From: Sasha Levin Date: Thu, 14 Sep 2023 01:14:24 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.10.195~53^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3459de3f7e35fb6dfd6ee935590d9b1fbe95fd5c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/af_unix-fix-data-race-around-sk-sk_err.patch b/queue-5.10/af_unix-fix-data-race-around-sk-sk_err.patch new file mode 100644 index 00000000000..22b982539ad --- /dev/null +++ b/queue-5.10/af_unix-fix-data-race-around-sk-sk_err.patch @@ -0,0 +1,42 @@ +From dee2371c7849d5fbdf35123f5ef0cf1ccce706e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:08 -0700 +Subject: af_unix: Fix data race around sk->sk_err. + +From: Kuniyuki Iwashima + +[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ] + +As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be +read locklessly by unix_dgram_sendmsg(). + +Let's use READ_ONCE() for sk_err as well. + +Note that the writer side is marked by commit cc04410af7de ("af_unix: +annotate lockless accesses to sk->sk_err"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index a971385a95d92..fcb998dc2dc68 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2317,7 +2317,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + break; + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; +- if (sk->sk_err) ++ if (READ_ONCE(sk->sk_err)) + break; + timeo = schedule_timeout(timeo); + } +-- +2.40.1 + diff --git a/queue-5.10/af_unix-fix-data-race-around-unix_tot_inflight.patch b/queue-5.10/af_unix-fix-data-race-around-unix_tot_inflight.patch new file mode 100644 index 00000000000..8e99b48b7dc --- /dev/null +++ b/queue-5.10/af_unix-fix-data-race-around-unix_tot_inflight.patch @@ -0,0 +1,84 @@ +From f28afac504ba587fb662ec78ad6c9002be43e9a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:06 -0700 +Subject: af_unix: Fix data-race around unix_tot_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ] + +unix_tot_inflight is changed under spin_lock(unix_gc_lock), but +unix_release_sock() reads it locklessly. + +Let's use READ_ONCE() for unix_tot_inflight. + +Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: +annote lockless accesses to unix_tot_inflight & gc_in_progress") + +BUG: KCSAN: data-race in unix_inflight / unix_release_sock + +write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: + unix_inflight+0x130/0x180 net/unix/scm.c:64 + unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1832 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 + __sys_sendmsg+0x94/0x140 net/socket.c:2576 + __do_sys_sendmsg net/socket.c:2585 [inline] + __se_sys_sendmsg net/socket.c:2583 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: + unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 + unix_release+0x59/0x80 net/unix/af_unix.c:1058 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1385 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 8d941cbba5cb7..237488b1b58b6 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -587,7 +587,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + * What the above comment does talk about? --ANK(980817) + */ + +- if (unix_tot_inflight) ++ if (READ_ONCE(unix_tot_inflight)) + unix_gc(); /* Garbage collect fds */ + } + +-- +2.40.1 + diff --git a/queue-5.10/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-5.10/af_unix-fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 00000000000..540e9931634 --- /dev/null +++ b/queue-5.10/af_unix-fix-data-races-around-sk-sk_shutdown.patch @@ -0,0 +1,96 @@ +From 53eadec008d40c910d7f2e63a42de439200c9651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:07 -0700 +Subject: af_unix: Fix data-races around sk->sk_shutdown. + +From: Kuniyuki Iwashima + +[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ] + +sk->sk_shutdown is changed under unix_state_lock(sk), but +unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly. + + sock_alloc_send_pskb + `- sock_wait_for_wmem + +Let's use READ_ONCE() there. + +Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix: +Fix data races around sk->sk_shutdown."). + +BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock + +write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1053 + __sock_release+0x7d/0x170 net/socket.c:654 + sock_close+0x19/0x30 net/socket.c:1386 + __fput+0x2a3/0x680 fs/file_table.c:384 + ____fput+0x15/0x20 fs/file_table.c:412 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0: + sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767 + unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index e2d45631c15d7..a971385a95d92 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2315,7 +2315,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf)) + break; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; + if (sk->sk_err) + break; +@@ -2345,7 +2345,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + goto failure; + + err = -EPIPE; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto failure; + + if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf)) +-- +2.40.1 + diff --git a/queue-5.10/af_unix-fix-data-races-around-user-unix_inflight.patch b/queue-5.10/af_unix-fix-data-races-around-user-unix_inflight.patch new file mode 100644 index 00000000000..9e638b2d036 --- /dev/null +++ b/queue-5.10/af_unix-fix-data-races-around-user-unix_inflight.patch @@ -0,0 +1,105 @@ +From c18a17aa7ffed51bf634e6a5cf151a42b14960b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:05 -0700 +Subject: af_unix: Fix data-races around user->unix_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ] + +user->unix_inflight is changed under spin_lock(unix_gc_lock), +but too_many_unix_fds() reads it locklessly. + +Let's annotate the write/read accesses to user->unix_inflight. + +BUG: KCSAN: data-race in unix_attach_fds / unix_inflight + +write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: + unix_inflight+0x157/0x180 net/unix/scm.c:66 + unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: + too_many_unix_fds net/unix/scm.c:101 [inline] + unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x000000000000000c -> 0x000000000000000d + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Acked-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/scm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/unix/scm.c b/net/unix/scm.c +index aa27a02478dc1..e8e2a00bb0f58 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -63,7 +63,7 @@ void unix_inflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } +- user->unix_inflight++; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1); + spin_unlock(&unix_gc_lock); + } + +@@ -84,7 +84,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } +- user->unix_inflight--; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1); + spin_unlock(&unix_gc_lock); + } + +@@ -98,7 +98,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) + { + struct user_struct *user = current_user(); + +- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE))) + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return false; + } +-- +2.40.1 + diff --git a/queue-5.10/backlight-gpio_backlight-drop-output-gpio-direction-.patch b/queue-5.10/backlight-gpio_backlight-drop-output-gpio-direction-.patch new file mode 100644 index 00000000000..6d3499b0c03 --- /dev/null +++ b/queue-5.10/backlight-gpio_backlight-drop-output-gpio-direction-.patch @@ -0,0 +1,42 @@ +From f4e84fd0dfc1036afe2b941455b95df472627b98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 09:29:03 +0000 +Subject: backlight: gpio_backlight: Drop output GPIO direction check for + initial power state + +From: Ying Liu + +[ Upstream commit fe1328b5b2a087221e31da77e617f4c2b70f3b7f ] + +So, let's drop output GPIO direction check and only check GPIO value to set +the initial power state. + +Fixes: 706dc68102bc ("backlight: gpio: Explicitly set the direction of the GPIO") +Signed-off-by: Liu Ying +Reviewed-by: Andy Shevchenko +Acked-by: Linus Walleij +Acked-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20230721093342.1532531-1-victor.liu@nxp.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/gpio_backlight.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/gpio_backlight.c b/drivers/video/backlight/gpio_backlight.c +index 5c5c99f7979e3..30ec5b6845335 100644 +--- a/drivers/video/backlight/gpio_backlight.c ++++ b/drivers/video/backlight/gpio_backlight.c +@@ -87,8 +87,7 @@ static int gpio_backlight_probe(struct platform_device *pdev) + /* Not booted with device tree or no phandle link to the node */ + bl->props.power = def_value ? FB_BLANK_UNBLANK + : FB_BLANK_POWERDOWN; +- else if (gpiod_get_direction(gbl->gpiod) == 0 && +- gpiod_get_value_cansleep(gbl->gpiod) == 0) ++ else if (gpiod_get_value_cansleep(gbl->gpiod) == 0) + bl->props.power = FB_BLANK_POWERDOWN; + else + bl->props.power = FB_BLANK_UNBLANK; +-- +2.40.1 + diff --git a/queue-5.10/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch b/queue-5.10/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch new file mode 100644 index 00000000000..c557918a911 --- /dev/null +++ b/queue-5.10/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch @@ -0,0 +1,74 @@ +From 2cb6b6b543cdf4a5f778dd13ed89adc31a09c064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 18:35:16 -0700 +Subject: drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() + +From: Sean Christopherson + +[ Upstream commit a90c367e5af63880008e21dd199dac839e0e9e0f ] + +Drop intel_vgpu_reset_gtt() as it no longer has any callers. In addition +to eliminating dead code, this eliminates the last possible scenario where +__kvmgt_protect_table_find() can be reached without holding vgpu_lock. +Requiring vgpu_lock to be held when calling __kvmgt_protect_table_find() +will allow a protecting the gfn hash with vgpu_lock without too much fuss. + +No functional change intended. + +Fixes: ba25d977571e ("drm/i915/gvt: Do not destroy ppgtt_mm during vGPU D3->D0.") +Reviewed-by: Yan Zhao +Tested-by: Yongwei Ma +Reviewed-by: Zhi Wang +Link: https://lore.kernel.org/r/20230729013535.1070024-11-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gvt/gtt.c | 18 ------------------ + drivers/gpu/drm/i915/gvt/gtt.h | 1 - + 2 files changed, 19 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c +index 2029f8521a5dc..0d31a0db305d5 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -2870,24 +2870,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old) + ggtt_invalidate(gvt->gt); + } + +-/** +- * intel_vgpu_reset_gtt - reset the all GTT related status +- * @vgpu: a vGPU +- * +- * This function is called from vfio core to reset reset all +- * GTT related status, including GGTT, PPGTT, scratch page. +- * +- */ +-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu) +-{ +- /* Shadow pages are only created when there is no page +- * table tracking data, so remove page tracking data after +- * removing the shadow pages. +- */ +- intel_vgpu_destroy_all_ppgtt_mm(vgpu); +- intel_vgpu_reset_ggtt(vgpu, true); +-} +- + /** + * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries + * @gvt: intel gvt device +diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h +index b0e173f2d9904..89ffb52cafa04 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.h ++++ b/drivers/gpu/drm/i915/gvt/gtt.h +@@ -215,7 +215,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old); + void intel_vgpu_invalidate_ppgtt(struct intel_vgpu *vgpu); + + int intel_gvt_init_gtt(struct intel_gvt *gvt); +-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu); + void intel_gvt_clean_gtt(struct intel_gvt *gvt); + + struct intel_vgpu_mm *intel_gvt_find_ppgtt_mm(struct intel_vgpu *vgpu, +-- +2.40.1 + diff --git a/queue-5.10/drm-i915-gvt-save-restore-hw-status-to-support-gvt-s.patch