From: Sasha Levin Date: Sat, 14 Oct 2023 12:58:38 +0000 (-0400) Subject: Fixes for 6.5 X-Git-Tag: v6.1.58~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6688cbfc53fccfeddc7dd0229481a6cb75753b57;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.5 Signed-off-by: Sasha Levin --- diff --git a/queue-6.5/af_packet-fix-fortified-memcpy-without-flex-array.patch b/queue-6.5/af_packet-fix-fortified-memcpy-without-flex-array.patch new file mode 100644 index 00000000000..7796a4888d5 --- /dev/null +++ b/queue-6.5/af_packet-fix-fortified-memcpy-without-flex-array.patch @@ -0,0 +1,76 @@ +From 03d133a6ce93a4cbb8982e734d1909b5faaa3910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 08:31:52 -0700 +Subject: af_packet: Fix fortified memcpy() without flex array. + +From: Kuniyuki Iwashima + +[ Upstream commit e2bca4870fdaf855651ee80b083d892599c5d982 ] + +Sergei Trofimovich reported a regression [0] caused by commit a0ade8404c3b +("af_packet: Fix warning of fortified memcpy() in packet_getname()."). + +It introduced a flex array sll_addr_flex in struct sockaddr_ll as a +union-ed member with sll_addr to work around the fortified memcpy() check. + +However, a userspace program uses a struct that has struct sockaddr_ll in +the middle, where a flex array is illegal to exist. + + include/linux/if_packet.h:24:17: error: flexible array member 'sockaddr_ll::::::sll_addr_flex' not at end of 'struct packet_info_t' + 24 | __DECLARE_FLEX_ARRAY(unsigned char, sll_addr_flex); + | ^~~~~~~~~~~~~~~~~~~~ + +To fix the regression, let's go back to the first attempt [1] telling +memcpy() the actual size of the array. + +Reported-by: Sergei Trofimovich +Closes: https://github.com/NixOS/nixpkgs/pull/252587#issuecomment-1741733002 [0] +Link: https://lore.kernel.org/netdev/20230720004410.87588-3-kuniyu@amazon.com/ [1] +Fixes: a0ade8404c3b ("af_packet: Fix warning of fortified memcpy() in packet_getname().") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20231009153151.75688-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/uapi/linux/if_packet.h | 6 +----- + net/packet/af_packet.c | 7 ++++++- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/include/uapi/linux/if_packet.h b/include/uapi/linux/if_packet.h +index 4d0ad22f83b56..9efc42382fdb9 100644 +--- a/include/uapi/linux/if_packet.h ++++ b/include/uapi/linux/if_packet.h +@@ -18,11 +18,7 @@ struct sockaddr_ll { + unsigned short sll_hatype; + unsigned char sll_pkttype; + unsigned char sll_halen; +- union { +- unsigned char sll_addr[8]; +- /* Actual length is in sll_halen. */ +- __DECLARE_FLEX_ARRAY(unsigned char, sll_addr_flex); +- }; ++ unsigned char sll_addr[8]; + }; + + /* Packet types */ +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index a2935bd18ed98..a39b2a0dd5425 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3605,7 +3605,12 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +- memcpy(sll->sll_addr_flex, dev->dev_addr, dev->addr_len); ++ ++ /* Let __fortify_memcpy_chk() know the actual buffer size. */ ++ memcpy(((struct sockaddr_storage *)sll)->__data + ++ offsetof(struct sockaddr_ll, sll_addr) - ++ offsetofend(struct sockaddr_ll, sll_family), ++ dev->dev_addr, dev->addr_len); + } else { + sll->sll_hatype = 0; /* Bad: we have no ARPHRD_UNSPEC */ + sll->sll_halen = 0; +-- +2.40.1 + diff --git a/queue-6.5/arm64-dts-mediatek-fix-t-phy-unit-name.patch b/queue-6.5/arm64-dts-mediatek-fix-t-phy-unit-name.patch new file mode 100644 index 00000000000..03d5e3b5ee7 --- /dev/null +++ b/queue-6.5/arm64-dts-mediatek-fix-t-phy-unit-name.patch @@ -0,0 +1,59 @@ +From 8ea2ff99c059dab7e5bf21e844ece8181228b7f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 13:13:46 +0200 +Subject: arm64: dts: mediatek: fix t-phy unit name + +From: Eugen Hristev + +[ Upstream commit 963c3b0c47ec29b4c49c9f45965cd066f419d17f ] + +dtbs_check throws a warning at t-phy nodes: +Warning (unit_address_vs_reg): /t-phy@1a243000: node has a unit name, but no reg or ranges property +Warning (unit_address_vs_reg): /soc/t-phy@11c00000: node has a unit name, but no reg or ranges property + +The ranges is empty thus removing the `@1a243000`, `@11c00000` from +the node name. + +Fixes: 6029cae696c8 ("arm64: dts: mediatek: mt7622: harmonize node names and compatibles") +Fixes: 918aed7abd2d ("arm64: dts: mt7986: add pcie related device nodes") +Signed-off-by: Eugen Hristev +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230814093931.9298-2-eugen.hristev@collabora.com +Link: https://lore.kernel.org/r/20231003-mediatek-fixes-v6-7-v1-4-dad7cd62a8ff@collabora.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 +- + arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index 36ef2dbe8add4..3ee9266fa8e98 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -905,7 +905,7 @@ sata: sata@1a200000 { + status = "disabled"; + }; + +- sata_phy: t-phy@1a243000 { ++ sata_phy: t-phy { + compatible = "mediatek,mt7622-tphy", + "mediatek,generic-tphy-v1"; + #address-cells = <2>; +diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi +index 68539ea788dfc..24eda00e320d3 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi +@@ -434,7 +434,7 @@ pcie_intc: interrupt-controller { + }; + }; + +- pcie_phy: t-phy@11c00000 { ++ pcie_phy: t-phy { + compatible = "mediatek,mt7986-tphy", + "mediatek,generic-tphy-v2"; + #address-cells = <2>; +-- +2.40.1 + diff --git a/queue-6.5/arm64-dts-mediatek-mt8195-set-dsu-pmu-status-to-fail.patch b/queue-6.5/arm64-dts-mediatek-mt8195-set-dsu-pmu-status-to-fail.patch new file mode 100644 index 00000000000..338e27afb6c --- /dev/null +++ b/queue-6.5/arm64-dts-mediatek-mt8195-set-dsu-pmu-status-to-fail.patch @@ -0,0 +1,56 @@ +From d6a445807dcc9a151f26451c9e3006841f34c3d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 13:13:47 +0200 +Subject: arm64: dts: mediatek: mt8195: Set DSU PMU status to fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit d192615c307ec9f74cd0582880ece698533eb99b ] + +The DSU PMU allows monitoring performance events in the DSU cluster, +which is done by configuring and reading back values from the DSU PMU +system registers. However, for write-access to be allowed by ELs lower +than EL3, the EL3 firmware needs to update the setting on the ACTLR3_EL3 +register, as it is disallowed by default. + +That configuration is not done on the firmware used by the MT8195 SoC, +as a consequence, booting a MT8195-based machine like +mt8195-cherry-tomato-r2 with CONFIG_ARM_DSU_PMU enabled hangs the kernel +just as it writes to the CLUSTERPMOVSCLR_EL1 register, since the +instruction faults to EL3, and BL31 apparently just re-runs the +instruction over and over. + +Mark the DSU PMU node in the Devicetree with status "fail", as the +machine doesn't have a suitable firmware to make use of it from the +kernel, and allowing its driver to probe would hang the kernel. + +Fixes: 37f2582883be ("arm64: dts: Add mediatek SoC mt8195 and evaluation board") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230720200753.322133-1-nfraprado@collabora.com +Link: https://lore.kernel.org/r/20231003-mediatek-fixes-v6-7-v1-5-dad7cd62a8ff@collabora.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +index 4dbbf8fdab758..43011bc41da77 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +@@ -313,6 +313,7 @@ dsu-pmu { + interrupts = ; + cpus = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>, + <&cpu4>, <&cpu5>, <&cpu6>, <&cpu7>; ++ status = "fail"; + }; + + dmic_codec: dmic-codec { +-- +2.40.1 + diff --git a/queue-6.5/bpf-fix-verifier-log-for-async-callback-return-value.patch b/queue-6.5/bpf-fix-verifier-log-for-async-callback-return-value.patch new file mode 100644 index 00000000000..fe0e67b5f83 --- /dev/null +++ b/queue-6.5/bpf-fix-verifier-log-for-async-callback-return-value.patch @@ -0,0 +1,60 @@ +From 5df346e6de6a6db8150bab982be1b5955cf8f427 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 11:14:13 -0500 +Subject: bpf: Fix verifier log for async callback return values + +From: David Vernet + +[ Upstream commit 829955981c557c7fc7416581c4cd68a8a0c28620 ] + +The verifier, as part of check_return_code(), verifies that async +callbacks such as from e.g. timers, will return 0. It does this by +correctly checking that R0->var_off is in tnum_const(0), which +effectively checks that it's in a range of 0. If this condition fails, +however, it prints an error message which says that the value should +have been in (0x0; 0x1). This results in possibly confusing output such +as the following in which an async callback returns 1: + + At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1) + +The fix is easy -- we should just pass the tnum_const(0) as the correct +range to verbose_invalid_scalar(), which will then print the following: + + At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0) + +Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.") +Signed-off-by: David Vernet +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231009161414.235829-1-void@manifault.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 93fd32f2957b7..104681258d24f 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -14255,7 +14255,7 @@ static int check_return_code(struct bpf_verifier_env *env) + struct tnum enforce_attach_type_range = tnum_unknown; + const struct bpf_prog *prog = env->prog; + struct bpf_reg_state *reg; +- struct tnum range = tnum_range(0, 1); ++ struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0); + enum bpf_prog_type prog_type = resolve_prog_type(env->prog); + int err; + struct bpf_func_state *frame = env->cur_state->frame[0]; +@@ -14303,8 +14303,8 @@ static int check_return_code(struct bpf_verifier_env *env) + return -EINVAL; + } + +- if (!tnum_in(tnum_const(0), reg->var_off)) { +- verbose_invalid_scalar(env, reg, &range, "async callback", "R0"); ++ if (!tnum_in(const_0, reg->var_off)) { ++ verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0"); + return -EINVAL; + } + return 0; +-- +2.40.1 + diff --git a/queue-6.5/can-isotp-isotp_sendmsg-fix-tx-state-detection-and-w.patch b/queue-6.5/can-isotp-isotp_sendmsg-fix-tx-state-detection-and-w.patch new file mode 100644 index 00000000000..3efa6d2d13a --- /dev/null +++ b/queue-6.5/can-isotp-isotp_sendmsg-fix-tx-state-detection-and-w.patch @@ -0,0 +1,77 @@ +From 551206b1d9526c1c34ca87de8629cc0fdfc4f463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Aug 2023 09:22:05 +0000 +Subject: can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior + +From: Lukas Magel + +[ Upstream commit d9c2ba65e651467de739324d978b04ed8729f483 ] + +With patch [1], isotp_poll was updated to also queue the poller in the +so->wait queue, which is used for send state changes. Since the queue +now also contains polling tasks that are not interested in sending, the +queue fill state can no longer be used as an indication of send +readiness. As a consequence, nonblocking writes can lead to a race and +lock-up of the socket if there is a second task polling the socket in +parallel. + +With this patch, isotp_sendmsg does not consult wq_has_sleepers but +instead tries to atomically set so->tx.state and waits on so->wait if it +is unable to do so. This behavior is in alignment with isotp_poll, which +also checks so->tx.state to determine send readiness. + +V2: +- Revert direct exit to goto err_event_drop + +[1] https://lore.kernel.org/all/20230331125511.372783-1-michal.sojka@cvut.cz + +Reported-by: Maxime Jayat +Closes: https://lore.kernel.org/linux-can/11328958-453f-447f-9af8-3b5824dfb041@munic.io/ +Signed-off-by: Lukas Magel +Reviewed-by: Oliver Hartkopp +Fixes: 79e19fa79cb5 ("can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events") +Link: https://github.com/pylessard/python-udsoncan/issues/178#issuecomment-1743786590 +Link: https://lore.kernel.org/all/20230827092205.7908-1-lukas.magel@posteo.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/isotp.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index f02b5d3e47335..d1c6f206f4295 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -948,21 +948,18 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + if (!so->bound || so->tx.state == ISOTP_SHUTDOWN) + return -EADDRNOTAVAIL; + +-wait_free_buffer: +- /* we do not support multiple buffers - for now */ +- if (wq_has_sleeper(&so->wait) && (msg->msg_flags & MSG_DONTWAIT)) +- return -EAGAIN; ++ while (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) { ++ /* we do not support multiple buffers - for now */ ++ if (msg->msg_flags & MSG_DONTWAIT) ++ return -EAGAIN; + +- /* wait for complete transmission of current pdu */ +- err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); +- if (err) +- goto err_event_drop; +- +- if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) { + if (so->tx.state == ISOTP_SHUTDOWN) + return -EADDRNOTAVAIL; + +- goto wait_free_buffer; ++ /* wait for complete transmission of current pdu */ ++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); ++ if (err) ++ goto err_event_drop; + } + + /* PDU size > default => try max_pdu_size */ +-- +2.40.1 + diff --git a/queue-6.5/can-sun4i_can-only-show-kconfig-if-arch_sunxi-is-set.patch b/queue-6.5/can-sun4i_can-only-show-kconfig-if-arch_sunxi-is-set.patch new file mode 100644 index 00000000000..924d4ab22c0 --- /dev/null +++ b/queue-6.5/can-sun4i_can-only-show-kconfig-if-arch_sunxi-is-set.patch @@ -0,0 +1,41 @@ +From dcbedb7d53fa97bd3cf2aae4321f17cc249a079f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 09:13:43 +1000 +Subject: can: sun4i_can: Only show Kconfig if ARCH_SUNXI is set + +From: John Watts + +[ Upstream commit 1f223208ebdef84f21c15e9958c005a93c871aa2 ] + +When adding the RISCV option I didn't gate it behind ARCH_SUNXI. +As a result this option shows up with Allwinner support isn't enabled. +Fix that by requiring ARCH_SUNXI to be set if RISCV is set. + +Fixes: 8abb95250ae6 ("can: sun4i_can: Add support for the Allwinner D1") +Reported-by: Geert Uytterhoeven +Closes: https://lore.kernel.org/linux-sunxi/CAMuHMdV2m54UAH0X2dG7stEg=grFihrdsz4+o7=_DpBMhjTbkw@mail.gmail.com/ +Signed-off-by: John Watts +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/all/20230905231342.2042759-2-contact@jookia.