From: Sasha Levin Date: Sun, 16 Jun 2024 02:01:16 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.19.316~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=692674bc014318689a92d3717a38badcb7cab728;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch b/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch new file mode 100644 index 00000000000..11db5597b04 --- /dev/null +++ b/queue-5.15/af_unix-annodate-data-races-around-sk-sk_state-for-w.patch @@ -0,0 +1,88 @@ +From 4e7817c3190175d02a107405205be715d8ddebbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:28 -0700 +Subject: af_unix: Annodate data-races around sk->sk_state for writers. + +From: Kuniyuki Iwashima + +[ Upstream commit 942238f9735a4a4ebf8274b218d9a910158941d1 ] + +sk->sk_state is changed under unix_state_lock(), but it's read locklessly +in many places. + +This patch adds WRITE_ONCE() on the writer side. + +We will add READ_ONCE() to the lockless readers in the following patches. + +Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 914e40697f00a..616d6c34d6102 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -542,7 +542,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.dentry = NULL; + u->path.mnt = NULL; + state = sk->sk_state; +- sk->sk_state = TCP_CLOSE; ++ WRITE_ONCE(sk->sk_state, TCP_CLOSE); + + skpair = unix_peer(sk); + unix_peer(sk) = NULL; +@@ -664,7 +664,8 @@ static int unix_listen(struct socket *sock, int backlog) + if (backlog > sk->sk_max_ack_backlog) + wake_up_interruptible_all(&u->peer_wait); + sk->sk_max_ack_backlog = backlog; +- sk->sk_state = TCP_LISTEN; ++ WRITE_ONCE(sk->sk_state, TCP_LISTEN); ++ + /* set credentials so connect can copy them */ + init_peercred(sk); + err = 0; +@@ -1254,7 +1255,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + if (err) + goto out_unlock; + +- sk->sk_state = other->sk_state = TCP_ESTABLISHED; ++ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED); ++ WRITE_ONCE(other->sk_state, TCP_ESTABLISHED); + } else { + /* + * 1003.1g breaking connected state with AF_UNSPEC +@@ -1271,7 +1273,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + + unix_peer(sk) = other; + if (!other) +- sk->sk_state = TCP_CLOSE; ++ WRITE_ONCE(sk->sk_state, TCP_CLOSE); + unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); + + unix_state_double_unlock(sk, other); +@@ -1484,7 +1486,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + copy_peercred(sk, other); + + sock->state = SS_CONNECTED; +- sk->sk_state = TCP_ESTABLISHED; ++ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED); + sock_hold(newsk); + + smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */ +@@ -1880,7 +1882,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + unix_peer(sk) = NULL; + unix_dgram_peer_wake_disconnect_wakeup(sk, other); + +- sk->sk_state = TCP_CLOSE; ++ WRITE_ONCE(sk->sk_state, TCP_CLOSE); + unix_state_unlock(sk); + + unix_dgram_disconnected(sk, other); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch b/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch new file mode 100644 index 00000000000..43066025588 --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch @@ -0,0 +1,38 @@ +From d0211af6e254986091d952cd861d1ec9517ca5cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:37 -0700 +Subject: af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. + +From: Kuniyuki Iwashima + +[ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ] + +net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be +changed concurrently. + +Let's use READ_ONCE() in unix_create1(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index c6d3a19956004..5c4318f64d253 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -888,7 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, + + sk->sk_allocation = GFP_KERNEL_ACCOUNT; + sk->sk_write_space = unix_write_space; +- sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen; ++ sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen); + sk->sk_destruct = unix_sock_destructor; + u = unix_sk(sk); + u->inflight = 0; +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch new file mode 100644 index 00000000000..fd132f653bc --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch @@ -0,0 +1,37 @@ +From 94dccc65b7d84333cead9dfbd69fd322a517704d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:41 -0700 +Subject: af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). + +From: Kuniyuki Iwashima + +[ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ] + +While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock(). + +Let's use READ_ONCE() to read sk->sk_shutdown. + +Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 63a0040e9fb45..86b3401dcc000 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -165,7 +165,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + sock_diag_put_meminfo(sk, skb, UNIX_DIAG_MEMINFO)) + goto out_nlmsg_trim; + +- if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, sk->sk_shutdown)) ++ if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, READ_ONCE(sk->sk_shutdown))) + goto out_nlmsg_trim; + + if ((req->udiag_show & UDIAG_SHOW_UID) && +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch new file mode 100644 index 00000000000..dd88ae17726 --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch @@ -0,0 +1,50 @@ +From 606ac2707f4c4f563be7f791560647cbac5c339c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:29 -0700 +Subject: af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). + +From: Kuniyuki Iwashima + +[ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ] + +ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first +and returns -EINVAL if it's TCP_LISTEN. + +Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of +bytes in recvq. + +However, unix_inq_len() does not hold unix_state_lock(), and the +concurrent listen() might change the state after checking sk->sk_state. + +If the race occurs, 0 is returned for the listener, instead of -EINVAL, +because the length of skb with embryo is 0. + +We could hold unix_state_lock() in unix_inq_len(), but it's overkill +given the result is true for pre-listen() TCP_CLOSE state. + +So, let's use READ_ONCE() for sk->sk_state in unix_inq_len(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 616d6c34d6102..18e2dea699720 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2957,7 +2957,7 @@ long unix_inq_len(struct sock *sk) + struct sk_buff *skb; + long amount = 0; + +- if (sk->sk_state == TCP_LISTEN) ++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) + return -EINVAL; + + spin_lock(&sk->sk_receive_queue.lock); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch new file mode 100644 index 00000000000..ebb773cf4bf --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch @@ -0,0 +1,60 @@ +From aeec58466a73081c275584e95c683b252b99a215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:31 -0700 +Subject: af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit a9bf9c7dc6a5899c01cb8f6e773a66315a5cd4b7 ] + +As small optimisation, unix_stream_connect() prefetches the client's +sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE. + +Later, sk->sk_state is checked again under unix_state_lock(). + +Let's use READ_ONCE() for the first check and TCP_CLOSE directly for +the second check. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 9800d255a8bc7..628b3fcc74227 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1371,7 +1371,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + struct sk_buff *skb = NULL; + long timeo; + int err; +- int st; + + err = unix_validate_addr(sunaddr, addr_len); + if (err) +@@ -1455,9 +1454,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + + Well, and we have to recheck the state after socket locked. + */ +- st = sk->sk_state; +- +- switch (st) { ++ switch (READ_ONCE(sk->sk_state)) { + case TCP_CLOSE: + /* This is ok... continue with connect */ + break; +@@ -1472,7 +1469,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + + unix_state_lock_nested(sk, U_LOCK_SECOND); + +- if (sk->sk_state != st) { ++ if (sk->sk_state != TCP_CLOSE) { + unix_state_unlock(sk); + unix_state_unlock(other); + sock_put(other); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 new file mode 100644 index 00000000000..ed338c1a425 --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 @@ -0,0 +1,39 @@ +From 342e27acc53fd2f8a50a957f7c82bf1445299273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:34 -0700 +Subject: af_unix: Annotate data-race of sk->sk_state in + unix_stream_read_skb(). + +From: Kuniyuki Iwashima + +[ Upstream commit af4c733b6b1aded4dc808fafece7dfe6e9d2ebb3 ] + +unix_stream_read_skb() is called from sk->sk_data_ready() context +where unix_state_lock() is not held. + +Let's use READ_ONCE() there. + +Fixes: 77462de14a43 ("af_unix: Add read_sock for stream socket types") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index d00d781f777be..c6d3a19956004 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2642,7 +2642,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk, + static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc, + sk_read_actor_t recv_actor) + { +- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) ++ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) + return -ENOTCONN; + + return unix_read_sock(sk, desc, recv_actor); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch new file mode 100644 index 00000000000..a51461faab3 --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-se.patch @@ -0,0 +1,72 @@ +From 00d7a1aca3c596b90e6bd71e005335419ed7f4fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:33 -0700 +Subject: af_unix: Annotate data-races around sk->sk_state in sendmsg() and + recvmsg(). + +From: Kuniyuki Iwashima + +[ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ] + +The following functions read sk->sk_state locklessly and proceed only if +the state is TCP_ESTABLISHED. + + * unix_stream_sendmsg + * unix_stream_read_generic + * unix_seqpacket_sendmsg + * unix_seqpacket_recvmsg + +Let's use READ_ONCE() there. + +Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 628b3fcc74227..d00d781f777be 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2093,7 +2093,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, + } + + if (msg->msg_namelen) { +- err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; ++ err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; + goto out_err; + } else { + err = -ENOTCONN; +@@ -2305,7 +2305,7 @@ static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg, + if (err) + return err; + +- if (sk->sk_state != TCP_ESTABLISHED) ++ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED) + return -ENOTCONN; + + if (msg->msg_namelen) +@@ -2319,7 +2319,7 @@ static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg, + { + struct sock *sk = sock->sk; + +- if (sk->sk_state != TCP_ESTABLISHED) ++ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED) + return -ENOTCONN; + + return unix_dgram_recvmsg(sock, msg, size, flags); +@@ -2666,7 +2666,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + size_t size = state->size; + unsigned int last_len; + +- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) { ++ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) { + err = -EINVAL; + goto out; + } +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch new file mode 100644 index 00000000000..616b02b702f --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch @@ -0,0 +1,128 @@ +From b2efe08af840020f292ef96693445bd9feffa196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:30 -0700 +Subject: af_unix: Annotate data-races around sk->sk_state in + unix_write_space() and poll(). + +From: Kuniyuki Iwashima + +[ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ] + +unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and +calls unix_writable() which also reads sk->sk_state without holding +unix_state_lock(). + +Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass +it to unix_writable(). + +While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as +that state does not exist for AF_UNIX socket since the code was added. + +Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners") +Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 18e2dea699720..73b287b7a1154 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -455,9 +455,9 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) + return 0; + } + +-static int unix_writable(const struct sock *sk) ++static int unix_writable(const struct sock *sk, unsigned char state) + { +- return sk->sk_state != TCP_LISTEN && ++ return state != TCP_LISTEN && + (refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; + } + +@@ -466,7 +466,7 @@ static void unix_write_space(struct sock *sk) + struct socket_wq *wq; + + rcu_read_lock(); +- if (unix_writable(sk)) { ++ if (unix_writable(sk, READ_ONCE(sk->sk_state))) { + wq = rcu_dereference(sk->sk_wq); + if (skwq_has_sleeper(wq)) + wake_up_interruptible_sync_poll(&wq->wait, +@@ -3069,12 +3069,14 @@ static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned lon + static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait) + { + struct sock *sk = sock->sk; ++ unsigned char state; + __poll_t mask; + u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; + shutdown = READ_ONCE(sk->sk_shutdown); ++ state = READ_ONCE(sk->sk_state); + + /* exceptional events? */ + if (sk->sk_err) +@@ -3096,14 +3098,14 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa + + /* Connection-based need to check for termination and startup */ + if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) && +- sk->sk_state == TCP_CLOSE) ++ state == TCP_CLOSE) + mask |= EPOLLHUP; + + /* + * we set writable also when the other side has shut down the + * connection. This prevents stuck sockets. + */ +- if (unix_writable(sk)) ++ if (unix_writable(sk, state)) + mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND; + + return mask; +@@ -3114,12 +3116,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, + { + struct sock *sk = sock->sk, *other; + unsigned int writable; ++ unsigned char state; + __poll_t mask; + u8 shutdown; + + sock_poll_wait(file, sock, wait); + mask = 0; + shutdown = READ_ONCE(sk->sk_shutdown); ++ state = READ_ONCE(sk->sk_state); + + /* exceptional events? */ + if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) +@@ -3138,19 +3142,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, + mask |= EPOLLIN | EPOLLRDNORM; + + /* Connection-based need to check for termination and startup */ +- if (sk->sk_type == SOCK_SEQPACKET) { +- if (sk->sk_state == TCP_CLOSE) +- mask |= EPOLLHUP; +- /* connection hasn't started yet? */ +- if (sk->sk_state == TCP_SYN_SENT) +- return mask; +- } ++ if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE) ++ mask |= EPOLLHUP; + + /* No write status requested, avoid expensive OUT tests. */ + if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT))) + return mask; + +- writable = unix_writable(sk); ++ writable = unix_writable(sk, state); + if (writable) { + unix_state_lock(sk); + +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 new file mode 100644 index 00000000000..2c9a559faf5 --- /dev/null +++ b/queue-5.15/af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 @@ -0,0 +1,71 @@ +From 3e7745374f5d333d3c29dd950a845f1990da2cb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:35 -0700 +Subject: af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. + +From: Kuniyuki Iwashima + +[ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ] + +While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read +locklessly. + +Let's use READ_ONCE() there. + +Note that the result could be inconsistent if the socket is dumped +during the state change. This is common for other SOCK_DIAG and +similar interfaces. + +Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report") +Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA") +Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 15aaeabb1363b..94c8f509261d0 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -65,7 +65,7 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb) + u32 *buf; + int i; + +- if (sk->sk_state == TCP_LISTEN) { ++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { + spin_lock(&sk->sk_receive_queue.lock); + + attr = nla_reserve(nlskb, UNIX_DIAG_ICONS, +@@ -103,7 +103,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) + { + struct unix_diag_rqlen rql; + +- if (sk->sk_state == TCP_LISTEN) { ++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { + rql.udiag_rqueue = sk->sk_receive_queue.qlen; + rql.udiag_wqueue = sk->sk_max_ack_backlog; + } else { +@@ -136,7 +136,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + rep = nlmsg_data(nlh); + rep->udiag_family = AF_UNIX; + rep->udiag_type = sk->sk_type; +- rep->udiag_state = sk->sk_state; ++ rep->udiag_state = READ_ONCE(sk->sk_state); + rep->pad = 0; + rep->udiag_ino = sk_ino; + sock_diag_save_cookie(sk, rep->udiag_cookie); +@@ -219,7 +219,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) + continue; + if (num < s_num) + goto next; +- if (!