b/queue-5.10/drm-i915-gvt-save-restore-hw-status-to-support-gvt-s.patch new file mode 100644 index 00000000000..7d975ef2770 --- /dev/null +++ b/queue-5.10/drm-i915-gvt-save-restore-hw-status-to-support-gvt-s.patch @@ -0,0 +1,346 @@ +From 698b78e313bd8910f7d396332b01fc3c1164e043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 12:53:08 +0800 +Subject: drm/i915/gvt: Save/restore HW status to support GVT suspend/resume + +From: Colin Xu + +[ Upstream commit 5f60b12edcd0c2e83650a6f9aa4a969bd9fc5732 ] + +This patch save/restore necessary GVT info during i915 suspend/resume so +that GVT enabled QEMU VM can continue running. + +Only GGTT and fence regs are saved/restored now. GVT will save GGTT +entries on each host_entry update, restore the saved dirty entries +and re-init fence regs in resume routine. + +V2: +- Change kzalloc/kfree to vzalloc/vfree since the space allocated +from kmalloc may not enough for all saved GGTT entries. +- Keep gvt suspend/resume wrapper in intel_gvt.h/intel_gvt.c and +move the actual implementation to gvt.h/gvt.c. (zhenyu) +- Check gvt config on and active with intel_gvt_active(). (zhenyu) + +V3: (zhenyu) +- Incorrect copy length. Should be num entries * entry size. +- Use memcpy_toio()/memcpy_fromio() instead of memcpy for iomem. +- Add F_PM_SAVE flags to indicate which MMIOs to save/restore for PM. + +V4: +Rebase. + +V5: +Fail intel_gvt_save_ggtt as -ENOMEM if fail to alloc memory to save +ggtt. Free allocated ggtt_entries on failure. + +V6: +Save host entry to per-vGPU gtt.ggtt_mm on each host_entry update. + +V7: +Restore GGTT entry based on present bit. +Split fence restore and mmio restore in different functions. + +Reviewed-by: Zhenyu Wang +Signed-off-by: Hang Yuan +Signed-off-by: Colin Xu +Signed-off-by: Zhenyu Wang +Link: http://patchwork.freedesktop.org/patch/msgid/20201027045308.158955-1-colin.xu@intel.com +Stable-dep-of: a90c367e5af6 ("drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gvt/gtt.c | 64 +++++++++++++++++++++++++++++ + drivers/gpu/drm/i915/gvt/gtt.h | 4 ++ + drivers/gpu/drm/i915/gvt/gvt.c | 9 ++++ + drivers/gpu/drm/i915/gvt/gvt.h | 3 ++ + drivers/gpu/drm/i915/gvt/handlers.c | 44 ++++++++++++++++++-- + drivers/gpu/drm/i915/gvt/mmio.h | 4 ++ + drivers/gpu/drm/i915/intel_gvt.c | 15 +++++++ + drivers/gpu/drm/i915/intel_gvt.h | 5 +++ + 8 files changed, 145 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c +index 0201f9b5f87e7..2029f8521a5dc 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -636,9 +636,18 @@ static void ggtt_set_host_entry(struct intel_vgpu_mm *mm, + struct intel_gvt_gtt_entry *entry, unsigned long index) + { + struct intel_gvt_gtt_pte_ops *pte_ops = mm->vgpu->gvt->gtt.pte_ops; ++ unsigned long offset = index; + + GEM_BUG_ON(mm->type != INTEL_GVT_MM_GGTT); + ++ if (vgpu_gmadr_is_aperture(mm->vgpu, index << I915_GTT_PAGE_SHIFT)) { ++ offset -= (vgpu_aperture_gmadr_base(mm->vgpu) >> PAGE_SHIFT); ++ mm->ggtt_mm.host_ggtt_aperture[offset] = entry->val64; ++ } else if (vgpu_gmadr_is_hidden(mm->vgpu, index << I915_GTT_PAGE_SHIFT)) { ++ offset -= (vgpu_hidden_gmadr_base(mm->vgpu) >> PAGE_SHIFT); ++ mm->ggtt_mm.host_ggtt_hidden[offset] = entry->val64; ++ } ++ + pte_ops->set_entry(NULL, entry, index, false, 0, mm->vgpu); + } + +@@ -1953,6 +1962,21 @@ static struct intel_vgpu_mm *intel_vgpu_create_ggtt_mm(struct intel_vgpu *vgpu) + return ERR_PTR(-ENOMEM); + } + ++ mm->ggtt_mm.host_ggtt_aperture = vzalloc((vgpu_aperture_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); ++ if (!mm->ggtt_mm.host_ggtt_aperture) { ++ vfree(mm->ggtt_mm.virtual_ggtt); ++ vgpu_free_mm(mm); ++ return ERR_PTR(-ENOMEM); ++ } ++ ++ mm->ggtt_mm.host_ggtt_hidden = vzalloc((vgpu_hidden_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); ++ if (!mm->ggtt_mm.host_ggtt_hidden) { ++ vfree(mm->ggtt_mm.host_ggtt_aperture); ++ vfree(mm->ggtt_mm.virtual_ggtt); ++ vgpu_free_mm(mm); ++ return ERR_PTR(-ENOMEM); ++ } ++ + return mm; + } + +@@ -1980,6 +2004,8 @@ void _intel_vgpu_mm_release(struct kref *mm_ref) + invalidate_ppgtt_mm(mm); + } else { + vfree(mm->ggtt_mm.virtual_ggtt); ++ vfree(mm->ggtt_mm.host_ggtt_aperture); ++ vfree(mm->ggtt_mm.host_ggtt_hidden); + } + + vgpu_free_mm(mm); +@@ -2861,3 +2887,41 @@ void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu) + intel_vgpu_destroy_all_ppgtt_mm(vgpu); + intel_vgpu_reset_ggtt(vgpu, true); + } ++ ++/** ++ * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries ++ * @gvt: intel gvt device ++ * ++ * This function is called at driver resume stage to restore ++ * GGTT entries of every vGPU. ++ * ++ */ ++void intel_gvt_restore_ggtt(struct intel_gvt *gvt) ++{ ++ struct intel_vgpu *vgpu; ++ struct intel_vgpu_mm *mm; ++ int id; ++ gen8_pte_t pte; ++ u32 idx, num_low, num_hi, offset; ++ ++ /* Restore dirty host ggtt for all vGPUs */ ++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) { ++ mm = vgpu->gtt.ggtt_mm; ++ ++ num_low = vgpu_aperture_sz(vgpu) >> PAGE_SHIFT; ++ offset = vgpu_aperture_gmadr_base(vgpu) >> PAGE_SHIFT; ++ for (idx = 0; idx < num_low; idx++) { ++ pte = mm->ggtt_mm.host_ggtt_aperture[idx]; ++ if (pte & _PAGE_PRESENT) ++ write_pte64(vgpu->gvt->gt->ggtt, offset + idx, pte); ++ } ++ ++ num_hi = vgpu_hidden_sz(vgpu) >> PAGE_SHIFT; ++ offset = vgpu_hidden_gmadr_base(vgpu) >> PAGE_SHIFT; ++ for (idx = 0; idx < num_hi; idx++) { ++ pte = mm->ggtt_mm.host_ggtt_hidden[idx]; ++ if (pte & _PAGE_PRESENT) ++ write_pte64(vgpu->gvt->gt->ggtt, offset + idx, pte); ++ } ++ } ++} +diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h +index 52d0d88abd86a..b0e173f2d9904 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.h ++++ b/drivers/gpu/drm/i915/gvt/gtt.h +@@ -164,6 +164,9 @@ struct intel_vgpu_mm { + } ppgtt_mm; + struct { + void *virtual_ggtt; ++ /* Save/restore for PM */ ++ u64 *host_ggtt_aperture; ++ u64 *host_ggtt_hidden; + struct list_head partial_pte_list; + } ggtt_mm; + }; +@@ -280,5 +283,6 @@ int intel_vgpu_emulate_ggtt_mmio_write(struct intel_vgpu *vgpu, + unsigned int off, void *p_data, unsigned int bytes); + + void intel_vgpu_destroy_all_ppgtt_mm(struct intel_vgpu *vgpu); ++void intel_gvt_restore_ggtt(struct intel_gvt *gvt); + + #endif /* _GVT_GTT_H_ */ +diff --git a/drivers/gpu/drm/i915/gvt/gvt.c b/drivers/gpu/drm/i915/gvt/gvt.c +index 5c9ef8e58a087..87f22a88925ce 100644 +--- a/drivers/gpu/drm/i915/gvt/gvt.c ++++ b/drivers/gpu/drm/i915/gvt/gvt.c +@@ -405,6 +405,15 @@ int intel_gvt_init_device(struct drm_i915_private *i915) + return ret; + } + ++int ++intel_gvt_pm_resume(struct intel_gvt *gvt) ++{ ++ intel_gvt_restore_fence(gvt); ++ intel_gvt_restore_mmio(gvt); ++ intel_gvt_restore_ggtt(gvt); ++ return 0; ++} ++ + int + intel_gvt_register_hypervisor(struct intel_gvt_mpt *m) + { +diff --git a/drivers/gpu/drm/i915/gvt/gvt.h b/drivers/gpu/drm/i915/gvt/gvt.h +index a81cf0f01e78e..b3d6355dd797d 100644 +--- a/drivers/gpu/drm/i915/gvt/gvt.h ++++ b/drivers/gpu/drm/i915/gvt/gvt.h +@@ -255,6 +255,8 @@ struct intel_gvt_mmio { + #define F_CMD_ACCESS (1 << 3) + /* This reg has been accessed by a VM */ + #define F_ACCESSED (1 << 4) ++/* This reg requires save & restore during host PM suspend/resume */ ++#define F_PM_SAVE (1 << 5) + /* This reg could be accessed by unaligned address */ + #define F_UNALIGN (1 << 6) + /* This reg is in GVT's mmio save-restor list and in hardware +@@ -685,6 +687,7 @@ void intel_gvt_debugfs_remove_vgpu(struct intel_vgpu *vgpu); + void intel_gvt_debugfs_init(struct intel_gvt *gvt); + void intel_gvt_debugfs_clean(struct intel_gvt *gvt); + ++int intel_gvt_pm_resume(struct intel_gvt *gvt); + + #include "trace.h" + #include "mpt.h" +diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c +index 606e6c315fe24..55ce7aaabf893 100644 +--- a/drivers/gpu/drm/i915/gvt/handlers.c ++++ b/drivers/gpu/drm/i915/gvt/handlers.c +@@ -3135,9 +3135,10 @@ static int init_skl_mmio_info(struct intel_gvt *gvt) + MMIO_DFH(TRVATTL3PTRDW(2), D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL); + MMIO_DFH(TRVATTL3PTRDW(3), D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL); + MMIO_DFH(TRVADR, D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL); +- MMIO_DFH(TRTTE, D_SKL_PLUS, F_CMD_ACCESS, +- NULL, gen9_trtte_write); +- MMIO_DH(_MMIO(0x4dfc), D_SKL_PLUS, NULL, gen9_trtt_chicken_write); ++ MMIO_DFH(TRTTE, D_SKL_PLUS, F_CMD_ACCESS | F_PM_SAVE, ++ NULL, gen9_trtte_write); ++ MMIO_DFH(_MMIO(0x4dfc), D_SKL_PLUS, F_PM_SAVE, ++ NULL, gen9_trtt_chicken_write); + + MMIO_D(_MMIO(0x46430), D_SKL_PLUS); + +@@ -3686,3 +3687,40 @@ int intel_vgpu_mmio_reg_rw(struct intel_vgpu *vgpu, unsigned int offset, + intel_vgpu_default_mmio_read(vgpu, offset, pdata, bytes) : + intel_vgpu_default_mmio_write(vgpu, offset, pdata, bytes); + } ++ ++void intel_gvt_restore_fence(struct intel_gvt *gvt) ++{ ++ struct intel_vgpu *vgpu; ++ int i, id; ++ ++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) { ++ mmio_hw_access_pre(gvt->gt); ++ for (i = 0; i < vgpu_fence_sz(vgpu); i++) ++ intel_vgpu_write_fence(vgpu, i, vgpu_vreg64(vgpu, fence_num_to_offset(i))); ++ mmio_hw_access_post(gvt->gt); ++ } ++} ++ ++static inline int mmio_pm_restore_handler(struct intel_gvt *gvt, ++ u32 offset, void *data) ++{ ++ struct intel_vgpu *vgpu = data; ++ struct drm_i915_private *dev_priv = gvt->gt->i915; ++ ++ if (gvt->mmio.mmio_attribute[offset >> 2] & F_PM_SAVE) ++ I915_WRITE(_MMIO(offset), vgpu_vreg(vgpu, offset)); ++ ++ return 0; ++} ++ ++void intel_gvt_restore_mmio(struct intel_gvt *gvt) ++{ ++ struct intel_vgpu *vgpu; ++ int id; ++ ++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) { ++ mmio_hw_access_pre(gvt->gt); ++ intel_gvt_for_each_tracked_mmio(gvt, mmio_pm_restore_handler, vgpu); ++ mmio_hw_access_post(gvt->gt); ++ } ++} +diff --git a/drivers/gpu/drm/i915/gvt/mmio.h b/drivers/gpu/drm/i915/gvt/mmio.h +index cc4812648bf4a..9e862dc73579b 100644 +--- a/drivers/gpu/drm/i915/gvt/mmio.h ++++ b/drivers/gpu/drm/i915/gvt/mmio.h +@@ -104,4 +104,8 @@ int intel_vgpu_mmio_reg_rw(struct intel_vgpu *vgpu, unsigned int offset, + + int intel_vgpu_mask_mmio_write(struct intel_vgpu *vgpu, unsigned int offset, + void *p_data, unsigned int bytes); ++ ++void intel_gvt_restore_fence(struct intel_gvt *gvt); ++void intel_gvt_restore_mmio(struct intel_gvt *gvt); ++ + #endif +diff --git a/drivers/gpu/drm/i915/intel_gvt.c b/drivers/gpu/drm/i915/intel_gvt.c +index 99fe8aef1c67f..4e70c1a9ef2ed 100644 +--- a/drivers/gpu/drm/i915/intel_gvt.c ++++ b/drivers/gpu/drm/i915/intel_gvt.c +@@ -24,6 +24,7 @@ + #include "i915_drv.h" + #include "i915_vgpu.h" + #include "intel_gvt.h" ++#include "gvt/gvt.h" + + /** + * DOC: Intel GVT-g host support +@@ -147,3 +148,17 @@ void intel_gvt_driver_remove(struct drm_i915_private *dev_priv) + + intel_gvt_clean_device(dev_priv); + } ++ ++/** ++ * intel_gvt_resume - GVT resume routine wapper ++ * ++ * @dev_priv: drm i915 private * ++ * ++ * This function is called at the i915 driver resume stage to restore required ++ * HW status for GVT so that vGPU can continue running after resumed. ++ */ ++void intel_gvt_resume(struct drm_i915_private *dev_priv) ++{ ++ if (intel_gvt_active(dev_priv)) ++ intel_gvt_pm_resume(dev_priv->gvt); ++} +diff --git a/drivers/gpu/drm/i915/intel_gvt.h b/drivers/gpu/drm/i915/intel_gvt.h +index 502fad8a8652c..d7d3fb6186fdd 100644 +--- a/drivers/gpu/drm/i915/intel_gvt.h ++++ b/drivers/gpu/drm/i915/intel_gvt.h +@@ -33,6 +33,7 @@ int intel_gvt_init_device(struct drm_i915_private *dev_priv); + void intel_gvt_clean_device(struct drm_i915_private *dev_priv); + int intel_gvt_init_host(void); + void intel_gvt_sanitize_options(struct drm_i915_private *dev_priv); ++void intel_gvt_resume(struct drm_i915_private *dev_priv); + #else + static inline int intel_gvt_init(struct drm_i915_private *dev_priv) + { +@@ -46,6 +47,10 @@ static