From: Sasha Levin Date: Sat, 4 Jan 2025 14:21:14 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v5.4.289~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=558a80d9f0f874b6ff01e9203b2809048a086055;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch b/queue-5.15/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch new file mode 100644 index 00000000000..380f60ec3fb --- /dev/null +++ b/queue-5.15/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch @@ -0,0 +1,149 @@ +From cc7c64c9c4420690d64323f7a1f381ccb490dc45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:04 +0000 +Subject: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_protocol_dgram() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 +R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 +R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 +FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 + packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 + sock_recvmsg_nosec net/socket.c:1033 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1055 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 + ___sys_recvmsg net/socket.c:2845 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2940 + __sys_recvmmsg net/socket.c:3014 [inline] + __do_sys_recvmmsg net/socket.c:3037 [inline] + __se_sys_recvmmsg net/socket.c:3030 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 16 +++++++++++++--- + net/packet/af_packet.c | 16 ++++------------ + 2 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index ce6714bec65f..64cfe7cd292c 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -582,13 +582,16 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci) + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query + * @type: first vlan protocol ++ * @mac_offset: MAC offset + * @depth: buffer to store length of eth and vlan tags in bytes + * + * Returns the EtherType of the packet, regardless of whether it is + * vlan encapsulated (normal or hardware accelerated) or not. + */ +-static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, +- int *depth) ++static inline __be16 __vlan_get_protocol_offset(const struct sk_buff *skb, ++ __be16 type, ++ int mac_offset, ++ int *depth) + { + unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH; + +@@ -607,7 +610,8 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + do { + struct vlan_hdr vhdr, *vh; + +- vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr); ++ vh = skb_header_pointer(skb, mac_offset + vlan_depth, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh || !--parse_depth)) + return 0; + +@@ -622,6 +626,12 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, + return type; + } + ++static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type, ++ int *depth) ++{ ++ return __vlan_get_protocol_offset(skb, type, 0, depth); ++} ++ + /** + * vlan_get_protocol - get protocol EtherType. + * @skb: skbuff to query +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b416be272327..3f3f23b0ce42 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -535,21 +535,13 @@ static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + return ntohs(vh->h_vlan_TCI); + } + +-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb) ++static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb) + { + __be16 proto = skb->protocol; + +- if (unlikely(eth_type_vlan(proto))) { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; +- +- skb_push(skb, skb->data - skb_mac_header(skb)); +- proto = __vlan_get_protocol(skb, proto, NULL); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } +- } ++ if (unlikely(eth_type_vlan(proto))) ++ proto = __vlan_get_protocol_offset(skb, proto, ++ skb_mac_offset(skb), NULL); + + return proto; + } +-- +2.39.5 + diff --git a/queue-5.15/af_packet-fix-vlan_get_tci-vs-msg_peek.patch b/queue-5.15/af_packet-fix-vlan_get_tci-vs-msg_peek.patch new file mode 100644 index 00000000000..21a19dc350f --- /dev/null +++ b/queue-5.15/af_packet-fix-vlan_get_tci-vs-msg_peek.patch @@ -0,0 +1,102 @@ +From 6f5ac6fd3fb122c3b2fca5c076ca31fa846c5704 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:10:03 +0000 +Subject: af_packet: fix vlan_get_tci() vs MSG_PEEK + +From: Eric Dumazet + +[ Upstream commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 ] + +Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found +by syzbot. + +Rework vlan_get_tci() to not touch skb at all, +so that it can be used from many cpus on the same skb. + +Add a const qualifier to skb argument. + +[1] +skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev: +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286 +RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50 +R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140 +R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014 +FS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565 + packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616 + sock_recvmsg_nosec net/socket.c:1044 [inline] + sock_recvmsg+0x22f/0x280 net/socket.c:1066 + ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814 + ___sys_recvmsg net/socket.c:2856 [inline] + do_recvmmsg+0x426/0xab0 net/socket.c:2951 + __sys_recvmmsg net/socket.c:3025 [inline] + __do_sys_recvmmsg net/socket.c:3048 [inline] + __se_sys_recvmmsg net/socket.c:3041 [inline] + __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading") +Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index dd38cf0c9040..b416be272327 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -505,10 +505,8 @@ static void *packet_current_frame(struct packet_sock *po, + return packet_lookup_frame(po, rb, rb->head, status); + } + +-static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) ++static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev) + { +- u8 *skb_orig_data = skb->data; +- int skb_orig_len = skb->len; + struct vlan_hdr vhdr, *vh; + unsigned int header_len; + +@@ -529,12 +527,8 @@ static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) + else + return 0; + +- skb_push(skb, skb->data - skb_mac_header(skb)); +- vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr); +- if (skb_orig_data != skb->data) { +- skb->data = skb_orig_data; +- skb->len = skb_orig_len; +- } ++ vh = skb_header_pointer(skb, skb_mac_offset(skb) + header_len, ++ sizeof(vhdr), &vhdr); + if (unlikely(!vh)) + return 0; + +-- +2.39.5 + diff --git a/queue-5.15/alsa-usb-audio-us16x08-initialize-array-before-use.patch b/queue-5.15/alsa-usb-audio-us16x08-initialize-array-before-use.patch new file mode 100644 index 00000000000..9007995b726 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-us16x08-initialize-array-before-use.patch @@ -0,0 +1,43 @@ +From 509e7f072a928476790058bf79a7caa7066272d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 11:32:42 +0530 +Subject: ALSA: usb-audio: US16x08: Initialize array before use + +From: Tanya Agarwal + +[ Upstream commit b06a6187ef983f501e93faa56209169752d3bde3 ] + +Initialize meter_urb array before use in mixer_us16x08.c. + +CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT) +uninit_use_in_call: Using uninitialized value *meter_urb when +calling get_meter_levels_from_urb. + +Coverity Link: +https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197 + +Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk") +Signed-off-by: Tanya Agarwal +Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_us16x08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c +index b7b6f3834ed5..2f6fa722442f 100644 +--- a/sound/usb/mixer_us16x08.c ++++ b/sound/usb/mixer_us16x08.c +@@ -687,7 +687,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol, + struct usb_mixer_elem_info *elem = kcontrol->private_data; + struct snd_usb_audio *chip = elem->head.mixer->chip; + struct snd_us16x08_meter_store *store = elem->private_data; +- u8 meter_urb[64]; ++ u8 meter_urb[64] = {0}; + + switch (kcontrol->private_value) { + case 0: { +-- +2.39.5 + diff --git a/queue-5.15/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch b/queue-5.15/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch new file mode 100644 index 00000000000..274540d04af --- /dev/null +++ b/queue-5.15/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch @@ -0,0 +1,74 @@ +From 9be07d5f70d533d4517d875b7f96ed481c3b9f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 08:40:29 +0100 +Subject: drm/bridge: adv7511_audio: Update Audio InfoFrame properly + +From: Stefan Ekenberg + +[ Upstream commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 ] + +AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1 +while updating Audio InfoFrame information and then set to 0 when done. +Otherwise partially updated Audio InfoFrames could be sent out. Two +cases where this rule were not followed are fixed: + - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated + before/after setting ADV7511_REG_AUDIO_INFOFRAME. + - In audio_startup() use the correct register for clearing + AUDIO_UPDATE bit. + +The problem with corrupted audio infoframes were discovered by letting +a HDMI logic analyser check the output of ADV7535. + +Note that this patchs replaces writing REG_GC(1) with +REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field +GC_PP[3:0] and that field doesn't control audio infoframe and is read- +only. My conclusion therefore was that the author if this code meant to +clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning. + +Tested-by: Biju Das +Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support") +Signed-off-by: Stefan Ekenberg +Reviewed-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +index 61f4a38e7d2b..8f786592143b 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c +@@ -153,7 +153,16 @@ static int adv7511_hdmi_hw_params(struct device *dev, void *data, + ADV7511_AUDIO_CFG3_LEN_MASK, len); + regmap_update_bits(adv7511->regmap, ADV7511_REG_I2C_FREQ_ID_CFG, + ADV7511_I2C_FREQ_ID_CFG_RATE_MASK, rate << 4); +- regmap_write(adv7511->regmap, 0x73, 0x1); ++ ++ /* send current Audio infoframe values while updating */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), BIT(5)); ++ ++ regmap_write(adv7511->regmap, ADV7511_REG_AUDIO_INFOFRAME(0), 0x1); ++ ++ /* use Audio infoframe updated info */ ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, ++ BIT(5), 0); + + return 0; + } +@@ -184,8 +193,9 @@ static int audio_startup(struct device *dev, void *data) + regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(0), + BIT(7) | BIT(6), BIT(7)); + /* use Audio infoframe updated info */ +- regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1), ++ regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, + BIT(5), 0); ++ + /* enable SPDIF receiver */ + if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF) + regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG, +-- +2.39.5 + diff --git a/queue-5.15/drm-i915-dg1-fix-power-gate-sequence.patch b/queue-5.15/drm-i915-dg1-fix-power-gate-sequence.patch new file mode 100644 index 00000000000..8bb0486ecb5 --- /dev/null +++ b/queue-5.15/drm-i915-dg1-fix-power-gate-sequence.patch @@ -0,0 +1,45 @@ +From e6a805aa31e387c2ce8e55d20e05b4f8a7ba42ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 16:00:19 -0500 +Subject: drm/i915/dg1: Fix power gate sequence. + +From: Rodrigo Vivi + +[ Upstream commit 20e7c5313ffbf11c34a46395345677adbe890bee ] + +sub-pipe PG is not present on DG1. Setting these bits can disable +other power gates and cause GPU hangs on video playbacks. + +VLK: 16314, 4304 + +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13381 +Fixes: 85a12d7eb8fe ("drm/i915/tgl: Fix Media power gate sequence.") +Cc: Vinay Belgaumkar +Cc: Himal Prasad Ghimiray +Reviewed-by: Vinay Belgaumkar +Reviewed-by: Himal Prasad Ghimiray +Link: https://patchwork.freedesktop.org/patch/msgid/20241219210019.70532-1-rodrigo.vivi@intel.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit de7061947b4ed4be857d452c60d5fb795831d79e) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_rc6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_rc6.c b/drivers/gpu/drm/i915/gt/intel_rc6.c +index 799d382eea79..fbf1b0136aad 100644 +--- a/drivers/gpu/drm/i915/gt/intel_rc6.c ++++ b/drivers/gpu/drm/i915/gt/intel_rc6.c +@@ -122,7 +122,7 @@ static void gen11_rc6_enable(struct intel_rc6 *rc6) + GEN9_MEDIA_PG_ENABLE | + GEN11_MEDIA_SAMPLER_PG_ENABLE; + +- if (GRAPHICS_VER(gt->i915) >= 12) { ++ if (GRAPHICS_VER(gt->i915) >= 12 && !IS_DG1(gt->i915)) { + for (i = 0; i < I915_MAX_VCS; i++) + if (HAS_ENGINE(gt, _VCS(i))) + pg_enable |= (VDN_HCP_POWERGATE_ENABLE(i) | +-- +2.39.5 + diff --git a/queue-5.15/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch b/queue-5.15/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch new file mode 100644 index 00000000000..0e02ed565b6 --- /dev/null +++ b/queue-5.15/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch @@ -0,0 +1,82 @@ +From 02da27bf06f2806ececb47d2ce3c5d26ae67f8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 15:30:07 +0300 +Subject: eth: bcmsysport: fix call balance of priv->clk handling routines + +From: Vitalii Mordan + +[ Upstream commit b255ef45fcc2141c1bf98456796abb956d843a27 ] + +Check the return value of clk_prepare_enable to ensure that priv->clk has +been successfully enabled. + +If priv->clk was not enabled during bcm_sysport_probe, bcm_sysport_resume, +or bcm_sysport_open, it must not be disabled in any subsequent execution +paths. + +Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources") +Signed-off-by: Vitalii Mordan +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20241227123007.2333397-1-mordan@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 8962bd6349d4..fa140c5175a6 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1956,7 +1956,11 @@ static int bcm_sysport_open(struct net_device *dev) + unsigned int i; + int ret; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ netdev_err(dev, "could not enable priv clock\n"); ++ return ret; ++ } + + /* Reset UniMAC */ + umac_reset(priv); +@@ -2618,7 +2622,11 @@ static int bcm_sysport_probe(struct platform_device *pdev) + goto err_deregister_notifier; + } + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ dev_err(&pdev->dev, "could not enable priv clock\n"); ++ goto err_deregister_netdev; ++ } + + priv->rev = topctrl_readl(priv, REV_CNTL) & REV_MASK; + dev_info(&pdev->dev, +@@ -2632,6 +2640,8 @@ static int bcm_sysport_probe(struct platform_device *pdev) + + return 0; + ++err_deregister_netdev: ++ unregister_netdev(dev); + err_deregister_notifier: + unregister_netdevice_notifier(&priv->netdev_notifier); + err_deregister_fixed_link: +@@ -2803,7 +2813,12 @@ static int __maybe_unused bcm_sysport_resume(struct device *d) + if (!netif_running(dev)) + return 0; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) { ++ netdev_err(dev, "could not enable priv clock\n"); ++ return ret; ++ } ++ + if (priv->wolopts) + clk_disable_unprepare(priv->wol_clk); + +-- +2.39.5 + diff --git a/queue-5.15/ila-serialize-calls-to-nf_register_net_hooks.patch b/queue-5.15/ila-serialize-calls-to-nf_register_net_hooks.patch new file mode 100644 index 00000000000..c4e1d1743a0 --- /dev/null +++ b/queue-5.15/ila-serialize-calls-to-nf_register_net_hooks.patch @@ -0,0 +1,113 @@ +From bc2558edb651adc8be4968ad10bee0a81bc698a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 16:28:49 +0000 +Subject: ila: serialize calls to nf_register_net_hooks() + +From: Eric Dumazet + +[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ] + +syzbot found a race in ila_add_mapping() [1] + +commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") +attempted to fix a similar issue. + +Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. + +Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). + +[1] + BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] + BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 +Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 + +CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:489 + kasan_report+0xd9/0x110 mm/kasan/report.c:602 + rht_key_hashfn include/linux/rhashtable.h:159 [inline] + __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 + rhashtable_lookup include/linux/rhashtable.h:646 [inline] + rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] + ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] + ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 + nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 + __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 + __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 + process_backlog+0x443/0x15f0 net/core/dev.c:6117 + __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 + napi_poll net/core/dev.c:6952 [inline] + net_rx_action+0xa94/0x1010 net/core/dev.c:7074 + handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 + +Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") +Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Tom Herbert +Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ila/ila_xlat.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c +index 1f7b674b7c58..31ad5ac74ee7 100644 +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -201,6 +201,8 @@ static const struct nf_hook_ops ila_nf_hook_ops[] = { + }, + }; + ++static DEFINE_MUTEX(ila_mutex); ++ + static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + { + struct ila_net *ilan = net_generic(net, ila_net_id); +@@ -208,16 +210,20 @@ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp) + spinlock_t *lock = ila_get_lock(ilan, xp->ip.locator_match); + int err = 0, order; + +- if (!ilan->xlat.hooks_registered) { ++ if (!READ_ONCE(ilan->xlat.hooks_registered)) { + /* We defer registering net hooks in the namespace until the + * first mapping is added. + */ +- err = nf_register_net_hooks(net, ila_nf_hook_ops, +- ARRAY_SIZE(ila_nf_hook_ops)); ++ mutex_lock(&ila_mutex); ++ if (!ilan->xlat.hooks_registered) { ++ err = nf_register_net_hooks(net, ila_nf_hook_ops, ++ ARRAY_SIZE(ila_nf_hook_ops)); ++ if (!err) ++ WRITE_ONCE(ilan->xlat.hooks_registered, true); ++ } ++ mutex_unlock(&ila_mutex); + if (err) + return err; +- +- ilan->xlat.hooks_registered = true; + } + + ila = kzalloc(sizeof(*ila), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.15/net-fix-memory-leak-in-tcp_conn_request.patch b/queue-5.15/net-fix-memory-leak-in-tcp_conn_request.patch new file mode 100644 index 00000000000..86bd52e475b --- /dev/null +++ b/queue-5.15/net-fix-memory-leak-in-tcp_conn_request.patch @@ -0,0 +1,64 @@ +From 5c5930247a8bc582f31f6d492d9881f0f0b4f770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 15:28:59 +0800 +Subject: net: fix memory leak in tcp_conn_request() + +From: Wang Liang + +[ Upstream commit 4f4aa4aa28142d53f8b06585c478476cfe325cfc ] + +If inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will +return without free the dst memory, which allocated in af_ops->route_req. + +Here is the kmemleak stack: + +unreferenced object 0xffff8881198631c0 (size 240): + comm "softirq", pid 0, jiffies 4299266571 (age 1802.392s) + hex dump (first 32 bytes): + 00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff ................ + 81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00 .U.............. + backtrace: + [] kmem_cache_alloc+0x60c/0xa80 + [] dst_alloc+0x55/0x250 + [] rt_dst_alloc+0x46/0x1d0 + [] __mkroute_output+0x29a/0xa50 + [] ip_route_output_key_hash+0x10b/0x240 + [] ip_route_output_flow+0x1d/0x90 + [] inet_csk_route_req+0x2c5/0x500 + [] tcp_conn_request+0x691/0x12c0 + [] tcp_rcv_state_process+0x3c8/0x11b0 + [] tcp_v4_do_rcv+0x156/0x3b0 + [] tcp_v4_rcv+0x1cf8/0x1d80 + [] ip_protocol_deliver_rcu+0xf6/0x360 + [] ip_local_deliver_finish+0xe6/0x1e0 + [] ip_local_deliver+0xee/0x360 + [] ip_rcv+0xad/0x2f0 + [] __netif_receive_skb_one_core+0x123/0x140 + +Call dst_release() to free the dst memory when +inet_csk_reqsk_queue_hash_add() return false in tcp_conn_request(). + +Fixes: ff46e3b44219 ("Fix race for duplicate reqsk on identical SYN") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20241219072859.3783576-1-wangliang74@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 3e7533f64512..6bd28ac949b4 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -7059,6 +7059,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, + if (unlikely(!inet_csk_reqsk_queue_hash_add(sk, req, + req->timeout))) { + reqsk_free(req); ++ dst_release(dst); + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.15/net-llc-reset-skb-transport_header.patch b/queue-5.15/net-llc-reset-skb-transport_header.patch new file mode 100644 index 00000000000..c937e06f6f7 --- /dev/null +++ b/queue-5.15/net-llc-reset-skb-transport_header.patch @@ -0,0 +1,62 @@ +From 125b6f472736d8e65bd11eafaf18d84952955111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 20:07:20 -0500 +Subject: net: llc: reset skb->transport_header + +From: Antonio Pastor + +[ Upstream commit a024e377efed31ecfb39210bed562932321345b3 ] + +802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. As snap_rcv expects transport_header +to point to SNAP header (OID:PID) after LLC processing advances offset +over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match +and packet is dropped. + +Between napi_complete_done and snap_rcv, transport_header is not used +until __netif_receive_skb_core, where originally it was being reset. +Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +only does so if not set, on the assumption the value was set correctly +by GRO (and also on assumption that "network stacks usually reset the +transport header anyway"). Afterwards it is moved forward by +llc_fixup_skb. + +Locally generated traffic shows up at __netif_receive_skb_core with no +transport_header set and is processed without issue. On a setup with +GRO but no DSA, transport_header and network_header are both set to +point to skb->data which is also correct. + +As issue is LLC specific, to avoid impacting non-LLC traffic, and to +follow up on original assumption made on previous code change, +llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb +assumes the LLC header is at skb->data, and by definition SNAP header +immediately follows. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index 51bccfb00a9c..61b0159b2fbe 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -124,8 +124,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + if (unlikely(!pskb_may_pull(skb, llc_len))) + return 0; + +- skb->transport_header += llc_len; + skb_pull(skb, llc_len); ++ skb_reset_transport_header(skb); + if (skb->protocol == htons(ETH_P_802_2)) { + __be16 pdulen; + s32 data_size; +-- +2.39.5 + diff --git a/queue-5.15/net-mv643xx_eth-fix-an-of-node-reference-leak.patch b/queue-5.15/net-mv643xx_eth-fix-an-of-node-reference-leak.patch new file mode 100644 index 00000000000..0e147c18476 --- /dev/null +++ b/queue-5.15/net-mv643xx_eth-fix-an-of-node-reference-leak.patch @@ -0,0 +1,70 @@ +From 3e1167d4ba05d29c30b7f36a2a3a3650537e1c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Dec 2024 17:14:48 +0900 +Subject: net: mv643xx_eth: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit ad5c318086e2e23b577eca33559c5ebf89bc7eb9 ] + +Current implementation of mv643xx_eth_shared_of_add_port() calls +of_parse_phandle(), but does not release the refcount on error. Call +of_node_put() in the error path and in mv643xx_eth_shared_of_remove(). + +This bug was found by an experimental verification tool that I am +developing. + +Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20241221081448.3313163-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index d37a0fba3d16..6174b4bd44d3 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2703,9 +2703,15 @@ static struct platform_device *port_platdev[3]; + + static void mv643xx_eth_shared_of_remove(void) + { ++ struct mv643xx_eth_platform_data *pd; + int n; + + for (n = 0; n < 3; n++) { ++ if (!port_platdev[n]) ++ continue; ++ pd = dev_get_platdata(&port_platdev[n]->dev); ++ if (pd) ++ of_node_put(pd->phy_node); + platform_device_del(port_platdev[n]); + port_platdev[n] = NULL; + } +@@ -2766,8 +2772,10 @@ static int mv643xx_eth_shared_of_add_port(struct platform_device *pdev, + } + + ppdev = platform_device_alloc(MV643XX_ETH_NAME, dev_num); +- if (!ppdev) +- return -ENOMEM; ++ if (!ppdev) { ++ ret = -ENOMEM; ++ goto put_err; ++ } + ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32); + ppdev->dev.of_node = pnp; + +@@ -2789,6 +2797,8 @@ static int mv643xx_eth_shared_of_add_port(struct platform_device *pdev, + + port_err: + platform_device_put(ppdev); ++put_err: ++ of_node_put(ppd.phy_node); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/net-restrict-so_reuseport-to-inet-sockets.patch b/queue-5.15/net-restrict-so_reuseport-to-inet-sockets.patch new file mode 100644 index 00000000000..3cca6df303b --- /dev/null +++ b/queue-5.15/net-restrict-so_reuseport-to-inet-sockets.patch @@ -0,0 +1,87 @@ +From a1c44225617ed814633fe655935a0995ea75d6cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 16:05:27 +0000 +Subject: net: restrict SO_REUSEPORT to inet sockets + +From: Eric Dumazet + +[ Upstream commit 5b0af621c3f6ef9261cf6067812f2fd9943acb4b ] + +After blamed commit, crypto sockets could accidentally be destroyed +from RCU call back, as spotted by zyzbot [1]. + +Trying to acquire a mutex in RCU callback is not allowed. + +Restrict SO_REUSEPORT socket option to inet sockets. + +v1 of this patch supported TCP, UDP and SCTP sockets, +but fcnal-test.sh test needed RAW and ICMP support. + +[1] +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1 +preempt_count: 100, expected: 0 +RCU nest depth: 0, expected: 0 +1 lock held by ksoftirqd/1/24: + #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] + #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline] + #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823 +Preemption disabled at: + [] softirq_handle_begin kernel/softirq.c:402 [inline] + [] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537 +CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + __might_resched+0x5d4/0x780 kernel/sched/core.c:8758 + __mutex_lock_common kernel/locking/mutex.c:562 [inline] + __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735 + crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179 + aead_release+0x3d/0x50 crypto/algif_aead.c:489 + alg_do_release crypto/af_alg.c:118 [inline] + alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502 + __sk_destruct+0x58/0x5f0 net/core/sock.c:2260 + rcu_do_batch kernel/rcu/tree.c:2567 [inline] + rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 + run_ksoftirqd+0xca/0x130 kernel/softirq.c:950 + smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + +Fixes: 8c7138b33e5c ("net: Unpublish sk from sk_reuseport_cb before call_rcu") +Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6772f2f4.050a0220.2f3838.04cb.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin KaFai Lau +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20241231160527.3994168-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 046943b6efb1..dce2bf8dfd1d 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -994,7 +994,10 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + sk->sk_reuse = (valbool ? SK_CAN_REUSE : SK_NO_REUSE); + break; + case SO_REUSEPORT: +- sk->sk_reuseport = valbool; ++ if (valbool && !sk_is_inet(sk)) ++ ret = -EOPNOTSUPP; ++ else ++ sk->sk_reuseport = valbool; + break; + case SO_TYPE: + case SO_PROTOCOL: +-- +2.39.5 + diff --git a/queue-5.15/net-stmmac-don-t-create-a-mdio-bus-if-unnecessary.patch b/queue-5.15/net-stmmac-don-t-create-a-mdio-bus-if-unnecessary.patch new file mode 100644 index 00000000000..e8e42c924a1 --- /dev/null +++ b/queue-5.15/net-stmmac-don-t-create-a-mdio-bus-if-unnecessary.patch @@ -0,0 +1,248 @@ +From b105c5d643079b470386255629f321b8150be122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 16:07:36 -0600 +Subject: net: stmmac: don't create a MDIO bus if unnecessary + +From: Andrew Halaney + +[ Upstream commit f3c2caacee824ce4a331cdafb0b8dc8e987f105e ] + +Currently a MDIO bus is created if the devicetree description is either: + + 1. Not fixed-link + 2. fixed-link but contains a MDIO bus as well + +The "1" case above isn't always accurate. If there's a phy-handle, +it could be referencing a phy on another MDIO controller's bus[1]. In +this case, where the MDIO bus is not described at all, currently +stmmac will make a MDIO bus and scan its address space to discover +phys (of which there are none). This process takes time scanning a bus +that is known to be empty, delaying time to complete probe. + +There are also a lot of upstream devicetrees[2] that expect a MDIO bus +to be created, scanned for phys, and the first one found connected +to the MAC. This case can be inferred from the platform description by +not having a phy-handle && not being fixed-link. This hits case "1" in +the current driver's logic, and must be handled in any logic change here +since it is a valid legacy dt-binding. + +Let's improve the logic to create a MDIO bus if either: + + - Devicetree contains a MDIO bus + - !fixed-link && !phy-handle (legacy handling) + +This way the case where no MDIO bus should be made is handled, as well +as retaining backwards compatibility with the valid cases. + +Below devicetree snippets