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig +index e626de33e735d..716bba8cc2017 100644 +--- a/drivers/net/can/Kconfig ++++ b/drivers/net/can/Kconfig +@@ -185,7 +185,7 @@ config CAN_SLCAN + + config CAN_SUN4I + tristate "Allwinner A10 CAN controller" +- depends on MACH_SUN4I || MACH_SUN7I || RISCV || COMPILE_TEST ++ depends on MACH_SUN4I || MACH_SUN7I || (RISCV && ARCH_SUNXI) || COMPILE_TEST + help + Say Y here if you want to use CAN controller found on Allwinner + A10/A20/D1 SoCs. +-- +2.40.1 + diff --git a/queue-6.5/devlink-hold-devlink-lock-on-health-reporter-dump-ge.patch b/queue-6.5/devlink-hold-devlink-lock-on-health-reporter-dump-ge.patch new file mode 100644 index 00000000000..641089fa9bc --- /dev/null +++ b/queue-6.5/devlink-hold-devlink-lock-on-health-reporter-dump-ge.patch @@ -0,0 +1,144 @@ +From 85941b6e651c76f77fe5536a6ad22ae4f8312e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 15:50:16 +0300 +Subject: devlink: Hold devlink lock on health reporter dump get + +From: Moshe Shemesh + +[ Upstream commit aba0e909dc20eceb1de985474af459f82e7b0b82 ] + +Devlink health dump get callback should take devlink lock as any other +devlink callback. Otherwise, since devlink_mutex was removed, this +callback is not protected from a race of the reporter being destroyed +while handling the callback. + +Add devlink lock to the callback and to any call for +devlink_health_do_dump(). This should be safe as non of the drivers dump +callback implementation takes devlink lock. + +As devlink lock is added to any callback of dump, the reporter dump_lock +is now redundant and can be removed. + +Fixes: d3efc2a6a6d8 ("net: devlink: remove devlink_mutex") +Signed-off-by: Moshe Shemesh +Reviewed-by: Jiri Pirko +Reviewed-by: Przemek Kitszel +Link: https://lore.kernel.org/r/1696510216-189379-1-git-send-email-moshe@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/health.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/net/devlink/health.c b/net/devlink/health.c +index 194340a8bb863..8c6a2e5140d4d 100644 +--- a/net/devlink/health.c ++++ b/net/devlink/health.c +@@ -58,7 +58,6 @@ struct devlink_health_reporter { + struct devlink *devlink; + struct devlink_port *devlink_port; + struct devlink_fmsg *dump_fmsg; +- struct mutex dump_lock; /* lock parallel read/write from dump buffers */ + u64 graceful_period; + bool auto_recover; + bool auto_dump; +@@ -125,7 +124,6 @@ __devlink_health_reporter_create(struct devlink *devlink, + reporter->graceful_period = graceful_period; + reporter->auto_recover = !!ops->recover; + reporter->auto_dump = !!ops->dump; +- mutex_init(&reporter->dump_lock); + return reporter; + } + +@@ -226,7 +224,6 @@ EXPORT_SYMBOL_GPL(devlink_health_reporter_create); + static void + devlink_health_reporter_free(struct devlink_health_reporter *reporter) + { +- mutex_destroy(&reporter->dump_lock); + if (reporter->dump_fmsg) + devlink_fmsg_free(reporter->dump_fmsg); + kfree(reporter); +@@ -609,10 +606,10 @@ int devlink_health_report(struct devlink_health_reporter *reporter, + } + + if (reporter->auto_dump) { +- mutex_lock(&reporter->dump_lock); ++ devl_lock(devlink); + /* store current dump of current error, for later analysis */ + devlink_health_do_dump(reporter, priv_ctx, NULL); +- mutex_unlock(&reporter->dump_lock); ++ devl_unlock(devlink); + } + + if (!reporter->auto_recover) +@@ -1246,7 +1243,7 @@ int devlink_nl_cmd_health_reporter_diagnose_doit(struct sk_buff *skb, + } + + static struct devlink_health_reporter * +-devlink_health_reporter_get_from_cb(struct netlink_callback *cb) ++devlink_health_reporter_get_from_cb_lock(struct netlink_callback *cb) + { + const struct genl_dumpit_info *info = genl_dumpit_info(cb); + struct devlink_health_reporter *reporter; +@@ -1256,10 +1253,12 @@ devlink_health_reporter_get_from_cb(struct netlink_callback *cb) + devlink = devlink_get_from_attrs_lock(sock_net(cb->skb->sk), attrs); + if (IS_ERR(devlink)) + return NULL; +- devl_unlock(devlink); + + reporter = devlink_health_reporter_get_from_attrs(devlink, attrs); +- devlink_put(devlink); ++ if (!reporter) { ++ devl_unlock(devlink); ++ devlink_put(devlink); ++ } + return reporter; + } + +@@ -1268,16 +1267,20 @@ int devlink_nl_cmd_health_reporter_dump_get_dumpit(struct sk_buff *skb, + { + struct devlink_nl_dump_state *state = devlink_dump_state(cb); + struct devlink_health_reporter *reporter; ++ struct devlink *devlink; + int err; + +- reporter = devlink_health_reporter_get_from_cb(cb); ++ reporter = devlink_health_reporter_get_from_cb_lock(cb); + if (!reporter) + return -EINVAL; + +- if (!reporter->ops->dump) ++ devlink = reporter->devlink; ++ if (!reporter->ops->dump) { ++ devl_unlock(devlink); ++ devlink_put(devlink); + return -EOPNOTSUPP; ++ } + +- mutex_lock(&reporter->dump_lock); + if (!state->idx) { + err = devlink_health_do_dump(reporter, NULL, cb->extack); + if (err) +@@ -1293,7 +1296,8 @@ int devlink_nl_cmd_health_reporter_dump_get_dumpit(struct sk_buff *skb, + err = devlink_fmsg_dumpit(reporter->dump_fmsg, skb, cb, + DEVLINK_CMD_HEALTH_REPORTER_DUMP_GET); + unlock: +- mutex_unlock(&reporter->dump_lock); ++ devl_unlock(devlink); ++ devlink_put(devlink); + return err; + } + +@@ -1310,9 +1314,7 @@ int devlink_nl_cmd_health_reporter_dump_clear_doit(struct sk_buff *skb, + if (!reporter->ops->dump) + return -EOPNOTSUPP; + +- mutex_lock(&reporter->dump_lock); + devlink_health_dump_clear(reporter); +- mutex_unlock(&reporter->dump_lock); + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dp-add-newlines-to-debug-printks.patch b/queue-6.5/drm-msm-dp-add-newlines-to-debug-printks.patch new file mode 100644 index 00000000000..240436d5e5f --- /dev/null +++ b/queue-6.5/drm-msm-dp-add-newlines-to-debug-printks.patch @@ -0,0 +1,52 @@ +From c37a2e1ee641692556974862b9554c54ee6a58aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Aug 2023 16:01:08 -0700 +Subject: drm/msm/dp: Add newlines to debug printks + +From: Stephen Boyd + +[ Upstream commit eba8c99a0fc45da1c8d5b5f5bd1dc2e79229a767 ] + +These debug printks are missing newlines, causing drm debug logs to be +hard to read. Add newlines so that the messages are on their own line. + +Cc: Kuogee Hsieh +Cc: Vinod Polimera +Signed-off-by: Stephen Boyd +Fixes: 601f0479c583 ("drm/msm/dp: add logs across DP driver for ease of debugging") +Fixes: cd779808cccd ("drm/msm/dp: Add basic PSR support for eDP") +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/554533/ +Link: https://lore.kernel.org/r/20230825230109.2264345-1-swboyd@chromium.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_link.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c +index 42427129acea8..6375daaeb98e1 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.c ++++ b/drivers/gpu/drm/msm/dp/dp_link.c +@@ -1090,7 +1090,7 @@ int dp_link_process_request(struct dp_link *dp_link) + } else if (dp_link_read_psr_error_status(link)) { + DRM_ERROR("PSR IRQ_HPD received\n"); + } else if (dp_link_psr_capability_changed(link)) { +- drm_dbg_dp(link->drm_dev, "PSR Capability changed"); ++ drm_dbg_dp(link->drm_dev, "PSR Capability changed\n"); + } else { + ret = dp_link_process_link_status_update(link); + if (!ret) { +@@ -1107,7 +1107,7 @@ int dp_link_process_request(struct dp_link *dp_link) + } + } + +- drm_dbg_dp(link->drm_dev, "sink request=%#x", ++ drm_dbg_dp(link->drm_dev, "sink request=%#x\n", + dp_link->sink_request); + return ret; + } +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch b/queue-6.5/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch new file mode 100644 index 00000000000..c2e0edf5b52 --- /dev/null +++ b/queue-6.5/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch @@ -0,0 +1,74 @@ +From 752bcf4a7c4b1e8e35f82a575f187162c4cd08c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 15:19:50 -0700 +Subject: drm/msm/dp: do not reinitialize phy unless retry during link training + +From: Kuogee Hsieh + +[ Upstream commit 0c1a2e69bcb506f48ebf94bd199bab0b93f66da2 ] + +DP PHY re-initialization done using dp_ctrl_reinitialize_mainlink() will +cause PLL unlocked initially and then PLL gets locked at the end of +initialization. PLL_UNLOCKED interrupt will fire during this time if the +interrupt mask is enabled. + +However currently DP driver link training implementation incorrectly +re-initializes PHY unconditionally during link training as the PHY was +already configured in dp_ctrl_enable_mainlink_clocks(). + +Fix this by re-initializing the PHY only if the previous link training +failed. + +[drm:dp_aux_isr] *ERROR* Unexpected DP AUX IRQ 0x01000000 when not busy + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/30 +Signed-off-by: Kuogee Hsieh +Tested-by: Abhinav Kumar # sc7280 +Reviewed-by: Abhinav Kumar +Reviewed-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Tested-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/551847/ +Link: https://lore.kernel.org/r/1691533190-19335-1-git-send-email-quic_khsieh@quicinc.com +[quic_abhinavk@quicinc.com: added line break in commit text] +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index a7a5c7e0ab923..77a8d9366ed7b 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1774,13 +1774,6 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl) + return rc; + + while (--link_train_max_retries) { +- rc = dp_ctrl_reinitialize_mainlink(ctrl); +- if (rc) { +- DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n", +- rc); +- break; +- } +- + training_step = DP_TRAINING_NONE; + rc = dp_ctrl_setup_main_link(ctrl, &training_step); + if (rc == 0) { +@@ -1832,6 +1825,12 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl) + /* stop link training before start re training */ + dp_ctrl_clear_training_pattern(ctrl); + } ++ ++ rc = dp_ctrl_reinitialize_mainlink(ctrl); ++ if (rc) { ++ DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n", rc); ++ break; ++ } + } + + if (ctrl->link->sink_request & DP_TEST_LINK_PHY_TEST_PATTERN) +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch b/queue-6.5/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch new file mode 100644 index 00000000000..502f699e89e --- /dev/null +++ b/queue-6.5/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch @@ -0,0 +1,67 @@ +From f4bf222231c320a068683949c64073e9971baff9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 18:26:16 -0700 +Subject: drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow + +From: Abhinav Kumar + +[ Upstream commit 95e681ca3b65e4ce3d2537b47672d787b7d30375 ] + +_dpu_plane_calc_bw() uses integer variables to calculate the bandwidth +used during plane bandwidth calculations. However for high resolution +displays this overflows easily and leads to below errors + +[dpu error]crtc83 failed performance check -7 + +Promote the intermediate variables to u64 to avoid overflow. + +changes in v2: + - change to u64 where actually needed in the math + +Fixes: c33b7c0389e1 ("drm/msm/dpu: add support for clk and bw scaling for display") +Reviewed-by: Dmitry Baryshkov +Reported-by: Nia Espera +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/32 +Tested-by: Nia Espera +Patchwork: https://patchwork.freedesktop.org/patch/556288/ +Link: https://lore.kernel.org/r/20230908012616.20654-1-quic_abhinavk@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +index c2aaaded07ed6..98c1b22e9bca0 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -119,6 +119,7 @@ static u64 _dpu_plane_calc_bw(const struct dpu_mdss_cfg *catalog, + struct dpu_sw_pipe_cfg *pipe_cfg) + { + int src_width, src_height, dst_height, fps; ++ u64 plane_pixel_rate, plane_bit_rate; + u64 plane_prefill_bw; + u64 plane_bw; + u32 hw_latency_lines; +@@ -136,13 +137,12 @@ static u64 _dpu_plane_calc_bw(const struct dpu_mdss_cfg *catalog, + scale_factor = src_height > dst_height ? + mult_frac(src_height, 1, dst_height) : 1; + +- plane_bw = +- src_width * mode->vtotal * fps * fmt->bpp * +- scale_factor; ++ plane_pixel_rate = src_width * mode->vtotal * fps; ++ plane_bit_rate = plane_pixel_rate * fmt->bpp; + +- plane_prefill_bw = +- src_width * hw_latency_lines * fps * fmt->bpp * +- scale_factor * mode->vtotal; ++ plane_bw = plane_bit_rate * scale_factor; ++ ++ plane_prefill_bw = plane_bw * hw_latency_lines; + + if ((vbp+vpw) > hw_latency_lines) + do_div(plane_prefill_bw, (vbp+vpw)); +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dpu-fail-dpu_plane_atomic_check-based-on-mdp.patch b/queue-6.5/drm-msm-dpu-fail-dpu_plane_atomic_check-based-on-mdp.patch new file mode 100644 index 00000000000..9caf66cc9e7 --- /dev/null +++ b/queue-6.5/drm-msm-dpu-fail-dpu_plane_atomic_check-based-on-mdp.patch @@ -0,0 +1,80 @@ +From 492f63dc5727be8a87148828de0c1610529049fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 15:16:26 -0700 +Subject: drm/msm/dpu: fail dpu_plane_atomic_check() based on mdp clk limits + +From: Abhinav Kumar + +[ Upstream commit 10f20628c9b8e924b8046e63b36b2cea4d2c85e4 ] + +Currently, dpu_plane_atomic_check() does not check whether the +plane can process the image without exceeding the per chipset +limits for MDP clock. This leads to underflow issues because the +SSPP is not able to complete the processing for the data rate of +the display. + +Fail the dpu_plane_atomic_check() if the SSPP cannot process the +image without exceeding the MDP clock limits. + +changes in v2: + - use crtc_state's adjusted_mode instead of mode + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/556819/ +Link: https://lore.kernel.org/r/20230911221627.9569-1-quic_abhinavk@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +index 98c1b22e9bca0..0be195f9149c5 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -733,9 +733,11 @@ static int dpu_plane_check_inline_rotation(struct dpu_plane *pdpu, + static int dpu_plane_atomic_check_pipe(struct dpu_plane *pdpu, + struct dpu_sw_pipe *pipe, + struct dpu_sw_pipe_cfg *pipe_cfg, +- const struct dpu_format *fmt) ++ const struct dpu_format *fmt, ++ const struct drm_display_mode *mode) + { + uint32_t min_src_size; ++ struct dpu_kms *kms = _dpu_plane_get_kms(&pdpu->base); + + min_src_size = DPU_FORMAT_IS_YUV(fmt) ? 