inline void intel_gvt_driver_remove(struct drm_i915_private *dev_priv) + static inline void intel_gvt_sanitize_options(struct drm_i915_private *dev_priv) + { + } ++ ++static inline void intel_gvt_resume(struct drm_i915_private *dev_priv) ++{ ++} + #endif + + #endif /* _INTEL_GVT_H_ */ +-- +2.40.1 + diff --git a/queue-5.10/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch b/queue-5.10/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch new file mode 100644 index 00000000000..db7bc171d80 --- /dev/null +++ b/queue-5.10/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch @@ -0,0 +1,35 @@ +From ac2a1f2eaf8c3e25c21c8f0665f7c7be2fe13c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Aug 2023 20:33:17 +0300 +Subject: idr: fix param name in idr_alloc_cyclic() doc + +From: Ariel Marcovitch + +[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ] + +The relevant parameter is 'start' and not 'nextid' + +Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext") +Signed-off-by: Ariel Marcovitch +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + lib/idr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/idr.c b/lib/idr.c +index 7ecdfdb5309e7..13f2758c23773 100644 +--- a/lib/idr.c ++++ b/lib/idr.c +@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc); + * @end: The maximum ID (exclusive). + * @gfp: Memory allocation flags. + * +- * Allocates an unused ID in the range specified by @nextid and @end. If ++ * Allocates an unused ID in the range specified by @start and @end. If + * @end is <= 0, it is treated as one larger than %INT_MAX. This allows + * callers to use @start + N as @end as long as N is within integer range. + * The search for an unused ID will start at the last ID allocated and will +-- +2.40.1 + diff --git a/queue-5.10/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.10/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..a4fc86c8712 --- /dev/null +++ b/queue-5.10/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch @@ -0,0 +1,44 @@ +From 4fc3fe521d3cf36b7fdb8b05ad46975e3b633525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:58 +0200 +Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igb devices can use as low as 64 descriptors. +This change will unify igb with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Olga Zaborska +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index e6d2800a8abc5..da0e3897e6831 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -34,11 +34,11 @@ struct igb_adapter; + /* TX/RX descriptor defines */ + #define IGB_DEFAULT_TXD 256 + #define IGB_DEFAULT_TX_WORK 128 +-#define IGB_MIN_TXD 80 ++#define IGB_MIN_TXD 64 + #define IGB_MAX_TXD 4096 + + #define IGB_DEFAULT_RXD 256 +-#define IGB_MIN_RXD 80 ++#define IGB_MIN_RXD 64 + #define IGB_MAX_RXD 4096 + + #define IGB_DEFAULT_ITR 3 /* dynamic */ +-- +2.40.1 + diff --git a/queue-5.10/igb-disable-virtualization-features-on-82580.patch b/queue-5.10/igb-disable-virtualization-features-on-82580.patch new file mode 100644 index 00000000000..c3edb92f05c --- /dev/null +++ b/queue-5.10/igb-disable-virtualization-features-on-82580.patch @@ -0,0 +1,40 @@ +From a6788d663e9c78793c424a559e3c6755be767af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 14:19:13 +0200 +Subject: igb: disable virtualization features on 82580 + +From: Corinna Vinschen + +[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ] + +Disable virtualization features on 82580 just as on i210/i211. +This avoids that virt functions are acidentally called on 82850. + +Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices") +Signed-off-by: Corinna Vinschen +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 1143800c889ac..01176c86be125 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3857,8 +3857,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter) + struct pci_dev *pdev = adapter->pdev; + struct e1000_hw *hw = &adapter->hw; + +- /* Virtualization features not supported on i210 family. */ +- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) ++ /* Virtualization features not supported on i210 and 82580 family. */ ++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) || ++ (hw->mac.type == e1000_82580)) + return; + + /* Of the below we really only want the effect of getting +-- +2.40.1 + diff --git a/queue-5.10/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch b/queue-5.10/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch new file mode 100644 index 00000000000..691f4d78cc1 --- /dev/null +++ b/queue-5.10/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch @@ -0,0 +1,44 @@ +From 79a2a358e89c4d31ba2788db086d8153c12ae203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:57 +0200 +Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igbvf devices can use as low as 64 descriptors. +This change will unify igbvf with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions") +Signed-off-by: Olga Zaborska +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h +index 975eb47ee04df..b39fca9827dc2 100644 +--- a/drivers/net/ethernet/intel/igbvf/igbvf.h ++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h +@@ -39,11 +39,11 @@ enum latency_range { + /* Tx/Rx descriptor defines */ + #define IGBVF_DEFAULT_TXD 256 + #define IGBVF_MAX_TXD 4096 +-#define IGBVF_MIN_TXD 80 ++#define IGBVF_MIN_TXD 64 + + #define IGBVF_DEFAULT_RXD 256 + #define IGBVF_MAX_RXD 4096 +-#define IGBVF_MIN_RXD 80 ++#define IGBVF_MIN_RXD 64 + + #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */ + #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */ +-- +2.40.1 + diff --git a/queue-5.10/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.10/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..2844f724642 --- /dev/null +++ b/queue-5.10/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch @@ -0,0 +1,44 @@ +From baa5878e1cd553f38fac3bcaf1bc7096ae7c00e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:56 +0200 +Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igc devices can use as low as 64 descriptors. +This change will unify igc with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Olga Zaborska +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 33f64c80335d3..31af08ceb36b9 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -319,11 +319,11 @@ static inline u32 igc_rss_type(const union igc_adv_rx_desc *rx_desc) + /* TX/RX descriptor defines */ + #define IGC_DEFAULT_TXD 256 + #define IGC_DEFAULT_TX_WORK 128 +-#define IGC_MIN_TXD 80 ++#define IGC_MIN_TXD 64 + #define IGC_MAX_TXD 4096 + + #define IGC_DEFAULT_RXD 256 +-#define IGC_MIN_RXD 80 ++#define IGC_MIN_RXD 64 + #define IGC_MAX_RXD 4096 + + /* Supported Rx Buffer Sizes */ +-- +2.40.1 + diff --git a/queue-5.10/ip_tunnels-use-dev_stats_inc.patch b/queue-5.10/ip_tunnels-use-dev_stats_inc.patch new file mode 100644 index 00000000000..e625ae99453 --- /dev/null +++ b/queue-5.10/ip_tunnels-use-dev_stats_inc.patch @@ -0,0 +1,128 @@ +From 65fbda4f9d9aa2b1ab6b9b09b481d3bf7ed5abf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 13:40:46 +0000 +Subject: ip_tunnels: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ] + +syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1] + +This can run from multiple cpus without mutual exclusion. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +[1] +BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit + +read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000018830 -> 0x0000000000018831 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0 + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 1ddd401a8981f..58d8e6260aa13 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -455,15 +455,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); + put_cpu_ptr(tstats); ++ return; ++ } ++ ++ if (pkt_len < 0) { ++ DEV_STATS_INC(dev, tx_errors); ++ DEV_STATS_INC(dev, tx_aborted_errors); + } else { +- struct net_device_stats *err_stats = &dev->stats; +- +- if (pkt_len < 0) { +- err_stats->tx_errors++; +- err_stats->tx_aborted_errors++; +- } else { +- err_stats->tx_dropped++; +- } ++ DEV_STATS_INC(dev, tx_dropped); + } + } + +-- +2.40.1 + diff --git a/queue-5.10/ipv4-annotate-data-races-around-fi-fib_dead.patch b/queue-5.10/ipv4-annotate-data-races-around-fi-fib_dead.patch new file mode 100644 index 00000000000..f6d2efc6ef4 --- /dev/null +++ b/queue-5.10/ipv4-annotate-data-races-around-fi-fib_dead.patch @@ -0,0 +1,136 @@ +From 0f7bb78e9c6641c32cbf62d712695dadcff3502b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:55:20 +0000 +Subject: ipv4: annotate data-races around fi->fib_dead + +From: Eric Dumazet + +[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ] + +syzbot complained about a data-race in fib_table_lookup() [1] + +Add appropriate annotations to document it. + +[1] +BUG: KCSAN: data-race in fib_release_info / fib_table_lookup + +write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0: +fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281 +fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777 +fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106 +fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317 +fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448 +notifier_call_chain kernel/notifier.c:93 [inline] +blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388 +__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432 +inet_del_ifa net/ipv4/devinet.c:469 [inline] +inetdev_destroy net/ipv4/devinet.c:322 [inline] +inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1962 [inline] +call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037 +dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673 +do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837 +rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177 +rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445 +netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549 +rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914 +sock_sendmsg_nosec net/socket.c:725 [inline] +sock_sendmsg net/socket.c:748 [inline] +sock_write_iter+0x1aa/0x230 net/socket.c:1129 +do_iter_write+0x4b4/0x7b0 fs/read_write.c:860 +vfs_writev+0x1a8/0x320 fs/read_write.c:933 +do_writev+0xf8/0x220 fs/read_write.c:976 +__do_sys_writev fs/read_write.c:1049 [inline] +__se_sys_writev fs/read_write.c:1046 [inline] +__x64_sys_writev+0x45/0x50 fs/read_write.c:1046 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1: +fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585 +fib_lookup include/net/ip_fib.h:383 [inline] +ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751 +ip_route_output_key_hash net/ipv4/route.c:2641 [inline] +__ip_route_output_key include/net/route.h:134 [inline] +ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869 +send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61 +wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175 +wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200 +wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] +wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51 +process_one_work+0x434/0x860 kernel/workqueue.c:2600 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +value changed: 0x00 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0 + +Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 5 ++++- + net/ipv4/fib_trie.c | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 4e94796ccdbd1..ed20d6ac10dc2 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -278,7 +278,8 @@ void fib_release_info(struct fib_info *fi) + hlist_del(&nexthop_nh->nh_hash); + } endfor_nexthops(fi) + } +- fi->fib_dead = 1; ++ /* Paired with READ_ONCE() from fib_table_lookup() */ ++ WRITE_ONCE(fi->fib_dead, 1); + fib_info_put(fi); + } + spin_unlock_bh(&fib_info_lock); +@@ -1599,6 +1600,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + link_it: + ofi = fib_find_info(fi); + if (ofi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + ofi->fib_treeref++; +@@ -1637,6 +1639,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + + failure: + if (fi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + } +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index d11fb16234a6a..456240d2adc11 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1534,7 +1534,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp, + } + if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos) + continue; +- if (fi->fib_dead) ++ /* Paired with WRITE_ONCE() in fib_release_info() */ ++ if (READ_ONCE(fi->fib_dead)) + continue; + if (fa->fa_info->fib_scope < flp->flowi4_scope) + continue; +-- +2.40.1 + diff --git a/queue-5.10/ipv4-ignore-dst-hint-for-multipath-routes.patch b/queue-5.10/ipv4-ignore-dst-hint-for-multipath-routes.patch new file mode 100644 index 00000000000..6ab599ebffe --- /dev/null +++ b/queue-5.10/ipv4-ignore-dst-hint-for-multipath-routes.patch @@ -0,0 +1,71 @@ +From 54a1949646cf264e32e441334ec438c27877c792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 10:03:30 +0200 +Subject: ipv4: ignore dst hint for multipath routes + +From: Sriram Yagnaraman + +[ Upstream commit 6ac66cb03ae306c2e288a9be18226310529f5b25 ] + +Route hints when the nexthop is part of a multipath group causes packets +in the same receive batch to be sent to the same nexthop irrespective of +the multipath hash of the packet. So, do not extract route hint for +packets whose destination is part of a multipath group. + +A new SKB flag IPSKB_MULTIPATH is introduced for this purpose, set the +flag when route is looked up in ip_mkroute_input() and use it in +ip_extract_route_hint() to check for the existence of the flag. + +Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive") +Signed-off-by: Sriram Yagnaraman +Reviewed-by: Ido Schimmel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 1 + + net/ipv4/ip_input.c | 3 ++- + net/ipv4/route.c | 1 + + 3 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 8d1173577fb5c..9be2efe00f2c0 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -56,6 +56,7 @@ struct inet_skb_parm { + #define IPSKB_FRAG_PMTU BIT(6) + #define IPSKB_L3SLAVE BIT(7) + #define IPSKB_NOPOLICY BIT(8) ++#define IPSKB_MULTIPATH BIT(9) + + u16 frag_max_size; + }; +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c +index eccd7897e7aa6..372579686162b 100644 +--- a/net/ipv4/ip_input.c ++++ b/net/ipv4/ip_input.c +@@ -566,7 +566,8 @@ static void ip_sublist_rcv_finish(struct list_head *head) + static struct sk_buff *ip_extract_route_hint(const struct net *net, + struct sk_buff *skb, int rt_type) + { +- if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST) ++ if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST || ++ IPCB(skb)->flags & IPSKB_MULTIPATH) + return NULL; + + return skb; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 374647693d7ac..3ddeb4fc0d08a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2066,6 +2066,7 @@ static int ip_mkroute_input(struct sk_buff *skb, + int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys); + + fib_select_multipath(res, h); ++ IPCB(skb)->flags |= IPSKB_MULTIPATH; + } + #endif + +-- +2.40.1 + diff --git a/queue-5.10/kcm-destroy-mutex-in-kcm_exit_net.patch b/queue-5.10/kcm-destroy-mutex-in-kcm_exit_net.patch new file mode 100644 index 00000000000..b2cfd4c1345 --- /dev/null +++ b/queue-5.10/kcm-destroy-mutex-in-kcm_exit_net.patch @@ -0,0 +1,37 @@ +From b7e5b43a814fd1eb0921e6214e82a77c4ac9f5b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 02:07:08 +0900 +Subject: kcm: Destroy mutex in kcm_exit_net() + +From: Shigeru Yoshida + +[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ] + +kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially +needed if CONFIG_DEBUG_MUTEXES is enabled. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 32b516ab9c475..71608a6def988 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1982,6 +1982,8 @@ static __net_exit void kcm_exit_net(struct net *net) + * that all multiplexors and psocks have been destroyed. + */ + WARN_ON(!list_empty(&knet->mux_list)); ++ ++ mutex_destroy(&knet->mutex); + } + + static struct pernet_operations kcm_net_ops = { +-- +2.40.1 + diff --git a/queue-5.10/kconfig-fix-possible-buffer-overflow.patch b/queue-5.10/kconfig-fix-possible-buffer-overflow.patch new file mode 100644 index 00000000000..8f151168aa1 --- /dev/null +++ b/queue-5.10/kconfig-fix-possible-buffer-overflow.patch @@ -0,0 +1,38 @@ +From 4c94458c53b99ba78d95a5dcca2b2cf3fa396151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 17:59:14 +0800 +Subject: kconfig: fix possible buffer overflow + +From: Konstantin Meskhidze + +[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ] + +Buffer 'new_argv' is accessed without bound check after accessing with +bound check via 'new_argc' index. + +Fixes: e298f3b49def ("kconfig: add built-in function support") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/preprocess.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c +index 748da578b418c..d1f5bcff4b62d 100644 +--- a/scripts/kconfig/preprocess.c ++++ b/scripts/kconfig/preprocess.c +@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[]) + + p++; + } ++ ++ if (new_argc >= FUNCTION_MAX_ARGS) ++ pperror("too many function arguments"); + new_argv[new_argc++] = prev; + + /* +-- +2.40.1 + diff --git a/queue-5.10/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch b/queue-5.10/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch new file mode 100644 index 00000000000..6d58c8ce0ae --- /dev/null +++ b/queue-5.10/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch @@ -0,0 +1,136 @@ +From 3fed057784702a805b47c0aa3ad014f65f5e18e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 00:53:36 +0300 +Subject: net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software + and offload + +From: Vladimir Oltean + +[ Upstream commit 954ad9bf13c4f95a4958b5f8433301f2ab99e1f5 ] + +More careful measurement of the tc-cbs bandwidth shows that the stream +bandwidth (effectively idleslope) increases, there is a larger and +larger discrepancy between the rate limit obtained by the software +Qdisc, and the rate limit obtained by its offloaded counterpart. + +The discrepancy becomes so large, that e.g. at an idleslope of 40000 +(40Mbps), the offloaded cbs does not actually rate limit anything, and +traffic will pass at line rate through a 100 Mbps port. + +The reason for the discrepancy is that the hardware documentation I've +been following is incorrect. UM11040.pdf (for SJA1105P/Q/R/S) states +about IDLE_SLOPE that it is "the rate (in unit of bytes/sec) at which +the credit counter is increased". + +Cross-checking with UM10944.pdf (for SJA1105E/T) and UM11107.pdf +(for SJA1110), the wording is different: "This field specifies the +value, in bytes per second times link speed, by which the credit counter +is increased". + +So there's an extra scaling for link speed that the driver is currently +not accounting for, and apparently (empirically), that link speed is +expressed in Kbps. + +I've pondered whether to pollute the sja1105_mac_link_up() +implementation with CBS shaper reprogramming, but I don't think it is +worth it. IMO, the UAPI exposed by tc-cbs requires user space to +recalculate the sendslope anyway, since the formula for that depends on +port_transmit_rate (see man tc-cbs), which is not an invariant from tc's +perspective. + +So we use the offload->sendslope and offload->idleslope to deduce the +original port_transmit_rate from the CBS formula, and use that value to +scale the offload->sendslope and offload->idleslope to values that the +hardware understands. + +Some numerical data points: + + 40Mbps stream, max interfering frame size 1500, port speed 100M + --------------------------------------------------------------- + + tc-cbs parameters: + idleslope 40000 sendslope -60000 locredit -900 hicredit 600 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 600 600 + credit_lo 900 900 + send_slope 7500000 75 + idle_slope 5000000 50 + + 40Mbps stream, max interfering frame size 1500, port speed 1G + ------------------------------------------------------------- + + tc-cbs parameters: + idleslope 40000 sendslope -960000 locredit -1440 hicredit 60 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 60 60 + credit_lo 1440 1440 + send_slope 120000000 120 + idle_slope 5000000 5 + + 5.12Mbps stream, max interfering frame size 1522, port speed 100M + ----------------------------------------------------------------- + + tc-cbs parameters: + idleslope 5120 sendslope -94880 locredit -1444 hicredit 77 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 77 77 + credit_lo 1444 1444 + send_slope 11860000 118 + idle_slope 640000 6 + +Tested on SJA1105T, SJA1105S and SJA1110A, at 1Gbps and 100Mbps. + +Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") +Reported-by: Yanan Yang +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index c03d76c108686..4c0ee13126e4f 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1725,6 +1725,7 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + { + struct sja1105_private *priv = ds->priv; + struct sja1105_cbs_entry *cbs; ++ s64 port_transmit_rate_kbps; + int index; + + if (!offload->enable) +@@ -1742,9 +1743,17 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + */ + cbs->credit_hi = offload->hicredit; + cbs->credit_lo = abs(offload->locredit); +- /* User space is in kbits/sec, hardware in bytes/sec */ +- cbs->idle_slope = offload->idleslope * BYTES_PER_KBIT; +- cbs->send_slope = abs(offload->sendslope * BYTES_PER_KBIT); ++ /* User space is in kbits/sec, while the hardware in bytes/sec times ++ * link speed. Since the given offload->sendslope is good only for the ++ * current link speed anyway, and user space is likely to reprogram it ++ * when that changes, don't even bother to track the port's link speed, ++ * but deduce the port transmit rate from idleslope - sendslope. ++ */ ++ port_transmit_rate_kbps = offload->idleslope - offload->sendslope; ++ cbs->idle_slope = div_s64(offload->idleslope * BYTES_PER_KBIT, ++ port_transmit_rate_kbps); ++ cbs->send_slope = div_s64(abs(offload->sendslope * BYTES_PER_KBIT), ++ port_transmit_rate_kbps); + /* Convert the negative values from 64-bit 2's complement + * to 32-bit 2's complement (for the case of 0x80000000 whose + * negative is still negative). +-- +2.40.1 + diff --git a/queue-5.10/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch b/queue-5.10/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch new file mode 100644 index 00000000000..2ac27f3456e --- /dev/null +++ b/queue-5.10/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch @@ -0,0 +1,81 @@ +From 1430563fb3d76f118184df9ee917df20ba9a995d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 00:53:37 +0300 +Subject: net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too + many times + +From: Vladimir Oltean + +[ Upstream commit 894cafc5c62ccced758077bd4e970dc714c42637 ] + +After running command [2] too many times in a row: + +[1] $ tc qdisc add dev sw2p0 root handle 1: mqprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 +[2] $ tc qdisc replace dev sw2p0 parent 1:1 cbs offload 1 \ + idleslope 120000 sendslope -880000 locredit -1320 hicredit 180 + +(aka more than priv->info->num_cbs_shapers times) + +we start seeing the following error message: + +Error: Specified device failed to setup cbs hardware offload. + +This comes from the fact that ndo_setup_tc(TC_SETUP_QDISC_CBS) presents +the same API for the qdisc create and replace