(req->udiag_states & (1 << sk->sk_state))) ++ if (!(req->udiag_states & (1 << READ_ONCE(sk->sk_state)))) + goto next; + if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk), + NETLINK_CB(cb->skb).portid, +-- +2.43.0 + diff --git a/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch b/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch new file mode 100644 index 00000000000..86118b37394 --- /dev/null +++ b/queue-5.15/af_unix-annotate-lockless-accesses-to-sk-sk_err.patch @@ -0,0 +1,66 @@ +From d67e0043413caa1b66c8d9bb708330ddeebf7fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 20:57:46 +0000 +Subject: af_unix: annotate lockless accesses to sk->sk_err + +From: Eric Dumazet + +[ Upstream commit cc04410af7de348234ac36a5f50c4ce416efdb4b ] + +unix_poll() and unix_dgram_poll() read sk->sk_err +without any lock held. + +Add relevant READ_ONCE()/WRITE_ONCE() annotations. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 83690b82d228 ("af_unix: Use skb_queue_empty_lockless() in unix_release_sock().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 3fa86d70467c2..85b1c0d7c287a 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -500,7 +500,7 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other) + * when peer was not connected to us. + */ + if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) { +- other->sk_err = ECONNRESET; ++ WRITE_ONCE(other->sk_err, ECONNRESET); + sk_error_report(other); + } + } +@@ -571,7 +571,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + /* No more writes */ + WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); + if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) +- skpair->sk_err = ECONNRESET; ++ WRITE_ONCE(skpair->sk_err, ECONNRESET); + unix_state_unlock(skpair); + skpair->sk_state_change(skpair); + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); +@@ -3108,7 +3108,7 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa + state = READ_ONCE(sk->sk_state); + + /* exceptional events? */ +- if (sk->sk_err) ++ if (READ_ONCE(sk->sk_err)) + mask |= EPOLLERR; + if (shutdown == SHUTDOWN_MASK) + mask |= EPOLLHUP; +@@ -3155,7 +3155,8 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock, + state = READ_ONCE(sk->sk_state); + + /* exceptional events? */ +- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) ++ if (READ_ONCE(sk->sk_err) || ++ !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= EPOLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0); + +-- +2.43.0 + diff --git a/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch b/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch new file mode 100644 index 00000000000..10c1f50e5d3 --- /dev/null +++ b/queue-5.15/af_unix-clean-up-some-sock_net-uses.patch @@ -0,0 +1,140 @@ +From 871f1d52052c897d94a9ed0573e073d4fe7ff7e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 10:19:08 -0700 +Subject: af_unix: Clean up some sock_net() uses. + +From: Kuniyuki Iwashima + +[ Upstream commit 340c3d337119ea177a98338be2e3bc62ee87ac80 ] + +Some functions define a net pointer only for one-shot use. Others call +sock_net() redundantly even when a net pointer is available. Let's fix +these and make the code simpler. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 33 ++++++++++++++------------------- + net/unix/diag.c | 3 +-- + 2 files changed, 15 insertions(+), 21 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index a848e777e448c..9800d255a8bc7 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -903,7 +903,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, + memset(&u->scm_stat, 0, sizeof(struct scm_stat)); + unix_insert_socket(unix_sockets_unbound(sk), sk); + +- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); ++ sock_prot_inuse_add(net, sk->sk_prot, 1); + + return sk; + +@@ -1247,9 +1247,8 @@ static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2) + static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + int alen, int flags) + { +- struct sock *sk = sock->sk; +- struct net *net = sock_net(sk); + struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr; ++ struct sock *sk = sock->sk; + struct sock *other; + int err; + +@@ -1270,7 +1269,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + } + + restart: +- other = unix_find_other(net, sunaddr, alen, sock->type); ++ other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type); + if (IS_ERR(other)) { + err = PTR_ERR(other); + goto out; +@@ -1366,15 +1365,13 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + int addr_len, int flags) + { + struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; +- struct sock *sk = sock->sk; +- struct net *net = sock_net(sk); ++ struct sock *sk = sock->sk, *newsk = NULL, *other = NULL; + struct unix_sock *u = unix_sk(sk), *newu, *otheru; +- struct sock *newsk = NULL; +- struct sock *other = NULL; ++ struct net *net = sock_net(sk); + struct sk_buff *skb = NULL; +- int st; +- int err; + long timeo; ++ int err; ++ int st; + + err = unix_validate_addr(sunaddr, addr_len); + if (err) +@@ -1394,7 +1391,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + */ + + /* create new sock for complete connection */ +- newsk = unix_create1(sock_net(sk), NULL, 0, sock->type); ++ newsk = unix_create1(net, NULL, 0, sock->type); + if (IS_ERR(newsk)) { + err = PTR_ERR(newsk); + newsk = NULL; +@@ -1803,17 +1800,15 @@ static void scm_stat_del(struct sock *sk, struct sk_buff *skb) + static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { +- struct sock *sk = sock->sk; +- struct net *net = sock_net(sk); +- struct unix_sock *u = unix_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); +- struct sock *other = NULL; +- int err; +- struct sk_buff *skb; +- long timeo; ++ struct sock *sk = sock->sk, *other = NULL; ++ struct unix_sock *u = unix_sk(sk); + struct scm_cookie scm; ++ struct sk_buff *skb; + int data_len = 0; + int sk_locked; ++ long timeo; ++ int err; + + wait_for_unix_gc(); + err = scm_send(sock, msg, &scm, false); +@@ -1880,7 +1875,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + if (sunaddr == NULL) + goto out_free; + +- other = unix_find_other(net, sunaddr, msg->msg_namelen, ++ other = unix_find_other(sock_net(sk), sunaddr, msg->msg_namelen, + sk->sk_type); + if (IS_ERR(other)) { + err = PTR_ERR(other); +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 006438e2e07a2..15aaeabb1363b 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -312,7 +312,6 @@ static int unix_diag_get_exact(struct sk_buff *in_skb, + static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h) + { + int hdrlen = sizeof(struct unix_diag_req); +- struct net *net = sock_net(skb->sk); + + if (nlmsg_len(h) < hdrlen) + return -EINVAL; +@@ -321,7 +320,7 @@ static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h) + struct netlink_dump_control c = { + .dump = unix_diag_dump, + }; +- return netlink_dump_start(net->diag_nlsk, skb, h, &c); ++ return netlink_dump_start(sock_net(skb->sk)->diag_nlsk, skb, h, &c); + } else + return unix_diag_get_exact(skb, h, nlmsg_data(h)); + } +-- +2.43.0 + diff --git a/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch b/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch new file mode 100644 index 00000000000..bd03dfbd025 --- /dev/null +++ b/queue-5.15/af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch @@ -0,0 +1,202 @@ +From a521bba7af6be404371346310d94ccd7c1e8c224 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:24 +0900 +Subject: af_unix: Copy unix_mkname() into unix_find_(bsd|abstract)(). + +From: Kuniyuki Iwashima + +[ Upstream commit d2d8c9fddb1c11ccfa73bf0ad2b1e6b4ea7afdaf ] + +We should not call unix_mkname() before unix_find_other() and instead do +the same thing where necessary based on the address type: + + - terminating the address with '\0' in unix_find_bsd() + - calculating the hash in unix_find_abstract(). + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 63 ++++++++++++++++++---------------------------- + 1 file changed, 25 insertions(+), 38 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 8aeafe66e6115..a848e777e448c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -239,19 +239,25 @@ static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len) + return 0; + } + ++static void unix_mkname_bsd(struct sockaddr_un *sunaddr, int addr_len) ++{ ++ /* This may look like an off by one error but it is a bit more ++ * subtle. 108 is the longest valid AF_UNIX path for a binding. ++ * sun_path[108] doesn't as such exist. However in kernel space ++ * we are guaranteed that it is a valid memory location in our ++ * kernel address buffer because syscall functions always pass ++ * a pointer of struct sockaddr_storage which has a bigger buffer ++ * than 108. ++ */ ++ ((char *)sunaddr)[addr_len] = 0; ++} ++ + static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) + { + *hashp = 0; + + if (sunaddr->sun_path[0]) { +- /* +- * This may look like an off by one error but it is a bit more +- * subtle. 108 is the longest valid AF_UNIX path for a binding. +- * sun_path[108] doesn't as such exist. However in kernel space +- * we are guaranteed that it is a valid memory location in our +- * kernel address buffer. +- */ +- ((char *)sunaddr)[len] = 0; ++ unix_mkname_bsd(sunaddr, len); + len = strlen(sunaddr->sun_path) + + offsetof(struct sockaddr_un, sun_path) + 1; + return len; +@@ -959,13 +965,14 @@ static int unix_release(struct socket *sock) + } + + static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, +- int type) ++ int addr_len, int type) + { + struct inode *inode; + struct path path; + struct sock *sk; + int err; + ++ unix_mkname_bsd(sunaddr, addr_len); + err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); + if (err) + goto fail; +@@ -1003,9 +1010,9 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, + + static struct sock *unix_find_abstract(struct net *net, + struct sockaddr_un *sunaddr, +- int addr_len, int type, +- unsigned int hash) ++ int addr_len, int type) + { ++ unsigned int hash = unix_hash_fold(csum_partial(sunaddr, addr_len, 0)); + struct dentry *dentry; + struct sock *sk; + +@@ -1022,15 +1029,14 @@ static struct sock *unix_find_abstract(struct net *net, + + static struct sock *unix_find_other(struct net *net, + struct sockaddr_un *sunaddr, +- int addr_len, int type, +- unsigned int hash) ++ int addr_len, int type) + { + struct sock *sk; + + if (sunaddr->sun_path[0]) +- sk = unix_find_bsd(net, sunaddr, type); ++ sk = unix_find_bsd(net, sunaddr, addr_len, type); + else +- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash); ++ sk = unix_find_abstract(net, sunaddr, addr_len, type); + + return sk; + } +@@ -1245,7 +1251,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + struct net *net = sock_net(sk); + struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr; + struct sock *other; +- unsigned int hash; + int err; + + err = -EINVAL; +@@ -1257,11 +1262,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + if (err) + goto out; + +- err = unix_mkname(sunaddr, alen, &hash); +- if (err < 0) +- goto out; +- alen = err; +- + if (test_bit(SOCK_PASSCRED, &sock->flags) && + !unix_sk(sk)->addr) { + err = unix_autobind(sk); +@@ -1270,7 +1270,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + } + + restart: +- other = unix_find_other(net, sunaddr, alen, sock->type, hash); ++ other = unix_find_other(net, sunaddr, alen, sock->type); + if (IS_ERR(other)) { + err = PTR_ERR(other); + goto out; +@@ -1372,7 +1372,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + struct sock *newsk = NULL; + struct sock *other = NULL; + struct sk_buff *skb = NULL; +- unsigned int hash; + int st; + int err; + long timeo; +@@ -1381,11 +1380,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + if (err) + goto out; + +- err = unix_mkname(sunaddr, addr_len, &hash); +- if (err < 0) +- goto out; +- addr_len = err; +- + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { + err = unix_autobind(sk); + if (err) +@@ -1416,7 +1410,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + + restart: + /* Find listening sock. */ +- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash); ++ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type); + if (IS_ERR(other)) { + err = PTR_ERR(other); + other = NULL; +@@ -1814,9 +1808,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + struct unix_sock *u = unix_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); + struct sock *other = NULL; +- int namelen = 0; /* fake GCC */ + int err; +- unsigned int hash; + struct sk_buff *skb; + long timeo; + struct scm_cookie scm; +@@ -1836,11 +1828,6 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + err = unix_validate_addr(sunaddr, msg->msg_namelen); + if (err) + goto out; +- +- err = unix_mkname(sunaddr, msg->msg_namelen, &hash); +- if (err < 0) +- goto out; +- namelen = err; + } else { + sunaddr = NULL; + err = -ENOTCONN; +@@ -1893,8 +1880,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + if (sunaddr == NULL) + goto out_free; + +- other = unix_find_other(net, sunaddr, namelen, sk->sk_type, +- hash); ++ other = unix_find_other(net, sunaddr, msg->msg_namelen, ++ sk->sk_type); + if (IS_ERR(other)) { + err = PTR_ERR(other); + other = NULL; +-- +2.43.0 + diff --git a/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch b/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch new file mode 100644 index 00000000000..872d4056a1d --- /dev/null +++ b/queue-5.15/af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch @@ -0,0 +1,118 @@ +From 66094a2eae821c3437f6bee8337b83adbd0663a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:23 +0900 +Subject: af_unix: Cut unix_validate_addr() out of unix_mkname(). + +From: Kuniyuki Iwashima + +[ Upstream commit b8a58aa6fccc5b2940f0da18c7f02e8a1deb693a ] + +unix_mkname() tests socket address length and family and does some +processing based on the address type. It is called in the early stage, +and therefore some instructions are redundant and can end up in vain. + +The address length/family tests are done twice in unix_bind(). Also, the +address type is rechecked later in unix_bind() and unix_find_other(), where +we can do the same processing. Moreover, in the BSD address case, the hash +is set to 0 but never used and confusing. + +This patch moves the address tests out of unix_mkname(), and the following +patches move the other part into appropriate places and remove +unix_mkname() finally. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 40 ++++++++++++++++++++++++++++++---------- + 1 file changed, 30 insertions(+), 10 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0a1258b417a9d..8aeafe66e6115 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -227,15 +227,22 @@ static inline void unix_release_addr(struct unix_address *addr) + * - if started by zero, it is abstract name. + */ + ++static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len) ++{ ++ if (addr_len <= offsetof(struct sockaddr_un, sun_path) || ++ addr_len > sizeof(*sunaddr)) ++ return -EINVAL; ++ ++ if (sunaddr->sun_family != AF_UNIX) ++ return -EINVAL; ++ ++ return 0; ++} ++ + static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) + { + *hashp = 0; + +- if (len <= offsetof(struct sockaddr_un, sun_path) || +- len > sizeof(*sunaddr)) +- return -EINVAL; +- if (!sunaddr || sunaddr->sun_family != AF_UNIX) +- return -EINVAL; + if (sunaddr->sun_path[0]) { + /* + * This may look like an off by one error but it is a bit more +@@ -1178,13 +1185,14 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + unsigned int hash; + struct unix_address *addr; + +- if (addr_len < offsetofend(struct sockaddr_un, sun_family) || +- sunaddr->sun_family != AF_UNIX) +- return -EINVAL; +- +- if (addr_len == offsetof(struct sockaddr_un, sun_path)) ++ if (addr_len == offsetof(struct sockaddr_un, sun_path) && ++ sunaddr->sun_family == AF_UNIX) + return unix_autobind(sk); + ++ err = unix_validate_addr(sunaddr, addr_len); ++ if (err) ++ return err; ++ + err = unix_mkname(sunaddr, addr_len, &hash); + if (err < 0) + return err; +@@ -1245,6 +1253,10 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + goto out; + + if (addr->sa_family != AF_UNSPEC) { ++ err = unix_validate_addr(sunaddr, alen); ++ if (err) ++ goto out; ++ + err = unix_mkname(sunaddr, alen, &hash); + if (err < 0) + goto out; +@@ -1365,6 +1377,10 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + int err; + long timeo; + ++ err = unix_validate_addr(sunaddr, addr_len); ++ if (err) ++ goto out; ++ + err = unix_mkname(sunaddr, addr_len, &hash); + if (err < 0) + goto out; +@@ -1817,6 +1833,10 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + goto out; + + if (msg->msg_namelen) { ++ err = unix_validate_addr(sunaddr, msg->msg_namelen); ++ if (err) ++ goto out; ++ + err = unix_mkname(sunaddr, msg->msg_namelen, &hash); + if (err < 0) + goto out; +-- +2.43.0 + diff --git a/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch b/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch new file mode 100644 index 00000000000..3446a6d77e7 --- /dev/null +++ b/queue-5.15/af_unix-factorise-unix_find_other-based-on-address-t.patch @@ -0,0 +1,178 @@ +From 37f21e3bf98191271a970d44f8437110434cf447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:21 +0900 +Subject: af_unix: Factorise unix_find_other() based on address types. + +From: Kuniyuki Iwashima + +[ Upstream commit fa39ef0e472961baef49ddb0e6f7b8ebb555bd8f ] + +As done in the commit fa42d910a38e ("unix_bind(): take BSD and abstract +address cases into new helpers"), this patch moves BSD and abstract address +cases from unix_find_other() into unix_find_bsd() and unix_find_abstract(). + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 136 +++++++++++++++++++++++++++------------------ + 1 file changed, 81 insertions(+), 55 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 1fc3022510093..20a7be3effe83 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -951,6 +951,87 @@ static int unix_release(struct socket *sock) + return 0; + } + ++static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, ++ int type, int *error) ++{ ++ struct inode *inode; ++ struct path path; ++ struct sock *sk; ++ int err; ++ ++ err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path); ++ if (err) ++ goto fail; ++ ++ err = path_permission(&path, MAY_WRITE); ++ if (err) ++ goto path_put; ++ ++ err = -ECONNREFUSED; ++ inode = d_backing_inode(path.dentry); ++ if (!S_ISSOCK(inode->i_mode)) ++ goto path_put; ++ ++ sk = unix_find_socket_byinode(inode); ++ if (!sk) ++ goto path_put; ++ ++ err = -EPROTOTYPE; ++ if (sk->sk_type == type) ++ touch_atime(&path); ++ else ++ goto sock_put; ++ ++ path_put(&path); ++ ++ return sk; ++ ++sock_put: ++ sock_put(sk); ++path_put: ++ path_put(&path); ++fail: ++ *error = err; ++ return NULL; ++} ++ ++static struct sock *unix_find_abstract(struct net *net, ++ struct sockaddr_un *sunaddr, ++ int addr_len, int type, ++ unsigned int hash, int *error) ++{ ++ struct dentry *dentry; ++ struct sock *sk; ++ ++ sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash); ++ if (!sk) { ++ *error = -ECONNREFUSED; ++ return NULL; ++ } ++ ++ dentry = unix_sk(sk)->path.dentry; ++ if (dentry) ++ touch_atime(&unix_sk(sk)->path); ++ ++ return sk; ++} ++ ++static struct sock *unix_find_other(struct net *net, ++ struct sockaddr_un *sunaddr, ++ int addr_len, int type, ++ unsigned int hash, int *error) ++{ ++ struct sock *sk; ++ ++ if (sunaddr->sun_path[0]) ++ sk = unix_find_bsd(net, sunaddr, type, error); ++ else ++ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash, ++ error); ++ ++ return sk; ++} ++ + static int unix_autobind(struct sock *sk) + { + struct unix_sock *u = unix_sk(sk); +@@ -1009,61 +1090,6 @@ out: mutex_unlock(&u->bindlock); + return err; + } + +-static struct sock *unix_find_other(struct net *net, +- struct sockaddr_un *sunname, int len, +- int type, unsigned int hash, int *error) +-{ +- struct sock *u; +- struct path path; +- int err = 0; +- +- if (sunname->sun_path[0]) { +- struct inode *inode; +- err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path); +- if (err) +- goto fail; +- inode = d_backing_inode(path.dentry); +- err = path_permission(&path, MAY_WRITE); +- if (err) +- goto put_fail; +- +- err = -ECONNREFUSED; +- if (!S_ISSOCK(inode->i_mode)) +- goto put_fail; +- u = unix_find_socket_byinode(inode); +- if (!u) +- goto put_fail; +- +- if (u->sk_type == type) +- touch_atime(&path); +- +- path_put(&path); +- +- err = -EPROTOTYPE; +- if (u->sk_type != type) { +- sock_put(u); +- goto fail; +- } +- } else { +- err = -ECONNREFUSED; +- u = unix_find_socket_byname(net, sunname, len, type ^ hash); +- if (u) { +- struct dentry *dentry; +- dentry = unix_sk(u)->path.dentry; +- if (dentry) +- touch_atime(&unix_sk(u)->path); +- } else +- goto fail; +- } +- return u; +- +-put_fail: +- path_put(&path); +-fail: +- *error = err; +- return NULL; +-} +- + static int unix_bind_bsd(struct sock *sk, struct unix_address *addr) + { + struct unix_sock *u = unix_sk(sk); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch b/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch new file mode 100644 index 00000000000..592137c26f3 --- /dev/null +++ b/queue-5.15/af_unix-pass-struct-sock-to-unix_autobind.patch @@ -0,0 +1,121 @@ +From 6e28b0638dc4a6110a6b56646b3b62d9619a0076 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:20 +0900 +Subject: af_unix: Pass struct sock to unix_autobind(). + +From: Kuniyuki Iwashima + +[ Upstream commit f7ed31f4615f4e1d97c0e4325c5b8a240e10073c ] + +We do not use struct socket in unix_autobind() and pass struct sock to +unix_bind_bsd() and unix_bind_abstract(). Let's pass it to unix_autobind() +as well. + +Also, this patch fixes these errors by checkpatch.pl. + + ERROR: do not use assignment in if condition + #1795: FILE: net/unix/af_unix.c:1795: + + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr + + CHECK: Logical continuations should be on the previous line + #1796: FILE: net/unix/af_unix.c:1796: + + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr + + && (err = unix_autobind(sock)) != 0) + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 7d58067ffd3f8..1fc3022510093 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -951,15 +951,13 @@ static int unix_release(struct socket *sock) + return 0; + } + +-static int unix_autobind(struct socket *sock) ++static int unix_autobind(struct sock *sk) + { +- struct sock *sk = sock->sk; +- struct net *net = sock_net(sk); + struct unix_sock *u = unix_sk(sk); +- static u32 ordernum = 1; + struct unix_address *addr; +- int err; + unsigned int retries = 0; ++ static u32 ordernum = 1; ++ int err; + + err = mutex_lock_interruptible(&u->bindlock); + if (err) +@@ -986,7 +984,8 @@ static int unix_autobind(struct socket *sock) + spin_lock(&unix_table_lock); + ordernum = (ordernum+1)&0xFFFFF; + +- if (__unix_find_socket_byname(net, addr->name, addr->len, addr->hash)) { ++ if (__unix_find_socket_byname(sock_net(sk), addr->name, addr->len, ++ addr->hash)) { + spin_unlock(&unix_table_lock); + /* + * __unix_find_socket_byname() may take long time if many names +@@ -1162,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + return -EINVAL; + + if (addr_len == offsetof(struct sockaddr_un, sun_path)) +- return unix_autobind(sock); ++ return unix_autobind(sk); + + err = unix_mkname(sunaddr, addr_len, &hash); + if (err < 0) +@@ -1230,8 +1229,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + alen = err; + + if (test_bit(SOCK_PASSCRED, &sock->flags) && +- !unix_sk(sk)->addr && (err = unix_autobind(sock)) != 0) +- goto out; ++ !unix_sk(sk)->addr) { ++ err = unix_autobind(sk); ++ if (err) ++ goto out; ++ } + + restart: + other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err); +@@ -1344,9 +1346,11 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + goto out; + addr_len = err; + +- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr && +- (err = unix_autobind(sock)) != 0) +- goto out; ++ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { ++ err = unix_autobind(sk); ++ if (err) ++ goto out; ++ } + + timeo = sock_sndtimeo(sk, flags & O_NONBLOCK); + +@@ -1798,9 +1802,11 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + goto out; + } + +- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr +- && (err = unix_autobind(sock)) != 0) +- goto out; ++ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) { ++ err = unix_autobind(sk); ++ if (err) ++ goto out; ++ } + + err = -EMSGSIZE; + if (len > sk->sk_sndbuf - 32) +-- +2.43.0 + diff --git a/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch b/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch new file mode 100644 index 00000000000..5970bdcbd28 --- /dev/null +++ b/queue-5.15/af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch @@ -0,0 +1,127 @@ +From 8d66d269fbdf2e746bb696f4723f626698608dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:22 +0900 +Subject: af_unix: Return an error as a pointer in unix_find_other(). + +From: Kuniyuki Iwashima + +[ Upstream commit aed26f557bbc94f0c778f63d7dfe86af99208f68 ] + +We can return an error as a pointer and need not pass an additional +argument to unix_find_other(). + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 20a7be3effe83..0a1258b417a9d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -952,7 +952,7 @@ static int unix_release(struct socket *sock) + } + + static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, +- int type, int *error) ++ int type) + { + struct inode *inode; + struct path path; +@@ -991,23 +991,20 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr, + path_put: + path_put(&path); + fail: +- *error = err; +- return NULL; ++ return ERR_PTR(err); + } + + static struct sock *unix_find_abstract(struct net *net, + struct sockaddr_un *sunaddr, + int addr_len, int type, +- unsigned int hash, int *error) ++ unsigned int hash) + { + struct dentry *dentry; + struct sock *sk; + + sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash); +- if (!sk) { +- *error = -ECONNREFUSED; +- return NULL; +- } ++ if (!sk) ++ return ERR_PTR(-ECONNREFUSED); + + dentry = unix_sk(sk)->path.dentry; + if (dentry) +@@ -1019,15 +1016,14 @@ static struct sock *unix_find_abstract(struct net *net, + static struct sock *unix_find_other(struct net *net, + struct sockaddr_un *sunaddr, + int addr_len, int type, +- unsigned int hash, int *error) ++ unsigned int hash) + { + struct sock *sk; + + if (sunaddr->sun_path[0]) +- sk = unix_find_bsd(net, sunaddr, type, error); ++ sk = unix_find_bsd(net, sunaddr, type); + else +- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash, +- error); ++ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash); + + return sk; + } +@@ -1262,9 +1258,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + } + + restart: +- other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err); +- if (!other) ++ other = unix_find_other(net, sunaddr, alen, sock->type, hash); ++ if (IS_ERR(other)) { ++ err = PTR_ERR(other); + goto out; ++ } + + unix_state_double_lock(sk, other); + +@@ -1402,9 +1400,12 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + + restart: + /* Find listening sock. */ +- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash, &err); +- if (!other) ++ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash); ++ if (IS_ERR(other)) { ++ err = PTR_ERR(other); ++ other = NULL; + goto out; ++ } + + /* Latch state of peer */ + unix_state_lock(other); +@@ -1873,9 +1874,12 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + goto out_free; + + other = unix_find_other(net, sunaddr, namelen, sk->sk_type, +- hash, &err); +- if (other == NULL) ++ hash); ++ if (IS_ERR(other)) { ++ err = PTR_ERR(other); ++ other = NULL; + goto out_free; ++ } + } + + if (sk_filter(other, skb) < 0) { +-- +2.43.0 + diff --git a/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch b/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch new file mode 100644 index 00000000000..db3a224f99a --- /dev/null +++ b/queue-5.15/af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch @@ -0,0 +1,90 @@ +From afe6f203c22c6b2ebb197c34f902211d748b58f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:27 -0700 +Subject: af_unix: Set sk->sk_state under unix_state_lock() for truly + disconencted peer. + +From: Kuniyuki Iwashima + +[ Upstream commit 26bfb8b57063f52b867f9b6c8d1742fcb5bd656c ] + +When a SOCK_DGRAM socket connect()s to another socket, the both sockets' +sk->sk_state are changed to TCP_ESTABLISHED so that we can register them +to BPF SOCKMAP. + +When the socket disconnects from the peer by connect(AF_UNSPEC), the state +is set back to TCP_CLOSE. + +Then, the peer's state is also set to TCP_CLOSE, but the update is done +locklessly and unconditionally. + +Let's say socket A connect()ed to B, B connect()ed to C, and A disconnects +from B. + +After the first two connect()s, all three sockets' sk->sk_state are +TCP_ESTABLISHED: + + $ ss -xa + Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess + u_dgr ESTAB 0 0 @A 641 * 642 + u_dgr ESTAB 0 0 @B 642 * 643 + u_dgr ESTAB 0 0 @C 643 * 0 + +And after the disconnect, B's state is TCP_CLOSE even though it's still +connected to C and C's state is TCP_ESTABLISHED. + + $ ss -xa + Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess + u_dgr UNCONN 0 0 @A 641 * 0 + u_dgr UNCONN 0 0 @B 642 * 643 + u_dgr ESTAB 0 0 @C 643 * 0 + +In this case, we cannot register B to SOCKMAP. + +So, when a socket disconnects from the peer, we should not set TCP_CLOSE to +the peer if the peer is connected to yet another socket, and this must be +done under unix_state_lock(). + +Note that we use WRITE_ONCE() for sk->sk_state as there are many lockless +readers. These data-races will be fixed in the following patches. + +Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 80f91b5ab4012..914e40697f00a 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -495,7 +495,6 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other) + sk_error_report(other); + } + } +- other->sk_state = TCP_CLOSE; + } + + static void unix_sock_destructor(struct sock *sk) +@@ -1277,8 +1276,15 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, + + unix_state_double_unlock(sk, other); + +- if (other != old_peer) ++ if (other != old_peer) { + unix_dgram_disconnected(sk, old_peer); ++ ++ unix_state_lock(old_peer); ++ if (!unix_peer(old_peer)) ++ WRITE_ONCE(old_peer->sk_state, TCP_CLOSE); ++ unix_state_unlock(old_peer); ++ } ++ + sock_put(old_peer); + } else { + unix_peer(sk) = other; +-- +2.43.0 + diff --git a/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch b/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch new file mode 100644 index 00000000000..5f4b03f3ab0 --- /dev/null +++ b/queue-5.15/af_unix-use-offsetof-instead-of-sizeof.patch @@ -0,0 +1,118 @@ +From 9f19d9848e020c6dd48d37bfff3428f2376e72dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 11:14:19 +0900 +Subject: af_unix: Use offsetof() instead of sizeof(). + +From: Kuniyuki Iwashima + +[ Upstream commit 755662ce78d14c1a9118df921c528b1f992ded2e ] + +The length of the AF_UNIX socket address contains an offset to the member +sun_path of struct sockaddr_un. + +Currently, the preceding member is just sun_family, and its type is +sa_family_t and resolved to short. Therefore, the offset is represented by +sizeof(short). However, it is not clear and fragile to changes in struct +sockaddr_storage or sockaddr_un. + +This commit makes it clear and robust by rewriting sizeof() with +offsetof(). + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Jakub Kicinski +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 19 ++++++++++++------- + net/unix/diag.c | 3 ++- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 262aeaea9861c..7d58067ffd3f8 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -231,7 +231,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp + { + *hashp = 0; + +- if (len <= sizeof(short) || len > sizeof(*sunaddr)) ++ if (len <= offsetof(struct sockaddr_un, sun_path) || ++ len > sizeof(*sunaddr)) + return -EINVAL; + if (!sunaddr || sunaddr->sun_family != AF_UNIX) + return -EINVAL; +@@ -244,7 +245,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp + * kernel address buffer. + */ + ((char *)sunaddr)[len] = 0; +- len = strlen(sunaddr->sun_path)+1+sizeof(short); ++ len = strlen(sunaddr->sun_path) + ++ offsetof(struct sockaddr_un, sun_path) + 1; + return len; + } + +@@ -967,7 +969,8 @@ static int unix_autobind(struct socket *sock) + goto out; + + err = -ENOMEM; +- addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL); ++ addr = kzalloc(sizeof(*addr) + ++ offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL); + if (!addr) + goto out; + +@@ -975,7 +978,8 @@ static int unix_autobind(struct socket *sock) + refcount_set(&addr->refcnt, 1); + + retry: +- addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short); ++ addr->len = sprintf(addr->name->sun_path + 1, "%05x", ordernum) + ++ offsetof(struct sockaddr_un, sun_path) + 1; + addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0)); + addr->hash ^= sk->sk_type; + +@@ -1157,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + sunaddr->sun_family != AF_UNIX) + return -EINVAL; + +- if (addr_len == sizeof(short)) ++ if (addr_len == offsetof(struct sockaddr_un, sun_path)) + return unix_autobind(sock); + + err = unix_mkname(sunaddr, addr_len, &hash); +@@ -1607,7 +1611,7 @@ static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer) + if (!addr) { + sunaddr->sun_family = AF_UNIX; + sunaddr->sun_path[0] = 0; +- err = sizeof(short); ++ err = offsetof(struct sockaddr_un, sun_path); + } else { + err = addr->len; + memcpy(sunaddr, addr->name, addr->len); +@@ -3271,7 +3275,8 @@ static int unix_seq_show(struct seq_file *seq, void *v) + seq_putc(seq, ' '); + + i = 0; +- len = u->addr->len - sizeof(short); ++ len = u->addr->len - ++ offsetof(struct sockaddr_un, sun_path); + if (!UNIX_ABSTRACT(s)) + len--; + else { +diff --git a/net/unix/diag.c b/net/unix/diag.c +index daef19932f780..006438e2e07a2 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -19,7 +19,8 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + if (!addr) + return 0; + +- return nla_put(nlskb, UNIX_DIAG_NAME, addr->len - sizeof(short), ++ return nla_put(nlskb, UNIX_DIAG_NAME, ++ addr->len - offsetof(struct sockaddr_un, sun_path), + addr->name->sun_path); + } + +-- +2.43.0 + diff --git a/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch b/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch new file mode 100644 index 00000000000..6be1803b8e5 --- /dev/null +++ b/queue-5.15/af_unix-use-skb_queue_empty_lockless-in-unix_release.patch @@ -0,0 +1,44 @@ +From 0d596d22aae72b7ca666d21a079b8f63449f0407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:39 -0700 +Subject: af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). + +From: Kuniyuki Iwashima + +[ Upstream commit 83690b82d228b3570565ebd0b41873933238b97f ] + +If the socket type is SOCK_STREAM or SOCK_SEQPACKET, unix_release_sock() +checks the length of the peer socket's recvq under unix_state_lock(). + +However, unix_stream_read_generic() calls skb_unlink() after releasing +the lock. Also, for SOCK_SEQPACKET, __skb_try_recv_datagram() unlinks +skb without unix_state_lock(). + +Thues, unix_state_lock() does not protect qlen. + +Let's use skb_queue_empty_lockless() in unix_release_sock(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 85b1c0d7c287a..12099b06d7e88 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -570,7 +570,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + unix_state_lock(skpair); + /* No more writes */ + WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); +- if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion) + WRITE_ONCE(skpair->sk_err, ECONNRESET); + unix_state_unlock(skpair); + skpair->sk_state_change(skpair); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch b/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch new file mode 100644 index 00000000000..5a7e0e1672c --- /dev/null +++ b/queue-5.15/af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch @@ -0,0 +1,41 @@ +From 27be04be4ebc9fca755aeeec004c4367ae4dc3eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:40 -0700 +Subject: af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). + +From: Kuniyuki Iwashima + +[ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ] + +We can dump the socket queue length via UNIX_DIAG by specifying +UDIAG_SHOW_RQLEN. + +If sk->sk_state is TCP_LISTEN, we return the recv queue length, +but here we do not hold recvq lock. + +Let's use skb_queue_len_lockless() in sk_diag_show_rqlen(). + +Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 94c8f509261d0..63a0040e9fb45 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -104,7 +104,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) + struct unix_diag_rqlen rql; + + if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { +- rql.udiag_rqueue = sk->sk_receive_queue.qlen; ++ rql.udiag_rqueue = skb_queue_len_lockless(&sk->sk_receive_queue); + rql.udiag_wqueue = sk->sk_max_ack_backlog; + } else { + rql.udiag_rqueue = (u32) unix_inq_len(sk); +-- +2.43.0 + diff --git a/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch b/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch new file mode 100644 index 00000000000..4fe7349b324 --- /dev/null +++ b/queue-5.15/af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch @@ -0,0 +1,72 @@ +From 17eb75b26b34dcf7b81ff17b71e88f908abe9198 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 09:52:38 -0700 +Subject: af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ] + +Once sk->sk_state is changed to TCP_LISTEN, it never changes. + +unix_accept() takes advantage of this characteristics; it does not +hold the listener's unix_state_lock() and only acquires recvq lock +to pop one skb. + +It means unix_state_lock() does not prevent the queue length from +changing in unix_stream_connect(). + +Thus, we need to use unix_recvq_full_lockless() to avoid data-race. + +Now we remove unix_recvq_full() as no one uses it. + +Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in +unix_recvq_full_lockless() because of the following reasons: + + (1) For SOCK_DGRAM, it is a written-once field in unix_create1() + + (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the + listener's unix_state_lock() in unix_listen(), and we hold + the lock in unix_stream_connect() + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 5c4318f64d253..3fa86d70467c2 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -190,15 +190,9 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) + return unix_peer(osk) == NULL || unix_our_peer(sk, osk); + } + +-static inline int unix_recvq_full(const struct sock *sk) +-{ +- return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; +-} +- + static inline int unix_recvq_full_lockless(const struct sock *sk) + { +- return skb_queue_len_lockless(&sk->sk_receive_queue) > +- READ_ONCE(sk->sk_max_ack_backlog); ++ return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; + } + + struct sock *unix_peer_get(struct sock *s) +@@ -1429,7 +1423,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, + if (other->sk_shutdown & RCV_SHUTDOWN) + goto out_unlock; + +- if (unix_recvq_full(other)) { ++ if (unix_recvq_full_lockless(other)) { + err = -EAGAIN; + if (!timeo) + goto out_unlock; +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch b/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch new file mode 100644 index 00000000000..d989cb56c9f --- /dev/null +++ b/queue-5.15/bluetooth-btqca-add-wcn3988-support.patch @@ -0,0 +1,124 @@ +From 98c19c5237cadc9efec6b16923140e860e0ce0dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 08:56:29 +0200 +Subject: Bluetooth: btqca: Add WCN3988 support + +From: Luca Weiss + +[ Upstream commit f904feefe60c28b6852d5625adc4a2c39426a2d9 ] + +Add support for the Bluetooth chip codenamed APACHE which is part of +WCN3988. + +The firmware for this chip has a slightly different naming scheme +compared to most others. For ROM Version 0x0200 we need to use +apbtfw10.tlv + apnv10.bin and for ROM version 0x201 apbtfw11.tlv + +apnv11.bin + +Signed-off-by: Luca Weiss +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 13 +++++++++++-- + drivers/bluetooth/btqca.h | 12 ++++++++++-- + drivers/bluetooth/hci_qca.c | 12 ++++++++++++ + 3 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index b850b5de9f862..6ae806b9e77f2 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -595,11 +595,17 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + /* Firmware files to download are based on ROM version. + * ROM version is derived from last two bytes of soc_ver. + */ +- rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); ++ if (soc_type == QCA_WCN3988) ++ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f); ++ else ++ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f); + + /* Download rampatch file */ + config.type = TLV_TYPE_PATCH; +- if (qca_is_wcn399x(soc_type)) { ++ if (soc_type == QCA_WCN3988) { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apbtfw%02x.tlv", rom_ver); ++ } else if (qca_is_wcn399x(soc_type)) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/crbtfw%02x.tlv", rom_ver); + } else if (soc_type == QCA_QCA6390) { +@@ -634,6 +640,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + if (firmware_name) + snprintf(config.fwname, sizeof(config.fwname), + "qca/%s", firmware_name); ++ else if (soc_type == QCA_WCN3988) ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apnv%02x.bin", rom_ver); + else if (qca_is_wcn399x(soc_type)) { + if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { + snprintf(config.fwname, sizeof(config.fwname), +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index b83bf202ea604..104bb12c88adf 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -140,6 +140,7 @@ enum qca_btsoc_type { + QCA_INVALID = -1, + QCA_AR3002, + QCA_ROME, ++ QCA_WCN3988, + QCA_WCN3990, + QCA_WCN3998, + QCA_WCN3991, +@@ -160,8 +161,15 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); + int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); + static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) + { +- return soc_type == QCA_WCN3990 || soc_type == QCA_WCN3991 || +- soc_type == QCA_WCN3998; ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ return true; ++ default: ++ return false; ++ } + } + static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) + { +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 1c2bd292ecb7c..3e67e07161969 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1834,6 +1834,17 @@ static const struct hci_uart_proto qca_proto = { + .dequeue = qca_dequeue, + }; + ++static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = { ++ .soc_type = QCA_WCN3988, ++ .vregs = (struct qca_vreg []) { ++ { "vddio", 15000 }, ++ { "vddxo", 80000 }, ++ { "vddrf", 300000 }, ++ { "vddch0", 450000 }, ++ }, ++ .num_vregs = 4, ++}; ++ + static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { + .soc_type = QCA_WCN3990, + .vregs = (struct qca_vreg []) { +@@ -2359,6 +2370,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = { + { .compatible = "qcom,qca6174-bt" }, + { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390}, + { .compatible = "qcom,qca9377-bt" }, ++ { .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988}, + { .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990}, + { .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991}, + { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998}, +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch b/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch new file mode 100644 index 00000000000..1885635e8a0 --- /dev/null +++ b/queue-5.15/bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch @@ -0,0 +1,40 @@ +From 3323f172de3ed2953633009e6517363a8d748667 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 18:43:23 +0800 +Subject: Bluetooth: btqca: use le32_to_cpu for ver.soc_id + +From: Min-Hua Chen + +[ Upstream commit 8153b738bc547878a017889d2b1cf8dd2de0e0c6 ] + +Use le32_to_cpu for ver.soc_id to fix the following +sparse warning. + +drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted +__le32 degrades to integer + +Signed-off-by: Min-Hua Chen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Jakub Kicinski +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index d4ae33a5f805e..b850b5de9f862 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -635,7 +635,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + snprintf(config.fwname, sizeof(config.fwname), + "qca/%s", firmware_name); + else if (qca_is_wcn399x(soc_type)) { +- if (ver.soc_id == QCA_WCN3991_SOC_ID) { ++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/crnv%02xu.bin", rom_ver); + } else { +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch b/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch new file mode 100644 index 00000000000..089497e2da6 --- /dev/null +++ b/queue-5.15/bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch @@ -0,0 +1,82 @@ +From 391192635689b4cde600c4d5be334134929a0e79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Mar 2023 12:13:53 +0100 +Subject: Bluetooth: hci_qca: mark OF related data as maybe unused +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit 44fac8a2fd2f72ee98ee41e6bc9ecc7765b5d3cc ] + +The driver can be compile tested with !CONFIG_OF making certain data +unused: + + drivers/bluetooth/hci_qca.c:1869:37: error: ‘qca_soc_data_wcn6750’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1853:37: error: ‘qca_soc_data_wcn3998’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1841:37: error: ‘qca_soc_data_wcn3991’ + defined but not used [-Werror=unused-const-variable=] + drivers/bluetooth/hci_qca.c:1830:37: error: ‘qca_soc_data_wcn3990’ + defined but not used [-Werror=unused-const-variable=] + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index fb71caa31daa7..1c2bd292ecb7c 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1834,7 +1834,7 @@ static const struct hci_uart_proto qca_proto = { + .dequeue = qca_dequeue, + }; + +-static const struct qca_device_data qca_soc_data_wcn3990 = { ++static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = { + .soc_type = QCA_WCN3990, + .vregs = (struct qca_vreg []) { + { "vddio", 15000 }, +@@ -1845,7 +1845,7 @@ static const struct qca_device_data qca_soc_data_wcn3990 = { + .num_vregs = 4, + }; + +-static const struct qca_device_data qca_soc_data_wcn3991 = { ++static const struct qca_device_data qca_soc_data_wcn3991 __maybe_unused = { + .soc_type = QCA_WCN3991, + .vregs = (struct qca_vreg []) { + { "vddio", 15000 }, +@@ -1857,7 +1857,7 @@ static const struct qca_device_data qca_soc_data_wcn3991 = { + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + +-static const struct qca_device_data qca_soc_data_wcn3998 = { ++static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = { + .soc_type = QCA_WCN3998, + .vregs = (struct qca_vreg []) { + { "vddio", 10000 }, +@@ -1868,13 +1868,13 @@ static const struct qca_device_data qca_soc_data_wcn3998 = { + .num_vregs = 4, + }; + +-static const struct qca_device_data qca_soc_data_qca6390 = { ++static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = { + .soc_type = QCA_QCA6390, + .num_vregs = 0, + .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + +-static const struct qca_device_data qca_soc_data_wcn6750 = { ++static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = { + .soc_type = QCA_WCN6750, + .vregs = (struct qca_vreg []) { + { "vddio", 5000 }, +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch b/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch new file mode 100644 index 00000000000..15fef7f658c --- /dev/null +++ b/queue-5.15/bluetooth-qca-add-support-for-qca2066.patch @@ -0,0 +1,224 @@ +From 2bb103505fb2d3ef1afb539e814575d11df48336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 17:39:57 +0800 +Subject: Bluetooth: qca: add support for QCA2066 + +From: Tim Jiang + +[ Upstream commit a7f8dedb4be2cc930a29af24427b885405ecd15d ] + +This patch adds support for QCA2066 firmware patch and NVM downloading. +as the RF performance of QCA2066 SOC chip from different foundries may +vary. Therefore we use different NVM to configure them based on board ID. + +Changes in v2 + - optimize the function qca_generate_hsp_nvm_name + - remove redundant debug code for function qca_read_fw_board_id + +Signed-off-by: Tim Jiang +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 68 +++++++++++++++++++++++++++++++++++++ + drivers/bluetooth/btqca.h | 5 ++- + drivers/bluetooth/hci_qca.c | 11 ++++++ + 3 files changed, 83 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index b14201b7bcd04..abd621d224667 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -160,6 +160,44 @@ static int qca_send_reset(struct hci_dev *hdev) + return 0; + } + ++static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid) ++{ ++ u8 cmd; ++ struct sk_buff *skb; ++ struct edl_event_hdr *edl; ++ int err = 0; ++ ++ cmd = EDL_GET_BID_REQ_CMD; ++ skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN, ++ &cmd, 0, HCI_INIT_TIMEOUT); ++ if (IS_ERR(skb)) { ++ err = PTR_ERR(skb); ++ bt_dev_err(hdev, "Reading QCA board ID failed (%d)", err); ++ return err; ++ } ++ ++ edl = skb_pull_data(skb, sizeof(*edl)); ++ if (!edl) { ++ bt_dev_err(hdev, "QCA read board ID with no header"); ++ err = -EILSEQ; ++ goto out; ++ } ++ ++ if (edl->cresp != EDL_CMD_REQ_RES_EVT || ++ edl->rtype != EDL_GET_BID_REQ_CMD) { ++ bt_dev_err(hdev, "QCA Wrong packet: %d %d", edl->cresp, edl->rtype); ++ err = -EIO; ++ goto out; ++ } ++ ++ *bid = (edl->data[1] << 8) + edl->data[2]; ++ bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid); ++ ++out: ++ kfree_skb(skb); ++ return err; ++} ++ + int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + { + struct sk_buff *skb; +@@ -575,6 +613,23 @@ int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) + } + EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); + ++static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size, ++ struct qca_btsoc_version ver, u8 rom_ver, u16 bid) ++{ ++ const char *variant; ++ ++ /* hsp gf chip */ ++ if ((le32_to_cpu(ver.soc_id) & QCA_HSP_GF_SOC_MASK) == QCA_HSP_GF_SOC_ID) ++ variant = "g"; ++ else ++ variant = ""; ++ ++ if (bid == 0x0) ++ snprintf(fwname, max_size, "qca/hpnv%02x%s.bin", rom_ver, variant); ++ else ++ snprintf(fwname, max_size, "qca/hpnv%02x%s.