can be found that explain some of +the cases above more concretely. + +Here's[0] a devicetree example where the MAC is both fixed-link and +driving a switch on MDIO (case "2" above). This needs a MDIO bus to +be created: + + &fec1 { + phy-mode = "rmii"; + + fixed-link { + speed = <100>; + full-duplex; + }; + + mdio1: mdio { + switch0: switch0@0 { + compatible = "marvell,mv88e6190"; + pinctrl-0 = <&pinctrl_gpio_switch0>; + }; + }; + }; + +Here's[1] an example where there is no MDIO bus or fixed-link for +the ethernet1 MAC, so no MDIO bus should be created since ethernet0 +is the MDIO master for ethernet1's phy: + + ðernet0 { + phy-mode = "sgmii"; + phy-handle = <&sgmii_phy0>; + + mdio { + compatible = "snps,dwmac-mdio"; + sgmii_phy0: phy@8 { + compatible = "ethernet-phy-id0141.0dd4"; + reg = <0x8>; + device_type = "ethernet-phy"; + }; + + sgmii_phy1: phy@a { + compatible = "ethernet-phy-id0141.0dd4"; + reg = <0xa>; + device_type = "ethernet-phy"; + }; + }; + }; + + ðernet1 { + phy-mode = "sgmii"; + phy-handle = <&sgmii_phy1>; + }; + +Finally there's descriptions like this[2] which don't describe the +MDIO bus but expect it to be created and the whole address space +scanned for a phy since there's no phy-handle or fixed-link described: + + &gmac { + phy-supply = <&vcc_lan>; + phy-mode = "rmii"; + snps,reset-gpio = <&gpio3 RK_PB4 GPIO_ACTIVE_HIGH>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 1000000>; + }; + +[0] https://elixir.bootlin.com/linux/v6.5-rc5/source/arch/arm/boot/dts/nxp/vf/vf610-zii-ssmb-dtu.dts +[1] https://elixir.bootlin.com/linux/v6.6-rc5/source/arch/arm64/boot/dts/qcom/sa8775p-ride.dts +[2] https://elixir.bootlin.com/linux/v6.6-rc5/source/arch/arm64/boot/dts/rockchip/rk3368-r88.dts#L164 + +Reviewed-by: Serge Semin +Co-developed-by: Bartosz Golaszewski +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Andrew Halaney +Signed-off-by: David S. Miller +Stable-dep-of: 2b6ffcd7873b ("net: stmmac: restructure the error path of stmmac_probe_config_dt()") +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/stmmac_platform.c | 91 +++++++++++-------- + 1 file changed, 54 insertions(+), 37 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 196fb1ddbec0..7f816f0cf9a5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -294,62 +294,80 @@ static int stmmac_mtl_setup(struct platform_device *pdev, + } + + /** +- * stmmac_dt_phy - parse device-tree driver parameters to allocate PHY resources +- * @plat: driver data platform structure +- * @np: device tree node +- * @dev: device pointer +- * Description: +- * The mdio bus will be allocated in case of a phy transceiver is on board; +- * it will be NULL if the fixed-link is configured. +- * If there is the "snps,dwmac-mdio" sub-node the mdio will be allocated +- * in any case (for DSA, mdio must be registered even if fixed-link). +- * The table below sums the supported configurations: +- * ------------------------------- +- * snps,phy-addr | Y +- * ------------------------------- +- * phy-handle | Y +- * ------------------------------- +- * fixed-link | N +- * ------------------------------- +- * snps,dwmac-mdio | +- * even if | Y +- * fixed-link | +- * ------------------------------- ++ * stmmac_of_get_mdio() - Gets the MDIO bus from the devicetree. ++ * @np: devicetree node + * +- * It returns 0 in case of success otherwise -ENODEV. ++ * The MDIO bus will be searched for in the following ways: ++ * 1. The compatible is "snps,dwc-qos-ethernet-4.10" && a "mdio" named ++ * child node exists ++ * 2. A child node with the "snps,dwmac-mdio" compatible is present ++ * ++ * Return: The MDIO node if present otherwise NULL + */ +-static int stmmac_dt_phy(struct plat_stmmacenet_data *plat, +- struct device_node *np, struct device *dev) ++static struct device_node *stmmac_of_get_mdio(struct device_node *np) + { +- bool mdio = !of_phy_is_fixed_link(np); + static const struct of_device_id need_mdio_ids[] = { + { .compatible = "snps,dwc-qos-ethernet-4.10" }, + {}, + }; ++ struct device_node *mdio_node = NULL; + + if (of_match_node(need_mdio_ids, np)) { +- plat->mdio_node = of_get_child_by_name(np, "mdio"); ++ mdio_node = of_get_child_by_name(np, "mdio"); + } else { + /** + * If snps,dwmac-mdio is passed from DT, always register + * the MDIO + */ +- for_each_child_of_node(np, plat->mdio_node) { +- if (of_device_is_compatible(plat->mdio_node, ++ for_each_child_of_node(np, mdio_node) { ++ if (of_device_is_compatible(mdio_node, + "snps,dwmac-mdio")) + break; + } + } + +- if (plat->mdio_node) { ++ return mdio_node; ++} ++ ++/** ++ * stmmac_mdio_setup() - Populate platform related MDIO structures. ++ * @plat: driver data platform structure ++ * @np: devicetree node ++ * @dev: device pointer ++ * ++ * This searches for MDIO information from the devicetree. ++ * If an MDIO node is found, it's assigned to plat->mdio_node and ++ * plat->mdio_bus_data is allocated. ++ * If no connection can be determined, just plat->mdio_bus_data is allocated ++ * to indicate a bus should be created and scanned for a phy. ++ * If it's determined there's no MDIO bus needed, both are left NULL. ++ * ++ * This expects that plat->phy_node has already been searched for. ++ * ++ * Return: 0 on success, errno otherwise. ++ */ ++static int stmmac_mdio_setup(struct plat_stmmacenet_data *plat, ++ struct device_node *np, struct device *dev) ++{ ++ bool legacy_mdio; ++ ++ plat->mdio_node = stmmac_of_get_mdio(np); ++ if (plat->mdio_node) + dev_dbg(dev, "Found MDIO subnode\n"); +- mdio = true; +- } + +- if (mdio) { +- plat->mdio_bus_data = +- devm_kzalloc(dev, sizeof(struct stmmac_mdio_bus_data), +- GFP_KERNEL); ++ /* Legacy devicetrees allowed for no MDIO bus description and expect ++ * the bus to be scanned for devices. If there's no phy or fixed-link ++ * described assume this is the case since there must be something ++ * connected to the MAC. ++ */ ++ legacy_mdio = !of_phy_is_fixed_link(np) && !plat->phy_node; ++ if (legacy_mdio) ++ dev_info(dev, "Deprecated MDIO bus assumption used\n"); ++ ++ if (plat->mdio_node || legacy_mdio) { ++ plat->mdio_bus_data = devm_kzalloc(dev, ++ sizeof(*plat->mdio_bus_data), ++ GFP_KERNEL); + if (!plat->mdio_bus_data) + return -ENOMEM; + +@@ -453,8 +471,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + if (of_property_read_u32(np, "snps,phy-addr", &plat->phy_addr) == 0) + dev_warn(&pdev->dev, "snps,phy-addr property is deprecated\n"); + +- /* To Configure PHY by using all device-tree supported properties */ +- rc = stmmac_dt_phy(plat, np, &pdev->dev); ++ rc = stmmac_mdio_setup(plat, np, &pdev->dev); + if (rc) + return ERR_PTR(rc); + +-- +2.39.5 + diff --git a/queue-5.15/net-stmmac-platform-provide-devm_stmmac_probe_config.patch b/queue-5.15/net-stmmac-platform-provide-devm_stmmac_probe_config.patch new file mode 100644 index 00000000000..eb195b84919 --- /dev/null +++ b/queue-5.15/net-stmmac-platform-provide-devm_stmmac_probe_config.patch @@ -0,0 +1,110 @@ +From b29985b9f0784c1471ec3e3faa7a5b8047a09d21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jun 2023 12:04:14 +0200 +Subject: net: stmmac: platform: provide devm_stmmac_probe_config_dt() + +From: Bartosz Golaszewski + +[ Upstream commit d74065427374da6659a2d7fad4ec55c8926d43c4 ] + +Provide a devres variant of stmmac_probe_config_dt() that allows users to +skip calling stmmac_remove_config_dt() at driver detach. + +Signed-off-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20230623100417.93592-9-brgl@bgdev.pl +Signed-off-by: Jakub Kicinski +Stable-dep-of: 2b6ffcd7873b ("net: stmmac: restructure the error path of stmmac_probe_config_dt()") +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/stmmac_platform.c | 41 +++++++++++++++++++ + .../ethernet/stmicro/stmmac/stmmac_platform.h | 2 + + 2 files changed, 43 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index e12df9d99089..196fb1ddbec0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -8,6 +8,7 @@ + Author: Giuseppe Cavallaro + *******************************************************************************/ + ++#include + #include + #include + #include +@@ -627,6 +628,39 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + return ret; + } + ++static void devm_stmmac_remove_config_dt(void *data) ++{ ++ struct plat_stmmacenet_data *plat = data; ++ ++ /* Platform data argument is unused */ ++ stmmac_remove_config_dt(NULL, plat); ++} ++ ++/** ++ * devm_stmmac_probe_config_dt ++ * @pdev: platform_device structure ++ * @mac: MAC address to use ++ * Description: Devres variant of stmmac_probe_config_dt(). Does not require ++ * the user to call stmmac_remove_config_dt() at driver detach. ++ */ ++struct plat_stmmacenet_data * ++devm_stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) ++{ ++ struct plat_stmmacenet_data *plat; ++ int ret; ++ ++ plat = stmmac_probe_config_dt(pdev, mac); ++ if (IS_ERR(plat)) ++ return plat; ++ ++ ret = devm_add_action_or_reset(&pdev->dev, ++ devm_stmmac_remove_config_dt, plat); ++ if (ret) ++ return ERR_PTR(ret); ++ ++ return plat; ++} ++ + /** + * stmmac_remove_config_dt - undo the effects of stmmac_probe_config_dt() + * @pdev: platform_device structure +@@ -649,12 +683,19 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + return ERR_PTR(-EINVAL); + } + ++struct plat_stmmacenet_data * ++devm_stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) ++{ ++ return ERR_PTR(-EINVAL); ++} ++ + void stmmac_remove_config_dt(struct platform_device *pdev, + struct plat_stmmacenet_data *plat) + { + } + #endif /* CONFIG_OF */ + EXPORT_SYMBOL_GPL(stmmac_probe_config_dt); ++EXPORT_SYMBOL_GPL(devm_stmmac_probe_config_dt); + EXPORT_SYMBOL_GPL(stmmac_remove_config_dt); + + int stmmac_get_platform_resources(struct platform_device *pdev, +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h +index 3fff3f59d73d..2102c6d41464 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h +@@ -13,6 +13,8 @@ + + struct plat_stmmacenet_data * + stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac); ++struct plat_stmmacenet_data * ++devm_stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac); + void stmmac_remove_config_dt(struct platform_device *pdev, + struct plat_stmmacenet_data *plat); + +-- +2.39.5 + diff --git a/queue-5.15/net-stmmac-restructure-the-error-path-of-stmmac_prob.patch b/queue-5.15/net-stmmac-restructure-the-error-path-of-stmmac_prob.patch new file mode 100644 index 00000000000..7aabfd4a6a2 --- /dev/null +++ b/queue-5.15/net-stmmac-restructure-the-error-path-of-stmmac_prob.patch @@ -0,0 +1,105 @@ +From d4d6b4ad35d494ce20696a822f3ef5d73d9a5b96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 11:41:19 +0900 +Subject: net: stmmac: restructure the error path of stmmac_probe_config_dt() + +From: Joe Hattori + +[ Upstream commit 2b6ffcd7873b7e8a62c3e15a6f305bfc747c466b ] + +Current implementation of stmmac_probe_config_dt() does not release the +OF node reference obtained by of_parse_phandle() in some error paths. +The problem is that some error paths call stmmac_remove_config_dt() to +clean up but others use and unwind ladder. These two types of error +handling have not kept in sync and have been a recurring source of bugs. +Re-write the error handling in stmmac_probe_config_dt() to use an unwind +ladder. Consequently, stmmac_remove_config_dt() is not needed anymore, +thus remove it. + +This bug was found by an experimental verification tool that I am +developing. + +Fixes: 4838a5405028 ("net: stmmac: Fix wrapper drivers not detecting PHY") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20241219024119.2017012-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/stmmac_platform.c | 27 ++++++++++++------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 7f816f0cf9a5..36b013b9d99e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -472,8 +472,10 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + dev_warn(&pdev->dev, "snps,phy-addr property is deprecated\n"); + + rc = stmmac_mdio_setup(plat, np, &pdev->dev); +- if (rc) +- return ERR_PTR(rc); ++ if (rc) { ++ ret = ERR_PTR(rc); ++ goto error_put_phy; ++ } + + of_property_read_u32(np, "tx-fifo-depth", &plat->tx_fifo_size); + +@@ -559,8 +561,8 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + dma_cfg = devm_kzalloc(&pdev->dev, sizeof(*dma_cfg), + GFP_KERNEL); + if (!dma_cfg) { +- stmmac_remove_config_dt(pdev, plat); +- return ERR_PTR(-ENOMEM); ++ ret = ERR_PTR(-ENOMEM); ++ goto error_put_mdio; + } + plat->dma_cfg = dma_cfg; + +@@ -588,8 +590,8 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + + rc = stmmac_mtl_setup(pdev, plat); + if (rc) { +- stmmac_remove_config_dt(pdev, plat); +- return ERR_PTR(rc); ++ ret = ERR_PTR(rc); ++ goto error_put_mdio; + } + + /* clock setup */ +@@ -641,6 +643,10 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + clk_disable_unprepare(plat->pclk); + error_pclk_get: + clk_disable_unprepare(plat->stmmac_clk); ++error_put_mdio: ++ of_node_put(plat->mdio_node); ++error_put_phy: ++ of_node_put(plat->phy_node); + + return ret; + } +@@ -649,16 +655,17 @@ static void devm_stmmac_remove_config_dt(void *data) + { + struct plat_stmmacenet_data *plat = data; + +- /* Platform data argument is unused */ +- stmmac_remove_config_dt(NULL, plat); ++ clk_disable_unprepare(plat->stmmac_clk); ++ clk_disable_unprepare(plat->pclk); ++ of_node_put(plat->mdio_node); ++ of_node_put(plat->phy_node); + } + + /** + * devm_stmmac_probe_config_dt + * @pdev: platform_device structure + * @mac: MAC address to use +- * Description: Devres variant of stmmac_probe_config_dt(). Does not require +- * the user to call stmmac_remove_config_dt() at driver detach. ++ * Description: Devres variant of stmmac_probe_config_dt(). + */ + struct plat_stmmacenet_data * + devm_stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) +-- +2.39.5 + diff --git a/queue-5.15/net-wwan-iosm-properly-check-for-valid-exec-stage-in.patch b/queue-5.15/net-wwan-iosm-properly-check-for-valid-exec-stage-in.patch new file mode 100644 index 00000000000..cd0bd67984c --- /dev/null +++ b/queue-5.15/net-wwan-iosm-properly-check-for-valid-exec-stage-in.patch @@ -0,0 +1,47 @@ +From 5a4271bdeb9ccc8308f6ee63e87407716420d10f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 17:46:58 +0100 +Subject: net: wwan: iosm: Properly check for valid exec stage in + ipc_mmio_init() + +From: Maciej S. Szmigiero + +[ Upstream commit a7af435df0e04cfb4a4004136d597c42639a2ae7 ] + +ipc_mmio_init() used the post-decrement operator in its loop continuing +condition of "retries" counter being "> 0", which meant that when this +condition caused loop exit "retries" counter reached -1. + +But the later valid exec stage failure check only tests for "retries" +counter being exactly zero, so it didn't trigger in this case (but +would wrongly trigger if the code reaches a valid exec stage in the +very last loop iteration). + +Fix this by using the pre-decrement operator instead, so the loop counter +is exactly zero on valid exec stage failure. + +Fixes: dc0514f5d828 ("net: iosm: mmio scratchpad") +Signed-off-by: Maciej S. Szmigiero +Link: https://patch.msgid.link/8b19125a825f9dcdd81c667c1e5c48ba28d505a6.1735490770.git.mail@maciej.szmigiero.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mmio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mmio.c b/drivers/net/wwan/iosm/iosm_ipc_mmio.c +index 09f94c123531..b452ddf9ef06 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mmio.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mmio.c +@@ -102,7 +102,7 @@ struct iosm_mmio *ipc_mmio_init(void __iomem *mmio, struct device *dev) + break; + + msleep(20); +- } while (retries-- > 0); ++ } while (--retries > 0); + + if (!retries) { + dev_err(ipc_mmio->dev, "invalid exec stage %X", stage); +-- +2.39.5 + diff --git a/queue-5.15/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch b/queue-5.15/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch new file mode 100644 index 00000000000..6ee96feaa4d --- /dev/null +++ b/queue-5.15/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch @@ -0,0 +1,96 @@ +From d8e9ef12d686a6b1b19ab64cf3483a7e73bd795a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Dec 2024 00:29:20 +0100 +Subject: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext + +From: Pablo Neira Ayuso + +[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ] + +Access to genmask field in struct nft_set_ext results in unaligned +atomic read: + +[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c +[ 72.131036] Mem abort info: +[ 72.131213] ESR = 0x0000000096000021 +[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits +[ 72.132209] SET = 0, FnV = 0 +[ 72.133216] EA = 0, S1PTW = 0 +[ 72.134080] FSC = 0x21: alignment fault +[ 72.135593] Data abort info: +[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 +[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 +[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, ++pte=0068000102bb7707 +[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP +[...] +[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 +[ 72.170509] Tainted: [E]=UNSIGNED_MODULE +[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 +[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] +[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] +[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] +[ 72.172546] sp : ffff800081f2bce0 +[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 +[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 +[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 +[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 +[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 +[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 +[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 +[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 +[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 +[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 +[ 72.176207] Call trace: +[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) +[ 72.176653] process_one_work+0x178/0x3d0 +[ 72.176831] worker_thread+0x200/0x3f0 +[ 72.176995] kthread+0xe8/0xf8 +[ 72.177130] ret_from_fork+0x10/0x20 +[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) +[ 72.177557] ---[ end trace 0000000000000000 ]--- + +Align struct nft_set_ext to word size to address this and +documentation it. + +pahole reports that this increases the size of elements for rhash and +pipapo in 8 bytes on x86_64. + +Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index e2c786af2fc6..9ee225cff611 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -690,15 +690,18 @@ struct nft_set_ext_tmpl { + /** + * struct nft_set_ext - set extensions + * +- * @genmask: generation mask ++ * @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT) + * @offset: offsets of individual extension types + * @data: beginning of extension data ++ * ++ * This structure must be aligned to word size, otherwise atomic bitops ++ * on genmask field can cause alignment failure on some archs. + */ + struct nft_set_ext { + u8 genmask; + u8 offset[NFT_SET_EXT_NUM]; + char data[]; +-}; ++} __aligned(BITS_PER_LONG / 8); + + static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl) + { +-- +2.39.5 + diff --git a/queue-5.15/netrom-check-buffer-length-before-accessing-it.patch b/queue-5.15/netrom-check-buffer-length-before-accessing-it.patch new file mode 100644 index 00000000000..38d0a64eda7 --- /dev/null +++ b/queue-5.15/netrom-check-buffer-length-before-accessing-it.patch @@ -0,0 +1,105 @@ +From 