cases, and the sja1105 +driver fails to distinguish between the 2. Thus, it always thinks that +it must allocate the same shaper for a {port, queue} pair, when it may +instead have to replace an existing one. + +Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 4c0ee13126e4f..4362fe0f346d2 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1691,6 +1691,18 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port, + + #define BYTES_PER_KBIT (1000LL / 8) + ++static int sja1105_find_cbs_shaper(struct sja1105_private *priv, ++ int port, int prio) ++{ ++ int i; ++ ++ for (i = 0; i < priv->info->num_cbs_shapers; i++) ++ if (priv->cbs[i].port == port && priv->cbs[i].prio == prio) ++ return i; ++ ++ return -1; ++} ++ + static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv) + { + int i; +@@ -1731,9 +1743,14 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + if (!offload->enable) + return sja1105_delete_cbs_shaper(priv, port, offload->queue); + +- index = sja1105_find_unused_cbs_shaper(priv); +- if (index < 0) +- return -ENOSPC; ++ /* The user may be replacing an existing shaper */ ++ index = sja1105_find_cbs_shaper(priv, port, offload->queue); ++ if (index < 0) { ++ /* That isn't the case - see if we can allocate a new one */ ++ index = sja1105_find_unused_cbs_shaper(priv); ++ if (index < 0) ++ return -ENOSPC; ++ } + + cbs = &priv->cbs[index]; + cbs->port = port; +-- +2.40.1 + diff --git a/queue-5.10/net-hns3-fix-the-port-information-display-when-sfp-i.patch b/queue-5.10/net-hns3-fix-the-port-information-display-when-sfp-i.patch new file mode 100644 index 00000000000..f865bd3d6c1 --- /dev/null +++ b/queue-5.10/net-hns3-fix-the-port-information-display-when-sfp-i.patch @@ -0,0 +1,39 @@ +From 8039bf933c603d1af5672bdaa2fde0395ab3434d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:17 +0800 +Subject: net: hns3: fix the port information display when sfp is absent + +From: Yisen Zhuang + +[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ] + +When sfp is absent or unidentified, the port type should be +displayed as PORT_OTHERS, rather than PORT_FIBRE. + +Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type") +Signed-off-by: Yisen Zhuang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index cd0d7a546957a..d35f4b2b480e6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -704,7 +704,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev, + hns3_get_ksettings(h, cmd); + break; + case HNAE3_MEDIA_TYPE_FIBER: +- if (module_type == HNAE3_MODULE_TYPE_CR) ++ if (module_type == HNAE3_MODULE_TYPE_UNKNOWN) ++ cmd->base.port = PORT_OTHER; ++ else if (module_type == HNAE3_MODULE_TYPE_CR) + cmd->base.port = PORT_DA; + else + cmd->base.port = PORT_FIBRE; +-- +2.40.1 + diff --git a/queue-5.10/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch b/queue-5.10/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch new file mode 100644 index 00000000000..2dad7bcdb81 --- /dev/null +++ b/queue-5.10/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch @@ -0,0 +1,40 @@ +From 6b644c15e541d8c5599a239eef9776eaa2a76f15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 22:41:27 -0600 +Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr + +From: Alex Henrie + +[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ] + +The existing code incorrectly casted a negative value (the result of a +subtraction) to an unsigned value without checking. For example, if +/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred +lifetime would jump to 4 billion seconds. On my machine and network the +shortest lifetime that avoided underflow was 3 seconds. + +Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") +Signed-off-by: Alex Henrie +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 9b414681500a5..0eafe26c05f77 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1359,7 +1359,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block) + * idev->desync_factor if it's larger + */ + cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft); +- max_desync_factor = min_t(__u32, ++ max_desync_factor = min_t(long, + idev->cnf.max_desync_factor, + cnf_temp_preferred_lft - regen_advance); + +-- +2.40.1 + diff --git a/queue-5.10/net-read-sk-sk_family-once-in-sk_mc_loop.patch b/queue-5.10/net-read-sk-sk_family-once-in-sk_mc_loop.patch new file mode 100644 index 00000000000..ba41ac6e997 --- /dev/null +++ b/queue-5.10/net-read-sk-sk_family-once-in-sk_mc_loop.patch @@ -0,0 +1,87 @@ +From 5fd56ac5e556e7abf3a68831409bb36b0e6963b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 10:12:44 +0000 +Subject: net: read sk->sk_family once in sk_mc_loop() + +From: Eric Dumazet + +[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ] + +syzbot is playing with IPV6_ADDRFORM quite a lot these days, +and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() + +We have many more similar issues to fix. + +WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 +Modules linked in: +CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +Workqueue: events_power_efficient gc_worker +RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 +Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 +RSP: 0018:ffffc90000388530 EFLAGS: 00010246 +RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 +RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 +RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 +R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 +R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 +FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 +[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] +[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 +[] dst_output include/net/dst.h:444 [inline] +[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 +[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] +[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] +[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] +[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 +[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 +[] netdev_start_xmit include/linux/netdevice.h:4925 [inline] +[] xmit_one net/core/dev.c:3644 [inline] +[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 +[] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 +[] qdisc_restart net/sched/sch_generic.c:407 [inline] +[] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 +[] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 +[] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 +[] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 +[] invoke_softirq kernel/softirq.c:430 [inline] +[] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 +[] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 + +Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 742356cfd07c4..e2d45631c15d7 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -690,7 +690,8 @@ bool sk_mc_loop(struct sock *sk) + return false; + if (!sk) + return true; +- switch (sk->sk_family) { ++ /* IPV6_ADDRFORM can change sk->sk_family under us. */ ++ switch (READ_ONCE(sk->sk_family)) { + case AF_INET: + return inet_sk(sk)->mc_loop; + #if IS_ENABLED(CONFIG_IPV6) +-- +2.40.1 + diff --git a/queue-5.10/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch b/queue-5.10/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch new file mode 100644 index 00000000000..c03d1d6df5d --- /dev/null +++ b/queue-5.10/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch @@ -0,0 +1,115 @@ +From 51982e792f6c52f3b9b2615f86819c5b1ebd7634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 12:35:41 +0000 +Subject: net/sched: fq_pie: avoid stalls in fq_pie_timer() + +From: Eric Dumazet + +[ Upstream commit 8c21ab1bae945686c602c5bfa4e3f3352c2452c5 ] + +When setting a high number of flows (limit being 65536), +fq_pie_timer() is currently using too much time as syzbot reported. + +Add logic to yield the cpu every 2048 flows (less than 150 usec +on debug kernels). +It should also help by not blocking qdisc fast paths for too long. +Worst case (65536 flows) would need 31 jiffies for a complete scan. + +Relevant extract from syzbot report: + +rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/. +rcu: blocking rcu_node structures (internal RCU debug): +Sending NMI from CPU 1 to CPUs 0: +NMI backtrace for cpu 0 +CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline] +RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236 +Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b +RSP: 0018:ffffc90000007bb8 EFLAGS: 00000206 +RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0 +RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + + + pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415 + fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387 + call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 + +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Link: https://lore.kernel.org/lkml/00000000000017ad3f06040bf394@google.com/ +Reported-by: syzbot+e46fbd5289363464bc13@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Reviewed-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230829123541.3745013-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_fq_pie.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index 4f6b5b6fba3ed..a5b63158f081c 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -61,6 +61,7 @@ struct fq_pie_sched_data { + struct pie_params p_params; + u32 ecn_prob; + u32 flows_cnt; ++ u32 flows_cursor; + u32 quantum; + u32 memory_limit; + u32 new_flow_count; +@@ -378,21 +379,31 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + static void fq_pie_timer(struct timer_list *t) + { + struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer); ++ unsigned long next, tupdate; + struct Qdisc *sch = q->sch; + spinlock_t *root_lock; /* to lock qdisc for probability calculations */ +- u32 idx; ++ int max_cnt, i; + + root_lock = qdisc_lock(qdisc_root_sleeping(sch)); + spin_lock(root_lock); + +- for (idx = 0; idx < q->flows_cnt; idx++) +- pie_calculate_probability(&q->p_params, &q->flows[idx].vars, +- q->flows[idx].backlog); +- +- /* reset the timer to fire after 'tupdate' jiffies. */ +- if (q->p_params.tupdate) +- mod_timer(&q->adapt_timer, jiffies + q->p_params.tupdate); ++ /* Limit this expensive loop to 2048 flows per round. */ ++ max_cnt = min_t(int, q->flows_cnt - q->flows_cursor, 2048); ++ for (i = 0; i < max_cnt; i++) { ++ pie_calculate_probability(&q->p_params, ++ &q->flows[q->flows_cursor].vars, ++ q->flows[q->flows_cursor].backlog); ++ q->flows_cursor++; ++ } + ++ tupdate = q->p_params.tupdate; ++ next = 0; ++ if (q->flows_cursor >= q->flows_cnt) { ++ q->flows_cursor = 0; ++ next = tupdate; ++ } ++ if (tupdate) ++ mod_timer(&q->adapt_timer, jiffies + next); + spin_unlock(root_lock); + } + +-- +2.40.1 + diff --git a/queue-5.10/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch b/queue-5.10/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch new file mode 100644 index 00000000000..052c94427dd --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch @@ -0,0 +1,242 @@ +From f5ab5d42e2ffca7a805a7619c4ca34a6ff800f2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:22:37 -0400 +Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue() + +From: valis + +[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ] + +When the plug qdisc is used as a class of the qfq qdisc it could trigger a +UAF. This issue can be reproduced with following commands: + + tc qdisc add dev lo root handle 1: qfq + tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512 + tc qdisc add dev lo parent 1:1 handle 2: plug + tc filter add dev lo parent 1: basic classid 1:1 + ping -c1 127.0.0.1 + +and boom: + +[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0 +[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144 +[ 285.355903] +[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4 +[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +[ 285.358376] Call Trace: +[ 285.358773] +[ 285.359109] dump_stack_lvl+0x44/0x60 +[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0 +[ 285.360611] kasan_report+0x10c/0x120 +[ 285.361195] ? qfq_dequeue+0xa7/0x7f0 +[ 285.361780] qfq_dequeue+0xa7/0x7f0 +[ 285.362342] __qdisc_run+0xf1/0x970 +[ 285.362903] net_tx_action+0x28e/0x460 +[ 285.363502] __do_softirq+0x11b/0x3de +[ 285.364097] do_softirq.part.0+0x72/0x90 +[ 285.364721] +[ 285.365072] +[ 285.365422] __local_bh_enable_ip+0x77/0x90 +[ 285.366079] __dev_queue_xmit+0x95f/0x1550 +[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10 +[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 285.368259] ? __build_skb_around+0x129/0x190 +[ 285.368960] ? ip_generic_getfrag+0x12c/0x170 +[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10 +[ 285.370390] ? csum_partial+0x8/0x20 +[ 285.370961] ? raw_getfrag+0xe5/0x140 +[ 285.371559] ip_finish_output2+0x539/0xa40 +[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10 +[ 285.372954] ip_output+0x113/0x1e0 +[ 285.373512] ? __pfx_ip_output+0x10/0x10 +[ 285.374130] ? icmp_out_count+0x49/0x60 +[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10 +[ 285.375457] ip_push_pending_frames+0xf3/0x100 +[ 285.376173] raw_sendmsg+0xef5/0x12d0 +[ 285.376760] ? do_syscall_64+0x40/0x90 +[ 285.377359] ? __static_call_text_end+0x136578/0x136578 +[ 285.378173] ? do_syscall_64+0x40/0x90 +[ 285.378772] ? kasan_enable_current+0x11/0x20 +[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10 +[ 285.380137] ? __sock_create+0x13e/0x270 +[ 285.380673] ? __sys_socket+0xf3/0x180 +[ 285.381174] ? __x64_sys_socket+0x3d/0x50 +[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.382425] ? __rcu_read_unlock+0x48/0x70 +[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380 +[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10 +[ 285.384295] ? preempt_count_sub+0x14/0xc0 +[ 285.384844] ? __list_del_entry_valid+0x76/0x140 +[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0 +[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10 +[ 285.386645] ? release_sock+0xa0/0xd0 +[ 285.387148] ? preempt_count_sub+0x14/0xc0 +[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0 +[ 285.388341] ? aa_sk_perm+0x177/0x390 +[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10 +[ 285.389441] ? check_stack_object+0x22/0x70 +[ 285.390032] ? inet_send_prepare+0x2f/0x120 +[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10 +[ 285.391172] sock_sendmsg+0xcc/0xe0 +[ 285.391667] __sys_sendto+0x190/0x230 +[ 285.392168] ? __pfx___sys_sendto+0x10/0x10 +[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30 +[ 285.393328] ? set_normalized_timespec64+0x57/0x70 +[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40 +[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160 +[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10 +[ 285.395908] ? _copy_to_user+0x3e/0x60 +[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.397734] ? do_syscall_64+0x71/0x90 +[ 285.398258] __x64_sys_sendto+0x74/0x90 +[ 285.398786] do_syscall_64+0x64/0x90 +[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.400605] ? do_syscall_64+0x71/0x90 +[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.401807] RIP: 0033:0x495726 +[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09 +[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726 +[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000 +[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c +[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634 +[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000 +[ 285.410403] +[ 285.410704] +[ 285.410929] Allocated by task 144: +[ 285.411402] kasan_save_stack+0x1e/0x40 +[ 285.411926] kasan_set_track+0x21/0x30 +[ 285.412442] __kasan_slab_alloc+0x55/0x70 +[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0 +[ 285.413567] __alloc_skb+0x1b4/0x230 +[ 285.414060] __ip_append_data+0x17f7/0x1b60 +[ 285.414633] ip_append_data+0x97/0xf0 +[ 285.415144] raw_sendmsg+0x5a8/0x12d0 +[ 285.415640] sock_sendmsg+0xcc/0xe0 +[ 285.416117] __sys_sendto+0x190/0x230 +[ 285.416626] __x64_sys_sendto+0x74/0x90 +[ 285.417145] do_syscall_64+0x64/0x90 +[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.418306] +[ 285.418531] Freed by task 144: +[ 285.418960] kasan_save_stack+0x1e/0x40 +[ 285.419469] kasan_set_track+0x21/0x30 +[ 285.419988] kasan_save_free_info+0x27/0x40 +[ 285.420556] ____kasan_slab_free+0x109/0x1a0 +[ 285.421146] kmem_cache_free+0x1c2/0x450 +[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870 +[ 285.422333] __netif_receive_skb_one_core+0x97/0x140 +[ 285.423003] process_backlog+0x100/0x2f0 +[ 285.423537] __napi_poll+0x5c/0x2d0 +[ 285.424023] net_rx_action+0x2be/0x560 +[ 285.424510] __do_softirq+0x11b/0x3de +[ 285.425034] +[ 285.425254] The buggy address belongs to the object at ffff8880bad31280 +[ 285.425254] which belongs to the cache skbuff_head_cache of size 224 +[ 285.426993] The buggy address is located 40 bytes inside of +[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360) +[ 285.428572] +[ 285.428798] The buggy address belongs to the physical page: +[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31 +[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1) +[ 285.431447] page_type: 0xffffffff() +[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000 +[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 285.433562] page dumped because: kasan: bad access detected +[ 285.434144] +[ 285.434320] Memory state around the buggy address: +[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 285.436777] ^ +[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.438126] ================================================================== +[ 285.438662] Disabling lock debugging due to kernel taint + +Fix this by: +1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a +function compatible with non-work-conserving qdiscs +2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: valis +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_plug.c | 2 +- + net/sched/sch_qfq.c | 22 +++++++++++++++++----- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c +index cbc2ebca4548c..339990bb59817 100644 +--- a/net/sched/sch_plug.c ++++ b/net/sched/sch_plug.c +@@ -210,7 +210,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = { + .priv_size = sizeof(struct plug_sched_data), + .enqueue = plug_enqueue, + .dequeue = plug_dequeue, +- .peek = qdisc_peek_head, ++ .peek = qdisc_peek_dequeued, + .init = plug_init, + .change = plug_change, + .reset = qdisc_reset_queue, +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index d5a1e4b237b18..ebf9f473c9392 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -979,10 +979,13 @@ static void qfq_update_eligible(struct qfq_sched *q) + } + + /* Dequeue head packet of the head class in the DRR queue of the aggregate. */ +-static void agg_dequeue(struct qfq_aggregate *agg, +- struct qfq_class *cl, unsigned int len) ++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, ++ struct qfq_class *cl, unsigned int len) + { +- qdisc_dequeue_peeked(cl->qdisc); ++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc); ++ ++ if (!skb) ++ return NULL; + + cl->deficit -= (int) len; + +@@ -992,6 +995,8 @@ static void agg_dequeue(struct qfq_aggregate *agg, + cl->deficit += agg->lmax; + list_move_tail(&cl->alist, &agg->active); + } ++ ++ return skb; + } + + static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, +@@ -1137,11 +1142,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) + if (!skb) + return NULL; + +- qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; ++ ++ skb = agg_dequeue(in_serv_agg, cl, len); ++ ++ if (!skb) { ++ sch->q.qlen++; ++ return NULL; ++ } ++ ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + +- agg_dequeue(in_serv_agg, cl, len); + /* If lmax is lowered, through qfq_change_class, for a class + * owning pending packets with larger size than the new value + * of lmax, then the following condition may hold. +-- +2.40.1 + diff --git a/queue-5.10/netfilter-nfnetlink_osf-avoid-oob-read.patch b/queue-5.10/netfilter-nfnetlink_osf-avoid-oob-read.patch new file mode 100644 index 00000000000..cdc6a2ddee9 --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_osf-avoid-oob-read.patch @@ -0,0 +1,59 @@ +From d9a8903f2b281a996b0df040ae6afe8f4b28b115 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 10:50:20 -0300 +Subject: netfilter: nfnetlink_osf: avoid OOB read + +From: Wander Lairson Costa + +[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ] + +The opt_num field is controlled by user mode and is not currently +validated inside the kernel. An attacker can take advantage of this to +trigger an OOB read and potentially leak information. + +BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 +Read of size 2 at addr ffff88804bc64272 by task poc/6431 + +CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1 +Call Trace: + nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 + nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281 + nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47 + expr_call_ops_eval net/netfilter/nf_tables_core.c:214 + nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264 + nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23 + [..] + +Also add validation to genre, subtype and version fields. + +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Lucas Leong +Signed-off-by: Wander Lairson Costa +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 9dbaa5ce24e51..573a372e760f4 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl, + + f = nla_data(osf_attrs[OSF_ATTR_FINGER]); + ++ if (f->opt_num > ARRAY_SIZE(f->opt)) ++ return -EINVAL; ++ ++ if (!memchr(f->genre, 0, MAXGENRELEN) || ++ !memchr(f->subtype, 0, MAXGENRELEN) || ++ !memchr(f->version, 0, MAXGENRELEN)) ++ return -EINVAL; ++ + kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL); + if (!kf) + return -ENOMEM; +-- +2.40.1 + diff --git a/queue-5.10/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch b/queue-5.10/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch new file mode 100644 index 00000000000..acb2fdefc04 --- /dev/null +++ b/queue-5.10/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch @@ -0,0 +1,114 @@ +From 609366315a3590a8b48720d42b2e6dc66434f2f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 18:22:14 -0300 +Subject: perf annotate bpf: Don't enclose non-debug code with an assert() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ] + +In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we +started using NDEBUG=1 when DEBUG=1 isn't present, so code that is +enclosed with assert() is not called. + +In dd317df072071903 ("perf build: Make binutil libraries opt in") we +stopped linking against binutils-devel, for licensing reasons. + +Recently people asked me why annotation of BPF programs wasn't working, +i.e. this: + + $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb + +was returning: + + case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF: + scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation"); + +This was on a fedora rpm, so its new enough that I had to try to test by +rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me. + +This combination made this libopcode function not to be called: + + assert(bfd_check_format(bfdf, bfd_object)); + +Changing it to: + + if (!bfd_check_format(bfdf, bfd_object)) + abort(); + +Made it work, looking at this "check" function made me realize it +changes the 