2 : 1; + +@@ -774,6 +776,12 @@ static int dpu_plane_atomic_check_pipe(struct dpu_plane *pdpu, + return -EINVAL; + } + ++ /* max clk check */ ++ if (_dpu_plane_calc_clk(mode, pipe_cfg) > kms->perf.max_core_clk_rate) { ++ DPU_DEBUG_PLANE(pdpu, "plane exceeds max mdp core clk limits\n"); ++ return -E2BIG; ++ } ++ + return 0; + } + +@@ -899,12 +907,13 @@ static int dpu_plane_atomic_check(struct drm_plane *plane, + r_pipe_cfg->dst_rect.x1 = pipe_cfg->dst_rect.x2; + } + +- ret = dpu_plane_atomic_check_pipe(pdpu, pipe, pipe_cfg, fmt); ++ ret = dpu_plane_atomic_check_pipe(pdpu, pipe, pipe_cfg, fmt, &crtc_state->adjusted_mode); + if (ret) + return ret; + + if (r_pipe->sspp) { +- ret = dpu_plane_atomic_check_pipe(pdpu, r_pipe, r_pipe_cfg, fmt); ++ ret = dpu_plane_atomic_check_pipe(pdpu, r_pipe, r_pipe_cfg, fmt, ++ &crtc_state->adjusted_mode); + if (ret) + return ret; + } +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch b/queue-6.5/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch new file mode 100644 index 00000000000..10e8be38654 --- /dev/null +++ b/queue-6.5/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch @@ -0,0 +1,45 @@ +From 0a1b80bc0590b41dc9dda92732ddf359ffbb7304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:59:40 +0300 +Subject: drm/msm/dsi: fix irq_of_parse_and_map() error checking + +From: Dan Carpenter + +[ Upstream commit 6a1d4c7976dd1ee7c9f80bc8e62801ec7b1f2f58 ] + +The irq_of_parse_and_map() function returns zero on error. It +never returns negative error codes. Fix the check. + +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Dan Carpenter +Reviewed-by: Konrad Dybcio +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/557715/ +Link: https://lore.kernel.org/r/4f3c5c98-04f7-43f7-900f-5d7482c83eef@moroto.mountain +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index ee91bad0d5880..9ac62651eb756 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1899,10 +1899,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + } + + msm_host->irq = irq_of_parse_and_map(pdev->dev.of_node, 0); +- if (msm_host->irq < 0) { +- ret = msm_host->irq; +- dev_err(&pdev->dev, "failed to get irq: %d\n", ret); +- return ret; ++ if (!msm_host->irq) { ++ dev_err(&pdev->dev, "failed to get irq\n"); ++ return -EINVAL; + } + + /* do not autoenable, will be enabled later */ +-- +2.40.1 + diff --git a/queue-6.5/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch b/queue-6.5/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch new file mode 100644 index 00000000000..e45f2ea73d4 --- /dev/null +++ b/queue-6.5/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch @@ -0,0 +1,65 @@ +From a1b7549ee7ca7dc8b000c4f414d6cc783be58980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 13:44:25 -0700 +Subject: drm/msm/dsi: skip the wait for video mode done if not applicable + +From: Abhinav Kumar + +[ Upstream commit ab483e3adcc178254eb1ce0fbdfbea65f86f1006 ] + +dsi_wait4video_done() API waits for the DSI video mode engine to +become idle so that we can transmit the DCS commands in the +beginning of BLLP. However, with the current sequence, the MDP +timing engine is turned on after the panel's pre_enable() callback +which can send out the DCS commands needed to power up the panel. + +During those cases, this API will always timeout and print out the +error spam leading to long bootup times and log flooding. + +Fix this by checking if the DSI video engine was actually busy before +waiting for it to become idle otherwise this is a redundant wait. + +changes in v2: + - move the reg read below the video mode check + - minor fixes in commit text + +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/34 +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/557853/ +Link: https://lore.kernel.org/r/20230915204426.19011-1-quic_abhinavk@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 3f6dfb4f9d5a6..ee91bad0d5880 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1075,9 +1075,21 @@ static void dsi_wait4video_done(struct msm_dsi_host *msm_host) + + static void dsi_wait4video_eng_busy(struct msm_dsi_host *msm_host) + { ++ u32 data; ++ + if (!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) + return; + ++ data = dsi_read(msm_host, REG_DSI_STATUS0); ++ ++ /* if video mode engine is not busy, its because ++ * either timing engine was not turned on or the ++ * DSI controller has finished transmitting the video ++ * data already, so no need to wait in those cases ++ */ ++ if (!(data & DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY)) ++ return; ++ + if (msm_host->power_on && msm_host->enabled) { + dsi_wait4video_done(msm_host); + /* delay 4 ms to skip BLLP */ +-- +2.40.1 + diff --git a/queue-6.5/drm-panel-boe-tv101wum-nl6-completely-pull-gpw-to-vg.patch b/queue-6.5/drm-panel-boe-tv101wum-nl6-completely-pull-gpw-to-vg.patch new file mode 100644 index 00000000000..2864186a55c --- /dev/null +++ b/queue-6.5/drm-panel-boe-tv101wum-nl6-completely-pull-gpw-to-vg.patch @@ -0,0 +1,52 @@ +From 5483575e58102084cd581ba3178b500e62e7eae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 14:49:49 +0800 +Subject: drm/panel: boe-tv101wum-nl6: Completely pull GPW to VGL before TP + term + +From: Ruihai Zhou + +[ Upstream commit 258dd5e6e65995ee85a941eed9a06708a36b1bfe ] + +The sta_himax83102 panel sometimes shows abnormally flickering +horizontal lines. The front gate output will precharge the X point of +the next pole circuit before TP(TouchPanel Enable) term starts, and wait +until the end of the TP term to resume the CLK. For this reason, the X +point must be maintained during the TP term. In abnormal case, we +measured a slight leakage at point X. This because during the TP term, +the GPW does not fully pull the VGL low, causing the TFT to not be +closed tightly. + +To fix this, we completely pull GPW to VGL before entering the TP term. +This will ensure that the TFT is closed tightly and prevent the abnormal +display. + +Fixes: 1bc2ef065f13 ("drm/panel: Support for Starry-himax83102-j02 TDDI MIPI-DSI panel") +Signed-off-by: Ruihai Zhou +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20231007064949.22668-1-zhouruihai@huaqin.corp-partner.google.com +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20231007064949.22668-1-zhouruihai@huaqin.corp-partner.google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +index dc276c346fd1a..dcc5e79cfe879 100644 +--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c ++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +@@ -1343,9 +1343,7 @@ static const struct panel_init_cmd starry_himax83102_j02_init_cmd[] = { + _INIT_DCS_CMD(0xB1, 0x01, 0xBF, 0x11), + _INIT_DCS_CMD(0xCB, 0x86), + _INIT_DCS_CMD(0xD2, 0x3C, 0xFA), +- _INIT_DCS_CMD(0xE9, 0xC5), +- _INIT_DCS_CMD(0xD3, 0x00, 0x00, 0x00, 0x00, 0x80, 0x0C, 0x01), +- _INIT_DCS_CMD(0xE9, 0x3F), ++ _INIT_DCS_CMD(0xD3, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x0C, 0x01), + _INIT_DCS_CMD(0xE7, 0x02, 0x00, 0x28, 0x01, 0x7E, 0x0F, 0x7E, 0x10, 0xA0, 0x00, 0x00, 0x20, 0x40, 0x50, 0x40), + _INIT_DCS_CMD(0xBD, 0x02), + _INIT_DCS_CMD(0xD8, 0xFF, 0xFF, 0xBF, 0xFE, 0xAA, 0xA0, 0xFF, 0xFF, 0xBF, 0xFE, 0xAA, 0xA0), +-- +2.40.1 + diff --git a/queue-6.5/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-6.5/drm-vmwgfx-fix-typo-of-sizeof-argument.patch new file mode 100644 index 00000000000..3c7c4200fde --- /dev/null +++ b/queue-6.5/drm-vmwgfx-fix-typo-of-sizeof-argument.patch @@ -0,0 +1,40 @@ +From 202ab2db044e9213a20e8d1e4dab92b848a02841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 18:02:03 +0800 +Subject: drm/vmwgfx: fix typo of sizeof argument + +From: Konstantin Meskhidze + +[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ] + +Since size of 'header' pointer and '*header' structure is equal on 64-bit +machines issue probably didn't cause any wrong behavior. But anyway, +fixing typo is required. + +Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Reviewed-by: Zack Rusin +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 98e0723ca6f5e..cc3f301ca1639 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1619,7 +1619,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv, + { + VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSetTextureState); + SVGA3dTextureState *last_state = (SVGA3dTextureState *) +- ((unsigned long) header + header->size + sizeof(header)); ++ ((unsigned long) header + header->size + sizeof(*header)); + SVGA3dTextureState *cur_state = (SVGA3dTextureState *) + ((unsigned long) header + sizeof(*cmd)); + struct vmw_resource *ctx; +-- +2.40.1 + diff --git a/queue-6.5/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch b/queue-6.5/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch new file mode 100644 index 00000000000..b4450f3fe48 --- /dev/null +++ b/queue-6.5/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch @@ -0,0 +1,104 @@ +From e86daf36d0bae53b9d3a6e6ecb4a85e921a348cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 15:36:45 +0200 +Subject: ethtool: Fix mod state of verbose no_mask bitset + +From: Kory Maincent + +[ Upstream commit 108a36d07c01edbc5942d27c92494d1c6e4d45a0 ] + +A bitset without mask in a _SET request means we want exactly the bits in +the bitset to be set. This works correctly for compact format but when +verbose format is parsed, ethnl_update_bitset32_verbose() only sets the +bits present in the request bitset but does not clear the rest. The commit +6699170376ab fixes this issue by clearing the whole target bitmap before we +start iterating. The solution proposed brought an issue with the behavior +of the mod variable. As the bitset is always cleared the old val will +always differ to the new val. + +Fix it by adding a new temporary variable which save the state of the old +bitmap. + +Fixes: 6699170376ab ("ethtool: fix application of verbose no_mask bitset") +Signed-off-by: Kory Maincent +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231009133645.44503-1-kory.maincent@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/bitset.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c +index 0515d6604b3b9..883ed9be81f9f 100644 +--- a/net/ethtool/bitset.c ++++ b/net/ethtool/bitset.c +@@ -431,8 +431,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + ethnl_string_array_t names, + struct netlink_ext_ack *extack, bool *mod) + { ++ u32 *orig_bitmap, *saved_bitmap = NULL; + struct nlattr *bit_attr; + bool no_mask; ++ bool dummy; + int rem; + int ret; + +@@ -448,8 +450,22 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + } + + no_mask = tb[ETHTOOL_A_BITSET_NOMASK]; +- if (no_mask) +- ethnl_bitmap32_clear(bitmap, 0, nbits, mod); ++ if (no_mask) { ++ unsigned int nwords = DIV_ROUND_UP(nbits, 32); ++ unsigned int nbytes = nwords * sizeof(u32); ++ ++ /* The bitmap size is only the size of the map part without ++ * its mask part. ++ */ ++ saved_bitmap = kcalloc(nwords, sizeof(u32), GFP_KERNEL); ++ if (!saved_bitmap) ++ return -ENOMEM; ++ memcpy(saved_bitmap, bitmap, nbytes); ++ ethnl_bitmap32_clear(bitmap, 0, nbits, &dummy); ++ orig_bitmap = saved_bitmap; ++ } else { ++ orig_bitmap = bitmap; ++ } + + nla_for_each_nested(bit_attr, tb[ETHTOOL_A_BITSET_BITS], rem) { + bool old_val, new_val; +@@ -458,13 +474,14 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + if (nla_type(bit_attr) != ETHTOOL_A_BITSET_BITS_BIT) { + NL_SET_ERR_MSG_ATTR(extack, bit_attr, + "only ETHTOOL_A_BITSET_BITS_BIT allowed in ETHTOOL_A_BITSET_BITS"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; + } + ret = ethnl_parse_bit(&idx, &new_val, nbits, bit_attr, no_mask, + names, extack); + if (ret < 0) +- return ret; +- old_val = bitmap[idx / 32] & ((u32)1 << (idx % 32)); ++ goto out; ++ old_val = orig_bitmap[idx / 32] & ((u32)1 << (idx % 32)); + if (new_val != old_val) { + if (new_val) + bitmap[idx / 32] |= ((u32)1 << (idx % 32)); +@@ -474,7 +491,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + } + } + +- return 0; ++ ret = 0; ++out: ++ kfree(saved_bitmap); ++ return ret; + } + + static int ethnl_compact_sanity_checks(unsigned int nbits, +-- +2.40.1 + diff --git a/queue-6.5/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-6.5/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch new file mode 100644 index 00000000000..3dbdf72d50f --- /dev/null +++ b/queue-6.5/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch @@ -0,0 +1,75 @@ +From d0da7f5c993869d9921beb8386fcc8f2072c276a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 11:30:49 +0800 +Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe + +From: Dinghao Liu + +[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ] + +If of_clk_add_provider() fails in ca8210_register_ext_clock(), +it calls clk_unregister() to release priv->clk and returns an +error. However, the caller ca8210_probe() then calls ca8210_remove(), +where priv->clk is freed again in ca8210_unregister_ext_clock(). In +this case, a use-after-free may happen in the second time we call +clk_unregister(). + +Fix this by removing the first clk_unregister(). Also, priv->clk could +be an error code on failure of clk_register_fixed_rate(). Use +IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock(). + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Dinghao Liu +Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn> +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index f9b10e84de067..9cb99dc65db34 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2741,7 +2741,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + struct device_node *np = spi->dev.of_node; + struct ca8210_priv *priv = spi_get_drvdata(spi); + struct ca8210_platform_data *pdata = spi->dev.platform_data; +- int ret = 0; + + if (!np) + return -EFAULT; +@@ -2758,18 +2757,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + dev_crit(&spi->dev, "Failed to register external clk\n"); + return PTR_ERR(priv->clk); + } +- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); +- if (ret) { +- clk_unregister(priv->clk); +- dev_crit( +- &spi->dev, +- "Failed to register external clock as clock provider\n" +- ); +- } else { +- dev_info(&spi->dev, "External clock set as clock provider\n"); +- } + +- return ret; ++ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); + } + + /** +@@ -2781,8 +2770,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi) + { + struct ca8210_priv *priv = spi_get_drvdata(spi); + +- if (!priv->clk) +- return ++ if (IS_ERR_OR_NULL(priv->clk)) ++ return; + + of_clk_del_provider(spi->dev.of_node); + clk_unregister(priv->clk); +-- +2.40.1 + diff --git a/queue-6.5/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-6.5/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch new file mode 100644 index 00000000000..71eb9aa8b16 --- /dev/null +++ b/queue-6.5/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch @@ -0,0 +1,49 @@ +From 67313e683e9ce24cbb5639c60564688710e8a7f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 15:53:09 +0300 +Subject: ixgbe: fix crash with empty VF macvlan list + +From: Dan Carpenter + +[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ] + +The adapter->vf_mvs.l list needs to be initialized even if the list is +empty. Otherwise it will lead to crashes. + +Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +index 29cc609880712..ea88ac04ab9ad 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -28,6 +28,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + struct vf_macvlans *mv_list; + int num_vf_macvlans, i; + ++ /* Initialize list of VF macvlans */ ++ INIT_LIST_HEAD(&adapter->vf_mvs.l); ++ + num_vf_macvlans = hw->mac.num_rar_entries - + (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs); + if (!num_vf_macvlans) +@@ -36,8 +39,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans), + GFP_KERNEL); + if (mv_list) { +- /* Initialize list of VF macvlans */ +- INIT_LIST_HEAD(&adapter->vf_mvs.l); + for (i = 0; i < num_vf_macvlans; i++) { + mv_list[i].vf = -1; + mv_list[i].free = true; +-- +2.40.1 + diff --git a/queue-6.5/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch b/queue-6.5/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch new file mode 100644 index 00000000000..c295e507b43 --- /dev/null +++ b/queue-6.5/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch @@ -0,0 +1,40 @@ +From fd8ffb5cf21848f9647077ecfaec164d54932add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 17:00:12 +0300 +Subject: mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type + +From: Dan Carpenter + +[ Upstream commit 1e0b72a2a6432c0ef67ee5ce8d9172a7c20bba25 ] + +The mlxsw_sp2_nve_vxlan_learning_set() function is supposed to return +zero on success or negative error codes. So it needs to be type int +instead of bool. + +Fixes: 4ee70efab68d ("mlxsw: spectrum_nve: Add support for VXLAN on Spectrum-2") +Signed-off-by: Dan Carpenter +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +index bb8eeb86edf75..52c2fe3644d4b 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +@@ -310,8 +310,8 @@ const struct mlxsw_sp_nve_ops mlxsw_sp1_nve_vxlan_ops = { + .fdb_clear_offload = mlxsw_sp_nve_vxlan_clear_offload, + }; + +-static bool mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, +- bool learning_en) ++static int mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, ++ bool learning_en) + { + char tnpc_pl[MLXSW_REG_TNPC_LEN]; + +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-qca8k-fix-potential-mdio-bus-conflict-when-a.patch b/queue-6.5/net-dsa-qca8k-fix-potential-mdio-bus-conflict-when-a.patch new file mode 100644 index 00000000000..061dfad39bf --- /dev/null +++ b/queue-6.5/net-dsa-qca8k-fix-potential-mdio-bus-conflict-when-a.patch @@ -0,0 +1,116 @@ +From e4a09620e150ae0511db53d2eafb4cf674d61d1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 11:19:04 +0200 +Subject: net: dsa: qca8k: fix potential MDIO bus conflict when accessing + internal PHYs via management frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 526c8ee04bdbd4d8d19a583b1f3b06700229a815 ] + +Besides the QCA8337 switch the Turris 1.x device has on it's MDIO bus +also Micron ethernet PHY (dedicated to the WAN port). + +We've been experiencing a strange behavior of the WAN ethernet +interface, wherein the WAN PHY started timing out the MDIO accesses, for +example when the interface was brought down and then back up. + +Bisecting led to commit 2cd548566384 ("net: dsa: qca8k: add support for +phy read/write with mgmt Ethernet"), which added support to access the +QCA8337 switch's internal PHYs via management ethernet frames. + +Connecting the MDIO bus pins onto an oscilloscope, I was able to see +that the MDIO bus was active whenever a request to read/write an +internal PHY register was done via an management ethernet frame. + +My theory is that when the switch core always communicates with the +internal PHYs via the MDIO bus, even when externally we request the +access via ethernet. This MDIO bus is the same one via which the switch +and internal PHYs are accessible to the board, and the board may have +other devices connected on this bus. An ASCII illustration may give more +insight: + + +---------+ + +----| | + | | WAN PHY | + | +--| | + | | +---------+ + | | + | | +----------------------------------+ + | | | QCA8337 | +MDC | | | +-------+ | +------o-+--|--------o------------o--| | | +MDIO | | | | | PHY 1 |-|--to RJ45 +--------o--|---o----+---------o--+--| | | + | | | | | +-------+ | + | +-------------+ | o--| | | + | | MDIO MDC | | | | PHY 2 |-|--to RJ45 +eth1 | | | o--+--| | | +-----------|-|port0 | | | +-------+ | + | | | | o--| | | + | | switch core | | | | PHY 3 |-|--to RJ45 + | +-------------+ o--+--| | | + | | | +-------+ | + | | o--| ... | | + +----------------------------------+ + +When we send a request to read an internal PHY register via an ethernet +management frame via eth1, the switch core receives the ethernet frame +on port 0 and then communicates with the internal PHY via MDIO. At this +time, other potential devices, such as the WAN PHY on Turris 1.x, cannot +use the MDIO bus, since it may cause a bus conflict. + +Fix this issue by locking the MDIO bus even when we are accessing the +PHY registers via ethernet management frames. + +Fixes: 2cd548566384 ("net: dsa: qca8k: add support for phy read/write with mgmt Ethernet") +Signed-off-by: Marek Behún +Reviewed-by: Christian Marangi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/qca/qca8k-8xxx.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/net/dsa/qca/qca8k-8xxx.c b/drivers/net/dsa/qca/qca8k-8xxx.c +index 8e1574c63954e..252089929eb92 100644 +--- a/drivers/net/dsa/qca/qca8k-8xxx.c ++++ b/drivers/net/dsa/qca/qca8k-8xxx.c +@@ -666,6 +666,15 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy, + goto err_read_skb; + } + ++ /* It seems that accessing the switch's internal PHYs via management ++ * packets still uses the MDIO bus within the switch internally, and ++ * these accesses can conflict with external MDIO accesses to other ++ * devices on the MDIO bus. ++ * We therefore need to lock the MDIO bus onto which the switch is ++ * connected. ++ */ ++ mutex_lock(&priv->bus->mdio_lock); ++ + /* Actually start the request: + * 1. Send mdio master packet + * 2. Busy Wait for mdio master command +@@ -678,6 +687,7 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy, + mgmt_master = priv->mgmt_master; + if (!mgmt_master) { + mutex_unlock(&mgmt_eth_data->mutex); ++ mutex_unlock(&priv->bus->mdio_lock); + ret = -EINVAL; + goto err_mgmt_master; + } +@@ -765,6 +775,7 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy, + QCA8K_ETHERNET_TIMEOUT); + + mutex_unlock(&mgmt_eth_data->mutex); ++ mutex_unlock(&priv->bus->mdio_lock); + + return ret; + +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-qca8k-fix-regmap-bulk-read-write-methods-on-.patch b/queue-6.5/net-dsa-qca8k-fix-regmap-bulk-read-write-methods-on-.patch new file mode 100644 index 00000000000..60d3e3aeb53 --- /dev/null +++ b/queue-6.5/net-dsa-qca8k-fix-regmap-bulk-read-write-methods-on-.patch @@ -0,0 +1,71 @@ +From b00502870a37a16355c94d51269e1d12272b87aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 11:19:03 +0200 +Subject: net: dsa: qca8k: fix regmap bulk read/write methods on big endian + systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 5652d1741574eb89cc02576e50ee3e348bd6dd77 ] + +Commit c766e077d927 ("net: dsa: qca8k: convert to regmap read/write +API") introduced bulk read/write methods to qca8k's regmap. + +The regmap bulk read/write methods get the register address in a buffer +passed as a void pointer parameter (the same buffer contains also the +read/written values). The register address occupies only as many bytes +as it requires at the beginning of this buffer. For example if the +.reg_bits member in regmap_config is 16 (as is the case for this +driver), the register address occupies only the first 2 bytes in this +buffer, so it can be cast to u16. + +But the original commit implementing these bulk read/write methods cast +the buffer to u32: + u32 reg = *(u32 *)reg_buf & U16_MAX; +taking the first 4 bytes. This works on little endian systems where the +first 2 bytes of the buffer correspond to the low 16-bits, but it +obviously cannot work on big endian systems. + +Fix this by casting the beginning of the buffer to u16 as + u32 reg = *(u16 *)reg_buf; + +Fixes: c766e077d927 ("net: dsa: qca8k: convert to regmap read/write API") +Signed-off-by: Marek Behún +Tested-by: Christian Marangi +Reviewed-by: Christian Marangi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/qca/qca8k-8xxx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/qca/qca8k-8xxx.c b/drivers/net/dsa/qca/qca8k-8xxx.c +index efe9380d4a15d..8e1574c63954e 100644 +--- a/drivers/net/dsa/qca/qca8k-8xxx.c ++++ b/drivers/net/dsa/qca/qca8k-8xxx.c +@@ -505,8 +505,8 @@ qca8k_bulk_read(void *ctx, const void *reg_buf, size_t reg_len, + void *val_buf, size_t val_len) + { + int i, count = val_len / sizeof(u32), ret; +- u32 reg = *(u32 *)reg_buf & U16_MAX; + struct qca8k_priv *priv = ctx; ++ u32 reg = *(u16 *)reg_buf; + + if (priv->mgmt_master && + !qca8k_read_eth(priv, reg, val_buf, val_len)) +@@ -527,8 +527,8 @@ qca8k_bulk_gather_write(void *ctx, const void *reg_buf, size_t reg_len, + const void *val_buf, size_t val_len) + { + int i, count = val_len / sizeof(u32), ret; +- u32 reg = *(u32 *)reg_buf & U16_MAX; + struct qca8k_priv *priv = ctx; ++ u32 reg = *(u16 *)reg_buf; + u32 *val = (u32 *)val_buf; + + if (priv->mgmt_master && +-- +2.40.1 + diff --git a/queue-6.5/net-macsec-indicate-next-pn-update-when-offloading.patch b/queue-6.5/net-macsec-indicate-next-pn-update-when-offloading.patch new file mode 100644 index 00000000000..fd8ee5dcd0e --- /dev/null +++ b/queue-6.5/net-macsec-indicate-next-pn-update-when-offloading.patch @@ -0,0 +1,73 @@ +From 715c1cd4ea7157c60e6918657791f88907915aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:33 +0300 +Subject: net: macsec: indicate next pn update when offloading + +From: Radu Pirea (NXP OSS) + +[ Upstream commit 0412cc846a1ef38697c3f321f9b174da91ecd3b5 ] + +Indicate next PN update using update_pn flag in macsec_context. +Offloaded MACsec implementations does not know whether or not the +MACSEC_SA_ATTR_PN attribute was passed for an SA update and assume +that next PN should always updated, but this is not always true. + +The PN can be reset to its initial value using the following command: +$ ip macsec set macsec0 tx sa 0 off #octeontx2-pf case + +Or, the update PN command will succeed even if the driver does not support +PN updates. +$ ip macsec set macsec0 tx sa 0 pn 1 on #mscc phy driver case + +Comparing the initial PN with the new PN value is not a solution. When +the user updates the PN using its initial value the command will +succeed, even if the driver does not support it. Like this: +$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \ +ead3664f508eb06c40ac7104cdae4ce5 +$ ip macsec set macsec0 tx sa 0 pn 1 on #mlx5 case + +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Stable-dep-of: e0a8c918daa5 ("net: phy: mscc: macsec: reject PN update requests") +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 ++ + include/net/macsec.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 2d64650f4eb3c..1c60548c1ddde 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2394,6 +2394,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) + + ctx.sa.assoc_num = assoc_num; + ctx.sa.tx_sa = tx_sa; ++ ctx.sa.update_pn = !!prev_pn.full64; + ctx.secy = secy; + + ret = macsec_offload(ops->mdo_upd_txsa, &ctx); +@@ -2487,6 +2488,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) + + ctx.sa.assoc_num = assoc_num; + ctx.sa.rx_sa = rx_sa; ++ ctx.sa.update_pn = !!prev_pn.full64; + ctx.secy = secy; + + ret = macsec_offload(ops->mdo_upd_rxsa, &ctx); +diff --git a/include/net/macsec.h b/include/net/macsec.h +index 441ed8fd4b5f6..41c1884a3e419 100644 +--- a/include/net/macsec.h ++++ b/include/net/macsec.h +@@ -258,6 +258,7 @@ struct macsec_context { + struct macsec_secy *secy; + struct macsec_rx_sc *rx_sc; + struct { ++ bool update_pn; + unsigned char assoc_num; + u8 key[MACSEC_MAX_KEY_LEN]; + union { +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch b/queue-6.5/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch new file mode 100644 index 00000000000..404f55255f5 --- /dev/null +++ b/queue-6.5/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch @@ -0,0 +1,57 @@ +From 007ebf16646ea3c48c3b5e440599a213812c3377 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 22:37:06 -0700 +Subject: net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp + +From: Will Mortensen + +[ Upstream commit da6192ca72d5ad913d109d43dc896290ad05d98f ] + +Commit 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs +flag change") seems to have accidentally inverted the logic added in +commit 0bc73ad46a76 ("net/mlx5e: Mutually exclude RX-FCS and +RX-port-timestamp"). + +The impact of this is a little unclear since it seems the FCS scattered +with RX-FCS is (usually?) correct regardless. + +Fixes: 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change") +Tested-by: Charlotte Tan +Reviewed-by: Charlotte Tan +Cc: Adham Faris +Cc: Aya Levin +Cc: Tariq Toukan +Cc: Moshe Shemesh +Cc: Saeed Mahameed +Signed-off-by: Will Mortensen +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20231006053706.514618-1-will@extrahop.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index f7b494125eee8..0cbe822ab084f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3952,13 +3952,14 @@ static int set_feature_rx_fcs(struct net_device *netdev, bool enable) + struct mlx5e_channels *chs = &priv->channels; + struct mlx5e_params new_params; + int err; ++ bool rx_ts_over_crc = !enable; + + mutex_lock(&priv->state_lock); + + new_params = chs->params; + new_params.scatter_fcs_en = enable; + err = mlx5e_safe_switch_params(priv, &new_params, mlx5e_set_rx_port_ts_wrap, +- &new_params.scatter_fcs_en, true); ++ &rx_ts_over_crc, true); + mutex_unlock(&priv->state_lock); + return err; + } +-- +2.40.1 + diff --git a/queue-6.5/net-mlx5e-macsec-use-update_pn-flag-instead-of-pn-co.patch b/queue-6.5/net-mlx5e-macsec-use-update_pn-flag-instead-of-pn-co.patch new file mode 100644 index 00000000000..d8aa7074e03 --- /dev/null +++ b/queue-6.5/net-mlx5e-macsec-use-update_pn-flag-instead-of-pn-co.patch @@ -0,0 +1,53 @@ +From 86b5ed8a1bf7c33ff7a0c31c4b297627a5c4c336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:36 +0300 +Subject: net/mlx5e: macsec: use update_pn flag instead of PN comparation + +From: Radu Pirea (NXP OSS) + +[ Upstream commit fde2f2d7f23d39f2fc699ba6d91ac3f4a2e637ca ] + +When updating the SA, use the new update_pn flags instead of comparing the +new PN with the initial one. + +Comparing the initial PN value with the new value will allow the user +to update the SA using the initial PN value as a parameter like this: +$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \ +ead3664f508eb06c40ac7104cdae4ce5 +$ ip macsec set macsec0 tx sa 0 pn 1 off + +Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support") +Fixes: aae3454e4d4c ("net/mlx5e: Add MACsec offload Rx command support") +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c +index 592b165530ffa..6bce55978aa72 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c +@@ -612,7 +612,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx) + goto out; + } + +- if (tx_sa->next_pn != ctx_tx_sa->next_pn_halves.lower) { ++ if (ctx->sa.update_pn) { + netdev_err(netdev, "MACsec offload: update TX sa %d PN isn't supported\n", + assoc_num); + err = -EINVAL; +@@ -1017,7 +1017,7 @@ static int mlx5e_macsec_upd_rxsa(struct macsec_context *ctx) + goto out; + } + +- if (rx_sa->next_pn != ctx_rx_sa->next_pn_halves.lower) { ++ if (ctx->sa.update_pn) { + netdev_err(ctx->netdev, + "MACsec offload update RX sa %d PN isn't supported\n", + assoc_num); +-- +2.40.1 + diff --git a/queue-6.5/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch b/queue-6.5/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch new file mode 100644 index 00000000000..e543a539884 --- /dev/null +++ b/queue-6.5/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch @@ -0,0 +1,130 @@ +From becd4d6f2ad093b4327ebb63d387fdb0dae2eec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 12:31:10 +0000 +Subject: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() + +From: Eric Dumazet + +[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ] + +Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. + +Getting a reference on the