviewed-by: Jan Karcher +Signed-off-by: David S. Miller +Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net") +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 18 ++++++++++++++++++ + net/smc/smc_clc.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + net/smc/smc_clc.h | 7 +++++++ + 3 files changed, 71 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 077e5864fc441..fa7b8015cd7bb 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + (struct smc_clc_msg_accept_confirm_v2 *)aclc; + struct smc_clc_first_contact_ext *fce = + smc_get_clc_first_contact_ext(clc_v2, false); ++ int rc; + + if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1) + return 0; +@@ -1219,6 +1220,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc, + } + + ini->release_nr = fce->release; ++ rc = smc_clc_clnt_v2x_features_validate(fce, ini); ++ if (rc) ++ return rc; + + return 0; + } +@@ -1393,6 +1397,9 @@ static int smc_connect_ism(struct smc_sock *smc, + smc_get_clc_first_contact_ext(aclc_v2, true); + + ini->release_nr = fce->release; ++ rc = smc_clc_clnt_v2x_features_validate(fce, ini); ++ if (rc) ++ return rc; + } + + rc = smc_v2_determine_accepted_chid(aclc_v2, ini); +@@ -2443,6 +2450,10 @@ static void smc_listen_work(struct work_struct *work) + if (rc) + goto out_decl; + ++ rc = smc_clc_srv_v2x_features_validate(pclc, ini); ++ if (rc) ++ goto out_decl; ++ + mutex_lock(&smc_server_lgr_pending); + smc_close_init(new_smc); + smc_rx_init(new_smc); +@@ -2475,6 +2486,13 @@ static void smc_listen_work(struct work_struct *work) + goto out_decl; + } + ++ rc = smc_clc_v2x_features_confirm_check(cclc, ini); ++ if (rc) { ++ if (!ini->is_smcd) ++ goto out_unlock; ++ goto out_decl; ++ } ++ + /* finish worker */ + if (!ini->is_smcd) { + rc = smc_listen_rdma_finish(new_smc, cclc, +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index fb0be0817e8a5..f50d1b019a80f 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -1156,6 +1156,52 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact, + return len > 0 ? 0 : len; + } + ++int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc, ++ struct smc_init_info *ini) ++{ ++ struct smc_clc_v2_extension *pclc_v2_ext; ++ ++ if ((!(ini->smcd_version & SMC_V2) && !(ini->smcr_version & SMC_V2)) || ++ ini->release_nr < SMC_RELEASE_1) ++ return 0; ++ ++ pclc_v2_ext = smc_get_clc_v2_ext(pclc); ++ if (!pclc_v2_ext) ++ return SMC_CLC_DECL_NOV2EXT; ++ ++ return 0; ++} ++ ++int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce, ++ struct smc_init_info *ini) ++{ ++ if (ini->release_nr < SMC_RELEASE_1) ++ return 0; ++ ++ return 0; ++} ++ ++int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc, ++ struct smc_init_info *ini) ++{ ++ struct smc_clc_msg_accept_confirm_v2 *clc_v2 = ++ (struct smc_clc_msg_accept_confirm_v2 *)cclc; ++ struct smc_clc_first_contact_ext *fce = ++ smc_get_clc_first_contact_ext(clc_v2, ini->is_smcd); ++ ++ if (cclc->hdr.version == SMC_V1 || ++ !(cclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK)) ++ return 0; ++ ++ if (ini->release_nr != fce->release) ++ return SMC_CLC_DECL_RELEASEERR; ++ ++ if (fce->release < SMC_RELEASE_1) ++ return 0; ++ ++ return 0; ++} ++ + void smc_clc_get_hostname(u8 **host) + { + *host = &smc_hostname[0]; +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index b923e89acafb0..32fa56bfa06d5 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -45,6 +45,7 @@ + #define SMC_CLC_DECL_NOSEID 0x03030006 /* peer sent no SEID */ + #define SMC_CLC_DECL_NOSMCD2DEV 0x03030007 /* no SMC-Dv2 device found */ + #define SMC_CLC_DECL_NOUEID 0x03030008 /* peer sent no UEID */ ++#define SMC_CLC_DECL_RELEASEERR 0x03030009 /* release version negotiate failed */ + #define SMC_CLC_DECL_MODEUNSUPP 0x03040000 /* smc modes do not match (R or D)*/ + #define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */ + #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */ +@@ -404,6 +405,12 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact, + u8 version, u8 *eid, struct smc_init_info *ini); + int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact, + u8 version, u8 *negotiated_eid, struct smc_init_info *ini); ++int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc, ++ struct smc_init_info *ini); ++int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce, ++ struct smc_init_info *ini); ++int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc, ++ struct smc_init_info *ini); + void smc_clc_init(void) __init; + void smc_clc_exit(void); + void smc_clc_get_hostname(u8 **host); +-- +2.40.1 + diff --git a/queue-6.5/net-store-netdevs-in-an-xarray.patch b/queue-6.5/net-store-netdevs-in-an-xarray.patch new file mode 100644 index 00000000000..09707b33ec5 --- /dev/null +++ b/queue-6.5/net-store-netdevs-in-an-xarray.patch @@ -0,0 +1,273 @@ +From 3e438fc7e62173a7f73219f1e7a2a4012ea1d0d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 11:55:29 -0700 +Subject: net: store netdevs in an xarray + +From: Jakub Kicinski + +[ Upstream commit 759ab1edb56c88906830fd6b2e7b12514dd32758 ] + +Iterating over the netdev hash table for netlink dumps is hard. +Dumps are done in "chunks" so we need to save the position +after each chunk, so we know where to restart from. Because +netdevs are stored in a hash table we remember which bucket +we were in and how many devices we dumped. + +Since we don't hold any locks across the "chunks" - devices may +come and go while we're dumping. If that happens we may miss +a device (if device is deleted from the bucket we were in). +We indicate to user space that this may have happened by setting +NLM_F_DUMP_INTR. User space is supposed to dump again (I think) +if it sees that. Somehow I doubt most user space gets this right.. + +To illustrate let's look at an example: + + System state: + start: # [A, B, C] + del: B # [A, C] + +with the hash table we may dump [A, B], missing C completely even +tho it existed both before and after the "del B". + +Add an xarray and use it to allocate ifindexes. This way we +can iterate ifindexes in order, without the worry that we'll +skip one. We may still generate a dump of a state which "never +existed", for example for a set of values and sequence of ops: + + System state: + start: # [A, B] + add: C # [A, C, B] + del: B # [A, C] + +we may generate a dump of [A], if C got an index between A and B. +System has never been in such state. But I'm 90% sure that's perfectly +fine, important part is that we can't _miss_ devices which exist before +and after. User space which wants to mirror kernel's state subscribes +to notifications and does periodic dumps so it will know that C exists +from the notification about its creation or from the next dump +(next dump is _guaranteed_ to include C, if it doesn't get removed). + +To avoid any perf regressions keep the hash table for now. Most +net namespaces have very few devices and microbenchmarking 1M lookups +on Skylake I get the following results (not counting loopback +to number of devs): + + #devs | hash | xa | delta + 2 | 18.3 | 20.1 | + 9.8% + 16 | 18.3 | 20.1 | + 9.5% + 64 | 18.3 | 26.3 | +43.8% + 128 | 20.4 | 26.3 | +28.6% + 256 | 20.0 | 26.4 | +32.1% + 1024 | 26.6 | 26.7 | + 0.2% + 8192 |541.3 | 33.5 | -93.8% + +No surprises since the hash table has 256 entries. +The microbenchmark scans indexes in order, if the pattern is more +random xa starts to win at 512 devices already. But that's a lot +of devices, in practice. + +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20230726185530.2247698-2-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: 8e15aee62161 ("net: move altnames together with the netdevice") +Signed-off-by: Sasha Levin +--- + include/net/net_namespace.h | 4 +- + net/core/dev.c | 82 ++++++++++++++++++++++++------------- + 2 files changed, 57 insertions(+), 29 deletions(-) + +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 78beaa765c733..9f6add96de2d7 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + + struct user_namespace; + struct proc_dir_entry; +@@ -69,7 +70,7 @@ struct net { + atomic_t dev_unreg_count; + + unsigned int dev_base_seq; /* protected by rtnl_mutex */ +- int ifindex; ++ u32 ifindex; + + spinlock_t nsid_lock; + atomic_t fnhe_genid; +@@ -110,6 +111,7 @@ struct net { + + struct hlist_head *dev_name_head; + struct hlist_head *dev_index_head; ++ struct xarray dev_by_index; + struct raw_notifier_head netdev_chain; + + /* Note that @hash_mix can be read millions times per second, +diff --git a/net/core/dev.c b/net/core/dev.c +index 45ec18d8b0f6b..a450234f68a54 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -389,6 +389,8 @@ static void list_netdevice(struct net_device *dev) + hlist_add_head_rcu(&dev->index_hlist, + dev_index_hash(net, dev->ifindex)); + write_unlock(&dev_base_lock); ++ /* We reserved the ifindex, this can't fail */ ++ WARN_ON(xa_store(&net->dev_by_index, dev->ifindex, dev, GFP_KERNEL)); + + dev_base_seq_inc(net); + } +@@ -398,8 +400,12 @@ static void list_netdevice(struct net_device *dev) + */ + static void unlist_netdevice(struct net_device *dev, bool lock) + { ++ struct net *net = dev_net(dev); ++ + ASSERT_RTNL(); + ++ xa_erase(&net->dev_by_index, dev->ifindex); ++ + /* Unlink dev from the device chain */ + if (lock) + write_lock(&dev_base_lock); +@@ -9529,23 +9535,35 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack, + } + + /** +- * dev_new_index - allocate an ifindex +- * @net: the applicable net namespace ++ * dev_index_reserve() - allocate an ifindex in a namespace ++ * @net: the applicable net namespace ++ * @ifindex: requested ifindex, pass %0 to get one allocated ++ * ++ * Allocate a ifindex for a new device. Caller must either use the ifindex ++ * to store the device (via list_netdevice()) or call dev_index_release() ++ * to give the index up. + * +- * Returns a suitable unique value for a new device interface +- * number. The caller must hold the rtnl semaphore or the +- * dev_base_lock to be sure it remains unique. ++ * Return: a suitable unique value for a new device interface number or -errno. + */ +-static int dev_new_index(struct net *net) ++static int dev_index_reserve(struct net *net, u32 ifindex) + { +- int ifindex = net->ifindex; ++ int err; + +- for (;;) { +- if (++ifindex <= 0) +- ifindex = 1; +- if (!