From: Sasha Levin Date: Sun, 24 Sep 2023 19:27:42 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.5.6~103 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d09f72973b97a2bc45748454fa771eec97e1b12;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/alsa-hda-realtek-splitting-the-ux3402-into-two-separ.patch b/queue-6.1/alsa-hda-realtek-splitting-the-ux3402-into-two-separ.patch new file mode 100644 index 00000000000..e8f4a2d89ee --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-splitting-the-ux3402-into-two-separ.patch @@ -0,0 +1,38 @@ +From bc87f9ccfb96c0bd70737a6b2997141f6afff8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 10:33:43 +0500 +Subject: ALSA: hda/realtek: Splitting the UX3402 into two separate models + +From: Knyazev Arseniy + +[ Upstream commit 07058dceb038a4b0dd49af07118b6b2a685bb4a6 ] + +UX3402VA and UX3402ZA models require different hex values, so comibining +them into one model is incorrect. + +Fixes: 491a4ccd8a02 ("ALSA: hda/realtek: Add quirk for ASUS Zenbook using CS35L41") +Signed-off-by: Knyazev Arseniy +Link: https://lore.kernel.org/r/20230913053343.119798-1-poseaydone@ya.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f70e0ad81607e..57e07aa4e136c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9657,7 +9657,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1d1f, "ASUS ROG Strix G17 2023 (G713PV)", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE), +- SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402ZA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x16a3, "ASUS UX3402VA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502), + SND_PCI_QUIRK(0x1043, 0x1e12, "ASUS UM3402", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1e51, "ASUS Zephyrus M15", ALC294_FIXUP_ASUS_GU502_PINS), +-- +2.40.1 + diff --git a/queue-6.1/asoc-hdaudio.c-add-missing-check-for-devm_kstrdup.patch b/queue-6.1/asoc-hdaudio.c-add-missing-check-for-devm_kstrdup.patch new file mode 100644 index 00000000000..b0cc2398b5e --- /dev/null +++ b/queue-6.1/asoc-hdaudio.c-add-missing-check-for-devm_kstrdup.patch @@ -0,0 +1,44 @@ +From bccf0a68daf5413f71a814108897294cc71b5c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 02:13:44 +0000 +Subject: ASoC: hdaudio.c: Add missing check for devm_kstrdup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +[ Upstream commit c04efbfd76d23157e64e6d6147518c187ab4233a ] + +Because of the potential failure of the devm_kstrdup(), the +dl[i].codecs->name could be NULL. +Therefore, we need to check it and return -ENOMEM in order to transfer +the error. + +Fixes: 97030a43371e ("ASoC: Intel: avs: Add HDAudio machine board") +Signed-off-by: Chen Ni +Reviewed-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230915021344.3078-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/boards/hdaudio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/intel/avs/boards/hdaudio.c b/sound/soc/intel/avs/boards/hdaudio.c +index 073663ba140d0..a65939f30ac47 100644 +--- a/sound/soc/intel/avs/boards/hdaudio.c ++++ b/sound/soc/intel/avs/boards/hdaudio.c +@@ -54,6 +54,9 @@ static int avs_create_dai_links(struct device *dev, struct hda_codec *codec, int + return -ENOMEM; + + dl[i].codecs->name = devm_kstrdup(dev, cname, GFP_KERNEL); ++ if (!dl[i].codecs->name) ++ return -ENOMEM; ++ + dl[i].codecs->dai_name = pcm->name; + dl[i].num_codecs = 1; + dl[i].num_cpus = 1; +-- +2.40.1 + diff --git a/queue-6.1/asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch b/queue-6.1/asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch new file mode 100644 index 00000000000..35de2f3cd21 --- /dev/null +++ b/queue-6.1/asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch @@ -0,0 +1,41 @@ +From 03eea913c65b8b8ff0a9340e1af0ffb3c87d4a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 14:02:11 +0800 +Subject: ASoC: imx-audmix: Fix return error with devm_clk_get() + +From: Shengjiu Wang + +[ Upstream commit b19a5733de255cabba5feecabf6e900638b582d1 ] + +The devm_clk_get() can return -EPROBE_DEFER error, +modify the error code to be -EINVAL is not correct, which +cause the -EPROBE_DEFER error is not correctly handled. + +This patch is to fix the return error code. + +Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver") +Signed-off-by: Shengjiu Wang +Reviewed-by: Daniel Baluta +Link: https://lore.kernel.org/r/1694757731-18308-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c +index d8e99b263ab21..cbe24d5b4e46a 100644 +--- a/sound/soc/fsl/imx-audmix.c ++++ b/sound/soc/fsl/imx-audmix.c +@@ -320,7 +320,7 @@ static int imx_audmix_probe(struct platform_device *pdev) + if (IS_ERR(priv->cpu_mclk)) { + ret = PTR_ERR(priv->cpu_mclk); + dev_err(&cpu_pdev->dev, "failed to get DAI mclk1: %d\n", ret); +- return -EINVAL; ++ return ret; + } + + priv->audmix_pdev = audmix_pdev; +-- +2.40.1 + diff --git a/queue-6.1/asoc-meson-spdifin-start-hw-on-dai-probe.patch b/queue-6.1/asoc-meson-spdifin-start-hw-on-dai-probe.patch new file mode 100644 index 00000000000..e1466768af3 --- /dev/null +++ b/queue-6.1/asoc-meson-spdifin-start-hw-on-dai-probe.patch @@ -0,0 +1,107 @@ +From e1e87488719bbb37519d17aeab096b2cdcded3d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 11:05:04 +0200 +Subject: ASoC: meson: spdifin: start hw on dai probe + +From: Jerome Brunet + +[ Upstream commit aedf323b66b2b875137422ecb7d2525179759076 ] + +For spdif input to report the locked rate correctly, even when no capture +is running, the HW and reference clock must be started as soon as +the dai is probed. + +Fixes: 5ce5658375e6 ("ASoC: meson: add axg spdif input") +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230907090504.12700-1-jbrunet@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-spdifin.c | 49 ++++++++++++----------------------- + 1 file changed, 17 insertions(+), 32 deletions(-) + +diff --git a/sound/soc/meson/axg-spdifin.c b/sound/soc/meson/axg-spdifin.c +index e2cc4c4be7586..97e81ec4a78ce 100644 +--- a/sound/soc/meson/axg-spdifin.c ++++ b/sound/soc/meson/axg-spdifin.c +@@ -112,34 +112,6 @@ static int axg_spdifin_prepare(struct snd_pcm_substream *substream, + return 0; + } + +-static int axg_spdifin_startup(struct snd_pcm_substream *substream, +- struct snd_soc_dai *dai) +-{ +- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai); +- int ret; +- +- ret = clk_prepare_enable(priv->refclk); +- if (ret) { +- dev_err(dai->dev, +- "failed to enable spdifin reference clock\n"); +- return ret; +- } +- +- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, +- SPDIFIN_CTRL0_EN); +- +- return 0; +-} +- +-static void axg_spdifin_shutdown(struct snd_pcm_substream *substream, +- struct snd_soc_dai *dai) +-{ +- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai); +- +- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0); +- clk_disable_unprepare(priv->refclk); +-} +- + static void axg_spdifin_write_mode_param(struct regmap *map, int mode, + unsigned int val, + unsigned int num_per_reg, +@@ -251,25 +223,38 @@ static int axg_spdifin_dai_probe(struct snd_soc_dai *dai) + ret = axg_spdifin_sample_mode_config(dai, priv); + if (ret) { + dev_err(dai->dev, "mode configuration failed\n"); +- clk_disable_unprepare(priv->pclk); +- return ret; ++ goto pclk_err; + } + ++ ret = clk_prepare_enable(priv->refclk); ++ if (ret) { ++ dev_err(dai->dev, ++ "failed to enable spdifin reference clock\n"); ++ goto pclk_err; ++ } ++ ++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, ++ SPDIFIN_CTRL0_EN); ++ + return 0; ++ ++pclk_err: ++ clk_disable_unprepare(priv->pclk); ++ return ret; + } + + static int axg_spdifin_dai_remove(struct snd_soc_dai *dai) + { + struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai); + ++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0); ++ clk_disable_unprepare(priv->refclk); + clk_disable_unprepare(priv->pclk); + return 0; + } + + static const struct snd_soc_dai_ops axg_spdifin_ops = { + .prepare = axg_spdifin_prepare, +- .startup = axg_spdifin_startup, +- .shutdown = axg_spdifin_shutdown, + }; + + static int axg_spdifin_iec958_info(struct snd_kcontrol *kcontrol, +-- +2.40.1 + diff --git a/queue-6.1/asoc-rt5640-fix-irq-not-being-free-ed-for-hda-jack-d.patch b/queue-6.1/asoc-rt5640-fix-irq-not-being-free-ed-for-hda-jack-d.patch new file mode 100644 index 00000000000..3d912395ed6 --- /dev/null +++ b/queue-6.1/asoc-rt5640-fix-irq-not-being-free-ed-for-hda-jack-d.patch @@ -0,0 +1,40 @@ +From 3ae0a19fce9f27b5220c5a16f9e77d957de730db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 13:32:44 +0200 +Subject: ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode + +From: Hans de Goede + +[ Upstream commit 8c8bf3df6b7c0ed1c4dd373b23eb0ce13a63f452 ] + +Set "rt5640->irq_requested = true" after a successful request_irq() +in rt5640_enable_hda_jack_detect(), so that rt5640_disable_jack_detect() +properly frees the IRQ. + +This fixes the IRQ not being freed on rmmod / driver unbind. + +Fixes: 2b9c8d2b3c89 ("ASoC: rt5640: Add the HDA header support") +Cc: Oder Chiou +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230912113245.320159-6-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5640.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index 0f8e6dd214b0d..37ea4d854cb58 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2624,6 +2624,7 @@ static void rt5640_enable_hda_jack_detect( + rt5640->irq = -ENXIO; + return; + } ++ rt5640->irq_requested = true; + + /* sync initial jack state */ + queue_delayed_work(system_long_wq, &rt5640->jack_work, 0); +-- +2.40.1 + diff --git a/queue-6.1/asoc-rt5640-revert-fix-sleep-in-atomic-context.patch b/queue-6.1/asoc-rt5640-revert-fix-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..f70c76fe623 --- /dev/null +++ b/queue-6.1/asoc-rt5640-revert-fix-sleep-in-atomic-context.patch @@ -0,0 +1,77 @@ +From 95662378ce0fae5877548b048b530b58191fe18f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 13:32:40 +0200 +Subject: ASoC: rt5640: Revert "Fix sleep in atomic context" + +From: Hans de Goede + +[ Upstream commit fa6a0c0c1dd53b3949ca56bf7213648dfd6a62ee ] + +Commit 70a6404ff610 ("ASoC: rt5640: Fix sleep in atomic context") +not only switched from request_irq() to request_threaded_irq(), +to fix the sleep in atomic context issue, but it also added +devm management of the IRQ by actually switching to +devm_request_threaded_irq() (without any explanation in the commit +message for this change). + +This is wrong since the IRQ was already explicitly managed by +the driver. On unbind the ASoC core will call rt5640_set_jack(NULL) +which in turn will call rt5640_disable_jack_detect() which +frees the IRQ already. So now we have a double free. + +Besides the unexplained switch to devm being wrong, the actual fix +for the sleep in atomic context issue also is not the best solution. + +The only thing which rt5640_irq() does is cancel + (re-)queue +the jack_work delayed_work. This can be done in a single non sleeping +call by replacing queue_delayed_work() with mod_delayed_work(), +which does not sleep. Using mod_delayed_work() is a much better fix +then adding a thread which does nothing other then queuing a work-item. + +This patch is a straight revert of the troublesome changes, the switch +to mod_delayed_work() is done in a separate follow-up patch. + +Fixes: 70a6404ff610 ("ASoC: rt5640: Fix sleep in atomic context") +Cc: Sameer Pujar +Cc: Oder Chiou +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230912113245.320159-2-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5640.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index a7071d0a2562f..0f8e6dd214b0d 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2562,10 +2562,9 @@ static void rt5640_enable_jack_detect(struct snd_soc_component *component, + if (jack_data && jack_data->use_platform_clock) + rt5640->use_platform_clock = jack_data->use_platform_clock; + +- ret = devm_request_threaded_irq(component->dev, rt5640->irq, +- NULL, rt5640_irq, +- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, +- "rt5640", rt5640); ++ ret = request_irq(rt5640->irq, rt5640_irq, ++ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, ++ "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640_disable_jack_detect(component); +@@ -2618,9 +2617,8 @@ static void rt5640_enable_hda_jack_detect( + + rt5640->jack = jack; + +- ret = devm_request_threaded_irq(component->dev, rt5640->irq, +- NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT, +- "rt5640", rt5640); ++ ret = request_irq(rt5640->irq, rt5640_irq, ++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640->irq = -ENXIO; +-- +2.40.1 + diff --git a/queue-6.1/asoc-sof-core-only-call-sof_ops_free-on-remove-if-th.patch b/queue-6.1/asoc-sof-core-only-call-sof_ops_free-on-remove-if-th.patch new file mode 100644 index 00000000000..09548cd37e9 --- /dev/null +++ b/queue-6.1/asoc-sof-core-only-call-sof_ops_free-on-remove-if-th.patch @@ -0,0 +1,45 @@ +From e700b53f38a0499556cc1daa68ecd2ecb42c8250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:40:15 +0300 +Subject: ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was + successful + +From: Peter Ujfalusi + +[ Upstream commit 31bb7bd9ffee50d09ec931998b823a86132ab807 ] + +All the fail paths during probe will free up the ops, on remove we should +only free it if the probe was successful. + +Fixes: bc433fd76fae ("ASoC: SOF: Add ops_free") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Rander Wang +Link: https://lore.kernel.org/r/20230915124015.19637-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/sof/core.c b/sound/soc/sof/core.c +index 75a1e2c6539f2..eaa16755a2704 100644 +--- a/sound/soc/sof/core.c ++++ b/sound/soc/sof/core.c +@@ -461,10 +461,9 @@ int snd_sof_device_remove(struct device *dev) + snd_sof_ipc_free(sdev); + snd_sof_free_debug(sdev); + snd_sof_remove(sdev); ++ sof_ops_free(sdev); + } + +- sof_ops_free(sdev); +- + /* release firmware */ + snd_sof_fw_unload(sdev); + +-- +2.40.1 + diff --git a/queue-6.1/bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch b/queue-6.1/bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch new file mode 100644 index 00000000000..ec493e42b66 --- /dev/null +++ b/queue-6.1/bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch @@ -0,0 +1,62 @@ +From 7cdab4978bb55df29c1c3caee19c91a2451ed95d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 17:36:10 +0200 +Subject: bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI + +From: Sebastian Andrzej Siewior + +[ Upstream commit edc0140cc3b7b91874ebe70eb7d2a851e8817ccc ] + +bnxt_poll_nitroa0() invokes bnxt_rx_pkt() which can run a XDP program +which in turn can return XDP_REDIRECT. bnxt_rx_pkt() is also used by +__bnxt_poll_work() which flushes (xdp_do_flush()) the packets