socket found in a lookup while +holding a lock should happen before releasing the lock. + +nfc_llcp_sock_get_sn() has a similar problem. + +Finally nfc_llcp_recv_snl() needs to make sure the socket +found by nfc_llcp_sock_from_sn() does not disappear. + +Fixes: 8f50020ed9b8 ("NFC: LLCP late binding") +Reported-by: Sili Luo +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 30 ++++++++++++------------------ + 1 file changed, 12 insertions(+), 18 deletions(-) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 6705bb895e239..1dac28136e6a3 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -203,17 +203,13 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local, + + if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) { + llcp_sock = tmp_sock; ++ sock_hold(&llcp_sock->sk); + break; + } + } + + read_unlock(&local->sockets.lock); + +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- + return llcp_sock; + } + +@@ -346,7 +342,8 @@ static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- const u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len, ++ bool needref) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -382,6 +379,8 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, + + if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) { + llcp_sock = tmp_sock; ++ if (needref) ++ sock_hold(&llcp_sock->sk); + break; + } + } +@@ -423,7 +422,8 @@ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + * to this service name. + */ + if (nfc_llcp_sock_from_sn(local, sock->service_name, +- sock->service_name_len) != NULL) { ++ sock->service_name_len, ++ false) != NULL) { + mutex_unlock(&local->sdp_lock); + + return LLCP_SAP_MAX; +@@ -824,16 +824,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + const u8 *sn, size_t sn_len) + { +- struct nfc_llcp_sock *llcp_sock; +- +- llcp_sock = nfc_llcp_sock_from_sn(local, sn, sn_len); +- +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- +- return llcp_sock; ++ return nfc_llcp_sock_from_sn(local, sn, sn_len, true); + } + + static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) +@@ -1298,7 +1289,8 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + } + + llcp_sock = nfc_llcp_sock_from_sn(local, service_name, +- service_name_len); ++ service_name_len, ++ true); + if (!llcp_sock) { + sap = 0; + goto add_snl; +@@ -1318,6 +1310,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + if (sap == LLCP_SAP_MAX) { + sap = 0; ++ nfc_llcp_sock_put(llcp_sock); + goto add_snl; + } + +@@ -1335,6 +1328,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + pr_debug("%p %d\n", llcp_sock, sap); + ++ nfc_llcp_sock_put(llcp_sock); + add_snl: + sdp = nfc_llcp_build_sdres_tlv(tid, sap); + if (sdp == NULL) +-- +2.40.1 + diff --git a/queue-6.5/net-phy-mscc-macsec-reject-pn-update-requests.patch b/queue-6.5/net-phy-mscc-macsec-reject-pn-update-requests.patch new file mode 100644 index 00000000000..faea015c868 --- /dev/null +++ b/queue-6.5/net-phy-mscc-macsec-reject-pn-update-requests.patch @@ -0,0 +1,52 @@ +From 5ae1b6da9b51ab2bb5ee5a688b190c8dac5b69b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:35 +0300 +Subject: net: phy: mscc: macsec: reject PN update requests + +From: Radu Pirea (NXP OSS) + +[ Upstream commit e0a8c918daa58700609ebd45e3fcd49965be8bbc ] + +Updating the PN is not supported. +Return -EINVAL if update_pn is true. + +The following command succeeded, but it should fail because the driver +does not update the PN: +ip macsec set macsec0 tx sa 0 pn 232 on + +Fixes: 28c5107aa904 ("net: phy: mscc: macsec support") +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_macsec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c +index 018253a573b88..4f39ba63a9a91 100644 +--- a/drivers/net/phy/mscc/mscc_macsec.c ++++ b/drivers/net/phy/mscc/mscc_macsec.c +@@ -849,6 +849,9 @@ static int vsc8584_macsec_upd_rxsa(struct macsec_context *ctx) + struct macsec_flow *flow; + int ret; + ++ if (ctx->sa.update_pn) ++ return -EINVAL; ++ + flow = vsc8584_macsec_find_flow(ctx, MACSEC_INGR); + if (IS_ERR(flow)) + return PTR_ERR(flow); +@@ -900,6 +903,9 @@ static int vsc8584_macsec_upd_txsa(struct macsec_context *ctx) + struct macsec_flow *flow; + int ret; + ++ if (ctx->sa.update_pn) ++ return -EINVAL; ++ + flow = vsc8584_macsec_find_flow(ctx, MACSEC_EGR); + if (IS_ERR(flow)) + return PTR_ERR(flow); +-- +2.40.1 + diff --git a/queue-6.5/net-refine-debug-info-in-skb_checksum_help.patch b/queue-6.5/net-refine-debug-info-in-skb_checksum_help.patch new file mode 100644 index 00000000000..69b72a0b078 --- /dev/null +++ b/queue-6.5/net-refine-debug-info-in-skb_checksum_help.patch @@ -0,0 +1,56 @@ +From 7f803ed30baa0722f19d84d9d42892fc4bb28528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 17:33:54 +0000 +Subject: net: refine debug info in skb_checksum_help() + +From: Eric Dumazet + +[ Upstream commit 26c29961b142444cd99361644c30fa1e9b3da6be ] + +syzbot uses panic_on_warn. + +This means that the skb_dump() I added in the blamed commit are +not even called. + +Rewrite this so that we get the needed skb dump before syzbot crashes. + +Fixes: eeee4b77dc52 ("net: add more debug info in skb_checksum_help()") +Signed-off-by: Eric Dumazet +Reported-by: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20231006173355.2254983-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 69a3e544676c4..968be1c20ca1f 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3285,15 +3285,19 @@ int skb_checksum_help(struct sk_buff *skb) + + offset = skb_checksum_start_offset(skb); + ret = -EINVAL; +- if (WARN_ON_ONCE(offset >= skb_headlen(skb))) { ++ if (unlikely(offset >= skb_headlen(skb))) { + DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false); ++ WARN_ONCE(true, "offset (%d) >= skb_headlen() (%u)\n", ++ offset, skb_headlen(skb)); + goto out; + } + csum = skb_checksum(skb, offset, skb->len - offset, 0); + + offset += skb->csum_offset; +- if (WARN_ON_ONCE(offset + sizeof(__sum16) > skb_headlen(skb))) { ++ if (unlikely(offset + sizeof(__sum16) > skb_headlen(skb))) { + DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false); ++ WARN_ONCE(true, "offset+2 (%zu) > skb_headlen() (%u)\n", ++ offset + sizeof(__sum16), skb_headlen(skb)); + goto out; + } + ret = skb_ensure_writable(skb, offset + sizeof(__sum16)); +-- +2.40.1 + diff --git a/queue-6.5/net-smc-fix-dependency-of-smc-on-ism.patch b/queue-6.5/net-smc-fix-dependency-of-smc-on-ism.patch new file mode 100644 index 00000000000..3f1e510f268 --- /dev/null +++ b/queue-6.5/net-smc-fix-dependency-of-smc-on-ism.patch @@ -0,0 +1,68 @@ +From 0d52b7ae5b0a68356425895de18620678d945147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 14:58:47 +0200 +Subject: net/smc: Fix dependency of SMC on ISM + +From: Gerd Bayer + +[ Upstream commit a72178cfe855c283224f393d94a1332b90d1483e ] + +When the SMC protocol is built into the kernel proper while ISM is +configured to be built as module, linking the kernel fails due to +unresolved dependencies out of net/smc/smc_ism.o to +ism_get_smcd_ops, ism_register_client, and ism_unregister_client +as reported via the linux-next test automation (see link). +This however is a bug introduced a while ago. + +Correct the dependency list in ISM's and SMC's Kconfig to reflect the +dependencies that are actually inverted. With this you cannot build a +kernel with CONFIG_SMC=y and CONFIG_ISM=m. Either ISM needs to be 'y', +too - or a 'n'. That way, SMC can still be configured on non-s390 +architectures that do not have (nor need) an ISM driver. + +Fixes: 89e7d2ba61b7 ("net/ism: Add new API for client registration") +Reported-by: Randy Dunlap +Closes: https://lore.kernel.org/linux-next/d53b5b50-d894-4df8-8969-fd39e63440ae@infradead.org/ +Co-developed-by: Wenjia Zhang +Signed-off-by: Wenjia Zhang +Signed-off-by: Gerd Bayer +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap # build-tested +Link: https://lore.kernel.org/r/20231006125847.1517840-1-gbayer@linux.ibm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/s390/net/Kconfig | 2 +- + net/smc/Kconfig | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/net/Kconfig b/drivers/s390/net/Kconfig +index 9c67b97faba2b..610ad8a801a57 100644 +--- a/drivers/s390/net/Kconfig ++++ b/drivers/s390/net/Kconfig +@@ -103,7 +103,7 @@ config CCWGROUP + + config ISM + tristate "Support for ISM vPCI Adapter" +- depends on PCI && SMC ++ depends on PCI + default n + help + Select this option if you want to use the Internal Shared Memory +diff --git a/net/smc/Kconfig b/net/smc/Kconfig +index 1ab3c5a2c5ada..746be39967683 100644 +--- a/net/smc/Kconfig ++++ b/net/smc/Kconfig +@@ -2,6 +2,7 @@ + config SMC + tristate "SMC socket protocol family" + depends on INET && INFINIBAND ++ depends on m || ISM != m + help + SMC-R provides a "sockets over RDMA" solution making use of + RDMA over Converged Ethernet (RoCE) technology to upgrade +-- +2.40.1 + diff --git a/queue-6.5/net-smc-fix-pos-miscalculation-in-statistics.patch b/queue-6.5/net-smc-fix-pos-miscalculation-in-statistics.patch new file mode 100644 index 00000000000..995ada93d61 --- /dev/null +++ b/queue-6.5/net-smc-fix-pos-miscalculation-in-statistics.patch @@ -0,0 +1,91 @@ +From ca0ff90b0a3a5ea53a8244f5cca42d5c5cdfbff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 16:40:48 +0200 +Subject: net/smc: Fix pos miscalculation in statistics + +From: Nils Hoppmann + +[ Upstream commit a950a5921db450c74212327f69950ff03419483a ] + +SMC_STAT_PAYLOAD_SUB(_smc_stats, _tech, key, _len, _rc) will calculate +wrong bucket positions for payloads of exactly 4096 bytes and +(1 << (m + 12)) bytes, with m == SMC_BUF_MAX - 1. + +Intended bucket distribution: +Assume l == size of payload, m == SMC_BUF_MAX - 1. + +Bucket 0 : 0 < l <= 2^13 +Bucket n, 1 <= n <= m-1 : 2^(n+12) < l <= 2^(n+13) +Bucket m : l > 2^(m+12) + +Current solution: +_pos = fls64((l) >> 13) +[...] +_pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m + +For l == 4096, _pos == -1, but should be _pos == 0. +For l == (1 << (m + 12)), _pos == m, but should be _pos == m - 1. + +In order to avoid special treatment of these corner cases, the +calculation is adjusted. The new solution first subtracts the length by +one, and then calculates the correct bucket by shifting accordingly, +i.e. _pos = fls64((l - 1) >> 13), l > 0. +This not only fixes the issues named above, but also makes the whole +bucket assignment easier to follow. + +Same is done for SMC_STAT_RMB_SIZE_SUB(_smc_stats, _tech, k, _len), +where the calculation of the bucket position is similar to the one +named above. + +Fixes: e0e4b8fa5338 ("net/smc: Add SMC statistics support") +Suggested-by: Halil Pasic +Signed-off-by: Nils Hoppmann +Reviewed-by: Halil Pasic +Reviewed-by: Wenjia Zhang +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_stats.h | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h +index aa8928975cc63..9d32058db2b5d 100644 +--- a/net/smc/smc_stats.h ++++ b/net/smc/smc_stats.h +@@ -92,13 +92,14 @@ do { \ + typeof(_smc_stats) stats = (_smc_stats); \ + typeof(_tech) t = (_tech); \ + typeof(_len) l = (_len); \ +- int _pos = fls64((l) >> 13); \ ++ int _pos; \ + typeof(_rc) r = (_rc); \ + int m = SMC_BUF_MAX - 1; \ + this_cpu_inc((*stats).smc[t].key ## _cnt); \ +- if (r <= 0) \ ++ if (r <= 0 || l <= 0) \ + break; \ +- _pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \ ++ _pos = fls64((l - 1) >> 13); \ ++ _pos = (_pos <= m) ? _pos : m; \ + this_cpu_inc((*stats).smc[t].key ## _pd.buf[_pos]); \ + this_cpu_add((*stats).smc[t].key ## _bytes, r); \ + } \ +@@ -138,9 +139,12 @@ while (0) + do { \ + typeof(_len) _l = (_len); \ + typeof(_tech) t = (_tech); \ +- int _pos = fls((_l) >> 13); \ ++ int _pos; \ + int m = SMC_BUF_MAX - 1; \ +- _pos = (_pos < m) ? ((_l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \ ++ if (_l <= 0) \ ++ break; \ ++ _pos = fls((_l - 1) >> 13); \ ++ _pos = (_pos <= m) ? _pos : m; \ + this_cpu_inc((*(_smc_stats)).smc[t].k ## _rmbsize.buf[_pos]); \ + } \ + while (0) +-- +2.40.1 + diff --git a/queue-6.5/net-tcp-fix-crashes-trying-to-free-half-baked-mtu-pr.patch b/queue-6.5/net-tcp-fix-crashes-trying-to-free-half-baked-mtu-pr.patch new file mode 100644 index 00000000000..ecc3baf112f --- /dev/null +++ b/queue-6.5/net-tcp-fix-crashes-trying-to-free-half-baked-mtu-pr.patch @@ -0,0 +1,37 @@ +From bdec67a24485af08ce014aa3d86dcb38553e3274 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 10:36:51 -0700 +Subject: net: tcp: fix crashes trying to free half-baked MTU probes + +From: Jakub Kicinski + +[ Upstream commit 71c299c711d1f44f0bf04f1fea66baad565240f1 ] + +tcp_stream_alloc_skb() initializes the skb to use tcp_tsorted_anchor +which is a union with the destructor. We need to clean that +TCP-iness up before freeing. + +Fixes: 736013292e3c ("tcp: let tcp_mtu_probe() build headless packets") +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231010173651.3990234-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 37fd9537423f1..a8f58f5e99a77 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2441,6 +2441,7 @@ static int tcp_mtu_probe(struct sock *sk) + + /* build the payload, and be prepared to abort if this fails. */ + if (tcp_clone_payload(sk, nskb, probe_size)) { ++ tcp_skb_tsorted_anchor_cleanup(nskb); + consume_skb(nskb); + return -1; + } +-- +2.40.1 + diff --git a/queue-6.5/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-6.5/nfc-nci-assert-requested-protocol-is-valid.patch new file mode 100644 index 00000000000..3ad7c5858c5 --- /dev/null +++ b/queue-6.5/nfc-nci-assert-requested-protocol-is-valid.patch @@ -0,0 +1,45 @@ +From acb7e9d77b77fc5fbcc6974cb38fff1178aa2f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 16:00:54 -0400 +Subject: nfc: nci: assert requested protocol is valid + +From: Jeremy Cline + +[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ] + +The protocol is used in a bit mask to determine if the protocol is +supported. Assert the provided protocol is less than the maximum +defined so it doesn't potentially perform a shift-out-of-bounds and +provide a clearer error for undefined protocols vs unsupported ones. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78 +Signed-off-by: Jeremy Cline +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index fff755dde30d6..6c9592d051206 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -909,6 +909,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev, + return -EINVAL; + } + ++ if (protocol >= NFC_PROTO_MAX) { ++ pr_err("the requested nfc protocol is invalid\n"); ++ return -EINVAL; ++ } ++ + if (!