__dev_get_by_index(net, ifindex)) +- return net->ifindex = ifindex; +- } ++ if (!ifindex) ++ err = xa_alloc_cyclic(&net->dev_by_index, &ifindex, NULL, ++ xa_limit_31b, &net->ifindex, GFP_KERNEL); ++ else ++ err = xa_insert(&net->dev_by_index, ifindex, NULL, GFP_KERNEL); ++ if (err < 0) ++ return err; ++ ++ return ifindex; ++} ++ ++static void dev_index_release(struct net *net, int ifindex) ++{ ++ /* Expect only unused indexes, unlist_netdevice() removes the used */ ++ WARN_ON(xa_erase(&net->dev_by_index, ifindex)); + } + + /* Delayed registration/unregisteration */ +@@ -10015,11 +10033,10 @@ int register_netdevice(struct net_device *dev) + goto err_uninit; + } + +- ret = -EBUSY; +- if (!dev->ifindex) +- dev->ifindex = dev_new_index(net); +- else if (__dev_get_by_index(net, dev->ifindex)) ++ ret = dev_index_reserve(net, dev->ifindex); ++ if (ret < 0) + goto err_uninit; ++ dev->ifindex = ret; + + /* Transfer changeable features to wanted_features and enable + * software offloads (GSO and GRO). +@@ -10066,7 +10083,7 @@ int register_netdevice(struct net_device *dev) + ret = call_netdevice_notifiers(NETDEV_POST_INIT, dev); + ret = notifier_to_errno(ret); + if (ret) +- goto err_uninit; ++ goto err_ifindex_release; + + ret = netdev_register_kobject(dev); + write_lock(&dev_base_lock); +@@ -10122,6 +10139,8 @@ int register_netdevice(struct net_device *dev) + + err_uninit_notify: + call_netdevice_notifiers(NETDEV_PRE_UNINIT, dev); ++err_ifindex_release: ++ dev_index_release(net, dev->ifindex); + err_uninit: + if (dev->netdev_ops->ndo_uninit) + dev->netdev_ops->ndo_uninit(dev); +@@ -11009,9 +11028,19 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net, + goto out; + + /* Check that new_ifindex isn't used yet. */ +- err = -EBUSY; +- if (new_ifindex && __dev_get_by_index(net, new_ifindex)) +- goto out; ++ if (new_ifindex) { ++ err = dev_index_reserve(net, new_ifindex); ++ if (err < 0) ++ goto out; ++ } else { ++ /* If there is an ifindex conflict assign a new one */ ++ err = dev_index_reserve(net, dev->ifindex); ++ if (err == -EBUSY) ++ err = dev_index_reserve(net, 0); ++ if (err < 0) ++ goto out; ++ new_ifindex = err; ++ } + + /* + * And now a mini version of register_netdevice unregister_netdevice. +@@ -11039,13 +11068,6 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net, + rcu_barrier(); + + new_nsid = peernet2id_alloc(dev_net(dev), net, GFP_KERNEL); +- /* If there is an ifindex conflict assign a new one */ +- if (!new_ifindex) { +- if (__dev_get_by_index(net, dev->ifindex)) +- new_ifindex = dev_new_index(net); +- else +- new_ifindex = dev->ifindex; +- } + + rtmsg_ifinfo_newnet(RTM_DELLINK, dev, ~0U, GFP_KERNEL, &new_nsid, + new_ifindex); +@@ -11226,6 +11248,9 @@ static int __net_init netdev_init(struct net *net) + if (net->dev_index_head == NULL) + goto err_idx; + ++ net->ifindex = 1; ++ xa_init_flags(&net->dev_by_index, XA_FLAGS_ALLOC); ++ + RAW_INIT_NOTIFIER_HEAD(&net->netdev_chain); + + return 0; +@@ -11323,6 +11348,7 @@ static void __net_exit netdev_exit(struct net *net) + { + kfree(net->dev_name_head); + kfree(net->dev_index_head); ++ xa_destroy(&net->dev_by_index); + if (net != &init_net) + WARN_ON_ONCE(!list_empty(&net->dev_base_head)); + } +-- +2.40.1 + diff --git a/queue-6.5/net-tls-split-tls_rx_reader_lock.patch b/queue-6.5/net-tls-split-tls_rx_reader_lock.patch new file mode 100644 index 00000000000..f4a34a0a5e7 --- /dev/null +++ b/queue-6.5/net-tls-split-tls_rx_reader_lock.patch @@ -0,0 +1,102 @@ +From c0578fe3ab6f4656528ea0923aec4e7d36a47c15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 21:15:55 +0200 +Subject: net/tls: split tls_rx_reader_lock + +From: Hannes Reinecke + +[ Upstream commit f9ae3204fb45d0749befc1cdff50f691c7461e5a ] + +Split tls_rx_reader_{lock,unlock} into an 'acquire/release' and +the actual locking part. +With that we can use the tls_rx_reader_lock in situations where +the socket is already locked. + +Suggested-by: Sagi Grimberg +Signed-off-by: Hannes Reinecke +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230726191556.41714-6-hare@suse.de +Signed-off-by: Jakub Kicinski +Stable-dep-of: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 38 ++++++++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index e047abc600893..a83f474933033 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1845,13 +1845,10 @@ tls_read_flush_backlog(struct sock *sk, struct tls_prot_info *prot, + return sk_flush_backlog(sk); + } + +-static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx, +- bool nonblock) ++static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx, ++ bool nonblock) + { + long timeo; +- int err; +- +- lock_sock(sk); + + timeo = sock_rcvtimeo(sk, nonblock); + +@@ -1865,26 +1862,30 @@ static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx, + !READ_ONCE(ctx->reader_present), &wait); + remove_wait_queue(&ctx->wq, &wait); + +- if (timeo <= 0) { +- err = -EAGAIN; +- goto err_unlock; +- } +- if (signal_pending(current)) { +- err = sock_intr_errno(timeo); +- goto err_unlock; +- } ++ if (timeo <= 0) ++ return -EAGAIN; ++ if (signal_pending(current)) ++ return sock_intr_errno(timeo); + } + + WRITE_ONCE(ctx->reader_present, 1); + + return 0; ++} + +-err_unlock: +- release_sock(sk); ++static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx, ++ bool nonblock) ++{ ++ int err; ++ ++ lock_sock(sk); ++ err = tls_rx_reader_acquire(sk, ctx, nonblock); ++ if (err) ++ release_sock(sk); + return err; + } + +-static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx) ++static void tls_rx_reader_release(struct sock *sk, struct tls_sw_context_rx *ctx) + { + if (unlikely(ctx->reader_contended)) { + if (wq_has_sleeper(&ctx->wq)) +@@ -1896,6 +1897,11 @@ static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx) + } + + WRITE_ONCE(ctx->reader_present, 0); ++} ++ ++static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx) ++{ ++ tls_rx_reader_release(sk, ctx); + release_sock(sk); + } + +-- +2.40.1 + diff --git a/queue-6.5/netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch b/queue-6.5/netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch new file mode 100644 index 00000000000..11c45378d3d --- /dev/null +++ b/queue-6.5/netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch @@ -0,0 +1,42 @@ +From 5134a5b5531b39ff0a1cc717f8397b1f2ec35970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 13:12:58 +0200 +Subject: netfilter: nf_tables: do not remove elements if set backend + implements .abort + +From: Pablo Neira Ayuso + +[ Upstream commit ebd032fa881882fef2acb9da1bbde48d8233241d ] + +pipapo set backend maintains two copies of the datastructure, removing +the elements from the copy that is going to be discarded slows down +the abort path significantly, from several minutes to few seconds after +this patch. + +Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e43d9508e7a9c..0d48d2e27a1ad 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10336,7 +10336,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + break; + } + te = (struct nft_trans_elem *)trans->data; +- nft_setelem_remove(net, te->set, &te->elem); ++ if (!te->set->ops->abort || ++ nft_setelem_is_catchall(te->set, &te->elem)) ++ nft_setelem_remove(net, te->set, &te->elem); ++ + if (!nft_setelem_is_catchall(te->set, &te->elem)) + atomic_dec(&te->set->nelems); + +-- +2.40.1 + diff --git a/queue-6.5/netfilter-nf_tables-revert-do-not-remove-elements-if.patch b/queue-6.5/netfilter-nf_tables-revert-do-not-remove-elements-if.patch new file mode 100644 index 00000000000..56235ea46f7 --- /dev/null +++ b/queue-6.5/netfilter-nf_tables-revert-do-not-remove-elements-if.patch @@ -0,0 +1,41 @@ +From 3538f84c2bad0acbf3bd5116110d8d96f8f78fe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 13:18:39 +0200 +Subject: netfilter: nf_tables: revert do not remove elements if set backend + implements .abort + +From: Pablo Neira Ayuso + +[ Upstream commit f86fb94011aeb3b26337fc22204ca726aeb8bc24 ] + +nf_tables_abort_release() path calls nft_set_elem_destroy() for +NFT_MSG_NEWSETELEM which releases the element, however, a reference to +the element still remains in the working copy. + +Fixes: ebd032fa8818 ("netfilter: nf_tables: do not remove elements if set backend implements .abort") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 0d48d2e27a1ad..e43d9508e7a9c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10336,10 +10336,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + break; + } + te = (struct nft_trans_elem *)trans->data; +- if (!te->set->ops->abort || +- nft_setelem_is_catchall(te->set, &te->elem)) +- nft_setelem_remove(net, te->set, &te->elem); +- ++ nft_setelem_remove(net, te->set, &te->elem); + if (!nft_setelem_is_catchall(te->set, &te->elem)) + atomic_dec(&te->set->nelems); + +-- +2.40.1 + diff --git a/queue-6.5/nfs-decrement-nrequests-counter-before-releasing-the.patch b/queue-6.5/nfs-decrement-nrequests-counter-before-releasing-the.patch new file mode 100644 index 00000000000..a248dfd938d --- /dev/null +++ b/queue-6.5/nfs-decrement-nrequests-counter-before-releasing-the.patch @@ -0,0 +1,107 @@ +From c3a654796f04f8b227949ab242ee8e2640ea8abd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 09:17:28 -0400 +Subject: nfs: decrement nrequests counter before releasing the req + +From: Jeff Layton + +[ Upstream commit dd1b2026323a2d075ac553cecfd7a0c23c456c59 ] + +I hit this panic in testing: + +[ 6235.500016] run fstests generic/464 at 2023-09-18 22:51:24 +[ 6288.410761] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 6288.412174] #PF: supervisor read access in kernel mode +[ 6288.413160] #PF: error_code(0x0000) - not-present page +[ 6288.413992] PGD 0 P4D 0 +[ 6288.414603] Oops: 0000 [#1] PREEMPT SMP PTI +[ 6288.415419] CPU: 0 PID: 340798 Comm: kworker/u18:8 Not tainted 6.6.0-rc1-gdcf620ceebac #95 +[ 6288.416538] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +[ 6288.417701] Workqueue: nfsiod rpc_async_release [sunrpc] +[ 6288.418676] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs] +[ 6288.419836] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b +[ 6288.422389] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246 +[ 6288.423234] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000 +[ 6288.424351] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840 +[ 6288.425345] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff +[ 6288.426334] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4 +[ 6288.427353] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0 +[ 6288.428358] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000 +[ 6288.429513] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6288.430427] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0 +[ 6288.431553] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6288.432715] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6288.433698] PKRU: 55555554 +[ 6288.434196] Call Trace: +[ 6288.434667] +[ 6288.435132] ? __die+0x1f/0x70 +[ 6288.435723] ? page_fault_oops+0x159/0x450 +[ 6288.436389] ? try_to_wake_up+0x98/0x5d0 +[ 6288.437044] ? do_user_addr_fault+0x65/0x660 +[ 6288.437728] ? exc_page_fault+0x7a/0x180 +[ 6288.438368] ? asm_exc_page_fault+0x22/0x30 +[ 6288.439137] ? nfs_inode_remove_request+0xc8/0x150 [nfs] +[ 6288.440112] ? nfs_inode_remove_request+0xa0/0x150 [nfs] +[ 6288.440924] nfs_commit_release_pages+0x16e/0x340 [nfs] +[ 6288.441700] ? __pfx_call_transmit+0x10/0x10 [sunrpc] +[ 6288.442475] ? _raw_spin_lock_irqsave+0x23/0x50 +[ 6288.443161] nfs_commit_release+0x15/0x40 [nfs] +[ 6288.443926] rpc_free_task+0x36/0x60 [sunrpc] +[ 6288.444741] rpc_async_release+0x29/0x40 [sunrpc] +[ 6288.445509] process_one_work+0x171/0x340 +[ 6288.446135] worker_thread+0x277/0x3a0 +[ 6288.446724] ? __pfx_worker_thread+0x10/0x10 +[ 6288.447376] kthread+0xf0/0x120 +[ 6288.447903] ? __pfx_kthread+0x10/0x10 +[ 6288.448500] ret_from_fork+0x2d/0x50 +[ 6288.449078] ? __pfx_kthread+0x10/0x10 +[ 6288.449665] ret_from_fork_asm+0x1b/0x30 +[ 6288.450283] +[ 6288.450688] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc nls_iso8859_1 nls_cp437 vfat fat 9p netfs ext4 kvm_intel crc16 mbcache jbd2 joydev kvm xfs irqbypass virtio_net pcspkr net_failover psmouse failover 9pnet_virtio cirrus drm_shmem_helper virtio_balloon drm_kms_helper button evdev drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic virtio_blk nvme aesni_intel crypto_simd cryptd nvme_core t10_pi i6300esb crc64_rocksoft_generic crc64_rocksoft crc64 virtio_pci virtio virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4 +[ 6288.460211] CR2: 0000000000000000 +[ 6288.460787] ---[ end trace 0000000000000000 ]--- +[ 6288.461571] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs] +[ 6288.462500] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b +[ 6288.465136] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246 +[ 6288.465963] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000 +[ 6288.467035] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840 +[ 6288.468093] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff +[ 6288.469121] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4 +[ 6288.470109] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0 +[ 6288.471106] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000 +[ 6288.472216] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6288.473059] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0 +[ 6288.474096] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 6288.475097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 6288.476148] PKRU: 55555554 +[ 6288.476665] note: kworker/u18:8[340798] exited with irqs disabled + +Once we've released "req", it's not safe to dereference it anymore. +Decrement the nrequests counter before dropping the reference. + +Signed-off-by: Jeff Layton +Reviewed-by: Benjamin Coddington +Tested-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 8c1ee1a1a28f1..7720b5e43014b 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -802,8 +802,8 @@ static void nfs_inode_remove_request(struct nfs_page *req) + } + + if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) { +- nfs_release_request(req); + atomic_long_dec(&NFS_I(nfs_page_to_inode(req))->nrequests); ++ nfs_release_request(req); + } + } + +-- +2.40.1 + diff --git a/queue-6.5/overlayfs-set-ctime-when-setting-mtime-and-atime.patch b/queue-6.5/overlayfs-set-ctime-when-setting-mtime-and-atime.patch new file mode 100644 index 00000000000..6c4d29ed3ce --- /dev/null +++ b/queue-6.5/overlayfs-set-ctime-when-setting-mtime-and-atime.patch @@ -0,0 +1,47 @@ +From 1eb264b5616a1cdaff309ce21e91addbccd2f6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 09:33:12 -0400 +Subject: overlayfs: set ctime when setting mtime and atime + +From: Jeff Layton + +[ Upstream commit 03dbab3bba5f009d053635c729d1244f2c8bad38 ] + +Nathan reported that he was seeing the new warning in +setattr_copy_mgtime pop when starting podman containers. Overlayfs is +trying to set the atime and mtime via notify_change without also +setting the ctime. + +POSIX states that when the atime and mtime are updated via utimes() that +we must also update the ctime to the current time. The situation with +overlayfs copy-up is analogies, so add ATTR_CTIME to the bitmask. +notify_change will fill in the value. + +Reported-by: Nathan Chancellor +Signed-off-by: Jeff Layton +Tested-by: Nathan Chancellor +Acked-by: Christian Brauner +Acked-by: Amir Goldstein +Message-Id: <20230913-ctime-v1-1-c6bc509cbc27@kernel.org> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/overlayfs/copy_up.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 986d37a4c2750..ab32c6b28d400 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -337,7 +337,7 @@ static int ovl_set_timestamps(struct ovl_fs *ofs, struct dentry *upperdentry, + { + struct iattr attr = { + .ia_valid = +- ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET, ++ ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME, + .ia_atime = stat->atime, + .ia_mtime = stat->mtime, + }; +-- +2.40.1 + diff --git a/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-bush-b.patch b/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-bush-b.patch new file mode 100644 index 00000000000..8ded145f4fd --- /dev/null +++ b/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-bush-b.patch @@ -0,0 +1,68 @@ +From 88479bb9290af2dc9092ca5091fc6e9338f66a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 18:46:32 +0200 +Subject: platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows + tablet + +From: Tomasz Swiatek + +[ Upstream commit 34c271e778c1d8589ee9c833eee5ecb6fbb03149 ] + +Add touchscreen info for the BUSH Bush Windows tablet. + +It was tested using gslx680_ts_acpi module and on patched kernel +installed on device. + +Link: https://github.com/onitake/gsl-firmware/pull/215 +Link: https://github.com/systemd/systemd/pull/29268 +Signed-off-by: Tomasz Swiatek +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index f9301a9382e74..363a9848e2b88 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -42,6 +42,21 @@ static const struct ts_dmi_data archos_101_cesium_educ_data = { + .properties = archos_101_cesium_educ_props, + }; + ++static const struct property_entry bush_bush_windows_tablet_props[] = { ++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1850), ++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1280), ++ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"), ++ PROPERTY_ENTRY_U32("silead,max-fingers", 10), ++ PROPERTY_ENTRY_BOOL("silead,home-button"), ++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-bush-bush-windows-tablet.fw"), ++ { } ++}; ++ ++static const struct ts_dmi_data bush_bush_windows_tablet_data = { ++ .acpi_name = "MSSL1680:00", ++ .properties = bush_bush_windows_tablet_props, ++}; ++ + static const struct property_entry chuwi_hi8_props[] = { + PROPERTY_ENTRY_U32("touchscreen-size-x", 1665), + PROPERTY_ENTRY_U32("touchscreen-size-y", 1140), +@@ -1070,6 +1085,13 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "ARCHOS 101 Cesium Educ"), + }, + }, ++ { ++ /* Bush Windows tablet */ ++ .driver_data = (void *)&bush_bush_windows_tablet_data, ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "Bush Windows tablet"), ++ }, ++ }, + { + /* Chuwi Hi8 */ + .driver_data = (void *)&chuwi_hi8_data, +-- +2.40.1 + diff --git a/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-positi.patch b/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-positi.patch new file mode 100644 index 00000000000..b00f743940a --- /dev/null +++ b/queue-6.5/platform-x86-touchscreen_dmi-add-info-for-the-positi.patch @@ -0,0 +1,65 @@ +From 69800a37a42f898fdc5c80d9a2ad6e9739fb5e19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 19:59:00 -0400 +Subject: platform/x86: touchscreen_dmi: Add info for the Positivo C4128B + +From: Renan Guilherme Lebre Ramos + +[ Upstream commit aa7dcba3bae6869122828b144a3cfd231718089d ] + +Add information for the Positivo C4128B, a notebook/tablet convertible. + +Link: https://github.com/onitake/gsl-firmware/pull/217 +Signed-off-by: Renan Guilherme Lebre Ramos +Link: https://lore.kernel.org/r/20231004235900.426240-1-japareaggae@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index 363a9848e2b88..0c67337726984 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -771,6 +771,21 @@ static const struct ts_dmi_data pipo_w11_data = { + .properties = pipo_w11_props, + }; + ++static const struct property_entry positivo_c4128b_props[] = { ++ PROPERTY_ENTRY_U32("touchscreen-min-x", 4), ++ PROPERTY_ENTRY_U32("touchscreen-min-y", 13), ++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1915), ++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1269), ++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-positivo-c4128b.fw"), ++ PROPERTY_ENTRY_U32("silead,max-fingers", 10), ++ { } ++}; ++ ++static const struct ts_dmi_data positivo_c4128b_data = { ++ .acpi_name = "MSSL1680:00", ++ .properties = positivo_c4128b_props, ++}; ++ + static const struct property_entry pov_mobii_wintab_p800w_v20_props[] = { + PROPERTY_ENTRY_U32("touchscreen-min-x", 32), + PROPERTY_ENTRY_U32("touchscreen-min-y", 16), +@@ -1502,6 +1517,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_MATCH(DMI_BIOS_VERSION, "MOMO.G.WI71C.MABMRBA02"), + }, + }, ++ { ++ /* Positivo C4128B */ ++ .driver_data = (void *)&positivo_c4128b_data, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "C4128B-1"), ++ }, ++ }, + { + /* Point of View mobii wintab p800w (v2.0) */ + .driver_data = (void *)&pov_mobii_wintab_p800w_v20_data, +-- +2.40.1 + diff --git a/queue-6.5/pwr-mlxbf-extend-kconfig-to-include-gpio-mlxbf3-depe.patch b/queue-6.5/pwr-mlxbf-extend-kconfig-to-include-gpio-mlxbf3-depe.patch new file mode 100644 index 00000000000..3fe2b28659d --- /dev/null +++ b/queue-6.5/pwr-mlxbf-extend-kconfig-to-include-gpio-mlxbf3-depe.patch @@ -0,0 +1,41 @@ +From 7f49a77116344f24e5597542928436b6fa10c0b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 09:37:43 -0400 +Subject: pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency + +From: David Thompson + +[ Upstream commit 82f07f1acf417b81e793145c167dd5e156024de4 ] + +The BlueField power handling driver (pwr-mlxbf.c) provides +functionality for both BlueField-2 and BlueField-3 based +platforms. This driver also depends on the SoC-specific +BlueField GPIO driver, whether gpio-mlxbf2 or gpio-mlxbf3. +This patch extends the Kconfig definition to include the +dependency on the gpio-mlxbf3 driver, if applicable. + +Signed-off-by: David Thompson +Reviewed-by: Asmaa Mnebhi +Link: https://lore.kernel.org/r/20230823133743.31275-1-davthompson@nvidia.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/reset/Kconfig b/drivers/power/reset/Kconfig +index fff07b2bd77b9..62f592e617339 100644 +--- a/drivers/power/reset/Kconfig ++++ b/drivers/power/reset/Kconfig +@@ -307,7 +307,7 @@ config NVMEM_REBOOT_MODE + + config POWER_MLXBF + tristate "Mellanox BlueField power handling driver" +- depends on (GPIO_MLXBF2 && ACPI) ++ depends on (GPIO_MLXBF2 || GPIO_MLXBF3) && ACPI + help + This driver supports reset or low power mode handling for Mellanox BlueField. + +-- +2.40.1 + diff --git a/queue-6.5/regulator-core-revert-fix-kobject-release-warning-an.patch b/queue-6.5/regulator-core-revert-fix-kobject-release-warning-an.patch new file mode 100644 index 00000000000..a32de45e272 --- /dev/null +++ b/queue-6.5/regulator-core-revert-fix-kobject-release-warning-an.patch @@ -0,0 +1,50 @@ +From 80b46e09c202e7438bbe28a47f581378c7b01d87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 00:50:27 +0200 +Subject: regulator/core: Revert "fix kobject release warning and memory leak + in regulator_register()" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit 6e800968f6a715c0661716d2ec5e1f56ed9f9c08 ] + +This reverts commit 5f4b204b6b8153923d5be8002c5f7082985d153f. + +Since rdev->dev now has a release() callback, the proper way of freeing +the initialized device can be restored. + +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/d7f469f3f7b1f0e1d52f9a7ede3f3c5703382090.1695077303.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 2820badc7a126..3137e40fcd3e0 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5724,15 +5724,11 @@ regulator_register(struct device *dev, + mutex_lock(®ulator_list_mutex); + regulator_ena_gpio_free(rdev); + mutex_unlock(®ulator_list_mutex); +- put_device(&rdev->dev); +- rdev = NULL; + clean: + if (dangling_of_gpiod) + gpiod_put(config->ena_gpiod); +- if (rdev && rdev->dev.of_node) +- of_node_put(rdev->dev.of_node); +- kfree(rdev); + kfree(config); ++ put_device(&rdev->dev); + rinse: + if (dangling_cfg_gpiod) + gpiod_put(cfg->ena_gpiod); +-- +2.40.1 + diff --git a/queue-6.5/rfkill-sync-before-userspace-visibility-changes.patch b/queue-6.5/rfkill-sync-before-userspace-visibility-changes.patch new file mode 100644 index 00000000000..f59cc73faf9 --- /dev/null +++ b/queue-6.5/rfkill-sync-before-userspace-visibility-changes.patch @@ -0,0 +1,128 @@ +From e7e9be2f877114220b79f912d7c34e7dd1b29783 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 15:45:17 +0200 +Subject: rfkill: sync before userspace visibility/changes + +From: Johannes Berg + +[ Upstream commit 2c3dfba4cf84ac4f306cc6653b37b6dd6859ae9d ] + +If userspace quickly opens /dev/rfkill after a new +instance was created, it might see the old state of +the instance from before the sync work runs and may +even _change_ the state, only to have the sync work +change it again. + +Fix this by doing the sync inline where needed, not +just for /dev/rfkill but also for sysfs. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/rfkill/core.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index 01fca7a10b4bb..08630896b6c88 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -48,6 +48,7 @@ struct rfkill { + bool persistent; + bool polling_paused; + bool suspended; ++ bool need_sync; + + const struct rfkill_ops *ops; + void *data; +@@ -368,6 +369,17 @@ static void rfkill_set_block(struct rfkill *rfkill, bool blocked) + rfkill_event(rfkill); + } + ++static void rfkill_sync(struct rfkill *rfkill) ++{ ++ lockdep_assert_held(&rfkill_global_mutex); ++ ++ if (!rfkill->need_sync) ++ return; ++ ++ rfkill_set_block(rfkill, rfkill_global_states[rfkill->type].cur); ++ rfkill->need_sync = false; ++} ++ + static void rfkill_update_global_state(enum rfkill_type type, bool blocked) + { + int i; +@@ -730,6 +742,10 @@ static ssize_t soft_show(struct device *dev, struct device_attribute *attr, + { + struct rfkill *rfkill = to_rfkill(dev); + ++ mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); ++ mutex_unlock(&rfkill_global_mutex); ++ + return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0); + } + +@@ -751,6 +767,7 @@ static ssize_t soft_store(struct device *dev, struct device_attribute *attr, + return -EINVAL; + + mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); + rfkill_set_block(rfkill, state); + mutex_unlock(&rfkill_global_mutex); + +@@ -783,6 +800,10 @@ static ssize_t state_show(struct device *dev, struct device_attribute *attr, + { + struct rfkill *rfkill = to_rfkill(dev); + ++ mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); ++ mutex_unlock(&rfkill_global_mutex); ++ + return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state)); + } + +@@ -805,6 +826,7 @@ static ssize_t state_store(struct device *dev, struct device_attribute *attr, + return -EINVAL; + + mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); + rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED); + mutex_unlock(&rfkill_global_mutex); + +@@ -1032,14 +1054,10 @@ static void rfkill_uevent_work(struct work_struct *work) + + static void rfkill_sync_work(struct work_struct *work) + { +- struct rfkill *rfkill; +- bool cur; +- +- rfkill = container_of(work, struct rfkill, sync_work); ++ struct rfkill *rfkill = container_of(work, struct rfkill, sync_work); + + mutex_lock(&rfkill_global_mutex); +- cur = rfkill_global_states[rfkill->type].cur; +- rfkill_set_block(rfkill, cur); ++ rfkill_sync(rfkill); + mutex_unlock(&rfkill_global_mutex); + } + +@@ -1087,6 +1105,7 @@ int __must_check rfkill_register(struct rfkill *rfkill) + round_jiffies_relative(POLL_INTERVAL)); + + if (!rfkill->persistent || rfkill_epo_lock_active) { ++ rfkill->need_sync = true; + schedule_work(&rfkill->sync_work); + } else { + #ifdef CONFIG_RFKILL_INPUT +@@ -1171,6 +1190,7 @@ static int rfkill_fop_open(struct inode *inode, struct file *file) + ev = kzalloc(sizeof(*ev), GFP_KERNEL); + if (!ev) + goto free; ++ rfkill_sync(rfkill); + rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); + list_add_tail(&ev->list, &data->events); + } +-- +2.40.1 + diff --git a/queue-6.5/series b/queue-6.5/series index 4d5c722a181..e0f11f02bce 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -93,3 +93,75 @@ net-mdio-mux-fix-c45-access-returning-eio-after-api-change.patch net-avoid-uaf-on-deleted-altname.patch net-fix-ifname-in-netlink-ntf-during-netns-move.patch net-check-for-altname-conflicts-when-changing-netdev-s-netns.patch +iio-light-vcnl4000-don-t-power-on-off-chip-in-config.patch +pwr-mlxbf-extend-kconfig-to-include-gpio-mlxbf3-depe.patch +arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch +arm64-dts-mediatek-fix-mediatek-merge-mute-and-media.patch +fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch +btrfs-fix-race-when-refilling-delayed-refs-block-res.patch +btrfs-prevent-transaction-block-reserve-underflow-wh.patch +btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch +btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch +i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch +overlayfs-set-ctime-when-setting-mtime-and-atime.patch +accel-ivpu-don-t-flood-dmesg-with-vpu-ready-message.patch +gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch +ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch +ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch +tracing-relax-trace_event_eval_update-execution-with.patch +wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch +wifi-cfg80211-validate-ap-phy-operation-before-start.patch +wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch +rfkill-sync-before-userspace-visibility-changes.patch +hid-logitech-hidpp-add-bluetooth-id-for-the-logitech.patch +hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch +bluetooth-btusb-add-shutdown-function-for-qca6174.patch +bluetooth-avoid-redundant-authentication.patch +bluetooth-hci_core-fix-build-warnings.patch +wifi-cfg80211-fix-6ghz-scan-configuration.patch +wifi-mac80211-work-around-cisco-ap-9115-vht-mpdu-len.patch +wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch +wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch +regulator-core-revert-fix-kobject-release-warning-an.patch +sunrpc-fail-quickly-when-server-does-not-recognize-t.patch +sunrpc-tls-lock-the-lower_xprt-during-the-tls-handsh.patch +nfs-decrement-nrequests-counter-before-releasing-the.patch +sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch +ipv4-fib-send-notify-when-delete-source-address-rout.patch +drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch +btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch +btrfs-error-out-when-cowing-block-using-a-stale-tran.patch +btrfs-error-when-cowing-block-from-a-root-that-is-be.patch +btrfs-error-out-when-reallocating-block-for-defrag-u.patch +platform-x86-touchscreen_dmi-add-info-for-the-bush-b.patch +drm-amd-pm-add-unique_id-for-gc-11.0.3.patch +hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch +hid-nintendo-reinitialize-usb-pro-controller-after-r.patch +hid-add-quirk-to-ignore-the-touchscreen-battery-on-h.patch +platform-x86-touchscreen_dmi-add-info-for-the-positi.patch +cpufreq-schedutil-update-next_freq-when-cpufreq_limi.patch +io-wq-fully-initialize-wqe-before-calling-cpuhp_stat.patch +bluetooth-hci_sync-fix-not-handling-iso_link-in-hci_.patch +bluetooth-hci_sync-introduce-ptr_uint-uint_ptr-macro.patch +bluetooth-iso-fix-invalid-context-error.patch +bluetooth-hci_sync-delete-cis-in-bt_open-connect-bou.patch +bluetooth-hci_sync-always-check-if-connection-is-ali.patch +netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch +net-mlx5-e-switch-register-event-handler-before-armi.patch +net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch +net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch +net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch-32687 +net-mlx5e-xdp-fix-xdp_redirect-mpwqe-page-fragment-l.patch +net-mlx5e-take-rtnl-lock-before-triggering-netdev-no.patch +net-mlx5e-don-t-offload-internal-port-if-filter-devi.patch +net-mlx5e-fix-vf-representors-reporting-zero-counter.patch +net-tls-split-tls_rx_reader_lock.patch +tcp-allow-again-tcp_disconnect-when-threads-are-wait.patch +net-smc-support-smc-release-version-negotiation-in-c.patch +net-smc-support-smc-v2.x-features-validate.patch +net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch +bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch +netfilter-nf_tables-revert-do-not-remove-elements-if.patch +tcp_bpf-properly-release-resources-on-error-paths.patch +net-store-netdevs-in-an-xarray.patch +net-move-altnames-together-with-the-netdevice.patch diff --git a/queue-6.5/sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch b/queue-6.5/sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch new file mode 100644 index 00000000000..3f67cd7c7be --- /dev/null +++ b/queue-6.5/sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch @@ -0,0 +1,73 @@ +From 7ae14a798864f2ba60966526852451a98f0ab319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 09:50:39 -0700 +Subject: sky2: Make sure there is at least one frag_addr available + +From: Kees Cook + +[ Upstream commit 6a70e5cbedaf8ad10528ac9ac114f3ec20f422df ] + +In the pathological case of building sky2 with 16k PAGE_SIZE, the +frag_addr[] array would never be used, so the original code was correct +that size should be 0. But the compiler now gets upset with 0 size arrays +in places where it hasn't eliminated the code that might access such an +array (it can't figure out that in this case an rx skb with fragments +would never be created). To keep the compiler happy, make sure there is +at least 1 frag_addr in struct rx_ring_info: + + In file included from include/linux/skbuff.h:28, + from include/net/net_namespace.h:43, + from include/linux/netdevice.h:38, + from drivers/net/ethernet/marvell/sky2.c:18: + drivers/net/ethernet/marvell/sky2.c: In function 'sky2_rx_unmap_skb': + include/linux/dma-mapping.h:416:36: warning: array subscript i is outside array bounds of 'dma_addr_t[0]' {aka 'long long unsigned int[]'} [-Warray-bounds=] + 416 | #define dma_unmap_page(d, a, s, r) dma_unmap_page_attrs(d, a, s, r, 0) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/net/ethernet/marvell/sky2.c:1257:17: note: in expansion of macro 'dma_unmap_page' + 1257 | dma_unmap_page(&pdev->dev, re->frag_addr[i], + | ^~~~~~~~~~~~~~ + In file included from drivers/net/ethernet/marvell/sky2.c:41: + drivers/net/ethernet/marvell/sky2.h:2198:25: note: while referencing 'frag_addr' + 2198 | dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT]; + | ^~~~~~~~~ + +With CONFIG_PAGE_SIZE_16KB=y, PAGE_SHIFT == 14, so: + + #define ETH_JUMBO_MTU 9000 + +causes "ETH_JUMBO_MTU >> PAGE_SHIFT" to be 0. Use "?: 1" to solve this build warning. + +Cc: Mirko Lindner +Cc: Stephen Hemminger +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202309191958.UBw1cjXk-lkp@intel.com/ +Reviewed-by: Alexander Lobakin +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/sky2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h +index ddec1627f1a7b..8d0bacf4e49cc 100644 +--- a/drivers/net/ethernet/marvell/sky2.h ++++ b/drivers/net/ethernet/marvell/sky2.h +@@ -2195,7 +2195,7 @@ struct rx_ring_info { + struct sk_buff *skb; + dma_addr_t data_addr; + DEFINE_DMA_UNMAP_LEN(data_size); +- dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT]; ++ dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT ?: 1]; + }; + + enum flow_control { +-- +2.40.1 + diff --git a/queue-6.5/sunrpc-fail-quickly-when-server-does-not-recognize-t.patch b/queue-6.5/sunrpc-fail-quickly-when-server-does-not-recognize-t.patch new file mode 100644 index 00000000000..f4bb21ebeb4 --- /dev/null +++ b/queue-6.5/sunrpc-fail-quickly-when-server-does-not-recognize-t.patch @@ -0,0 +1,87 @@ +From e18117f24271eb5a06d938c44d09accb8f1fbb61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 16:05:26 -0400 +Subject: SUNRPC: Fail quickly when server does not recognize TLS + +From: Chuck Lever + +[ Upstream commit 5623ecfcbec165f040a23248d39680f0cc5c0854 ] + +rpcauth_checkverf() should return a distinct error code when a +server recognizes the AUTH_TLS probe but does not support TLS so +that the client's