5f51504102f8dfdd0b8a9e037c06b968dd8fe5e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 08:23:07 +0000 +Subject: netrom: check buffer length before accessing it + +From: Ilya Shchipletsov + +[ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ] + +Syzkaller reports an uninit value read from ax25cmp when sending raw message +through ieee802154 implementation. + +===================================================== +BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119 + nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601 + nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774 + nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 + __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x318/0x740 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780 + sock_alloc_send_skb include/net/sock.h:1884 [inline] + raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282 + ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +===================================================== + +This issue occurs because the skb buffer is too small, and it's actual +allocation is aligned. This hides an actual issue, which is that nr_route_frame +does not validate the buffer size before using it. + +Fix this issue by checking skb->len before accessing any fields in skb->data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Nikita Marushkin +Signed-off-by: Nikita Marushkin +Signed-off-by: Ilya Shchipletsov +Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_route.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index dc39ae20c6aa..782a6e0d1b6e 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -754,6 +754,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) + int ret; + struct sk_buff *skbn; + ++ /* ++ * Reject malformed packets early. Check that it contains at least 2 ++ * addresses and 1 byte more for Time-To-Live ++ */ ++ if (skb->len < 2 * sizeof(ax25_address) + 1) ++ return 0; + + nr_src = (ax25_address *)(skb->data + 0); + nr_dest = (ax25_address *)(skb->data + 7); +-- +2.39.5 + diff --git a/queue-5.15/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch b/queue-5.15/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch new file mode 100644 index 00000000000..0de7e32b52b --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch @@ -0,0 +1,64 @@ +From ecc7cac830a4936e76afd159d3713d55e0627d0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:28 +0530 +Subject: RDMA/bnxt_re: Add check for path mtu in modify_qp + +From: Saravanan Vajravel + +[ Upstream commit 798653a0ee30d3cd495099282751c0f248614ae7 ] + +When RDMA app configures path MTU, add a check in modify_qp verb +to make sure that it doesn't go beyond interface MTU. If this +check fails, driver will fail the modify_qp verb. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Kalesh AP +Signed-off-by: Saravanan Vajravel +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 26 +++++++++++++----------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 0ce7bdcf988e..3839e794de22 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1935,18 +1935,20 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr, + } + } + +- if (qp_attr_mask & IB_QP_PATH_MTU) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = __from_ib_mtu(qp_attr->path_mtu); +- qp->qplib_qp.mtu = ib_mtu_enum_to_int(qp_attr->path_mtu); +- } else if (qp_attr->qp_state == IB_QPS_RTR) { +- qp->qplib_qp.modify_flags |= +- CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; +- qp->qplib_qp.path_mtu = +- __from_ib_mtu(iboe_get_mtu(rdev->netdev->mtu)); +- qp->qplib_qp.mtu = +- ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->mtu)); ++ if (qp_attr->qp_state == IB_QPS_RTR) { ++ enum ib_mtu qpmtu; ++ ++ qpmtu = iboe_get_mtu(rdev->netdev->mtu); ++ if (qp_attr_mask & IB_QP_PATH_MTU) { ++ if (ib_mtu_enum_to_int(qp_attr->path_mtu) > ++ ib_mtu_enum_to_int(qpmtu)) ++ return -EINVAL; ++ qpmtu = qp_attr->path_mtu; ++ } ++ ++ qp->qplib_qp.modify_flags |= CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU; ++ qp->qplib_qp.path_mtu = __from_ib_mtu(qpmtu); ++ qp->qplib_qp.mtu = ib_mtu_enum_to_int(qpmtu); + } + + if (qp_attr_mask & IB_QP_TIMEOUT) { +-- +2.39.5 + diff --git a/queue-5.15/rdma-bnxt_re-fix-max_qp_wrs-reported.patch b/queue-5.15/rdma-bnxt_re-fix-max_qp_wrs-reported.patch new file mode 100644 index 00000000000..34906ddd168 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-max_qp_wrs-reported.patch @@ -0,0 +1,42 @@ +From a36bcbdcbffea21943ba732f8e196bf91dd1b5a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 15:56:45 +0530 +Subject: RDMA/bnxt_re: Fix max_qp_wrs reported + +From: Selvin Xavier + +[ Upstream commit 40be32303ec829ea12f9883e499bfd3fe9e52baf ] + +While creating qps, driver adds one extra entry to the sq size +passed by the ULPs in order to avoid queue full condition. +When ULPs creates QPs with max_qp_wr reported, driver creates +QP with 1 more than the max_wqes supported by HW. Create QP fails +in this case. To avoid this error, reduce 1 entry in max_qp_wqes +and report it to the stack. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241217102649.1377704-2-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index a161e0d3cb44..2a9f08ac5fea 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -124,7 +124,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw, + attr->max_qp_init_rd_atom = + sb->max_qp_init_rd_atom > BNXT_QPLIB_MAX_OUT_RD_ATOM ? + BNXT_QPLIB_MAX_OUT_RD_ATOM : sb->max_qp_init_rd_atom; +- attr->max_qp_wqes = le16_to_cpu(sb->max_qp_wr); ++ attr->max_qp_wqes = le16_to_cpu(sb->max_qp_wr) - 1; + /* + * 128 WQEs needs to be reserved for the HW (8916). Prevent + * reporting the max number +-- +2.39.5 + diff --git a/queue-5.15/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch b/queue-5.15/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch new file mode 100644 index 00000000000..54900bc679c --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch @@ -0,0 +1,41 @@ +From 874dc0d29034de9b2f3db432f5efb5c6ab81c063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 14:09:31 +0530 +Subject: RDMA/bnxt_re: Fix reporting hw_ver in query_device + +From: Kalesh AP + +[ Upstream commit 7179fe0074a3c962e43a9e51169304c4911989ed ] + +Driver currently populates subsystem_device id in the +"hw_ver" field of ib_attr structure in query_device. + +Updated to populate PCI revision ID. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Reviewed-by: Preethi G +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 3839e794de22..cb733fc497c8 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -137,7 +137,7 @@ int bnxt_re_query_device(struct ib_device *ibdev, + + ib_attr->vendor_id = rdev->en_dev->pdev->vendor; + ib_attr->vendor_part_id = rdev->en_dev->pdev->device; +- ib_attr->hw_ver = rdev->en_dev->pdev->subsystem_device; ++ ib_attr->hw_ver = rdev->en_dev->pdev->revision; + ib_attr->max_qp = dev_attr->max_qp; + ib_attr->max_qp_wr = dev_attr->max_qp_wqes; + ib_attr->device_cap_flags = +-- +2.39.5 + diff --git a/queue-5.15/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch b/queue-5.15/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch new file mode 100644 index 00000000000..7c40c0ce8e5 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch @@ -0,0 +1,43 @@ +From c1e80043b1564838148cdf0fa4a29daca6bf3aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 15:56:49 +0530 +Subject: RDMA/bnxt_re: Fix the locking while accessing the QP table + +From: Selvin Xavier + +[ Upstream commit 9272cba0ded71b5a2084da3004ec7806b8cb7fd2 ] + +QP table handling is synchronized with destroy QP and Async +event from the HW. The same needs to be synchronized +during create_qp also. Use the same lock in create_qp also. + +Fixes: 76d3ddff7153 ("RDMA/bnxt_re: synchronize the qp-handle table array") +Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error") +Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing") +Signed-off-by: Selvin Xavier +Link: https://patch.msgid.link/20241217102649.1377704-6-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index dea70db9ee97..27cf6e62422a 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -1144,9 +1144,11 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp) + rq->dbinfo.db = qp->dpi->dbr; + rq->dbinfo.max_slot = bnxt_qplib_set_rq_max_slot(rq->wqe_size); + } ++ spin_lock_bh(&rcfw->tbl_lock); + tbl_indx = map_qp_id_to_tbl_indx(qp->id, rcfw); + rcfw->qp_tbl[tbl_indx].qp_id = qp->id; + rcfw->qp_tbl[tbl_indx].qp_handle = (void *)qp; ++ spin_unlock_bh(&rcfw->tbl_lock); + + return 0; + fail: +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-fix-mapping-error-of-zero-hop-wqe-buffer.patch b/queue-5.15/rdma-hns-fix-mapping-error-of-zero-hop-wqe-buffer.patch new file mode 100644 index 00000000000..166ba805705 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-mapping-error-of-zero-hop-wqe-buffer.patch @@ -0,0 +1,177 @@ +From 733ff5d0668f118211968cc08264f874ef952e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 13:52:46 +0800 +Subject: RDMA/hns: Fix mapping error of zero-hop WQE buffer + +From: wenglianfa + +[ Upstream commit 8673a6c2d9e483dfeeef83a1f06f59e05636f4d1 ] + +Due to HW limitation, the three region of WQE buffer must be mapped +and set to HW in a fixed order: SQ buffer, SGE buffer, and RQ buffer. + +Currently when one region is zero-hop while the other two are not, +the zero-hop region will not be mapped. This violate the limitation +above and leads to address error. + +Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20241220055249.146943-2-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 43 ++++++++++++++++-------- + drivers/infiniband/hw/hns/hns_roce_mr.c | 5 --- + 2 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index 09298f38be23..99708a7bcda7 