'bfdf' internal state, i.e. we better call it. + +So stop using assert() on it, just call it and abort if it fails. + +Probably it is better to propagate the error, etc, but it seems it is +unlikely to fail from the usage done so far and we really need to stop +using libopcodes, so do the quick fix above and move on. + +With it we have BPF annotation back working when built with +BUILD_NONDISTRO=1: + + ⬢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb | head + No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found + Samples: 12 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period] + bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb + Percent int kfree_skb(struct trace_event_raw_kfree_skb *args) { + nop + 33.33 xchg %ax,%ax + push %rbp + mov %rsp,%rbp + sub $0x180,%rsp + push %rbx + push %r13 + ⬢[acme@toolbox perf-tools-next]$ + +Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mohamed Mahmoud +Cc: Namhyung Kim +Cc: Dave Tucker +Cc: Derek Barbosa +Cc: Song Liu +Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 3081894547883..c9078cee6be01 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1718,8 +1718,11 @@ static int symbol__disassemble_bpf(struct symbol *sym, + perf_exe(tpath, sizeof(tpath)); + + bfdf = bfd_openr(tpath, NULL); +- assert(bfdf); +- assert(bfd_check_format(bfdf, bfd_object)); ++ if (bfdf == NULL) ++ abort(); ++ ++ if (!bfd_check_format(bfdf, bfd_object)) ++ abort(); + + s = open_memstream(&buf, &buf_size); + if (!s) { +@@ -1767,7 +1770,8 @@ static int symbol__disassemble_bpf(struct symbol *sym, + #else + disassemble = disassembler(bfdf); + #endif +- assert(disassemble); ++ if (disassemble == NULL) ++ abort(); + + fflush(s); + do { +-- +2.40.1 + diff --git a/queue-5.10/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch b/queue-5.10/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch new file mode 100644 index 00000000000..e1a6dcc332a --- /dev/null +++ b/queue-5.10/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch @@ -0,0 +1,85 @@ +From 9703d18081794a23fe26f8f54398d93787251b37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 09:11:21 -0300 +Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ] + +While debugging a segfault on 'perf lock contention' without an +available perf.data file I noticed that it was basically calling: + + perf_session__delete(ERR_PTR(-1)) + +Resulting in: + + (gdb) run lock contention + Starting program: /root/bin/perf lock contention + [Thread debugging using libthread_db enabled] + Using host libthread_db library "/lib64/libthread_db.so.1". + failed to open perf.data: No such file or directory (try 'perf record' first) + Initializing perf session failed + + Program received signal SIGSEGV, Segmentation fault. + 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + 2858 if (!session->auxtrace) + (gdb) p session + $1 = (struct perf_session *) 0xffffffffffffffff + (gdb) bt + #0 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + #1 0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300 + #2 0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161 + #3 0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604 + #4 0x0000000000501466 in run_builtin (p=0xe597a8 , argc=2, argv=0x7fffffffe200) at perf.c:322 + #5 0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375 + #6 0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419 + #7 0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535 + (gdb) + +So just set it to NULL after using PTR_ERR(session) to decode the error +as perf_session__delete(NULL) is supported. + +The same problem was found in 'perf top' after an audit of all +perf_session__new() failure handling. + +Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure") +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Greg Kroah-Hartman +Cc: Jeremie Galarneau +Cc: Jiri Olsa +Cc: Kate Stewart +Cc: Mamatha Inamdar +Cc: Mukesh Ojha +Cc: Nageswara R Sastry +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Shawn Landden +Cc: Song Liu +Cc: Thomas Gleixner +Cc: Tzvetomir Stoyanov +Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 7c64134472c77..ee30372f77133 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1743,6 +1743,7 @@ int cmd_top(int argc, const char **argv) + top.session = perf_session__new(NULL, false, NULL); + if (IS_ERR(top.session)) { + status = PTR_ERR(top.session); ++ top.session = NULL; + goto out_delete_evlist; + } + +-- +2.40.1 + diff --git a/queue-5.10/pwm-lpc32xx-remove-handling-of-pwm-channels.patch b/queue-5.10/pwm-lpc32xx-remove-handling-of-pwm-channels.patch new file mode 100644 index 00000000000..b3b42e480b3 --- /dev/null +++ b/queue-5.10/pwm-lpc32xx-remove-handling-of-pwm-channels.patch @@ -0,0 +1,88 @@ +From 25286d13ddb5a5bf8462ee432b3184a0fff2465b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:52:57 +0200 +Subject: pwm: lpc32xx: Remove handling of PWM channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Zapolskiy + +[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ] + +Because LPC32xx PWM controllers have only a single output which is +registered as the only PWM device/channel per controller, it is known in +advance that pwm->hwpwm value is always 0. On basis of this fact +simplify the code by removing operations with pwm->hwpwm, there is no +controls which require channel number as input. + +Even though I wasn't aware at the time when I forward ported that patch, +this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL +before devm_pwmchip_add() is called. + +Reported-by: Dan Carpenter +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Uwe Kleine-König +Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered") +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpc32xx.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c +index 522f862eca526..504a8f506195a 100644 +--- a/drivers/pwm/pwm-lpc32xx.c ++++ b/drivers/pwm/pwm-lpc32xx.c +@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + if (duty_cycles > 255) + duty_cycles = 255; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~0xFFFF; + val |= (period_cycles << 8) | duty_cycles; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm) + if (ret) + return ret; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val |= PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) + struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip); + u32 val; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + clk_disable_unprepare(lpc32xx->clk); + } +@@ -121,9 +121,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev) + lpc32xx->chip.base = -1; + + /* If PWM is disabled, configure the output to the default value */ +- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_PIN_LEVEL; +- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ writel(val, lpc32xx->base); + + ret = pwmchip_add(&lpc32xx->chip); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-5.10/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch b/queue-5.10/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch new file mode 100644 index 00000000000..b633711d611 --- /dev/null +++ b/queue-5.10/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch @@ -0,0 +1,37 @@ +From e710993df8526e828c8ba11e4d8aa9acf40fb42c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 13:59:59 +0300 +Subject: s390/zcrypt: don't leak memory if dev_set_name() fails + +From: Andy Shevchenko + +[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ] + +When dev_set_name() fails, zcdn_create() doesn't free the newly +allocated resources. Do it. + +Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Harald Freudenberger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c +index 3b9eda311c273..b518009715eeb 100644 +--- a/drivers/s390/crypto/zcrypt_api.c ++++ b/drivers/s390/crypto/zcrypt_api.c +@@ -399,6 +399,7 @@ static int zcdn_create(const char *name) + ZCRYPT_NAME "_%d", (int) MINOR(devt)); + nodename[sizeof(nodename)-1] = '\0'; + if (dev_set_name(&zcdndev->device, nodename)) { ++ kfree(zcdndev); + rc = -EINVAL; + goto unlockout; + } +-- +2.40.1 + diff --git a/queue-5.10/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch b/queue-5.10/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch new file mode 100644 index 00000000000..3e6cf9ff52f --- /dev/null +++ b/queue-5.10/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch @@ -0,0 +1,152 @@ +From 02f4bbf0acb194a92605611fdc8d4219c260edc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:45:19 +0000 +Subject: sctp: annotate data-races around sk->sk_wmem_queued + +From: Eric Dumazet + +[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ] + +sk->sk_wmem_queued can be read locklessly from sctp_poll() + +Use sk_wmem_queued_add() when the field is changed, +and add READ_ONCE() annotations in sctp_writeable() +and sctp_assocs_seq_show() + +syzbot reported: + +BUG: KCSAN: data-race in sctp_poll / sctp_wfree + +read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0: +sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147 +skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988 +skb_release_all net/core/skbuff.c:1000 [inline] +__kfree_skb+0x16/0x140 net/core/skbuff.c:1016 +consume_skb+0x57/0x180 net/core/skbuff.c:1232 +sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline] +sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530 +sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128 +sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515 +sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381 +sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline] +sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline] +sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] +sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169 +sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051 +sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80 +sctp_rcv+0x116e/0x1340 net/sctp/input.c:243 +sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +process_backlog+0x21f/0x380 net/core/dev.c:5894 +__napi_poll+0x60/0x3b0 net/core/dev.c:6460 +napi_poll net/core/dev.c:6527 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6660 +__do_softirq+0xc1/0x265 kernel/softirq.c:553 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1: +sctp_writeable net/sctp/socket.c:9304 [inline] +sctp_poll+0x265/0x410 net/sctp/socket.c:8671 +sock_poll+0x253/0x270 net/socket.c:1374 +vfs_poll include/linux/poll.h:88 [inline] +do_pollfd fs/select.c:873 [inline] +do_poll fs/select.c:921 [inline] +do_sys_poll+0x636/0xc00 fs/select.c:1015 +__do_sys_ppoll fs/select.c:1121 [inline] +__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101 +__x64_sys_ppoll+0x67/0x80 fs/select.c:1101 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00019e80 -> 0x0000cc80 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/proc.c | 2 +- + net/sctp/socket.