header decoder can respond appropriately and +quickly. No retries are necessary is in this case, since the server +has already affirmatively answered "TLS is unsupported". + +Suggested-by: Trond Myklebust +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth.c | 11 ++++++++--- + net/sunrpc/auth_tls.c | 4 ++-- + net/sunrpc/clnt.c | 10 +++++++++- + 3 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c +index 2f16f9d179662..814b0169f9723 100644 +--- a/net/sunrpc/auth.c ++++ b/net/sunrpc/auth.c +@@ -769,9 +769,14 @@ int rpcauth_wrap_req(struct rpc_task *task, struct xdr_stream *xdr) + * @task: controlling RPC task + * @xdr: xdr_stream containing RPC Reply header + * +- * On success, @xdr is updated to point past the verifier and +- * zero is returned. Otherwise, @xdr is in an undefined state +- * and a negative errno is returned. ++ * Return values: ++ * %0: Verifier is valid. @xdr now points past the verifier. ++ * %-EIO: Verifier is corrupted or message ended early. ++ * %-EACCES: Verifier is intact but not valid. ++ * %-EPROTONOSUPPORT: Server does not support the requested auth type. ++ * ++ * When a negative errno is returned, @xdr is left in an undefined ++ * state. + */ + int + rpcauth_checkverf(struct rpc_task *task, struct xdr_stream *xdr) +diff --git a/net/sunrpc/auth_tls.c b/net/sunrpc/auth_tls.c +index de7678f8a23d2..87f570fd3b00e 100644 +--- a/net/sunrpc/auth_tls.c ++++ b/net/sunrpc/auth_tls.c +@@ -129,9 +129,9 @@ static int tls_validate(struct rpc_task *task, struct xdr_stream *xdr) + if (*p != rpc_auth_null) + return -EIO; + if (xdr_stream_decode_opaque_inline(xdr, &str, starttls_len) != starttls_len) +- return -EIO; ++ return -EPROTONOSUPPORT; + if (memcmp(str, starttls_token, starttls_len)) +- return -EIO; ++ return -EPROTONOSUPPORT; + return 0; + } + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index be6be7d785315..9fb0ccabc1a26 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2721,7 +2721,15 @@ rpc_decode_header(struct rpc_task *task, struct xdr_stream *xdr) + + out_verifier: + trace_rpc_bad_verifier(task); +- goto out_garbage; ++ switch (error) { ++ case -EPROTONOSUPPORT: ++ goto out_err; ++ case -EACCES: ++ /* Re-encode with a fresh cred */ ++ fallthrough; ++ default: ++ goto out_garbage; ++ } + + out_msg_denied: + error = -EACCES; +-- +2.40.1 + diff --git a/queue-6.5/sunrpc-tls-lock-the-lower_xprt-during-the-tls-handsh.patch b/queue-6.5/sunrpc-tls-lock-the-lower_xprt-during-the-tls-handsh.patch new file mode 100644 index 00000000000..a85ff8f746a --- /dev/null +++ b/queue-6.5/sunrpc-tls-lock-the-lower_xprt-during-the-tls-handsh.patch @@ -0,0 +1,93 @@ +From b43b2a4cfcbfb2deda3af3b5f379748515b3b1e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 17:03:22 -0400 +Subject: SUNRPC/TLS: Lock the lower_xprt during the tls handshake + +From: Anna Schumaker + +[ Upstream commit 26e8bfa30dac2ccd29dd25f391dfc73475c33329 ] + +Otherwise we run the risk of having the lower_xprt freed from underneath +us, causing an oops that looks like this: + +[ 224.150698] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[ 224.150951] #PF: supervisor read access in kernel mode +[ 224.151117] #PF: error_code(0x0000) - not-present page +[ 224.151278] PGD 0 P4D 0 +[ 224.151361] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 224.151499] CPU: 2 PID: 99 Comm: kworker/u10:6 Not tainted 6.6.0-rc3-g6465e260f487 #41264 a00b0960990fb7bc6d6a330ee03588b67f08a47b +[ 224.151977] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022 +[ 224.152216] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc] +[ 224.152434] RIP: 0010:xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc] +[ 224.152643] Code: 00 00 48 8b 7c 24 08 e9 f3 01 00 00 48 83 7b c0 00 0f 85 d2 01 00 00 49 8d 84 24 f8 05 00 00 48 89 44 24 10 48 8b 00 48 89 c5 <4c> 8b 68 18 66 41 83 3f 0a 75 71 45 31 ff 4c 89 ef 31 f6 e8 5c 76 +[ 224.153246] RSP: 0018:ffffb00ec060fd18 EFLAGS: 00010246 +[ 224.153427] RAX: 0000000000000000 RBX: ffff8c06c2e53e40 RCX: 0000000000000001 +[ 224.153652] RDX: ffff8c073bca2408 RSI: 0000000000000282 RDI: ffff8c06c259ee00 +[ 224.153868] RBP: 0000000000000000 R08: ffffffff9da55aa0 R09: 0000000000000001 +[ 224.154084] R10: 00000034306c30f1 R11: 0000000000000002 R12: ffff8c06c2e51800 +[ 224.154300] R13: ffff8c06c355d400 R14: 0000000004208160 R15: ffff8c06c2e53820 +[ 224.154521] FS: 0000000000000000(0000) GS:ffff8c073bd00000(0000) knlGS:0000000000000000 +[ 224.154763] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 224.154940] CR2: 0000000000000018 CR3: 0000000062c1e000 CR4: 0000000000750ee0 +[ 224.155157] PKRU: 55555554 +[ 224.155244] Call Trace: +[ 224.155325] +[ 224.155395] ? __die_body+0x68/0xb0 +[ 224.155507] ? page_fault_oops+0x34c/0x3a0 +[ 224.155635] ? _raw_spin_unlock_irqrestore+0xe/0x40 +[ 224.155793] ? exc_page_fault+0x7a/0x1b0 +[ 224.155916] ? asm_exc_page_fault+0x26/0x30 +[ 224.156047] ? xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8] +[ 224.156367] ? xs_tcp_tls_setup_socket+0x2fe/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8] +[ 224.156697] ? __pfx_xs_tls_handshake_done+0x10/0x10 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8] +[ 224.157013] process_scheduled_works+0x24e/0x450 +[ 224.157158] worker_thread+0x21c/0x2d0 +[ 224.157275] ? __pfx_worker_thread+0x10/0x10 +[ 224.157409] kthread+0xe8/0x110 +[ 224.157510] ? __pfx_kthread+0x10/0x10 +[ 224.157628] ret_from_fork+0x37/0x50 +[ 224.157741] ? __pfx_kthread+0x10/0x10 +[ 224.157859] ret_from_fork_asm+0x1b/0x30 +[ 224.157983] + +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtsock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 9f010369100a2..f392718951b1e 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2645,6 +2645,10 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work) + rcu_read_lock(); + lower_xprt = rcu_dereference(lower_clnt->cl_xprt); + rcu_read_unlock(); ++ ++ if (wait_on_bit_lock(&lower_xprt->state, XPRT_LOCKED, TASK_KILLABLE)) ++ goto out_unlock; ++ + status = xs_tls_handshake_sync(lower_xprt, &upper_xprt->xprtsec); + if (status) { + trace_rpc_tls_not_started(upper_clnt, upper_xprt); +@@ -2654,6 +2658,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work) + status = xs_tcp_tls_finish_connecting(lower_xprt, upper_transport); + if (status) + goto out_close; ++ xprt_release_write(lower_xprt, NULL); + + trace_rpc_socket_connect(upper_xprt, upper_transport->sock, 0); + if (!xprt_test_and_set_connected(upper_xprt)) { +@@ -2675,6 +2680,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work) + return; + + out_close: ++ xprt_release_write(lower_xprt, NULL); + rpc_shutdown_client(lower_clnt); + + /* xprt_force_disconnect() wakes tasks with a fixed tk_status code. +-- +2.40.1 + diff --git a/queue-6.5/tcp-allow-again-tcp_disconnect-when-threads-are-wait.patch b/queue-6.5/tcp-allow-again-tcp_disconnect-when-threads-are-wait.patch new file mode 100644 index 00000000000..b8b93ba632d --- /dev/null +++ b/queue-6.5/tcp-allow-again-tcp_disconnect-when-threads-are-wait.patch @@ -0,0 +1,484 @@ +From aabe6025e66f79bddb81c90b12297b780ff6cf4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 09:20:55 +0200 +Subject: tcp: allow again tcp_disconnect() when threads are waiting + +From: Paolo Abeni + +[ Upstream commit 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2 ] + +As reported by Tom, .NET and applications build on top of it rely +on connect(AF_UNSPEC) to async cancel pending I/O operations on TCP +socket. + +The blamed commit below caused a regression, as such cancellation +can now fail. + +As suggested by Eric, this change addresses the problem explicitly +causing blocking I/O operation to terminate immediately (with an error) +when a concurrent disconnect() is executed. + +Instead of tracking the number of threads blocked on a given socket, +track the number of disconnect() issued on such socket. If such counter +changes after a blocking operation releasing and re-acquiring the socket +lock, error out the current operation. + +Fixes: 4faeee0cf8a5 ("tcp: deny tcp_disconnect() when threads are waiting") +Reported-by: Tom Deseyn +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1886305 +Suggested-by: Eric Dumazet +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/f3b95e47e3dbed840960548aebaa8d954372db41.1697008693.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../chelsio/inline_crypto/chtls/chtls_io.c | 36 +++++++++++++++---- + include/net/sock.h | 10 +++--- + net/core/stream.c | 12 ++++--- + net/ipv4/af_inet.c | 10 ++++-- + net/ipv4/inet_connection_sock.c | 1 - + net/ipv4/tcp.c | 16 ++++----- + net/ipv4/tcp_bpf.c | 4 +++ + net/mptcp/protocol.c | 7 ---- + net/tls/tls_main.c | 10 ++++-- + net/tls/tls_sw.c | 19 ++++++---- + 10 files changed, 80 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c +index 5fc64e47568a9..d567e42e17601 100644 +--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c ++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c +@@ -911,7 +911,7 @@ static int csk_wait_memory(struct chtls_dev *cdev, + struct sock *sk, long *timeo_p) + { + DEFINE_WAIT_FUNC(wait, woken_wake_function); +- int err = 0; ++ int ret, err = 0; + long current_timeo; + long vm_wait = 0; + bool noblock; +@@ -942,10 +942,13 @@ static int csk_wait_memory(struct chtls_dev *cdev, + + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); + sk->sk_write_pending++; +- sk_wait_event(sk, ¤t_timeo, sk->sk_err || +- (sk->sk_shutdown & SEND_SHUTDOWN) || +- (csk_mem_free(cdev, sk) && !vm_wait), &wait); ++ ret = sk_wait_event(sk, ¤t_timeo, sk->sk_err || ++ (sk->sk_shutdown & SEND_SHUTDOWN) || ++ (csk_mem_free(cdev, sk) && !vm_wait), ++ &wait); + sk->sk_write_pending--; ++ if (ret < 0) ++ goto do_error; + + if (vm_wait) { + vm_wait -= current_timeo; +@@ -1348,6 +1351,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + int copied = 0; + int target; + long timeo; ++ int ret; + + buffers_freed = 0; + +@@ -1423,7 +1427,11 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (copied >= target) + break; + chtls_cleanup_rbuf(sk, copied); +- sk_wait_data(sk, &timeo, NULL); ++ ret = sk_wait_data(sk, &timeo, NULL); ++ if (ret < 0) { ++ copied = copied ? : ret; ++ goto unlock; ++ } + continue; + found_ok_skb: + if (!skb->len) { +@@ -1518,6 +1526,8 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + + if (buffers_freed) + chtls_cleanup_rbuf(sk, copied); ++ ++unlock: + release_sock(sk); + return copied; + } +@@ -1534,6 +1544,7 @@ static int peekmsg(struct sock *sk, struct msghdr *msg, + int copied = 0; + size_t avail; /* amount of available data in current skb */ + long timeo; ++ int ret; + + lock_sock(sk); + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); +@@ -1585,7 +1596,12 @@ static int peekmsg(struct sock *sk, struct msghdr *msg, + release_sock(sk); + lock_sock(sk); + } else { +- sk_wait_data(sk, &timeo, NULL); ++ ret = sk_wait_data(sk, &timeo, NULL); ++ if (ret < 0) { ++ /* here 'copied' is 0 due to previous checks */ ++ copied = ret; ++ break; ++ } + } + + if (unlikely(peek_seq != tp->copied_seq)) { +@@ -1656,6 +1672,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + int copied = 0; + long timeo; + int target; /* Read at least this many bytes */ ++ int ret; + + buffers_freed = 0; + +@@ -1747,7 +1764,11 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (copied >= target) + break; + chtls_cleanup_rbuf(sk, copied); +- sk_wait_data(sk, &timeo, NULL); ++ ret = sk_wait_data(sk, &timeo, NULL); ++ if (ret < 0) { ++ copied = copied ? : ret; ++ goto unlock; ++ } + continue; + + found_ok_skb: +@@ -1816,6 +1837,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (buffers_freed) + chtls_cleanup_rbuf(sk, copied); + ++unlock: + release_sock(sk); + return copied; + } +diff --git a/include/net/sock.h b/include/net/sock.h +index 4e787285fc66b..fc189910e63fc 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -336,7 +336,7 @@ struct sk_filter; + * @sk_cgrp_data: cgroup data for this cgroup + * @sk_memcg: this socket's memory cgroup association + * @sk_write_pending: a write to stream socket waits to start +- * @sk_wait_pending: number of threads blocked on this socket ++ * @sk_disconnects: number of disconnect operations performed on this sock + * @sk_state_change: callback to indicate change in the state of the sock + * @sk_data_ready: callback to indicate there is data to be processed + * @sk_write_space: callback to indicate there is bf sending space available +@@ -429,7 +429,7 @@ struct sock { + unsigned int sk_napi_id; + #endif + int sk_rcvbuf; +- int sk_wait_pending; ++ int sk_disconnects; + + struct sk_filter __rcu *sk_filter; + union { +@@ -1189,8 +1189,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + } + + #define sk_wait_event(__sk, __timeo, __condition, __wait) \ +- ({ int __rc; \ +- __sk->sk_wait_pending++; \ ++ ({ int __rc, __dis = __sk->sk_disconnects; \ + release_sock(__sk); \ + __rc = __condition; \ + if (!