%x", rom_ver, variant, bid); ++} ++ + int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + enum qca_btsoc_type soc_type, struct qca_btsoc_version ver, + const char *firmware_name) +@@ -583,6 +638,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + int err; + u8 rom_ver = 0; + u32 soc_ver; ++ u16 boardid = 0; + + bt_dev_dbg(hdev, "QCA setup on UART"); + +@@ -613,6 +669,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + snprintf(config.fwname, sizeof(config.fwname), + "qca/apbtfw%02x.tlv", rom_ver); + break; ++ case QCA_QCA2066: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hpbtfw%02x.tlv", rom_ver); ++ break; + case QCA_QCA6390: + snprintf(config.fwname, sizeof(config.fwname), + "qca/htbtfw%02x.tlv", rom_ver); +@@ -643,6 +703,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + /* Give the controller some time to get ready to receive the NVM */ + msleep(10); + ++ if (soc_type == QCA_QCA2066) ++ qca_read_fw_board_id(hdev, &boardid); ++ + /* Download NVM configuration */ + config.type = TLV_TYPE_NVM; + if (firmware_name) { +@@ -665,6 +728,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + snprintf(config.fwname, sizeof(config.fwname), + "qca/apnv%02x.bin", rom_ver); + break; ++ case QCA_QCA2066: ++ qca_generate_hsp_nvm_name(config.fwname, ++ sizeof(config.fwname), ver, rom_ver, boardid); ++ break; + case QCA_QCA6390: + snprintf(config.fwname, sizeof(config.fwname), + "qca/htnv%02x.bin", rom_ver); +@@ -692,6 +759,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + + switch (soc_type) { + case QCA_WCN3991: ++ case QCA_QCA2066: + case QCA_QCA6390: + case QCA_WCN6750: + case QCA_WCN6855: +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index fa77c07daecf5..d69ecfdef2a20 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -12,6 +12,7 @@ + #define EDL_PATCH_VER_REQ_CMD (0x19) + #define EDL_PATCH_TLV_REQ_CMD (0x1E) + #define EDL_GET_BUILD_INFO_CMD (0x20) ++#define EDL_GET_BID_REQ_CMD (0x23) + #define EDL_NVM_ACCESS_SET_REQ_CMD (0x01) + #define MAX_SIZE_PER_TLV_SEGMENT (243) + #define QCA_PRE_SHUTDOWN_CMD (0xFC08) +@@ -45,7 +46,8 @@ + ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) + + #define QCA_FW_BUILD_VER_LEN 255 +- ++#define QCA_HSP_GF_SOC_ID 0x1200 ++#define QCA_HSP_GF_SOC_MASK 0x0000ff00 + + enum qca_baudrate { + QCA_BAUDRATE_115200 = 0, +@@ -144,6 +146,7 @@ enum qca_btsoc_type { + QCA_WCN3990, + QCA_WCN3998, + QCA_WCN3991, ++ QCA_QCA2066, + QCA_QCA6390, + QCA_WCN6750, + QCA_WCN6855, +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 62491e7610384..0800f6e62b7f0 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1801,6 +1801,10 @@ static int qca_setup(struct hci_uart *hu) + set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); + + switch (soc_type) { ++ case QCA_QCA2066: ++ soc_name = "qca2066"; ++ break; ++ + case QCA_WCN3988: + case QCA_WCN3990: + case QCA_WCN3991: +@@ -1981,6 +1985,11 @@ static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = { + .num_vregs = 4, + }; + ++static const struct qca_device_data qca_soc_data_qca2066 __maybe_unused = { ++ .soc_type = QCA_QCA2066, ++ .num_vregs = 0, ++}; ++ + static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = { + .soc_type = QCA_QCA6390, + .num_vregs = 0, +@@ -2492,6 +2501,7 @@ static SIMPLE_DEV_PM_OPS(qca_pm_ops, qca_suspend, qca_resume); + + #ifdef CONFIG_OF + static const struct of_device_id qca_bluetooth_of_match[] = { ++ { .compatible = "qcom,qca2066-bt", .data = &qca_soc_data_qca2066}, + { .compatible = "qcom,qca6174-bt" }, + { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390}, + { .compatible = "qcom,qca9377-bt" }, +@@ -2508,6 +2518,7 @@ MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match); + + #ifdef CONFIG_ACPI + static const struct acpi_device_id qca_bluetooth_acpi_match[] = { ++ { "QCOM2066", (kernel_ulong_t)&qca_soc_data_qca2066 }, + { "QCOM6390", (kernel_ulong_t)&qca_soc_data_qca6390 }, + { "DLA16390", (kernel_ulong_t)&qca_soc_data_qca6390 }, + { "DLB16390", (kernel_ulong_t)&qca_soc_data_qca6390 }, +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch b/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch new file mode 100644 index 00000000000..20d7bb1586a --- /dev/null +++ b/queue-5.15/bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch @@ -0,0 +1,93 @@ +From 9a92c309f6ebee38d42f674015c7ad8270d8d690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 14:34:52 +0200 +Subject: Bluetooth: qca: fix info leak when fetching fw build id + +From: Johan Hovold + +[ Upstream commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 ] + +Add the missing sanity checks and move the 255-byte build-id buffer off +the stack to avoid leaking stack data through debugfs in case the +build-info reply is malformed. + +Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC") +Cc: stable@vger.kernel.org # 5.12 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++---- + drivers/bluetooth/btqca.h | 1 - + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index abd621d224667..7011151420e48 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -98,7 +98,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) + { + struct sk_buff *skb; + struct edl_event_hdr *edl; +- char cmd, build_label[QCA_FW_BUILD_VER_LEN]; ++ char *build_label; ++ char cmd; + int build_lbl_len, err = 0; + + bt_dev_dbg(hdev, "QCA read fw build info"); +@@ -113,6 +114,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) + return err; + } + ++ if (skb->len < sizeof(*edl)) { ++ err = -EILSEQ; ++ goto out; ++ } ++ + edl = (struct edl_event_hdr *)(skb->data); + if (!edl) { + bt_dev_err(hdev, "QCA read fw build info with no header"); +@@ -128,14 +134,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev) + goto out; + } + ++ if (skb->len < sizeof(*edl) + 1) { ++ err = -EILSEQ; ++ goto out; ++ } ++ + build_lbl_len = edl->data[0]; +- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) { +- memcpy(build_label, edl->data + 1, build_lbl_len); +- *(build_label + build_lbl_len) = '\0'; ++ ++ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) { ++ err = -EILSEQ; ++ goto out; + } + ++ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL); ++ if (!build_label) ++ goto out; ++ + hci_set_fw_info(hdev, "%s", build_label); + ++ kfree(build_label); + out: + kfree_skb(skb); + return err; +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index d69ecfdef2a20..6a6a286bc8547 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -45,7 +45,6 @@ + #define get_soc_ver(soc_id, rom_ver) \ + ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver))) + +-#define QCA_FW_BUILD_VER_LEN 255 + #define QCA_HSP_GF_SOC_ID 0x1200 + #define QCA_HSP_GF_SOC_MASK 0x0000ff00 + +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch b/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch new file mode 100644 index 00000000000..9888c79f466 --- /dev/null +++ b/queue-5.15/bluetooth-qca-use-switch-case-for-soc-type-behavior.patch @@ -0,0 +1,616 @@ +From ff36c600c800a4cbeb2ae58251e1465104807b29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:06:47 +0200 +Subject: Bluetooth: qca: use switch case for soc type behavior + +From: Neil Armstrong + +[ Upstream commit 691d54d0f7cb14baac1ff4af210d13c0e4897e27 ] + +Use switch/case to handle soc type specific behaviour, +the permit dropping the qca_is_xxx() inline functions +and make the code clearer and easier to update for new +SoCs. + +Suggested-by: Konrad Dybcio +Suggested-by: Luiz Augusto von Dentz +Signed-off-by: Neil Armstrong +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqca.c | 87 +++++++++----- + drivers/bluetooth/btqca.h | 36 ------ + drivers/bluetooth/hci_qca.c | 233 +++++++++++++++++++++++++++--------- + 3 files changed, 236 insertions(+), 120 deletions(-) + +diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c +index 6ae806b9e77f2..b14201b7bcd04 100644 +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -602,26 +602,34 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + + /* Download rampatch file */ + config.type = TLV_TYPE_PATCH; +- if (soc_type == QCA_WCN3988) { +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/apbtfw%02x.tlv", rom_ver); +- } else if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + snprintf(config.fwname, sizeof(config.fwname), + "qca/crbtfw%02x.tlv", rom_ver); +- } else if (soc_type == QCA_QCA6390) { ++ break; ++ case QCA_WCN3988: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/apbtfw%02x.tlv", rom_ver); ++ break; ++ case QCA_QCA6390: + snprintf(config.fwname, sizeof(config.fwname), + "qca/htbtfw%02x.tlv", rom_ver); +- } else if (soc_type == QCA_WCN6750) { ++ break; ++ case QCA_WCN6750: + /* Choose mbn file by default.If mbn file is not found + * then choose tlv file + */ + config.type = ELF_TYPE_PATCH; + snprintf(config.fwname, sizeof(config.fwname), + "qca/msbtfw%02x.mbn", rom_ver); +- } else if (soc_type == QCA_WCN6855) { ++ break; ++ case QCA_WCN6855: + snprintf(config.fwname, sizeof(config.fwname), + "qca/hpbtfw%02x.tlv", rom_ver); +- } else { ++ break; ++ default: + snprintf(config.fwname, sizeof(config.fwname), + "qca/rampatch_%08x.bin", soc_ver); + } +@@ -637,33 +645,44 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + + /* Download NVM configuration */ + config.type = TLV_TYPE_NVM; +- if (firmware_name) ++ if (firmware_name) { + snprintf(config.fwname, sizeof(config.fwname), + "qca/%s", firmware_name); +- else if (soc_type == QCA_WCN3988) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/apnv%02x.bin", rom_ver); +- else if (qca_is_wcn399x(soc_type)) { +- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { ++ } else { ++ switch (soc_type) { ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/crnv%02xu.bin", rom_ver); ++ } else { ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/crnv%02x.bin", rom_ver); ++ } ++ break; ++ case QCA_WCN3988: + snprintf(config.fwname, sizeof(config.fwname), +- "qca/crnv%02xu.bin", rom_ver); +- } else { ++ "qca/apnv%02x.bin", rom_ver); ++ break; ++ case QCA_QCA6390: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/htnv%02x.bin", rom_ver); ++ break; ++ case QCA_WCN6750: + snprintf(config.fwname, sizeof(config.fwname), +- "qca/crnv%02x.bin", rom_ver); ++ "qca/msnv%02x.bin", rom_ver); ++ break; ++ case QCA_WCN6855: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/hpnv%02x.bin", rom_ver); ++ break; ++ ++ default: ++ snprintf(config.fwname, sizeof(config.fwname), ++ "qca/nvm_%08x.bin", soc_ver); + } + } +- else if (soc_type == QCA_QCA6390) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/htnv%02x.bin", rom_ver); +- else if (soc_type == QCA_WCN6750) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/msnv%02x.bin", rom_ver); +- else if (soc_type == QCA_WCN6855) +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/hpnv%02x.bin", rom_ver); +- else +- snprintf(config.fwname, sizeof(config.fwname), +- "qca/nvm_%08x.bin", soc_ver); + + err = qca_download_firmware(hdev, &config, soc_type, rom_ver); + if (err < 0) { +@@ -671,16 +690,24 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, + return err; + } + +- if (soc_type >= QCA_WCN3991) { ++ switch (soc_type) { ++ case QCA_WCN3991: ++ case QCA_QCA6390: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + err = qca_disable_soc_logging(hdev); + if (err < 0) + return err; ++ break; ++ default: ++ break; + } + + /* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the + * VsMsftOpCode. + */ + switch (soc_type) { ++ case QCA_WCN3988: + case QCA_WCN3990: + case QCA_WCN3991: + case QCA_WCN3998: +diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h +index 104bb12c88adf..fa77c07daecf5 100644 +--- a/drivers/bluetooth/btqca.h ++++ b/drivers/bluetooth/btqca.h +@@ -159,27 +159,6 @@ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type); + int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr); + int qca_send_pre_shutdown_cmd(struct hci_dev *hdev); +-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) +-{ +- switch (soc_type) { +- case QCA_WCN3988: +- case QCA_WCN3990: +- case QCA_WCN3991: +- case QCA_WCN3998: +- return true; +- default: +- return false; +- } +-} +-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) +-{ +- return soc_type == QCA_WCN6750; +-} +-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) +-{ +- return soc_type == QCA_WCN6855; +-} +- + #else + + static inline int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) +@@ -207,21 +186,6 @@ static inline int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) + return -EOPNOTSUPP; + } + +-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- +-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- +-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type) +-{ +- return false; +-} +- + static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) + { + return -EOPNOTSUPP; +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 3e67e07161969..62491e7610384 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -606,9 +606,18 @@ static int qca_open(struct hci_uart *hu) + if (hu->serdev) { + qcadev = serdev_device_get_drvdata(hu->serdev); + +- if (qca_is_wcn399x(qcadev->btsoc_type) || +- qca_is_wcn6750(qcadev->btsoc_type)) ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: + hu->init_speed = qcadev->init_speed; ++ break; ++ ++ default: ++ break; ++ } + + if (qcadev->oper_speed) + hu->oper_speed = qcadev->oper_speed; +@@ -1314,12 +1323,19 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) + msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS)); + + /* Give the controller time to process the request */ +- if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu)) || +- qca_is_wcn6855(qca_soc_type(hu))) ++ switch (qca_soc_type(hu)) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + usleep_range(1000, 10000); +- else ++ break; ++ ++ default: + msleep(300); ++ } + + return 0; + } +@@ -1392,13 +1408,19 @@ static unsigned int qca_get_speed(struct hci_uart *hu, + + static int qca_check_speeds(struct hci_uart *hu) + { +- if (qca_is_wcn399x(qca_soc_type(hu)) || +- qca_is_wcn6750(qca_soc_type(hu)) || +- qca_is_wcn6855(qca_soc_type(hu))) { ++ switch (qca_soc_type(hu)) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + if (!qca_get_speed(hu, QCA_INIT_SPEED) && + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +- } else { ++ break; ++ ++ default: + if (!qca_get_speed(hu, QCA_INIT_SPEED) || + !qca_get_speed(hu, QCA_OPER_SPEED)) + return -EINVAL; +@@ -1427,14 +1449,28 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + /* Disable flow control for wcn3990 to deassert RTS while + * changing the baudrate of chip and host. + */ +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + hci_uart_set_flow_control(hu, true); ++ break; + +- if (soc_type == QCA_WCN3990) { ++ default: ++ break; ++ } ++ ++ switch (soc_type) { ++ case QCA_WCN3990: + reinit_completion(&qca->drop_ev_comp); + set_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); ++ break; ++ ++ default: ++ break; + } + + qca_baudrate = qca_get_baudrate_value(speed); +@@ -1446,12 +1482,22 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + host_set_baudrate(hu, speed); + + error: +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + hci_uart_set_flow_control(hu, false); ++ break; + +- if (soc_type == QCA_WCN3990) { ++ default: ++ break; ++ } ++ ++ switch (soc_type) { ++ case QCA_WCN3990: + /* Wait for the controller to send the vendor event + * for the baudrate change command. + */ +@@ -1463,6 +1509,10 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type) + } + + clear_bit(QCA_DROP_VENDOR_EVENT, &qca->flags); ++ break; ++ ++ default: ++ break; + } + } + +@@ -1627,12 +1677,20 @@ static int qca_regulator_init(struct hci_uart *hu) + } + } + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + /* Forcefully enable wcn399x to enter in to boot mode. */ + host_set_baudrate(hu, 2400); + ret = qca_send_power_pulse(hu, false); + if (ret) + return ret; ++ break; ++ ++ default: ++ break; + } + + /* For wcn6750 need to enable gpio bt_en */ +@@ -1649,10 +1707,18 @@ static int qca_regulator_init(struct hci_uart *hu) + + qca_set_speed(hu, QCA_INIT_SPEED); + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + ret = qca_send_power_pulse(hu, true); + if (ret) + return ret; ++ break; ++ ++ default: ++ break; + } + + /* Now the device is in ready state to communicate with host. +@@ -1686,11 +1752,17 @@ static int qca_power_on(struct hci_dev *hdev) + if (!hu->serdev) + return 0; + +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + ret = qca_regulator_init(hu); +- } else { ++ break; ++ ++ default: + qcadev = serdev_device_get_drvdata(hu->serdev); + if (qcadev->bt_en) { + gpiod_set_value_cansleep(qcadev->bt_en, 1); +@@ -1713,6 +1785,7 @@ static int qca_setup(struct hci_uart *hu) + const char *firmware_name = qca_get_firmware_name(hu); + int ret; + struct qca_btsoc_version ver; ++ const char *soc_name; + + ret = qca_check_speeds(hu); + if (ret) +@@ -1727,10 +1800,26 @@ static int qca_setup(struct hci_uart *hu) + */ + set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); + +- bt_dev_info(hdev, "setting up %s", +- qca_is_wcn399x(soc_type) ? "wcn399x" : +- (soc_type == QCA_WCN6750) ? "wcn6750" : +- (soc_type == QCA_WCN6855) ? "wcn6855" : "ROME/QCA6390"); ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ soc_name = "wcn399x"; ++ break; ++ ++ case QCA_WCN6750: ++ soc_name = "wcn6750"; ++ break; ++ ++ case QCA_WCN6855: ++ soc_name = "wcn6855"; ++ break; ++ ++ default: ++ soc_name = "ROME/QCA6390"; ++ } ++ bt_dev_info(hdev, "setting up %s", soc_name); + + qca->memdump_state = QCA_MEMDUMP_IDLE; + +@@ -1741,15 +1830,21 @@ static int qca_setup(struct hci_uart *hu) + + clear_bit(QCA_SSR_TRIGGERED, &qca->flags); + +- if (qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); + + ret = qca_read_soc_version(hdev, &ver, soc_type); + if (ret) + goto out; +- } else { ++ break; ++ ++ default: + qca_set_speed(hu, QCA_INIT_SPEED); + } + +@@ -1763,9 +1858,16 @@ static int qca_setup(struct hci_uart *hu) + qca_baudrate = qca_get_baudrate_value(speed); + } + +- if (!(qca_is_wcn399x(soc_type) || +- qca_is_wcn6750(soc_type) || +- qca_is_wcn6855(soc_type))) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: ++ break; ++ ++ default: + /* Get QCA version information */ + ret = qca_read_soc_version(hdev, &ver, soc_type); + if (ret) +@@ -1941,11 +2043,18 @@ static void qca_power_shutdown(struct hci_uart *hu) + + qcadev = serdev_device_get_drvdata(hu->serdev); + +- if (qca_is_wcn399x(soc_type)) { ++ switch (soc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: + host_set_baudrate(hu, 2400); + qca_send_power_pulse(hu, false); + qca_regulator_disable(qcadev); +- } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) { ++ break; ++ ++ case QCA_WCN6750: ++ case QCA_WCN6855: + gpiod_set_value_cansleep(qcadev->bt_en, 0); + msleep(100); + qca_regulator_disable(qcadev); +@@ -1953,7 +2062,9 @@ static void qca_power_shutdown(struct hci_uart *hu) + sw_ctrl_state = gpiod_get_value_cansleep(qcadev->sw_ctrl); + bt_dev_dbg(hu->hdev, "SW_CTRL is %d", sw_ctrl_state); + } +- } else if (qcadev->bt_en) { ++ break; ++ ++ default: + gpiod_set_value_cansleep(qcadev->bt_en, 0); + } + +@@ -2078,11 +2189,18 @@ static int qca_serdev_probe(struct serdev_device *serdev) + if (!qcadev->oper_speed) + BT_DBG("UART will pick default operating speed"); + +- if (data && +- (qca_is_wcn399x(data->soc_type) || +- qca_is_wcn6750(data->soc_type) || +- qca_is_wcn6855(data->soc_type))) { ++ if (data) + qcadev->btsoc_type = data->soc_type; ++ else ++ qcadev->btsoc_type = QCA_ROME; ++ ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: + qcadev->bt_power = devm_kzalloc(&serdev->dev, + sizeof(struct qca_power), + GFP_KERNEL); +@@ -2126,12 +2244,9 @@ static int qca_serdev_probe(struct serdev_device *serdev) + BT_ERR("wcn3990 serdev registration failed"); + return err; + } +- } else { +- if (data) +- qcadev->btsoc_type = data->soc_type; +- else +- qcadev->btsoc_type = QCA_ROME; ++ break; + ++ default: + qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", + GPIOD_OUT_LOW); + if (IS_ERR(qcadev->bt_en)) { +@@ -2187,13 +2302,23 @@ static void qca_serdev_remove(struct serdev_device *serdev) + struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev); + struct qca_power *power = qcadev->bt_power; + +- if ((qca_is_wcn399x(qcadev->btsoc_type) || +- qca_is_wcn6750(qcadev->btsoc_type) || +- qca_is_wcn6855(qcadev->btsoc_type)) && +- power->vregs_on) +- qca_power_shutdown(&qcadev->serdev_hu); +- else if (qcadev->susclk) +- clk_disable_unprepare(qcadev->susclk); ++ switch (qcadev->btsoc_type) { ++ case QCA_WCN3988: ++ case QCA_WCN3990: ++ case QCA_WCN3991: ++ case QCA_WCN3998: ++ case QCA_WCN6750: ++ case QCA_WCN6855: ++ if (power->vregs_on) { ++ qca_power_shutdown(&qcadev->serdev_hu); ++ break; ++ } ++ fallthrough; ++ ++ default: ++ if (qcadev->susclk) ++ clk_disable_unprepare(qcadev->susclk); ++ } + + hci_uart_unregister_device(&qcadev->serdev_hu); + } +-- +2.43.0 + diff --git a/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch b/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch new file mode 100644 index 00000000000..6d42c063d5b --- /dev/null +++ b/queue-5.15/bpf-set-run-context-for-rawtp-test_run-callback.patch @@ -0,0 +1,52 @@ +From ee021c76a34f6d96be17d94e197d8b14a4d4b5d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 17:00:24 +0200 +Subject: bpf: Set run context for rawtp test_run callback + +From: Jiri Olsa + +[ Upstream commit d0d1df8ba18abc57f28fb3bc053b2bf319367f2c ] + +syzbot reported crash when rawtp program executed through the +test_run interface calls bpf_get_attach_cookie helper or any +other helper that touches task->bpf_ctx pointer. + +Setting the run context (task->bpf_ctx pointer) for test_run +callback. + +Fixes: 7adfc6c9b315 ("bpf: Add bpf_get_attach_cookie() BPF helper to access bpf_cookie value") +Reported-by: syzbot+3ab78ff125b7979e45f9@syzkaller.appspotmail.com +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Closes: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9 +Link: https://lore.kernel.org/bpf/20240604150024.359247-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index 11d254ce3581c..a0d75c33b5d6a 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -326,10 +326,16 @@ static void + __bpf_prog_test_run_raw_tp(void *data) + { + struct bpf_raw_tp_test_run_info *info = data; ++ struct bpf_trace_run_ctx run_ctx = {}; ++ struct bpf_run_ctx *old_run_ctx; ++ ++ old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx); + + rcu_read_lock(); + info->retval = bpf_prog_run(info->prog, info->ctx); + rcu_read_unlock(); ++ ++ bpf_reset_run_ctx(old_run_ctx); + } + + int bpf_prog_test_run_raw_tp(struct bpf_prog *prog, +-- +2.43.0 + diff --git a/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch b/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch new file mode 100644 index 00000000000..82a2c386ba0 --- /dev/null +++ b/queue-5.15/btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch @@ -0,0 +1,66 @@ +From e889b0b319a8f077d83a493209c9a0ff93c16830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 12:49:08 +0100 +Subject: btrfs: fix leak of qgroup extent records after transaction abort + +From: Filipe Manana + +[ Upstream commit fb33eb2ef0d88e75564983ef057b44c5b7e4fded ] + +Qgroup extent records are created when delayed ref heads are created and +then released after accounting extents at btrfs_qgroup_account_extents(), +called during the transaction commit path. + +If a transaction is aborted we free the qgroup records by calling +btrfs_qgroup_destroy_extent_records() at btrfs_destroy_delayed_refs(), +unless we don't have delayed references. We are incorrectly assuming +that no delayed references means we don't have qgroup extents records. + +We can currently have no delayed references because we ran them all +during a transaction commit and the transaction was aborted after that +due to some error in the commit path. + +So fix this by ensuring we btrfs_qgroup_destroy_extent_records() at +btrfs_destroy_delayed_refs() even if we don't have any delayed references. + +Reported-by: syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/0000000000004e7f980619f91835@google.com/ +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index c1dfde886b1e3..092ebed754b0c 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4707,19 +4707,11 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, + struct btrfs_fs_info *fs_info) + { + struct rb_node *node; +- struct btrfs_delayed_ref_root *delayed_refs; ++ struct btrfs_delayed_ref_root *delayed_refs = &trans->delayed_refs; + struct btrfs_delayed_ref_node *ref; + int ret = 0; + +- delayed_refs = &trans->delayed_refs; +- + spin_lock(&delayed_refs->lock); +- if (atomic_read(&delayed_refs->num_entries) == 0) { +- spin_unlock(&delayed_refs->lock); +- btrfs_debug(fs_info, "delayed_refs has NO entry"); +- return ret; +- } +- + while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL) { + struct btrfs_delayed_ref_head *head; + struct rb_node *n; +-- +2.43.0 + diff --git a/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch b/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch new file mode 100644 index 00000000000..2184a2e2ddf --- /dev/null +++ b/queue-5.15/cma-factor-out-minimum-alignment-requirement.patch @@ -0,0 +1,221 @@ +From ad9e4137a36db6cf7391c2f51b2fe9cd6ab0911a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:43:17 -0700 +Subject: cma: factor out minimum alignment requirement + +From: David Hildenbrand + +[ Upstream commit e16faf26780fc0c8dd693ea9ee8420a7706cb2f5 ] + +Patch series "mm: enforce pageblock_order < MAX_ORDER". + +Having pageblock_order >= MAX_ORDER seems to be able to happen in corner +cases and some parts of the kernel are not prepared for it. + +For example, Aneesh has shown [1] that such kernels can be compiled on +ppc64 with 64k base pages by setting FORCE_MAX_ZONEORDER=8, which will +run into a WARN_ON_ONCE(order >= MAX_ORDER) in comapction code right +during boot. + +We can get pageblock_order >= MAX_ORDER when the default hugetlb size is +bigger than the maximum allocation granularity of the buddy, in which +case we are no longer talking about huge pages but instead gigantic +pages. + +Having pageblock_order >= MAX_ORDER can only make alloc_contig_range() +of such gigantic pages more likely to succeed. + +Reliable use of gigantic pages either requires boot time allcoation or +CMA, no need to overcomplicate some places in the kernel to optimize for +corner cases that are broken in other areas of the kernel. + +This patch (of 2): + +Let's enforce pageblock_order < MAX_ORDER and simplify. + +Especially patch #1 can be regarded a cleanup before: + [PATCH v5 0/6] Use pageblock_order for cma and alloc_contig_range + alignment. [2] + +[1] https://lkml.kernel.org/r/87r189a2ks.fsf@linux.ibm.com +[2] https://lkml.kernel.org/r/20220211164135.1803616-1-zi.yan@sent.com + +Link: https://lkml.kernel.org/r/20220214174132.219303-2-david@redhat.com +Signed-off-by: David Hildenbrand +Reviewed-by: Zi Yan +Acked-by: Rob Herring +Cc: Aneesh Kumar K.V +Cc: Michael Ellerman +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Frank Rowand +Cc: Michael S. Tsirkin +Cc: Christoph Hellwig +Cc: Marek Szyprowski +Cc: Robin Murphy +Cc: Minchan Kim +Cc: Vlastimil Babka +Cc: John Garry via iommu + +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: b174f139bdc8 ("mm/cma: drop incorrect alignment check in cma_init_reserved_mem") +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/fadump-internal.h | 5 ----- + arch/powerpc/kernel/fadump.c | 2 +- + drivers/of/of_reserved_mem.c | 9 +++------ + include/linux/cma.h | 9 +++++++++ + kernel/dma/contiguous.c | 4 +--- + mm/cma.c | 20 +++++--------------- + 6 files changed, 19 insertions(+), 30 deletions(-) + +diff --git a/arch/powerpc/include/asm/fadump-internal.h b/arch/powerpc/include/asm/fadump-internal.h +index 8d61c8f3fec47..d06b2be645326 100644 +--- a/arch/powerpc/include/asm/fadump-internal.h ++++ b/arch/powerpc/include/asm/fadump-internal.h +@@ -19,11 +19,6 @@ + + #define memblock_num_regions(memblock_type) (memblock.memblock_type.cnt) + +-/* Alignment per CMA requirement. */ +-#define FADUMP_CMA_ALIGNMENT (PAGE_SIZE << \ +- max_t(unsigned long, MAX_ORDER - 1, \ +- pageblock_order)) +- + /* FAD commands */ + #define FADUMP_REGISTER 1 + #define FADUMP_UNREGISTER 2 +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index d496dc5151aa1..35b142ad0e40e 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -544,7 +544,7 @@ int __init fadump_reserve_mem(void) + if (!fw_dump.nocma) { + fw_dump.boot_memory_size = + ALIGN(fw_dump.boot_memory_size, +- FADUMP_CMA_ALIGNMENT); ++ CMA_MIN_ALIGNMENT_BYTES); + } + #endif + +diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c +index 9e949ddcb1464..6ec668ae2d6fa 100644 +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include "of_private.h" + +@@ -117,12 +118,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node, + if (IS_ENABLED(CONFIG_CMA) + && of_flat_dt_is_compatible(node, "shared-dma-pool") + && of_get_flat_dt_prop(node, "reusable", NULL) +- && !nomap) { +- unsigned long order = +- max_t(unsigned long, MAX_ORDER - 1, pageblock_order); +- +- align = max(align, (phys_addr_t)PAGE_SIZE << order); +- } ++ && !nomap) ++ align = max_t(phys_addr_t, align, CMA_MIN_ALIGNMENT_BYTES); + + prop = of_get_flat_dt_prop(node, "alloc-ranges", &len); + if (prop) { +diff --git a/include/linux/cma.h b/include/linux/cma.h +index 53fd8c3cdbd04..1b302e204c09b 100644 +--- a/include/linux/cma.h ++++ b/include/linux/cma.h +@@ -20,6 +20,15 @@ + + #define CMA_MAX_NAME 64 + ++/* ++ * TODO: once the buddy -- especially pageblock merging and alloc_contig_range() ++ * -- can deal with only some pageblocks of a higher-order page being ++ * MIGRATE_CMA, we can use pageblock_nr_pages. ++ */ ++#define CMA_MIN_ALIGNMENT_PAGES max_t(phys_addr_t, MAX_ORDER_NR_PAGES, \ ++ pageblock_nr_pages) ++#define CMA_MIN_ALIGNMENT_BYTES (PAGE_SIZE * CMA_MIN_ALIGNMENT_PAGES) ++ + struct cma; + + extern unsigned long totalcma_pages; +diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c +index 3d63d91cba5cf..6ea80ae426228 100644 +--- a/kernel/dma/contiguous.c ++++ b/kernel/dma/contiguous.c +@@ -399,8 +399,6 @@ static const struct reserved_mem_ops rmem_cma_ops = { + + static int __init rmem_cma_setup(struct reserved_mem *rmem) + { +- phys_addr_t align = PAGE_SIZE << max(MAX_ORDER - 1, pageblock_order); +- phys_addr_t mask = align - 1; + unsigned long node = rmem->fdt_node; + bool default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL); + struct cma *cma; +@@ -416,7 +414,7 @@ static int __init rmem_cma_setup(struct reserved_mem *rmem) + of_get_flat_dt_prop(node, "no-map", NULL)) + return -EINVAL; + +- if ((rmem->base & mask) || (rmem->size & mask)) { ++ if (!IS_ALIGNED(rmem->base | rmem->size, CMA_MIN_ALIGNMENT_BYTES)) { + pr_err("Reserved memory: incorrect alignment of CMA region\n"); + return -EINVAL; + } +diff --git a/mm/cma.c b/mm/cma.c +index 26967c70e9c73..5208aee4f45ad 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -169,7 +169,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, + struct cma **res_cma) + { + struct cma *cma; +- phys_addr_t alignment; + + /* Sanity checks */ + if (cma_area_count == ARRAY_SIZE(cma_areas)) { +@@ -180,15 +179,12 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, + if (!size || !memblock_is_region_reserved(base, size)) + return -EINVAL; + +- /* ensure minimal alignment required by mm core */ +- alignment = PAGE_SIZE << +- max_t(unsigned long, MAX_ORDER - 1, pageblock_order); +- + /* alignment should be aligned with order_per_bit */ +- if (!IS_ALIGNED(alignment >> PAGE_SHIFT, 1 << order_per_bit)) ++ if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit)) + return -EINVAL; + +- if (ALIGN(base, alignment) != base || ALIGN(size, alignment) != size) ++ /* ensure minimal alignment required by mm core */ ++ if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES)) + return -EINVAL; + + /* +@@ -263,14 +259,8 @@ int __init cma_declare_contiguous_nid(phys_addr_t base, + if (alignment && !is_power_of_2(alignment)) + return -EINVAL; + +- /* +- * Sanitise input arguments. +- * Pages both ends in CMA area could be merged into adjacent unmovable +- * migratetype page by page allocator's buddy algorithm. In the case, +- * you couldn't get a contiguous memory, which is not what we want. +- */ +- alignment = max(alignment, (phys_addr_t)PAGE_SIZE << +- max_t(unsigned long, MAX_ORDER - 1, pageblock_order)); ++ /* Sanitise input arguments. */ ++ alignment = max_t(phys_addr_t, alignment, CMA_MIN_ALIGNMENT_BYTES); + if (fixed && base & (alignment - 1)) { + ret = -EINVAL; + pr_err("Region at %pa must be aligned to %pa bytes\n", +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch b/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch new file mode 100644 index 00000000000..0d4a00f0c85 --- /dev/null +++ b/queue-5.15/drm-amd-display-clean-up-some-inconsistent-indenting.patch @@ -0,0 +1,190 @@ +From aa5d2fb014aac47ef4182aca7ff801989be6f6a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 15:25:55 +0800 +Subject: drm/amd/display: Clean up some inconsistent indenting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiapeng Chong + +[ Upstream commit 1da2fcc435114ea5a65d7e15fc31b4d0ce11113c ] + +Eliminate the follow smatch warning: + +drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_srv.c:622 +dmub_srv_cmd_execute() warn: inconsistent indenting. + +Reported-by: Abaci Robot +Reviewed-by: Christian König +Signed-off-by: Jiapeng Chong +Signed-off-by: Alex Deucher +Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST") +Signed-off-by: Sasha Levin +--- + .