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -977,6 +977,7 @@ struct hns_roce_hem_item { + size_t count; /* max ba numbers */ + int start; /* start buf offset in this hem */ + int end; /* end buf offset in this hem */ ++ bool exist_bt; + }; + + /* All HEM items are linked in a tree structure */ +@@ -1005,6 +1006,7 @@ hem_list_alloc_item(struct hns_roce_dev *hr_dev, int start, int end, int count, + } + } + ++ hem->exist_bt = exist_bt; + hem->count = count; + hem->start = start; + hem->end = end; +@@ -1015,22 +1017,22 @@ hem_list_alloc_item(struct hns_roce_dev *hr_dev, int start, int end, int count, + } + + static void hem_list_free_item(struct hns_roce_dev *hr_dev, +- struct hns_roce_hem_item *hem, bool exist_bt) ++ struct hns_roce_hem_item *hem) + { +- if (exist_bt) ++ if (hem->exist_bt) + dma_free_coherent(hr_dev->dev, hem->count * BA_BYTE_LEN, + hem->addr, hem->dma_addr); + kfree(hem); + } + + static void hem_list_free_all(struct hns_roce_dev *hr_dev, +- struct list_head *head, bool exist_bt) ++ struct list_head *head) + { + struct hns_roce_hem_item *hem, *temp_hem; + + list_for_each_entry_safe(hem, temp_hem, head, list) { + list_del(&hem->list); +- hem_list_free_item(hr_dev, hem, exist_bt); ++ hem_list_free_item(hr_dev, hem); + } + } + +@@ -1132,6 +1134,10 @@ int hns_roce_hem_list_calc_root_ba(const struct hns_roce_buf_region *regions, + + for (i = 0; i < region_cnt; i++) { + r = (struct hns_roce_buf_region *)®ions[i]; ++ /* when r->hopnum = 0, the region should not occupy root_ba. */ ++ if (!r->hopnum) ++ continue; ++ + if (r->hopnum > 1) { + step = hem_list_calc_ba_range(r->hopnum, 1, unit); + if (step > 0) +@@ -1226,7 +1232,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + + err_exit: + for (level = 1; level < hopnum; level++) +- hem_list_free_all(hr_dev, &temp_list[level], true); ++ hem_list_free_all(hr_dev, &temp_list[level]); + + return ret; + } +@@ -1267,16 +1273,26 @@ static int alloc_fake_root_bt(struct hns_roce_dev *hr_dev, void *cpu_base, + { + struct hns_roce_hem_item *hem; + ++ /* This is on the has_mtt branch, if r->hopnum ++ * is 0, there is no root_ba to reuse for the ++ * region's fake hem, so a dma_alloc request is ++ * necessary here. ++ */ + hem = hem_list_alloc_item(hr_dev, r->offset, r->offset + r->count - 1, +- r->count, false); ++ r->count, !r->hopnum); + if (!hem) + return -ENOMEM; + +- hem_list_assign_bt(hr_dev, hem, cpu_base, phy_base); ++ /* The root_ba can be reused only when r->hopnum > 0. */ ++ if (r->hopnum) ++ hem_list_assign_bt(hr_dev, hem, cpu_base, phy_base); + list_add(&hem->list, branch_head); + list_add(&hem->sibling, leaf_head); + +- return r->count; ++ /* If r->hopnum == 0, 0 is returned, ++ * so that the root_bt entry is not occupied. ++ */ ++ return r->hopnum ? r->count : 0; + } + + static int setup_middle_bt(struct hns_roce_dev *hr_dev, void *cpu_base, +@@ -1320,7 +1336,7 @@ setup_root_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem_list *hem_list, + return -ENOMEM; + + total = 0; +- for (i = 0; i < region_cnt && total < max_ba_num; i++) { ++ for (i = 0; i < region_cnt && total <= max_ba_num; i++) { + r = ®ions[i]; + if (!r->count) + continue; +@@ -1386,9 +1402,9 @@ static int hem_list_alloc_root_bt(struct hns_roce_dev *hr_dev, + region_cnt); + if (ret) { + for (i = 0; i < region_cnt; i++) +- hem_list_free_all(hr_dev, &head.branch[i], false); ++ hem_list_free_all(hr_dev, &head.branch[i]); + +- hem_list_free_all(hr_dev, &head.root, true); ++ hem_list_free_all(hr_dev, &head.root); + } + + return ret; +@@ -1451,10 +1467,9 @@ void hns_roce_hem_list_release(struct hns_roce_dev *hr_dev, + + for (i = 0; i < HNS_ROCE_MAX_BT_REGION; i++) + for (j = 0; j < HNS_ROCE_MAX_BT_LEVEL; j++) +- hem_list_free_all(hr_dev, &hem_list->mid_bt[i][j], +- j != 0); ++ hem_list_free_all(hr_dev, &hem_list->mid_bt[i][j]); + +- hem_list_free_all(hr_dev, &hem_list->root_bt, true); ++ hem_list_free_all(hr_dev, &hem_list->root_bt); + INIT_LIST_HEAD(&hem_list->btm_bt); + hem_list->root_ba = 0; + } +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 79a59d5180cc..604dd38b5c8f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -793,11 +793,6 @@ int hns_roce_mtr_map(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr, + for (i = 0, mapped_cnt = 0; i < mtr->hem_cfg.region_count && + mapped_cnt < page_cnt; i++) { + r = &mtr->hem_cfg.region[i]; +- /* if hopnum is 0, no need to map pages in this region */ +- if (!r->hopnum) { +- mapped_cnt += r->count; +- continue; +- } + + if (r->offset + r->count > page_cnt) { + ret = -EINVAL; +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-fix-missing-flush-cqe-for-dwqe.patch b/queue-5.15/rdma-hns-fix-missing-flush-cqe-for-dwqe.patch new file mode 100644 index 00000000000..bf1a2f7603b --- /dev/null +++ b/queue-5.15/rdma-hns-fix-missing-flush-cqe-for-dwqe.patch @@ -0,0 +1,58 @@ +From 7770ac88e2a6164290c7cdfafd6d93186982e822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 13:52:49 +0800 +Subject: RDMA/hns: Fix missing flush CQE for DWQE + +From: Chengchang Tang + +[ Upstream commit e3debdd48423d3d75b9d366399228d7225d902cd ] + +Flush CQE handler has not been called if QP state gets into errored +mode in DWQE path. So, the new added outstanding WQEs will never be +flushed. + +It leads to a hung task timeout when using NFS over RDMA: + __switch_to+0x7c/0xd0 + __schedule+0x350/0x750 + schedule+0x50/0xf0 + schedule_timeout+0x2c8/0x340 + wait_for_common+0xf4/0x2b0 + wait_for_completion+0x20/0x40 + __ib_drain_sq+0x140/0x1d0 [ib_core] + ib_drain_sq+0x98/0xb0 [ib_core] + rpcrdma_xprt_disconnect+0x68/0x270 [rpcrdma] + xprt_rdma_close+0x20/0x60 [rpcrdma] + xprt_autoclose+0x64/0x1cc [sunrpc] + process_one_work+0x1d8/0x4e0 + worker_thread+0x154/0x420 + kthread+0x108/0x150 + ret_from_fork+0x10/0x18 + +Fixes: 01584a5edcc4 ("RDMA/hns: Add support of direct wqe") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20241220055249.146943-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index aa0e5076f02a..4f2e8f9d228b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -656,6 +656,10 @@ static void write_dwqe(struct hns_roce_dev *hr_dev, struct hns_roce_qp *qp, + #define HNS_ROCE_SL_SHIFT 2 + struct hns_roce_v2_rc_send_wqe *rc_sq_wqe = wqe; + ++ if (unlikely(qp->state == IB_QPS_ERR)) { ++ flush_cqe(hr_dev, qp); ++ return; ++ } + /* All kinds of DirectWQE have the same header field layout */ + hr_reg_enable(rc_sq_wqe, RC_SEND_WQE_FLAG); + hr_reg_write(rc_sq_wqe, RC_SEND_WQE_DB_SL_L, qp->sl); +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-fix-warning-storm-caused-by-invalid-input-i.patch b/queue-5.15/rdma-hns-fix-warning-storm-caused-by-invalid-input-i.patch new file mode 100644 index 00000000000..da367221751 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-warning-storm-caused-by-invalid-input-i.patch @@ -0,0 +1,47 @@ +From 3e3c1178197ae1428ab3d9d912d0c4f5f8317a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 13:52:48 +0800 +Subject: RDMA/hns: Fix warning storm caused by invalid input in IO path + +From: Chengchang Tang + +[ Upstream commit fa5c4ba8cdbfd2c2d6422e001311c8213283ebbf ] + +WARN_ON() is called in the IO path. And it could lead to a warning +storm. Use WARN_ON_ONCE() instead of WARN_ON(). + +Fixes: 12542f1de179 ("RDMA/hns: Refactor process about opcode in post_send()") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20241220055249.146943-4-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 6fdd563c9b9e..aa0e5076f02a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -459,7 +459,7 @@ static inline int set_ud_wqe(struct hns_roce_qp *qp, + valid_num_sge = calc_wr_sge_num(wr, &msg_len); + + ret = set_ud_opcode(ud_sq_wqe, wr); +- if (WARN_ON(ret)) ++ if (WARN_ON_ONCE(ret)) + return ret; + + ud_sq_wqe->msg_len = cpu_to_le32(msg_len); +@@ -563,7 +563,7 @@ static inline int set_rc_wqe(struct hns_roce_qp *qp, + rc_sq_wqe->msg_len = cpu_to_le32(msg_len); + + ret = set_rc_opcode(hr_dev, rc_sq_wqe, wr); +- if (WARN_ON(ret)) ++ if (WARN_ON_ONCE(ret)) + return ret; + + hr_reg_write(rc_sq_wqe, RC_SEND_WQE_SO, +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-remove-redundant-attr_mask-in-modify_qp_ini.patch b/queue-5.15/rdma-hns-remove-redundant-attr_mask-in-modify_qp_ini.patch new file mode 100644 index 00000000000..413efe97466 --- /dev/null +++ b/queue-5.15/rdma-hns-remove-redundant-attr_mask-in-modify_qp_ini.patch @@ -0,0 +1,60 @@ +From b491d7f22bd797e7598d812e1784d10739a33e01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 20:33:07 +0800 +Subject: RDMA/hns: Remove redundant 'attr_mask' in modify_qp_init_to_init() + +From: Yixing Liu + +[ Upstream commit bb4874af19686019d0dafd58726ed7b4058663ca ] + +The attr_mask variable is not used in the function, +so remove it. + +Link: https://lore.kernel.org/r/20220922123315.3732205-5-xuhaoyue1@hisilicon.com +Signed-off-by: Yixing Liu +Signed-off-by: Haoyue Xu +Signed-off-by: Jason Gunthorpe +Stable-dep-of: 8673a6c2d9e4 ("RDMA/hns: Fix mapping error of zero-hop WQE buffer") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index c013e96f956e..6fdd563c9b9e 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4073,7 +4073,6 @@ static inline int get_pdn(struct ib_pd *ib_pd) + + static void modify_qp_reset_to_init(struct ib_qp *ibqp, + const struct ib_qp_attr *attr, +- int attr_mask, + struct hns_roce_v2_qp_context *context, + struct hns_roce_v2_qp_context *qpc_mask) + { +@@ -4137,7 +4136,7 @@ static void modify_qp_reset_to_init(struct ib_qp *ibqp, + } + + static void modify_qp_init_to_init(struct ib_qp *ibqp, +- const struct ib_qp_attr *attr, int attr_mask, ++ const struct ib_qp_attr *attr, + struct hns_roce_v2_qp_context *context, + struct hns_roce_v2_qp_context *qpc_mask) + { +@@ -4792,11 +4791,9 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp, + + if (cur_state == IB_QPS_RESET && new_state == IB_QPS_INIT) { + memset(qpc_mask, 0, hr_dev->caps.qpc_sz); +- modify_qp_reset_to_init(ibqp, attr, attr_mask, context, +- qpc_mask); ++ modify_qp_reset_to_init(ibqp, attr, context, qpc_mask); + } else if (cur_state == IB_QPS_INIT && new_state == IB_QPS_INIT) { +- modify_qp_init_to_init(ibqp, attr, attr_mask, context, +- qpc_mask); ++ modify_qp_init_to_init(ibqp, attr, context, qpc_mask); + } else if (cur_state == IB_QPS_INIT && new_state == IB_QPS_RTR) { + ret = modify_qp_init_to_rtr(ibqp, attr, attr_mask, context, + qpc_mask); +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-remove-redundant-bt_level-for-hem_list_allo.patch b/queue-5.15/rdma-hns-remove-redundant-bt_level-for-hem_list_allo.patch new file mode 100644 index 00000000000..a762ffea0a4 --- /dev/null +++ b/queue-5.15/rdma-hns-remove-redundant-bt_level-for-hem_list_allo.patch @@ -0,0 +1,65 @@ +From 0033cc171c78741e28b83bafb1185b550d95f37b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 20:33:08 +0800 +Subject: RDMA/hns: Remove redundant 'bt_level' for hem_list_alloc_item() + +From: Yunsheng Lin + +[ Upstream commit be1eeb667eb748391b1c8158678fe4d892187793 ] + +The 'bt_level' parameter is not used in hem_list_alloc_item(), +so remove it. + +Link: https://lore.kernel.org/r/20220922123315.3732205-6-xuhaoyue1@hisilicon.com +Signed-off-by: Yunsheng Lin +Signed-off-by: Haoyue Xu +Signed-off-by: Jason Gunthorpe +Stable-dep-of: 8673a6c2d9e4 ("RDMA/hns: Fix mapping error of zero-hop WQE buffer") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index ce2ace2c850d..09298f38be23 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -988,7 +988,7 @@ struct hns_roce_hem_head { + + static struct hns_roce_hem_item * + hem_list_alloc_item(struct hns_roce_dev *hr_dev, int start, int end, int count, +- bool exist_bt, int bt_level) ++ bool exist_bt) + { + struct hns_roce_hem_item *hem; + +@@ -1199,7 +1199,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + start_aligned = (distance / step) * step + r->offset; + end = min_t(u64, start_aligned + step - 1, max_ofs); + cur = hem_list_alloc_item(hr_dev, start_aligned, end, unit, +- true, level); ++ true); + if (!cur) { + ret = -ENOMEM; + goto err_exit; +@@ -1251,7 +1251,7 @@ alloc_root_hem(struct hns_roce_dev *hr_dev, int unit, int *max_ba_num, + /* indicate to last region */ + r = ®ions[region_cnt - 1]; + hem = hem_list_alloc_item(hr_dev, offset, r->offset + r->count - 1, +- ba_num, true, 0); ++ ba_num, true); + if (!hem) + return ERR_PTR(-ENOMEM); + +@@ -1268,7 +1268,7 @@ static int alloc_fake_root_bt(struct hns_roce_dev *hr_dev, void *cpu_base, + struct hns_roce_hem_item *hem; + + hem = hem_list_alloc_item(hr_dev, r->offset, r->offset + r->count - 1, +- r->count, false, 0); ++ r->count, false); + if (!hem) + return -ENOMEM; + +-- +2.39.5 + diff --git a/queue-5.15/rdma-mlx5-enforce-same-type-port-association-for-mul.patch b/queue-5.15/rdma-mlx5-enforce-same-type-port-association-for-mul.patch new file mode 100644 index 00000000000..22f0b44b872 --- /dev/null +++ b/queue-5.15/rdma-mlx5-enforce-same-type-port-association-for-mul.patch @@ -0,0 +1,69 @@ +From 3465a64b092bd71a1bf276bef1f8d7202024cdf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 15:45:37 +0200 +Subject: RDMA/mlx5: Enforce same type port association for multiport RoCE + +From: Patrisious Haddad + +[ Upstream commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b ] + +Different core device types such as PFs and VFs shouldn't be affiliated +together since they have different capabilities, fix that by enforcing +type check before doing the affiliation. + +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Reviewed-by: Mark Bloch +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com +Reviewed-by: Mateusz Polchlopek +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 6 ++++-- + include/linux/mlx5/driver.h | 6 ++++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index aa7a44ea49fa..2236c62a1980 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3284,7 +3284,8 @@ static int mlx5_ib_init_multiport_master(struct mlx5_ib_dev *dev) + list_for_each_entry(mpi, &mlx5_ib_unaffiliated_port_list, + list) { + if (dev->sys_image_guid == mpi->sys_image_guid && +- (mlx5_core_native_port_num(mpi->mdev) - 1) == i) { ++ (mlx5_core_native_port_num(mpi->mdev) - 1) == i && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) { + bound = mlx5_ib_bind_slave_port(dev, mpi); + } + +@@ -4408,7 +4409,8 @@ static int mlx5r_mp_probe(struct auxiliary_device *adev, + + mutex_lock(&mlx5_ib_multiport_mutex); + list_for_each_entry(dev, &mlx5_ib_dev_list, ib_dev_list) { +- if (dev->sys_image_guid == mpi->sys_image_guid) ++ if (dev->sys_image_guid == mpi->sys_image_guid && ++ mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) + bound = mlx5_ib_bind_slave_port(dev, mpi); + + if (bound) { +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 26095c0fd781..62d60a515b03 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1182,6 +1182,12 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev) + return dev->coredev_type == MLX5_COREDEV_VF; + } + ++static inline bool mlx5_core_same_coredev_type(const struct mlx5_core_dev *dev1, ++ const struct mlx5_core_dev *dev2) ++{ ++ return dev1->coredev_type == dev2->coredev_type; ++} ++ + static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev) + { + return dev->caps.embedded_cpu; +-- +2.39.5 + diff --git a/queue-5.15/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch b/queue-5.15/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch new file mode 100644 index 00000000000..886cf2a0c31 --- /dev/null +++ b/queue-5.15/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch @@ -0,0 +1,71 @@ +From 8f83c944c935b69262a887919561d2b3aaf0b5e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 09:34:16 +0800 +Subject: RDMA/rtrs: Ensure 'ib_sge list' is accessible + +From: Li Zhijian + +[ Upstream commit fb514b31395946022f13a08e06a435f53cf9e8b3 ] + +Move the declaration of the 'ib_sge list' variable outside the +'always_invalidate' block to ensure it remains accessible for use +throughout the function. + +Previously, 'ib_sge list' was declared within the 'always_invalidate' +block, limiting its accessibility, then caused a +'BUG: kernel NULL pointer dereference'[1]. + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2d0 + ? search_module_extables+0x19/0x60 + ? search_bpf_extables+0x5f/0x80 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? memcpy_orig+0xd5/0x140 + rxe_mr_copy+0x1c3/0x200 [rdma_rxe] + ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] + copy_data+0xa5/0x230 [rdma_rxe] + rxe_requester+0xd9b/0xf70 [rdma_rxe] + ? finish_task_switch.isra.0+0x99/0x2e0 + rxe_sender+0x13/0x40 [rdma_rxe] + do_task+0x68/0x1e0 [rdma_rxe] + process_one_work+0x177/0x330 + worker_thread+0x252/0x390 + ? __pfx_worker_thread+0x10/0x10 + +This change ensures the variable is available for subsequent operations +that require it. + +[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/ + +Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") +Signed-off-by: Li Zhijian +Link: https://patch.msgid.link/20241231013416.1290920-1-lizhijian@fujitsu.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index 4fa916a8f386..96fe7c97bc71 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -353,6 +353,7 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id, + struct rtrs_srv_mr *srv_mr; + bool need_inval = false; + enum ib_send_flags flags; ++ struct ib_sge list; + u32 imm; + int err; + +@@ -403,7 +404,6 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id, + imm = rtrs_to_io_rsp_imm(id->msg_id, errno, need_inval); + imm_wr.wr.next = NULL; + if (always_invalidate) { +- struct ib_sge list; + struct rtrs_msg_rkey_rsp *msg; + + srv_mr = &srv_path->mrs[id->msg_id]; +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 89edd2cf28c..2916c22121a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -114,3 +114,31 @@ usb-xhci-limit-stop-endpoint-retries.patch xhci-turn-nec-specific-quirk-for-handling-stop-endpo.patch drivers-block-zram-zram_drv.c-do-not-keep-dangling-z.patch zram-fix-uninitialized-zram-not-releasing-backing-de.patch +rdma-mlx5-enforce-same-type-port-association-for-mul.patch +rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch +rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch +rdma-bnxt_re-fix-max_qp_wrs-reported.patch +rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch +drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch +rdma-hns-remove-redundant-attr_mask-in-modify_qp_ini.patch +rdma-hns-remove-redundant-bt_level-for-hem_list_allo.patch +rdma-hns-fix-mapping-error-of-zero-hop-wqe-buffer.patch +rdma-hns-fix-warning-storm-caused-by-invalid-input-i.patch +rdma-hns-fix-missing-flush-cqe-for-dwqe.patch +net-stmmac-platform-provide-devm_stmmac_probe_config.patch +net-stmmac-don-t-create-a-mdio-bus-if-unnecessary.patch +net-stmmac-restructure-the-error-path-of-stmmac_prob.patch +net-fix-memory-leak-in-tcp_conn_request.patch +netrom-check-buffer-length-before-accessing-it.patch +drm-i915-dg1-fix-power-gate-sequence.patch +netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch +net-llc-reset-skb-transport_header.patch +alsa-usb-audio-us16x08-initialize-array-before-use.patch +eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch +net-mv643xx_eth-fix-an-of-node-reference-leak.patch +rdma-rtrs-ensure-ib_sge-list-is-accessible.patch +net-restrict-so_reuseport-to-inet-sockets.patch +net-wwan-iosm-properly-check-for-valid-exec-stage-in.patch +af_packet-fix-vlan_get_tci-vs-msg_peek.patch +af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch +ila-serialize-calls-to-nf_register_net_hooks.patch