__rc) { \ +@@ -1200,8 +1199,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + } \ + sched_annotate_sleep(); \ + lock_sock(__sk); \ +- __sk->sk_wait_pending--; \ +- __rc = __condition; \ ++ __rc = __dis == __sk->sk_disconnects ? __condition : -EPIPE; \ + __rc; \ + }) + +diff --git a/net/core/stream.c b/net/core/stream.c +index f5c4e47df1650..96fbcb9bbb30a 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -117,7 +117,7 @@ EXPORT_SYMBOL(sk_stream_wait_close); + */ + int sk_stream_wait_memory(struct sock *sk, long *timeo_p) + { +- int err = 0; ++ int ret, err = 0; + long vm_wait = 0; + long current_timeo = *timeo_p; + DEFINE_WAIT_FUNC(wait, woken_wake_function); +@@ -142,11 +142,13 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p) + + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); + sk->sk_write_pending++; +- sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) || +- (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) || +- (sk_stream_memory_free(sk) && +- !vm_wait), &wait); ++ ret = sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) || ++ (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) || ++ (sk_stream_memory_free(sk) && !vm_wait), ++ &wait); + sk->sk_write_pending--; ++ if (ret < 0) ++ goto do_error; + + if (vm_wait) { + vm_wait -= current_timeo; +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 02736b83c3032..0c0ae021b7ff5 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -587,7 +587,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + + add_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending += writebias; +- sk->sk_wait_pending++; + + /* Basic assumption: if someone sets sk->sk_err, he _must_ + * change state of the socket from TCP_SYN_*. +@@ -603,7 +602,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + } + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending -= writebias; +- sk->sk_wait_pending--; + return timeo; + } + +@@ -632,6 +630,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr, + return -EINVAL; + + if (uaddr->sa_family == AF_UNSPEC) { ++ sk->sk_disconnects++; + err = sk->sk_prot->disconnect(sk, flags); + sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED; + goto out; +@@ -686,6 +685,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr, + int writebias = (sk->sk_protocol == IPPROTO_TCP) && + tcp_sk(sk)->fastopen_req && + tcp_sk(sk)->fastopen_req->data ? 1 : 0; ++ int dis = sk->sk_disconnects; + + /* Error code is set above */ + if (!timeo || !inet_wait_for_connect(sk, timeo, writebias)) +@@ -694,6 +694,11 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr, + err = sock_intr_errno(timeo); + if (signal_pending(current)) + goto out; ++ ++ if (dis != sk->sk_disconnects) { ++ err = -EPIPE; ++ goto out; ++ } + } + + /* Connection was closed by RST, timeout, ICMP error +@@ -715,6 +720,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr, + sock_error: + err = sock_error(sk) ? : -ECONNABORTED; + sock->state = SS_UNCONNECTED; ++ sk->sk_disconnects++; + if (sk->sk_prot->disconnect(sk, flags)) + sock->state = SS_DISCONNECTING; + goto out; +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index aeebe88166899..394a498c28232 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1145,7 +1145,6 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + if (newsk) { + struct inet_connection_sock *newicsk = inet_csk(newsk); + +- newsk->sk_wait_pending = 0; + inet_sk_set_state(newsk, TCP_SYN_RECV); + newicsk->icsk_bind_hash = NULL; + newicsk->icsk_bind2_hash = NULL; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 9cfc07d1e4252..9bdc1b2eaf734 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -829,7 +829,9 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, + */ + if (!skb_queue_empty(&sk->sk_receive_queue)) + break; +- sk_wait_data(sk, &timeo, NULL); ++ ret = sk_wait_data(sk, &timeo, NULL); ++ if (ret < 0) ++ break; + if (signal_pending(current)) { + ret = sock_intr_errno(timeo); + break; +@@ -2442,7 +2444,11 @@ static int tcp_recvmsg_locked(struct sock *sk, struct msghdr *msg, size_t len, + __sk_flush_backlog(sk); + } else { + tcp_cleanup_rbuf(sk, copied); +- sk_wait_data(sk, &timeo, last); ++ err = sk_wait_data(sk, &timeo, last); ++ if (err < 0) { ++ err = copied ? : err; ++ goto out; ++ } + } + + if ((flags & MSG_PEEK) && +@@ -2966,12 +2972,6 @@ int tcp_disconnect(struct sock *sk, int flags) + int old_state = sk->sk_state; + u32 seq; + +- /* Deny disconnect if other threads are blocked in sk_wait_event() +- * or inet_wait_for_connect(). +- */ +- if (sk->sk_wait_pending) +- return -EBUSY; +- + if (old_state != TCP_CLOSE) + tcp_set_state(sk, TCP_CLOSE); + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 3272682030015..ba2e921881248 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -307,6 +307,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + } + + data = tcp_msg_wait_data(sk, psock, timeo); ++ if (data < 0) ++ return data; + if (data && !sk_psock_queue_empty(psock)) + goto msg_bytes_ready; + copied = -EAGAIN; +@@ -351,6 +353,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + data = tcp_msg_wait_data(sk, psock, timeo); ++ if (data < 0) ++ return data; + if (data) { + if (!sk_psock_queue_empty(psock)) + goto msg_bytes_ready; +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index d2a47c6f9655b..0850d6a43049c 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3063,12 +3063,6 @@ static int mptcp_disconnect(struct sock *sk, int flags) + { + struct mptcp_sock *msk = mptcp_sk(sk); + +- /* Deny disconnect if other threads are blocked in sk_wait_event() +- * or inet_wait_for_connect(). +- */ +- if (sk->sk_wait_pending) +- return -EBUSY; +- + /* We are on the fastopen error path. We can't call straight into the + * subflows cleanup code due to lock nesting (we are already under + * msk->firstsocket lock). +@@ -3139,7 +3133,6 @@ struct sock *mptcp_sk_clone_init(const struct sock *sk, + inet_sk(nsk)->pinet6 = mptcp_inet6_sk(nsk); + #endif + +- nsk->sk_wait_pending = 0; + __mptcp_init_sock(nsk); + + msk = mptcp_sk(nsk); +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 4a8ee2f6badb9..f3d3fc1c32676 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -96,8 +96,8 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx) + + int wait_on_pending_writer(struct sock *sk, long *timeo) + { +- int rc = 0; + DEFINE_WAIT_FUNC(wait, woken_wake_function); ++ int ret, rc = 0; + + add_wait_queue(sk_sleep(sk), &wait); + while (1) { +@@ -111,9 +111,13 @@ int wait_on_pending_writer(struct sock *sk, long *timeo) + break; + } + +- if (sk_wait_event(sk, timeo, +- !READ_ONCE(sk->sk_write_pending), &wait)) ++ ret = sk_wait_event(sk, timeo, ++ !READ_ONCE(sk->sk_write_pending), &wait); ++ if (ret) { ++ if (ret < 0) ++ rc = ret; + break; ++ } + } + remove_wait_queue(sk_sleep(sk), &wait); + return rc; +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index a83f474933033..ce925f3a52492 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1288,6 +1288,7 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock, + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); + DEFINE_WAIT_FUNC(wait, woken_wake_function); ++ int ret = 0; + long timeo; + + timeo = sock_rcvtimeo(sk, nonblock); +@@ -1299,6 +1300,9 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock, + if (sk->sk_err) + return sock_error(sk); + ++ if (ret < 0) ++ return ret; ++ + if (!skb_queue_empty(&sk->sk_receive_queue)) { + tls_strp_check_rcv(&ctx->strp); + if (tls_strp_msg_ready(ctx)) +@@ -1317,10 +1321,10 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock, + released = true; + add_wait_queue(sk_sleep(sk), &wait); + sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); +- sk_wait_event(sk, &timeo, +- tls_strp_msg_ready(ctx) || +- !sk_psock_queue_empty(psock), +- &wait); ++ ret = sk_wait_event(sk, &timeo, ++ tls_strp_msg_ready(ctx) || ++ !sk_psock_queue_empty(psock), ++ &wait); + sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); + remove_wait_queue(sk_sleep(sk), &wait); + +@@ -1849,6 +1853,7 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx, + bool nonblock) + { + long timeo; ++ int ret; + + timeo = sock_rcvtimeo(sk, nonblock); + +@@ -1858,14 +1863,16 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx, + ctx->reader_contended = 1; + + add_wait_queue(&ctx->wq, &wait); +- sk_wait_event(sk, &timeo, +- !READ_ONCE(ctx->reader_present), &wait); ++ ret = sk_wait_event(sk, &timeo, ++ !READ_ONCE(ctx->reader_present), &wait); + remove_wait_queue(&ctx->wq, &wait); + + if (timeo <= 0) + return -EAGAIN; + if (signal_pending(current)) + return sock_intr_errno(timeo); ++ if (ret < 0) ++ return ret; + } + + WRITE_ONCE(ctx->reader_present, 1); +-- +2.40.1 + diff --git a/queue-6.5/tcp_bpf-properly-release-resources-on-error-paths.patch b/queue-6.5/tcp_bpf-properly-release-resources-on-error-paths.patch new file mode 100644 index 00000000000..bd65b17e20a --- /dev/null +++ b/queue-6.5/tcp_bpf-properly-release-resources-on-error-paths.patch @@ -0,0 +1,79 @@ +From da2fd0bab1de2ea6cb6c0357146981df7650e537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 17:49:51 +0200 +Subject: tcp_bpf: properly release resources on error paths + +From: Paolo Abeni + +[ Upstream commit 68b54aeff804acceb02f228ea2e28419272c1fb9 ] + +In the blamed commit below, I completely forgot to release the acquired +resources before erroring out in the TCP BPF code, as reported by Dan. + +Address the issues by replacing the bogus return with a jump to the +relevant cleanup code. + +Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") +Reported-by: Dan Carpenter +Signed-off-by: Paolo Abeni +Acked-by: Jakub Sitnicki +Reviewed-by: Eric Dumazet +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/8f99194c698bcef12666f0a9a999c58f8b1cb52c.1697557782.