after each +round. bnxt_poll_nitroa0() lacks this feature. +xdp_do_flush() should be invoked before leaving the NAPI callback. + +Invoke xdp_do_flush() after a redirect in bnxt_poll_nitroa0() NAPI. + +Cc: Michael Chan +Fixes: f18c2b77b2e4e ("bnxt_en: optimized XDP_REDIRECT support") +Reviewed-by: Andy Gospodarek +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Michael Chan +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 969db3c45d176..e81cb825dff4c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -2654,6 +2654,7 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget) + struct rx_cmp_ext *rxcmp1; + u32 cp_cons, tmp_raw_cons; + u32 raw_cons = cpr->cp_raw_cons; ++ bool flush_xdp = false; + u32 rx_pkts = 0; + u8 event = 0; + +@@ -2688,6 +2689,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget) + rx_pkts++; + else if (rc == -EBUSY) /* partial completion */ + break; ++ if (event & BNXT_REDIRECT_EVENT) ++ flush_xdp = true; + } else if (unlikely(TX_CMP_TYPE(txcmp) == + CMPL_BASE_TYPE_HWRM_DONE)) { + bnxt_hwrm_handler(bp, txcmp); +@@ -2707,6 +2710,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget) + + if (event & BNXT_AGG_EVENT) + bnxt_db_write(bp, &rxr->rx_agg_db, rxr->rx_agg_prod); ++ if (flush_xdp) ++ xdp_do_flush(); + + if (!bnxt_has_work(bp, cpr) && rx_pkts < budget) { + napi_complete_done(napi, rx_pkts); +-- +2.40.1 + diff --git a/queue-6.1/bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch b/queue-6.1/bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch new file mode 100644 index 00000000000..861351576e7 --- /dev/null +++ b/queue-6.1/bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch @@ -0,0 +1,79 @@ +From 0409d723b90c4918cda35753a90ff34043b58419 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 15:28:14 +0200 +Subject: bpf: Avoid deadlock when using queue and stack maps from NMI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit a34a9f1a19afe9c60ca0ea61dfeee63a1c2baac8 ] + +Sysbot discovered that the queue and stack maps can deadlock if they are +being used from a BPF program that can be called from NMI context (such as +one that is attached to a perf HW counter event). To fix this, add an +in_nmi() check and use raw_spin_trylock() in NMI context, erroring out if +grabbing the lock fails. + +Fixes: f1a2e44a3aec ("bpf: add queue and stack maps") +Reported-by: Hsin-Wei Hung +Tested-by: Hsin-Wei Hung +Co-developed-by: Hsin-Wei Hung +Signed-off-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20230911132815.717240-1-toke@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/queue_stack_maps.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c +index 8a5e060de63bc..a8fe640318c6c 100644 +--- a/kernel/bpf/queue_stack_maps.c ++++ b/kernel/bpf/queue_stack_maps.c +@@ -102,7 +102,12 @@ static int __queue_map_get(struct bpf_map *map, void *value, bool delete) + int err = 0; + void *ptr; + +- raw_spin_lock_irqsave(&qs->lock, flags); ++ if (in_nmi()) { ++ if (!raw_spin_trylock_irqsave(&qs->lock, flags)) ++ return -EBUSY; ++ } else { ++ raw_spin_lock_irqsave(&qs->lock, flags); ++ } + + if (queue_stack_map_is_empty(qs)) { + memset(value, 0, qs->map.value_size); +@@ -132,7 +137,12 @@ static int __stack_map_get(struct bpf_map *map, void *value, bool delete) + void *ptr; + u32 index; + +- raw_spin_lock_irqsave(&qs->lock, flags); ++ if (in_nmi()) { ++ if (!raw_spin_trylock_irqsave(&qs->lock, flags)) ++ return -EBUSY; ++ } else { ++ raw_spin_lock_irqsave(&qs->lock, flags); ++ } + + if (queue_stack_map_is_empty(qs)) { + memset(value, 0, qs->map.value_size); +@@ -197,7 +207,12 @@ static int queue_stack_map_push_elem(struct bpf_map *map, void *value, + if (flags & BPF_NOEXIST || flags > BPF_EXIST) + return -EINVAL; + +- raw_spin_lock_irqsave(&qs->lock, irq_flags); ++ if (in_nmi()) { ++ if (!raw_spin_trylock_irqsave(&qs->lock, irq_flags)) ++ return -EBUSY; ++ } else { ++ raw_spin_lock_irqsave(&qs->lock, irq_flags); ++ } + + if (queue_stack_map_is_full(qs)) { + if (!replace) { +-- +2.40.1 + diff --git a/queue-6.1/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch b/queue-6.1/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch new file mode 100644 index 00000000000..4f62ae72d06 --- /dev/null +++ b/queue-6.1/dccp-fix-dccp_v4_err-dccp_v6_err-again.patch @@ -0,0 +1,132 @@ +From be1462fe96d264adf6c5d5da64dc58d490aab879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 19:00:35 +0000 +Subject: dccp: fix dccp_v4_err()/dccp_v6_err() again + +From: Eric Dumazet + +[ Upstream commit 6af289746a636f71f4c0535a9801774118486c7a ] + +dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr", +not in the "byte 7" as Jann claimed. + +We need to make sure the ICMP messages are big enough, +using more standard ways (no more assumptions). + +syzbot reported: +BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline] +BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline] +BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94 +pskb_may_pull_reason include/linux/skbuff.h:2667 [inline] +pskb_may_pull include/linux/skbuff.h:2681 [inline] +dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94 +icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867 +icmpv6_rcv+0x19d5/0x30d0 +ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 +ip6_input_finish net/ipv6/ip6_input.c:483 [inline] +NF_HOOK include/linux/netfilter.h:304 [inline] +ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 +ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:304 [inline] +ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 +__netif_receive_skb_one_core net/core/dev.c:5523 [inline] +__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 +netif_receive_skb_internal net/core/dev.c:5723 [inline] +netif_receive_skb+0x58/0x660 net/core/dev.c:5782 +tun_rx_batched+0x83b/0x920 +tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002 +tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 +call_write_iter include/linux/fs.h:1985 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x8ef/0x15c0 fs/read_write.c:584 +ksys_write+0x20f/0x4c0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x93/0xd0 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 +slab_alloc_node mm/slub.c:3478 [inline] +kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 +kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 +__alloc_skb+0x318/0x740 net/core/skbuff.c:650 +alloc_skb include/linux/skbuff.h:1286 [inline] +alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313 +sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795 +tun_alloc_skb drivers/net/tun.c:1531 [inline] +tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846 +tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 +call_write_iter include/linux/fs.h:1985 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x8ef/0x15c0 fs/read_write.c:584 +ksys_write+0x20f/0x4c0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x93/0xd0 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 + +Fixes: 977ad86c2a1b ("dccp: Fix out of bounds access in DCCP error handler") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jann Horn +Reviewed-by: Jann Horn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 9 ++------- + net/dccp/ipv6.c | 9 ++------- + 2 files changed, 4 insertions(+), 14 deletions(-) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 8f5d3c0881118..247179d4c8865 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -255,13 +255,8 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info) + int err; + struct net *net = dev_net(skb->dev); + +- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, +- * which is in byte 7 of the dccp header. +- * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us. +- * +- * Later on, we want to access the sequence number fields, which are +- * beyond 8 bytes, so we have to pskb_may_pull() ourselves. +- */ ++ if (!pskb_may_pull(skb, offset + sizeof(*dh))) ++ return -EINVAL; + dh = (struct dccp_hdr *)(skb->data + offset); + if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) + return -EINVAL; +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 2b09e2644b13f..6fb34eaf1237a 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -83,13 +83,8 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + __u64 seq; + struct net *net = dev_net(skb->dev); + +- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, +- * which is in byte 7 of the dccp header. +- * Our caller (icmpv6_notify()) already pulled 8 bytes for us. +- * +- * Later on, we want to access the sequence number fields, which are +- * beyond 8 bytes, so we have to pskb_may_pull() ourselves. +- */ ++ if (!pskb_may_pull(skb, offset + sizeof(*dh))) ++ return -EINVAL; + dh = (struct dccp_hdr *)(skb->data + offset); + if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) + return -EINVAL; +-- +2.40.1 + diff --git a/queue-6.1/i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch b/queue-6.1/i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch new file mode 100644 index 00000000000..709384c98e0 --- /dev/null +++ b/queue-6.1/i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch @@ -0,0 +1,89 @@ +From aa92afb8a1f6ade6b78711eefca24cb9e66aec4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 17:44:57 +0200 +Subject: i40e: Fix VF VLAN offloading when port VLAN is configured + +From: Ivan Vecera + +[ Upstream commit d0d362ffa33da4acdcf7aee2116ceef8c8fef658 ] + +If port VLAN is configured on a VF then any other VLANs on top of this VF +are broken. + +During i40e_ndo_set_vf_port_vlan() call the i40e driver reset the VF and +iavf driver asks PF (using VIRTCHNL_OP_GET_VF_RESOURCES) for VF capabilities +but this reset occurs too early, prior setting of vf->info.pvid field +and because this field can be zero during i40e_vc_get_vf_resources_msg() +then VIRTCHNL_VF_OFFLOAD_VLAN capability is reported to iavf driver. + +This is wrong because iavf driver should not report VLAN offloading +capability when port VLAN is configured as i40e does not support QinQ +offloading. + +Fix the issue by moving VF reset after setting of vf->port_vlan_id +field. + +Without this patch: +$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs +$ ip link set enp2s0f0 vf 0 vlan 3 +$ ip link set enp2s0f0v0 up +$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4 +$ ip link set vlan4 up +... +$ ethtool -k enp2s0f0v0 | grep vlan-offload +rx-vlan-offload: on +tx-vlan-offload: on +$ dmesg -l err | grep iavf +[1292500.742914] iavf 0000:02:02.0: Failed to add VLAN filter, error IAVF_ERR_INVALID_QP_ID + +With this patch: +$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs +$ ip link set enp2s0f0 vf 0 vlan 3 +$ ip link set enp2s0f0v0 up +$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4 +$ ip link set vlan4 up +... +$ ethtool -k enp2s0f0v0 | grep vlan-offload +rx-vlan-offload: off [requested on] +tx-vlan-offload: off [requested on] +$ dmesg -l err | grep iavf + +Fixes: f9b4b6278d51 ("i40e: Reset the VF upon conflicting VLAN configuration") +Signed-off-by: Ivan Vecera +Reviewed-by: Jesse Brandeburg +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index cb7cf672f6971..547e67d9470b7 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -4397,9 +4397,7 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id, + goto error_pvid; + + i40e_vlan_stripping_enable(vsi); +- i40e_vc_reset_vf(vf, true); +- /* During reset the VF got a new VSI, so refresh a pointer. */ +- vsi = pf->vsi[vf->lan_vsi_idx]; ++ + /* Locked once because multiple functions below iterate list */ + spin_lock_bh(&vsi->mac_filter_hash_lock); + +@@ -4485,6 +4483,10 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id, + */ + vf->port_vlan_id = le16_to_cpu(vsi->info.pvid); + ++ i40e_vc_reset_vf(vf, true); ++ /* During reset the VF got a new VSI, so refresh a pointer. */ ++ vsi = pf->vsi[vf->lan_vsi_idx]; ++ + ret = i40e_config_vf_promiscuous_mode(vf, vsi->id, allmulti, alluni); + if (ret) { + dev_err(&pf->pdev->dev, "Unable to config vf promiscuous mode\n"); +-- +2.40.1 + diff --git a/queue-6.1/i915-pmu-move-execlist-stats-initialization-to-execl.patch b/queue-6.1/i915-pmu-move-execlist-stats-initialization-to-execl.patch new file mode 100644 index 00000000000..af350775223 --- /dev/null +++ b/queue-6.1/i915-pmu-move-execlist-stats-initialization-to-execl.patch @@ -0,0 +1,55 @@ +From 6e2e106229cdcf6481da1bcfa5949e2e19847f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 14:22:47 -0700 +Subject: i915/pmu: Move execlist stats initialization to execlist specific + setup + +From: Umesh Nerlige Ramappa + +[ Upstream commit c524cd40e8a2a1a36f4898eaf2024beefeb815f3 ] + +engine->stats is a union of execlist and guc stat objects. When execlist +specific fields are initialized, the initial state of guc stats is +affected. This results in bad busyness values when using GuC mode. Move +the execlist initialization from common code to execlist specific code. + +Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu") +Signed-off-by: Umesh Nerlige Ramappa +Reviewed-by: Alan Previn +Link: https://patchwork.freedesktop.org/patch/msgid/20230912212247.1828681-1-umesh.nerlige.ramappa@intel.com +(cherry picked from commit 4485bd519f5d6d620a29d0547ff3c982bdeeb468) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 1 - + drivers/gpu/drm/i915/gt/intel_execlists_submission.