(nci_target->supported_protocols & (1 << protocol))) { + pr_err("target does not support the requested protocol 0x%x\n", + protocol); +-- +2.40.1 + diff --git a/queue-6.5/octeontx2-pf-fix-page-pool-frag-allocation-warning.patch b/queue-6.5/octeontx2-pf-fix-page-pool-frag-allocation-warning.patch new file mode 100644 index 00000000000..0b82d4dc180 --- /dev/null +++ b/queue-6.5/octeontx2-pf-fix-page-pool-frag-allocation-warning.patch @@ -0,0 +1,79 @@ +From 2f71b78b0c505031d5917f9772ee1e451a7ffb12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 09:18:42 +0530 +Subject: octeontx2-pf: Fix page pool frag allocation warning + +From: Ratheesh Kannoth + +[ Upstream commit 50e492143374c17ad89c865a1a44837b3f5c8226 ] + +Since page pool param's "order" is set to 0, will result +in below warn message if interface is configured with higher +rx buffer size. + +Steps to reproduce the issue. +1. devlink dev param set pci/0002:04:00.0 name receive_buffer_size \ + value 8196 cmode runtime +2. ifconfig eth0 up + +[ 19.901356] ------------[ cut here ]------------ +[ 19.901361] WARNING: CPU: 11 PID: 12331 at net/core/page_pool.c:567 page_pool_alloc_frag+0x3c/0x230 +[ 19.901449] pstate: 82401009 (Nzcv daif +PAN -UAO +TCO -DIT +SSBS BTYPE=--) +[ 19.901451] pc : page_pool_alloc_frag+0x3c/0x230 +[ 19.901453] lr : __otx2_alloc_rbuf+0x60/0xbc [rvu_nicpf] +[ 19.901460] sp : ffff80000f66b970 +[ 19.901461] x29: ffff80000f66b970 x28: 0000000000000000 x27: 0000000000000000 +[ 19.901464] x26: ffff800000d15b68 x25: ffff000195b5c080 x24: ffff0002a5a32dc0 +[ 19.901467] x23: ffff0001063c0878 x22: 0000000000000100 x21: 0000000000000000 +[ 19.901469] x20: 0000000000000000 x19: ffff00016f781000 x18: 0000000000000000 +[ 19.901472] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 19.901474] x14: 0000000000000000 x13: ffff0005ffdc9c80 x12: 0000000000000000 +[ 19.901477] x11: ffff800009119a38 x10: 4c6ef2e3ba300519 x9 : ffff800000d13844 +[ 19.901479] x8 : ffff0002a5a33cc8 x7 : 0000000000000030 x6 : 0000000000000030 +[ 19.901482] x5 : 0000000000000005 x4 : 0000000000000000 x3 : 0000000000000a20 +[ 19.901484] x2 : 0000000000001080 x1 : ffff80000f66b9d4 x0 : 0000000000001000 +[ 19.901487] Call trace: +[ 19.901488] page_pool_alloc_frag+0x3c/0x230 +[ 19.901490] __otx2_alloc_rbuf+0x60/0xbc [rvu_nicpf] +[ 19.901494] otx2_rq_aura_pool_init+0x1c4/0x240 [rvu_nicpf] +[ 19.901498] otx2_open+0x228/0xa70 [rvu_nicpf] +[ 19.901501] otx2vf_open+0x20/0xd0 [rvu_nicvf] +[ 19.901504] __dev_open+0x114/0x1d0 +[ 19.901507] __dev_change_flags+0x194/0x210 +[ 19.901510] dev_change_flags+0x2c/0x70 +[ 19.901512] devinet_ioctl+0x3a4/0x6c4 +[ 19.901515] inet_ioctl+0x228/0x240 +[ 19.901518] sock_ioctl+0x2ac/0x480 +[ 19.901522] __arm64_sys_ioctl+0x564/0xe50 +[ 19.901525] invoke_syscall.constprop.0+0x58/0xf0 +[ 19.901529] do_el0_svc+0x58/0x150 +[ 19.901531] el0_svc+0x30/0x140 +[ 19.901533] el0t_64_sync_handler+0xe8/0x114 +[ 19.901535] el0t_64_sync+0x1a0/0x1a4 +[ 19.901537] ---[ end trace 678c0bf660ad8116 ]--- + +Fixes: b2e3406a38f0 ("octeontx2-pf: Add support for page pool") +Signed-off-by: Ratheesh Kannoth +Reviewed-by: Yunsheng Lin +Link: https://lore.kernel.org/r/20231010034842.3807816-1-rkannoth@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index 20ecc90d203e0..379e1510b70c0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -1401,6 +1401,7 @@ int otx2_pool_init(struct otx2_nic *pfvf, u16 pool_id, + return 0; + } + ++ pp_params.order = get_order(buf_size); + pp_params.flags = PP_FLAG_PAGE_FRAG | PP_FLAG_DMA_MAP; + pp_params.pool_size = min(OTX2_PAGE_POOL_SZ, numptrs); + pp_params.nid = NUMA_NO_NODE; +-- +2.40.1 + diff --git a/queue-6.5/octeontx2-pf-mcs-update-pn-only-when-update_pn-is-tr.patch b/queue-6.5/octeontx2-pf-mcs-update-pn-only-when-update_pn-is-tr.patch new file mode 100644 index 00000000000..660aa073220 --- /dev/null +++ b/queue-6.5/octeontx2-pf-mcs-update-pn-only-when-update_pn-is-tr.patch @@ -0,0 +1,57 @@ +From 62f6e71a1af5bdc61bb13587d07f1bed6872cad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:34 +0300 +Subject: octeontx2-pf: mcs: update PN only when update_pn is true + +From: Radu Pirea (NXP OSS) + +[ Upstream commit 4dcf38ae3ca16b8872f151d46ba5ac28dd580b60 ] + +When updating SA, update the PN only when the update_pn flag is true. +Otherwise, the PN will be reset to its previous value using the +following command and this should not happen: +$ ip macsec set macsec0 tx sa 0 on + +Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading") +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index 59b138214af2f..6cc7a78968fc1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -1357,10 +1357,12 @@ static int cn10k_mdo_upd_txsa(struct macsec_context *ctx) + + if (netif_running(secy->netdev)) { + /* Keys cannot be changed after creation */ +- err = cn10k_write_tx_sa_pn(pfvf, txsc, sa_num, +- sw_tx_sa->next_pn); +- if (err) +- return err; ++ if (ctx->sa.update_pn) { ++ err = cn10k_write_tx_sa_pn(pfvf, txsc, sa_num, ++ sw_tx_sa->next_pn); ++ if (err) ++ return err; ++ } + + err = cn10k_mcs_link_tx_sa2sc(pfvf, secy, txsc, + sa_num, sw_tx_sa->active); +@@ -1529,6 +1531,9 @@ static int cn10k_mdo_upd_rxsa(struct macsec_context *ctx) + if (err) + return err; + ++ if (!ctx->sa.update_pn) ++ return 0; ++ + err = cn10k_mcs_write_rx_sa_pn(pfvf, rxsc, sa_num, + rx_sa->next_pn); + if (err) +-- +2.40.1 + diff --git a/queue-6.5/phy-lynx-28g-cancel-the-cdr-check-work-item-on-the-r.patch b/queue-6.5/phy-lynx-28g-cancel-the-cdr-check-work-item-on-the-r.patch new file mode 100644 index 00000000000..c20c542b250 --- /dev/null +++ b/queue-6.5/phy-lynx-28g-cancel-the-cdr-check-work-item-on-the-r.patch @@ -0,0 +1,52 @@ +From ad3a210082846e380fe0abd7f30cd9751ee77e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:17:06 +0300 +Subject: phy: lynx-28g: cancel the CDR check work item on the remove path + +From: Ioana Ciornei + +[ Upstream commit f200bab3756fe81493a1b280180dafa1d9ccdcf7 ] + +The blamed commit added the CDR check work item but didn't cancel it on +the remove path. Fix this by adding a remove function which takes care +of it. + +Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G") +Signed-off-by: Ioana Ciornei +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c +index 569f12af2aafa..9d55dbee2e0a5 100644 +--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c ++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c +@@ -603,6 +603,14 @@ static int lynx_28g_probe(struct platform_device *pdev) + return PTR_ERR_OR_ZERO(provider); + } + ++static void lynx_28g_remove(struct platform_device *pdev) ++{ ++ struct device *dev = &pdev->dev; ++ struct lynx_28g_priv *priv = dev_get_drvdata(dev); ++ ++ cancel_delayed_work_sync(&priv->cdr_check); ++} ++ + static const struct of_device_id lynx_28g_of_match_table[] = { + { .compatible = "fsl,lynx-28g" }, + { }, +@@ -611,6 +619,7 @@ MODULE_DEVICE_TABLE(of, lynx_28g_of_match_table); + + static struct platform_driver lynx_28g_driver = { + .probe = lynx_28g_probe, ++ .remove_new = lynx_28g_remove, + .driver = { + .name = "lynx-28g", + .of_match_table = lynx_28g_of_match_table, +-- +2.40.1 + diff --git a/queue-6.5/phy-lynx-28g-lock-phy-while-performing-cdr-lock-work.patch b/queue-6.5/phy-lynx-28g-lock-phy-while-performing-cdr-lock-work.patch new file mode 100644 index 00000000000..5879ebf2daf --- /dev/null +++ b/queue-6.5/phy-lynx-28g-lock-phy-while-performing-cdr-lock-work.patch @@ -0,0 +1,55 @@ +From 078f979664d9130f2c9afc322aa6a110df1ec677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:17:07 +0300 +Subject: phy: lynx-28g: lock PHY while performing CDR lock workaround + +From: Vladimir Oltean + +[ Upstream commit 0ac87fe54a171d18c5fb5345e3ee8d14e1b06f4b ] + +lynx_28g_cdr_lock_check() runs once per second in a workqueue to reset +the lane receiver if the CDR has not locked onto bit transitions in the +RX stream. But the PHY consumer may do stuff with the PHY simultaneously, +and that isn't okay. Block concurrent generic PHY calls by holding the +PHY mutex from this workqueue. + +Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c +index 9d55dbee2e0a5..d49aa59c7d812 100644 +--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c ++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c +@@ -507,11 +507,12 @@ static void lynx_28g_cdr_lock_check(struct work_struct *work) + for (i = 0; i < LYNX_28G_NUM_LANE; i++) { + lane = &priv->lane[i]; + +- if (!lane->init) +- continue; ++ mutex_lock(&lane->phy->mutex); + +- if (!lane->powered_up) ++ if (!lane->init || !lane->powered_up) { ++ mutex_unlock(&lane->phy->mutex); + continue; ++ } + + rrstctl = lynx_28g_lane_read(lane, LNaRRSTCTL); + if (!(rrstctl & LYNX_28G_LNaRRSTCTL_CDR_LOCK)) { +@@ -520,6 +521,8 @@ static void lynx_28g_cdr_lock_check(struct work_struct *work) + rrstctl = lynx_28g_lane_read(lane, LNaRRSTCTL); + } while (!(rrstctl & LYNX_28G_LNaRRSTCTL_RST_DONE)); + } ++ ++ mutex_unlock(&lane->phy->mutex); + } + queue_delayed_work(system_power_efficient_wq, &priv->cdr_check, + msecs_to_jiffies(1000)); +-- +2.40.1 + diff --git a/queue-6.5/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch b/queue-6.5/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch new file mode 100644 index 00000000000..d0d43bab11a --- /dev/null +++ b/queue-6.5/phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch @@ -0,0 +1,74 @@ +From 127340239b7d453e1475fdec012f8f5e5c19ef6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:17:08 +0300 +Subject: phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to + shared registers + +From: Vladimir Oltean + +[ Upstream commit 139ad1143151a07be93bf741d4ea7c89e59f89ce ] + +The protocol converter configuration registers PCC8, PCCC, PCCD +(implemented by the driver), as well as others, control protocol +converters from multiple lanes (each represented as a different +struct phy). So, if there are simultaneous calls to phy_set_mode_ext() +to lanes sharing the same PCC register (either for the "old" or for the +"new" protocol), corruption of the values programmed to hardware is +possible, because lynx_28g_rmw() has no locking. + +Add a spinlock in the struct lynx_28g_priv shared by all lanes, and take +the global spinlock from the phy_ops :: set_mode() implementation. There +are no other callers which modify PCC registers. + +Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c +index d49aa59c7d812..0a8b40edc3f31 100644 +--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c ++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c +@@ -126,6 +126,10 @@ struct lynx_28g_lane { + struct lynx_28g_priv { + void __iomem *base; + struct device *dev; ++ /* Serialize concurrent access to registers shared between lanes, ++ * like PCCn ++ */ ++ spinlock_t pcc_lock; + struct lynx_28g_pll pll[LYNX_28G_NUM_PLL]; + struct lynx_28g_lane lane[LYNX_28G_NUM_LANE]; + +@@ -396,6 +400,8 @@ static int lynx_28g_set_mode(struct phy *phy, enum phy_mode mode, int submode) + if (powered_up) + lynx_28g_power_off(phy); + ++ spin_lock(&priv->pcc_lock); ++ + switch (submode) { + case PHY_INTERFACE_MODE_SGMII: + case PHY_INTERFACE_MODE_1000BASEX: +@@ -412,6 +418,8 @@ static int lynx_28g_set_mode(struct phy *phy, enum phy_mode mode, int submode) + lane->interface = submode; + + out: ++ spin_unlock(&priv->pcc_lock); ++ + /* Power up the lane if necessary */ + if (powered_up) + lynx_28g_power_on(phy); +@@ -595,6 +603,7 @@ static int lynx_28g_probe(struct platform_device *pdev) + + dev_set_drvdata(dev, priv); + ++ spin_lock_init(&priv->pcc_lock); + INIT_DELAYED_WORK(&priv->cdr_check, lynx_28g_cdr_lock_check); + + queue_delayed_work(system_power_efficient_wq, &priv->cdr_check, +-- +2.40.1 + diff --git a/queue-6.5/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch b/queue-6.5/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch new file mode 100644 index 00000000000..0249ea688d7 --- /dev/null +++ b/queue-6.5/pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch @@ -0,0 +1,52 @@ +From e84c03cda4e0799d9453b986c3be29cc6a0c8f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Aug 2023 13:15:28 +0300 +Subject: pinctrl: nuvoton: wpcm450: fix out of bounds write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mikhail Kobuk + +[ Upstream commit 87d315a34133edcb29c4cadbf196ec6c30dfd47b ] + +Write into 'pctrl->gpio_bank' happens before the check for GPIO index +validity, so out of bounds write may happen. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a1d1e0e3d80a ("pinctrl: nuvoton: Add driver for WPCM450") +Signed-off-by: Mikhail Kobuk +Reviewed-by: Alexey Khoroshilov +Reviewed-by: Jonathan Neuschäfer +Link: https://lore.kernel.org/r/20230825101532.6624-1-m.kobuk@ispras.ru +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nuvoton/pinctrl-wpcm450.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c b/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c +index 2d1c1652cfd9d..8a9961ac87128 100644 +--- a/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c ++++ b/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c +@@ -1062,13 +1062,13 @@ static int wpcm450_gpio_register(struct platform_device *pdev, + if (ret < 0) + return ret; + +- gpio = &pctrl->gpio_bank[reg]; +- gpio->pctrl = pctrl; +- + if (reg >= WPCM450_NUM_BANKS) + return dev_err_probe(dev, -EINVAL, + "GPIO index %d out of range!\n", reg); + ++ gpio = &pctrl->gpio_bank[reg]; ++ gpio->pctrl = pctrl; ++ + bank = &wpcm450_banks[reg]; + gpio->bank = bank; + +-- +2.40.1 + diff --git a/queue-6.5/pinctrl-renesas-rzn1-enable-missing-pinmux.patch b/queue-6.5/pinctrl-renesas-rzn1-enable-missing-pinmux.patch new file mode 100644 index 00000000000..7ba5f098cb8 --- /dev/null +++ b/queue-6.5/pinctrl-renesas-rzn1-enable-missing-pinmux.patch @@ -0,0 +1,43 @@ +From b3da79984b8585883f0a0ca6b4e678ada08c32e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 16:00:08 -0400 +Subject: pinctrl: renesas: rzn1: Enable missing PINMUX + +From: Ralph Siemsen + +[ Upstream commit f055ff23c331f28aa4ace4b72dc56f63b9a726c8 ] + +Enable pin muxing (eg. programmable function), so that the RZ/N1 GPIO +pins will be configured as specified by the pinmux in the DTS. + +This used to be enabled implicitly via CONFIG_GENERIC_PINMUX_FUNCTIONS, +however that was removed, since the RZ/N1 driver does not call any of +the generic pinmux functions. + +Fixes: 1308fb4e4eae14e6 ("pinctrl: rzn1: Do not select GENERIC_PIN{CTRL_GROUPS,MUX_FUNCTIONS}") +Signed-off-by: Ralph Siemsen +Reviewed-by: Miquel Raynal +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20231004200008.1306798-1-ralph.siemsen@linaro.