From: Sasha Levin Date: Sun, 3 Mar 2024 15:56:43 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v4.19.309~92^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4de9e183a8fccff71bce614b7d29ecd30217edce;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/afs-fix-endless-loop-in-directory-parsing.patch b/queue-6.1/afs-fix-endless-loop-in-directory-parsing.patch new file mode 100644 index 00000000000..166aca481af --- /dev/null +++ b/queue-6.1/afs-fix-endless-loop-in-directory-parsing.patch 
@@ -0,0 +1,68 @@ +From 519ae9b92f5b9be2440bd1a9c2b6f051c782f10d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 13:15:02 +0000 +Subject: afs: Fix endless loop in directory parsing + +From: David Howells + +[ Upstream commit 5f7a07646655fb4108da527565dcdc80124b14c4 ] + +If a directory has a block with only ".__afsXXXX" files in it (from +uncompleted silly-rename), these .__afsXXXX files are skipped but without +advancing the file position in the dir_context. This leads to +afs_dir_iterate() repeating the block again and again. + +Fix this by making the code that skips the .__afsXXXX file also manually +advance the file position. + +The symptoms are a soft lookup: + + watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737] + ... + RIP: 0010:afs_dir_iterate_block+0x39/0x1fd + ... + ? watchdog_timer_fn+0x1a6/0x213 + ... + ? asm_sysvec_apic_timer_interrupt+0x16/0x20 + ? afs_dir_iterate_block+0x39/0x1fd + afs_dir_iterate+0x10a/0x148 + afs_readdir+0x30/0x4a + iterate_dir+0x93/0xd3 + __do_sys_getdents64+0x6b/0xd4 + +This is almost certainly the actual fix for: + + https://bugzilla.kernel.org/show_bug.cgi?id=218496 + +Fixes: 57e9d49c5452 ("afs: Hide silly-rename files from userspace") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/786185.1708694102@warthog.procyon.org.uk +Reviewed-by: Marc Dionne +cc: Marc Dionne +cc: Markus Suvanto +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index cf811b77ee671..6e2c967fae6fc 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -478,8 +478,10 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode, + dire->u.name[0] == '.' 
&& + ctx->actor != afs_lookup_filldir && + ctx->actor != afs_lookup_one_filldir && +- memcmp(dire->u.name, ".__afs", 6) == 0) ++ memcmp(dire->u.name, ".__afs", 6) == 0) { ++ ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent); + continue; ++ } + + /* found the next entry */ + if (!dir_emit(ctx, dire->u.name, nlen, +-- +2.43.0 + diff --git a/queue-6.1/alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch b/queue-6.1/alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch new file mode 100644 index 00000000000..a9b97156694 --- /dev/null +++ b/queue-6.1/alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch @@ -0,0 +1,35 @@ +From dee539f3770a47e2be5266503287b12c722adbd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 10:21:56 +0100 +Subject: ALSA: Drop leftover snd-rtctimer stuff from Makefile + +From: Takashi Iwai + +[ Upstream commit 4df49712eb54141be00a9312547436d55677f092 ] + +We forgot to remove the line for snd-rtctimer from Makefile while +dropping the functionality. Get rid of the stale line. + +Fixes: 34ce71a96dcb ("ALSA: timer: remove legacy rtctimer") +Link: https://lore.kernel.org/r/20240221092156.28695-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/Makefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/core/Makefile b/sound/core/Makefile +index 2762f03d9b7bc..a7a1590b29526 100644 +--- a/sound/core/Makefile ++++ b/sound/core/Makefile +@@ -30,7 +30,6 @@ snd-ctl-led-objs := control_led.o + snd-rawmidi-objs := rawmidi.o + snd-timer-objs := timer.o + snd-hrtimer-objs := hrtimer.o +-snd-rtctimer-objs := rtctimer.o + snd-hwdep-objs := hwdep.o + snd-seq-device-objs := seq_device.o + +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-avoid-potential-use-after-free-in-hci_erro.patch b/queue-6.1/bluetooth-avoid-potential-use-after-free-in-hci_erro.patch new file mode 100644 index 00000000000..b0c77b80b07 --- /dev/null 
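Review bot: The new `ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent);` relies on `next` already indexing the slot after the silly-rename entry being skipped, but the update of `next` is outside the hunk, so a reader of this context cannot confirm that the skip moves past the entry rather than onto it; a comment would make the invariant explicit, e.g. `/* Skip silly-rename files, but still advance the position so a block holding only such entries is not scanned again */`. The description's "soft lookup" should read "soft lockup". afs_dir_iterate_block starts and continues outside the hunk.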
+++ b/queue-6.1/bluetooth-avoid-potential-use-after-free-in-hci_erro.patch 
@@ -0,0 +1,66 @@ +From aa808383ac193acc16ffb1d1206a312c111397e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 11:56:32 +0000 +Subject: Bluetooth: Avoid potential use-after-free in hci_error_reset + +From: Ying Hsu + +[ Upstream commit 2449007d3f73b2842c9734f45f0aadb522daf592 ] + +While handling the HCI_EV_HARDWARE_ERROR event, if the underlying +BT controller is not responding, the GPIO reset mechanism would +free the hci_dev and lead to a use-after-free in hci_error_reset. + +Here's the call trace observed on a ChromeOS device with Intel AX201: + queue_work_on+0x3e/0x6c + __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ] + ? init_wait_entry+0x31/0x31 + __hci_cmd_sync+0x16/0x20 [bluetooth ] + hci_error_reset+0x4f/0xa4 [bluetooth ] + process_one_work+0x1d8/0x33f + worker_thread+0x21b/0x373 + kthread+0x13a/0x152 + ? pr_cont_work+0x54/0x54 + ? kthread_blkcg+0x31/0x31 + ret_from_fork+0x1f/0x30 + +This patch holds the reference count on the hci_dev while processing +a HCI_EV_HARDWARE_ERROR event to avoid potential crash. 
+ +Fixes: c7741d16a57c ("Bluetooth: Perform a power cycle when receiving hardware error event") +Signed-off-by: Ying Hsu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 6a1db678d032f..a8932d449eb63 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1049,6 +1049,7 @@ static void hci_error_reset(struct work_struct *work) + { + struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset); + ++ hci_dev_hold(hdev); + BT_DBG("%s", hdev->name); + + if (hdev->hw_error) +@@ -1056,10 +1057,10 @@ static void hci_error_reset(struct work_struct *work) + else + bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code); + +- if (hci_dev_do_close(hdev)) +- return; ++ if (!hci_dev_do_close(hdev)) ++ hci_dev_do_open(hdev); + +- hci_dev_do_open(hdev); ++ hci_dev_put(hdev); + } + + void hci_uuids_clear(struct hci_dev *hdev) +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-btqca-add-wcn3988-support.patch b/queue-6.1/bluetooth-btqca-add-wcn3988-support.patch new file mode 100644 index 00000000000..2b5c5c24396 --- /dev/null +++ b/queue-6.1/bluetooth-btqca-add-wcn3988-support.patch 
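Review bot: The reference is taken inside the worker (`hci_dev_hold(hdev);` right after the `container_of`), so it only protects hdev while hci_error_reset itself runs, which is the case the description covers; it cannot cover the window between queueing error_reset and the worker starting, and whether that window exists depends on the queueing site, which is outside this hunk. If that site does not already hold a reference, taking the hold where the work is queued and keeping the put at the end of the worker would be the more robust pairing. A short comment above the hold would also help, e.g. `/* hci_dev_do_close() may tear the device down; keep it alive until we are done */`.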
@@ -0,0 +1,127 @@ +From 1163c073645181fbfdb2a9a929d10b2f9a68979f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 08:56:29 +0200 +Subject: Bluetooth: btqca: Add WCN3988 support + +From: Luca Weiss + +[ Upstream commit f904feefe60c28b6852d5625adc4a2c39426a2d9 ] + +Add support for the Bluetooth chip codenamed APACHE which is part of +WCN3988. + +The firmware for this chip has a slightly different naming scheme +compared to most others. For ROM Version 0x0200 we need to use +apbtfw10.tlv + apnv10.bin and for ROM version 0x201 apbtfw11.tlv + +apnv11.bin + +Signed-off-by: Luca Weiss +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 13 +++++++++++-- + drivers/bluetooth/btqca.h | 12 ++++++++++-- + drivers/bluetooth/hci_qca.c | 12 ++++++++++++ + 3 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index d40a6041c48cd..d775402b33df3 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -594,14 +594,20 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + /* Firmware files to download are based on ROM version. + * ROM version is derived from last two bytes of soc_ver. 
+ */ +- rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); ++ if (soc_type == QCA_WCN3988) ++ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else ++ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + + if (soc_type == QCA_WCN6750) + qca_send_patch_config_cmd(hdev); + + /* Download rampatch file */ + config.type = TLV_TYPE_PATCH; +- if (qca_is_wcn399x(soc_type)) { ++ if (soc_type == QCA_WCN3988) { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apbtfw%02x.tlv", rom_ver); ++ } else if (qca_is_wcn399x(soc_type)) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/crbtfw%02x.tlv", rom_ver); + } else if (soc_type == QCA_QCA6390) { +@@ -636,6 +642,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + if (firmware_name) + snprintf(config.fwname, sizeof(config.fwname), + "qca/%s", firmware_name); ++ else if (soc_type == QCA_WCN3988) ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apnv%02x.bin", rom_ver); + else if (qca_is_wcn399x(soc_type)) { + if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { + snprintf(config.fwname, sizeof(config.fwname), +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index b884095bcd9d0..fc6cf314eb0ef 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -142,6 +142,7 @@ enum qca_btsoc_type { + QCA_INVALID = -1, + QCA_AR3002, + QCA_ROME, ++ QCA_WCN3988, + QCA_WCN3990, + QCA_WCN3998, + QCA_WCN3991, +@@ -162,8 +163,15 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); + int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); + static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) + { +- return soc_type == QCA_WCN3990 || soc_type == QCA_WCN3991 || +- soc_type == QCA_WCN3998; ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ return true; ++ default: ++ return false; ++ } + } + static inline bool qca_is_wcn6750(enum 
qca_btsoc_type soc_type) + { +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index f217c2821b9fb..746eb096c037c 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1832,6 +1832,17 @@ static const struct hci_uart_proto qca_proto = { + .dequeue = qca_dequeue, + }; + ++static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = { ++ .soc_type = QCA_WCN3988, ++ .vregs = (struct qca_vreg []) { ++ { "vddio", 15000 }, ++ { "vddxo", 80000 }, ++ { "vddrf", 300000 }, ++ { "vddch0", 450000 }, ++ }, ++ .num_vregs = 4, ++}; ++ + static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { + .soc_type = QCA_WCN3990, + .vregs = (struct qca_vreg []) { +@@ -2357,6 +2368,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = { + { .compatible = "qcom,qca6174-bt" }, + { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390}, + { .compatible = "qcom,qca9377-bt" }, ++ { .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988}, + { .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990}, + { .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991}, + { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998}, +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch b/queue-6.1/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch new file mode 100644 index 00000000000..ac4c6eccfa4 --- /dev/null +++ b/queue-6.1/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch 
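Review bot: The new WCN3988 branch in qca_uart_setup derives rom_ver with a different shift (`>> 0x05` instead of `>> 0x04`) and nothing in the code says why; the mapping is only stated in the description (ROM 0x0200 -> apbtfw10/apnv10, ROM 0x0201 -> apbtfw11/apnv11). Suggest a comment on that branch such as `/* WCN3988 ROM 0x02xx is published as firmware revision 1x, hence the extra shift */`. Separately, inserting `QCA_WCN3988` before `QCA_WCN3990` in `enum qca_btsoc_type` renumbers every later constant, which is harmless only if nothing outside this tree depends on the numeric values; the hunk cannot confirm that. qca_uart_setup starts and continues outside the hunk.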
@@ -0,0 +1,40 @@
+From 03fc58faee410cd98fd3aa7f7194872c41ddf6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 18:43:23 +0800
+Subject: Bluetooth: btqca: use le32_to_cpu for ver.soc_id
+
+From: Min-Hua Chen
+
+[ Upstream commit 8153b738bc547878a017889d2b1cf8dd2de0e0c6 ]
+
+Use le32_to_cpu for ver.soc_id to fix the following
+sparse warning.
+
+drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted
+__le32 degrades to integer
+
+Signed-off-by: Min-Hua Chen
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT")
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 4cb541096b934..d40a6041c48cd 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -637,7 +637,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/%s", firmware_name);
+ else if (qca_is_wcn399x(soc_type)) {
+- if (ver.soc_id == QCA_WCN3991_SOC_ID) {
++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02xu.bin", rom_ver);
+ } else {
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-enforce-validation-on-max-value-of-connect.patch b/queue-6.1/bluetooth-enforce-validation-on-max-value-of-connect.patch
new file mode 100644
index 00000000000..cc42d8cbeb7
--- /dev/null
+++ b/queue-6.1/bluetooth-enforce-validation-on-max-value-of-connect.patch
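Review bot: The description presents `le32_to_cpu(ver.soc_id)` as a sparse-only fix, but on a big-endian host the old direct comparison against `QCA_WCN3991_SOC_ID` selected the wrong NVM file, so this is a functional correction and a sentence saying so would help anyone triaging the backport. Only this one comparison in qca_uart_setup is converted; if `ver.soc_id` is read elsewhere in btqca.c those sites are not visible in this hunk. qca_uart_setup starts and continues outside the hunk.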
@@ -0,0 +1,68 @@ +From 404f14510cfb2a493b2f701c87a2d61f0554a87d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 14:50:28 +0800 +Subject: Bluetooth: Enforce validation on max value of connection interval + +From: Kai-Heng Feng + +[ Upstream commit e4b019515f950b4e6e5b74b2e1bb03a90cb33039 ] + +Right now Linux BT stack cannot pass test case "GAP/CONN/CPUP/BV-05-C +'Connection Parameter Update Procedure Invalid Parameters Central +Responder'" in Bluetooth Test Suite revision GAP.TS.p44. [0] + +That was revoled by commit c49a8682fc5d ("Bluetooth: validate BLE +connection interval updates"), but later got reverted due to devices +like keyboards and mice may require low connection interval. + +So only validate the max value connection interval to pass the Test +Suite, and let devices to request low connection interval if needed. + +[0] https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=229869 + +Fixes: 68d19d7d9957 ("Revert "Bluetooth: validate BLE connection interval updates"") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 4 ++++ + net/bluetooth/l2cap_core.c | 8 +++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index f79aaef5a276d..452d839c152fc 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6719,6 +6719,10 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + ++ if (max > hcon->le_conn_max_interval) ++ return send_conn_param_neg_reply(hdev, handle, ++ HCI_ERROR_INVALID_LL_PARAMS); ++ + if (hci_check_conn_params(min, max, latency, timeout)) + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 81f5974e5eb5a..b4cba55be5ad9 100644 +--- 
a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5614,7 +5614,13 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, + + memset(&rsp, 0, sizeof(rsp)); + +- err = hci_check_conn_params(min, max, latency, to_multiplier); ++ if (max > hcon->le_conn_max_interval) { ++ BT_DBG("requested connection interval exceeds current bounds."); ++ err = -EINVAL; ++ } else { ++ err = hci_check_conn_params(min, max, latency, to_multiplier); ++ } ++ + if (err) + rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); + else +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-hci_event-fix-handling-of-hci_ev_io_capa_r.patch b/queue-6.1/bluetooth-hci_event-fix-handling-of-hci_ev_io_capa_r.patch new file mode 100644 index 00000000000..ff8dd48787a --- /dev/null +++ b/queue-6.1/bluetooth-hci_event-fix-handling-of-hci_ev_io_capa_r.patch 
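Review bot: The same bound check `max > hcon->le_conn_max_interval` is added twice, in hci_le_remote_conn_param_req_evt and in l2cap_conn_param_update_req, and only the L2CAP copy logs a reason; the two copies will drift unless the bound lives in one place, for example by letting hci_check_conn_params (or a small wrapper around it) take the hcon to compare against. Neither site says why only the upper bound is enforced, which is the substance of the change; a comment such as `/* Only the upper bound is enforced: input devices may legitimately request intervals below le_conn_min_interval */` at each site would keep the reasoning from the description next to the code. In the HCI path the preceding `HCI_ERROR_UNKNOWN_CONN_ID` return shows `hcon` is non-NULL; the L2CAP function starts and ends outside the hunk, so the same cannot be confirmed there from this context.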
@@ -0,0 +1,42 @@
+From 5f969efe80f799398a27ff90aa29f9a688c272f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jan 2024 09:02:47 -0500
+Subject: Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865 ]
+
+If we received HCI_EV_IO_CAPA_REQUEST while
+HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote
+does support SSP since otherwise this event shouldn't be generated.
+
+Link: https://lore.kernel.org/linux-bluetooth/CABBYNZ+9UdG1cMZVmdtN3U2aS16AKMCyTARZZyFX7xTEDWcMOw@mail.gmail.com/T/#t
+Fixes: c7f59461f5a7 ("Bluetooth: Fix a refcnt underflow problem for hci_conn")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_event.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index b18f5e5df8ad0..f79aaef5a276d 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5282,9 +5282,12 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
+ hci_dev_lock(hdev);
+
+ conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+- if (!conn || !hci_conn_ssp_enabled(conn))
++ if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
+ goto unlock;
+
++ /* Assume remote supports SSP since it has triggered this event */
++ set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
++
+ hci_conn_hold(conn);
+
+ if (!hci_dev_test_flag(hdev, HCI_MGMT))
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-hci_event-fix-wrongly-recorded-wakeup-bd_a.patch b/queue-6.1/bluetooth-hci_event-fix-wrongly-recorded-wakeup-bd_a.patch
new file mode 100644
index 00000000000..57928ea2fc6
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_event-fix-wrongly-recorded-wakeup-bd_a.patch
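Review bot: The new `set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);` runs for every IO capability request once the local `HCI_SSP_ENABLED` flag is set, so a connection whose remote extended-features reply has already reported no SSP support is marked SSP-capable as well; if that ordering can occur it deserves a mention, since the per-connection check was the only thing distinguishing the two cases. The code comment states the assumption but not the reason given in the description (the event can arrive before `HCI_OP_READ_REMOTE_EXT_FEATURES` is answered); suggest `/* The remote may not have answered Read Remote Ext Features yet; an IO capability request is only generated for SSP, so treat the link as SSP-capable */`. hci_io_capa_request_evt starts and continues outside the hunk.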
@@ -0,0 +1,42 @@
+From 07d439d78d8aeb039e169ca37317b95fada4aef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jan 2024 19:03:23 +0800
+Subject: Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR
+
+From: Zijun Hu
+
+[ Upstream commit 61a5ab72edea7ebc3ad2c6beea29d966f528ebfb ]
+
+hci_store_wake_reason() wrongly parses event HCI_Connection_Request
+as HCI_Connection_Complete and HCI_Connection_Complete as
+HCI_Connection_Request, so causes recording wakeup BD_ADDR error and
+potential stability issue, fix it by using the correct field.
+
+Fixes: 2f20216c1d6f ("Bluetooth: Emit controller suspend and resume events")
+Signed-off-by: Zijun Hu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_event.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 56ecc5f97b916..b18f5e5df8ad0 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -7245,10 +7245,10 @@ static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
+ * keep track of the bdaddr of the connection event that woke us up.
+ */
+ if (event == HCI_EV_CONN_REQUEST) {
+- bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
++ bacpy(&hdev->wake_addr, &conn_request->bdaddr);
+ hdev->wake_addr_type = BDADDR_BREDR;
+ } else if (event == HCI_EV_CONN_COMPLETE) {
+- bacpy(&hdev->wake_addr, &conn_request->bdaddr);
++ bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
+ hdev->wake_addr_type = BDADDR_BREDR;
+ } else if (event == HCI_EV_LE_META) {
+ struct hci_ev_le_meta *le_ev = (void *)skb->data;
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-hci_qca-add-support-for-qti-bluetooth-chip.patch b/queue-6.1/bluetooth-hci_qca-add-support-for-qti-bluetooth-chip.patch
new file mode 100644
index 00000000000..c808488d9f0
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_qca-add-support-for-qti-bluetooth-chip.patch
@@ -0,0 +1,275 @@ +From 5dd01d270ff28b938961b4e41a7bb4a5bab519cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Mar 2023 18:38:10 -0500 +Subject: Bluetooth: hci_qca: Add support for QTI Bluetooth chip wcn6855 + +From: Steev Klimaszewski + +[ Upstream commit 095327fede005f4b14d40b2183b2f7965c739dbd ] + +Add regulators, GPIOs and changes required to power on/off wcn6855. +Add support for firmware download for wcn6855 which is in the +linux-firmware repository as hpbtfw21.tlv and hpnv21.bin. + +Based on the assumption that this is similar to the wcn6750 + +Tested-on: BTFW.HSP.2.1.0-00538-VER_PATCHZ-1 + +Signed-off-by: Steev Klimaszewski +Reviewed-by: Bjorn Andersson +Tested-by: Bjorn Andersson +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 14 ++++++++- + drivers/bluetooth/btqca.h | 10 +++++++ + drivers/bluetooth/hci_qca.c | 57 ++++++++++++++++++++++++++++--------- + 3 files changed, 66 insertions(+), 15 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index d7d0c9de3dc31..4cb541096b934 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -614,6 +614,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + config.type = ELF_TYPE_PATCH; + snprintf(config.fwname, sizeof(config.fwname), + "qca/msbtfw%02x.mbn", rom_ver); ++ } else if (soc_type == QCA_WCN6855) { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hpbtfw%02x.tlv", rom_ver); + } else { + snprintf(config.fwname, sizeof(config.fwname), + "qca/rampatch_%08x.bin", soc_ver); +@@ -648,6 +651,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + else if (soc_type == QCA_WCN6750) + snprintf(config.fwname, sizeof(config.fwname), + "qca/msnv%02x.bin", rom_ver); ++ else if (soc_type == QCA_WCN6855) ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hpnv%02x.bin", 
rom_ver); + else + snprintf(config.fwname, sizeof(config.fwname), + "qca/nvm_%08x.bin", soc_ver); +@@ -685,11 +691,17 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + return err; + } + +- if (soc_type == QCA_WCN3991 || soc_type == QCA_WCN6750) { ++ switch (soc_type) { ++ case QCA_WCN3991: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + /* get fw build info */ + err = qca_read_fw_build_info(hdev); + if (err < 0) + return err; ++ break; ++ default: ++ break; + } + + bt_dev_info(hdev, "QCA setup on UART is completed"); +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index 61e9a50e66ae1..b884095bcd9d0 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -147,6 +147,7 @@ enum qca_btsoc_type { + QCA_WCN3991, + QCA_QCA6390, + QCA_WCN6750, ++ QCA_WCN6855, + }; + + #if IS_ENABLED(CONFIG_BT_QCA) +@@ -168,6 +169,10 @@ static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) + { + return soc_type == QCA_WCN6750; + } ++static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) ++{ ++ return soc_type == QCA_WCN6855; ++} + + #else + +@@ -206,6 +211,11 @@ static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) + return false; + } + ++static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) ++{ ++ return false; ++} ++ + static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + { + return -EOPNOTSUPP; +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 0e908a337e534..f217c2821b9fb 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1315,7 +1315,8 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) + + /* Give the controller time to process the request */ + if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu))) ++ qca_is_wcn6750(qca_soc_type(hu)) || ++ qca_is_wcn6855(qca_soc_type(hu))) + usleep_range(1000, 10000); + else + msleep(300); +@@ -1392,7 +1393,8 @@ static unsigned int 
qca_get_speed(struct hci_uart *hu, + static int qca_check_speeds(struct hci_uart *hu) + { + if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu))) { ++ qca_is_wcn6750(qca_soc_type(hu)) || ++ qca_is_wcn6855(qca_soc_type(hu))) { + if (!qca_get_speed(hu, QCA_INIT_SPEED) && + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +@@ -1426,7 +1428,8 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + * changing the baudrate of chip and host. + */ + if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type)) ++ qca_is_wcn6750(soc_type) || ++ qca_is_wcn6855(soc_type)) + hci_uart_set_flow_control(hu, true); + + if (soc_type == QCA_WCN3990) { +@@ -1444,7 +1447,8 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + + error: + if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type)) ++ qca_is_wcn6750(soc_type) || ++ qca_is_wcn6855(soc_type)) + hci_uart_set_flow_control(hu, false); + + if (soc_type == QCA_WCN3990) { +@@ -1680,7 +1684,8 @@ static int qca_power_on(struct hci_dev *hdev) + return 0; + + if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type)) { ++ qca_is_wcn6750(soc_type) || ++ qca_is_wcn6855(soc_type)) { + ret = qca_regulator_init(hu); + } else { + qcadev = serdev_device_get_drvdata(hu->serdev); +@@ -1721,7 +1726,8 @@ static int qca_setup(struct hci_uart *hu) + + bt_dev_info(hdev, "setting up %s", + qca_is_wcn399x(soc_type) ? "wcn399x" : +- (soc_type == QCA_WCN6750) ? "wcn6750" : "ROME/QCA6390"); ++ (soc_type == QCA_WCN6750) ? "wcn6750" : ++ (soc_type == QCA_WCN6855) ? 
"wcn6855" : "ROME/QCA6390"); + + qca->memdump_state = QCA_MEMDUMP_IDLE; + +@@ -1733,7 +1739,8 @@ static int qca_setup(struct hci_uart *hu) + clear_bit(QCA_SSR_TRIGGERED, &qca->flags); + + if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type)) { ++ qca_is_wcn6750(soc_type) || ++ qca_is_wcn6855(soc_type)) { + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); + hci_set_aosp_capable(hdev); + +@@ -1755,7 +1762,8 @@ static int qca_setup(struct hci_uart *hu) + } + + if (!(qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type))) { ++ qca_is_wcn6750(soc_type) || ++ qca_is_wcn6855(soc_type))) { + /* Get QCA version information */ + ret = qca_read_soc_version(hdev, &ver, soc_type); + if (ret) +@@ -1881,6 +1889,20 @@ static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = { + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + ++static const struct qca_device_data qca_soc_data_wcn6855 = { ++ .soc_type = QCA_WCN6855, ++ .vregs = (struct qca_vreg []) { ++ { "vddio", 5000 }, ++ { "vddbtcxmx", 126000 }, ++ { "vddrfacmn", 12500 }, ++ { "vddrfa0p8", 102000 }, ++ { "vddrfa1p7", 302000 }, ++ { "vddrfa1p2", 257000 }, ++ }, ++ .num_vregs = 6, ++ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, ++}; ++ + static void qca_power_shutdown(struct hci_uart *hu) + { + struct qca_serdev *qcadev; +@@ -1910,7 +1932,7 @@ static void qca_power_shutdown(struct hci_uart *hu) + host_set_baudrate(hu, 2400); + qca_send_power_pulse(hu, false); + qca_regulator_disable(qcadev); +- } else if (soc_type == QCA_WCN6750) { ++ } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) { + gpiod_set_value_cansleep(qcadev->bt_en, 0); + msleep(100); + qca_regulator_disable(qcadev); +@@ -2045,7 +2067,8 @@ static int qca_serdev_probe(struct serdev_device *serdev) + + if (data && + (qca_is_wcn399x(data->soc_type) || +- qca_is_wcn6750(data->soc_type))) { ++ qca_is_wcn6750(data->soc_type) || ++ qca_is_wcn6855(data->soc_type))) { + 
qcadev->btsoc_type = data->soc_type; + qcadev->bt_power = devm_kzalloc(&serdev->dev, + sizeof(struct qca_power), +@@ -2065,14 +2088,18 @@ static int qca_serdev_probe(struct serdev_device *serdev) + + qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", + GPIOD_OUT_LOW); +- if (IS_ERR_OR_NULL(qcadev->bt_en) && data->soc_type == QCA_WCN6750) { ++ if (IS_ERR_OR_NULL(qcadev->bt_en) && ++ (data->soc_type == QCA_WCN6750 || ++ data->soc_type == QCA_WCN6855)) { + dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n"); + power_ctrl_enabled = false; + } + + qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl", + GPIOD_IN); +- if (IS_ERR_OR_NULL(qcadev->sw_ctrl) && data->soc_type == QCA_WCN6750) ++ if (IS_ERR_OR_NULL(qcadev->sw_ctrl) && ++ (data->soc_type == QCA_WCN6750 || ++ data->soc_type == QCA_WCN6855)) + dev_warn(&serdev->dev, "failed to acquire SW_CTRL gpio\n"); + + qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL); +@@ -2148,8 +2175,9 @@ static void qca_serdev_remove(struct serdev_device *serdev) + struct qca_power *power = qcadev->bt_power; + + if ((qca_is_wcn399x(qcadev->btsoc_type) || +- qca_is_wcn6750(qcadev->btsoc_type)) && +- power->vregs_on) ++ qca_is_wcn6750(qcadev->btsoc_type) || ++ qca_is_wcn6855(qcadev->btsoc_type)) && ++ power->vregs_on) + qca_power_shutdown(&qcadev->serdev_hu); + else if (qcadev->susclk) + clk_disable_unprepare(qcadev->susclk); +@@ -2333,6 +2361,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = { + { .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991}, + { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998}, + { .compatible = "qcom,wcn6750-bt", .data = &qca_soc_data_wcn6750}, ++ { .compatible = "qcom,wcn6855-bt", .data = &qca_soc_data_wcn6855}, + { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match); +-- +2.43.0 + 
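Review bot: `qca_soc_data_wcn6855` is defined without the `__maybe_unused` attribute that its sibling `qca_soc_data_wcn6750` carries in the surrounding context, so a compile test with !CONFIG_OF will report it as an unused const variable, the exact failure the "mark OF related data as maybe unused" patch in this same series fixes for the other tables; suggest `static const struct qca_device_data qca_soc_data_wcn6855 __maybe_unused = {`. The hunk also extends the `qca_is_wcn399x(...) || qca_is_wcn6750(...) || qca_is_wcn6855(...)` predicate at nine call sites in hci_qca.c, plus two `QCA_WCN6750 || QCA_WCN6855` pairs in qca_serdev_probe and one in qca_power_shutdown; a single helper naming the shared property (host-controlled regulators and BT_EN) would keep the next SoC, such as the WCN7850 that appears later in this series, to one edit. Each enclosing function from qca_set_baudrate through qca_serdev_remove starts or ends outside the hunk.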
diff --git a/queue-6.1/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch b/queue-6.1/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch new file mode 100644 index 00000000000..7511e98c66a --- /dev/null +++ b/queue-6.1/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch 
@@ -0,0 +1,82 @@ +From 564408b8e777b62ae04a2f807bb64c3e90e0cb0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Mar 2023 12:13:53 +0100 +Subject: Bluetooth: hci_qca: mark OF related data as maybe unused +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit 44fac8a2fd2f72ee98ee41e6bc9ecc7765b5d3cc ] + +The driver can be compile tested with !CONFIG_OF making certain data +unused: + + drivers/bluetooth/hci_qca.c:1869:37: error: ‘qca_soc_data_wcn6750’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1853:37: error: ‘qca_soc_data_wcn3998’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1841:37: error: ‘qca_soc_data_wcn3991’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1830:37: error: ‘qca_soc_data_wcn3990’ + defined but not used [-Werror=unused-const-variable=] + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 76ceb8a0183d1..0e908a337e534 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1824,7 +1824,7 @@ static const struct hci_uart_proto qca_proto = { + .dequeue = qca_dequeue, + }; + +-static const struct qca_device_data qca_soc_data_wcn3990 = { ++static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { + .soc_type = QCA_WCN3990, + .vregs = (struct qca_vreg []) { + { "vddio", 15000 }, +@@ -1835,7 +1835,7 @@ static const struct qca_device_data qca_soc_data_wcn3990 = { + .num_vregs = 4, + }; + +-static const struct qca_device_data qca_soc_data_wcn3991 = { ++static const struct 
qca_device_data qca_soc_data_wcn3991 __maybe_unused = { + .soc_type = QCA_WCN3991, + .vregs = (struct qca_vreg []) { + { "vddio", 15000 }, +@@ -1847,7 +1847,7 @@ static const struct qca_device_data qca_soc_data_wcn3991 = { + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + +-static const struct qca_device_data qca_soc_data_wcn3998 = { ++static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = { + .soc_type = QCA_WCN3998, + .vregs = (struct qca_vreg []) { + { "vddio", 10000 }, +@@ -1858,13 +1858,13 @@ static const struct qca_device_data qca_soc_data_wcn3998 = { + .num_vregs = 4, + }; + +-static const struct qca_device_data qca_soc_data_qca6390 = { ++static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = { + .soc_type = QCA_QCA6390, + .num_vregs = 0, + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + +-static const struct qca_device_data qca_soc_data_wcn6750 = { ++static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = { + .soc_type = QCA_WCN6750, + .vregs = (struct qca_vreg []) { + { "vddio", 5000 }, +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-hci_qca-set-bda-quirk-bit-if-fwnode-exists.patch b/queue-6.1/bluetooth-hci_qca-set-bda-quirk-bit-if-fwnode-exists.patch new file mode 100644 index 00000000000..14f9e0cbb80 --- /dev/null +++ b/queue-6.1/bluetooth-hci_qca-set-bda-quirk-bit-if-fwnode-exists.patch 
@@ -0,0 +1,62 @@
+From 7787ab098a8b35e7104bdcfad6ba84de3f79fd85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jan 2024 20:00:42 +0530
+Subject: Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT
+
+From: Janaki Ramaiah Thota
+
+[ Upstream commit 7dcd3e014aa7faeeaf4047190b22d8a19a0db696 ]
+
+BT adapter going into UNCONFIGURED state during BT turn ON when
+devicetree has no local-bd-address node.
+
+Bluetooth will not work out of the box on such devices, to avoid this
+problem, added check to set HCI_QUIRK_USE_BDADDR_PROPERTY based on
+local-bd-address node entry.
+
+When this quirk is not set, the public Bluetooth address read by host
+from controller though HCI Read BD Address command is
+considered as valid.
+
+Fixes: e668eb1e1578 ("Bluetooth: hci_core: Don't stop BT if the BD address missing in dts")
+Signed-off-by: Janaki Ramaiah Thota
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_qca.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 43abdaf92a0ed..8bfef7f81b417 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -7,6 +7,7 @@
+ *
+ * Copyright (C) 2007 Texas Instruments, Inc.
+ * Copyright (c) 2010, 2012, 2018 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ *
+ * Acknowledgements:
+ * This file is based on hci_ll.c, which was...
+@@ -1844,7 +1845,17 @@ static int qca_setup(struct hci_uart *hu)
+ case QCA_WCN6750:
+ case QCA_WCN6855:
+ case QCA_WCN7850:
+- set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
++
++ /* Set BDA quirk bit for reading BDA value from fwnode property
++ * only if that property exist in DT.
++ */
++ if (fwnode_property_present(dev_fwnode(hdev->dev.parent), "local-bd-address")) {
++ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
++ bt_dev_info(hdev, "setting quirk bit to read BDA from fwnode later");
++ } else {
++ bt_dev_dbg(hdev, "local-bd-address` is not present in the devicetree so not setting quirk bit for BDA");
++ }
++
+ hci_set_aosp_capable(hdev);
+
+ ret = qca_read_soc_version(hdev, &ver, soc_type);
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-check-the-correct-flag-before-sta.patch b/queue-6.1/bluetooth-hci_sync-check-the-correct-flag-before-sta.patch
new file mode 100644
index 00000000000..e25939c516d
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_sync-check-the-correct-flag-before-sta.patch
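Review bot: The debug message added in the `else` branch of the qca_setup() hunk carries a stray backtick, `"local-bd-address` is not present ..."`, which will be emitted verbatim into the log; drop it: `bt_dev_dbg(hdev, "local-bd-address is not present in the devicetree so not setting quirk bit for BDA");`. The two outcomes of the same check are logged at different levels (`bt_dev_info` when the property exists, `bt_dev_dbg` when it does not), although both are normal results of probing the firmware node; one level for both would keep setup logs consistent. The call presumably relies on fwnode_property_present() tolerating a NULL fwnode from dev_fwnode(hdev->dev.parent) when the parent carries no firmware node; worth confirming for the non-serdev case. qca_setup()'s body starts and ends outside the hunk.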
@@ -0,0 +1,49 @@
+From d70ad0142ab8c48fc00071719ae0f409f2004948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Jan 2024 19:08:08 +0100
+Subject: Bluetooth: hci_sync: Check the correct flag before starting a scan
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler
+
+[ Upstream commit 6b3899be24b16ff8ee0cb25f0bd59b01b15ba1d1 ]
+
+There's a very confusing mistake in the code starting a HCI inquiry: We're
+calling hci_dev_test_flag() to test for HCI_INQUIRY, but hci_dev_test_flag()
+checks hdev->dev_flags instead of hdev->flags. HCI_INQUIRY is a bit that's
+set on hdev->flags, not on hdev->dev_flags though.
+
+HCI_INQUIRY equals the integer 7, and in hdev->dev_flags, 7 means
+HCI_BONDABLE, so we were actually checking for HCI_BONDABLE here.
+
+The mistake is only present in the synchronous code for starting an inquiry,
+not in the async one. Also devices are typically bondable while doing an
+inquiry, so that might be the reason why nobody noticed it so far.
+
+Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY")
+Signed-off-by: Jonas Dreßler
+Reviewed-by: Simon Horman
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 45d19294aa772..13ed6cbfade3e 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5482,7 +5482,7 @@ static int hci_inquiry_sync(struct hci_dev *hdev, u8 length)
+
+ bt_dev_dbg(hdev, "");
+
+- if (hci_dev_test_flag(hdev, HCI_INQUIRY))
++ if (test_bit(HCI_INQUIRY, &hdev->flags))
+ return 0;
+
+ hci_dev_lock(hdev);
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-fix-accept_list-when-attempting-t.patch b/queue-6.1/bluetooth-hci_sync-fix-accept_list-when-attempting-t.patch
new file mode 100644
index 00000000000..fe18dab6bcb
--- /dev/null
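Review bot: The replacement line `if (test_bit(HCI_INQUIRY, &hdev->flags))` corrects which word is tested, but nothing in the code records why hci_dev_test_flag() is wrong here, and the two calls read as interchangeable to the next person touching hci_inquiry_sync(). A one-line comment above it would pin the distinction the commit message explains: `/* HCI_INQUIRY is a bit in hdev->flags, not hdev->dev_flags; hci_dev_test_flag() would test the wrong word */`. The commit message states the asynchronous inquiry path already tests the right word, so this brings the sync path in line with it. hci_inquiry_sync()'s body continues outside the hunk.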
+++ b/queue-6.1/bluetooth-hci_sync-fix-accept_list-when-attempting-t.patch
@@ -0,0 +1,42 @@
+From ad8e2d681ab959503b31e15cfc8ddbcab8d4da7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Jan 2024 10:43:26 -0500
+Subject: Bluetooth: hci_sync: Fix accept_list when attempting to suspend
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit e5469adb2a7e930d96813316592302d9f8f1df4e ]
+
+During suspend, only wakeable devices can be in acceptlist, so if the
+device was previously added it needs to be removed otherwise the device
+can end up waking up the system prematurely.
+
+Fixes: 3b42055388c3 ("Bluetooth: hci_sync: Fix attempting to suspend with unfiltered passive scan")
+Signed-off-by: Clancy Shang
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Paul Menzel
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 13ed6cbfade3e..a337340464567 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2251,8 +2251,11 @@ static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
+
+ /* During suspend, only wakeable devices can be in acceptlist */
+ if (hdev->suspended &&
+- !(params->flags & HCI_CONN_FLAG_REMOTE_WAKEUP))
++ !(params->flags & HCI_CONN_FLAG_REMOTE_WAKEUP)) {
++ hci_le_del_accept_list_sync(hdev, ¶ms->addr,
++ params->addr_type);
+ return 0;
++ }
+
+ /* Select filter policy to accept all advertising */
+ if (*num_entries >= hdev->le_accept_list_size)
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-qca-add-support-for-wcn7850.patch b/queue-6.1/bluetooth-qca-add-support-for-wcn7850.patch
new file mode 100644
index 00000000000..c1fb4a5c8e5
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-add-support-for-wcn7850.patch
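Review bot: The return value of the new `hci_le_del_accept_list_sync()` call is discarded and the function still returns 0, so if the removal fails the non-wakeable device stays on the accept list while the caller is told everything is fine, which is exactly the premature-wakeup case the commit message describes. If dropping the error is deliberate (the callee presumably reports its own failure), a comment should say so, e.g. `/* Removal failure is not propagated: the callee reports it and the entry is skipped regardless */`; otherwise store and return the error. The argument is rendered here as `¶ms->addr`, which looks like the extraction mangling `&params->addr` rather than anything in the patch itself. hci_le_add_accept_list_sync() starts and ends outside the hunk.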
@@ -0,0 +1,206 @@ +From 46abf1b182f24f8b1b1a1e10972bdd9f7eb029cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:06:48 +0200 +Subject: Bluetooth: qca: add support for WCN7850 + +From: Neil Armstrong + +[ Upstream commit e0c1278ac89b0390fe9a74f673b6f25172292db2 ] + +Add support for the WCN7850 Bluetooth chipset. + +Tested on the SM8550 QRD platform. + +Signed-off-by: Neil Armstrong +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 10 ++++++++++ + drivers/bluetooth/btqca.h | 1 + + drivers/bluetooth/hci_qca.c | 31 ++++++++++++++++++++++++++++++- + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 8331090af86ea..0211f704a358b 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -631,6 +631,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); + break; ++ case QCA_WCN7850: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hmtbtfw%02x.tlv", rom_ver); ++ break; + default: + snprintf(config.fwname, sizeof(config.fwname), + "qca/rampatch_%08x.bin", soc_ver); +@@ -679,6 +683,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpnv%02x.bin", rom_ver); + break; ++ case QCA_WCN7850: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hmtnv%02x.bin", rom_ver); ++ break; + + default: + snprintf(config.fwname, sizeof(config.fwname), +@@ -697,6 +705,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + case QCA_QCA6390: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + err = qca_disable_soc_logging(hdev); + if (err < 0) + return err; +@@ -731,6 +740,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + case 
QCA_WCN3991: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + /* get fw build info */ + err = qca_read_fw_build_info(hdev); + if (err < 0) +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index fe51c632d7720..03bff5c0059de 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -149,6 +149,7 @@ enum qca_btsoc_type { + QCA_QCA6390, + QCA_WCN6750, + QCA_WCN6855, ++ QCA_WCN7850, + }; + + #if IS_ENABLED(CONFIG_BT_QCA) +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index e6ead996948a8..43abdaf92a0ed 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1330,6 +1330,7 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + usleep_range(1000, 10000); + break; + +@@ -1415,6 +1416,7 @@ static int qca_check_speeds(struct hci_uart *hu) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + if (!qca_get_speed(hu, QCA_INIT_SPEED) && + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +@@ -1456,6 +1458,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + hci_uart_set_flow_control(hu, true); + break; + +@@ -1489,6 +1492,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + hci_uart_set_flow_control(hu, false); + break; + +@@ -1756,6 +1760,7 @@ static int qca_power_on(struct hci_dev *hdev) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + ret = qca_regulator_init(hu); + break; + +@@ -1813,6 +1818,10 @@ static int qca_setup(struct hci_uart *hu) + soc_name = "wcn6855"; + break; + ++ case QCA_WCN7850: ++ soc_name = "wcn7850"; ++ break; ++ + default: + soc_name = "ROME/QCA6390"; + } +@@ -1834,6 
+1843,7 @@ static int qca_setup(struct hci_uart *hu) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); + hci_set_aosp_capable(hdev); + +@@ -1863,6 +1873,7 @@ static int qca_setup(struct hci_uart *hu) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + break; + + default: +@@ -2016,6 +2027,20 @@ static const struct qca_device_data qca_soc_data_wcn6855 = { + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + ++static const struct qca_device_data qca_soc_data_wcn7850 __maybe_unused = { ++ .soc_type = QCA_WCN7850, ++ .vregs = (struct qca_vreg []) { ++ { "vddio", 5000 }, ++ { "vddaon", 26000 }, ++ { "vdddig", 126000 }, ++ { "vddrfa0p8", 102000 }, ++ { "vddrfa1p2", 257000 }, ++ { "vddrfa1p9", 302000 }, ++ }, ++ .num_vregs = 6, ++ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, ++}; ++ + static void qca_power_shutdown(struct hci_uart *hu) + { + struct qca_serdev *qcadev; +@@ -2199,6 +2224,7 @@ static int qca_serdev_probe(struct serdev_device *serdev) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + qcadev->bt_power = devm_kzalloc(&serdev->dev, + sizeof(struct qca_power), + GFP_KERNEL); +@@ -2228,7 +2254,8 @@ static int qca_serdev_probe(struct serdev_device *serdev) + GPIOD_IN); + if (IS_ERR_OR_NULL(qcadev->sw_ctrl) && + (data->soc_type == QCA_WCN6750 || +- data->soc_type == QCA_WCN6855)) ++ data->soc_type == QCA_WCN6855 || ++ data->soc_type == QCA_WCN7850)) + dev_warn(&serdev->dev, "failed to acquire SW_CTRL gpio\n"); + + qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL); +@@ -2307,6 +2334,7 @@ static void qca_serdev_remove(struct serdev_device *serdev) + case QCA_WCN3998: + case QCA_WCN6750: + case QCA_WCN6855: ++ case QCA_WCN7850: + if (power->vregs_on) { + qca_power_shutdown(&qcadev->serdev_hu); + break; +@@ -2499,6 +2527,7 @@ static const struct of_device_id 
qca_bluetooth_of_match[] = { + { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998}, + { .compatible = "qcom,wcn6750-bt", .data = &qca_soc_data_wcn6750}, + { .compatible = "qcom,wcn6855-bt", .data = &qca_soc_data_wcn6855}, ++ { .compatible = "qcom,wcn7850-bt", .data = &qca_soc_data_wcn7850}, + { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match); +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-qca-fix-wrong-event-type-for-patch-config-.patch b/queue-6.1/bluetooth-qca-fix-wrong-event-type-for-patch-config-.patch new file mode 100644 index 00000000000..5b6cc31f4c0 --- /dev/null +++ b/queue-6.1/bluetooth-qca-fix-wrong-event-type-for-patch-config-.patch 
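Review bot: WCN7850 is added to the power-on path (`case QCA_WCN7850:` ahead of `ret = qca_regulator_init(hu);` in qca_power_on()) but not to the matching case in qca_power_shutdown(), which the switch-case patch in this series (queue-6.1/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch) leaves as `case QCA_WCN6750: case QCA_WCN6855:` for dropping bt_en and calling qca_regulator_disable(), while its `default:` only drops bt_en. Unless this is handled somewhere the hunks do not show, a WCN7850 would have its regulators left enabled on shutdown; adding `case QCA_WCN7850:` to that case block keeps it symmetric with qca_power_on() and with the qca_serdev_remove() case this patch does extend. The new `qca_soc_data_wcn7850` table lists six regulator load values with no unit; a comment naming the unit of the second `qca_vreg` field (it is presumably the same as for the existing tables) would help the next SoC addition. All the touched functions start and end outside the hunks shown.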
@@ -0,0 +1,45 @@
+From b56fe97c46f43e999d56aff95a8ce0502132838b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jan 2024 17:45:30 +0800
+Subject: Bluetooth: qca: Fix wrong event type for patch config command
+
+From: Zijun Hu
+
+[ Upstream commit c0dbc56077ae759f2dd602c7561480bc2b1b712c ]
+
+Vendor-specific command patch config has HCI_Command_Complete event as
+response, but qca_send_patch_config_cmd() wrongly expects vendor-specific
+event for the command, fixed by using right event type.
+
+Btmon log for the vendor-specific command are shown below:
+< HCI Command: Vendor (0x3f|0x0000) plen 5
+ 28 01 00 00 00
+> HCI Event: Command Complete (0x0e) plen 5
+ Vendor (0x3f|0x0000) ncmd 1
+ Status: Success (0x00)
+ 28
+
+Fixes: 4fac8a7ac80b ("Bluetooth: btqca: sequential validation")
+Signed-off-by: Zijun Hu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btqca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index c9064d34d8308..d7d0c9de3dc31 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -152,7 +152,7 @@ static int qca_send_patch_config_cmd(struct hci_dev *hdev)
+ bt_dev_dbg(hdev, "QCA Patch config");
+
+ skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, sizeof(cmd),
+- cmd, HCI_EV_VENDOR, HCI_INIT_TIMEOUT);
++ cmd, 0, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ err = PTR_ERR(skb);
+ bt_dev_err(hdev, "Sending QCA Patch config failed (%d)", err);
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch b/queue-6.1/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch
new file mode 100644
index 00000000000..c7f4a93dd1f
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch
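Review bot: The new argument in `cmd, 0, HCI_INIT_TIMEOUT);` replaces a named event with a bare literal, so the intent (wait for Command Complete rather than a vendor event) is only recoverable from the commit message. A comment on that line keeps it readable: `/* 0: expect Command Complete, not HCI_EV_VENDOR (see btmon trace in commit) */`, or the HCI core's named constant for "no specific event" if one exists. qca_send_patch_config_cmd()'s body continues outside the hunk; whatever validates the returned skb's length there is worth re-checking against the 5-byte Command Complete payload shown in the trace, since the response shape has changed from what the code previously expected.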
@@ -0,0 +1,617 @@ +From 92a00d12e0402af8e1b3a28597174c1c942aa045 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:06:47 +0200 +Subject: Bluetooth: qca: use switch case for soc type behavior + +From: Neil Armstrong + +[ Upstream commit 691d54d0f7cb14baac1ff4af210d13c0e4897e27 ] + +Use switch/case to handle soc type specific behaviour, +the permit dropping the qca_is_xxx() inline functions +and make the code clearer and easier to update for new +SoCs. + +Suggested-by: Konrad Dybcio +Suggested-by: Luiz Augusto von Dentz +Signed-off-by: Neil Armstrong +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: 7dcd3e014aa7 ("Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 87 +++++++++----- + drivers/bluetooth/btqca.h | 36 ------ + drivers/bluetooth/hci_qca.c | 233 +++++++++++++++++++++++++++--------- + 3 files changed, 236 insertions(+), 120 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index d775402b33df3..8331090af86ea 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -604,26 +604,34 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + + /* Download rampatch file */ + config.type = TLV_TYPE_PATCH; +- if (soc_type == QCA_WCN3988) { +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/apbtfw%02x.tlv", rom_ver); +- } else if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + snprintf(config.fwname, sizeof(config.fwname), + "qca/crbtfw%02x.tlv", rom_ver); +- } else if (soc_type == QCA_QCA6390) { ++ break; ++ case QCA_WCN3988: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apbtfw%02x.tlv", rom_ver); ++ break; ++ case QCA_QCA6390: + snprintf(config.fwname, sizeof(config.fwname), + "qca/htbtfw%02x.tlv", rom_ver); +- } else if (soc_type == QCA_WCN6750) { ++ break; ++ case QCA_WCN6750: + /* Choose mbn file by default.If mbn 
file is not found + * then choose tlv file + */ + config.type = ELF_TYPE_PATCH; + snprintf(config.fwname, sizeof(config.fwname), + "qca/msbtfw%02x.mbn", rom_ver); +- } else if (soc_type == QCA_WCN6855) { ++ break; ++ case QCA_WCN6855: + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); +- } else { ++ break; ++ default: + snprintf(config.fwname, sizeof(config.fwname), + "qca/rampatch_%08x.bin", soc_ver); + } +@@ -639,33 +647,44 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + + /* Download NVM configuration */ + config.type = TLV_TYPE_NVM; +- if (firmware_name) ++ if (firmware_name) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/%s", firmware_name); +- else if (soc_type == QCA_WCN3988) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/apnv%02x.bin", rom_ver); +- else if (qca_is_wcn399x(soc_type)) { +- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { ++ } else { ++ switch (soc_type) { ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/crnv%02xu.bin", rom_ver); ++ } else { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/crnv%02x.bin", rom_ver); ++ } ++ break; ++ case QCA_WCN3988: + snprintf(config.fwname, sizeof(config.fwname), +- "qca/crnv%02xu.bin", rom_ver); +- } else { ++ "qca/apnv%02x.bin", rom_ver); ++ break; ++ case QCA_QCA6390: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/htnv%02x.bin", rom_ver); ++ break; ++ case QCA_WCN6750: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/msnv%02x.bin", rom_ver); ++ break; ++ case QCA_WCN6855: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hpnv%02x.bin", rom_ver); ++ break; ++ ++ default: + snprintf(config.fwname, sizeof(config.fwname), +- "qca/crnv%02x.bin", rom_ver); ++ "qca/nvm_%08x.bin", soc_ver); + } + } +- else if (soc_type == QCA_QCA6390) +- snprintf(config.fwname, 
sizeof(config.fwname), +- "qca/htnv%02x.bin", rom_ver); +- else if (soc_type == QCA_WCN6750) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/msnv%02x.bin", rom_ver); +- else if (soc_type == QCA_WCN6855) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/hpnv%02x.bin", rom_ver); +- else +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/nvm_%08x.bin", soc_ver); + + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + if (err < 0) { +@@ -673,16 +692,24 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + return err; + } + +- if (soc_type >= QCA_WCN3991) { ++ switch (soc_type) { ++ case QCA_WCN3991: ++ case QCA_QCA6390: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + err = qca_disable_soc_logging(hdev); + if (err < 0) + return err; ++ break; ++ default: ++ break; + } + + /* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the + * VsMsftOpCode. + */ + switch (soc_type) { ++ case QCA_WCN3988: + case QCA_WCN3990: + case QCA_WCN3991: + case QCA_WCN3998: +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index fc6cf314eb0ef..fe51c632d7720 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -161,27 +161,6 @@ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type); + int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); + int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); +-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) +-{ +- switch (soc_type) { +- case QCA_WCN3988: +- case QCA_WCN3990: +- case QCA_WCN3991: +- case QCA_WCN3998: +- return true; +- default: +- return false; +- } +-} +-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) +-{ +- return soc_type == QCA_WCN6750; +-} +-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) +-{ +- return soc_type == QCA_WCN6855; +-} +- + #else + + static inline int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t 
*bdaddr) +@@ -209,21 +188,6 @@ static inline int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) + return -EOPNOTSUPP; + } + +-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- +-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- +-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- + static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + { + return -EOPNOTSUPP; +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 746eb096c037c..e6ead996948a8 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -606,9 +606,18 @@ static int qca_open(struct hci_uart *hu) + if (hu->serdev) { + qcadev = serdev_device_get_drvdata(hu->serdev); + +- if (qca_is_wcn399x(qcadev->btsoc_type) || +- qca_is_wcn6750(qcadev->btsoc_type)) ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: + hu->init_speed = qcadev->init_speed; ++ break; ++ ++ default: ++ break; ++ } + + if (qcadev->oper_speed) + hu->oper_speed = qcadev->oper_speed; +@@ -1314,12 +1323,19 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) + msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS)); + + /* Give the controller time to process the request */ +- if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu)) || +- qca_is_wcn6855(qca_soc_type(hu))) ++ switch (qca_soc_type(hu)) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + usleep_range(1000, 10000); +- else ++ break; ++ ++ default: + msleep(300); ++ } + + return 0; + } +@@ -1392,13 +1408,19 @@ static unsigned int qca_get_speed(struct hci_uart *hu, + + static int qca_check_speeds(struct hci_uart *hu) + { +- if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu)) || +- 
qca_is_wcn6855(qca_soc_type(hu))) { ++ switch (qca_soc_type(hu)) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + if (!qca_get_speed(hu, QCA_INIT_SPEED) && + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +- } else { ++ break; ++ ++ default: + if (!qca_get_speed(hu, QCA_INIT_SPEED) || + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +@@ -1427,14 +1449,28 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + /* Disable flow control for wcn3990 to deassert RTS while + * changing the baudrate of chip and host. + */ +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + hci_uart_set_flow_control(hu, true); ++ break; + +- if (soc_type == QCA_WCN3990) { ++ default: ++ break; ++ } ++ ++ switch (soc_type) { ++ case QCA_WCN3990: + reinit_completion(&qca->drop_ev_comp); + set_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); ++ break; ++ ++ default: ++ break; + } + + qca_baudrate = qca_get_baudrate_value(speed); +@@ -1446,12 +1482,22 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + host_set_baudrate(hu, speed); + + error: +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + hci_uart_set_flow_control(hu, false); ++ break; + +- if (soc_type == QCA_WCN3990) { ++ default: ++ break; ++ } ++ ++ switch (soc_type) { ++ case QCA_WCN3990: + /* Wait for the controller to send the vendor event + * for the baudrate change command. 
+ */ +@@ -1463,6 +1509,10 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + } + + clear_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); ++ break; ++ ++ default: ++ break; + } + } + +@@ -1624,12 +1674,20 @@ static int qca_regulator_init(struct hci_uart *hu) + } + } + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + /* Forcefully enable wcn399x to enter in to boot mode. */ + host_set_baudrate(hu, 2400); + ret = qca_send_power_pulse(hu, false); + if (ret) + return ret; ++ break; ++ ++ default: ++ break; + } + + /* For wcn6750 need to enable gpio bt_en */ +@@ -1646,10 +1704,18 @@ static int qca_regulator_init(struct hci_uart *hu) + + qca_set_speed(hu, QCA_INIT_SPEED); + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + ret = qca_send_power_pulse(hu, true); + if (ret) + return ret; ++ break; ++ ++ default: ++ break; + } + + /* Now the device is in ready state to communicate with host. 
+@@ -1683,11 +1749,17 @@ static int qca_power_on(struct hci_dev *hdev) + if (!hu->serdev) + return 0; + +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + ret = qca_regulator_init(hu); +- } else { ++ break; ++ ++ default: + qcadev = serdev_device_get_drvdata(hu->serdev); + if (qcadev->bt_en) { + gpiod_set_value_cansleep(qcadev->bt_en, 1); +@@ -1710,6 +1782,7 @@ static int qca_setup(struct hci_uart *hu) + const char *firmware_name = qca_get_firmware_name(hu); + int ret; + struct qca_btsoc_version ver; ++ const char *soc_name; + + ret = qca_check_speeds(hu); + if (ret) +@@ -1724,10 +1797,26 @@ static int qca_setup(struct hci_uart *hu) + */ + set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); + +- bt_dev_info(hdev, "setting up %s", +- qca_is_wcn399x(soc_type) ? "wcn399x" : +- (soc_type == QCA_WCN6750) ? "wcn6750" : +- (soc_type == QCA_WCN6855) ? 
"wcn6855" : "ROME/QCA6390"); ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ soc_name = "wcn399x"; ++ break; ++ ++ case QCA_WCN6750: ++ soc_name = "wcn6750"; ++ break; ++ ++ case QCA_WCN6855: ++ soc_name = "wcn6855"; ++ break; ++ ++ default: ++ soc_name = "ROME/QCA6390"; ++ } ++ bt_dev_info(hdev, "setting up %s", soc_name); + + qca->memdump_state = QCA_MEMDUMP_IDLE; + +@@ -1738,16 +1827,22 @@ static int qca_setup(struct hci_uart *hu) + + clear_bit(QCA_SSR_TRIGGERED, &qca->flags); + +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); + hci_set_aosp_capable(hdev); + + ret = qca_read_soc_version(hdev, &ver, soc_type); + if (ret) + goto out; +- } else { ++ break; ++ ++ default: + qca_set_speed(hu, QCA_INIT_SPEED); + } + +@@ -1761,9 +1856,16 @@ static int qca_setup(struct hci_uart *hu) + qca_baudrate = qca_get_baudrate_value(speed); + } + +- if (!(qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type))) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: ++ break; ++ ++ default: + /* Get QCA version information */ + ret = qca_read_soc_version(hdev, &ver, soc_type); + if (ret) +@@ -1939,11 +2041,18 @@ static void qca_power_shutdown(struct hci_uart *hu) + + qcadev = serdev_device_get_drvdata(hu->serdev); + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + host_set_baudrate(hu, 2400); + qca_send_power_pulse(hu, false); + qca_regulator_disable(qcadev); +- } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) { ++ break; ++ ++ case 
QCA_WCN6750: ++ case QCA_WCN6855: + gpiod_set_value_cansleep(qcadev->bt_en, 0); + msleep(100); + qca_regulator_disable(qcadev); +@@ -1951,7 +2060,9 @@ static void qca_power_shutdown(struct hci_uart *hu) + sw_ctrl_state = gpiod_get_value_cansleep(qcadev->sw_ctrl); + bt_dev_dbg(hu->hdev, "SW_CTRL is %d", sw_ctrl_state); + } +- } else if (qcadev->bt_en) { ++ break; ++ ++ default: + gpiod_set_value_cansleep(qcadev->bt_en, 0); + } + +@@ -2076,11 +2187,18 @@ static int qca_serdev_probe(struct serdev_device *serdev) + if (!qcadev->oper_speed) + BT_DBG("UART will pick default operating speed"); + +- if (data && +- (qca_is_wcn399x(data->soc_type) || +- qca_is_wcn6750(data->soc_type) || +- qca_is_wcn6855(data->soc_type))) { ++ if (data) + qcadev->btsoc_type = data->soc_type; ++ else ++ qcadev->btsoc_type = QCA_ROME; ++ ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + qcadev->bt_power = devm_kzalloc(&serdev->dev, + sizeof(struct qca_power), + GFP_KERNEL); +@@ -2124,12 +2242,9 @@ static int qca_serdev_probe(struct serdev_device *serdev) + BT_ERR("wcn3990 serdev registration failed"); + return err; + } +- } else { +- if (data) +- qcadev->btsoc_type = data->soc_type; +- else +- qcadev->btsoc_type = QCA_ROME; ++ break; + ++ default: + qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", + GPIOD_OUT_LOW); + if (IS_ERR_OR_NULL(qcadev->bt_en)) { +@@ -2185,13 +2300,23 @@ static void qca_serdev_remove(struct serdev_device *serdev) + struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev); + struct qca_power *power = qcadev->bt_power; + +- if ((qca_is_wcn399x(qcadev->btsoc_type) || +- qca_is_wcn6750(qcadev->btsoc_type) || +- qca_is_wcn6855(qcadev->btsoc_type)) && +- power->vregs_on) +- qca_power_shutdown(&qcadev->serdev_hu); +- else if (qcadev->susclk) +- clk_disable_unprepare(qcadev->susclk); ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case 
QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: ++ if (power->vregs_on) { ++ qca_power_shutdown(&qcadev->serdev_hu); ++ break; ++ } ++ fallthrough; ++ ++ default: ++ if (qcadev->susclk) ++ clk_disable_unprepare(qcadev->susclk); ++ } + + hci_uart_unregister_device(&qcadev->serdev_hu); + } +-- +2.43.0 + diff --git a/queue-6.1/cpufreq-intel_pstate-fix-pstate-limits-enforcement-f.patch b/queue-6.1/cpufreq-intel_pstate-fix-pstate-limits-enforcement-f.patch new file mode 100644 index 00000000000..54c2a544b9f --- /dev/null +++ b/queue-6.1/cpufreq-intel_pstate-fix-pstate-limits-enforcement-f.patch 
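Review bot: In the qca_power_shutdown() hunk the new `default:` branch calls `gpiod_set_value_cansleep(qcadev->bt_en, 0);` unconditionally, whereas the replaced `else if (qcadev->bt_en)` guarded it; that is only safe if the gpiod API tolerates a NULL descriptor for this optional GPIO, which it presumably does, but it is a behavioural change inside a commit described as restructuring and deserves either a sentence in the message or a comment such as `/* bt_en is optional; a NULL descriptor is a no-op here */`. In the qca_uart_setup() hunk the Microsoft-extension switch gains `case QCA_WCN3988:`, which the replaced code did not list; that is also a functional change beyond the refactor. The same six-entry `case` list (WCN3988/3990/3991/3998/6750/6855) is now copied into roughly a dozen switches across btqca.c and hci_qca.c, so every new SoC has to touch all of them, as the WCN7850 patch in this series illustrates. The enclosing functions all start and end outside the hunks shown.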
@@ -0,0 +1,42 @@
+From 8bf1ed34de1d7c094ab6c76f6aa01539dccf19e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Feb 2024 13:30:10 -0800
+Subject: cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf
+ call back
+
+From: Doug Smythies
+
+[ Upstream commit f0a0fc10abb062d122db5ac4ed42f6d1ca342649 ]
+
+There is a loophole in pstate limit clamping for the intel_cpufreq CPU
+frequency scaling driver (intel_pstate in passive mode), schedutil CPU
+frequency scaling governor, HWP (HardWare Pstate) control enabled, when
+the adjust_perf call back path is used.
+
+Fix it.
+
+Fixes: a365ab6b9dfb cpufreq: intel_pstate: Implement the ->adjust_perf() callback
+Signed-off-by: Doug Smythies
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/intel_pstate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index abdd26f7d04c9..5771f3fc6115d 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -2952,6 +2952,9 @@ static void intel_cpufreq_adjust_perf(unsigned int cpunum,
+ if (min_pstate < cpu->min_perf_ratio)
+ min_pstate = cpu->min_perf_ratio;
+
++ if (min_pstate > cpu->max_perf_ratio)
++ min_pstate = cpu->max_perf_ratio;
++
+ max_pstate = min(cap_pstate, cpu->max_perf_ratio);
+ if (max_pstate < min_pstate)
+ max_pstate = min_pstate;
+--
+2.43.0
+
diff --git a/queue-6.1/drm-tegra-remove-existing-framebuffer-only-if-we-sup.patch b/queue-6.1/drm-tegra-remove-existing-framebuffer-only-if-we-sup.patch
new file mode 100644
index 00000000000..0883040ae0a
--- /dev/null
+++ b/queue-6.1/drm-tegra-remove-existing-framebuffer-only-if-we-sup.patch
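Review bot: The new clamp `if (min_pstate > cpu->max_perf_ratio) min_pstate = cpu->max_perf_ratio;` is correct only because of where it sits: the later `if (max_pstate < min_pstate) max_pstate = min_pstate;` can now raise max_pstate at most to max_perf_ratio, never past it, which is the loophole being closed. Nothing on the lines says so, and a reorder would silently reopen it; suggest a comment above the new check: `/* Keep min_pstate within the user max limit so the fix-up below cannot lift max_pstate above it */`. The `Fixes:` trailer in the message lacks the conventional quoted subject in parentheses, which tooling that parses these trailers may reject. intel_cpufreq_adjust_perf() starts and ends outside the hunk.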
@@ -0,0 +1,63 @@ +From 332fd231f98fdc3031f5739876d8f9d15299bd6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 16:03:33 +0100 +Subject: drm/tegra: Remove existing framebuffer only if we support display + +From: Thierry Reding + +[ Upstream commit 86bf8cfda6d2a6720fa2e6e676c98f0882c9d3d7 ] + +Tegra DRM doesn't support display on Tegra234 and later, so make sure +not to remove any existing framebuffers in that case. + +v2: - add comments explaining how this situation can come about + - clear DRIVER_MODESET and DRIVER_ATOMIC feature bits + +Fixes: 6848c291a54f ("drm/aperture: Convert drivers to aperture interfaces") +Signed-off-by: Thierry Reding +Reviewed-by: Thomas Zimmermann +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240223150333.1401582-1-thierry.reding@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/drm.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c +index 5fc55b9777cbf..6806779f8ecce 100644 +--- a/drivers/gpu/drm/tegra/drm.c ++++ b/drivers/gpu/drm/tegra/drm.c +@@ -1252,9 +1252,26 @@ static int host1x_drm_probe(struct host1x_device *dev) + + drm_mode_config_reset(drm); + +- err = drm_aperture_remove_framebuffers(&tegra_drm_driver); +- if (err < 0) +- goto hub; ++ /* ++ * Only take over from a potential firmware framebuffer if any CRTCs ++ * have been registered. This must not be a fatal error because there ++ * are other accelerators that are exposed via this driver. ++ * ++ * Another case where this happens is on Tegra234 where the display ++ * hardware is no longer part of the host1x complex, so this driver ++ * will not expose any modesetting features. 
++ */ ++ if (drm->mode_config.num_crtc > 0) { ++ err = drm_aperture_remove_framebuffers(&tegra_drm_driver); ++ if (err < 0) ++ goto hub; ++ } else { ++ /* ++ * Indicate to userspace that this doesn't expose any display ++ * capabilities. ++ */ ++ drm->driver_features &= ~(DRIVER_MODESET | DRIVER_ATOMIC); ++ } + + err = tegra_drm_fb_init(drm); + if (err < 0) +-- +2.43.0 + diff --git a/queue-6.1/efi-capsule-loader-fix-incorrect-allocation-size.patch b/queue-6.1/efi-capsule-loader-fix-incorrect-allocation-size.patch new file mode 100644 index 00000000000..4ce765940e4 --- /dev/null +++ b/queue-6.1/efi-capsule-loader-fix-incorrect-allocation-size.patch 
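Review bot: The else branch in host1x_drm_probe clears DRIVER_MODESET and DRIVER_ATOMIC in the per-device `drm->driver_features`, but `tegra_drm_fb_init(drm)` is still called unconditionally right after, even though no CRTC was registered. Whether fb_init copes with `num_crtc == 0` cannot be seen from the hunk, so it is worth confirming (it may already bail out early on its own). A short comment on that call, e.g. `/* must tolerate num_crtc == 0, e.g. on Tegra234 where display is not behind host1x */`, would record the expectation. host1x_drm_probe continues beyond the hunk.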
@@ -0,0 +1,43 @@
+From 79e8a3468f8196a83b5da5f7c52c397002d6f348 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Feb 2024 12:24:40 +0100
+Subject: efi/capsule-loader: fix incorrect allocation size
+
+From: Arnd Bergmann
+
+[ Upstream commit fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e ]
+
+gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures
+is not enough for a 64-bit phys_addr_t:
+
+drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':
+drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]
+ 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);
+ | ^
+
+Use the correct type instead here.
+
+Fixes: f24c4d478013 ("efi/capsule-loader: Reinstate virtual capsule mapping")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/capsule-loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
+index 3e8d4b51a8140..97bafb5f70389 100644
+--- a/drivers/firmware/efi/capsule-loader.c
++++ b/drivers/firmware/efi/capsule-loader.c
+@@ -292,7 +292,7 @@ static int efi_capsule_open(struct inode *inode, struct file *file)
+ return -ENOMEM;
+ }
+
+- cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);
++ cap_info->phys = kzalloc(sizeof(phys_addr_t), GFP_KERNEL);
+ if (!cap_info->phys) {
+ kfree(cap_info->pages);
+ kfree(cap_info);
+--
+2.43.0
+
diff --git a/queue-6.1/fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch b/queue-6.1/fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch
new file mode 100644
index 00000000000..f01d9c154b4
--- /dev/null
+++ b/queue-6.1/fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch
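Review bot: The replacement line in efi_capsule_open still spells out the element type by name, so a future change to the type of `phys` would silently reintroduce the same undersized allocation. Kernel style ties the size to the destination instead: `cap_info->phys = kzalloc(sizeof(*cap_info->phys), GFP_KERNEL);`. The compiler diagnostic quoted in the description indicates `phys` points to a `phys_addr_t`, so both spellings allocate the same size today. The rest of efi_capsule_open is outside the hunk.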
@@ -0,0 +1,95 @@ +From d758dfbc3d1a06bcf39c642135f2d81903cb1448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 12:44:11 +0100 +Subject: fbcon: always restore the old font data in fbcon_do_set_font() + +From: Jiri Slaby (SUSE) + +[ Upstream commit 00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f ] + +Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when +vc_resize() failed) started restoring old font data upon failure (of +vc_resize()). But it performs so only for user fonts. It means that the +"system"/internal fonts are not restored at all. So in result, the very +first call to fbcon_do_set_font() performs no restore at all upon +failing vc_resize(). + +This can be reproduced by Syzkaller to crash the system on the next +invocation of font_get(). It's rather hard to hit the allocation failure +in vc_resize() on the first font_set(), but not impossible. Esp. if +fault injection is used to aid the execution/failure. It was +demonstrated by Sirius: + BUG: unable to handle page fault for address: fffffffffffffff8 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP KASAN + CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 + Call Trace: + + con_font_get drivers/tty/vt/vt.c:4558 [inline] + con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 + vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] + vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 + tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 + vfs_ioctl fs/ioctl.c:51 [inline] + ... + +So restore the font data in any case, not only for user fonts. Note the +later 'if' is now protected by 'old_userfont' and not 'old_data' as the +latter is always set now. (And it is supposed to be non-NULL. 
Otherwise +we would see the bug above again.) + +Signed-off-by: Jiri Slaby (SUSE) +Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") +Reported-and-tested-by: Ubisectech Sirius +Cc: Ubisectech Sirius +Cc: Daniel Vetter +Cc: Helge Deller +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20240208114411.14604-1-jirislaby@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcon.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index fa205be94a4b8..14498a0d13e0b 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2397,11 +2397,9 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount, + struct fbcon_ops *ops = info->fbcon_par; + struct fbcon_display *p = &fb_display[vc->vc_num]; + int resize, ret, old_userfont, old_width, old_height, old_charcount; +- char *old_data = NULL; ++ u8 *old_data = vc->vc_font.data; + + resize = (w != vc->vc_font.width) || (h != vc->vc_font.height); +- if (p->userfont) +- old_data = vc->vc_font.data; + vc->vc_font.data = (void *)(p->fontdata = data); + old_userfont = p->userfont; + if ((p->userfont = userfont)) +@@ -2435,13 +2433,13 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount, + update_screen(vc); + } + +- if (old_data && (--REFCOUNT(old_data) == 0)) ++ if (old_userfont && (--REFCOUNT(old_data) == 0)) + kfree(old_data - FONT_EXTRA_WORDS * sizeof(int)); + return 0; + + err_out: + p->fontdata = old_data; +- vc->vc_font.data = (void *)old_data; ++ vc->vc_font.data = old_data; + + if (userfont) { + p->userfont = old_userfont; +-- +2.43.0 + 
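Review bot: The refcount decrement in fbcon_do_set_font is now gated on `old_userfont` while `old_data` is always non-NULL, and nothing on that line says why the guard changed, so a later cleanup could "simplify" it back to `old_data &&`. A comment would pin the reason: `/* only user fonts carry the REFCOUNT header in front of the data; built-in fonts are never freed */`. The error path now unconditionally restores `old_data` into `p->fontdata` and `vc->vc_font.data`, which is the actual fix and deserves a one-line comment of its own, e.g. `/* restore the previous font even if it was a built-in one */`. fbcon_do_set_font extends outside the hunk on both sides.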
diff --git a/queue-6.1/igb-extend-ptp-timestamp-adjustments-to-i211.patch b/queue-6.1/igb-extend-ptp-timestamp-adjustments-to-i211.patch
new file mode 100644
index 00000000000..e3fe7db5abc
--- /dev/null
+++ b/queue-6.1/igb-extend-ptp-timestamp-adjustments-to-i211.patch
@@ -0,0 +1,62 @@ +From 3da96c1187832c8656373c8500fd6ddf5d7bf246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 10:49:41 -0800 +Subject: igb: extend PTP timestamp adjustments to i211 + +From: Oleksij Rempel + +[ Upstream commit 0bb7b09392eb74b152719ae87b1ba5e4bf910ef0 ] + +The i211 requires the same PTP timestamp adjustments as the i210, +according to its datasheet. To ensure consistent timestamping across +different platforms, this change extends the existing adjustments to +include the i211. + +The adjustment result are tested and comparable for i210 and i211 based +systems. + +Fixes: 3f544d2a4d5c ("igb: adjust PTP timestamps for Tx/Rx latency") +Signed-off-by: Oleksij Rempel +Reviewed-by: Jacob Keller +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20240227184942.362710-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ptp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index 07171e574e7d7..36e62197fba0b 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -976,7 +976,7 @@ static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + + igb_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval); + /* adjust timestamp for the TX latency based on link speed */ +- if (adapter->hw.mac.type == e1000_i210) { ++ if (hw->mac.type == e1000_i210 || hw->mac.type == e1000_i211) { + switch (adapter->link_speed) { + case SPEED_10: + adjust = IGB_I210_TX_LATENCY_10; +@@ -1022,6 +1022,7 @@ int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + ktime_t *timestamp) + { + struct igb_adapter *adapter = q_vector->adapter; ++ struct e1000_hw *hw = &adapter->hw; + struct skb_shared_hwtstamps ts; + __le64 *regval = (__le64 *)va; + 
int adjust = 0; +@@ -1041,7 +1042,7 @@ int igb_ptp_rx_pktstamp(struct igb_q_vector *q_vector, void *va, + igb_ptp_systim_to_hwtstamp(adapter, &ts, le64_to_cpu(regval[1])); + + /* adjust timestamp for the RX latency based on link speed */ +- if (adapter->hw.mac.type == e1000_i210) { ++ if (hw->mac.type == e1000_i210 || hw->mac.type == e1000_i211) { + switch (adapter->link_speed) { + case SPEED_10: + adjust = IGB_I210_RX_LATENCY_10; +-- +2.43.0 + diff --git a/queue-6.1/ipv6-fix-potential-struct-net-leak-in-inet6_rtm_geta.patch b/queue-6.1/ipv6-fix-potential-struct-net-leak-in-inet6_rtm_geta.patch new file mode 100644 index 00000000000..2647f16d8e5 --- /dev/null +++ b/queue-6.1/ipv6-fix-potential-struct-net-leak-in-inet6_rtm_geta.patch 
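Review bot: The chip test `hw->mac.type == e1000_i210 || hw->mac.type == e1000_i211` is now duplicated in igb_ptp_tx_hwtstamp and igb_ptp_rx_pktstamp, so any future extension has to be made in two places. A small predicate such as `static bool igb_ptp_needs_latency_adjust(const struct e1000_hw *hw)` returning that expression, called from both `if` lines, would keep them in step. The first hunk dereferences `hw` in igb_ptp_tx_hwtstamp without adding a declaration; that is consistent with the diffstat (3 insertions: two rewritten conditions plus the new `hw` local in igb_ptp_rx_pktstamp) only if that function already has a `hw` local, which is worth confirming since it is outside the hunk. Both enclosing functions continue beyond their hunks.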
@@ -0,0 +1,45 @@
+From 7b1a6458b4af20d1bd309e9f252fb13476e15156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Feb 2024 12:17:47 +0000
+Subject: ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
+
+From: Eric Dumazet
+
+[ Upstream commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb ]
+
+It seems that if userspace provides a correct IFA_TARGET_NETNSID value
+but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()
+returns -EINVAL with an elevated "struct net" refcount.
+
+Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR")
+Signed-off-by: Eric Dumazet
+Cc: Christian Brauner
+Cc: David Ahern
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/addrconf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 46527b5cc8f0c..1648373692a99 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5473,9 +5473,10 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ }
+
+ addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer);
+- if (!addr)
+- return -EINVAL;
+-
++ if (!addr) {
++ err = -EINVAL;
++ goto errout;
++ }
+ ifm = nlmsg_data(nlh);
+ if (ifm->ifa_index)
+ dev = dev_get_by_index(tgt_net, ifm->ifa_index);
+--
+2.43.0
+
diff --git a/queue-6.1/lan78xx-enable-auto-speed-configuration-for-lan7850-.patch b/queue-6.1/lan78xx-enable-auto-speed-configuration-for-lan7850-.patch
new file mode 100644
index 00000000000..40a9cf4b9c3
--- /dev/null
+++ b/queue-6.1/lan78xx-enable-auto-speed-configuration-for-lan7850-.patch
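Review bot: The new `goto errout` in inet6_rtm_getaddr depends on the `errout` label dropping the reference taken for IFA_TARGET_NETNSID and on `err` already being a local; neither is visible in the hunk, so this is inferred from the description. The bug class is any `return` that bypasses that release, so the remaining exits between the netnsid lookup and `errout` (for instance the path after `dev_get_by_index()`) are worth checking against the same pattern. A comment on the label, `/* every exit after the netnsid lookup must come through here to release tgt_net */`, would make the invariant explicit for the next change. The function starts and ends outside the hunk.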
@@ -0,0 +1,45 @@
+From 56f3ecf369d19dd76090f52228ae4715f9115cbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Feb 2024 13:38:38 +0100
+Subject: lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is
+ detected
+
+From: Oleksij Rempel
+
+[ Upstream commit 0e67899abfbfdea0c3c0ed3fd263ffc601c5c157 ]
+
+Same as LAN7800, LAN7850 can be used without EEPROM. If EEPROM is not
+present or not flashed, LAN7850 will fail to sync the speed detected by the PHY
+with the MAC. In case link speed is 100Mbit, it will accidentally work,
+otherwise no data can be transferred.
+
+Better way would be to implement link_up callback, or set auto speed
+configuration unconditionally. But this changes would be more intrusive.
+So, for now, set it only if no EEPROM is found.
+
+Fixes: e69647a19c87 ("lan78xx: Set ASD in MAC_CR when EEE is enabled.")
+Signed-off-by: Oleksij Rempel
+Link: https://lore.kernel.org/r/20240222123839.2816561-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/lan78xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index c458c030fadf6..7b9d480e44fe4 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3035,7 +3035,8 @@ static int lan78xx_reset(struct lan78xx_net *dev)
+ if (dev->chipid == ID_REV_CHIP_ID_7801_)
+ buf &= ~MAC_CR_GMII_EN_;
+
+- if (dev->chipid == ID_REV_CHIP_ID_7800_) {
++ if (dev->chipid == ID_REV_CHIP_ID_7800_ ||
++ dev->chipid == ID_REV_CHIP_ID_7850_) {
+ ret = lan78xx_read_raw_eeprom(dev, 0, 1, &sig);
+ if (!ret && sig != EEPROM_INDICATOR) {
+ /* Implies there is no external eeprom. Set mac speed */
+--
+2.43.0
+
diff --git a/queue-6.1/mtd-spinand-gigadevice-fix-the-get-ecc-status-issue.patch b/queue-6.1/mtd-spinand-gigadevice-fix-the-get-ecc-status-issue.patch
new file mode 100644
index 00000000000..6be5253c4a9
--- /dev/null
+++ b/queue-6.1/mtd-spinand-gigadevice-fix-the-get-ecc-status-issue.patch 
@@ -0,0 +1,63 @@ +From 9bb6804dcfe0919345e3913ed734490511eaf5d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 09:07:01 -0600 +Subject: mtd: spinand: gigadevice: Fix the get ecc status issue + +From: Han Xu + +[ Upstream commit 59950610c0c00c7a06d8a75d2ee5d73dba4274cf ] + +Some GigaDevice ecc_get_status functions use on-stack buffer for +spi_mem_op causes spi_mem_check_op failing, fix the issue by using +spinand scratchbuf. + +Fixes: c40c7a990a46 ("mtd: spinand: Add support for GigaDevice GD5F1GQ4UExxG") +Signed-off-by: Han Xu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231108150701.593912-1-han.xu@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/gigadevice.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c +index 6b043e24855fb..9116ee7f023ed 100644 +--- a/drivers/mtd/nand/spi/gigadevice.c ++++ b/drivers/mtd/nand/spi/gigadevice.c +@@ -186,7 +186,7 @@ static int gd5fxgq4uexxg_ecc_get_status(struct spinand_device *spinand, + { + u8 status2; + struct spi_mem_op op = SPINAND_GET_FEATURE_OP(GD5FXGQXXEXXG_REG_STATUS2, +- &status2); ++ spinand->scratchbuf); + int ret; + + switch (status & STATUS_ECC_MASK) { +@@ -207,6 +207,7 @@ static int gd5fxgq4uexxg_ecc_get_status(struct spinand_device *spinand, + * report the maximum of 4 in this case + */ + /* bits sorted this way (3...0): ECCS1,ECCS0,ECCSE1,ECCSE0 */ ++ status2 = *(spinand->scratchbuf); + return ((status & STATUS_ECC_MASK) >> 2) | + ((status2 & STATUS_ECC_MASK) >> 4); + +@@ -228,7 +229,7 @@ static int gd5fxgq5xexxg_ecc_get_status(struct spinand_device *spinand, + { + u8 status2; + struct spi_mem_op op = SPINAND_GET_FEATURE_OP(GD5FXGQXXEXXG_REG_STATUS2, +- &status2); ++ spinand->scratchbuf); + int ret; + + switch (status & STATUS_ECC_MASK) { +@@ -248,6 +249,7 @@ static int gd5fxgq5xexxg_ecc_get_status(struct spinand_device *spinand, + * 1 ... 
4 bits are flipped (and corrected) + */ + /* bits sorted this way (1...0): ECCSE1, ECCSE0 */ ++ status2 = *(spinand->scratchbuf); + return ((status2 & STATUS_ECC_MASK) >> 4) + 1; + + case STATUS_ECC_UNCOR_ERROR: +-- +2.43.0 + diff --git a/queue-6.1/net-hsr-use-correct-offset-for-hsr-tlv-values-in-sup.patch b/queue-6.1/net-hsr-use-correct-offset-for-hsr-tlv-values-in-sup.patch new file mode 100644 index 00000000000..fd4ac41eefe --- /dev/null +++ b/queue-6.1/net-hsr-use-correct-offset-for-hsr-tlv-values-in-sup.patch 
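Review bot: `status2 = *(spinand->scratchbuf);` in both gd5fxgq4uexxg_ecc_get_status and gd5fxgq5xexxg_ecc_get_status reads the shared scratch buffer without any note that the value is only meaningful after the GET_FEATURE op has executed; the exec call itself is outside the hunk. A comment would pin the ordering, e.g. `/* scratchbuf holds STATUS2 once spi_mem_exec_op() above has returned */`, and the parentheses are redundant: `status2 = *spinand->scratchbuf;`. The `u8 status2` local is now assigned only on the bitflip path, which is fine as long as no other case reads it. Both functions extend beyond the hunk.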
@@ -0,0 +1,54 @@ +From 47e683e31b3cac783c1ed484d805a1de35005878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 09:56:44 +0100 +Subject: net: hsr: Use correct offset for HSR TLV values in supervisory HSR + frames + +From: Lukasz Majewski + +[ Upstream commit 51dd4ee0372228ffb0f7709fa7aa0678d4199d06 ] + +Current HSR implementation uses following supervisory frame (even for +HSRv1 the HSR tag is not is not present): + +00000000: 01 15 4e 00 01 2d XX YY ZZ 94 77 10 88 fb 00 01 +00000010: 7e 1c 17 06 XX YY ZZ 94 77 10 1e 06 XX YY ZZ 94 +00000020: 77 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000030: 00 00 00 00 00 00 00 00 00 00 00 00 + +The current code adds extra two bytes (i.e. sizeof(struct hsr_sup_tlv)) +when offset for skb_pull() is calculated. +This is wrong, as both 'struct hsrv1_ethhdr_sp' and 'hsrv0_ethhdr_sp' +already have 'struct hsr_sup_tag' defined in them, so there is no need +for adding extra two bytes. + +This code was working correctly as with no RedBox support, the check for +HSR_TLV_EOT (0x00) was off by two bytes, which were corresponding to +zeroed padded bytes for minimal packet size. 
+ +Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames") +Signed-off-by: Lukasz Majewski +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240228085644.3618044-1-lukma@denx.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 80cdc6f6b34c9..0323ab5023c69 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -83,7 +83,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb) + return false; + + /* Get next tlv */ +- total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tag->tlv.HSR_TLV_length; ++ total_length += hsr_sup_tag->tlv.HSR_TLV_length; + if (!pskb_may_pull(skb, total_length)) + return false; + skb_pull(skb, total_length); +-- +2.43.0 + diff --git a/queue-6.1/net-ip_tunnel-prevent-perpetual-headroom-growth.patch b/queue-6.1/net-ip_tunnel-prevent-perpetual-headroom-growth.patch new file mode 100644 index 00000000000..fde7bd561c4 --- /dev/null +++ b/queue-6.1/net-ip_tunnel-prevent-perpetual-headroom-growth.patch 
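Review bot: `hsr_sup_tag->tlv.HSR_TLV_length` on the corrected line in is_supervision_frame is taken straight from the received frame, and nothing at that line says that the `pskb_may_pull()` immediately below is what bounds it before `skb_pull()`. A comment keeps that dependency visible to future edits: `/* TLV length comes from the wire; pskb_may_pull() below validates it before we advance */`. Since this is parsing of untrusted input, the check and the increment should stay adjacent rather than being separated by later refactoring. The function starts and ends outside the hunk.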
@@ -0,0 +1,181 @@ +From c58af4ceb6a8006aba768ba084f31067aa980001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 14:56:02 +0100 +Subject: net: ip_tunnel: prevent perpetual headroom growth + +From: Florian Westphal + +[ Upstream commit 5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f ] + +syzkaller triggered following kasan splat: +BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 +Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 +[..] + kasan_report+0xda/0x110 mm/kasan/report.c:588 + __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 + skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] + ___skb_get_hash net/core/flow_dissector.c:1791 [inline] + __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 + skb_get_hash include/linux/skbuff.h:1556 [inline] + ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 + ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 + __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 + ... + ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 + ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 + .. + iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 + ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 + ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 + ... + +The splat occurs because skb->data points past skb->head allocated area. 
+This is because neigh layer does: + __skb_pull(skb, skb_network_offset(skb)); + +... but skb_network_offset() returns a negative offset and __skb_pull() +arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. + +The negative value is returned because skb->head and skb->data distance is +more than 64k and skb->network_header (u16) has wrapped around. + +The bug is in the ip_tunnel infrastructure, which can cause +dev->needed_headroom to increment ad infinitum. + +The syzkaller reproducer consists of packets getting routed via a gre +tunnel, and route of gre encapsulated packets pointing at another (ipip) +tunnel. The ipip encapsulation finds gre0 as next output device. + +This results in the following pattern: + +1). First packet is to be sent out via gre0. +Route lookup found an output device, ipip0. + +2). +ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future +output device, rt.dev->needed_headroom (ipip0). + +3). +ip output / start_xmit moves skb on to ipip0. which runs the same +code path again (xmit recursion). + +4). +Routing step for the post-gre0-encap packet finds gre0 as output device +to use for ipip0 encapsulated packet. + +tunl0->needed_headroom is then incremented based on the (already bumped) +gre0 device headroom. + +This repeats for every future packet: + +gre0->needed_headroom gets inflated because previous packets' ipip0 step +incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 +needed_headroom was increased. + +For each subsequent packet, gre/ipip0->needed_headroom grows until +post-expand-head reallocations result in a skb->head/data distance of +more than 64k. + +Once that happens, skb->network_header (u16) wraps around when +pskb_expand_head tries to make sure that skb_network_offset() is unchanged +after the headroom expansion/reallocation. + +After this skb_network_offset(skb) returns a different (and negative) +result post headroom expansion. 
+ +The next trip to neigh layer (or anything else that would __skb_pull the +network header) makes skb->data point to a memory location outside +skb->head area. + +v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to +prevent perpetual increase instead of dropping the headroom increment +completely. + +Reported-and-tested-by: syzbot+bfde3bef047a81b8fde6@syzkaller.appspotmail.com +Closes: https://groups.google.com/g/syzkaller-bugs/c/fL9G6GtWskY/m/VKk_PR5FBAAJ +Fixes: 243aad830e8a ("ip_gre: include route header_len in max_headroom calculation") +Signed-off-by: Florian Westphal +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240220135606.4939-1-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 24961b304dad0..328f9068c6a43 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -540,6 +540,20 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb, + return 0; + } + ++static void ip_tunnel_adj_headroom(struct net_device *dev, unsigned int headroom) ++{ ++ /* we must cap headroom to some upperlimit, else pskb_expand_head ++ * will overflow header offsets in skb_headers_offset_update(). 
++ */ ++ static const unsigned int max_allowed = 512; ++ ++ if (headroom > max_allowed) ++ headroom = max_allowed; ++ ++ if (headroom > READ_ONCE(dev->needed_headroom)) ++ WRITE_ONCE(dev->needed_headroom, headroom); ++} ++ + void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + u8 proto, int tunnel_hlen) + { +@@ -614,13 +628,13 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + } + + headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len; +- if (headroom > READ_ONCE(dev->needed_headroom)) +- WRITE_ONCE(dev->needed_headroom, headroom); +- +- if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { ++ if (skb_cow_head(skb, headroom)) { + ip_rt_put(rt); + goto tx_dropped; + } ++ ++ ip_tunnel_adj_headroom(dev, headroom); ++ + iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr, proto, tos, ttl, + df, !net_eq(tunnel->net, dev_net(dev))); + return; +@@ -800,16 +814,16 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + + max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr) + + rt->dst.header_len + ip_encap_hlen(&tunnel->encap); +- if (max_headroom > READ_ONCE(dev->needed_headroom)) +- WRITE_ONCE(dev->needed_headroom, max_headroom); + +- if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) { ++ if (skb_cow_head(skb, max_headroom)) { + ip_rt_put(rt); + dev->stats.tx_dropped++; + kfree_skb(skb); + return; + } + ++ ip_tunnel_adj_headroom(dev, max_headroom); ++ + iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr, protocol, tos, ttl, + df, !net_eq(tunnel->net, dev_net(dev))); + return; +-- +2.43.0 + diff --git a/queue-6.1/net-lan78xx-fix-softirq-work-is-pending-error.patch b/queue-6.1/net-lan78xx-fix-softirq-work-is-pending-error.patch new file mode 100644 index 00000000000..463aa4ca4b0 --- /dev/null +++ b/queue-6.1/net-lan78xx-fix-softirq-work-is-pending-error.patch 
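Review bot: ip_tunnel_adj_headroom caps only the value persisted in `dev->needed_headroom`, while both call sites in ip_md_tunnel_xmit and ip_tunnel_xmit now pass the uncapped `headroom`/`max_headroom` to `skb_cow_head()`, and the helper's comment does not say this split is deliberate. Extending the comment would stop someone from re-applying the cap to the skb_cow_head() argument (which would truncate the current packet) or removing it from the device value: `/* Cap only what is remembered on the device; the current skb still gets its full computed headroom. */`. The 512 limit is described as arbitrary in the message, so stating that in the same comment would help anyone who later needs to tune it. Both enclosing functions continue outside their hunks.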
@@ -0,0 +1,39 @@
+From 6f99a4e190b500d9c894c9264e3cf22578c93797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Feb 2024 12:08:20 +0100
+Subject: net: lan78xx: fix "softirq work is pending" error
+
+From: Oleksij Rempel
+
+[ Upstream commit e3d5d70cb483df8296dd44e9ae3b6355ef86494c ]
+
+Disable BH around the call to napi_schedule() to avoid following
+error:
+NOHZ tick-stop error: local softirq work is pending, handler #08!!!
+
+Fixes: ec4c7e12396b ("lan78xx: Introduce NAPI polling support")
+Signed-off-by: Oleksij Rempel
+Link: https://lore.kernel.org/r/20240226110820.2113584-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/lan78xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 7b9d480e44fe4..4fd4563811299 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1501,7 +1501,9 @@ static int lan78xx_link_reset(struct lan78xx_net *dev)
+
+ lan78xx_rx_urb_submit_all(dev);
+
++ local_bh_disable();
+ napi_schedule(&dev->napi);
++ local_bh_enable();
+ }
+
+ return 0;
+--
+2.43.0
+
diff --git a/queue-6.1/net-mctp-take-ownership-of-skb-in-mctp_local_output.patch b/queue-6.1/net-mctp-take-ownership-of-skb-in-mctp_local_output.patch
new file mode 100644
index 00000000000..c3a0fe0201f
--- /dev/null
+++ b/queue-6.1/net-mctp-take-ownership-of-skb-in-mctp_local_output.patch
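Review bot: The `local_bh_disable()`/`local_bh_enable()` pair added around `napi_schedule()` in lan78xx_link_reset has no comment, and the reason lives only in the commit message, so it will look like an accidental leftover to the next reader. As I understand it, napi_schedule() raises a softirq and this path runs in process context, so wrapping it lets local_bh_enable() run the softirq instead of leaving it pending; a one-liner records that: `/* process context: raise NET_RX inside a BH section so local_bh_enable() runs it */`. The enclosing function starts outside the hunk.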
@@ -0,0 +1,83 @@ +From c23be18277c45a8bc63b9e69e52ea37794b89a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 16:10:53 +0800 +Subject: net: mctp: take ownership of skb in mctp_local_output + +From: Jeremy Kerr + +[ Upstream commit 3773d65ae5154ed7df404b050fd7387a36ab5ef3 ] + +Currently, mctp_local_output only takes ownership of skb on success, and +we may leak an skb if mctp_local_output fails in specific states; the +skb ownership isn't transferred until the actual output routing occurs. + +Instead, make mctp_local_output free the skb on all error paths up to +the route action, so it always consumes the passed skb. + +Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") +Signed-off-by: Jeremy Kerr +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240220081053.1439104-1-jk@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/mctp.h | 1 + + net/mctp/route.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/net/mctp.h b/include/net/mctp.h +index 82800d521c3de..7ed84054f4623 100644 +--- a/include/net/mctp.h ++++ b/include/net/mctp.h +@@ -249,6 +249,7 @@ struct mctp_route { + struct mctp_route *mctp_route_lookup(struct net *net, unsigned int dnet, + mctp_eid_t daddr); + ++/* always takes ownership of skb */ + int mctp_local_output(struct sock *sk, struct mctp_route *rt, + struct sk_buff *skb, mctp_eid_t daddr, u8 req_tag); + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 256bf0b89e6ca..0144d8ebdaefb 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -888,7 +888,7 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, + dev = dev_get_by_index_rcu(sock_net(sk), cb->ifindex); + if (!dev) { + rcu_read_unlock(); +- return rc; ++ goto out_free; + } + rt->dev = __mctp_dev_get(dev); + rcu_read_unlock(); +@@ -903,7 +903,8 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, + rt->mtu = 0; + + } else { +- return 
-EINVAL; ++ rc = -EINVAL; ++ goto out_free; + } + + spin_lock_irqsave(&rt->dev->addrs_lock, flags); +@@ -966,12 +967,17 @@ int mctp_local_output(struct sock *sk, struct mctp_route *rt, + rc = mctp_do_fragment_route(rt, skb, mtu, tag); + } + ++ /* route output functions consume the skb, even on error */ ++ skb = NULL; ++ + out_release: + if (!ext_rt) + mctp_route_release(rt); + + mctp_dev_put(tmp_rt.dev); + ++out_free: ++ kfree_skb(skb); + return rc; + } + +-- +2.43.0 + diff --git a/queue-6.1/net-usb-dm9601-fix-wrong-return-value-in-dm9601_mdio.patch b/queue-6.1/net-usb-dm9601-fix-wrong-return-value-in-dm9601_mdio.patch new file mode 100644 index 00000000000..72fbd93fc10 --- /dev/null +++ b/queue-6.1/net-usb-dm9601-fix-wrong-return-value-in-dm9601_mdio.patch 
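Review bot: Making mctp_local_output consume the skb on every error path changes its contract for every caller, yet the diffstat touches only include/net/mctp.h and net/mctp/route.c; any caller that still frees the skb itself after a non-zero return would now double free. The description implies the callers never freed on failure (that is the leak being fixed), but the sendmsg path in af_mctp.c is not in this commit and is worth confirming. Inside the hunk, the early `goto out_free` at the `!dev` check relies on `rc` already holding an error from earlier in the function (it previously did `return rc`); a short comment such as `/* rc already set to an error above */` would make that dependency visible. The function starts outside the hunk.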
@@ -0,0 +1,49 @@ +From e2bf15b69ac239fe77c87b5bdb15f4c78152b6ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Feb 2024 00:20:06 +0100 +Subject: net: usb: dm9601: fix wrong return value in dm9601_mdio_read + +From: Javier Carrasco + +[ Upstream commit c68b2c9eba38ec3f60f4894b189090febf4d8d22 ] + +The MII code does not check the return value of mdio_read (among +others), and therefore no error code should be sent. A previous fix to +the use of an uninitialized variable propagates negative error codes, +that might lead to wrong operations by the MII library. + +An example of such issues is the use of mii_nway_restart by the dm9601 +driver. The mii_nway_restart function does not check the value returned +by mdio_read, which in this case might be a negative number which could +contain the exact bit the function checks (BMCR_ANENABLE = 0x1000). + +Return zero in case of error, as it is common practice in users of +mdio_read to avoid wrong uses of the return value. + +Fixes: 8f8abb863fa5 ("net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read") +Signed-off-by: Javier Carrasco +Reviewed-by: Simon Horman +Reviewed-by: Peter Korsgaard +Link: https://lore.kernel.org/r/20240225-dm9601_ret_err-v1-1-02c1d959ea59@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/dm9601.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c +index 99ec1d4a972db..8b6d6a1b3c2ec 100644 +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -232,7 +232,7 @@ static int dm9601_mdio_read(struct net_device *netdev, int phy_id, int loc) + err = dm_read_shared_word(dev, 1, loc, &res); + if (err < 0) { + netdev_err(dev->net, "MDIO read error: %d\n", err); +- return err; ++ return 0; + } + + netdev_dbg(dev->net, +-- +2.43.0 + 
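Review bot: Returning 0 from dm9601_mdio_read when `dm_read_shared_word()` fails makes a USB transfer failure indistinguishable from a genuine all-zero register read, and since the function's `int` return type invites callers to expect a negative errno, the reason deserves a comment at the `return 0;`: `/* MII helpers (e.g. mii_nway_restart) use the value without checking for errors; report 0, never a negative errno, so no error bits are misread as register flags */`. The only remaining signal is the unconditional `netdev_err()` on the line above, which will fire on every read once the device has gone away; a once-only or rate-limited variant may be worth considering, though how often the MII layer polls this path is not visible here. The enclosing function starts before the hunk, where `res` and `err` are declared.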
diff --git a/queue-6.1/net-veth-clear-gro-when-clearing-xdp-even-when-down.patch b/queue-6.1/net-veth-clear-gro-when-clearing-xdp-even-when-down.patch new file mode 100644 index 00000000000..1e87c9c24b8 --- /dev/null +++ b/queue-6.1/net-veth-clear-gro-when-clearing-xdp-even-when-down.patch 
@@ -0,0 +1,121 @@ +From f2956ea2a638b0a1b9cc18e945ef57f7c0aefedf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 15:12:10 -0800 +Subject: net: veth: clear GRO when clearing XDP even when down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski + +[ Upstream commit fe9f801355f0b47668419f30f1fac1cf4539e736 ] + +veth sets NETIF_F_GRO automatically when XDP is enabled, +because both features use the same NAPI machinery. + +The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which +is called both on ndo_stop and when XDP is turned off. +To avoid the flag from being cleared when the device is brought +down, the clearing is skipped when IFF_UP is not set. +Bringing the device down should indeed not modify its features. + +Unfortunately, this means that clearing is also skipped when +XDP is disabled _while_ the device is down. And there's nothing +on the open path to bring the device features back into sync. +IOW if user enables XDP, disables it and then brings the device +up we'll end up with a stray GRO flag set but no NAPI instances. + +We don't depend on the GRO flag on the datapath, so the datapath +won't crash. We will crash (or hang), however, next time features +are sync'ed (either by user via ethtool or peer changing its config). +The GRO flag will go away, and veth will try to disable the NAPIs. +But the open path never created them since XDP was off, the GRO flag +was a stray. If NAPI was initialized before we'll hang in napi_disable(). +If it never was we'll crash trying to stop uninitialized hrtimer. + +Move the GRO flag updates to the XDP enable / disable paths, +instead of mixing them with the ndo_open / ndo_close paths. 
+ +Fixes: d3256efd8e8b ("veth: allow enabling NAPI even without XDP") +Reported-by: Thomas Gleixner +Reported-by: syzbot+039399a9b96297ddedca@syzkaller.appspotmail.com +Signed-off-by: Jakub Kicinski +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 35 +++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 36c5a41f84e44..dea9cc8c39f7a 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -1135,14 +1135,6 @@ static int veth_enable_xdp(struct net_device *dev) + veth_disable_xdp_range(dev, 0, dev->real_num_rx_queues, true); + return err; + } +- +- if (!veth_gro_requested(dev)) { +- /* user-space did not require GRO, but adding XDP +- * is supposed to get GRO working +- */ +- dev->features |= NETIF_F_GRO; +- netdev_features_change(dev); +- } + } + } + +@@ -1162,18 +1154,9 @@ static void veth_disable_xdp(struct net_device *dev) + for (i = 0; i < dev->real_num_rx_queues; i++) + rcu_assign_pointer(priv->rq[i].xdp_prog, NULL); + +- if (!netif_running(dev) || !veth_gro_requested(dev)) { ++ if (!netif_running(dev) || !veth_gro_requested(dev)) + veth_napi_del(dev); + +- /* if user-space did not require GRO, since adding XDP +- * enabled it, clear it now +- */ +- if (!veth_gro_requested(dev) && netif_running(dev)) { +- dev->features &= ~NETIF_F_GRO; +- netdev_features_change(dev); +- } +- } +- + veth_disable_xdp_range(dev, 0, dev->real_num_rx_queues, false); + } + +@@ -1558,6 +1541,14 @@ static int veth_xdp_set(struct net_device *dev, struct bpf_prog *prog, + } + + if (!old_prog) { ++ if (!veth_gro_requested(dev)) { ++ /* user-space did not require GRO, but adding ++ * XDP is supposed to get GRO working ++ */ ++ dev->features |= NETIF_F_GRO; ++ netdev_features_change(dev); ++ } ++ + peer->hw_features &= ~NETIF_F_GSO_SOFTWARE; + peer->max_mtu = max_mtu; + } +@@ -1568,6 +1559,14 @@ static int 
veth_xdp_set(struct net_device *dev, struct bpf_prog *prog, + if (dev->flags & IFF_UP) + veth_disable_xdp(dev); + ++ /* if user-space did not require GRO, since adding XDP ++ * enabled it, clear it now ++ */ ++ if (!veth_gro_requested(dev)) { ++ dev->features &= ~NETIF_F_GRO; ++ netdev_features_change(dev); ++ } ++ + if (peer) { + peer->hw_features |= NETIF_F_GSO_SOFTWARE; + peer->max_mtu = ETH_MAX_MTU; +-- +2.43.0 + diff --git a/queue-6.1/netfilter-bridge-confirm-multicast-packets-before-pa.patch b/queue-6.1/netfilter-bridge-confirm-multicast-packets-before-pa.patch new file mode 100644 index 00000000000..93d4b5d1c33 --- /dev/null +++ b/queue-6.1/netfilter-bridge-confirm-multicast-packets-before-pa.patch 
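Review bot: The two new blocks in veth_xdp_set are mirror images (same `veth_gro_requested()` guard, opposite `NETIF_F_GRO` flip, same `netdev_features_change()`) with near-identical comments, and the bug being fixed is precisely that the enable and disable sides drifted apart once; a small static helper would keep them paired and give the why-comment a single home. The direct writes to `dev->features` bypass `netdev_update_features()`, which I assume is intentional because this runs under RTNL from ndo_bpf, but that is inferred rather than visible in the hunk. veth_xdp_set continues outside the hunk on both sides, so the `old_prog`/`prog` branch structure around the disable block is taken from context.
```c
/* XDP needs the NAPI path, so attaching the first program forces GRO on
 * when user-space did not ask for it; the flag is undone only when XDP is
 * removed, never from ndo_stop, so features survive a down/up cycle.
 */
static void veth_xdp_set_gro(struct net_device *dev, bool on)
{
	if (veth_gro_requested(dev))
		return;
	if (on)
		dev->features |= NETIF_F_GRO;
	else
		dev->features &= ~NETIF_F_GRO;
	netdev_features_change(dev);
}

/* … unchanged: veth_xdp_set up to the !old_prog block … */
	if (!old_prog) {
		veth_xdp_set_gro(dev, true);
/* … unchanged: peer hw_features/max_mtu, then the XDP-removal branch … */
		veth_xdp_set_gro(dev, false);
```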
@@ -0,0 +1,282 @@ +From c8456b9f0bd10e9409a32fe64c59c0d4771fb062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 16:17:51 +0100 +Subject: netfilter: bridge: confirm multicast packets before passing them up + the stack + +From: Florian Westphal + +[ Upstream commit 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 ] + +conntrack nf_confirm logic cannot handle cloned skbs referencing +the same nf_conn entry, which will happen for multicast (broadcast) +frames on bridges. + + Example: + macvlan0 + | + br0 + / \ + ethX ethY + + ethX (or Y) receives a L2 multicast or broadcast packet containing + an IP packet, flow is not yet in conntrack table. + + 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. + -> skb->_nfct now references a unconfirmed entry + 2. skb is broad/mcast packet. bridge now passes clones out on each bridge + interface. + 3. skb gets passed up the stack. + 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb + and schedules a work queue to send them out on the lower devices. + + The clone skb->_nfct is not a copy, it is the same entry as the + original skb. The macvlan rx handler then returns RX_HANDLER_PASS. + 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. + +The Macvlan broadcast worker and normal confirm path will race. + +This race will not happen if step 2 already confirmed a clone. In that +case later steps perform skb_clone() with skb->_nfct already confirmed (in +hash table). This works fine. + +But such confirmation won't happen when eb/ip/nftables rules dropped the +packets before they reached the nf_confirm step in postrouting. + +Pablo points out that nf_conntrack_bridge doesn't allow use of stateful +nat, so we can safely discard the nf_conn entry and let inet call +conntrack again. + +This doesn't work for bridge netfilter: skb could have a nat +transformation. Also bridge nf prevents re-invocation of inet prerouting +via 'sabotage_in' hook. 
+ +Work around this problem by explicit confirmation of the entry at LOCAL_IN +time, before upper layer has a chance to clone the unconfirmed entry. + +The downside is that this disables NAT and conntrack helpers. + +Alternative fix would be to add locking to all code parts that deal with +unconfirmed packets, but even if that could be done in a sane way this +opens up other problems, for example: + +-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4 +-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5 + +For multicast case, only one of such conflicting mappings will be +created, conntrack only handles 1:1 NAT mappings. + +Users should set create a setup that explicitly marks such traffic +NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass +them, ruleset might have accept rules for untracked traffic already, +so user-visible behaviour would change. + +Suggested-by: Pablo Neira Ayuso +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217777 +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/linux/netfilter.h | 1 + + net/bridge/br_netfilter_hooks.c | 96 ++++++++++++++++++++++ + net/bridge/netfilter/nf_conntrack_bridge.c | 30 +++++++ + net/netfilter/nf_conntrack_core.c | 1 + + 4 files changed, 128 insertions(+) + +diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h +index c8e03bcaecaaa..e5f4b6f8d1c09 100644 +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -462,6 +462,7 @@ struct nf_ct_hook { + const struct sk_buff *); + void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb); + void (*set_closing)(struct nf_conntrack *nfct); ++ int (*confirm)(struct sk_buff *skb); + }; + extern const struct nf_ct_hook __rcu *nf_ct_hook; + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 202ad43e35d6b..bff48d5763635 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ 
b/net/bridge/br_netfilter_hooks.c +@@ -43,6 +43,10 @@ + #include + #endif + ++#if IS_ENABLED(CONFIG_NF_CONNTRACK) ++#include ++#endif ++ + static unsigned int brnf_net_id __read_mostly; + + struct brnf_net { +@@ -553,6 +557,90 @@ static unsigned int br_nf_pre_routing(void *priv, + return NF_STOLEN; + } + ++#if IS_ENABLED(CONFIG_NF_CONNTRACK) ++/* conntracks' nf_confirm logic cannot handle cloned skbs referencing ++ * the same nf_conn entry, which will happen for multicast (broadcast) ++ * Frames on bridges. ++ * ++ * Example: ++ * macvlan0 ++ * br0 ++ * ethX ethY ++ * ++ * ethX (or Y) receives multicast or broadcast packet containing ++ * an IP packet, not yet in conntrack table. ++ * ++ * 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. ++ * -> skb->_nfct now references a unconfirmed entry ++ * 2. skb is broad/mcast packet. bridge now passes clones out on each bridge ++ * interface. ++ * 3. skb gets passed up the stack. ++ * 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb ++ * and schedules a work queue to send them out on the lower devices. ++ * ++ * The clone skb->_nfct is not a copy, it is the same entry as the ++ * original skb. The macvlan rx handler then returns RX_HANDLER_PASS. ++ * 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. ++ * ++ * The Macvlan broadcast worker and normal confirm path will race. ++ * ++ * This race will not happen if step 2 already confirmed a clone. In that ++ * case later steps perform skb_clone() with skb->_nfct already confirmed (in ++ * hash table). This works fine. ++ * ++ * But such confirmation won't happen when eb/ip/nftables rules dropped the ++ * packets before they reached the nf_confirm step in postrouting. ++ * ++ * Work around this problem by explicit confirmation of the entry at ++ * LOCAL_IN time, before upper layer has a chance to clone the unconfirmed ++ * entry. 
++ * ++ */ ++static unsigned int br_nf_local_in(void *priv, ++ struct sk_buff *skb, ++ const struct nf_hook_state *state) ++{ ++ struct nf_conntrack *nfct = skb_nfct(skb); ++ const struct nf_ct_hook *ct_hook; ++ struct nf_conn *ct; ++ int ret; ++ ++ if (!nfct || skb->pkt_type == PACKET_HOST) ++ return NF_ACCEPT; ++ ++ ct = container_of(nfct, struct nf_conn, ct_general); ++ if (likely(nf_ct_is_confirmed(ct))) ++ return NF_ACCEPT; ++ ++ WARN_ON_ONCE(skb_shared(skb)); ++ WARN_ON_ONCE(refcount_read(&nfct->use) != 1); ++ ++ /* We can't call nf_confirm here, it would create a dependency ++ * on nf_conntrack module. ++ */ ++ ct_hook = rcu_dereference(nf_ct_hook); ++ if (!ct_hook) { ++ skb->_nfct = 0ul; ++ nf_conntrack_put(nfct); ++ return NF_ACCEPT; ++ } ++ ++ nf_bridge_pull_encap_header(skb); ++ ret = ct_hook->confirm(skb); ++ switch (ret & NF_VERDICT_MASK) { ++ case NF_STOLEN: ++ return NF_STOLEN; ++ default: ++ nf_bridge_push_encap_header(skb); ++ break; ++ } ++ ++ ct = container_of(nfct, struct nf_conn, ct_general); ++ WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); ++ ++ return ret; ++} ++#endif + + /* PF_BRIDGE/FORWARD *************************************************/ + static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) +@@ -962,6 +1050,14 @@ static const struct nf_hook_ops br_nf_ops[] = { + .hooknum = NF_BR_PRE_ROUTING, + .priority = NF_BR_PRI_BRNF, + }, ++#if IS_ENABLED(CONFIG_NF_CONNTRACK) ++ { ++ .hook = br_nf_local_in, ++ .pf = NFPROTO_BRIDGE, ++ .hooknum = NF_BR_LOCAL_IN, ++ .priority = NF_BR_PRI_LAST, ++ }, ++#endif + { + .hook = br_nf_forward_ip, + .pf = NFPROTO_BRIDGE, +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index 06d94b2c6b5de..c7c27ada67044 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -291,6 +291,30 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb, + return nf_conntrack_in(skb, 
&bridge_state); + } + ++static unsigned int nf_ct_bridge_in(void *priv, struct sk_buff *skb, ++ const struct nf_hook_state *state) ++{ ++ enum ip_conntrack_info ctinfo; ++ struct nf_conn *ct; ++ ++ if (skb->pkt_type == PACKET_HOST) ++ return NF_ACCEPT; ++ ++ /* nf_conntrack_confirm() cannot handle concurrent clones, ++ * this happens for broad/multicast frames with e.g. macvlan on top ++ * of the bridge device. ++ */ ++ ct = nf_ct_get(skb, &ctinfo); ++ if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) ++ return NF_ACCEPT; ++ ++ /* let inet prerouting call conntrack again */ ++ skb->_nfct = 0; ++ nf_ct_put(ct); ++ ++ return NF_ACCEPT; ++} ++ + static void nf_ct_bridge_frag_save(struct sk_buff *skb, + struct nf_bridge_frag_data *data) + { +@@ -415,6 +439,12 @@ static struct nf_hook_ops nf_ct_bridge_hook_ops[] __read_mostly = { + .hooknum = NF_BR_PRE_ROUTING, + .priority = NF_IP_PRI_CONNTRACK, + }, ++ { ++ .hook = nf_ct_bridge_in, ++ .pf = NFPROTO_BRIDGE, ++ .hooknum = NF_BR_LOCAL_IN, ++ .priority = NF_IP_PRI_CONNTRACK_CONFIRM, ++ }, + { + .hook = nf_ct_bridge_post, + .pf = NFPROTO_BRIDGE, +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 6d30c64a5fe86..024f93fc8c0bb 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2789,6 +2789,7 @@ static const struct nf_ct_hook nf_conntrack_hook = { + .get_tuple_skb = nf_conntrack_get_tuple_skb, + .attach = nf_conntrack_attach, + .set_closing = nf_conntrack_set_closing, ++ .confirm = __nf_conntrack_confirm, + }; + + void nf_conntrack_init_end(void) +-- +2.43.0 + diff --git a/queue-6.1/netfilter-let-reset-rules-clean-out-conntrack-entrie.patch b/queue-6.1/netfilter-let-reset-rules-clean-out-conntrack-entrie.patch new file mode 100644 index 00000000000..9edfa4db0f0 --- /dev/null +++ b/queue-6.1/netfilter-let-reset-rules-clean-out-conntrack-entrie.patch 
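Review bot: In br_nf_local_in the `WARN_ON_ONCE(!nf_ct_is_confirmed(ct))` after the `switch` runs for every non-stolen verdict, including an NF_DROP returned by `ct_hook->confirm()`; if `__nf_conntrack_confirm()` can fail and leave the entry unconfirmed (as I believe it does on insert/clash failure in the conntrack core, outside this hunk), the warning would fire on a legitimate drop rather than a bug, so I would gate it: `if ((ret & NF_VERDICT_MASK) == NF_ACCEPT) WARN_ON_ONCE(!nf_ct_is_confirmed(ct));`. The second `ct = container_of(nfct, struct nf_conn, ct_general);` recomputes a value `ct` already holds from the first call and can be dropped. The long comment above the hook explains the race but not the cost the commit message states, namely that confirming at LOCAL_IN disables NAT and conntrack helpers for this traffic; an operator debugging a bridge ruleset will look for that in the source, so one line such as `* Confirming here means NAT and helpers cannot act on bridged multicast/broadcast. */` belongs at the end of that comment.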
@@ -0,0 +1,229 @@ +From 79ab6f26aa4e6c7691a498605d78f3e7f5c8cfc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 14:45:22 +0100 +Subject: netfilter: let reset rules clean out conntrack entries + +From: Florian Westphal + +[ Upstream commit 2954fe60e33da0f4de4d81a4c95c7dddb517d00c ] + +iptables/nftables support responding to tcp packets with tcp resets. + +The generated tcp reset packet passes through both output and postrouting +netfilter hooks, but conntrack will never see them because the generated +skb has its ->nfct pointer copied over from the packet that triggered the +reset rule. + +If the reset rule is used for established connections, this +may result in the conntrack entry to be around for a very long +time (default timeout is 5 days). + +One way to avoid this would be to not copy the nf_conn pointer +so that the rest packet passes through conntrack too. + +Problem is that output rules might not have the same conntrack +zone setup as the prerouting ones, so its possible that the +reset skb won't find the correct entry. Generating a template +entry for the skb seems error prone as well. + +Add an explicit "closing" function that switches a confirmed +conntrack entry to closed state and wire this up for tcp. + +If the entry isn't confirmed, no action is needed because +the conntrack entry will never be committed to the table. 
+ +Reported-by: Russel King +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack") +Signed-off-by: Sasha Levin +--- + include/linux/netfilter.h | 3 +++ + include/net/netfilter/nf_conntrack.h | 8 ++++++ + net/ipv4/netfilter/nf_reject_ipv4.c | 1 + + net/ipv6/netfilter/nf_reject_ipv6.c | 1 + + net/netfilter/core.c | 16 ++++++++++++ + net/netfilter/nf_conntrack_core.c | 12 +++++++++ + net/netfilter/nf_conntrack_proto_tcp.c | 35 ++++++++++++++++++++++++++ + 7 files changed, 76 insertions(+) + +diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h +index bef8db9d6c085..c8e03bcaecaaa 100644 +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -437,11 +437,13 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) + #include + + void nf_ct_attach(struct sk_buff *, const struct sk_buff *); ++void nf_ct_set_closing(struct nf_conntrack *nfct); + struct nf_conntrack_tuple; + bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, + const struct sk_buff *skb); + #else + static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} ++static inline void nf_ct_set_closing(struct nf_conntrack *nfct) {} + struct nf_conntrack_tuple; + static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, + const struct sk_buff *skb) +@@ -459,6 +461,7 @@ struct nf_ct_hook { + bool (*get_tuple_skb)(struct nf_conntrack_tuple *, + const struct sk_buff *); + void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb); ++ void (*set_closing)(struct nf_conntrack *nfct); + }; + extern const struct nf_ct_hook __rcu *nf_ct_hook; + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 6a2019aaa4644..3dbf947285be2 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -125,6 +125,12 @@ struct nf_conn { + 
union nf_conntrack_proto proto; + }; + ++static inline struct nf_conn * ++nf_ct_to_nf_conn(const struct nf_conntrack *nfct) ++{ ++ return container_of(nfct, struct nf_conn, ct_general); ++} ++ + static inline struct nf_conn * + nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) + { +@@ -175,6 +181,8 @@ nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo) + + void nf_ct_destroy(struct nf_conntrack *nfct); + ++void nf_conntrack_tcp_set_closing(struct nf_conn *ct); ++ + /* decrement reference count on a conntrack */ + static inline void nf_ct_put(struct nf_conn *ct) + { +diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c +index 4073762996e22..fc761915c5f6f 100644 +--- a/net/ipv4/netfilter/nf_reject_ipv4.c ++++ b/net/ipv4/netfilter/nf_reject_ipv4.c +@@ -279,6 +279,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb, + goto free_nskb; + + nf_ct_attach(nskb, oldskb); ++ nf_ct_set_closing(skb_nfct(oldskb)); + + #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) + /* If we use ip_local_out for bridged traffic, the MAC source on +diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c +index 433d98bbe33f7..71d692728230e 100644 +--- a/net/ipv6/netfilter/nf_reject_ipv6.c ++++ b/net/ipv6/netfilter/nf_reject_ipv6.c +@@ -344,6 +344,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb, + nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen); + + nf_ct_attach(nskb, oldskb); ++ nf_ct_set_closing(skb_nfct(oldskb)); + + #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) + /* If we use ip6_local_out for bridged traffic, the MAC source on +diff --git a/net/netfilter/core.c b/net/netfilter/core.c +index 55a7f72d547cd..edf92074221e2 100644 +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -707,6 +707,22 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct) + } + EXPORT_SYMBOL(nf_conntrack_destroy); + ++void nf_ct_set_closing(struct 
nf_conntrack *nfct) ++{ ++ const struct nf_ct_hook *ct_hook; ++ ++ if (!nfct) ++ return; ++ ++ rcu_read_lock(); ++ ct_hook = rcu_dereference(nf_ct_hook); ++ if (ct_hook) ++ ct_hook->set_closing(nfct); ++ ++ rcu_read_unlock(); ++} ++EXPORT_SYMBOL_GPL(nf_ct_set_closing); ++ + bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, + const struct sk_buff *skb) + { +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 7960262966094..6d30c64a5fe86 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2772,11 +2772,23 @@ int nf_conntrack_init_start(void) + return ret; + } + ++static void nf_conntrack_set_closing(struct nf_conntrack *nfct) ++{ ++ struct nf_conn *ct = nf_ct_to_nf_conn(nfct); ++ ++ switch (nf_ct_protonum(ct)) { ++ case IPPROTO_TCP: ++ nf_conntrack_tcp_set_closing(ct); ++ break; ++ } ++} ++ + static const struct nf_ct_hook nf_conntrack_hook = { + .update = nf_conntrack_update, + .destroy = nf_ct_destroy, + .get_tuple_skb = nf_conntrack_get_tuple_skb, + .attach = nf_conntrack_attach, ++ .set_closing = nf_conntrack_set_closing, + }; + + void nf_conntrack_init_end(void) +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index e0092bf273fd0..9480e638e5d15 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -913,6 +913,41 @@ static bool tcp_can_early_drop(const struct nf_conn *ct) + return false; + } + ++void nf_conntrack_tcp_set_closing(struct nf_conn *ct) ++{ ++ enum tcp_conntrack old_state; ++ const unsigned int *timeouts; ++ u32 timeout; ++ ++ if (!nf_ct_is_confirmed(ct)) ++ return; ++ ++ spin_lock_bh(&ct->lock); ++ old_state = ct->proto.tcp.state; ++ ct->proto.tcp.state = TCP_CONNTRACK_CLOSE; ++ ++ if (old_state == TCP_CONNTRACK_CLOSE || ++ test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) { ++ spin_unlock_bh(&ct->lock); ++ return; ++ } ++ ++ timeouts = nf_ct_timeout_lookup(ct); ++ if 
(!timeouts) { ++ const struct nf_tcp_net *tn; ++ ++ tn = nf_tcp_pernet(nf_ct_net(ct)); ++ timeouts = tn->timeouts; ++ } ++ ++ timeout = timeouts[TCP_CONNTRACK_CLOSE]; ++ WRITE_ONCE(ct->timeout, timeout + nfct_time_stamp); ++ ++ spin_unlock_bh(&ct->lock); ++ ++ nf_conntrack_event_cache(IPCT_PROTOINFO, ct); ++} ++ + static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state) + { + state->td_end = 0; +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-allow-nfproto_inet-in-nft_-match.patch b/queue-6.1/netfilter-nf_tables-allow-nfproto_inet-in-nft_-match.patch new file mode 100644 index 00000000000..dfa7bea1456 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-allow-nfproto_inet-in-nft_-match.patch 
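Review bot: nf_conntrack_tcp_set_closing writes `ct->proto.tcp.state = TCP_CONNTRACK_CLOSE` before the combined early return, so for an entry with `IPS_FIXED_TIMEOUT_BIT` set the state does change but the `nf_conntrack_event_cache(IPCT_PROTOINFO, ct)` at the end is skipped and ctnetlink listeners never see the transition. Only the `old_state == TCP_CONNTRACK_CLOSE` case is a true no-op; the fixed-timeout case should keep its expiry but still report the state change, which as far as I recall is how nf_conntrack_tcp_packet treats such entries. I would split the two conditions as below so the event is cached whenever the state actually moved.
```c
	/* … unchanged: lock, save old_state, set TCP_CONNTRACK_CLOSE … */
	if (old_state == TCP_CONNTRACK_CLOSE) {
		spin_unlock_bh(&ct->lock);
		return;
	}

	/* A fixed timeout keeps its expiry, but the state still changed. */
	if (!test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
		/* … unchanged: nf_ct_timeout_lookup() / per-net fallback … */
		timeout = timeouts[TCP_CONNTRACK_CLOSE];
		WRITE_ONCE(ct->timeout, timeout + nfct_time_stamp);
	}
	/* … unchanged: unlock, then nf_conntrack_event_cache(IPCT_PROTOINFO, ct) … */
```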
@@ -0,0 +1,108 @@ +From 79af929dfb9c790db030a161adb4a0661133aba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 10:33:08 +0000 +Subject: netfilter: nf_tables: allow NFPROTO_INET in + nft_(match/target)_validate() + +From: Ignat Korchagin + +[ Upstream commit 7e0f122c65912740327e4c54472acaa5f85868cb ] + +Commit d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") added +some validation of NFPROTO_* families in the nft_compat module, but it broke +the ability to use legacy iptables modules in dual-stack nftables. + +While with legacy iptables one had to independently manage IPv4 and IPv6 +tables, with nftables it is possible to have dual-stack tables sharing the +rules. Moreover, it was possible to use rules based on legacy iptables +match/target modules in dual-stack nftables. + +As an example, the program from [2] creates an INET dual-stack family table +using an xt_bpf based rule, which looks like the following (the actual output +was generated with a patched nft tool as the current nft tool does not parse +dual stack tables with legacy match rules, so consider it for illustrative +purposes only): + +table inet testfw { + chain input { + type filter hook prerouting priority filter; policy accept; + bytecode counter packets 0 bytes 0 accept + } +} + +After d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") we get +EOPNOTSUPP for the above program. + +Fix this by allowing NFPROTO_INET for nft_(match/target)_validate(), but also +restrict the functions to classic iptables hooks. 
+ +Changes in v3: + * clarify that upstream nft will not display such configuration properly and + that the output was generated with a patched nft tool + * remove example program from commit description and link to it instead + * no code changes otherwise + +Changes in v2: + * restrict nft_(match/target)_validate() to classic iptables hooks + * rewrite example program to use unmodified libnftnl + +Fixes: d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") +Link: https://lore.kernel.org/all/Zc1PfoWN38UuFJRI@calendula/T/#mc947262582c90fec044c7a3398cc92fac7afea72 [1] +Link: https://lore.kernel.org/all/20240220145509.53357-1-ignat@cloudflare.com/ [2] +Reported-by: Jordan Griege +Signed-off-by: Ignat Korchagin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_compat.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index e1623fbf36548..e4b8c02c5e6ae 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -358,10 +358,20 @@ static int nft_target_validate(const struct nft_ctx *ctx, + + if (ctx->family != NFPROTO_IPV4 && + ctx->family != NFPROTO_IPV6 && ++ ctx->family != NFPROTO_INET && + ctx->family != NFPROTO_BRIDGE && + ctx->family != NFPROTO_ARP) + return -EOPNOTSUPP; + ++ ret = nft_chain_validate_hooks(ctx->chain, ++ (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_FORWARD) | ++ (1 << NF_INET_LOCAL_OUT) | ++ (1 << NF_INET_POST_ROUTING)); ++ if (ret) ++ return ret; ++ + if (nft_is_base_chain(ctx->chain)) { + const struct nft_base_chain *basechain = + nft_base_chain(ctx->chain); +@@ -607,10 +617,20 @@ static int nft_match_validate(const struct nft_ctx *ctx, + + if (ctx->family != NFPROTO_IPV4 && + ctx->family != NFPROTO_IPV6 && ++ ctx->family != NFPROTO_INET && + ctx->family != NFPROTO_BRIDGE && + ctx->family != NFPROTO_ARP) + return -EOPNOTSUPP; + ++ ret = 
nft_chain_validate_hooks(ctx->chain, ++ (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_FORWARD) | ++ (1 << NF_INET_LOCAL_OUT) | ++ (1 << NF_INET_POST_ROUTING)); ++ if (ret) ++ return ret; ++ + if (nft_is_base_chain(ctx->chain)) { + const struct nft_base_chain *basechain = + nft_base_chain(ctx->chain); +-- +2.43.0 + diff --git a/queue-6.1/netlink-add-nla-be16-32-types-to-minlen-array.patch b/queue-6.1/netlink-add-nla-be16-32-types-to-minlen-array.patch new file mode 100644 index 00000000000..35375a81ee5 --- /dev/null +++ b/queue-6.1/netlink-add-nla-be16-32-types-to-minlen-array.patch 
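Review bot: The new `nft_chain_validate_hooks()` mask in nft_target_validate and nft_match_validate is spelled with NF_INET_* hook numbers but is applied to every family the check above admits, including NFPROTO_BRIDGE and NFPROTO_ARP; that presumably relies on the NF_BR_*/NF_ARP_* hook values coinciding with NF_INET_* 0–4, and nothing in the code says so. The mask is also written out twice, so a future hook addition must be made in two places; I would hoist it into one `#define NFT_COMPAT_HOOK_MASK` (or a `static const unsigned int`) shared by both functions, with a comment such as `/* classic iptables hooks only: excludes NF_INET_INGRESS; NF_BR_* and NF_ARP_* hook numbers coincide with these values */`. Whether every base chain type reachable through nft_compat uses these numbers is not visible here, so confirm against the chain type tables before the comment asserts it.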
@@ -0,0 +1,65 @@ +From bebaa730c9976266b96e2ca4b094d68c6e271cdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 18:27:33 +0100 +Subject: netlink: add nla be16/32 types to minlen array + +From: Florian Westphal + +[ Upstream commit 9a0d18853c280f6a0ee99f91619f2442a17a323a ] + +BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline] +BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline] +BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline] +BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 + nla_validate_range_unsigned lib/nlattr.c:222 [inline] + nla_validate_int_range lib/nlattr.c:336 [inline] + validate_nla lib/nlattr.c:575 [inline] +... + +The message in question matches this policy: + + [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255), + +but because NLA_BE32 size in minlen array is 0, the validation +code will read past the malformed (too small) attribute. + +Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing: +those likely should be added too. 
+ +Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com +Reported-by: xingwei lee +Closes: https://lore.kernel.org/all/CABOYnLzFYHSnvTyS6zGa-udNX55+izqkOt2sB9WDqUcEGW6n8w@mail.gmail.com/raw +Fixes: ecaf75ffd5f5 ("netlink: introduce bigendian integer types") +Signed-off-by: Florian Westphal +Link: https://lore.kernel.org/r/20240221172740.5092-1-fw@strlen.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + lib/nlattr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/nlattr.c b/lib/nlattr.c +index dffd60e4065fd..86344df0ccf7b 100644 +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -30,6 +30,8 @@ static const u8 nla_attr_len[NLA_TYPE_MAX+1] = { + [NLA_S16] = sizeof(s16), + [NLA_S32] = sizeof(s32), + [NLA_S64] = sizeof(s64), ++ [NLA_BE16] = sizeof(__be16), ++ [NLA_BE32] = sizeof(__be32), + }; + + static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = { +@@ -43,6 +45,8 @@ static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = { + [NLA_S16] = sizeof(s16), + [NLA_S32] = sizeof(s32), + [NLA_S64] = sizeof(s64), ++ [NLA_BE16] = sizeof(__be16), ++ [NLA_BE32] = sizeof(__be32), + }; + + /* +-- +2.43.0 + diff --git a/queue-6.1/netlink-fix-kernel-infoleak-after-free-in-__skb_data.patch b/queue-6.1/netlink-fix-kernel-infoleak-after-free-in-__skb_data.patch new file mode 100644 index 00000000000..eb7c31451ab --- /dev/null +++ b/queue-6.1/netlink-fix-kernel-infoleak-after-free-in-__skb_data.patch 
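Review bot: Both tables in lib/nlattr.c are indexed by `NLA_TYPE_MAX+1` with nothing that enforces an entry per type, which is exactly how `NLA_BE16`/`NLA_BE32` ended up with a minlen of 0 and let `nla_validate_range_unsigned()` read past a too-short attribute; the commit message itself lists BITFIELD32, SINT and UINT as being in the same position. A zero entry legitimately means "variable length" for blob-like types, so a table-wide `BUILD_BUG_ON` is not an option, but a comment at the head of each table would at least make the contract explicit: `/* 0 means variable-length; every fixed-size NLA_* type MUST be listed here, or range validation reads beyond the attribute */`. Whether the other types named in the message are covered by explicit length checks in `validate_nla()` is not visible in this hunk and should be confirmed for the 6.1 tree, which I believe predates NLA_SINT/NLA_UINT.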
@@ -0,0 +1,134 @@ +From a59c0a08906175afae5ad6bb255b8df76b2332b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 16:40:48 +0900 +Subject: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter + +From: Ryosuke Yasuoka + +[ Upstream commit 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd ] + +syzbot reported the following uninit-value access issue [1]: + +netlink_to_full_skb() creates a new `skb` and puts the `skb->data` +passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data +size is specified as `len` and passed to skb_put_data(). This `len` +is based on `skb->end` that is not data offset but buffer offset. The +`skb->end` contains data and tailroom. Since the tailroom is not +initialized when the new `skb` created, KMSAN detects uninitialized +memory area when copying the data. + +This patch resolved this issue by correct the len from `skb->end` to +`skb->len`, which is the actual data offset. + +BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] +BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] +BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] +BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] +BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + copy_to_user_iter lib/iov_iter.c:24 [inline] + iterate_ubuf include/linux/iov_iter.h:29 [inline] + iterate_and_advance2 include/linux/iov_iter.h:245 [inline] + iterate_and_advance include/linux/iov_iter.h:271 [inline] + _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 + copy_to_iter include/linux/uio.h:197 [inline] + simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 + 
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 + skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 + skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] + packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 + sock_recvmsg_nosec net/socket.c:1044 [inline] + sock_recvmsg net/socket.c:1066 [inline] + sock_read_iter+0x467/0x580 net/socket.c:1136 + call_read_iter include/linux/fs.h:2014 [inline] + new_sync_read fs/read_write.c:389 [inline] + vfs_read+0x8f6/0xe00 fs/read_write.c:470 + ksys_read+0x20f/0x4c0 fs/read_write.c:613 + __do_sys_read fs/read_write.c:623 [inline] + __se_sys_read fs/read_write.c:621 [inline] + __x64_sys_read+0x93/0xd0 fs/read_write.c:621 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was stored to memory at: + skb_put_data include/linux/skbuff.h:2622 [inline] + netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] + __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] + __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 + netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] + netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + 
free_pages_prepare mm/page_alloc.c:1087 [inline] + free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 + free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 + release_pages+0x23d3/0x2410 mm/swap.c:1042 + free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 + tlb_batch_pages_flush mm/mmu_gather.c:98 [inline] + tlb_flush_mmu_free mm/mmu_gather.c:293 [inline] + tlb_flush_mmu+0x6f5/0x980 mm/mmu_gather.c:300 + tlb_finish_mmu+0x101/0x260 mm/mmu_gather.c:392 + exit_mmap+0x49e/0xd30 mm/mmap.c:3321 + __mmput+0x13f/0x530 kernel/fork.c:1349 + mmput+0x8a/0xa0 kernel/fork.c:1371 + exit_mm+0x1b8/0x360 kernel/exit.c:567 + do_exit+0xd57/0x4080 kernel/exit.c:858 + do_group_exit+0x2fd/0x390 kernel/exit.c:1021 + __do_sys_exit_group kernel/exit.c:1032 [inline] + __se_sys_exit_group kernel/exit.c:1030 [inline] + __x64_sys_exit_group+0x3c/0x50 kernel/exit.c:1030 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Bytes 3852-3903 of 3904 are uninitialized +Memory access of size 3904 starts at ffff88812ea1e000 +Data copied to user address 0000000020003280 + +CPU: 1 PID: 5043 Comm: syz-executor297 Not tainted 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 + +Fixes: 1853c9496460 ("netlink, mmap: transform mmap skb into full skb on taps") +Reported-and-tested-by: syzbot+34ad5fab48f7bf510349@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=34ad5fab48f7bf510349 [1] +Signed-off-by: Ryosuke Yasuoka +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240221074053.1794118-1-ryasuoka@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 6857a4965fe87..e9b81cba1e2b4 100644 +--- 
a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -167,7 +167,7 @@ static inline u32 netlink_group_mask(u32 group) + static struct sk_buff *netlink_to_full_skb(const struct sk_buff *skb, + gfp_t gfp_mask) + { +- unsigned int len = skb_end_offset(skb); ++ unsigned int len = skb->len; + struct sk_buff *new; + + new = alloc_skb(len, gfp_mask); +-- +2.43.0 + diff --git a/queue-6.1/of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch b/queue-6.1/of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch new file mode 100644 index 00000000000..61aecfb024e --- /dev/null +++ b/queue-6.1/of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch 
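Review bot: `unsigned int len = skb->len;` is the right bound for the payload that the commit message says is copied with skb_put_data(new, skb->data, len), but that copy is only correct while the source skb is linear: skb->len also counts paged/frag data, and for a nonlinear skb copying skb->len bytes from skb->data would over-read the linear buffer just as skb_end_offset() over-read into uninitialised tailroom. If netlink skbs reaching this tap path are guaranteed linear, a comment should say so; otherwise skb_headlen(skb) is the bound that matches a linear copy. Suggested comment on the changed line: `/* Copy only the payload: skb_end_offset() includes uninitialised tailroom, which leaked to taps. */`. The rest of netlink_to_full_skb, including the skb_put_data call, is outside the hunk.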
@@ -0,0 +1,44 @@
+From d7042ff780e9c53589ac59d1a67bd39ae9a0d2ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Feb 2024 21:24:35 -0800
+Subject: of: property: fw_devlink: Fix stupid bug in remote-endpoint parsing
+
+From: Saravana Kannan
+
+[ Upstream commit 7cb50f6c9fbaa1c0b80100b8971bf13db5d75d06 ]
+
+Introduced a stupid bug in commit 782bfd03c3ae ("of: property: Improve
+finding the supplier of a remote-endpoint property") due to a last minute
+incorrect edit of "index !=0" into "!index". This patch fixes it to be
+"index > 0" to match the comment right next to it.
+
+Reported-by: Luca Ceresoli
+Link: https://lore.kernel.org/lkml/20240223171849.10f9901d@booty/
+Fixes: 782bfd03c3ae ("of: property: Improve finding the supplier of a remote-endpoint property")
+Signed-off-by: Saravana Kannan
+Reviewed-by: Herve Codina
+Reviewed-by: Luca Ceresoli
+Tested-by: Luca Ceresoli
+Link: https://lore.kernel.org/r/20240224052436.3552333-1-saravanak@google.com
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/property.c b/drivers/of/property.c
+index 33d5f16c81204..da5d712197704 100644
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -1332,7 +1332,7 @@ static struct device_node *parse_remote_endpoint(struct device_node *np,
+ int index)
+ {
+ /* Return NULL for index > 0 to signify end of remote-endpoints. */
+- if (!index || strcmp(prop_name, "remote-endpoint"))
++ if (index > 0 || strcmp(prop_name, "remote-endpoint"))
+ return NULL;
+
+ return of_graph_get_remote_port_parent(np);
+--
+2.43.0
+
diff --git a/queue-6.1/power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch b/queue-6.1/power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch
new file mode 100644
index 00000000000..ab77e960bb3
--- /dev/null
+++ b/queue-6.1/power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch
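Review bot: `index > 0` is only equivalent to the `index != 0` the commit message says was intended if `index` is never negative; the parameter is an `int` (the `int index)` continuation is visible in the hunk), and no caller is visible here, so that assumption should be stated next to the test. For a stable backport there is also a coherence check: this guard only makes sense if the regressing commit 782bfd03c3ae named in Fixes: is already in queue-6.1, which the series hunk further down does not show, so it is worth confirming before applying. Suggested comment extending the existing one: `/* Only index 0 returns a node; remote-endpoint is walked as a single entry. */`.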
@@ -0,0 +1,51 @@
+From d21a42adc199ade5aaa81bf1409387d53091bf86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Feb 2024 16:51:33 +0100
+Subject: power: supply: bq27xxx-i2c: Do not free non existing IRQ
+
+From: Hans de Goede
+
+[ Upstream commit 2df70149e73e79783bcbc7db4fa51ecef0e2022c ]
+
+The bq27xxx i2c-client may not have an IRQ, in which case
+client->irq will be 0. bq27xxx_battery_i2c_probe() already has
+an if (client->irq) check wrapping the request_threaded_irq().
+
+But bq27xxx_battery_i2c_remove() unconditionally calls
+free_irq(client->irq) leading to:
+
+[ 190.310742] ------------[ cut here ]------------
+[ 190.310843] Trying to free already-free IRQ 0
+[ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310
+
+Followed by a backtrace when unbinding the driver. Add
+an if (client->irq) to bq27xxx_battery_i2c_remove() mirroring
+probe() to fix this.
+
+Fixes: 444ff00734f3 ("power: supply: bq27xxx: Fix I2C IRQ race on remove")
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20240215155133.70537-1-hdegoede@redhat.com
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c
+index 0713a52a25107..17b37354e32c0 100644
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -209,7 +209,9 @@ static void bq27xxx_battery_i2c_remove(struct i2c_client *client)
+ {
+ struct bq27xxx_device_info *di = i2c_get_clientdata(client);
+
+- free_irq(client->irq, di);
++ if (client->irq)
++ free_irq(client->irq, di);
++
+ bq27xxx_battery_teardown(di);
+
+ mutex_lock(&battery_mutex);
+--
+2.43.0
+
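Review bot: The `if (client->irq)` guard now lives in two places, probe() and remove(), and the bug being fixed is exactly those two drifting apart, so the new guard should point at its twin: `/* Mirrors the client->irq check in probe(): irq 0 means none was requested. */`. This should not be "simplified" into devm-managed IRQ handling: the Fixes: commit deliberately frees the IRQ before bq27xxx_battery_teardown() to close a race on remove, and a devm release runs after remove() returns, reopening it. The added empty `++` line between the guard and the teardown call is a style choice the surrounding function (outside the hunk) may or may not follow.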
diff --git a/queue-6.1/riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch b/queue-6.1/riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch
new file mode 100644
index 00000000000..23cbbb27ea1
--- /dev/null
+++ b/queue-6.1/riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch
@@ -0,0 +1,50 @@
+From f527034fc185199c26687af087a232fab62a4431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Feb 2024 21:17:23 +0200
+Subject: riscv: Sparse-Memory/vmemmap out-of-bounds fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dimitris Vlachos
+
+[ Upstream commit a11dd49dcb9376776193e15641f84fcc1e5980c9 ]
+
+Offset vmemmap so that the first page of vmemmap will be mapped
+to the first page of physical memory in order to ensure that
+vmemmap’s bounds will be respected during
+pfn_to_page()/page_to_pfn() operations.
+The conversion macros will produce correct SV39/48/57 addresses
+for every possible/valid DRAM_BASE inside the physical memory limits.
+
+v2:Address Alex's comments
+
+Suggested-by: Alexandre Ghiti
+Signed-off-by: Dimitris Vlachos
+Reported-by: Dimitris Vlachos
+Closes: https://lore.kernel.org/linux-riscv/20240202135030.42265-1-csd4492@csd.uoc.gr
+Fixes: d95f1a542c3d ("RISC-V: Implement sparsemem")
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240229191723.32779-1-dvlachos@ics.forth.gr
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
+index 59bb53da473dd..63055c6ad2c25 100644
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -79,7 +79,7 @@
+ * Define vmemmap for pfn_to_page & page_to_pfn calls. Needed if kernel
+ * is configured with CONFIG_SPARSEMEM_VMEMMAP enabled.
+ */
+-#define vmemmap ((struct page *)VMEMMAP_START)
++#define vmemmap ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT))
+
+ #define PCI_IO_SIZE SZ_16M
+ #define PCI_IO_END VMEMMAP_START
+--
+2.43.0
+
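Review bot: `vmemmap` is no longer a compile-time constant after this change: it now reads `phys_ram_base`, a runtime variable, so any use of the macro before phys_ram_base is initialised (early boot, static initialisers) yields a wrong pointer, and neither the define nor the comment block above it states that ordering requirement. The subtraction also deliberately forms a pointer below VMEMMAP_START, which is correct only because pfn_to_page() always adds back a pfn at or above phys_ram_base >> PAGE_SHIFT; that is the invariant the comment should carry. Suggested addition to the comment block above the define: ` * vmemmap is offset by the first valid pfn so that pfn_to_page(pfn) for any pfn >= phys_ram_base >> PAGE_SHIFT lands inside the vmemmap region; phys_ram_base must be set before any use.`. Whether every early caller satisfies that ordering is not visible here.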
diff --git a/queue-6.1/rtnetlink-fix-error-logic-of-ifla_bridge_flags-writi.patch b/queue-6.1/rtnetlink-fix-error-logic-of-ifla_bridge_flags-writi.patch
new file mode 100644
index 00000000000..4ef130e1922
--- /dev/null
+++ b/queue-6.1/rtnetlink-fix-error-logic-of-ifla_bridge_flags-writi.patch
@@ -0,0 +1,83 @@ +From ca010d26f0129f44a0f5b72e6eefe82f6c0459dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 20:11:28 +0800 +Subject: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back + +From: Lin Ma + +[ Upstream commit 743ad091fb46e622f1b690385bb15e3cd3daf874 ] + +In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks +IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic +in the function `rtnl_bridge_setlink` to enable the loop to also check +the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment +removed the `break` statement and led to an error logic of the flags +writing back at the end of this function. + +if (have_flags) + memcpy(nla_data(attr), &flags, sizeof(flags)); + // attr should point to IFLA_BRIDGE_FLAGS NLA !!! + +Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. +However, this is not necessarily true fow now as the updated loop will let +the attr point to the last NLA, even an invalid NLA which could cause +overflow writes. + +This patch introduces a new variable `br_flag` to save the NLA pointer +that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned +error logic. 
+ +Fixes: d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length") +Signed-off-by: Lin Ma +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20240227121128.608110-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 7cf1e42d7f93b..ac379e4590f8d 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -5026,10 +5026,9 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, + struct net *net = sock_net(skb->sk); + struct ifinfomsg *ifm; + struct net_device *dev; +- struct nlattr *br_spec, *attr = NULL; ++ struct nlattr *br_spec, *attr, *br_flags_attr = NULL; + int rem, err = -EOPNOTSUPP; + u16 flags = 0; +- bool have_flags = false; + + if (nlmsg_len(nlh) < sizeof(*ifm)) + return -EINVAL; +@@ -5047,11 +5046,11 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, + br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC); + if (br_spec) { + nla_for_each_nested(attr, br_spec, rem) { +- if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !have_flags) { ++ if (nla_type(attr) == IFLA_BRIDGE_FLAGS && !br_flags_attr) { + if (nla_len(attr) < sizeof(flags)) + return -EINVAL; + +- have_flags = true; ++ br_flags_attr = attr; + flags = nla_get_u16(attr); + } + +@@ -5095,8 +5094,8 @@ static int rtnl_bridge_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, + } + } + +- if (have_flags) +- memcpy(nla_data(attr), &flags, sizeof(flags)); ++ if (br_flags_attr) ++ memcpy(nla_data(br_flags_attr), &flags, sizeof(flags)); + out: + return err; + } +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index d93db114d81..8bcbe10787b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
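Review bot: The write-back `memcpy(nla_data(br_flags_attr), &flags, sizeof(flags))` is now anchored to the attribute that was actually validated, but the property that makes it safe — `nla_len(attr) < sizeof(flags)` returning -EINVAL before `br_flags_attr = attr` is recorded — sits two hunks earlier, so the memcpy should state why it needs no length check: `/* br_flags_attr was length-checked (>= sizeof(flags)) when it was recorded. */`. The `!br_flags_attr` test preserves first-match-wins, so a message carrying several IFLA_BRIDGE_FLAGS attributes still writes back only into the first; if that is intentional it is worth a comment, since the old `have_flags` name made it more obvious. Whatever runs between the loop and the final memcpy, i.e. the code that updates `flags` before it is written back, is outside the hunk.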
@@ -25,3 +25,48 @@ fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch rdma-core-fix-multiple-warray-bounds-warnings.patch +mtd-spinand-gigadevice-fix-the-get-ecc-status-issue.patch +netlink-fix-kernel-infoleak-after-free-in-__skb_data.patch +netlink-add-nla-be16-32-types-to-minlen-array.patch +net-ip_tunnel-prevent-perpetual-headroom-growth.patch +net-mctp-take-ownership-of-skb-in-mctp_local_output.patch +tun-fix-xdp_rxq_info-s-queue_index-when-detaching.patch +cpufreq-intel_pstate-fix-pstate-limits-enforcement-f.patch +net-veth-clear-gro-when-clearing-xdp-even-when-down.patch +ipv6-fix-potential-struct-net-leak-in-inet6_rtm_geta.patch +lan78xx-enable-auto-speed-configuration-for-lan7850-.patch +veth-try-harder-when-allocating-queue-memory.patch +net-usb-dm9601-fix-wrong-return-value-in-dm9601_mdio.patch +net-lan78xx-fix-softirq-work-is-pending-error.patch +uapi-in6-replace-temporary-label-with-rfc9486.patch +stmmac-clear-variable-when-destroying-workqueue.patch +bluetooth-hci_sync-check-the-correct-flag-before-sta.patch +bluetooth-avoid-potential-use-after-free-in-hci_erro.patch +bluetooth-hci_sync-fix-accept_list-when-attempting-t.patch +bluetooth-hci_event-fix-wrongly-recorded-wakeup-bd_a.patch +bluetooth-hci_event-fix-handling-of-hci_ev_io_capa_r.patch +bluetooth-enforce-validation-on-max-value-of-connect.patch +bluetooth-qca-fix-wrong-event-type-for-patch-config-.patch +bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch +bluetooth-hci_qca-add-support-for-qti-bluetooth-chip.patch +bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch +bluetooth-btqca-add-wcn3988-support.patch +bluetooth-qca-use-switch-case-for-soc-type-behavior.patch +bluetooth-qca-add-support-for-wcn7850.patch +bluetooth-hci_qca-set-bda-quirk-bit-if-fwnode-exists.patch +netfilter-nf_tables-allow-nfproto_inet-in-nft_-match.patch 
+netfilter-let-reset-rules-clean-out-conntrack-entrie.patch +netfilter-bridge-confirm-multicast-packets-before-pa.patch +rtnetlink-fix-error-logic-of-ifla_bridge_flags-writi.patch +igb-extend-ptp-timestamp-adjustments-to-i211.patch +net-hsr-use-correct-offset-for-hsr-tlv-values-in-sup.patch +tls-decrement-decrypt_pending-if-no-async-completion.patch +tls-fix-peeking-with-sync-async-decryption.patch +efi-capsule-loader-fix-incorrect-allocation-size.patch +power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch +alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch +drm-tegra-remove-existing-framebuffer-only-if-we-sup.patch +fbcon-always-restore-the-old-font-data-in-fbcon_do_s.patch +afs-fix-endless-loop-in-directory-parsing.patch +riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch +of-property-fw_devlink-fix-stupid-bug-in-remote-endp.patch diff --git a/queue-6.1/stmmac-clear-variable-when-destroying-workqueue.patch b/queue-6.1/stmmac-clear-variable-when-destroying-workqueue.patch new file mode 100644 index 00000000000..43d0a69c374 --- /dev/null +++ b/queue-6.1/stmmac-clear-variable-when-destroying-workqueue.patch 
@@ -0,0 +1,83 @@ +From ea3956cb01a1f07c9fcdf3e00d8560faf37f64c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 17:42:32 +0100 +Subject: stmmac: Clear variable when destroying workqueue + +From: Jakub Raczynski + +[ Upstream commit 8af411bbba1f457c33734795f024d0ef26d0963f ] + +Currently when suspending driver and stopping workqueue it is checked whether +workqueue is not NULL and if so, it is destroyed. +Function destroy_workqueue() does drain queue and does clear variable, but +it does not set workqueue variable to NULL. This can cause kernel/module +panic if code attempts to clear workqueue that was not initialized. + +This scenario is possible when resuming suspended driver in stmmac_resume(), +because there is no handling for failed stmmac_hw_setup(), +which can fail and return if DMA engine has failed to initialize, +and workqueue is initialized after DMA engine. +Should DMA engine fail to initialize, resume will proceed normally, +but interface won't work and TX queue will eventually timeout, +causing 'Reset adapter' error. +This then does destroy workqueue during reset process. +And since workqueue is initialized after DMA engine and can be skipped, +it will cause kernel/module panic. + +To secure against this possible crash, set workqueue variable to NULL when +destroying workqueue. + +Log/backtrace from crash goes as follows: +[88.031977]------------[ cut here ]------------ +[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out +[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 + +[88.032251]---[ end trace e70de432e4d5c2c0 ]--- +[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. 
+[88.036359]------------[ cut here ]------------ +[88.036519]Call trace: +[88.036523] flush_workqueue+0x3e4/0x430 +[88.036528] drain_workqueue+0xc4/0x160 +[88.036533] destroy_workqueue+0x40/0x270 +[88.036537] stmmac_fpe_stop_wq+0x4c/0x70 +[88.036541] stmmac_release+0x278/0x280 +[88.036546] __dev_close_many+0xcc/0x158 +[88.036551] dev_close_many+0xbc/0x190 +[88.036555] dev_close.part.0+0x70/0xc0 +[88.036560] dev_close+0x24/0x30 +[88.036564] stmmac_service_task+0x110/0x140 +[88.036569] process_one_work+0x1d8/0x4a0 +[88.036573] worker_thread+0x54/0x408 +[88.036578] kthread+0x164/0x170 +[88.036583] ret_from_fork+0x10/0x20 +[88.036588]---[ end trace e70de432e4d5c2c1 ]--- +[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 + +Fixes: 5a5586112b929 ("net: stmmac: support FPE link partner hand-shaking procedure") +Signed-off-by: Jakub Raczynski +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 91b2aa81914ba..e2d51014ab4bc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3900,8 +3900,10 @@ static void stmmac_fpe_stop_wq(struct stmmac_priv *priv) + { + set_bit(__FPE_REMOVING, &priv->fpe_task_state); + +- if (priv->fpe_wq) ++ if (priv->fpe_wq) { + destroy_workqueue(priv->fpe_wq); ++ priv->fpe_wq = NULL; ++ } + + netdev_info(priv->dev, "FPE workqueue stop"); + } +-- +2.43.0 + diff --git a/queue-6.1/tls-decrement-decrypt_pending-if-no-async-completion.patch b/queue-6.1/tls-decrement-decrypt_pending-if-no-async-completion.patch new file mode 100644 index 00000000000..8a3b642dc31 --- /dev/null +++ b/queue-6.1/tls-decrement-decrypt_pending-if-no-async-completion.patch 
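Review bot: Nulling `priv->fpe_wq` after destroy_workqueue() prevents the second destroy, but the check/destroy/clear sequence is not atomic, so it is only safe if stmmac_fpe_stop_wq() and the path that allocates fpe_wq are serialised by the same lock; `set_bit(__FPE_REMOVING, ...)` above does not provide that, and the callers are outside the hunk. The commit message also says the root cause is stmmac_resume() proceeding after a failed stmmac_hw_setup(); this patch hardens the destroy site rather than fixing that, and a comment should say so: `/* Clear so a later stop (e.g. after a failed resume left the wq unallocated) is a no-op. */`. The `netdev_info(priv->dev, "FPE workqueue stop")` still fires when nothing was destroyed, which is a minor log-accuracy issue.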
@@ -0,0 +1,42 @@
+From 2826aeb92ba2c305be12a933b8b0b5bdd0caf19d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Feb 2024 23:43:57 +0100
+Subject: tls: decrement decrypt_pending if no async completion will be called
+
+From: Sabrina Dubroca
+
+[ Upstream commit f7fa16d49837f947ee59492958f9e6f0e51d9a78 ]
+
+With mixed sync/async decryption, or failures of crypto_aead_decrypt,
+we increment decrypt_pending but we never do the corresponding
+decrement since tls_decrypt_done will not be called. In this case, we
+should decrement decrypt_pending immediately to avoid getting stuck.
+
+For example, the prequeue prequeue test gets stuck with mixed
+modes (one async decrypt + one sync decrypt).
+
+Fixes: 94524d8fc965 ("net/tls: Add support for async decryption of tls records")
+Signed-off-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/c56d5fc35543891d5319f834f25622360e1bfbec.1709132643.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tls/tls_sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 93e1bfa72d791..c6ad435a44218 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -273,6 +273,8 @@ static int tls_do_decryption(struct sock *sk,
+ return 0;
+
+ ret = crypto_wait_req(ret, &ctx->async_wait);
++ } else if (darg->async) {
++ atomic_dec(&ctx->decrypt_pending);
+ }
+ darg->async = false;
+
+--
+2.43.0
+
diff --git a/queue-6.1/tls-fix-peeking-with-sync-async-decryption.patch b/queue-6.1/tls-fix-peeking-with-sync-async-decryption.patch
new file mode 100644
index 00000000000..5901284a1a5
--- /dev/null
+++ b/queue-6.1/tls-fix-peeking-with-sync-async-decryption.patch
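Review bot: The new `else if (darg->async)` branch depends on being evaluated before the `darg->async = false;` that immediately follows it, and on the decrypt_pending increment that the commit message says happens earlier in tls_do_decryption (outside the hunk); neither relationship is stated at the decrement, and either is what a future reorder would silently break. Suggested comment on the added branch: `/* Sync completion or error: tls_decrypt_done() will not run, so undo the decrypt_pending increment taken before the request was issued. */`. The enclosing function starts outside the hunk, so which error outcomes reach this branch is inferred from the commit message rather than visible.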
@@ -0,0 +1,72 @@ +From 34f333ed98300447d16f1d39bab7e241d5cc8579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 23:43:58 +0100 +Subject: tls: fix peeking with sync+async decryption + +From: Sabrina Dubroca + +[ Upstream commit 6caaf104423d809b49a67ee6500191d063b40dc6 ] + +If we peek from 2 records with a currently empty rx_list, and the +first record is decrypted synchronously but the second record is +decrypted async, the following happens: + 1. decrypt record 1 (sync) + 2. copy from record 1 to the userspace's msg + 3. queue the decrypted record to rx_list for future read(!PEEK) + 4. decrypt record 2 (async) + 5. queue record 2 to rx_list + 6. call process_rx_list to copy data from the 2nd record + +We currently pass copied=0 as skip offset to process_rx_list, so we +end up copying once again from the first record. We should skip over +the data we've already copied. + +Seen with selftest tls.12_aes_gcm.recv_peek_large_buf_mult_recs + +Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") +Signed-off-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/1b132d2b2b99296bfde54e8a67672d90d6d16e71.1709132643.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index c6ad435a44218..2bd27b77769cb 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2023,6 +2023,7 @@ int tls_sw_recvmsg(struct sock *sk, + struct strp_msg *rxm; + struct tls_msg *tlm; + ssize_t copied = 0; ++ ssize_t peeked = 0; + bool async = false; + int target, err; + bool is_kvec = iov_iter_is_kvec(&msg->msg_iter); +@@ -2170,8 +2171,10 @@ int tls_sw_recvmsg(struct sock *sk, + if (err < 0) + goto put_on_rx_list_err; + +- if (is_peek) ++ if (is_peek) { ++ peeked += chunk; + goto put_on_rx_list; ++ } + + if (partially_consumed) { + rxm->offset += chunk; +@@ -2210,8 +2213,8 @@ int 
tls_sw_recvmsg(struct sock *sk, + + /* Drain records from the rx_list & copy if required */ + if (is_peek || is_kvec) +- err = process_rx_list(ctx, msg, &control, copied, +- decrypted, is_peek, NULL); ++ err = process_rx_list(ctx, msg, &control, copied + peeked, ++ decrypted - peeked, is_peek, NULL); + else + err = process_rx_list(ctx, msg, &control, 0, + async_copy_bytes, is_peek, NULL); +-- +2.43.0 + diff --git a/queue-6.1/tun-fix-xdp_rxq_info-s-queue_index-when-detaching.patch b/queue-6.1/tun-fix-xdp_rxq_info-s-queue_index-when-detaching.patch new file mode 100644 index 00000000000..84999ee22de --- /dev/null +++ b/queue-6.1/tun-fix-xdp_rxq_info-s-queue_index-when-detaching.patch @@ -0,0 +1,36 @@ +From a0d3e490917548a98f71072257eb4030b1bd2cd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 11:12:07 +0800 +Subject: tun: Fix xdp_rxq_info's queue_index when detaching + +From: Yunjian Wang + +[ Upstream commit 2a770cdc4382b457ca3d43d03f0f0064f905a0d0 ] + +When a queue(tfile) is detached, we only update tfile's queue_index, +but do not update xdp_rxq_info's queue_index. This patch fixes it. + +Fixes: 8bf5c4ee1889 ("tun: setup xdp_rxq_info") +Signed-off-by: Yunjian Wang +Link: https://lore.kernel.org/r/1708398727-46308-1-git-send-email-wangyunjian@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 367255bb44cdc..922d6f16d99d1 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -653,6 +653,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean) + tun->tfiles[tun->numqueues - 1]); + ntfile = rtnl_dereference(tun->tfiles[index]); + ntfile->queue_index = index; ++ ntfile->xdp_rxq.queue_index = index; + rcu_assign_pointer(tun->tfiles[tun->numqueues - 1], + NULL); + +-- +2.43.0 + 
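Review bot: `decrypted - peeked` in the final process_rx_list() call relies on `peeked` never exceeding `decrypted`, and the code that maintains `decrypted` and `chunk` is outside the hunk, so that invariant should be stated where it is consumed: `/* Peeked records stay on rx_list: skip copied + peeked bytes so process_rx_list() does not copy them again, and account only the remaining decrypted - peeked bytes. */`. `peeked` is only incremented under `is_peek`, so in the `is_kvec && !is_peek` case it stays 0 and the arguments are unchanged, which keeps the change well scoped. `peeked` is declared ssize_t like `copied`; the type of `chunk` is not visible here, and tls_sw_recvmsg begins outside the hunk.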
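Review bot: `ntfile->xdp_rxq.queue_index = index;` fixes the drift the commit describes, but it is a second copy of the slot index right after `ntfile->queue_index = index;`, and two copies of the same state are how this bug arose; a one-line comment should tie them together: `/* Keep xdp_rxq in sync with the tfile's new slot, or XDP sees a stale queue index. */`. Whether other per-queue fields of xdp_rxq_info need refreshing when a queue is moved is not visible in the hunk, and __tun_detach continues outside it.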
diff --git a/queue-6.1/uapi-in6-replace-temporary-label-with-rfc9486.patch b/queue-6.1/uapi-in6-replace-temporary-label-with-rfc9486.patch new file mode 100644 index 00000000000..8088c42b705 --- /dev/null +++ b/queue-6.1/uapi-in6-replace-temporary-label-with-rfc9486.patch @@ -0,0 +1,39 @@ +From 61e3f7937b905d37c57cace0ac0a6a8e26e3affd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 13:49:21 +0100 +Subject: uapi: in6: replace temporary label with rfc9486 + +From: Justin Iurman + +[ Upstream commit 6a2008641920a9c6fe1abbeb9acbec463215d505 ] + +Not really a fix per se, but IPV6_TLV_IOAM is still tagged as "TEMPORARY +IANA allocation for IOAM", while RFC 9486 is available for some time +now. Just update the reference. + +Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace") +Signed-off-by: Justin Iurman +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240226124921.9097-1-justin.iurman@uliege.be +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in6.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h +index c4c53a9ab9595..ff8d21f9e95b7 100644 +--- a/include/uapi/linux/in6.h ++++ b/include/uapi/linux/in6.h +@@ -145,7 +145,7 @@ struct in6_flowlabel_req { + #define IPV6_TLV_PADN 1 + #define IPV6_TLV_ROUTERALERT 5 + #define IPV6_TLV_CALIPSO 7 /* RFC 5570 */ +-#define IPV6_TLV_IOAM 49 /* TEMPORARY IANA allocation for IOAM */ ++#define IPV6_TLV_IOAM 49 /* RFC 9486 */ + #define IPV6_TLV_JUMBO 194 + #define IPV6_TLV_HAO 201 /* home address option */ + +-- +2.43.0 + diff --git a/queue-6.1/veth-try-harder-when-allocating-queue-memory.patch b/queue-6.1/veth-try-harder-when-allocating-queue-memory.patch new file mode 100644 index 00000000000..480acf63361 --- /dev/null +++ b/queue-6.1/veth-try-harder-when-allocating-queue-memory.patch 
@@ -0,0 +1,55 @@ +From cc9de08551e2df6bdd98d6cd6273d8c86ee673a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 15:59:08 -0800 +Subject: veth: try harder when allocating queue memory + +From: Jakub Kicinski + +[ Upstream commit 1ce7d306ea63f3e379557c79abd88052e0483813 ] + +struct veth_rq is pretty large, 832B total without debug +options enabled. Since commit under Fixes we try to pre-allocate +enough queues for every possible CPU. Miao Wang reports that +this may lead to order-5 allocations which will fail in production. + +Let the allocation fallback to vmalloc() and try harder. +These are the same flags we pass to netdev queue allocation. + +Reported-and-tested-by: Miao Wang +Fixes: 9d3684c24a52 ("veth: create by default nr_possible_cpus queues") +Link: https://lore.kernel.org/all/5F52CAE2-2FB7-4712-95F1-3312FBBFA8DD@gmail.com/ +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240223235908.693010-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index dea9cc8c39f7a..dd9f5f1461921 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -1359,7 +1359,8 @@ static int veth_alloc_queues(struct net_device *dev) + struct veth_priv *priv = netdev_priv(dev); + int i; + +- priv->rq = kcalloc(dev->num_rx_queues, sizeof(*priv->rq), GFP_KERNEL_ACCOUNT); ++ priv->rq = kvcalloc(dev->num_rx_queues, sizeof(*priv->rq), ++ GFP_KERNEL_ACCOUNT | __GFP_RETRY_MAYFAIL); + if (!priv->rq) + return -ENOMEM; + +@@ -1375,7 +1376,7 @@ static void veth_free_queues(struct net_device *dev) + { + struct veth_priv *priv = netdev_priv(dev); + +- kfree(priv->rq); ++ kvfree(priv->rq); + } + + static int veth_dev_init(struct net_device *dev) +-- +2.43.0 +