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index b458547e1fc6e..07967adce16aa 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -541,7 +541,6 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id, + DRIVER_CAPS(i915)->has_logical_contexts = true; + + ewma__engine_latency_init(&engine->latency); +- seqcount_init(&engine->stats.execlists.lock); + + ATOMIC_INIT_NOTIFIER_HEAD(&engine->context_status_notifier); + +diff --git a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c +index fc4a846289855..f903ee1ce06e7 100644 +--- a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c ++++ b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c +@@ -3546,6 +3546,8 @@ int intel_execlists_submission_setup(struct intel_engine_cs *engine) + logical_ring_default_vfuncs(engine); + logical_ring_default_irqs(engine); + ++ seqcount_init(&engine->stats.execlists.lock); ++ + if (engine->flags & I915_ENGINE_HAS_RCS_REG_STATE) + rcs_submission_override(engine); + +-- +2.40.1 + diff --git a/queue-6.1/iavf-add-iavf_schedule_aq_request-helper.patch b/queue-6.1/iavf-add-iavf_schedule_aq_request-helper.patch new file mode 100644 index 00000000000..32357a4e2e8 --- /dev/null +++ b/queue-6.1/iavf-add-iavf_schedule_aq_request-helper.patch @@ -0,0 +1,82 @@ +From 3de5cbde64461a73acb570fcb03ddb632dff8174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 17:02:50 +0200 +Subject: iavf: add iavf_schedule_aq_request() helper + +From: Petr Oros + +[ Upstream commit ed4cad33df9e272feaa6698b33359b29c2929564 ] + +Add helper for set iavf aq request AVF_FLAG_AQ_* and immediately +schedule watchdog_task. Helper will be used in cases where it is +necessary to run aq requests asap + +Signed-off-by: Petr Oros +Co-developed-by: Michal Schmidt +Signed-off-by: Michal Schmidt +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Stable-dep-of: 5f3d319a2486 ("iavf: schedule a request immediately after add/delete vlan") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + drivers/net/ethernet/intel/iavf/iavf_main.c | 10 ++++------ + 3 files changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 543931c06bb17..06cfd567866c2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -521,7 +521,7 @@ void iavf_down(struct iavf_adapter *adapter); + int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); + void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); +-void iavf_schedule_request_stats(struct iavf_adapter *adapter); ++void iavf_schedule_aq_request(struct iavf_adapter *adapter, u64 flags); + void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index fe912b1c468ef..c13b4fa659ee9 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -362,7 +362,7 @@ static void iavf_get_ethtool_stats(struct net_device *netdev, + unsigned int i; + + /* Explicitly request stats refresh */ +- iavf_schedule_request_stats(adapter); ++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_REQUEST_STATS); + + iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index a02e8d6a4d1d6..ee04670b77b33 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -322,15 +322,13 @@ void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) + } + + /** +- * iavf_schedule_request_stats - Set the flags and schedule statistics request ++ * iavf_schedule_aq_request - Set the flags and schedule aq request + * @adapter: board private structure +- * +- * Sets IAVF_FLAG_AQ_REQUEST_STATS flag so iavf_watchdog_task() will explicitly +- * request and refresh ethtool stats ++ * @flags: requested aq flags + **/ +-void iavf_schedule_request_stats(struct iavf_adapter *adapter) ++void iavf_schedule_aq_request(struct iavf_adapter *adapter, u64 flags) + { +- adapter->aq_required |= IAVF_FLAG_AQ_REQUEST_STATS; ++ adapter->aq_required |= flags; + mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + +-- +2.40.1 + diff --git a/queue-6.1/iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch b/queue-6.1/iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch new file mode 100644 index 00000000000..97ba9ae30b7 --- /dev/null +++ b/queue-6.1/iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch @@ -0,0 +1,83 @@ +From 3c866251cb6333cd2ea1eedffea04861ffb988fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 14:59:40 +0200 +Subject: iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set + +From: Radoslaw Tyl + +[ Upstream commit c8de44b577eb540e8bfea55afe1d0904bb571b7a ] + +Prevent schedule operations for adminq during device remove and when +__IAVF_IN_REMOVE_TASK flag is set. Currently, the iavf_down function +adds operations for adminq that shouldn't be processed when the device +is in the __IAVF_REMOVE state. + +Reproduction: + +echo 4 > /sys/bus/pci/devices/0000:17:00.0/sriov_numvfs +ip link set dev ens1f0 vf 0 trust on +ip link set dev ens1f0 vf 1 trust on +ip link set dev ens1f0 vf 2 trust on +ip link set dev ens1f0 vf 3 trust on + +ip link set dev ens1f0 vf 0 mac 00:22:33:44:55:66 +ip link set dev ens1f0 vf 1 mac 00:22:33:44:55:67 +ip link set dev ens1f0 vf 2 mac 00:22:33:44:55:68 +ip link set dev ens1f0 vf 3 mac 00:22:33:44:55:69 + +echo 0000:17:02.0 > /sys/bus/pci/devices/0000\:17\:02.0/driver/unbind +echo 0000:17:02.1 > /sys/bus/pci/devices/0000\:17\:02.1/driver/unbind +echo 0000:17:02.2 > /sys/bus/pci/devices/0000\:17\:02.2/driver/unbind +echo 0000:17:02.3 > /sys/bus/pci/devices/0000\:17\:02.3/driver/unbind +sleep 10 +echo 0000:17:02.0 > /sys/bus/pci/drivers/iavf/bind +echo 0000:17:02.1 > /sys/bus/pci/drivers/iavf/bind +echo 0000:17:02.2 > /sys/bus/pci/drivers/iavf/bind +echo 0000:17:02.3 > /sys/bus/pci/drivers/iavf/bind + +modprobe vfio-pci +echo 8086 154c > /sys/bus/pci/drivers/vfio-pci/new_id + +qemu-system-x86_64 -accel kvm -m 4096 -cpu host \ +-drive file=centos9.qcow2,if=none,id=virtio-disk0 \ +-device virtio-blk-pci,drive=virtio-disk0,bootindex=0 -smp 4 \ +-device vfio-pci,host=17:02.0 -net none \ +-device vfio-pci,host=17:02.1 -net none \ +-device vfio-pci,host=17:02.2 -net none \ +-device vfio-pci,host=17:02.3 -net none \ +-daemonize -vnc :5 + +Current result: +There is a probability that the mac of VF in guest is inconsistent with +it in host + +Expected result: +When passthrough NIC VF to guest, the VF in guest should always get +the same mac as it in host. + +Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") +Signed-off-by: Radoslaw Tyl +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 22bc57ee24228..a02e8d6a4d1d6 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1433,7 +1433,8 @@ void iavf_down(struct iavf_adapter *adapter) + iavf_clear_fdir_filters(adapter); + iavf_clear_adv_rss_conf(adapter); + +- if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)) { ++ if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) && ++ !(test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))) { + /* cancel any current operation */ + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + /* Schedule operations to close down the HW. Don't wait +-- +2.40.1 + diff --git a/queue-6.1/iavf-schedule-a-request-immediately-after-add-delete.patch b/queue-6.1/iavf-schedule-a-request-immediately-after-add-delete.patch new file mode 100644 index 00000000000..d0f66b1da53 --- /dev/null +++ b/queue-6.1/iavf-schedule-a-request-immediately-after-add-delete.patch @@ -0,0 +1,62 @@ +From 3aa053b82d38fc1748350c87b56c3e1aff8f9879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 17:02:51 +0200 +Subject: iavf: schedule a request immediately after add/delete vlan + +From: Petr Oros + +[ Upstream commit 5f3d319a248654a805bafc9e7094bcea47dac6c7 ] + +When the iavf driver wants to reconfigure the VLAN filters +(iavf_add_vlan, iavf_del_vlan), it sets a flag in +aq_required: + adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; +or: + adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER; + +This is later processed by the watchdog_task, but it runs periodically +every 2 seconds, so it can be a long time before it processes the request. + +In the worst case, the interface is unable to receive traffic for more +than 2 seconds for no objective reason. + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Petr Oros +Co-developed-by: Michal Schmidt +Signed-off-by: Michal Schmidt +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Reviewed-by: Ahmed Zaki +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index ee04670b77b33..a39f7f0d6ab0b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -829,7 +829,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter, + list_add_tail(&f->list, &adapter->vlan_filter_list); + f->state = IAVF_VLAN_ADD; + adapter->num_vlan_filters++; +- adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER; ++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER); + } + + clearout: +@@ -851,7 +851,7 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan) + f = iavf_find_vlan(adapter, vlan); + if (f) { + f->state = IAVF_VLAN_REMOVE; +- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER; ++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_DEL_VLAN_FILTER); + } + + spin_unlock_bh(&adapter->mac_vlan_list_lock); +-- +2.40.1 + diff --git a/queue-6.1/igc-expose-tx-usecs-coalesce-setting-to-user.patch b/queue-6.1/igc-expose-tx-usecs-coalesce-setting-to-user.patch new file mode 100644 index 00000000000..0ab64382131 --- /dev/null +++ b/queue-6.1/igc-expose-tx-usecs-coalesce-setting-to-user.patch @@ -0,0 +1,130 @@ +From d8f2a3c9d43860d84e7139db65ce1afa763e21ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 10:03:31 -0700 +Subject: igc: Expose tx-usecs coalesce setting to user + +From: Muhammad Husaini Zulkifli + +[ Upstream commit 1703b2e0de653b459ca6230be32ce7f2ea0ae7ee ] + +When users attempt to obtain the coalesce setting using the +ethtool command, current code always returns 0 for tx-usecs. +This is because I225/6 always uses a queue pair setting, hence +tx_coalesce_usecs does not return a value during the +igc_ethtool_get_coalesce() callback process. The pair queue +condition checking in igc_ethtool_get_coalesce() is removed by +this patch so that the user gets information of the value of tx-usecs. + +Even if i225/6 is using queue pair setting, there is no harm in +notifying the user of the tx-usecs. The implementation of the current +code may have previously been a copy of the legacy code i210. +Since I225 has the queue pair setting enabled, tx-usecs will always adhere +to the user-set rx-usecs value. An error message will appear when the user +attempts to set the tx-usecs value for the input parameters because, +by default, they should only set the rx-usecs value. + +This patch also adds the helper function to get the +previous rx coalesce value similar to tx coalesce. + +How to test: +User can get the coalesce value using ethtool command. + +Example command: +Get: ethtool -c + +Previous output: + +rx-usecs: 3 +rx-frames: n/a +rx-usecs-irq: n/a +rx-frames-irq: n/a + +tx-usecs: 0 +tx-frames: n/a +tx-usecs-irq: n/a +tx-frames-irq: n/a + +New output: + +rx-usecs: 3 +rx-frames: n/a +rx-usecs-irq: n/a +rx-frames-irq: n/a + +tx-usecs: 3 +tx-frames: n/a +tx-usecs-irq: n/a +tx-frames-irq: n/a + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Signed-off-by: Muhammad Husaini Zulkifli +Tested-by: Naama Meir +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230919170331.1581031-1-anthony.l.nguyen@intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 31 ++++++++++++-------- + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index 511fc3f412087..9166fde40c772 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -867,6 +867,18 @@ static void igc_ethtool_get_stats(struct net_device *netdev, + spin_unlock(&adapter->stats64_lock); + } + ++static int igc_ethtool_get_previous_rx_coalesce(struct igc_adapter *adapter) ++{ ++ return (adapter->rx_itr_setting <= 3) ? ++ adapter->rx_itr_setting : adapter->rx_itr_setting >> 2; ++} ++ ++static int igc_ethtool_get_previous_tx_coalesce(struct igc_adapter *adapter) ++{ ++ return (adapter->tx_itr_setting <= 3) ? ++ adapter->tx_itr_setting : adapter->tx_itr_setting >> 2; ++} ++ + static int igc_ethtool_get_coalesce(struct net_device *netdev, + struct ethtool_coalesce *ec, + struct kernel_ethtool_coalesce *kernel_coal, +@@ -874,17 +886,8 @@ static int igc_ethtool_get_coalesce(struct net_device *netdev, + { + struct igc_adapter *adapter = netdev_priv(netdev); + +- if (adapter->rx_itr_setting <= 3) +- ec->rx_coalesce_usecs = adapter->rx_itr_setting; +- else +- ec->rx_coalesce_usecs = adapter->rx_itr_setting >> 2; +- +- if (!(adapter->flags & IGC_FLAG_QUEUE_PAIRS)) { +- if (adapter->tx_itr_setting <= 3) +- ec->tx_coalesce_usecs = adapter->tx_itr_setting; +- else +- ec->tx_coalesce_usecs = adapter->tx_itr_setting >> 2; +- } ++ ec->rx_coalesce_usecs = igc_ethtool_get_previous_rx_coalesce(adapter); ++ ec->tx_coalesce_usecs = igc_ethtool_get_previous_tx_coalesce(adapter); + + return 0; + } +@@ -909,8 +912,12 @@ static int igc_ethtool_set_coalesce(struct net_device *netdev, + ec->tx_coalesce_usecs == 2) + return -EINVAL; + +- if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) && ec->tx_coalesce_usecs) ++ if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) && ++ ec->tx_coalesce_usecs != igc_ethtool_get_previous_tx_coalesce(adapter)) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Queue Pair mode enabled, both Rx and Tx coalescing controlled by rx-usecs"); + return -EINVAL; ++ } + + /* If ITR is disabled, disable DMAC */ + if (ec->rx_coalesce_usecs == 0) { +-- +2.40.1 + diff --git a/queue-6.1/igc-fix-infinite-initialization-loop-with-early-xdp-.patch b/queue-6.1/igc-fix-infinite-initialization-loop-with-early-xdp-.patch new file mode 100644 index 00000000000..23267ba2f38 --- /dev/null +++ b/queue-6.1/igc-fix-infinite-initialization-loop-with-early-xdp-.patch @@ -0,0 +1,55 @@ +From b29c26a819b5c9f7a368eb70eeaa0d25c565a588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 11:06:15 -0700 +Subject: igc: Fix infinite initialization loop with early XDP redirect + +From: Vinicius Costa Gomes + +[ Upstream commit cb47b1f679c4d83a5fa5f1852e472f844e41a3da ] + +When an XDP redirect happens before the link is ready, that +transmission will not finish and will timeout, causing an adapter +reset. If the redirects do not stop, the adapter will not stop +resetting. + +Wait for the driver to signal that there's a carrier before allowing +transmissions to proceed. + +Previous code was relying that when __IGC_DOWN is cleared, the NIC is +ready to transmit as all the queues are ready, what happens is that +the carrier presence will only be signaled later, after the watchdog +workqueue has a chance to run. And during this interval (between +clearing __IGC_DOWN and the watchdog running) if any transmission +happens the timeout is emitted (detected by igc_tx_timeout()) which +causes the reset, with the potential for the infinite loop. + +Fixes: 4ff320361092 ("igc: Add support for XDP_REDIRECT action") +Reported-by: Ferenc Fejes +Closes: https://lore.kernel.org/netdev/0caf33cf6adb3a5bf137eeaa20e89b167c9986d5.camel@ericsson.com/ +Signed-off-by: Vinicius Costa Gomes +Tested-by: Ferenc Fejes +Reviewed-by: Maciej Fijalkowski +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 2f3947cf513bd..1ac836a55cd31 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -6322,7 +6322,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames, + struct igc_ring *ring; + int i, drops; + +- if (unlikely(test_bit(__IGC_DOWN, &adapter->state))) ++ if (unlikely(!netif_carrier_ok(dev))) + return -ENETDOWN; + + if (unlikely(flags & ~XDP_XMIT_FLAGS_MASK)) +-- +2.40.1 + diff --git a/queue-6.1/ionic-fix-16bit-math-issue-when-page_size-64kb.patch b/queue-6.1/ionic-fix-16bit-math-issue-when-page_size-64kb.patch new file mode 100644 index 00000000000..604f6553900 --- /dev/null +++ b/queue-6.1/ionic-fix-16bit-math-issue-when-page_size-64kb.patch @@ -0,0 +1,83 @@ +From 8ea2572fe318811bad5bc6f1a59c49541ca89d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 18:02:52 -0400 +Subject: ionic: fix 16bit math issue when PAGE_SIZE >= 64KB + +From: David Christensen + +[ Upstream commit 8f6b846b0a86c3cbae8a25b772651cfc2270ad0a ] + +The ionic device supports a maximum buffer length of 16 bits (see +ionic_rxq_desc or ionic_rxq_sg_elem). When adding new buffers to +the receive rings, the function ionic_rx_fill() uses 16bit math when +calculating the number of pages to allocate for an RX descriptor, +given the interface's MTU setting. If the system PAGE_SIZE >= 64KB, +and the buf_info->page_offset is 0, the remain_len value will never +decrement from the original MTU value and the frag_len value will +always be 0, causing additional pages to be allocated as scatter- +gather elements unnecessarily. + +A similar math issue exists in ionic_rx_frags(), but no failures +have been observed here since a 64KB page should not normally +require any scatter-gather elements at any legal Ethernet MTU size. + +Fixes: 4b0a7539a372 ("ionic: implement Rx page reuse") +Signed-off-by: David Christensen +Reviewed-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 + + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 10 +++++++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +index ad8a2a4453b76..93a4258421667 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +@@ -180,6 +180,7 @@ typedef void (*ionic_desc_cb)(struct ionic_queue *q, + struct ionic_desc_info *desc_info, + struct ionic_cq_info *cq_info, void *cb_arg); + ++#define IONIC_MAX_BUF_LEN ((u16)-1) + #define IONIC_PAGE_SIZE PAGE_SIZE + #define IONIC_PAGE_SPLIT_SZ (PAGE_SIZE / 2) + #define IONIC_PAGE_GFP_MASK (GFP_ATOMIC | __GFP_NOWARN |\ +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index f8f5eb1307681..4684b9f194a68 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -207,7 +207,8 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q, + return NULL; + } + +- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset); ++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN, ++ IONIC_PAGE_SIZE - buf_info->page_offset)); + len -= frag_len; + + dma_sync_single_for_cpu(dev, +@@ -444,7 +445,8 @@ void ionic_rx_fill(struct ionic_queue *q) + + /* fill main descriptor - buf[0] */ + desc->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset); +- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset); ++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN, ++ IONIC_PAGE_SIZE - buf_info->page_offset)); + desc->len = cpu_to_le16(frag_len); + remain_len -= frag_len; + buf_info++; +@@ -463,7 +465,9 @@ void ionic_rx_fill(struct ionic_queue *q) + } + + sg_elem->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset); +- frag_len = min_t(u16, remain_len, IONIC_PAGE_SIZE - buf_info->page_offset); ++ frag_len = min_t(u16, remain_len, min_t(u32, IONIC_MAX_BUF_LEN, ++ IONIC_PAGE_SIZE - ++ buf_info->page_offset)); + sg_elem->len = cpu_to_le16(frag_len); + remain_len -= frag_len; + buf_info++; +-- +2.40.1 + diff --git a/queue-6.1/ipv4-fix-null-deref-in-ipv4_link_failure.patch b/queue-6.1/ipv4-fix-null-deref-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..81d6bbddcdd --- /dev/null +++ b/queue-6.1/ipv4-fix-null-deref-in-ipv4_link_failure.patch @@ -0,0 +1,53 @@ +From 580c183e137d6767aa52e891473ab9084e0678dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 22:12:57 -0700 +Subject: ipv4: fix null-deref in ipv4_link_failure + +From: Kyle Zeng + +[ Upstream commit 0113d9c9d1ccc07f5a3710dac4aa24b6d711278c ] + +Currently, we assume the skb is associated with a device before calling +__ip_options_compile, which is not always the case if it is re-routed by +ipvs. +When skb->dev is NULL, dev_net(skb->dev) will become null-dereference. +This patch adds a check for the edge case and switch to use the net_device +from the rtable when skb->dev is NULL. + +Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") +Suggested-by: David Ahern +Signed-off-by: Kyle Zeng +Cc: Stephen Suryaputra +Cc: Vadim Fedorenko +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index a04ffc128e22b..84a0a71a6f4e7 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1213,6 +1213,7 @@ EXPORT_INDIRECT_CALLABLE(ipv4_dst_check); + + static void ipv4_send_dest_unreach(struct sk_buff *skb) + { ++ struct net_device *dev; + struct ip_options opt; + int res; + +@@ -1230,7 +1231,8 @@ static void ipv4_send_dest_unreach(struct sk_buff *skb) + opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); + + rcu_read_lock(); +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ dev = skb->dev ? skb->dev : skb_rtable(skb)->dst.dev; ++ res = __ip_options_compile(dev_net(dev), &opt, skb, NULL); + rcu_read_unlock(); + + if (res) +-- +2.40.1 + diff --git a/queue-6.1/locking-seqlock-do-the-lockdep-annotation-before-loc.patch b/queue-6.1/locking-seqlock-do-the-lockdep-annotation-before-loc.patch new file mode 100644 index 00000000000..f880740d040 --- /dev/null +++ b/queue-6.1/locking-seqlock-do-the-lockdep-annotation-before-loc.patch @@ -0,0 +1,59 @@ +From 903286a67bee0861e2722bd1ab8bea07ca022b2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 12:46:27 +0200 +Subject: locking/seqlock: Do the lockdep annotation before locking in + do_write_seqcount_begin_nested() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 41b43b6c6e30a832c790b010a06772e793bca193 ] + +It was brought up by Tetsuo that the following sequence: + + write_seqlock_irqsave() + printk_deferred_enter() + +could lead to a deadlock if the lockdep annotation within +write_seqlock_irqsave() triggers. + +The problem is that the sequence counter is incremented before the lockdep +annotation is performed. The lockdep splat would then attempt to invoke +printk() but the reader side, of the same seqcount, could have a +tty_port::lock acquired waiting for the sequence number to become even again. + +The other lockdep annotations come before the actual locking because "we +want to see the locking error before it happens". There is no reason why +seqcount should be different here. + +Do the lockdep annotation first then perform the locking operation (the +sequence increment). + +Fixes: 1ca7d67cf5d5a ("seqcount: Add lockdep functionality to seqcount/seqlock structures") +Reported-by: Tetsuo Handa +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20230920104627._DTHgPyA@linutronix.de + +Closes: https://lore.kernel.org/20230621130641.-5iueY1I@linutronix.de +Signed-off-by: Sasha Levin +--- + include/linux/seqlock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index 3926e90279477..d778af83c8f36 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -512,8 +512,8 @@ do { \ + + static inline void do_write_seqcount_begin_nested(seqcount_t *s, int subclass) + { +- do_raw_write_seqcount_begin(s); + seqcount_acquire(&s->dep_map, subclass, 0, _RET_IP_); ++ do_raw_write_seqcount_begin(s); + } + + /** +-- +2.40.1 + diff --git a/queue-6.1/net-bridge-use-dev_stats_inc.patch b/queue-6.1/net-bridge-use-dev_stats_inc.patch new file mode 100644 index 00000000000..3b4dc10b205 --- /dev/null +++ b/queue-6.1/net-bridge-use-dev_stats_inc.patch @@ -0,0 +1,139 @@ +From 6eb155e875281f19242eb0517dbdedc02112b71d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 09:13:51 +0000 +Subject: net: bridge: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 44bdb313da57322c9b3c108eb66981c6ec6509f4 ] + +syzbot/KCSAN reported data-races in br_handle_frame_finish() [1] +This function can run from multiple cpus without mutual exclusion. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +Handles updates to dev->stats.tx_dropped while we are at it. + +[1] +BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish + +read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1: +br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 +br_nf_hook_thresh+0x1ed/0x220 +br_nf_pre_routing_finish_ipv6+0x50f/0x540 +NF_HOOK include/linux/netfilter.h:304 [inline] +br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 +br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 +nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] +nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] +br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 +__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 +__netif_receive_skb_one_core net/core/dev.c:5521 [inline] +__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 +process_backlog+0x21f/0x380 net/core/dev.c:5965 +__napi_poll+0x60/0x3b0 net/core/dev.c:6527 +napi_poll net/core/dev.c:6594 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6727 +__do_softirq+0xc1/0x265 kernel/softirq.c:553 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:388 +ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0: +br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 +br_nf_hook_thresh+0x1ed/0x220 +br_nf_pre_routing_finish_ipv6+0x50f/0x540 +NF_HOOK include/linux/netfilter.h:304 [inline] +br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 +br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 +nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] +nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] +br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 +__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 +__netif_receive_skb_one_core net/core/dev.c:5521 [inline] +__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 +process_backlog+0x21f/0x380 net/core/dev.c:5965 +__napi_poll+0x60/0x3b0 net/core/dev.c:6527 +napi_poll net/core/dev.c:6594 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6727 +__do_softirq+0xc1/0x265 kernel/softirq.c:553 +do_softirq+0x5e/0x90 kernel/softirq.c:454 +__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 +__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] +_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210 +spin_unlock_bh include/linux/spinlock.h:396 [inline] +batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356 +batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560 +process_one_work kernel/workqueue.c:2630 [inline] +process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703 +worker_thread+0x525/0x730 kernel/workqueue.c:2784 +kthread+0x1d7/0x210 kernel/kthread.c:388 +ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +value changed: 0x00000000000d7190 -> 0x00000000000d7191 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0 + +Fixes: 1c29fc4989bc ("[BRIDGE]: keep track of received multicast packets") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Cc: Nikolay Aleksandrov +Cc: bridge@lists.linux-foundation.org +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_forward.c | 4 ++-- + net/bridge/br_input.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index bd54f17e3c3d8..4e3394a7d7d45 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -124,7 +124,7 @@ static int deliver_clone(const struct net_bridge_port *prev, + + skb = skb_clone(skb, GFP_ATOMIC); + if (!skb) { +- dev->stats.tx_dropped++; ++ DEV_STATS_INC(dev, tx_dropped); + return -ENOMEM; + } + +@@ -263,7 +263,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb, + + skb = skb_copy(skb, GFP_ATOMIC); + if (!skb) { +- dev->stats.tx_dropped++; ++ DEV_STATS_INC(dev, tx_dropped); + return; + } + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 68b3e850bcb9d..6bb272894c960 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -164,12 +164,12 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + if ((mdst && mdst->host_joined) || + br_multicast_is_router(brmctx, skb)) { + local_rcv = true; +- br->dev->stats.multicast++; ++ DEV_STATS_INC(br->dev, multicast); + } + mcast_hit = true; + } else { + local_rcv = true; +- br->dev->stats.multicast++; ++ DEV_STATS_INC(br->dev, multicast); + } + break; + case BR_PKT_UNICAST: +-- +2.40.1 + diff --git a/queue-6.1/net-core-fix-eth_p_1588-flow-dissector.patch b/queue-6.1/net-core-fix-eth_p_1588-flow-dissector.patch new file mode 100644 index 00000000000..0eb36aeec93 --- /dev/null +++ b/queue-6.1/net-core-fix-eth_p_1588-flow-dissector.patch @@ -0,0 +1,123 @@ +From 996c403f26e33abc5ac1f70e568030cee2988057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 09:39:05 +0300 +Subject: net/core: Fix ETH_P_1588 flow dissector + +From: Sasha Neftin + +[ Upstream commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3 ] + +When a PTP ethernet raw frame with a size of more than 256 bytes followed +by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation +is wrong. For example: hdr->message_length takes the wrong value (0xffff) +and it does not replicate real header length. In this case, 'nhoff' value +was overridden and the PTP header was badly dissected. This leads to a +kernel crash. + +net/core: flow_dissector +net/core flow dissector nhoff = 0x0000000e +net/core flow dissector hdr->message_length = 0x0000ffff +net/core flow dissector nhoff = 0x0001000d (u16 overflow) +... +skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 +skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Using the size of the ptp_header struct will allow the corrected +calculation of the nhoff value. + +net/core flow dissector nhoff = 0x0000000e +net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header) +... +skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff +skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Kernel trace: +[ 74.984279] ------------[ cut here ]------------ +[ 74.989471] kernel BUG at include/linux/skbuff.h:2440! +[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1 +[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023 +[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130 +[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 +[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 +[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 +[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 +[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 +[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 +[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 +[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 +[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 +[ 75.121980] PKRU: 55555554 +[ 75.125035] Call Trace: +[ 75.127792] +[ 75.130063] ? eth_get_headlen+0xa4/0xc0 +[ 75.134472] igc_process_skb_fields+0xcd/0x150 +[ 75.139461] igc_poll+0xc80/0x17b0 +[ 75.143272] __napi_poll+0x27/0x170 +[ 75.147192] net_rx_action+0x234/0x280 +[ 75.151409] __do_softirq+0xef/0x2f4 +[ 75.155424] irq_exit_rcu+0xc7/0x110 +[ 75.159432] common_interrupt+0xb8/0xd0 +[ 75.163748] +[ 75.166112] +[ 75.168473] asm_common_interrupt+0x22/0x40 +[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350 +[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1 +[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202 +[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f +[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20 +[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001 +[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980 +[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000 +[ 75.245635] ? cpuidle_enter_state+0xc7/0x350 +[ 75.250518] cpuidle_enter+0x29/0x40 +[ 75.254539] do_idle+0x1d9/0x260 +[ 75.258166] cpu_startup_entry+0x19/0x20 +[ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb +[ 75.268259] +[ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs +[ 75.342736] ---[ end trace 3785f9f360400e3a ]--- +[ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130 +[ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 +[ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 +[ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 +[ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 +[ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 +[ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 +[ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 +[ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 +[ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 +[ 75.443410] PKRU: 55555554 +[ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt +[ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +[ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fixes: 4f1cc51f3488 ("net: flow_dissector: Parse PTP L2 packet header") +Signed-off-by: Sasha Neftin +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 3288490590f27..0c85c8a9e752f 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -1366,7 +1366,7 @@ bool __skb_flow_dissect(const struct net *net, + break; + } + +- nhoff += ntohs(hdr->message_length); ++ nhoff += sizeof(struct ptp_header); + fdret = FLOW_DISSECT_RET_OUT_GOOD; + break; + } +-- +2.40.1 + diff --git a/queue-6.1/net-ena-flush-xdp-packets-on-error.patch b/queue-6.1/net-ena-flush-xdp-packets-on-error.patch new file mode 100644 index 00000000000..514d6137c00 --- /dev/null +++ b/queue-6.1/net-ena-flush-xdp-packets-on-error.patch @@ -0,0 +1,48 @@ +From 861379702c677287bc96ec069a6229106a441b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 17:36:09 +0200 +Subject: net: ena: Flush XDP packets on error. + +From: Sebastian Andrzej Siewior + +[ Upstream commit 6f411fb5ca9419090bee6a0a46425e0a5060b734 ] + +xdp_do_flush() should be invoked before leaving the NAPI poll function +after a XDP-redirect. This is not the case if the driver leaves via +the error path (after having a redirect in one of its previous +iterations). + +Invoke xdp_do_flush() also in the error path. + +Cc: Arthur Kiyanovski +Cc: David Arinzon +Cc: Noam Dagan +Cc: Saeed Bishara +Cc: Shay Agroskin +Fixes: a318c70ad152b ("net: ena: introduce XDP redirect implementation") +Acked-by: Arthur Kiyanovski +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 5ce01ac72637e..42a66b74c1e5b 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1778,6 +1778,9 @@ static int ena_clean_rx_irq(struct ena_ring *rx_ring, struct napi_struct *napi, + return work_done; + + error: ++ if (xdp_flags & ENA_XDP_REDIRECT) ++ xdp_do_flush(); ++ + adapter = netdev_priv(rx_ring->netdev); + + if (rc == -ENOSPC) { +-- +2.40.1 + diff --git a/queue-6.1/net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch b/queue-6.1/net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch new file mode 100644 index 00000000000..3a8c23ce032 --- /dev/null +++ b/queue-6.1/net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch @@ -0,0 +1,48 @@ +From 92a66a09d660a118b1bf27a4107cd75762a8630e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:48:40 +0800 +Subject: net: hns3: add 5ms delay before clear firmware reset irq source + +From: Jie Wang + +[ Upstream commit 0770063096d5da4a8e467b6e73c1646a75589628 ] + +Currently the reset process in hns3 and firmware watchdog init process is +asynchronous. we think firmware watchdog initialization is completed +before hns3 clear the firmware interrupt source. However, firmware +initialization may not complete early. + +so we add delay before hns3 clear firmware interrupt source and 5 ms delay +is enough to avoid second firmware reset interrupt. + +Fixes: c1a81619d73a ("net: hns3: Add mailbox interrupt handling to PF driver") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index e44c5076262ba..3e1d202d60ce1 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -3662,9 +3662,14 @@ static u32 hclge_check_event_cause(struct hclge_dev *hdev, u32 *clearval) + static void hclge_clear_event_cause(struct hclge_dev *hdev, u32 event_type, + u32 regclr) + { ++#define HCLGE_IMP_RESET_DELAY 5 ++ + switch (event_type) { + case HCLGE_VECTOR0_EVENT_PTP: + case HCLGE_VECTOR0_EVENT_RST: ++ if (regclr == BIT(HCLGE_VECTOR0_IMPRESET_INT_B)) ++ mdelay(HCLGE_IMP_RESET_DELAY); ++ + hclge_write_dev(&hdev->hw, HCLGE_MISC_RESET_STS_REG, regclr); + break; + case HCLGE_VECTOR0_EVENT_MBX: +-- +2.40.1 + diff --git a/queue-6.1/net-hns3-add-cmdq-check-for-vf-periodic-service-task.patch b/queue-6.1/net-hns3-add-cmdq-check-for-vf-periodic-service-task.patch new file mode 100644 index 00000000000..4571b39ac0a --- /dev/null +++ b/queue-6.1/net-hns3-add-cmdq-check-for-vf-periodic-service-task.patch @@ -0,0 +1,38 @@ +From 5bc7244e64553dfc0e152717ae14497b4f3d83ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:48:36 +0800 +Subject: net: hns3: add cmdq check for vf periodic service task + +From: Jie Wang + +[ Upstream commit bd3caddf299a640efb66c6022efed7fe744db626 ] + +When the vf cmdq is disabled, there is no need to keep these task running. +So this patch skip these task when the cmdq is disabled. + +Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index b1b14850e958f..72cf5145e15a2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1909,7 +1909,8 @@ static void hclgevf_periodic_service_task(struct hclgevf_dev *hdev) + unsigned long delta = round_jiffies_relative(HZ); + struct hnae3_handle *handle = &hdev->nic; + +- if (test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state)) ++ if (test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state) || ++ test_bit(HCLGE_COMM_STATE_CMD_DISABLE, &hdev->hw.hw.comm_state)) + return; + + if (time_is_after_jiffies(hdev->last_serv_processed + HZ)) { +-- +2.40.1 + diff --git a/queue-6.1/net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch b/queue-6.1/net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch new file mode 100644 index 00000000000..bd3f5daf0c7 --- /dev/null +++ b/queue-6.1/net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch @@ -0,0 +1,43 @@ +From 9fba7b18c0f78ee64a3512a52a570691661530ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:48:39 +0800 +Subject: net: hns3: fix fail to delete tc flower rules during reset issue + +From: Jijie Shao + +[ Upstream commit 1a7be66e4685b8541546222c305cce9710718a88 ] + +Firmware does not respond driver commands during reset +Therefore, rule will fail to delete while the firmware is resetting + +So, if failed to delete rule, set rule state to TO_DEL, +and the rule will be deleted when periodic task being scheduled. + +Fixes: 0205ec041ec6 ("net: hns3: add support for hw tc offload of tc flower") +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index a8019eac2b33e..e44c5076262ba 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -7454,6 +7454,12 @@ static int hclge_del_cls_flower(struct hnae3_handle *handle, + ret = hclge_fd_tcam_config(hdev, HCLGE_FD_STAGE_1, true, rule->location, + NULL, false); + if (ret) { ++ /* if tcam config fail, set rule state to TO_DEL, ++ * so the rule will be deleted when periodic ++ * task being scheduled. ++ */ ++ hclge_update_fd_list(hdev, HCLGE_FD_TO_DEL, rule->location, NULL); ++ set_bit(HCLGE_STATE_FD_TBL_CHANGED, &hdev->state); + spin_unlock_bh(&hdev->fd_rule_lock); + return ret; + } +-- +2.40.1 + diff --git a/queue-6.1/net-hns3-fix-gre-checksum-offload-issue.patch b/queue-6.1/net-hns3-fix-gre-checksum-offload-issue.patch new file mode 100644 index 00000000000..ba44fcafa94 --- /dev/null +++ b/queue-6.1/net-hns3-fix-gre-checksum-offload-issue.patch @@ -0,0 +1,46 @@ +From e6a81b15a3a20f29eda43b77fdda96f486934b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:48:37 +0800 +Subject: net: hns3: fix GRE checksum offload issue + +From: Jie Wang + +[ Upstream commit f9f651261130cdcb7adc9a3e365b356bc2749ab3 ] + +The device_version V3 hardware can't offload the checksum for IP in GRE +packets, but can do it for NvGRE. So default to disable the checksum and +GSO offload for GRE, but keep the ability to enable it when only using +NvGRE. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 8aae179554a81..04c9baca1b0f8 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -3352,6 +3352,15 @@ static void hns3_set_default_feature(struct net_device *netdev) + NETIF_F_HW_TC); + + netdev->hw_enc_features |= netdev->vlan_features | NETIF_F_TSO_MANGLEID; ++ ++ /* The device_version V3 hardware can't offload the checksum for IP in ++ * GRE packets, but can do it for NvGRE. So default to disable the ++ * checksum and GSO offload for GRE. ++ */ ++ if (ae_dev->dev_version > HNAE3_DEVICE_VERSION_V2) { ++ netdev->features &= ~NETIF_F_GSO_GRE; ++ netdev->features &= ~NETIF_F_GSO_GRE_CSUM; ++ } + } + + static int hns3_alloc_buffer(struct hns3_enet_ring *ring, +-- +2.40.1 + diff --git a/queue-6.1/net-hns3-only-enable-unicast-promisc-when-mac-table-.patch b/queue-6.1/net-hns3-only-enable-unicast-promisc-when-mac-table-.patch new file mode 100644 index 00000000000..440547355da --- /dev/null +++ b/queue-6.1/net-hns3-only-enable-unicast-promisc-when-mac-table-.patch @@ -0,0 +1,39 @@ +From 4df20bc8429da824cebb3404b40f72f455ae620c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:48:38 +0800 +Subject: net: hns3: only enable unicast promisc when mac table full + +From: Jian Shen + +[ Upstream commit f2ed304922a55690529bcca59678dd92d7466ce8 ] + +Currently, the driver will enable unicast promisc for the function +once configure mac address fail. It's unreasonable when the failure +is caused by using same mac address with other functions. So only +enable unicast promisc when mac table full. + +Fixes: c631c696823c ("net: hns3: refactor the promisc mode setting") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 884e45fb6b72e..a8019eac2b33e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -8930,7 +8930,7 @@ static void hclge_update_overflow_flags(struct hclge_vport *vport, + if (mac_type == HCLGE_MAC_ADDR_UC) { + if (is_all_added) + vport->overflow_promisc_flags &= ~HNAE3_OVERFLOW_UPE; +- else ++ else if (hclge_is_umv_space_full(vport, true)) + vport->overflow_promisc_flags |= HNAE3_OVERFLOW_UPE; + } else { + if (is_all_added) +-- +2.40.1 + diff --git a/queue-6.1/net-hsr-properly-parse-hsrv1-supervisor-frames.patch b/queue-6.1/net-hsr-properly-parse-hsrv1-supervisor-frames.patch new file mode 100644 index 00000000000..b1f38767f5a --- /dev/null +++ b/queue-6.1/net-hsr-properly-parse-hsrv1-supervisor-frames.patch @@ -0,0 +1,58 @@ +From 5727e444a85b2c442d169c5fd0dc2e5fca578f39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 20:10:02 +0200 +Subject: net: hsr: Properly parse HSRv1 supervisor frames. + +From: Lukasz Majewski + +[ Upstream commit 295de650d3aaf9e50258465c5f1c84b465d836f6 ] + +While adding support for parsing the redbox supervision frames, the +author added `pull_size' and `total_pull_size' to track the amount of +bytes that were pulled from the skb during while parsing the skb so it +can be reverted/ pushed back at the end. +In the process probably copy&paste error occurred and for the HSRv1 case +the ethhdr was used instead of the hsr_tag. Later the hsr_tag was used +instead of hsr_sup_tag. The later error didn't matter because both +structs have the size so HSRv0 was still working. It broke however HSRv1 +parsing because struct ethhdr is larger than struct hsr_tag. + +Reinstate the old pulling flow and pull first ethhdr, hsr_tag in v1 case +followed by hsr_sup_tag. + +[bigeasy: commit message] + +Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")' +Suggested-by: Tristram.Ha@microchip.com +Signed-off-by: Lukasz Majewski +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index a16f0445023aa..0b01998780952 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -295,13 +295,13 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame) + + /* And leave the HSR tag. */ + if (ethhdr->h_proto == htons(ETH_P_HSR)) { +- pull_size = sizeof(struct ethhdr); ++ pull_size = sizeof(struct hsr_tag); + skb_pull(skb, pull_size); + total_pull_size += pull_size; + } + + /* And leave the HSR sup tag. */ +- pull_size = sizeof(struct hsr_tag); ++ pull_size = sizeof(struct hsr_sup_tag); + skb_pull(skb, pull_size); + total_pull_size += pull_size; + +-- +2.40.1 + diff --git a/queue-6.1/net-rds-fix-possible-null-pointer-dereference.patch b/queue-6.1/net-rds-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..21d61332fdf --- /dev/null +++ b/queue-6.1/net-rds-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,48 @@ +From 3f24ea750b5a2f43fffae415875cce17a64aac01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 16:56:23 +0300 +Subject: net: rds: Fix possible NULL-pointer dereference + +From: Artem Chernyshev + +[ Upstream commit f1d95df0f31048f1c59092648997686e3f7d9478 ] + +In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists +before dereferencing it as rdma_set_service_type() argument + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: fd261ce6a30e ("rds: rdma: update rdma transport for tos") +Signed-off-by: Artem Chernyshev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/rdma_transport.