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/proc.c b/net/sctp/proc.c +index 982a87b3e11f8..963b94517ec20 100644 +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -284,7 +284,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v) + assoc->init_retries, assoc->shutdown_retries, + assoc->rtx_data_chunks, + refcount_read(&sk->sk_wmem_alloc), +- sk->sk_wmem_queued, ++ READ_ONCE(sk->sk_wmem_queued), + sk->sk_sndbuf, + sk->sk_rcvbuf); + seq_printf(seq, "\n"); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index fa4d31b507f29..68d53e3f0d07a 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -68,7 +68,7 @@ + #include + + /* Forward declarations for internal helper functions. */ +-static bool sctp_writeable(struct sock *sk); ++static bool sctp_writeable(const struct sock *sk); + static void sctp_wfree(struct sk_buff *skb); + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + size_t msg_len); +@@ -138,7 +138,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk) + + refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc); + asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk); +- sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk)); + sk_mem_charge(sk, chunk->skb->truesize); + } + +@@ -8900,7 +8900,7 @@ static void sctp_wfree(struct sk_buff *skb) + struct sock *sk = asoc->base.sk; + + sk_mem_uncharge(sk, skb->truesize); +- sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk))); + asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk); + WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk), + &sk->sk_wmem_alloc)); +@@ -9055,9 +9055,9 @@ void sctp_write_space(struct sock *sk) + * UDP-style sockets or TCP-style sockets, this code should work. + * - Daisy + */ +-static bool sctp_writeable(struct sock *sk) ++static bool sctp_writeable(const struct sock *sk) + { +- return sk->sk_sndbuf > sk->sk_wmem_queued; ++ return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued); + } + + /* Wait for an association to go into ESTABLISHED state. If timeout is 0, +-- +2.40.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 61821a2dd72..e539033e48e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -331,3 +331,37 @@ clk-qcom-gcc-mdm9615-use-proper-parent-for-pll0_vote-clock.patch soc-qcom-qmi_encdec-restrict-string-length-in-decode.patch nfs-fix-a-potential-data-corruption.patch nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch +kconfig-fix-possible-buffer-overflow.patch +backlight-gpio_backlight-drop-output-gpio-direction-.patch +perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch +x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch +perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch +watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch +pwm-lpc32xx-remove-handling-of-pwm-channels.patch +net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch +sctp-annotate-data-races-around-sk-sk_wmem_queued.patch +ipv4-annotate-data-races-around-fi-fib_dead.patch +net-read-sk-sk_family-once-in-sk_mc_loop.patch +drm-i915-gvt-save-restore-hw-status-to-support-gvt-s.patch +drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch +ipv4-ignore-dst-hint-for-multipath-routes.patch +igb-disable-virtualization-features-on-82580.patch +veth-fixing-transmit-return-status-for-dropped-packe.patch +net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch +af_unix-fix-data-races-around-user-unix_inflight.patch +af_unix-fix-data-race-around-unix_tot_inflight.patch +af_unix-fix-data-races-around-sk-sk_shutdown.patch +af_unix-fix-data-race-around-sk-sk_err.patch +net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch +kcm-destroy-mutex-in-kcm_exit_net.patch +igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch +igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch +igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch +s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch +idr-fix-param-name-in-idr_alloc_cyclic-doc.patch +ip_tunnels-use-dev_stats_inc.patch +net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch +net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch +netfilter-nfnetlink_osf-avoid-oob-read.patch +net-hns3-fix-the-port-information-display-when-sfp-i.patch +sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch diff --git a/queue-5.10/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch b/queue-5.10/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch new file mode 100644 index 00000000000..b4feed86dac --- /dev/null +++ b/queue-5.10/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch @@ -0,0 +1,121 @@ +From 04c2dd38a370d8a23e5bf05ae6d6e72014289418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:07:42 +0200 +Subject: sh: boards: Fix CEU buffer size passed to + dma_declare_coherent_memory() + +From: Petr Tesarik + +[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ] + +In all these cases, the last argument to dma_declare_coherent_memory() is +the buffer end address, but the expected value should be the size of the +reserved region. + +Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver") +Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver") +Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver") +Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver") +Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver") +Signed-off-by: Petr Tesarik +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: John Paul Adrian Glaubitz +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/boards/mach-ap325rxa/setup.c | 2 +- + arch/sh/boards/mach-ecovec24/setup.c | 6 ++---- + arch/sh/boards/mach-kfr2r09/setup.c | 2 +- + arch/sh/boards/mach-migor/setup.c | 2 +- + arch/sh/boards/mach-se/7724/setup.c | 6 ++---- + 5 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c +index bac8a058ebd7c..05bd42dde107b 100644 +--- a/arch/sh/boards/mach-ap325rxa/setup.c ++++ b/arch/sh/boards/mach-ap325rxa/setup.c +@@ -530,7 +530,7 @@ static int __init ap325rxa_devices_setup(void) + device_initialize(&ap325rxa_ceu_device.dev); + dma_declare_coherent_memory(&ap325rxa_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&ap325rxa_ceu_device); + +diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c +index bab91a99124e1..9730a992dab33 100644 +--- a/arch/sh/boards/mach-ecovec24/setup.c ++++ b/arch/sh/boards/mach-ecovec24/setup.c +@@ -1454,15 +1454,13 @@ static int __init arch_setup(void) + device_initialize(&ecovec_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[0]); + + device_initialize(&ecovec_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[1]); + + gpiod_add_lookup_table(&cn12_power_gpiod_table); +diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c +index eeb5ce341efdd..4a1caa3e7cf5a 100644 +--- a/arch/sh/boards/mach-kfr2r09/setup.c ++++ b/arch/sh/boards/mach-kfr2r09/setup.c +@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void) + device_initialize(&kfr2r09_ceu_device.dev); + dma_declare_coherent_memory(&kfr2r09_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&kfr2r09_ceu_device); + +diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c +index 6703a2122c0d6..bd4ccd9f8dd06 100644 +--- a/arch/sh/boards/mach-migor/setup.c ++++ b/arch/sh/boards/mach-migor/setup.c +@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void) + device_initialize(&migor_ceu_device.dev); + dma_declare_coherent_memory(&migor_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&migor_ceu_device); + +diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c +index 8d6541ba01865..edc7712e4a804 100644 +--- a/arch/sh/boards/mach-se/7724/setup.c ++++ b/arch/sh/boards/mach-se/7724/setup.c +@@ -940,15 +940,13 @@ static int __init devices_setup(void) + device_initialize(&ms7724se_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[0]); + + device_initialize(&ms7724se_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[1]); + + return platform_add_devices(ms7724se_devices, +-- +2.40.1 + diff --git a/queue-5.10/veth-fixing-transmit-return-status-for-dropped-packe.patch b/queue-5.10/veth-fixing-transmit-return-status-for-dropped-packe.patch new file mode 100644 index 00000000000..8acbd697760 --- /dev/null +++ b/queue-5.10/veth-fixing-transmit-return-status-for-dropped-packe.patch @@ -0,0 +1,54 @@ +From 9a9a239564824ea6558d7a37248a50a483c4845e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:09:21 +0800 +Subject: veth: Fixing transmit return status for dropped packets + +From: Liang Chen + +[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ] + +The veth_xmit function returns NETDEV_TX_OK even when packets are dropped. +This behavior leads to incorrect calculations of statistics counts, as +well as things like txq->trans_start updates. + +Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.") +Signed-off-by: Liang Chen +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 4ba86fa4d6497..743716ebebdb9 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -285,6 +285,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct veth_priv *rcv_priv, *priv = netdev_priv(dev); + struct veth_rq *rq = NULL; ++ int ret = NETDEV_TX_OK; + struct net_device *rcv; + int length = skb->len; + bool rcv_xdp = false; +@@ -311,6 +312,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + } else { + drop: + atomic64_inc(&priv->dropped); ++ ret = NET_XMIT_DROP; + } + + if (rcv_xdp) +@@ -318,7 +320,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + + rcu_read_unlock(); + +- return NETDEV_TX_OK; ++ return ret; + } + + static u64 veth_stats_tx(struct net_device *dev, u64 *packets, u64 *bytes) +-- +2.40.1 + diff --git a/queue-5.10/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch b/queue-5.10/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch new file mode 100644 index 00000000000..8e3ff4860ba --- /dev/null +++ b/queue-5.10/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch @@ -0,0 +1,40 @@ +From 15048bbb6637072056aca54521517a8ddf718f10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:32:20 +0530 +Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load + +From: Raag Jadav + +[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ] + +When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver +needs to be loaded manually, for the lack of module alias. +This causes unintended resets in cases where watchdog timer is +set-up by bootloader and the driver is not explicitly loaded. +Add MODULE_ALIAS() to load the driver automatically at boot and +avoid this issue. + +Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support") +Signed-off-by: Raag Jadav +Reviewed-by: Andy Shevchenko +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/intel-mid_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c +index 9b2173f765c8c..fb7fae750181b 100644 +--- a/drivers/watchdog/intel-mid_wdt.c ++++ b/drivers/watchdog/intel-mid_wdt.c +@@ -203,3 +203,4 @@ module_platform_driver(mid_wdt_driver); + MODULE_AUTHOR("David Cohen "); + MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:intel_mid_wdt"); +-- +2.40.1 + diff --git a/queue-5.10/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch b/queue-5.10/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch new file mode 100644 index 00000000000..1d7c71ec536 --- /dev/null +++ b/queue-5.10/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch @@ -0,0 +1,45 @@ +From aa01f78002c4e80ff04cd090e44da59c2c35bbd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 13:18:52 -0700 +Subject: x86/virt: Drop unnecessary check on extended CPUID level in + cpu_has_svm() + +From: Sean Christopherson + +[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ] + +Drop the explicit check on the extended CPUID level in cpu_has_svm(), the +kernel's cached CPUID info will leave the entire SVM leaf unset if said +leaf is not supported by hardware. Prior to using cached information, +the check was needed to avoid false positives due to Intel's rather crazy +CPUID behavior of returning the values of the maximum supported leaf if +the specified leaf is unsupported. + +Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()") +Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/virtext.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h +index 8eefa3386d8ce..331474296e6f1 100644 +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -95,12 +95,6 @@ static inline int cpu_has_svm(const char **msg) + return 0; + } + +- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) { +- if (msg) +- *msg = "can't execute cpuid_8000000a"; +- return 0; +- } +- + if (!boot_cpu_has(X86_FEATURE_SVM)) { + if (msg) + *msg = "svm not available"; +-- +2.40.1 +