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/renesas/Kconfig b/drivers/pinctrl/renesas/Kconfig +index 77730dc548ed3..c8d519ca53eb7 100644 +--- a/drivers/pinctrl/renesas/Kconfig ++++ b/drivers/pinctrl/renesas/Kconfig +@@ -235,6 +235,7 @@ config PINCTRL_RZN1 + depends on OF + depends on ARCH_RZN1 || COMPILE_TEST + select GENERIC_PINCONF ++ select PINMUX + help + This selects pinctrl driver for Renesas RZ/N1 devices. + +-- +2.40.1 + diff --git a/queue-6.5/pinctrl-starfive-jh7110-fix-failure-to-set-irq-after.patch b/queue-6.5/pinctrl-starfive-jh7110-fix-failure-to-set-irq-after.patch new file mode 100644 index 00000000000..ea66d6da47b --- /dev/null +++ b/queue-6.5/pinctrl-starfive-jh7110-fix-failure-to-set-irq-after.patch @@ -0,0 +1,50 @@ +From f87ec58d56954690582dba39e5247126665f29cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 20:21:04 +0800 +Subject: pinctrl: starfive: jh7110: Fix failure to set irq after CONFIG_PM is + enabled + +From: Hal Feng + +[ Upstream commit 8406d6b5916663b4edc604b3effbf4935b61c2da ] + +The issue was found when we enabled CONFIG_PM and tested edge events using +libgpiod. + +> # gpiomon -r gpiochip0 55 +> gpiomon: error waiting for events: Permission denied + +`gpiomon` will call irq_chip_pm_get() and then call pm_runtime_resume_and_get() +if (IS_ENABLED(CONFIG_PM) && sfp->gc.irq.domain->pm_dev). +pm_runtime_resume_and_get() will fail if the runtime pm of pinctrl device +is disabled. + +As we expect the pinctrl driver can be always working and never suspend +during runtime, unset sfp->gc.irq.domain->pm_dev to make sure +pm_runtime_resume_and_get() won't be called when setting irq. + +Fixes: 447976ab62c5 ("pinctrl: starfive: Add StarFive JH7110 sys controller driver") +Signed-off-by: Hal Feng +Link: https://lore.kernel.org/r/20230905122105.117000-2-hal.feng@starfivetech.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c b/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c +index 5fe729b4a03de..72747ad497b5e 100644 +--- a/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c ++++ b/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c +@@ -968,8 +968,6 @@ int jh7110_pinctrl_probe(struct platform_device *pdev) + if (ret) + return dev_err_probe(dev, ret, "could not register gpiochip\n"); + +- irq_domain_set_pm_device(sfp->gc.irq.domain, dev); +- + dev_info(dev, "StarFive GPIO chip registered %d GPIOs\n", sfp->gc.ngpio); + + return pinctrl_enable(sfp->pctl); +-- +2.40.1 + diff --git a/queue-6.5/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch b/queue-6.5/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch new file mode 100644 index 00000000000..80f9890e2a2 --- /dev/null +++ b/queue-6.5/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch @@ -0,0 +1,48 @@ +From 95507b66132d0e1670777f1de4917b0aee59bede Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:12:00 +0900 +Subject: ravb: Fix up dma_free_coherent() call in ravb_remove() + +From: Yoshihiro Shimoda + +[ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ] + +In ravb_remove(), dma_free_coherent() should be call after +unregister_netdev(). Otherwise, this controller is possible to use +the freed buffer. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231005011201.14368-2-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 4d6b3b7d6abb3..49726183d264b 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2892,8 +2892,6 @@ static int ravb_remove(struct platform_device *pdev) + clk_disable_unprepare(priv->gptp_clk); + clk_disable_unprepare(priv->refclk); + +- dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, +- priv->desc_bat_dma); + /* Set reset mode */ + ravb_write(ndev, CCC_OPC_RESET, CCC); + unregister_netdev(ndev); +@@ -2901,6 +2899,8 @@ static int ravb_remove(struct platform_device *pdev) + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); + ravb_mdio_release(priv); ++ dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, ++ priv->desc_bat_dma); + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + reset_control_assert(priv->rstc); +-- +2.40.1 + diff --git a/queue-6.5/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch b/queue-6.5/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch new file mode 100644 index 00000000000..206ab8300f2 --- /dev/null +++ b/queue-6.5/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch @@ -0,0 +1,55 @@ +From 5783d99156af53f873fb35fc7c4184cb52649b27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:12:01 +0900 +Subject: ravb: Fix use-after-free issue in ravb_tx_timeout_work() + +From: Yoshihiro Shimoda + +[ Upstream commit 3971442870713de527684398416970cf025b4f89 ] + +The ravb_stop() should call cancel_work_sync(). Otherwise, +ravb_tx_timeout_work() is possible to use the freed priv after +ravb_remove() was called like below: + +CPU0 CPU1 + ravb_tx_timeout() +ravb_remove() +unregister_netdev() +free_netdev(ndev) +// free priv + ravb_tx_timeout_work() + // use priv + +unregister_netdev() will call .ndo_stop() so that ravb_stop() is +called. And, after phy_stop() is called, netif_carrier_off() +is also called. So that .ndo_tx_timeout() will not be called +after phy_stop(). + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Reported-by: Zheng Wang +Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231005011201.14368-3-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 49726183d264b..ef8f205f8ce1f 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2168,6 +2168,8 @@ static int ravb_close(struct net_device *ndev) + of_phy_deregister_fixed_link(np); + } + ++ cancel_work_sync(&priv->work); ++ + if (info->multi_irqs) { + free_irq(priv->tx_irqs[RAVB_NC], ndev); + free_irq(priv->rx_irqs[RAVB_NC], ndev); +-- +2.40.1 + diff --git a/queue-6.5/riscv-bpf-sign-extend-return-values.patch b/queue-6.5/riscv-bpf-sign-extend-return-values.patch new file mode 100644 index 00000000000..c6eecb70a1b --- /dev/null +++ b/queue-6.5/riscv-bpf-sign-extend-return-values.patch @@ -0,0 +1,83 @@ +From 4af4ffdd63202d8526ccbeda5cb814cdd549f3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:07:05 +0200 +Subject: riscv, bpf: Sign-extend return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 2f1b0d3d733169eb11680bfa97c266ae5e757148 ] + +The RISC-V architecture does not expose sub-registers, and hold all +32-bit values in a sign-extended format [1] [2]: + + | The compiler and calling convention maintain an invariant that all + | 32-bit values are held in a sign-extended format in 64-bit + | registers. Even 32-bit unsigned integers extend bit 31 into bits + | 63 through 32. Consequently, conversion between unsigned and + | signed 32-bit integers is a no-op, as is conversion from a signed + | 32-bit integer to a signed 64-bit integer. + +While BPF, on the other hand, exposes sub-registers, and use +zero-extension (similar to arm64/x86). + +This has led to some subtle bugs, where a BPF JITted program has not +sign-extended the a0 register (return value in RISC-V land), passed +the return value up the kernel, e.g.: + + | int from_bpf(void); + | + | long foo(void) + | { + | return from_bpf(); + | } + +Here, a0 would be 0xffff_ffff, instead of the expected +0xffff_ffff_ffff_ffff. + +Internally, the RISC-V JIT uses a5 as a dedicated register for BPF +return values. + +Keep a5 zero-extended, but explicitly sign-extend a0 (which is used +outside BPF land). Now that a0 (RISC-V ABI) and a5 (BPF ABI) differs, +a0 is only moved to a5 for non-BPF native calls (BPF_PSEUDO_CALL). + +Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://github.com/riscv/riscv-isa-manual/releases/download/riscv-isa-release-056b6ff-2023-10-02/unpriv-isa-asciidoc.pdf # [2] +Link: https://github.com/riscv-non-isa/riscv-elf-psabi-doc/releases/download/draft-20230929-e5c800e661a53efe3c2678d71a306323b60eb13b/riscv-abi.pdf # [2] +Link: https://lore.kernel.org/bpf/20231004120706.52848-2-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index c648864c8cd1a..3a3631bae05c1 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -239,7 +239,7 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx) + emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx); + /* Set return value. */ + if (!is_tail_call) +- emit_mv(RV_REG_A0, RV_REG_A5, ctx); ++ emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx); + emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA, + is_tail_call ? 20 : 0, /* skip reserved nops and TCC init */ + ctx); +@@ -1436,7 +1436,8 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, + if (ret) + return ret; + +- emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx); ++ if (insn->src_reg != BPF_PSEUDO_CALL) ++ emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx); + break; + } + /* tail call */ +-- +2.40.1 + diff --git a/queue-6.5/riscv-bpf-track-both-a0-risc-v-abi-and-a5-bpf-return.patch b/queue-6.5/riscv-bpf-track-both-a0-risc-v-abi-and-a5-bpf-return.patch new file mode 100644 index 00000000000..6d24857b5fe --- /dev/null +++ b/queue-6.5/riscv-bpf-track-both-a0-risc-v-abi-and-a5-bpf-return.patch @@ -0,0 +1,80 @@ +From 05e315c292a63fdd07d10a0894f7fbf1433dd7a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:07:06 +0200 +Subject: riscv, bpf: Track both a0 (RISC-V ABI) and a5 (BPF) return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 7112cd26e606c7ba51f9cc5c1905f06039f6f379 ] + +The RISC-V BPF uses a5 for BPF return values, which are zero-extended, +whereas the RISC-V ABI uses a0 which is sign-extended. In other words, +a5 and a0 can differ, and are used in different context. + +The BPF trampoline are used for both BPF programs, and regular kernel +functions. + +Make sure that the RISC-V BPF trampoline saves, and restores both a0 +and a5. + +Fixes: 49b5e77ae3e2 ("riscv, bpf: Add bpf trampoline support for RV64") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231004120706.52848-3-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 3a3631bae05c1..3b4cb713e3684 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -757,8 +757,10 @@ static int invoke_bpf_prog(struct bpf_tramp_link *l, int args_off, int retval_of + if (ret) + return ret; + +- if (save_ret) +- emit_sd(RV_REG_FP, -retval_off, regmap[BPF_REG_0], ctx); ++ if (save_ret) { ++ emit_sd(RV_REG_FP, -retval_off, RV_REG_A0, ctx); ++ emit_sd(RV_REG_FP, -(retval_off - 8), regmap[BPF_REG_0], ctx); ++ } + + /* update branch with beqz */ + if (ctx->insns) { +@@ -844,7 +846,7 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + + save_ret = flags & (BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_RET_FENTRY_RET); + if (save_ret) { +- stack_size += 8; ++ stack_size += 16; /* Save both A5 (BPF R0) and A0 */ + retval_off = stack_size; + } + +@@ -931,6 +933,7 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + if (ret) + goto out; + emit_sd(RV_REG_FP, -retval_off, RV_REG_A0, ctx); ++ emit_sd(RV_REG_FP, -(retval_off - 8), regmap[BPF_REG_0], ctx); + im->ip_after_call = ctx->insns + ctx->ninsns; + /* 2 nops reserved for auipc+jalr pair */ + emit(rv_nop(), ctx); +@@ -962,8 +965,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + if (flags & BPF_TRAMP_F_RESTORE_REGS) + restore_args(nregs, args_off, ctx); + +- if (save_ret) ++ if (save_ret) { + emit_ld(RV_REG_A0, -retval_off, RV_REG_FP, ctx); ++ emit_ld(regmap[BPF_REG_0], -(retval_off - 8), RV_REG_FP, ctx); ++ } + + emit_ld(RV_REG_S1, -sreg_off, RV_REG_FP, ctx); + +-- +2.40.1 + diff --git a/queue-6.5/rswitch-fix-imbalance-phy_power_off-calling.patch b/queue-6.5/rswitch-fix-imbalance-phy_power_off-calling.patch new file mode 100644 index 00000000000..838d613c7d8 --- /dev/null +++ b/queue-6.5/rswitch-fix-imbalance-phy_power_off-calling.patch @@ -0,0 +1,36 @@ +From 0315f334e3f1441d9982d4246fa857387866a80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 21:48:58 +0900 +Subject: rswitch: Fix imbalance phy_power_off() calling + +From: Yoshihiro Shimoda + +[ Upstream commit 053f13f67be6d02781730c9ac71abde6e9140610 ] + +The phy_power_off() should not be called if phy_power_on() failed. +So, add a condition .power_count before calls phy_power_off(). + +Fixes: 5cb630925b49 ("net: renesas: rswitch: Add phy_power_{on,off}() calling") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 5024ce9587312..fb9a520f42078 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1255,7 +1255,7 @@ static void rswitch_adjust_link(struct net_device *ndev) + phy_print_status(phydev); + if (phydev->link) + phy_power_on(rdev->serdes); +- else ++ else if (rdev->serdes->power_count) + phy_power_off(rdev->serdes); + + rdev->etha->link = phydev->link; +-- +2.40.1 + diff --git a/queue-6.5/rswitch-fix-renesas_eth_sw_remove-implementation.patch b/queue-6.5/rswitch-fix-renesas_eth_sw_remove-implementation.patch new file mode 100644 index 00000000000..30f74b0b83a --- /dev/null +++ b/queue-6.5/rswitch-fix-renesas_eth_sw_remove-implementation.patch @@ -0,0 +1,50 @@ +From 8b5b1d562bebd11023184971062ea210fa9a961d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 21:48:57 +0900 +Subject: rswitch: Fix renesas_eth_sw_remove() implementation + +From: Yoshihiro Shimoda + +[ Upstream commit 510b18cf23b9bd8a982ef7f1fb19f3968a2bf787 ] + +Fix functions calling order and a condition in renesas_eth_sw_remove(). +Otherwise, kernel NULL pointer dereference happens from phy_stop() if +a net device opens. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 660cbfe344d2c..5024ce9587312 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1942,15 +1942,17 @@ static void rswitch_deinit(struct rswitch_private *priv) + rswitch_gwca_hw_deinit(priv); + rcar_gen4_ptp_unregister(priv->ptp_priv); + +- for (i = 0; i < RSWITCH_NUM_PORTS; i++) { ++ rswitch_for_each_enabled_port(priv, i) { + struct rswitch_device *rdev = priv->rdev[i]; + +- phy_exit(priv->rdev[i]->serdes); +- rswitch_ether_port_deinit_one(rdev); + unregister_netdev(rdev->ndev); +- rswitch_device_free(priv, i); ++ rswitch_ether_port_deinit_one(rdev); ++ phy_exit(priv->rdev[i]->serdes); + } + ++ for (i = 0; i < RSWITCH_NUM_PORTS; i++) ++ rswitch_device_free(priv, i); ++ + rswitch_gwca_ts_queue_free(priv); + rswitch_gwca_linkfix_free(priv); + +-- +2.40.1 + diff --git a/queue-6.5/s390-bpf-fix-clobbering-the-caller-s-backchain-in-th.patch b/queue-6.5/s390-bpf-fix-clobbering-the-caller-s-backchain-in-th.patch new file mode 100644 index 00000000000..9669eae8760 --- /dev/null +++ b/queue-6.5/s390-bpf-fix-clobbering-the-caller-s-backchain-in-th.patch @@ -0,0 +1,55 @@ +From ba9735e804bd6e7ae8a50f1349a5531547420260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 22:20:09 +0200 +Subject: s390/bpf: Fix clobbering the caller's backchain in the trampoline + +From: Ilya Leoshkevich + +[ Upstream commit ce10fc0604bc6a0d626ed8e5d69088057edc71ab ] + +One of the first things that s390x kernel functions do is storing the +the caller's frame address (backchain) on stack. This makes unwinding +possible. The backchain is always stored at frame offset 152, which is +inside the 160-byte stack area, that the functions allocate for their +callees. The callees must preserve the backchain; the remaining 152 +bytes they may use as they please. + +Currently the trampoline uses all 160 bytes, clobbering the backchain. +This causes kernel panics when using __builtin_return_address() in +functions called by the trampoline. + +Fix by reducing the usage of the caller-reserved stack area by 8 bytes +in the trampoline. + +Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()") +Reported-by: Song Liu +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231010203512.385819-2-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 2861e3360affc..9a9733e4bc801 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -2260,8 +2260,12 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + tjit->run_ctx_off = alloc_stack(tjit, + sizeof(struct bpf_tramp_run_ctx)); + tjit->tccnt_off = alloc_stack(tjit, sizeof(u64)); +- /* The caller has already reserved STACK_FRAME_OVERHEAD bytes. */ +- tjit->stack_size -= STACK_FRAME_OVERHEAD; ++ /* ++ * In accordance with the s390x ABI, the caller has allocated ++ * STACK_FRAME_OVERHEAD bytes for us. 8 of them contain the caller's ++ * backchain, and the rest we can use. ++ */ ++ tjit->stack_size -= STACK_FRAME_OVERHEAD - sizeof(u64); + tjit->orig_stack_args_off = tjit->stack_size + STACK_FRAME_OVERHEAD; + + /* aghi %r15,-stack_size */ +-- +2.40.1 + diff --git a/queue-6.5/s390-bpf-fix-unwinding-past-the-trampoline.patch b/queue-6.5/s390-bpf-fix-unwinding-past-the-trampoline.patch new file mode 100644 index 00000000000..0f34adf808e --- /dev/null +++ b/queue-6.5/s390-bpf-fix-unwinding-past-the-trampoline.patch @@ -0,0 +1,92 @@ +From d74bb1047babe29d7da99619b108acf124c29c3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 22:20:10 +0200 +Subject: s390/bpf: Fix unwinding past the trampoline + +From: Ilya Leoshkevich + +[ Upstream commit 5356ba1ff4f2417e1aebcf99aab35c1ea94dd6d7 ] + +When functions called by the trampoline panic, the backtrace that is +printed stops at the trampoline, because the trampoline does not store +its caller's frame address (backchain) on stack; it also stores the +return address at a wrong location. + +Store both the same way as is already done for the regular eBPF programs. + +Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231010203512.385819-3-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 9a9733e4bc801..e507692e51e71 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -2066,6 +2066,7 @@ struct bpf_tramp_jit { + * func_addr's original caller + */ + int stack_size; /* Trampoline stack size */ ++ int backchain_off; /* Offset of backchain */ + int stack_args_off; /* Offset of stack arguments for calling + * func_addr, has to be at the top + */ +@@ -2086,9 +2087,10 @@ struct bpf_tramp_jit { + * for __bpf_prog_enter() return value and + * func_addr respectively + */ +- int r14_off; /* Offset of saved %r14 */ + int run_ctx_off; /* Offset of struct bpf_tramp_run_ctx */ + int tccnt_off; /* Offset of saved tailcall counter */ ++ int r14_off; /* Offset of saved %r14, has to be at the ++ * bottom */ + int do_fexit; /* do_fexit: label */ + }; + +@@ -2247,8 +2249,12 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + * Calculate the stack layout. + */ + +- /* Reserve STACK_FRAME_OVERHEAD bytes for the callees. */ ++ /* ++ * Allocate STACK_FRAME_OVERHEAD bytes for the callees. As the s390x ++ * ABI requires, put our backchain at the end of the allocated memory. ++ */ + tjit->stack_size = STACK_FRAME_OVERHEAD; ++ tjit->backchain_off = tjit->stack_size - sizeof(u64); + tjit->stack_args_off = alloc_stack(tjit, nr_stack_args * sizeof(u64)); + tjit->reg_args_off = alloc_stack(tjit, nr_reg_args * sizeof(u64)); + tjit->ip_off = alloc_stack(tjit, sizeof(u64)); +@@ -2256,10 +2262,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + tjit->bpf_args_off = alloc_stack(tjit, nr_bpf_args * sizeof(u64)); + tjit->retval_off = alloc_stack(tjit, sizeof(u64)); + tjit->r7_r8_off = alloc_stack(tjit, 2 * sizeof(u64)); +- tjit->r14_off = alloc_stack(tjit, sizeof(u64)); + tjit->run_ctx_off = alloc_stack(tjit, + sizeof(struct bpf_tramp_run_ctx)); + tjit->tccnt_off = alloc_stack(tjit, sizeof(u64)); ++ tjit->r14_off = alloc_stack(tjit, sizeof(u64) * 2); + /* + * In accordance with the s390x ABI, the caller has allocated + * STACK_FRAME_OVERHEAD bytes for us. 8 of them contain the caller's +@@ -2268,8 +2274,13 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, + tjit->stack_size -= STACK_FRAME_OVERHEAD - sizeof(u64); + tjit->orig_stack_args_off = tjit->stack_size + STACK_FRAME_OVERHEAD; + ++ /* lgr %r1,%r15 */ ++ EMIT4(0xb9040000, REG_1, REG_15); + /* aghi %r15,-stack_size */ + EMIT4_IMM(0xa70b0000, REG_15, -tjit->stack_size); ++ /* stg %r1,backchain_off(%r15) */ ++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_1, REG_0, REG_15, ++ tjit->backchain_off); + /* mvc tccnt_off(4,%r15),stack_size+STK_OFF_TCCNT(%r15) */ + _EMIT6(0xd203f000 | tjit->tccnt_off, + 0xf000 | (tjit->stack_size + STK_OFF_TCCNT)); +-- +2.40.1 + diff --git a/queue-6.5/series b/queue-6.5/series index c0c4f8823c1..ea6203b1358 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -39,3 +39,53 @@ alsa-hda-realtek-add-quirk-for-hp-victus-16-d1xxx-to.patch alsa-hda-realtek-add-quirk-for-mute-leds-on-hp-envy-.patch alsa-hda-realtek-alc287-i2s-speaker-platform-support.patch alsa-hda-realtek-alc287-merge-rtk-codec-with-cs-cs35.patch +pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch +pinctrl-starfive-jh7110-fix-failure-to-set-irq-after.patch +drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch +drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch +drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch +drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch +drm-msm-dp-add-newlines-to-debug-printks.patch +drm-msm-dpu-fail-dpu_plane_atomic_check-based-on-mdp.patch +phy-lynx-28g-cancel-the-cdr-check-work-item-on-the-r.patch +phy-lynx-28g-lock-phy-while-performing-cdr-lock-work.patch +phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch +net-dsa-qca8k-fix-regmap-bulk-read-write-methods-on-.patch +net-dsa-qca8k-fix-potential-mdio-bus-conflict-when-a.patch +can-isotp-isotp_sendmsg-fix-tx-state-detection-and-w.patch +can-sun4i_can-only-show-kconfig-if-arch_sunxi-is-set.patch +arm64-dts-mediatek-fix-t-phy-unit-name.patch +arm64-dts-mediatek-mt8195-set-dsu-pmu-status-to-fail.patch +devlink-hold-devlink-lock-on-health-reporter-dump-ge.patch +ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch +ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch +ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch +mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch +xen-netback-use-default-tx-queue-size-for-vifs.patch +riscv-bpf-sign-extend-return-values.patch +riscv-bpf-track-both-a0-risc-v-abi-and-a5-bpf-return.patch +xdp-fix-zero-size-allocation-warning-in-xskq_create.patch +drm-vmwgfx-fix-typo-of-sizeof-argument.patch +bpf-fix-verifier-log-for-async-callback-return-value.patch +net-refine-debug-info-in-skb_checksum_help.patch +octeontx2-pf-mcs-update-pn-only-when-update_pn-is-tr.patch +net-macsec-indicate-next-pn-update-when-offloading.patch +net-phy-mscc-macsec-reject-pn-update-requests.patch +net-mlx5e-macsec-use-update_pn-flag-instead-of-pn-co.patch +drm-panel-boe-tv101wum-nl6-completely-pull-gpw-to-vg.patch +ixgbe-fix-crash-with-empty-vf-macvlan-list.patch +net-smc-fix-dependency-of-smc-on-ism.patch +net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch +s390-bpf-fix-clobbering-the-caller-s-backchain-in-th.patch +s390-bpf-fix-unwinding-past-the-trampoline.patch +net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch +ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch +net-smc-fix-pos-miscalculation-in-statistics.patch +net-tcp-fix-crashes-trying-to-free-half-baked-mtu-pr.patch +pinctrl-renesas-rzn1-enable-missing-pinmux.patch +af_packet-fix-fortified-memcpy-without-flex-array.patch +nfc-nci-assert-requested-protocol-is-valid.patch +octeontx2-pf-fix-page-pool-frag-allocation-warning.patch +rswitch-fix-renesas_eth_sw_remove-implementation.patch +rswitch-fix-imbalance-phy_power_off-calling.patch +workqueue-override-implicit-ordered-attribute-in-wor.patch diff --git a/queue-6.5/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-6.5/workqueue-override-implicit-ordered-attribute-in-wor.patch new file mode 100644 index 00000000000..28c23e354e9 --- /dev/null +++ b/queue-6.5/workqueue-override-implicit-ordered-attribute-in-wor.patch @@ -0,0 +1,58 @@ +From e3010e95155bfdea699c1323987df6c0b8020936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 22:48:42 -0400 +Subject: workqueue: Override implicit ordered attribute in + workqueue_apply_unbound_cpumask() + +From: Waiman Long + +[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ] + +Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 +to be ordered") enabled implicit ordered attribute to be added to +WQ_UNBOUND workqueues with max_active of 1. This prevented the changing +of attributes to these workqueues leading to fix commit 0a94efb5acbb +("workqueue: implicit ordered attribute should be overridable"). + +However, workqueue_apply_unbound_cpumask() was not updated at that time. +So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND +workqueues with implicit ordered attribute. Since not all WQ_UNBOUND +workqueues are visible on sysfs, we are not able to make all the +necessary cpumask changes even if we iterates all the workqueue cpumasks +in sysfs and changing them one by one. + +Fix this problem by applying the corresponding change made +to apply_workqueue_attrs_locked() in the fix commit to +workqueue_apply_unbound_cpumask(). + +Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index e51ab3d4765eb..e4a37d7a6752d 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5741,9 +5741,13 @@ static int workqueue_apply_unbound_cpumask(const cpumask_var_t unbound_cpumask) + list_for_each_entry(wq, &workqueues, list) { + if (!(wq->flags & WQ_UNBOUND)) + continue; ++ + /* creating multiple pwqs breaks ordering guarantee */ +- if (wq->flags & __WQ_ORDERED) +- continue; ++ if (!list_empty(&wq->pwqs)) { ++ if (wq->flags & __WQ_ORDERED_EXPLICIT) ++ continue; ++ wq->flags &= ~__WQ_ORDERED; ++ } + + ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs, unbound_cpumask); + if (!ctx) { +-- +2.40.1 + diff --git a/queue-6.5/xdp-fix-zero-size-allocation-warning-in-xskq_create.patch b/queue-6.5/xdp-fix-zero-size-allocation-warning-in-xskq_create.patch new file mode 100644 index 00000000000..d29513148a6 --- /dev/null +++ b/queue-6.5/xdp-fix-zero-size-allocation-warning-in-xskq_create.patch @@ -0,0 +1,77 @@ +From c8af6ed533380cc8e936ad6847b1c057fdd2c560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 10:51:49 +0300 +Subject: xdp: Fix zero-size allocation warning in xskq_create() + +From: Andrew Kanner + +[ Upstream commit a12bbb3cccf03b12847de0f7a6772127f90936ac ] + +Syzkaller reported the following issue: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 2807 at mm/vmalloc.c:3247 __vmalloc_node_range (mm/vmalloc.c:3361) + Modules linked in: + CPU: 0 PID: 2807 Comm: repro Not tainted 6.6.0-rc2+ #12 + Hardware name: Generic DT based system + unwind_backtrace from show_stack (arch/arm/kernel/traps.c:258) + show_stack from dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) + dump_stack_lvl from __warn (kernel/panic.c:633 kernel/panic.c:680) + __warn from warn_slowpath_fmt (./include/linux/context_tracking.h:153 kernel/panic.c:700) + warn_slowpath_fmt from __vmalloc_node_range (mm/vmalloc.c:3361 (discriminator 3)) + __vmalloc_node_range from vmalloc_user (mm/vmalloc.c:3478) + vmalloc_user from xskq_create (net/xdp/xsk_queue.c:40) + xskq_create from xsk_setsockopt (net/xdp/xsk.c:953 net/xdp/xsk.c:1286) + xsk_setsockopt from __sys_setsockopt (net/socket.c:2308) + __sys_setsockopt from ret_fast_syscall (arch/arm/kernel/entry-common.S:68) + +xskq_get_ring_size() uses struct_size() macro to safely calculate the +size of struct xsk_queue and q->nentries of desc members. But the +syzkaller repro was able to set q->nentries with the value initially +taken from copy_from_sockptr() high enough to return SIZE_MAX by +struct_size(). The next PAGE_ALIGN(size) is such case will overflow +the size_t value and set it to 0. This will trigger WARN_ON_ONCE in +vmalloc_user() -> __vmalloc_node_range(). + +The issue is reproducible on 32-bit arm kernel. + +Fixes: 9f78bf330a66 ("xsk: support use vaddr as ring") +Reported-by: syzbot+fae676d3cf469331fc89@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000c84b4705fb31741e@google.com/T/ +Reported-by: syzbot+b132693e925cbbd89e26@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000e20df20606ebab4f@google.com/T/ +Signed-off-by: Andrew Kanner +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+fae676d3cf469331fc89@syzkaller.appspotmail.com +Acked-by: Magnus Karlsson +Link: https://syzkaller.appspot.com/bug?extid=fae676d3cf469331fc89 +Link: https://lore.kernel.org/bpf/20231007075148.1759-1-andrew.kanner@gmail.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_queue.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/xdp/xsk_queue.c b/net/xdp/xsk_queue.c +index f8905400ee07a..d2c2640300171 100644 +--- a/net/xdp/xsk_queue.c ++++ b/net/xdp/xsk_queue.c +@@ -34,6 +34,16 @@ struct xsk_queue *xskq_create(u32 nentries, bool umem_queue) + q->ring_mask = nentries - 1; + + size = xskq_get_ring_size(q, umem_queue); ++ ++ /* size which is overflowing or close to SIZE_MAX will become 0 in ++ * PAGE_ALIGN(), checking SIZE_MAX is enough due to the previous ++ * is_power_of_2(), the rest will be handled by vmalloc_user() ++ */ ++ if (unlikely(size == SIZE_MAX)) { ++ kfree(q); ++ return NULL; ++ } ++ + size = PAGE_ALIGN(size); + + q->ring = vmalloc_user(size); +-- +2.40.1 + diff --git a/queue-6.5/xen-netback-use-default-tx-queue-size-for-vifs.patch b/queue-6.5/xen-netback-use-default-tx-queue-size-for-vifs.patch new file mode 100644 index 00000000000..315e5e9a844 --- /dev/null +++ b/queue-6.5/xen-netback-use-default-tx-queue-size-for-vifs.patch @@ -0,0 +1,57 @@ +From 4013eb4eeb599eddacb0e5d17aa279a4542fd21b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 16:08:31 +0200 +Subject: xen-netback: use default TX queue size for vifs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 66cf7435a26917c0c4d6245ad9137e7606e84fdf ] + +Do not set netback interfaces (vifs) default TX queue size to the ring size. +The TX queue size is not related to the ring size, and using the ring size (32) +as the queue size can lead to packet drops. Note the TX side of the vif +interface in the netback domain is the one receiving packets to be injected +to the guest. + +Do not explicitly set the TX queue length to any value when creating the +interface, and instead use the system default. Note that the queue length can +also be adjusted at runtime. + +Fixes: f942dc2552b8 ('xen network backend driver') +Signed-off-by: Roger Pau Monné +Reviewed-by: Ross Lagerwall +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index f3f2c07423a6a..fc3bb63b9ac3e 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -41,8 +41,6 @@ + #include + #include + +-#define XENVIF_QUEUE_LENGTH 32 +- + /* Number of bytes allowed on the internal guest Rx queue. */ + #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE) + +@@ -530,8 +528,6 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, + dev->features = dev->hw_features | NETIF_F_RXCSUM; + dev->ethtool_ops = &xenvif_ethtool_ops; + +- dev->tx_queue_len = XENVIF_QUEUE_LENGTH; +- + dev->min_mtu = ETH_MIN_MTU; + dev->max_mtu = ETH_MAX_MTU - VLAN_ETH_HLEN; + +-- +2.40.1 +