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c +index d36f3f6b43510..b15cf316b23a2 100644 +--- a/net/rds/rdma_transport.c ++++ b/net/rds/rdma_transport.c +@@ -86,11 +86,13 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, + break; + + case RDMA_CM_EVENT_ADDR_RESOLVED: +- rdma_set_service_type(cm_id, conn->c_tos); +- rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32); +- /* XXX do we need to clean up if this fails? */ +- ret = rdma_resolve_route(cm_id, +- RDS_RDMA_RESOLVE_TIMEOUT_MS); ++ if (conn) { ++ rdma_set_service_type(cm_id, conn->c_tos); ++ rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32); ++ /* XXX do we need to clean up if this fails? */ ++ ret = rdma_resolve_route(cm_id, ++ RDS_RDMA_RESOLVE_TIMEOUT_MS); ++ } + break; + + case RDMA_CM_EVENT_ROUTE_RESOLVED: +-- +2.40.1 + diff --git a/queue-6.1/netfilter-bpf-adjust-timeouts-of-non-confirmed-cts-i.patch b/queue-6.1/netfilter-bpf-adjust-timeouts-of-non-confirmed-cts-i.patch new file mode 100644 index 00000000000..a551001bb92 --- /dev/null +++ b/queue-6.1/netfilter-bpf-adjust-timeouts-of-non-confirmed-cts-i.patch @@ -0,0 +1,52 @@ +From faded7ba99e8dec27e8bdd6b141356ca8bac203a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 03:07:43 +0200 +Subject: netfilter, bpf: Adjust timeouts of non-confirmed CTs in + bpf_ct_insert_entry() + +From: Ilya Leoshkevich + +[ Upstream commit 837723b22a63cfbff584655b009b9d488d0e9087 ] + +bpf_nf testcase fails on s390x: bpf_skb_ct_lookup() cannot find the entry +that was added by bpf_ct_insert_entry() within the same BPF function. + +The reason is that this entry is deleted by nf_ct_gc_expired(). + +The CT timeout starts ticking after the CT confirmation; therefore +nf_conn.timeout is initially set to the timeout value, and +__nf_conntrack_confirm() sets it to the deadline value. + +bpf_ct_insert_entry() sets IPS_CONFIRMED_BIT, but does not adjust the +timeout, making its value meaningless and causing false positives. + +Fix the problem by making bpf_ct_insert_entry() adjust the timeout, +like __nf_conntrack_confirm(). + +Fixes: 2cdaa3eefed8 ("netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Cc: Florian Westphal +Link: https://lore.kernel.org/bpf/20230830011128.1415752-3-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c +index 8639e7efd0e22..816283f0aa593 100644 +--- a/net/netfilter/nf_conntrack_bpf.c ++++ b/net/netfilter/nf_conntrack_bpf.c +@@ -384,6 +384,8 @@ struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i) + struct nf_conn *nfct = (struct nf_conn *)nfct_i; + int err; + ++ if (!nf_ct_is_confirmed(nfct)) ++ nfct->timeout += nfct_time_stamp; + nfct->status |= IPS_CONFIRMED; + err = nf_conntrack_hash_check_insert(nfct); + if (err < 0) { +-- +2.40.1 + diff --git a/queue-6.1/netfilter-conntrack-fix-extension-size-table.patch b/queue-6.1/netfilter-conntrack-fix-extension-size-table.patch new file mode 100644 index 00000000000..f26eb924b05 --- /dev/null +++ b/queue-6.1/netfilter-conntrack-fix-extension-size-table.patch @@ -0,0 +1,43 @@ +From f063f17c8a4f6a73d357795b66a5771f2c15bf5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 10:56:07 +0200 +Subject: netfilter: conntrack: fix extension size table + +From: Florian Westphal + +[ Upstream commit 4908d5af16676b9d2901830551c2af911e452524 ] + +The size table is incorrect due to copypaste error, +this reserves more size than needed. + +TSTAMP reserved 32 instead of 16 bytes. +TIMEOUT reserved 16 instead of 8 bytes. + +Fixes: 5f31edc0676b ("netfilter: conntrack: move extension sizes into core") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_extend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c +index 0b513f7bf9f39..dd62cc12e7750 100644 +--- a/net/netfilter/nf_conntrack_extend.c ++++ b/net/netfilter/nf_conntrack_extend.c +@@ -40,10 +40,10 @@ static const u8 nf_ct_ext_type_len[NF_CT_EXT_NUM] = { + [NF_CT_EXT_ECACHE] = sizeof(struct nf_conntrack_ecache), + #endif + #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP +- [NF_CT_EXT_TSTAMP] = sizeof(struct nf_conn_acct), ++ [NF_CT_EXT_TSTAMP] = sizeof(struct nf_conn_tstamp), + #endif + #ifdef CONFIG_NF_CONNTRACK_TIMEOUT +- [NF_CT_EXT_TIMEOUT] = sizeof(struct nf_conn_tstamp), ++ [NF_CT_EXT_TIMEOUT] = sizeof(struct nf_conn_timeout), + #endif + #ifdef CONFIG_NF_CONNTRACK_LABELS + [NF_CT_EXT_LABELS] = sizeof(struct nf_conn_labels), +-- +2.40.1 + diff --git a/queue-6.1/netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch b/queue-6.1/netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch new file mode 100644 index 00000000000..bed1cd132a9 --- /dev/null +++ b/queue-6.1/netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch @@ -0,0 +1,64 @@ +From fb05cf0a062630a15f39117556f18fc62869883f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 20:04:45 +0200 +Subject: netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP + +From: Jozsef Kadlecsik + +[ Upstream commit 7433b6d2afd512d04398c73aa984d1e285be125b ] + +Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP +in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a +wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it. + +The race is caused by using the wrong reference counter, i.e. the ref counter instead +of ref_netlink. + +Fixes: 24e227896bbf ("netfilter: ipset: Add schedule point in call_ad().") +Reported-by: Kyle Zeng +Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r +Tested-by: Kyle Zeng +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 9a6b64779e644..20eede37d5228 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -682,6 +682,14 @@ __ip_set_put(struct ip_set *set) + /* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need + * a separate reference counter + */ ++static void ++__ip_set_get_netlink(struct ip_set *set) ++{ ++ write_lock_bh(&ip_set_ref_lock); ++ set->ref_netlink++; ++ write_unlock_bh(&ip_set_ref_lock); ++} ++ + static void + __ip_set_put_netlink(struct ip_set *set) + { +@@ -1695,11 +1703,11 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb, + + do { + if (retried) { +- __ip_set_get(set); ++ __ip_set_get_netlink(set); + nfnl_unlock(NFNL_SUBSYS_IPSET); + cond_resched(); + nfnl_lock(NFNL_SUBSYS_IPSET); +- __ip_set_put(set); ++ __ip_set_put_netlink(set); + } + + ip_set_lock(set); +-- +2.40.1 + diff --git a/queue-6.1/netfilter-nf_tables-disable-toggling-dormant-table-s.patch b/queue-6.1/netfilter-nf_tables-disable-toggling-dormant-table-s.patch new file mode 100644 index 00000000000..79ba1fecc44 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-disable-toggling-dormant-table-s.patch @@ -0,0 +1,59 @@ +From fff6386e451fcba42d5a0fce3a7fb70b49cf9f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:18:11 +0200 +Subject: netfilter: nf_tables: disable toggling dormant table state more than + once + +From: Florian Westphal + +[ Upstream commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 ] + +nft -f -< +Cc: Bing-Jhong Billy Jheng +Cc: info@starlabs.sg +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 521f8c3cb6987..1d6a37430ff6b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1211,6 +1211,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + flags & NFT_TABLE_F_OWNER)) + return -EOPNOTSUPP; + ++ /* No dormant off/on/off/on games in single transaction */ ++ if (ctx->table->flags & __NFT_TABLE_F_UPDATE) ++ return -EINVAL; ++ + trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, + sizeof(struct nft_trans_table)); + if (trans == NULL) +-- +2.40.1 + diff --git a/queue-6.1/netfilter-nf_tables-disallow-element-removal-on-anon.patch b/queue-6.1/netfilter-nf_tables-disallow-element-removal-on-anon.patch new file mode 100644 index 00000000000..a71f763ca4e --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-disallow-element-removal-on-anon.patch @@ -0,0 +1,58 @@ +From c27a5eaa0299d448926560d23679aed40de05225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Sep 2023 19:04:45 +0200 +Subject: netfilter: nf_tables: disallow element removal on anonymous sets + +From: Pablo Neira Ayuso + +[ Upstream commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216 ] + +Anonymous sets need to be populated once at creation and then they are +bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound +anonymous set before commit phase"), otherwise transaction reports +EINVAL. + +Userspace does not need to delete elements of anonymous sets that are +not yet bound, reject this with EOPNOTSUPP. + +From flush command path, skip anonymous sets, they are expected to be +bound already. Otherwise, EINVAL is hit at the end of this transaction +for unbound sets. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b22f2d9ee4afc..521f8c3cb6987 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1437,8 +1437,7 @@ static int nft_flush_table(struct nft_ctx *ctx) + if (!nft_is_active_next(ctx->net, set)) + continue; + +- if (nft_set_is_anonymous(set) && +- !list_empty(&set->bindings)) ++ if (nft_set_is_anonymous(set)) + continue; + + err = nft_delset(ctx, set); +@@ -6907,8 +6906,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb, + if (IS_ERR(set)) + return PTR_ERR(set); + +- if (!list_empty(&set->bindings) && +- (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) ++ if (nft_set_is_anonymous(set)) ++ return -EOPNOTSUPP; ++ ++ if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT)) + return -EBUSY; + + nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); +-- +2.40.1 + diff --git a/queue-6.1/octeon_ep-fix-tx-dma-unmap-len-values-in-sg.patch b/queue-6.1/octeon_ep-fix-tx-dma-unmap-len-values-in-sg.patch new file mode 100644 index 00000000000..d58a888841c --- /dev/null +++ b/queue-6.1/octeon_ep-fix-tx-dma-unmap-len-values-in-sg.patch @@ -0,0 +1,124 @@ +From 3e571ba42a91488e004b880b6cc72f25c9cd6650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 01:41:56 -0700 +Subject: octeon_ep: fix tx dma unmap len values in SG + +From: Shinas Rasheed + +[ Upstream commit 350db8a59eb392bf42e62b6b2a37d56b5833012b ] + +Lengths of SG pointers are kept in the following order in +the SG entries in hardware. + 63 48|47 32|31 16|15 0 + ----------------------------------------- + | Len 0 | Len 1 | Len 2 | Len 3 | + ----------------------------------------- + | Ptr 0 | + ----------------------------------------- + | Ptr 1 | + ----------------------------------------- + | Ptr 2 | + ----------------------------------------- + | Ptr 3 | + ----------------------------------------- +Dma pointers have to be unmapped based on their +respective lengths given in this format. + +Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support") +Signed-off-by: Shinas Rasheed +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeon_ep/octep_main.c | 8 ++++---- + .../net/ethernet/marvell/octeon_ep/octep_tx.c | 8 ++++---- + .../net/ethernet/marvell/octeon_ep/octep_tx.h | 16 +++++++++++++++- + 3 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index d4ec46d1c8cfb..61354f7985035 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -726,13 +726,13 @@ static netdev_tx_t octep_start_xmit(struct sk_buff *skb, + dma_map_sg_err: + if (si > 0) { + dma_unmap_single(iq->dev, sglist[0].dma_ptr[0], +- sglist[0].len[0], DMA_TO_DEVICE); +- sglist[0].len[0] = 0; ++ sglist[0].len[3], DMA_TO_DEVICE); ++ sglist[0].len[3] = 0; + } + while (si > 1) { + dma_unmap_page(iq->dev, sglist[si >> 2].dma_ptr[si & 3], +- sglist[si >> 2].len[si & 3], DMA_TO_DEVICE); +- sglist[si >> 2].len[si & 3] = 0; ++ sglist[si >> 2].len[3 - (si & 3)], DMA_TO_DEVICE); ++ sglist[si >> 2].len[3 - (si & 3)] = 0; + si--; + } + tx_buffer->gather = 0; +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c +index 5a520d37bea02..d0adb82d65c31 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c +@@ -69,12 +69,12 @@ int octep_iq_process_completions(struct octep_iq *iq, u16 budget) + compl_sg++; + + dma_unmap_single(iq->dev, tx_buffer->sglist[0].dma_ptr[0], +- tx_buffer->sglist[0].len[0], DMA_TO_DEVICE); ++ tx_buffer->sglist[0].len[3], DMA_TO_DEVICE); + + i = 1; /* entry 0 is main skb, unmapped above */ + while (frags--) { + dma_unmap_page(iq->dev, tx_buffer->sglist[i >> 2].dma_ptr[i & 3], +- tx_buffer->sglist[i >> 2].len[i & 3], DMA_TO_DEVICE); ++ tx_buffer->sglist[i >> 2].len[3 - (i & 3)], DMA_TO_DEVICE); + i++; + } + +@@ -131,13 +131,13 @@ static void octep_iq_free_pending(struct octep_iq *iq) + + dma_unmap_single(iq->dev, + tx_buffer->sglist[0].dma_ptr[0], +- tx_buffer->sglist[0].len[0], ++ tx_buffer->sglist[0].len[3], + DMA_TO_DEVICE); + + i = 1; /* entry 0 is main skb, unmapped above */ + while (frags--) { + dma_unmap_page(iq->dev, tx_buffer->sglist[i >> 2].dma_ptr[i & 3], +- tx_buffer->sglist[i >> 2].len[i & 3], DMA_TO_DEVICE); ++ tx_buffer->sglist[i >> 2].len[3 - (i & 3)], DMA_TO_DEVICE); + i++; + } + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h +index 2ef57980eb47b..21e75ff9f5e71 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h +@@ -17,7 +17,21 @@ + #define TX_BUFTYPE_NET_SG 2 + #define NUM_TX_BUFTYPES 3 + +-/* Hardware format for Scatter/Gather list */ ++/* Hardware format for Scatter/Gather list ++ * ++ * 63 48|47 32|31 16|15 0 ++ * ----------------------------------------- ++ * | Len 0 | Len 1 | Len 2 | Len 3 | ++ * ----------------------------------------- ++ * | Ptr 0 | ++ * ----------------------------------------- ++ * | Ptr 1 | ++ * ----------------------------------------- ++ * | Ptr 2 | ++ * ----------------------------------------- ++ * | Ptr 3 | ++ * ----------------------------------------- ++ */ + struct octep_tx_sglist_desc { + u16 len[4]; + dma_addr_t dma_ptr[4]; +-- +2.40.1 + diff --git a/queue-6.1/octeontx2-pf-do-xdp_do_flush-after-redirects.patch b/queue-6.1/octeontx2-pf-do-xdp_do_flush-after-redirects.patch new file mode 100644 index 00000000000..d9746852e05 --- /dev/null +++ b/queue-6.1/octeontx2-pf-do-xdp_do_flush-after-redirects.patch @@ -0,0 +1,110 @@ +From aeecbdf1531dae100c0bcbbb77e9b3fd5aa9fa2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 17:36:11 +0200 +Subject: octeontx2-pf: Do xdp_do_flush() after redirects. + +From: Sebastian Andrzej Siewior + +[ Upstream commit 70b2b6892645e58ed6f051dad7f8d1083f0ad553 ] + +xdp_do_flush() should be invoked before leaving the NAPI poll function +if XDP-redirect has been performed. + +Invoke xdp_do_flush() before leaving NAPI. + +Cc: Geetha sowjanya +Cc: Subbaraya Sundeep +Cc: Sunil Goutham +Cc: hariprasad +Fixes: 06059a1a9a4a5 ("octeontx2-pf: Add XDP support to netdev PF") +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Geethasowjanya Akula +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/nic/otx2_txrx.