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index ba2e921881248..53b0d62fd2c2d 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -307,8 +307,10 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + } + + data = tcp_msg_wait_data(sk, psock, timeo); +- if (data < 0) +- return data; ++ if (data < 0) { ++ copied = data; ++ goto unlock; ++ } + if (data && !sk_psock_queue_empty(psock)) + goto msg_bytes_ready; + copied = -EAGAIN; +@@ -319,6 +321,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + tcp_rcv_space_adjust(sk); + if (copied > 0) + __tcp_cleanup_rbuf(sk, copied); ++ ++unlock: + release_sock(sk); + sk_psock_put(sk, psock); + return copied; +@@ -353,8 +357,10 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + data = tcp_msg_wait_data(sk, psock, timeo); +- if (data < 0) +- return data; ++ if (data < 0) { ++ ret = data; ++ goto unlock; ++ } + if (data) { + if (!sk_psock_queue_empty(psock)) + goto msg_bytes_ready; +@@ -365,6 +371,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + copied = -EAGAIN; + } + ret = copied; ++ ++unlock: + release_sock(sk); + sk_psock_put(sk, psock); + return ret; +-- +2.40.1 + diff --git a/queue-6.5/tracing-relax-trace_event_eval_update-execution-with.patch b/queue-6.5/tracing-relax-trace_event_eval_update-execution-with.patch new file mode 100644 index 00000000000..aa7665be8d7 --- /dev/null +++ b/queue-6.5/tracing-relax-trace_event_eval_update-execution-with.patch @@ -0,0 +1,55 @@ +From 2975ea8d6e6511801c5d71a8e3be11db92ac63cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 21:16:37 +0200 +Subject: tracing: relax trace_event_eval_update() execution with + cond_resched() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 23cce5f25491968b23fb9c399bbfb25f13870cd9 ] + +When kernel is compiled without preemption, the eval_map_work_func() +(which calls trace_event_eval_update()) will not be preempted up to its +complete execution. This can actually cause a problem since if another +CPU call stop_machine(), the call will have to wait for the +eval_map_work_func() function to finish executing in the workqueue +before being able to be scheduled. This problem was observe on a SMP +system at boot time, when the CPU calling the initcalls executed +clocksource_done_booting() which in the end calls stop_machine(). We +observed a 1 second delay because one CPU was executing +eval_map_work_func() and was not preempted by the stop_machine() task. + +Adding a call to cond_resched() in trace_event_eval_update() allows +other tasks to be executed and thus continue working asynchronously +like before without blocking any pending task at boot time. + +Link: https://lore.kernel.org/linux-trace-kernel/20230929191637.416931-1-cleger@rivosinc.com + +Cc: Masami Hiramatsu +Signed-off-by: Clément Léger +Tested-by: Atish Patra +Reviewed-by: Atish Patra +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index 0cf84a7449f5b..9841589b4af7f 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -2777,6 +2777,7 @@ void trace_event_eval_update(struct trace_eval_map **map, int len) + update_event_fields(call, map[i]); + } + } ++ cond_resched(); + } + up_write(&trace_event_sem); + } +-- +2.40.1 + diff --git a/queue-6.5/wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch b/queue-6.5/wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch new file mode 100644 index 00000000000..0688ad42844 --- /dev/null +++ b/queue-6.5/wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch @@ -0,0 +1,38 @@ +From 7285a8e899d71c983638e12fd378601034992ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 17:18:56 +0200 +Subject: wifi: cfg80211: avoid leaking stack data into trace + +From: Benjamin Berg + +[ Upstream commit 334bf33eec5701a1e4e967bcb7cc8611a998334b ] + +If the structure is not initialized then boolean types might be copied +into the tracing data without being initialised. This causes data from +the stack to leak into the trace and also triggers a UBSAN failure which +can easily be avoided here. + +Signed-off-by: Benjamin Berg +Link: https://lore.kernel.org/r/20230925171855.a9271ef53b05.I8180bae663984c91a3e036b87f36a640ba409817@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 3d286f3a60e60..bf968cdbfbb51 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -8502,7 +8502,7 @@ static int nl80211_update_mesh_config(struct sk_buff *skb, + struct cfg80211_registered_device *rdev = info->user_ptr[0]; + struct net_device *dev = info->user_ptr[1]; + struct wireless_dev *wdev = dev->ieee80211_ptr; +- struct mesh_config cfg; ++ struct mesh_config cfg = {}; + u32 mask; + int err; + +-- +2.40.1 + diff --git a/queue-6.5/wifi-cfg80211-fix-6ghz-scan-configuration.patch b/queue-6.5/wifi-cfg80211-fix-6ghz-scan-configuration.patch new file mode 100644 index 00000000000..1663f5b4e5e --- /dev/null +++ b/queue-6.5/wifi-cfg80211-fix-6ghz-scan-configuration.patch @@ -0,0 +1,40 @@ +From 79e95c5bbf1450c9d81090470c6990cdc5f47977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 14:10:54 +0300 +Subject: wifi: cfg80211: Fix 6GHz scan configuration + +From: Ilan Peer + +[ Upstream commit 0914468adf92296c4cba8a2134e06e3dea150f2e ] + +When the scan request includes a non broadcast BSSID, when adding the +scan parameters for 6GHz collocated scanning, do not include entries +that do not match the given BSSID. + +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230918140607.6d31d2a96baf.I6c4e3e3075d1d1878ee41f45190fdc6b86f18708@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 0cf1ce7b69342..939deecf0bbef 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -908,6 +908,10 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) + !cfg80211_find_ssid_match(ap, request)) + continue; + ++ if (!is_broadcast_ether_addr(request->bssid) && ++ !ether_addr_equal(request->bssid, ap->bssid)) ++ continue; ++ + if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid) + continue; + +-- +2.40.1 + diff --git a/queue-6.5/wifi-cfg80211-validate-ap-phy-operation-before-start.patch b/queue-6.5/wifi-cfg80211-validate-ap-phy-operation-before-start.patch new file mode 100644 index 00000000000..f43feb0d68b --- /dev/null +++ b/queue-6.5/wifi-cfg80211-validate-ap-phy-operation-before-start.patch @@ -0,0 +1,66 @@ +From 748ceee21e02fa09fd1aa27f2d59548583e518e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 12:18:57 +0530 +Subject: wifi: cfg80211: validate AP phy operation before starting it + +From: Aditya Kumar Singh + +[ Upstream commit 5112fa502708aaaf80acb78273fc8625f221eb11 ] + +Many regulatories can have HE/EHT Operation as not permitted. In such +cases, AP should not be allowed to start if it is using a channel +having the no operation flag set. However, currently there is no such +check in place. + +Fix this issue by validating such IEs sent during start AP against the +channel flags. + +Signed-off-by: Aditya Kumar Singh +Reviewed-by: Jeff Johnson +Link: https://lore.kernel.org/r/20230905064857.1503-1-quic_adisi@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 705d1cf048309..3d286f3a60e60 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5910,6 +5910,21 @@ static void nl80211_send_ap_started(struct wireless_dev *wdev, + nlmsg_free(msg); + } + ++static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params) ++{ ++ struct ieee80211_channel *channel = params->chandef.chan; ++ ++ if ((params->he_cap || params->he_oper) && ++ (channel->flags & IEEE80211_CHAN_NO_HE)) ++ return -EOPNOTSUPP; ++ ++ if ((params->eht_cap || params->eht_oper) && ++ (channel->flags & IEEE80211_CHAN_NO_EHT)) ++ return -EOPNOTSUPP; ++ ++ return 0; ++} ++ + static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + { + struct cfg80211_registered_device *rdev = info->user_ptr[0]; +@@ -6179,6 +6194,10 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + if (err) + goto out_unlock; + ++ err = nl80211_validate_ap_phy_operation(params); ++ if (err) ++ goto out_unlock; ++ + if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]) + params->flags = nla_get_u32( + info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]); +-- +2.40.1 + diff --git a/queue-6.5/wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch b/queue-6.5/wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch new file mode 100644 index 00000000000..59b1a8d471a --- /dev/null +++ b/queue-6.5/wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch @@ -0,0 +1,46 @@ +From 46a855090c7738d8a2a29a65581b1200b1d5fe4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 13:56:05 -0700 +Subject: wifi: iwlwifi: Ensure ack flag is properly cleared. + +From: Ben Greear + +[ Upstream commit e8fbe99e87877f0412655f40d7c45bf8471470ac ] + +Debugging indicates that nothing else is clearing the info->flags, +so some frames were flagged as ACKed when they should not be. +Explicitly clear the ack flag to ensure this does not happen. + +Signed-off-by: Ben Greear +Acked-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230808205605.4105670-1-greearb@candelatech.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index 36d70d589aedd..898dca3936435 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1612,6 +1612,7 @@ static void iwl_mvm_rx_tx_cmd_single(struct iwl_mvm *mvm, + iwl_trans_free_tx_cmd(mvm->trans, info->driver_data[1]); + + memset(&info->status, 0, sizeof(info->status)); ++ info->flags &= ~(IEEE80211_TX_STAT_ACK | IEEE80211_TX_STAT_TX_FILTERED); + + /* inform mac80211 about what happened with the frame */ + switch (status & TX_STATUS_MSK) { +@@ -1964,6 +1965,8 @@ static void iwl_mvm_tx_reclaim(struct iwl_mvm *mvm, int sta_id, int tid, + */ + if (!is_flush) + info->flags |= IEEE80211_TX_STAT_ACK; ++ else ++ info->flags &= ~IEEE80211_TX_STAT_ACK; + } + + /* +-- +2.40.1 + diff --git a/queue-6.5/wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch b/queue-6.5/wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch new file mode 100644 index 00000000000..25c47057da4 --- /dev/null +++ b/queue-6.5/wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch @@ -0,0 +1,110 @@ +From 27f524271e1fa4e74d1a1bda1f13cb12b3eff711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 02:47:51 -0400 +Subject: wifi: mac80211: allow transmitting EAPOL frames with tainted key + +From: Wen Gong + +[ Upstream commit 61304336c67358d49a989e5e0060d8c99bad6ca8 ] + +Lower layer device driver stop/wake TX by calling ieee80211_stop_queue()/ +ieee80211_wake_queue() while hw scan. Sometimes hw scan and PTK rekey are +running in parallel, when M4 sent from wpa_supplicant arrive while the TX +queue is stopped, then the M4 will pending send, and then new key install +from wpa_supplicant. After TX queue wake up by lower layer device driver, +the M4 will be dropped by below call stack. + +When key install started, the current key flag is set KEY_FLAG_TAINTED in +ieee80211_pairwise_rekey(), and then mac80211 wait key install complete by +lower layer device driver. Meanwhile ieee80211_tx_h_select_key() will return +TX_DROP for the M4 in step 12 below, and then ieee80211_free_txskb() called +by ieee80211_tx_dequeue(), so the M4 will not send and free, then the rekey +process failed becaue AP not receive M4. Please see details in steps below. + +There are a interval between KEY_FLAG_TAINTED set for current key flag and +install key complete by lower layer device driver, the KEY_FLAG_TAINTED is +set in this interval, all packet including M4 will be dropped in this +interval, the interval is step 8~13 as below. + +issue steps: + TX thread install key thread +1. stop_queue -idle- +2. sending M4 -idle- +3. M4 pending -idle- +4. -idle- starting install key from wpa_supplicant +5. -idle- =>ieee80211_key_replace() +6. -idle- =>ieee80211_pairwise_rekey() and set + currently key->flags |= KEY_FLAG_TAINTED +7. -idle- =>ieee80211_key_enable_hw_accel() +8. -idle- =>drv_set_key() and waiting key install + complete from lower layer device driver +9. wake_queue -waiting