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index 7af223b0a37f5..5704fb75fa477 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -29,7 +29,8 @@ + static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf, + struct bpf_prog *prog, + struct nix_cqe_rx_s *cqe, +- struct otx2_cq_queue *cq); ++ struct otx2_cq_queue *cq, ++ bool *need_xdp_flush); + + static int otx2_nix_cq_op_status(struct otx2_nic *pfvf, + struct otx2_cq_queue *cq) +@@ -340,7 +341,7 @@ static bool otx2_check_rcv_errors(struct otx2_nic *pfvf, + static void otx2_rcv_pkt_handler(struct otx2_nic *pfvf, + struct napi_struct *napi, + struct otx2_cq_queue *cq, +- struct nix_cqe_rx_s *cqe) ++ struct nix_cqe_rx_s *cqe, bool *need_xdp_flush) + { + struct nix_rx_parse_s *parse = &cqe->parse; + struct nix_rx_sg_s *sg = &cqe->sg; +@@ -356,7 +357,7 @@ static void otx2_rcv_pkt_handler(struct otx2_nic *pfvf, + } + + if (pfvf->xdp_prog) +- if (otx2_xdp_rcv_pkt_handler(pfvf, pfvf->xdp_prog, cqe, cq)) ++ if (otx2_xdp_rcv_pkt_handler(pfvf, pfvf->xdp_prog, cqe, cq, need_xdp_flush)) + return; + + skb = napi_get_frags(napi); +@@ -389,6 +390,7 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf, + struct napi_struct *napi, + struct otx2_cq_queue *cq, int budget) + { ++ bool need_xdp_flush = false; + struct nix_cqe_rx_s *cqe; + int processed_cqe = 0; + +@@ -410,13 +412,15 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf, + cq->cq_head++; + cq->cq_head &= (cq->cqe_cnt - 1); + +- otx2_rcv_pkt_handler(pfvf, napi, cq, cqe); ++ otx2_rcv_pkt_handler(pfvf, napi, cq, cqe, &need_xdp_flush); + + cqe->hdr.cqe_type = NIX_XQE_TYPE_INVALID; + cqe->sg.seg_addr = 0x00; + processed_cqe++; + cq->pend_cqe--; + } ++ if (need_xdp_flush) ++ xdp_do_flush(); + + /* Free CQEs to HW */ + otx2_write64(pfvf, NIX_LF_CQ_OP_DOOR, +@@ -1323,7 +1327,8 @@ bool otx2_xdp_sq_append_pkt(struct otx2_nic *pfvf, u64 iova, int len, u16 qidx) + static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf, + struct bpf_prog *prog, + struct nix_cqe_rx_s *cqe, +- struct otx2_cq_queue *cq) ++ struct otx2_cq_queue *cq, ++ bool *need_xdp_flush) + { + unsigned char *hard_start, *data; + int qidx = cq->cq_idx; +@@ -1360,8 +1365,10 @@ static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf, + + otx2_dma_unmap_page(pfvf, iova, pfvf->rbsize, + DMA_FROM_DEVICE); +- if (!err) ++ if (!err) { ++ *need_xdp_flush = true; + return true; ++ } + put_page(page); + break; + default: +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-intel_scu_ipc-check-status-after-timeou.patch b/queue-6.1/platform-x86-intel_scu_ipc-check-status-after-timeou.patch new file mode 100644 index 00000000000..abe6e2cd212 --- /dev/null +++ b/queue-6.1/platform-x86-intel_scu_ipc-check-status-after-timeou.patch @@ -0,0 +1,94 @@ +From dbad09a6b22eb87ec1a65af5c5b37f81f3a50934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 14:27:19 -0700 +Subject: platform/x86: intel_scu_ipc: Check status after timeout in + busy_loop() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Boyd + +[ Upstream commit e0b4ab3bb92bda8d12f55842614362989d5b2cb3 ] + +It's possible for the polling loop in busy_loop() to get scheduled away +for a long time. + + status = ipc_read_status(scu); // status = IPC_STATUS_BUSY + + if (!(status & IPC_STATUS_BUSY)) + +If this happens, then the status bit could change while the task is +scheduled away and this function would never read the status again after +timing out. Instead, the function will return -ETIMEDOUT when it's +possible that scheduling didn't work out and the status bit was cleared. +Bit polling code should always check the bit being polled one more time +after the timeout in case this happens. + +Fix this by reading the status once more after the while loop breaks. +The readl_poll_timeout() macro implements all of this, and it is +shorter, so use that macro here to consolidate code and fix this. + +There were some concerns with using readl_poll_timeout() because it uses +timekeeping, and timekeeping isn't running early on or during the late +stages of system suspend or early stages of system resume, but an audit +of the code concluded that this code isn't called during those times so +it is safe to use the macro. + +Cc: Prashant Malani +Reviewed-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Reviewed-by: Kuppuswamy Sathyanarayanan +Fixes: e7b7ab3847c9 ("platform/x86: intel_scu_ipc: Sleeping is fine when polling") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230913212723.3055315-2-swboyd@chromium.org +Reviewed-by: Ilpo Järvinen +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_ipc.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c +index e7a3e34028178..96675bea88b10 100644 +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -232,19 +233,15 @@ static inline u32 ipc_data_readl(struct intel_scu_ipc_dev *scu, u32 offset) + /* Wait till scu status is busy */ + static inline int busy_loop(struct intel_scu_ipc_dev *scu) + { +- unsigned long end = jiffies + IPC_TIMEOUT; +- +- do { +- u32 status; +- +- status = ipc_read_status(scu); +- if (!(status & IPC_STATUS_BUSY)) +- return (status & IPC_STATUS_ERR) ? -EIO : 0; ++ u8 status; ++ int err; + +- usleep_range(50, 100); +- } while (time_before(jiffies, end)); ++ err = readx_poll_timeout(ipc_read_status, scu, status, !(status & IPC_STATUS_BUSY), ++ 100, jiffies_to_usecs(IPC_TIMEOUT)); ++ if (err) ++ return err; + +- return -ETIMEDOUT; ++ return (status & IPC_STATUS_ERR) ? -EIO : 0; + } + + /* Wait till ipc ioc interrupt is received or timeout in 10 HZ */ +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-intel_scu_ipc-check-status-upon-timeout.patch b/queue-6.1/platform-x86-intel_scu_ipc-check-status-upon-timeout.patch new file mode 100644 index 00000000000..3b85e331fd9 --- /dev/null +++ b/queue-6.1/platform-x86-intel_scu_ipc-check-status-upon-timeout.patch @@ -0,0 +1,64 @@ +From 862d8edc666344325b3c5ed2897e197572f1f7eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 14:27:20 -0700 +Subject: platform/x86: intel_scu_ipc: Check status upon timeout in + ipc_wait_for_interrupt() + +From: Stephen Boyd + +[ Upstream commit 427fada620733e6474d783ae6037a66eae42bf8c ] + +It's possible for the completion in ipc_wait_for_interrupt() to timeout, +simply because the interrupt was delayed in being processed. A timeout +in itself is not an error. This driver should check the status register +upon a timeout to ensure that scheduling or interrupt processing delays +don't affect the outcome of the IPC return value. + + CPU0 SCU + ---- --- + ipc_wait_for_interrupt() + wait_for_completion_timeout(&scu->cmd_complete) + [TIMEOUT] status[IPC_STATUS_BUSY]=0 + +Fix this problem by reading the status bit in all cases, regardless of +the timeout. If the completion times out, we'll assume the problem was +that the IPC_STATUS_BUSY bit was still set, but if the status bit is +cleared in the meantime we know that we hit some scheduling delay and we +should just check the error bit. + +Cc: Prashant Malani +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230913212723.3055315-3-swboyd@chromium.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_ipc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c +index 96675bea88b10..be97cfae4b0f3 100644 +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -249,10 +249,12 @@ static inline int ipc_wait_for_interrupt(struct intel_scu_ipc_dev *scu) + { + int status; + +- if (!wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT)) +- return -ETIMEDOUT; ++ wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT); + + status = ipc_read_status(scu); ++ if (status & IPC_STATUS_BUSY) ++ return -ETIMEDOUT; ++ + if (status & IPC_STATUS_ERR) + return -EIO; + +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch b/queue-6.1/platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch new file mode 100644 index 00000000000..5662d061805 --- /dev/null +++ b/queue-6.1/platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch @@ -0,0 +1,52 @@ +From ab1be404d5719a1affa920600773797bd5870639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 14:27:21 -0700 +Subject: platform/x86: intel_scu_ipc: Don't override scu in + intel_scu_ipc_dev_simple_command() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Boyd + +[ Upstream commit efce78584e583226e9a1f6cb2fb555d6ff47c3e7 ] + +Andy discovered this bug during patch review. The 'scu' argument to this +function shouldn't be overridden by the function itself. It doesn't make +any sense. Looking at the commit history, we see that commit +f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API") +removed the setting of the scu to ipcdev in other functions, but not +this one. That was an oversight. Remove this line so that we stop +overriding the scu instance that is used by this function. + +Reported-by: Andy Shevchenko +Closes: https://lore.kernel.org/r/ZPjdZ3xNmBEBvNiS@smile.fi.intel.com +Cc: Prashant Malani +Reviewed-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Fixes: f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230913212723.3055315-4-swboyd@chromium.org +Reviewed-by: Ilpo Järvinen +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_ipc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c +index be97cfae4b0f3..dfe010f1ee084 100644 +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -444,7 +444,6 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd, + mutex_unlock(&ipclock); + return -ENODEV; + } +- scu = ipcdev; + cmdval = sub << 12 | cmd; + ipc_command(scu, cmdval); + err = intel_scu_ipc_check_status(scu); +-- +2.40.1 + diff --git a/queue-6.1/platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch b/queue-6.1/platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch new file mode 100644 index 00000000000..ae9b1bf7b4a --- /dev/null +++ b/queue-6.1/platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch @@ -0,0 +1,123 @@ +From 783f59ff6cc5ad027fbf8c952c66772587a29be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 14:27:22 -0700 +Subject: platform/x86: intel_scu_ipc: Fail IPC send if still busy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Boyd + +[ Upstream commit 85e654c9f722853a595fa941dca60c157b707b86 ] + +It's possible for interrupts to get significantly delayed to the point +that callers of intel_scu_ipc_dev_command() and friends can call the +function once, hit a timeout, and call it again while the interrupt +still hasn't been processed. This driver will get seriously confused if +the interrupt is finally processed after the second IPC has been sent +with ipc_command(). It won't know which IPC has been completed. This +could be quite disastrous if calling code assumes something has happened +upon return from intel_scu_ipc_dev_simple_command() when it actually +hasn't. + +Let's avoid this scenario by simply returning -EBUSY in this case. +Hopefully higher layers will know to back off or fail gracefully when +this happens. It's all highly unlikely anyway, but it's better to be +correct here as we have no way to know which IPC the status register is +telling us about if we send a second IPC while the previous IPC is still +processing. + +Cc: Prashant Malani +Cc: Kuppuswamy Sathyanarayanan +Reviewed-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230913212723.3055315-5-swboyd@chromium.org +Reviewed-by: Ilpo Järvinen +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_ipc.c | 40 +++++++++++++++++++--------- + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c +index dfe010f1ee084..189c5460edd81 100644 +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -266,6 +266,24 @@ static int intel_scu_ipc_check_status(struct intel_scu_ipc_dev *scu) + return scu->irq > 0 ? ipc_wait_for_interrupt(scu) : busy_loop(scu); + } + ++static struct intel_scu_ipc_dev *intel_scu_ipc_get(struct intel_scu_ipc_dev *scu) ++{ ++ u8 status; ++ ++ if (!scu) ++ scu = ipcdev; ++ if (!scu) ++ return ERR_PTR(-ENODEV); ++ ++ status = ipc_read_status(scu); ++ if (status & IPC_STATUS_BUSY) { ++ dev_dbg(&scu->dev, "device is busy\n"); ++ return ERR_PTR(-EBUSY); ++ } ++ ++ return scu; ++} ++ + /* Read/Write power control(PMIC in Langwell, MSIC in PenWell) registers */ + static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data, + u32 count, u32 op, u32 id) +@@ -279,11 +297,10 @@ static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data, + memset(cbuf, 0, sizeof(cbuf)); + + mutex_lock(&ipclock); +- if (!scu) +- scu = ipcdev; +- if (!scu) { ++ scu = intel_scu_ipc_get(scu); ++ if (IS_ERR(scu)) { + mutex_unlock(&ipclock); +- return -ENODEV; ++ return PTR_ERR(scu); + } + + for (nc = 0; nc < count; nc++, offset += 2) { +@@ -438,12 +455,12 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd, + int err; + + mutex_lock(&ipclock); +- if (!scu) +- scu = ipcdev; +- if (!scu) { ++ scu = intel_scu_ipc_get(scu); ++ if (IS_ERR(scu)) { + mutex_unlock(&ipclock); +- return -ENODEV; ++ return PTR_ERR(scu); + } ++ + cmdval = sub << 12 | cmd; + ipc_command(scu, cmdval); + err = intel_scu_ipc_check_status(scu); +@@ -483,11 +500,10 @@ int intel_scu_ipc_dev_command_with_size(struct intel_scu_ipc_dev *scu, int cmd, + return -EINVAL; + + mutex_lock(&ipclock); +- if (!scu) +- scu = ipcdev; +- if (!scu) { ++ scu = intel_scu_ipc_get(scu); ++ if (IS_ERR(scu)) { + mutex_unlock(&ipclock); +- return -ENODEV; ++ return PTR_ERR(scu); + } + + memcpy(inbuf, in, inlen); +-- +2.40.1 + diff --git a/queue-6.1/powerpc-perf-hv-24x7-update-domain-value-check.patch b/queue-6.1/powerpc-perf-hv-24x7-update-domain-value-check.patch new file mode 100644 index 00000000000..79ecb1678ba --- /dev/null +++ b/queue-6.1/powerpc-perf-hv-24x7-update-domain-value-check.patch @@ -0,0 +1,63 @@ +From 0c89ef68495a35df188fe010301714b2da6f65c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Aug 2023 11:26:01 +0530 +Subject: powerpc/perf/hv-24x7: Update domain value check + +From: Kajol Jain + +[ Upstream commit 4ff3ba4db5943cac1045e3e4a3c0463ea10f6930 ] + +Valid domain value is in range 1 to HV_PERF_DOMAIN_MAX. Current code has +check for domain value greater than or equal to HV_PERF_DOMAIN_MAX. But +the check for domain value 0 is missing. + +Fix this issue by adding check for domain value 0. + +Before: + # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1 + Using CPUID 00800200 + Control descriptor is not initialized + Error: + The sys_perf_event_open() syscall returned with 5 (Input/output error) for + event (hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/). + /bin/dmesg | grep -i perf may provide additional information. + + Result from dmesg: + [ 37.819387] hv-24x7: hcall failed: [0 0x60040000 0x100 0] => ret + 0xfffffffffffffffc (-4) detail=0x2000000 failing ix=0 + +After: + # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1 + Using CPUID 00800200 + Control descriptor is not initialized + Warning: + hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ event is not supported by the kernel. + failed to read counter hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ + +Fixes: ebd4a5a3ebd9 ("powerpc/perf/hv-24x7: Minor improvements") +Reported-by: Krishan Gopal Sarawast +Signed-off-by: Kajol Jain +Tested-by: Disha Goel +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230825055601.360083-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-24x7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/hv-24x7.c b/arch/powerpc/perf/hv-24x7.c +index 33c23225fd545..7dda59923ed6a 100644 +--- a/arch/powerpc/perf/hv-24x7.c ++++ b/arch/powerpc/perf/hv-24x7.c +@@ -1431,7 +1431,7 @@ static int h_24x7_event_init(struct perf_event *event) + } + + domain = event_get_domain(event); +- if (domain >= HV_PERF_DOMAIN_MAX) { ++ if (domain == 0 || domain >= HV_PERF_DOMAIN_MAX) { + pr_devel("invalid domain %d\n", domain); + return -EINVAL; + } +-- +2.40.1 + diff --git a/queue-6.1/scsi-iscsi_tcp-restrict-to-tcp-sockets.patch b/queue-6.1/scsi-iscsi_tcp-restrict-to-tcp-sockets.patch new file mode 100644 index 00000000000..9048361b16a --- /dev/null +++ b/queue-6.1/scsi-iscsi_tcp-restrict-to-tcp-sockets.patch @@ -0,0 +1,48 @@ +From f7431b99a6f47a1fb812e5228b31486d9cfb748f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 17:11:11 +0000 +Subject: scsi: iscsi_tcp: restrict to TCP sockets + +From: Eric Dumazet + +[ Upstream commit f4f82c52a0ead5ab363d207d06f81b967d09ffb8 ] + +Nothing prevents iscsi_sw_tcp_conn_bind() to receive file descriptor +pointing to non TCP socket (af_unix for example). + +Return -EINVAL if this is attempted, instead of crashing the kernel. + +Fixes: 7ba247138907 ("[SCSI] open-iscsi/linux-iscsi-5 Initiator: Initiator code") +Signed-off-by: Eric Dumazet +Cc: Lee Duncan +Cc: Chris Leech +Cc: Mike Christie +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: open-iscsi@googlegroups.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Mike Christie +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 8009eab3b7bee..56ade46309707 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -724,6 +724,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, + return -EEXIST; + } + ++ err = -EINVAL; ++ if (!sk_is_tcp(sock->sk)) ++ goto free_socket; ++ + err = iscsi_conn_bind(cls_session, cls_conn, is_leading); + if (err) + goto free_socket; +-- +2.40.1 + diff --git a/queue-6.1/selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch b/queue-6.1/selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch new file mode 100644 index 00000000000..4e7efaf9deb --- /dev/null +++ b/queue-6.1/selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch @@ -0,0 +1,55 @@ +From 42b9f91f48fcf704d5f1cfa0f7b18dec3701948f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 16:16:25 +0200 +Subject: selftests: tls: swap the TX and RX sockets in some tests + +From: Sabrina Dubroca + +[ Upstream commit c326ca98446e0ae4fee43a40acf79412b74cfedb ] + +tls.sendmsg_large and tls.sendmsg_multiple are trying to send through +the self->cfd socket (only configured with TLS_RX) and to receive through +the self->fd socket (only configured with TLS_TX), so they're not using +kTLS at all. Swap the sockets. + +Fixes: 7f657d5bf507 ("selftests: tls: add selftests for TLS sockets") +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tls.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c +index c0ad8385441f2..5b80fb155d549 100644 +--- a/tools/testing/selftests/net/tls.c ++++ b/tools/testing/selftests/net/tls.c +@@ -551,11 +551,11 @@ TEST_F(tls, sendmsg_large) + + msg.msg_iov = &vec; + msg.msg_iovlen = 1; +- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), send_len); ++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), send_len); + } + + while (recvs++ < sends) { +- EXPECT_NE(recv(self->fd, mem, send_len, 0), -1); ++ EXPECT_NE(recv(self->cfd, mem, send_len, 0), -1); + } + + free(mem); +@@ -584,9 +584,9 @@ TEST_F(tls, sendmsg_multiple) + msg.msg_iov = vec; + msg.msg_iovlen = iov_len; + +- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), total_len); ++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), total_len); + buf = malloc(total_len); +- EXPECT_NE(recv(self->fd, buf, total_len, 0), -1); ++ EXPECT_NE(recv(self->cfd, buf, total_len, 0), -1); + for (i = 0; i < iov_len; i++) { + EXPECT_EQ(memcmp(test_strs[i], buf + len_cmp, + strlen(test_strs[i])), +-- +2.40.1 + diff --git a/queue-6.1/series b/queue-6.1/series index 7e22abf7b8a..f940e453414 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -34,3 +34,51 @@ netfilter-nft_set_pipapo-call-nft_trans_gc_queue_syn.patch netfilter-nft_set_pipapo-stop-gc-iteration-if-gc-tra.patch netfilter-nft_set_hash-try-later-when-gc-hits-eagain.patch netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch +asoc-meson-spdifin-start-hw-on-dai-probe.patch +netfilter-nf_tables-disallow-element-removal-on-anon.patch +bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch +asoc-rt5640-revert-fix-sleep-in-atomic-context.patch +asoc-rt5640-fix-irq-not-being-free-ed-for-hda-jack-d.patch +alsa-hda-realtek-splitting-the-ux3402-into-two-separ.patch +netfilter-conntrack-fix-extension-size-table.patch +selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch +net-core-fix-eth_p_1588-flow-dissector.patch +asoc-hdaudio.c-add-missing-check-for-devm_kstrdup.patch +asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch +octeon_ep-fix-tx-dma-unmap-len-values-in-sg.patch +iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch +asoc-sof-core-only-call-sof_ops_free-on-remove-if-th.patch +iavf-add-iavf_schedule_aq_request-helper.patch +iavf-schedule-a-request-immediately-after-add-delete.patch +i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch +netfilter-bpf-adjust-timeouts-of-non-confirmed-cts-i.patch +ionic-fix-16bit-math-issue-when-page_size-64kb.patch +igc-fix-infinite-initialization-loop-with-early-xdp-.patch +ipv4-fix-null-deref-in-ipv4_link_failure.patch +scsi-iscsi_tcp-restrict-to-tcp-sockets.patch +powerpc-perf-hv-24x7-update-domain-value-check.patch +dccp-fix-dccp_v4_err-dccp_v6_err-again.patch +x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch +net-hsr-properly-parse-hsrv1-supervisor-frames.patch +platform-x86-intel_scu_ipc-check-status-after-timeou.patch +platform-x86-intel_scu_ipc-check-status-upon-timeout.patch +platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch +platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch +x86-srso-fix-srso_show_state-side-effect.patch +x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch +net-hns3-add-cmdq-check-for-vf-periodic-service-task.patch +net-hns3-fix-gre-checksum-offload-issue.patch +net-hns3-only-enable-unicast-promisc-when-mac-table-.patch +net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch +net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch +net-bridge-use-dev_stats_inc.patch +team-fix-null-ptr-deref-when-team-device-type-is-cha.patch +net-rds-fix-possible-null-pointer-dereference.patch +netfilter-nf_tables-disable-toggling-dormant-table-s.patch +netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch +i915-pmu-move-execlist-stats-initialization-to-execl.patch +locking-seqlock-do-the-lockdep-annotation-before-loc.patch +net-ena-flush-xdp-packets-on-error.patch +bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch +octeontx2-pf-do-xdp_do_flush-after-redirects.patch +igc-expose-tx-usecs-coalesce-setting-to-user.patch diff --git a/queue-6.1/team-fix-null-ptr-deref-when-team-device-type-is-cha.patch b/queue-6.1/team-fix-null-ptr-deref-when-team-device-type-is-cha.patch new file mode 100644 index 00000000000..11881ae69a7 --- /dev/null +++ b/queue-6.1/team-fix-null-ptr-deref-when-team-device-type-is-cha.patch @@ -0,0 +1,121 @@ +From f61c876fa27a16a5c08e093b6f1d2cd85039ba66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 20:30:11 +0800 +Subject: team: fix null-ptr-deref when team device type is changed + +From: Ziyang Xuan + +[ Upstream commit 492032760127251e5540a5716a70996bacf2a3fd ] + +Get a null-ptr-deref bug as follows with reproducer [1]. + +BUG: kernel NULL pointer dereference, address: 0000000000000228 +... +RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] +... +Call Trace: + + ? __die+0x24/0x70 + ? page_fault_oops+0x82/0x150 + ? exc_page_fault+0x69/0x150 + ? asm_exc_page_fault+0x26/0x30 + ? vlan_dev_hard_header+0x35/0x140 [8021q] + ? vlan_dev_hard_header+0x8e/0x140 [8021q] + neigh_connected_output+0xb2/0x100 + ip6_finish_output2+0x1cb/0x520 + ? nf_hook_slow+0x43/0xc0 + ? ip6_mtu+0x46/0x80 + ip6_finish_output+0x2a/0xb0 + mld_sendpack+0x18f/0x250 + mld_ifc_work+0x39/0x160 + process_one_work+0x1e6/0x3f0 + worker_thread+0x4d/0x2f0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xe5/0x120 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + +[1] +$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' +$ ip link add name t-dummy type dummy +$ ip link add link t-dummy name t-dummy.100 type vlan id 100 +$ ip link add name t-nlmon type nlmon +$ ip link set t-nlmon master team0 +$ ip link set t-nlmon nomaster +$ ip link set t-dummy up +$ ip link set team0 up +$ ip link set t-dummy.100 down +$ ip link set t-dummy.100 master team0 + +When enslave a vlan device to team device and team device type is changed +from non-ether to ether, header_ops of team device is changed to +vlan_header_ops. That is incorrect and will trigger null-ptr-deref +for vlan->real_dev in vlan_dev_hard_header() because team device is not +a vlan device. + +Cache eth_header_ops in team_setup(), then assign cached header_ops to +header_ops of team net device when its type is changed from non-ether +to ether to fix the bug. + +Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") +Suggested-by: Hangbin Liu +Reviewed-by: Hangbin Liu +Signed-off-by: Ziyang Xuan +Reviewed-by: Jiri Pirko +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 10 +++++++++- + include/linux/if_team.h | 2 ++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 921ca59822b0f..556b2d1cd2aca 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2127,7 +2127,12 @@ static const struct ethtool_ops team_ethtool_ops = { + static void team_setup_by_port(struct net_device *dev, + struct net_device *port_dev) + { +- dev->header_ops = port_dev->header_ops; ++ struct team *team = netdev_priv(dev); ++ ++ if (port_dev->type == ARPHRD_ETHER) ++ dev->header_ops = team->header_ops_cache; ++ else ++ dev->header_ops = port_dev->header_ops; + dev->type = port_dev->type; + dev->hard_header_len = port_dev->hard_header_len; + dev->needed_headroom = port_dev->needed_headroom; +@@ -2174,8 +2179,11 @@ static int team_dev_type_check_change(struct net_device *dev, + + static void team_setup(struct net_device *dev) + { ++ struct team *team = netdev_priv(dev); ++ + ether_setup(dev); + dev->max_mtu = ETH_MAX_MTU; ++ team->header_ops_cache = dev->header_ops; + + dev->netdev_ops = &team_netdev_ops; + dev->ethtool_ops = &team_ethtool_ops; +diff --git a/include/linux/if_team.h b/include/linux/if_team.h +index 8de6b6e678295..34bcba5a70677 100644 +--- a/include/linux/if_team.h ++++ b/include/linux/if_team.h +@@ -189,6 +189,8 @@ struct team { + struct net_device *dev; /* associated netdevice */ + struct team_pcpu_stats __percpu *pcpu_stats; + ++ const struct header_ops *header_ops_cache; ++ + struct mutex lock; /* used for overall locking, e.g. port lists write */ + + /* +-- +2.40.1 + diff --git a/queue-6.1/x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch b/queue-6.1/x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch new file mode 100644 index 00000000000..df5f3018c61 --- /dev/null +++ b/queue-6.1/x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch @@ -0,0 +1,55 @@ +From 250617e3093f0107faaa1d062ba542f2d41c9aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 13:55:58 -0400 +Subject: x86/mm, kexec, ima: Use memblock_free_late() from + ima_free_kexec_buffer() + +From: Rik van Riel + +[ Upstream commit 34cf99c250d5cd2530b93a57b0de31d3aaf8685b ] + +The code calling ima_free_kexec_buffer() runs long after the memblock +allocator has already been torn down, potentially resulting in a use +after free in memblock_isolate_range(). + +With KASAN or KFENCE, this use after free will result in a BUG +from the idle task, and a subsequent kernel panic. + +Switch ima_free_kexec_buffer() over to memblock_free_late() to avoid +that bug. + +Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c") +Suggested-by: Mike Rappoport +Signed-off-by: Rik van Riel +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20230817135558.67274c83@imladris.surriel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/setup.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 892609cde4a20..804a252382da7 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -363,15 +363,11 @@ static void __init add_early_ima_buffer(u64 phys_addr) + #if defined(CONFIG_HAVE_IMA_KEXEC) && !defined(CONFIG_OF_FLATTREE) + int __init ima_free_kexec_buffer(void) + { +- int rc; +- + if (!ima_kexec_buffer_size) + return -ENOENT; + +- rc = memblock_phys_free(ima_kexec_buffer_phys, +- ima_kexec_buffer_size); +- if (rc) +- return rc; ++ memblock_free_late(ima_kexec_buffer_phys, ++ ima_kexec_buffer_size); + + ima_kexec_buffer_phys = 0; + ima_kexec_buffer_size = 0; +-- +2.40.1 + diff --git a/queue-6.1/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch b/queue-6.1/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch new file mode 100644 index 00000000000..a9855dc299b --- /dev/null +++ b/queue-6.1/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch @@ -0,0 +1,39 @@ +From 9a31f1b5e568c4a22555cde80efd1789a09a019e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 22:04:48 -0700 +Subject: x86/srso: Fix SBPB enablement for spec_rstack_overflow=off + +From: Josh Poimboeuf + +[ Upstream commit 01b057b2f4cc2d905a0bd92195657dbd9a7005ab ] + +If the user has requested no SRSO mitigation, other mitigations can use +the lighter-weight SBPB instead of IBPB. + +Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/b20820c3cfd1003171135ec8d762a0b957348497.1693889988.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 5f38d60532a99..263df737d5cd5 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -2414,7 +2414,7 @@ static void __init srso_select_mitigation(void) + + switch (srso_cmd) { + case SRSO_CMD_OFF: +- return; ++ goto pred_cmd; + + case SRSO_CMD_MICROCODE: + if (has_microcode) { +-- +2.40.1 + diff --git a/queue-6.1/x86-srso-fix-srso_show_state-side-effect.patch b/queue-6.1/x86-srso-fix-srso_show_state-side-effect.patch new file mode 100644 index 00000000000..927fd75e51f --- /dev/null +++ b/queue-6.1/x86-srso-fix-srso_show_state-side-effect.patch @@ -0,0 +1,44 @@ +From e584914d4c5d377365f64f967be45804e1b19dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 22:04:45 -0700 +Subject: x86/srso: Fix srso_show_state() side effect + +From: Josh Poimboeuf + +[ Upstream commit a8cf700c17d9ca6cb8ee7dc5c9330dbac3948237 ] + +Reading the 'spec_rstack_overflow' sysfs file can trigger an unnecessary +MSR write, and possibly even a (handled) exception if the microcode +hasn't been updated. + +Avoid all that by just checking X86_FEATURE_IBPB_BRTYPE instead, which +gets set by srso_select_mitigation() if the updated microcode exists. + +Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Acked-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/27d128899cb8aee9eb2b57ddc996742b0c1d776b.1693889988.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 3a893ab398a01..5f38d60532a99 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -2692,7 +2692,7 @@ static ssize_t srso_show_state(char *buf) + + return sysfs_emit(buf, "%s%s\n", + srso_strings[srso_mitigation], +- (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode")); ++ boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode"); + } + + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, +-- +2.40.1 +