state- +10. re-sending M4 -waiting state- +11. =>ieee80211_tx_h_select_key() -waiting state- +12. drop M4 by KEY_FLAG_TAINTED -waiting state- +13. -idle- install key complete with success/fail + success: clear flag KEY_FLAG_TAINTED + fail: start disconnect + +Hence add check in step 11 above to allow the EAPOL send out in the +interval. If lower layer device driver use the old key/cipher to encrypt +the M4, then AP received/decrypt M4 correctly, after M4 send out, lower +layer device driver install the new key/cipher to hardware and return +success. + +If lower layer device driver use new key/cipher to send the M4, then AP +will/should drop the M4, then it is same result with this issue, AP will/ +should kick out station as well as this issue. + +issue log: +kworker/u16:4-5238 [000] 6456.108926: stop_queue: phy1 queue:0, reason:0 +wpa_supplicant-961 [003] 6456.119737: rdev_tx_control_port: wiphy_name=phy1 name=wlan0 ifindex=6 dest=ARRAY[9e, 05, 31, 20, 9b, d0] proto=36488 unencrypted=0 +wpa_supplicant-961 [003] 6456.119839: rdev_return_int_cookie: phy1, returned 0, cookie: 504 +wpa_supplicant-961 [003] 6456.120287: rdev_add_key: phy1, netdev:wlan0(6), key_index: 0, mode: 0, pairwise: true, mac addr: 9e:05:31:20:9b:d0 +wpa_supplicant-961 [003] 6456.120453: drv_set_key: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 cipher:0xfac04, flags=0x9, keyidx=0, hw_key_idx=0 +kworker/u16:9-3829 [001] 6456.168240: wake_queue: phy1 queue:0, reason:0 +kworker/u16:9-3829 [001] 6456.168255: drv_wake_tx_queue: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 ac:0 tid:7 +kworker/u16:9-3829 [001] 6456.168305: cfg80211_control_port_tx_status: wdev(1), cookie: 504, ack: false +wpa_supplicant-961 [003] 6459.167982: drv_return_int: phy1 - -110 + +issue call stack: +nl80211_frame_tx_status+0x230/0x340 [cfg80211] +cfg80211_control_port_tx_status+0x1c/0x28 [cfg80211] +ieee80211_report_used_skb+0x374/0x3e8 [mac80211] +ieee80211_free_txskb+0x24/0x40 [mac80211] +ieee80211_tx_dequeue+0x644/0x954 [mac80211] +ath10k_mac_tx_push_txq+0xac/0x238 [ath10k_core] +ath10k_mac_op_wake_tx_queue+0xac/0xe0 [ath10k_core] +drv_wake_tx_queue+0x80/0x168 [mac80211] +__ieee80211_wake_txqs+0xe8/0x1c8 [mac80211] +_ieee80211_wake_txqs+0xb4/0x120 [mac80211] +ieee80211_wake_txqs+0x48/0x80 [mac80211] +tasklet_action_common+0xa8/0x254 +tasklet_action+0x2c/0x38 +__do_softirq+0xdc/0x384 + +Signed-off-by: Wen Gong +Link: https://lore.kernel.org/r/20230801064751.25803-1-quic_wgong@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 7fe7280e84374..d45d4be63dd87 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -665,7 +665,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx) + } + + if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED && +- !ieee80211_is_deauth(hdr->frame_control))) ++ !ieee80211_is_deauth(hdr->frame_control)) && ++ tx->skb->protocol != tx->sdata->control_port_protocol) + return TX_DROP; + + if (!skip_hw && tx->key && +-- +2.40.1 + diff --git a/queue-6.5/wifi-mac80211-work-around-cisco-ap-9115-vht-mpdu-len.patch b/queue-6.5/wifi-mac80211-work-around-cisco-ap-9115-vht-mpdu-len.patch new file mode 100644 index 00000000000..d87f470bdd6 --- /dev/null +++ b/queue-6.5/wifi-mac80211-work-around-cisco-ap-9115-vht-mpdu-len.patch @@ -0,0 +1,177 @@ +From 392f090f5f6710d8f283bed8e1e1b59bb608040f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 14:10:55 +0300 +Subject: wifi: mac80211: work around Cisco AP 9115 VHT MPDU length + +From: Johannes Berg + +[ Upstream commit 084cf2aeca97566db4fa15d55653c1cba2db83ed ] + +Cisco AP module 9115 with FW 17.3 has a bug and sends a too +large maximum MPDU length in the association response +(indicating 12k) that it cannot actually process. + +Work around that by taking the minimum between what's in the +association response and the BSS elements (from beacon or +probe response). + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230918140607.d1966a9a532e.I090225babb7cd4d1081ee9acd40e7de7e41c15ae@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 ++- + net/mac80211/ibss.c | 2 +- + net/mac80211/ieee80211_i.h | 1 + + net/mac80211/mesh_plink.c | 2 +- + net/mac80211/mlme.c | 27 +++++++++++++++++++++++++-- + net/mac80211/vht.c | 16 ++++++++++++++-- + 6 files changed, 44 insertions(+), 7 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index e883c41a2163b..0e3a1753a51c6 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1860,7 +1860,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + /* VHT can override some HT caps such as the A-MSDU max length */ + if (params->vht_capa) + ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband, +- params->vht_capa, link_sta); ++ params->vht_capa, NULL, ++ link_sta); + + if (params->he_capa) + ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband, +diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c +index e1900077bc4b9..5542c93edfba0 100644 +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -1072,7 +1072,7 @@ static void ieee80211_update_sta_info(struct ieee80211_sub_if_data *sdata, + &chandef); + memcpy(&cap_ie, elems->vht_cap_elem, sizeof(cap_ie)); + ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband, +- &cap_ie, ++ &cap_ie, NULL, + &sta->deflink); + if (memcmp(&cap, &sta->sta.deflink.vht_cap, sizeof(cap))) + rates_updated |= true; +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index f8cd94ba55ccc..2cce9eba6a120 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2142,6 +2142,7 @@ void + ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata, + struct ieee80211_supported_band *sband, + const struct ieee80211_vht_cap *vht_cap_ie, ++ const struct ieee80211_vht_cap *vht_cap_ie2, + struct link_sta_info *link_sta); + enum ieee80211_sta_rx_bandwidth + ieee80211_sta_cap_rx_bw(struct link_sta_info *link_sta); +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index f3d5bb0a59f10..a1e526419e9d2 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -451,7 +451,7 @@ static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata, + changed |= IEEE80211_RC_BW_CHANGED; + + ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband, +- elems->vht_cap_elem, ++ elems->vht_cap_elem, NULL, + &sta->deflink); + + ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband, elems->he_cap, +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 24b2833e0e475..0c9198997482b 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4202,10 +4202,33 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link, + elems->ht_cap_elem, + link_sta); + +- if (elems->vht_cap_elem && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT)) ++ if (elems->vht_cap_elem && ++ !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT)) { ++ const struct ieee80211_vht_cap *bss_vht_cap = NULL; ++ const struct cfg80211_bss_ies *ies; ++ ++ /* ++ * Cisco AP module 9115 with FW 17.3 has a bug and sends a ++ * too large maximum MPDU length in the association response ++ * (indicating 12k) that it cannot actually process ... ++ * Work around that. ++ */ ++ rcu_read_lock(); ++ ies = rcu_dereference(cbss->ies); ++ if (ies) { ++ const struct element *elem; ++ ++ elem = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ++ ies->data, ies->len); ++ if (elem && elem->datalen >= sizeof(*bss_vht_cap)) ++ bss_vht_cap = (const void *)elem->data; ++ } ++ + ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband, + elems->vht_cap_elem, +- link_sta); ++ bss_vht_cap, link_sta); ++ rcu_read_unlock(); ++ } + + if (elems->he_operation && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_HE) && + elems->he_cap) { +diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c +index c1250aa478083..b3a5c3e96a720 100644 +--- a/net/mac80211/vht.c ++++ b/net/mac80211/vht.c +@@ -4,7 +4,7 @@ + * + * Portions of this file + * Copyright(c) 2015 - 2016 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2022 Intel Corporation ++ * Copyright (C) 2018 - 2023 Intel Corporation + */ + + #include +@@ -116,12 +116,14 @@ void + ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata, + struct ieee80211_supported_band *sband, + const struct ieee80211_vht_cap *vht_cap_ie, ++ const struct ieee80211_vht_cap *vht_cap_ie2, + struct link_sta_info *link_sta) + { + struct ieee80211_sta_vht_cap *vht_cap = &link_sta->pub->vht_cap; + struct ieee80211_sta_vht_cap own_cap; + u32 cap_info, i; + bool have_80mhz; ++ u32 mpdu_len; + + memset(vht_cap, 0, sizeof(*vht_cap)); + +@@ -317,11 +319,21 @@ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata, + + link_sta->pub->bandwidth = ieee80211_sta_cur_vht_bw(link_sta); + ++ /* ++ * Work around the Cisco 9115 FW 17.3 bug by taking the min of ++ * both reported MPDU lengths. ++ */ ++ mpdu_len = vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK; ++ if (vht_cap_ie2) ++ mpdu_len = min_t(u32, mpdu_len, ++ le32_get_bits(vht_cap_ie2->vht_cap_info, ++ IEEE80211_VHT_CAP_MAX_MPDU_MASK)); ++ + /* + * FIXME - should the amsdu len be per link? store per link + * and maintain a minimum? + */ +- switch (vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK) { ++ switch (mpdu_len) { + case IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454: + link_sta->pub->agg.max_amsdu_len = IEEE80211_MAX_MPDU_LEN_VHT_11454; + break; +-- +2.40.1 + diff --git a/queue-6.5/wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch b/queue-6.5/wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch new file mode 100644 index 00000000000..92042a0cdc4 --- /dev/null +++ b/queue-6.5/wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch @@ -0,0 +1,62 @@ +From 38c31cd6cb6751aad892de84b53bc5b8c16e19c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 21:10:45 -0600 +Subject: wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len + +From: Gustavo A. R. Silva + +[ Upstream commit d5a93b7d2877aae4ba7590ad6cb65f8d33079489 ] + +Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before +decoding data from `event_buf`. + +This prevents any malicious or buggy firmware from overflowing +`event_buf` through large values for `tlv_len` and `tlv_bitmap_len`. + +Suggested-by: Dan Williams +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/d4f8780527d551552ee96f17a0229e02e1c200d1.1692931954.git.gustavoars@kernel.org +Signed-off-by: Sasha Levin +--- + .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +index d1d3632a3ed7b..4ab3a14567b65 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +@@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, + while (tlv_buf_left >= sizeof(*tlv_rxba)) { + tlv_type = le16_to_cpu(tlv_rxba->header.type); + tlv_len = le16_to_cpu(tlv_rxba->header.len); ++ if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) { ++ mwifiex_dbg(priv->adapter, WARN, ++ "TLV size (%zu) overflows event_buf buf_left=%d\n", ++ size_add(sizeof(tlv_rxba->header), tlv_len), ++ tlv_buf_left); ++ return; ++ } ++ + if (tlv_type != TLV_TYPE_RXBA_SYNC) { + mwifiex_dbg(priv->adapter, ERROR, + "Wrong TLV id=0x%x\n", tlv_type); +@@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, + + tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num); + tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len); ++ if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) { ++ mwifiex_dbg(priv->adapter, WARN, ++ "TLV size (%zu) overflows event_buf buf_left=%d\n", ++ size_add(sizeof(*tlv_rxba), tlv_bitmap_len), ++ tlv_buf_left); ++ return; ++ } ++ + mwifiex_dbg(priv->adapter, INFO, + "%pM tid=%d seq_num=%d bitmap_len=%d\n", + tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num, +-- +2.40.1 +