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++++++---------- + 1 file changed, 36 insertions(+), 36 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +index ed2f6802b0e20..fc0f6b0089ba0 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1315,9 +1315,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -1421,9 +1421,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx || !pipe_ctx->stream) +@@ -1506,9 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -1610,9 +1610,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx || !pipe_ctx->stream) +@@ -1695,9 +1695,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -1799,9 +1799,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx || !pipe_ctx->stream) +@@ -1880,9 +1880,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -1981,9 +1981,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx || !pipe_ctx->stream) +@@ -2060,9 +2060,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -2121,9 +2121,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -2197,9 +2197,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +@@ -2273,9 +2273,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) +- break; ++ if (pipe_ctx && pipe_ctx->stream && ++ pipe_ctx->stream->link == aconnector->dc_link) ++ break; + } + + if (!pipe_ctx) { +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch b/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch new file mode 100644 index 00000000000..152f193afc9 --- /dev/null +++ b/queue-5.15/drm-amd-display-drop-unnecessary-null-checks-in-debu.patch @@ -0,0 +1,235 @@ +From d0bfe387038bc7b99948146c0ed1e5dccf9c366d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 20:04:15 +0300 +Subject: drm/amd/display: drop unnecessary NULL checks in debugfs + +From: Alexey Kodanev + +[ Upstream commit f8e12e770e8049917f82387033b3cf44bc43b915 ] + +pipe_ctx pointer cannot be NULL when getting the address of +an element of the pipe_ctx array. Moreover, the MAX_PIPES is +defined as 6, so pipe_ctx is not NULL after the loop either. + +Detected using the static analysis tool - Svace. + +Signed-off-by: Alexey Kodanev +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST") +Signed-off-by: Sasha Levin +--- + .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++-------------- + 1 file changed, 16 insertions(+), 56 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +index fc0f6b0089ba0..939734eecf709 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1315,16 +1315,11 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -1421,12 +1416,12 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx || !pipe_ctx->stream) ++ if (!pipe_ctx->stream) + goto done; + + // Get CRTC state +@@ -1506,16 +1501,11 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -1610,12 +1600,12 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx || !pipe_ctx->stream) ++ if (!pipe_ctx->stream) + goto done; + + // Safely get CRTC state +@@ -1695,16 +1685,11 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -1799,12 +1784,12 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx || !pipe_ctx->stream) ++ if (!pipe_ctx->stream) + goto done; + + // Get CRTC state +@@ -1880,16 +1865,11 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -1981,12 +1961,12 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx || !pipe_ctx->stream) ++ if (!pipe_ctx->stream) + goto done; + + // Get CRTC state +@@ -2060,16 +2040,11 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -2121,16 +2096,11 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -2197,16 +2167,11 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +@@ -2273,16 +2238,11 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, + + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; +- if (pipe_ctx && pipe_ctx->stream && ++ if (pipe_ctx->stream && + pipe_ctx->stream->link == aconnector->dc_link) + break; + } + +- if (!pipe_ctx) { +- kfree(rd_buf); +- return -ENXIO; +- } +- + dsc = pipe_ctx->stream_res.dsc; + if (dsc) + dsc->funcs->dsc_read_state(dsc, &dsc_state); +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch b/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch new file mode 100644 index 00000000000..4efd191482a --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch @@ -0,0 +1,166 @@ +From 961b1d2a069a0595b8b3afd8b7094469d9ca1308 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 14:26:06 -0500 +Subject: drm/amd/display: Fix incorrect DSC instance for MST + +From: Hersen Wu + +[ Upstream commit 892b41b16f6163e6556545835abba668fcab4eea ] + +[Why] DSC debugfs, such as dp_dsc_clock_en_read, +use aconnector->dc_link to find pipe_ctx for display. +Displays connected to MST hub share the same dc_link. +DSC instance is from pipe_ctx. This causes incorrect +DSC instance for display connected to MST hub. + +[How] Add aconnector->sink check to find pipe_ctx. + +CC: stable@vger.kernel.org +Reviewed-by: Aurabindo Pillai +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 48 ++++++++++++++----- + 1 file changed, 36 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +index 939734eecf709..8ccd43ec68829 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1316,7 +1316,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1417,7 +1419,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1502,7 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1601,7 +1607,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1686,7 +1694,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1785,7 +1795,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1866,7 +1878,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -1962,7 +1976,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -2041,7 +2057,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -2097,7 +2115,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -2168,7 +2188,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +@@ -2239,7 +2261,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf, + for (i = 0; i < MAX_PIPES; i++) { + pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i]; + if (pipe_ctx->stream && +- pipe_ctx->stream->link == aconnector->dc_link) ++ pipe_ctx->stream->link == aconnector->dc_link && ++ pipe_ctx->stream->sink && ++ pipe_ctx->stream->sink == aconnector->dc_sink) + break; + } + +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch b/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch new file mode 100644 index 00000000000..5d45444a8a2 --- /dev/null +++ b/queue-5.15/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch @@ -0,0 +1,44 @@ +From ae2b75cf1443bc3a0d7f3bcbf705251d594ad09c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 19:55:39 -0400 +Subject: drm/amd/display: Handle Y carry-over in VCP X.Y calculation + +From: George Shen + +[ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ] + +[Why/How] +Theoretically rare corner case where ceil(Y) results in rounding +up to an integer. If this happens, the 1 should be carried over to +the X value. + +Reviewed-by: Wenjing Liu +Acked-by: Anson Jacob +Signed-off-by: George Shen +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c +index cf364ae931386..d0799c426a84d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c +@@ -644,6 +644,12 @@ void enc1_stream_encoder_set_throttled_vcp_size( + x), + 26)); + ++ // If y rounds up to integer, carry it over to x. ++ if (y >> 26) { ++ x += 1; ++ y = 0; ++ } ++ + REG_SET_2(DP_MSE_RATE_CNTL, 0, + DP_MSE_RATE_X, x, + DP_MSE_RATE_Y, y); +-- +2.43.0 + diff --git a/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch b/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch new file mode 100644 index 00000000000..7e42bcb67a8 --- /dev/null +++ b/queue-5.15/ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch @@ -0,0 +1,175 @@ +From e8887fbea9da99ad55188ba9a0829f88c1d44ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 03:28:59 +0800 +Subject: ftrace: Fix possible use-after-free issue in ftrace_location() + +From: Zheng Yejian + +[ Upstream commit e60b613df8b6253def41215402f72986fee3fc8d ] + +KASAN reports a bug: + + BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 + Read of size 8 at addr ffff888141d40010 by task insmod/424 + CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ + [...] + Call Trace: + + dump_stack_lvl+0x68/0xa0 + print_report+0xcf/0x610 + kasan_report+0xb5/0xe0 + ftrace_location+0x90/0x120 + register_kprobe+0x14b/0xa40 + kprobe_init+0x2d/0xff0 [kprobe_example] + do_one_initcall+0x8f/0x2d0 + do_init_module+0x13a/0x3c0 + load_module+0x3082/0x33d0 + init_module_from_file+0xd2/0x130 + __x64_sys_finit_module+0x306/0x440 + do_syscall_64+0x68/0x140 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + +The root cause is that, in lookup_rec(), ftrace record of some address +is being searched in ftrace pages of some module, but those ftrace pages +at the same time is being freed in ftrace_release_mod() as the +corresponding module is being deleted: + + CPU1 | CPU2 + register_kprobes() { | delete_module() { + check_kprobe_address_safe() { | + arch_check_ftrace_location() { | + ftrace_location() { | + lookup_rec() // USE! | ftrace_release_mod() // Free! + +To fix this issue: + 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); + 2. Use ftrace_location_range() instead of lookup_rec() in + ftrace_location(); + 3. Call synchronize_rcu() before freeing any ftrace pages both in + ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). + +Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Cc: +Cc: +Cc: +Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization") +Suggested-by: Steven Rostedt +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 39 +++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 16 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 3dce1a107a7c7..780f1c0563f58 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1566,12 +1566,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end) + unsigned long ftrace_location_range(unsigned long start, unsigned long end) + { + struct dyn_ftrace *rec; ++ unsigned long ip = 0; + ++ rcu_read_lock(); + rec = lookup_rec(start, end); + if (rec) +- return rec->ip; ++ ip = rec->ip; ++ rcu_read_unlock(); + +- return 0; ++ return ip; + } + + /** +@@ -1584,25 +1587,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) + */ + unsigned long ftrace_location(unsigned long ip) + { +- struct dyn_ftrace *rec; ++ unsigned long loc; + unsigned long offset; + unsigned long size; + +- rec = lookup_rec(ip, ip); +- if (!rec) { ++ loc = ftrace_location_range(ip, ip); ++ if (!loc) { + if (!kallsyms_lookup_size_offset(ip, &size, &offset)) + goto out; + + /* map sym+0 to __fentry__ */ + if (!offset) +- rec = lookup_rec(ip, ip + size - 1); ++ loc = ftrace_location_range(ip, ip + size - 1); + } + +- if (rec) +- return rec->ip; +- + out: +- return 0; ++ return loc; + } + + /** +@@ -6325,6 +6325,8 @@ static int ftrace_process_locs(struct module *mod, + /* We should have used all pages unless we skipped some */ + if (pg_unuse) { + WARN_ON(!skipped); ++ /* Need to synchronize with ftrace_location_range() */ ++ synchronize_rcu(); + ftrace_free_pages(pg_unuse); + } + return ret; +@@ -6507,6 +6509,9 @@ void ftrace_release_mod(struct module *mod) + out_unlock: + mutex_unlock(&ftrace_lock); + ++ /* Need to synchronize with ftrace_location_range() */ ++ if (tmp_page) ++ synchronize_rcu(); + for (pg = tmp_page; pg; pg = tmp_page) { + + /* Needs to be called outside of ftrace_lock */ +@@ -6829,6 +6834,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) + unsigned long start = (unsigned long)(start_ptr); + unsigned long end = (unsigned long)(end_ptr); + struct ftrace_page **last_pg = &ftrace_pages_start; ++ struct ftrace_page *tmp_page = NULL; + struct ftrace_page *pg; + struct dyn_ftrace *rec; + struct dyn_ftrace key; +@@ -6872,12 +6878,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) + ftrace_update_tot_cnt--; + if (!pg->index) { + *last_pg = pg->next; +- if (pg->records) { +- free_pages((unsigned long)pg->records, pg->order); +- ftrace_number_of_pages -= 1 << pg->order; +- } +- ftrace_number_of_groups--; +- kfree(pg); ++ pg->next = tmp_page; ++ tmp_page = pg; + pg = container_of(last_pg, struct ftrace_page, next); + if (!(*last_pg)) + ftrace_pages = pg; +@@ -6894,6 +6896,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) + clear_func_from_hashes(func); + kfree(func); + } ++ /* Need to synchronize with ftrace_location_range() */ ++ if (tmp_page) { ++ synchronize_rcu(); ++ ftrace_free_pages(tmp_page); ++ } + } + + void __init ftrace_free_init_mem(void) +-- +2.43.0 + diff --git a/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch b/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch new file mode 100644 index 00000000000..e6b26720fdf --- /dev/null +++ b/queue-5.15/i2c-acpi-unbind-mux-adapters-before-delete.patch @@ -0,0 +1,158 @@ +From d4c7d1bb33b84b3c22d3f68f53d01f37f26edcb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 11:16:32 +1300 +Subject: i2c: acpi: Unbind mux adapters before delete + +From: Hamish Martin + +[ Upstream commit 3f858bbf04dbac934ac279aaee05d49eb9910051 ] + +There is an issue with ACPI overlay table removal specifically related +to I2C multiplexers. + +Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an +existing I2C bus. When this table is loaded we see the creation of a +device for the overall PCA9548 chip and 8 further devices - one +i2c_adapter each for the mux channels. These are all bound to their +ACPI equivalents via an eventual invocation of acpi_bind_one(). + +When we unload the SSDT overlay we run into the problem. The ACPI +devices are deleted as normal via acpi_device_del_work_fn() and the +acpi_device_del_list. + +However, the following warning and stack trace is output as the +deletion does not go smoothly: +------------[ cut here ]------------ +kernfs: can not remove 'physical_node', no directory +WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0 +Modules linked in: +CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1 +Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023 +Workqueue: kacpi_hotplug acpi_device_del_work_fn +RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0 +Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000 +RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780 +RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff +R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50 +R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8 +FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0 +Call Trace: + + ? kernfs_remove_by_name_ns+0xb9/0xc0 + ? __warn+0x7c/0x130 + ? kernfs_remove_by_name_ns+0xb9/0xc0 + ? report_bug+0x171/0x1a0 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? kernfs_remove_by_name_ns+0xb9/0xc0 + ? kernfs_remove_by_name_ns+0xb9/0xc0 + acpi_unbind_one+0x108/0x180 + device_del+0x18b/0x490 + ? srso_return_thunk+0x5/0x5f + ? srso_return_thunk+0x5/0x5f + device_unregister+0xd/0x30 + i2c_del_adapter.part.0+0x1bf/0x250 + i2c_mux_del_adapters+0xa1/0xe0 + i2c_device_remove+0x1e/0x80 + device_release_driver_internal+0x19a/0x200 + bus_remove_device+0xbf/0x100 + device_del+0x157/0x490 + ? __pfx_device_match_fwnode+0x10/0x10 + ? srso_return_thunk+0x5/0x5f + device_unregister+0xd/0x30 + i2c_acpi_notify+0x10f/0x140 + notifier_call_chain+0x58/0xd0 + blocking_notifier_call_chain+0x3a/0x60 + acpi_device_del_work_fn+0x85/0x1d0 + process_one_work+0x134/0x2f0 + worker_thread+0x2f0/0x410 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xe3/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2f/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + +---[ end trace 0000000000000000 ]--- +... +repeated 7 more times, 1 for each channel of the mux +... + +The issue is that the binding of the ACPI devices to their peer I2C +adapters is not correctly cleaned up. Digging deeper into the issue we +see that the deletion order is such that the ACPI devices matching the +mux channel i2c adapters are deleted first during the SSDT overlay +removal. For each of the channels we see a call to i2c_acpi_notify() +with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not +actually i2c_clients, nothing is done for them. + +Later on, after each of the mux channels has been dealt with, we come +to delete the i2c_client representing the PCA9548 device. This is the +call stack we see above, whereby the kernel cleans up the i2c_client +including destruction of the mux and its channel adapters. At this +point we do attempt to unbind from the ACPI peers but those peers no +longer exist and so we hit the kernfs errors. + +The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But, +given that the life cycle of the adapters is linked to the i2c_client, +instead of deleting the i2c_adapters during the i2c_acpi_notify(), we +just trigger unbinding of the ACPI device from the adapter device, and +allow the clean up of the adapter to continue in the way it always has. + +Signed-off-by: Hamish Martin +Reviewed-by: Mika Westerberg +Reviewed-by: Andi Shyti +Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications") +Cc: # v4.8+ +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index 29a482abf1eed..6ce05441178a3 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -424,6 +424,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) + return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); + } + ++static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev) ++{ ++ return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev)); ++} ++ + static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, + void *arg) + { +@@ -450,11 +455,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, + break; + + client = i2c_acpi_find_client_by_adev(adev); +- if (!client) +- break; ++ if (client) { ++ i2c_unregister_device(client); ++ put_device(&client->dev); ++ } ++ ++ adapter = i2c_acpi_find_adapter_by_adev(adev); ++ if (adapter) { ++ acpi_unbind_one(&adapter->dev); ++ put_device(&adapter->dev); ++ } + +- i2c_unregister_device(client); +- put_device(&client->dev); + break; + } + +-- +2.43.0 + diff --git a/queue-5.15/i2c-add-fwnode-apis.patch b/queue-5.15/i2c-add-fwnode-apis.patch new file mode 100644 index 00000000000..8cad9ffddd5 --- /dev/null +++ b/queue-5.15/i2c-add-fwnode-apis.patch @@ -0,0 +1,290 @@ +From 6b51c4fd816685f533c92a285f28dd79b97699c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 10:54:21 +0000 +Subject: i2c: add fwnode APIs + +From: Russell King (Oracle) + +[ Upstream commit 373c612d72461ddaea223592df31e62c934aae61 ] + +Add fwnode APIs for finding and getting I2C adapters, which will be +used by the SFP code. These are passed the fwnode corresponding to +the adapter, and return the I2C adapter. It is the responsibility of +the caller to find the appropriate fwnode. + +We keep the DT and ACPI interfaces, but where appropriate, recode them +to use the fwnode interfaces internally. + +Reviewed-by: Mika Westerberg +Signed-off-by: Russell King (Oracle) +Signed-off-by: Wolfram Sang +Stable-dep-of: 3f858bbf04db ("i2c: acpi: Unbind mux adapters before delete") +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 13 +---- + drivers/i2c/i2c-core-base.c | 98 +++++++++++++++++++++++++++++++++++++ + drivers/i2c/i2c-core-of.c | 66 ------------------------- + include/linux/i2c.h | 24 +++++++-- + 4 files changed, 120 insertions(+), 81 deletions(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index 546cc935e035a..29a482abf1eed 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -421,18 +421,7 @@ EXPORT_SYMBOL_GPL(i2c_acpi_find_adapter_by_handle); + + static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev) + { +- struct device *dev; +- struct i2c_client *client; +- +- dev = bus_find_device_by_acpi_dev(&i2c_bus_type, adev); +- if (!dev) +- return NULL; +- +- client = i2c_verify_client(dev); +- if (!client) +- put_device(dev); +- +- return client; ++ return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev)); + } + + static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value, +diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c +index 1810a994c07ca..505eebbc98a09 100644 +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -1009,6 +1009,35 @@ void i2c_unregister_device(struct i2c_client *client) + } + EXPORT_SYMBOL_GPL(i2c_unregister_device); + ++/** ++ * i2c_find_device_by_fwnode() - find an i2c_client for the fwnode ++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_client ++ * ++ * Look up and return the &struct i2c_client corresponding to the @fwnode. ++ * If no client can be found, or @fwnode is NULL, this returns NULL. ++ * ++ * The user must call put_device(&client->dev) once done with the i2c client. ++ */ ++struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode) ++{ ++ struct i2c_client *client; ++ struct device *dev; ++ ++ if (!fwnode) ++ return NULL; ++ ++ dev = bus_find_device_by_fwnode(&i2c_bus_type, fwnode); ++ if (!dev) ++ return NULL; ++ ++ client = i2c_verify_client(dev); ++ if (!client) ++ put_device(dev); ++ ++ return client; ++} ++EXPORT_SYMBOL(i2c_find_device_by_fwnode); ++ + + static const struct i2c_device_id dummy_id[] = { + { "dummy", 0 }, +@@ -1764,6 +1793,75 @@ int devm_i2c_add_adapter(struct device *dev, struct i2c_adapter *adapter) + } + EXPORT_SYMBOL_GPL(devm_i2c_add_adapter); + ++static int i2c_dev_or_parent_fwnode_match(struct device *dev, const void *data) ++{ ++ if (dev_fwnode(dev) == data) ++ return 1; ++ ++ if (dev->parent && dev_fwnode(dev->parent) == data) ++ return 1; ++ ++ return 0; ++} ++ ++/** ++ * i2c_find_adapter_by_fwnode() - find an i2c_adapter for the fwnode ++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter ++ * ++ * Look up and return the &struct i2c_adapter corresponding to the @fwnode. ++ * If no adapter can be found, or @fwnode is NULL, this returns NULL. ++ * ++ * The user must call put_device(&adapter->dev) once done with the i2c adapter. ++ */ ++struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode) ++{ ++ struct i2c_adapter *adapter; ++ struct device *dev; ++ ++ if (!fwnode) ++ return NULL; ++ ++ dev = bus_find_device(&i2c_bus_type, NULL, fwnode, ++ i2c_dev_or_parent_fwnode_match); ++ if (!dev) ++ return NULL; ++ ++ adapter = i2c_verify_adapter(dev); ++ if (!adapter) ++ put_device(dev); ++ ++ return adapter; ++} ++EXPORT_SYMBOL(i2c_find_adapter_by_fwnode); ++ ++/** ++ * i2c_get_adapter_by_fwnode() - find an i2c_adapter for the fwnode ++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter ++ * ++ * Look up and return the &struct i2c_adapter corresponding to the @fwnode, ++ * and increment the adapter module's use count. If no adapter can be found, ++ * or @fwnode is NULL, this returns NULL. ++ * ++ * The user must call i2c_put_adapter(adapter) once done with the i2c adapter. ++ * Note that this is different from i2c_find_adapter_by_node(). ++ */ ++struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode) ++{ ++ struct i2c_adapter *adapter; ++ ++ adapter = i2c_find_adapter_by_fwnode(fwnode); ++ if (!adapter) ++ return NULL; ++ ++ if (!try_module_get(adapter->owner)) { ++ put_device(&adapter->dev); ++ adapter = NULL; ++ } ++ ++ return adapter; ++} ++EXPORT_SYMBOL(i2c_get_adapter_by_fwnode); ++ + static void i2c_parse_timing(struct device *dev, char *prop_name, u32 *cur_val_p, + u32 def_val, bool use_def) + { +diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c +index 3ed74aa4b44bb..bce6b796e04c2 100644 +--- a/drivers/i2c/i2c-core-of.c ++++ b/drivers/i2c/i2c-core-of.c +@@ -113,72 +113,6 @@ void of_i2c_register_devices(struct i2c_adapter *adap) + of_node_put(bus); + } + +-static int of_dev_or_parent_node_match(struct device *dev, const void *data) +-{ +- if (dev->of_node == data) +- return 1; +- +- if (dev->parent) +- return dev->parent->of_node == data; +- +- return 0; +-} +- +-/* must call put_device() when done with returned i2c_client device */ +-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node) +-{ +- struct device *dev; +- struct i2c_client *client; +- +- dev = bus_find_device_by_of_node(&i2c_bus_type, node); +- if (!dev) +- return NULL; +- +- client = i2c_verify_client(dev); +- if (!client) +- put_device(dev); +- +- return client; +-} +-EXPORT_SYMBOL(of_find_i2c_device_by_node); +- +-/* must call put_device() when done with returned i2c_adapter device */ +-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node) +-{ +- struct device *dev; +- struct i2c_adapter *adapter; +- +- dev = bus_find_device(&i2c_bus_type, NULL, node, +- of_dev_or_parent_node_match); +- if (!dev) +- return NULL; +- +- adapter = i2c_verify_adapter(dev); +- if (!adapter) +- put_device(dev); +- +- return adapter; +-} +-EXPORT_SYMBOL(of_find_i2c_adapter_by_node); +- +-/* must call i2c_put_adapter() when done with returned i2c_adapter device */ +-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node) +-{ +- struct i2c_adapter *adapter; +- +- adapter = of_find_i2c_adapter_by_node(node); +- if (!adapter) +- return NULL; +- +- if (!try_module_get(adapter->owner)) { +- put_device(&adapter->dev); +- adapter = NULL; +- } +- +- return adapter; +-} +-EXPORT_SYMBOL(of_get_i2c_adapter_by_node); +- + static const struct of_device_id* + i2c_of_match_device_sysfs(const struct of_device_id *matches, + struct i2c_client *client) +diff --git a/include/linux/i2c.h b/include/linux/i2c.h +index 2ce3efbe9198a..f071a121ed914 100644 +--- a/include/linux/i2c.h ++++ b/include/linux/i2c.h +@@ -954,15 +954,33 @@ int i2c_handle_smbus_host_notify(struct i2c_adapter *adap, unsigned short addr); + + #endif /* I2C */ + ++/* must call put_device() when done with returned i2c_client device */ ++struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode); ++ ++/* must call put_device() when done with returned i2c_adapter device */ ++struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode); ++ ++/* must call i2c_put_adapter() when done with returned i2c_adapter device */ ++struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode); ++ + #if IS_ENABLED(CONFIG_OF) + /* must call put_device() when done with returned i2c_client device */ +-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node); ++static inline struct i2c_client *of_find_i2c_device_by_node(struct device_node *node) ++{ ++ return i2c_find_device_by_fwnode(of_fwnode_handle(node)); ++} + + /* must call put_device() when done with returned i2c_adapter device */ +-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node); ++static inline struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node) ++{ ++ return i2c_find_adapter_by_fwnode(of_fwnode_handle(node)); ++} + + /* must call i2c_put_adapter() when done with returned i2c_adapter device */ +-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node); ++static inline struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node) ++{ ++ return i2c_get_adapter_by_fwnode(of_fwnode_handle(node)); ++} + + const struct of_device_id + *i2c_of_match_device(const struct of_device_id *matches, +-- +2.43.0 + diff --git a/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch b/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch new file mode 100644 index 00000000000..8529a197c40 --- /dev/null +++ b/queue-5.15/iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch @@ -0,0 +1,157 @@ +From 5ec1f0816a672a4ab79c27ec0ab1f6d269ccb84a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 12:37:00 +0100 +Subject: iio: accel: mxc4005: Reset chip on probe() and resume() + +From: Hans de Goede + +[ Upstream commit 6b8cffdc4a31e4a72f75ecd1bc13fbf0dafee390 ] + +On some designs the chip is not properly reset when powered up at boot or +after a suspend/resume cycle. + +Use the sw-reset feature to ensure that the chip is in a clean state +after probe() / resume() and in the case of resume() restore the settings +(scale, trigger-enabled). + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218578 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240326113700.56725-3-hdegoede@redhat.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mxc4005.c | 68 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 68 insertions(+) + +diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c +index ffae30e5eb5be..8db5611134da4 100644 +--- a/drivers/iio/accel/mxc4005.c ++++ b/drivers/iio/accel/mxc4005.c +@@ -5,6 +5,7 @@ + * Copyright (c) 2014, Intel Corporation. + */ + ++#include + #include + #include + #include +@@ -36,6 +37,7 @@ + + #define MXC4005_REG_INT_CLR1 0x01 + #define MXC4005_REG_INT_CLR1_BIT_DRDYC 0x01 ++#define MXC4005_REG_INT_CLR1_SW_RST 0x10 + + #define MXC4005_REG_CONTROL 0x0D + #define MXC4005_REG_CONTROL_MASK_FSR GENMASK(6, 5) +@@ -43,6 +45,9 @@ + + #define MXC4005_REG_DEVICE_ID 0x0E + ++/* Datasheet does not specify a reset time, this is a conservative guess */ ++#define MXC4005_RESET_TIME_US 2000 ++ + enum mxc4005_axis { + AXIS_X, + AXIS_Y, +@@ -66,6 +71,8 @@ struct mxc4005_data { + s64 timestamp __aligned(8); + } scan; + bool trigger_enabled; ++ unsigned int control; ++ unsigned int int_mask1; + }; + + /* +@@ -349,6 +356,7 @@ static int mxc4005_set_trigger_state(struct iio_trigger *trig, + return ret; + } + ++ data->int_mask1 = val; + data->trigger_enabled = state; + mutex_unlock(&data->mutex); + +@@ -384,6 +392,13 @@ static int mxc4005_chip_init(struct mxc4005_data *data) + + dev_dbg(data->dev, "MXC4005 chip id %02x\n", reg); + ++ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1, ++ MXC4005_REG_INT_CLR1_SW_RST); ++ if (ret < 0) ++ return dev_err_probe(data->dev, ret, "resetting chip\n"); ++ ++ fsleep(MXC4005_RESET_TIME_US); ++ + ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0); + if (ret < 0) + return dev_err_probe(data->dev, ret, "writing INT_MASK0\n"); +@@ -480,6 +495,58 @@ static int mxc4005_probe(struct i2c_client *client, + return devm_iio_device_register(&client->dev, indio_dev); + } + ++static int mxc4005_suspend(struct device *dev) ++{ ++ struct iio_dev *indio_dev = dev_get_drvdata(dev); ++ struct mxc4005_data *data = iio_priv(indio_dev); ++ int ret; ++ ++ /* Save control to restore it on resume */ ++ ret = regmap_read(data->regmap, MXC4005_REG_CONTROL, &data->control); ++ if (ret < 0) ++ dev_err(data->dev, "failed to read reg_control\n"); ++ ++ return ret; ++} ++ ++static int mxc4005_resume(struct device *dev) ++{ ++ struct iio_dev *indio_dev = dev_get_drvdata(dev); ++ struct mxc4005_data *data = iio_priv(indio_dev); ++ int ret; ++ ++ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1, ++ MXC4005_REG_INT_CLR1_SW_RST); ++ if (ret) { ++ dev_err(data->dev, "failed to reset chip: %d\n", ret); ++ return ret; ++ } ++ ++ fsleep(MXC4005_RESET_TIME_US); ++ ++ ret = regmap_write(data->regmap, MXC4005_REG_CONTROL, data->control); ++ if (ret) { ++ dev_err(data->dev, "failed to restore control register\n"); ++ return ret; ++ } ++ ++ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0); ++ if (ret) { ++ dev_err(data->dev, "failed to restore interrupt 0 mask\n"); ++ return ret; ++ } ++ ++ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK1, data->int_mask1); ++ if (ret) { ++ dev_err(data->dev, "failed to restore interrupt 1 mask\n"); ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static DEFINE_SIMPLE_DEV_PM_OPS(mxc4005_pm_ops, mxc4005_suspend, mxc4005_resume); ++ + static const struct acpi_device_id mxc4005_acpi_match[] = { + {"MXC4005", 0}, + {"MXC6655", 0}, +@@ -498,6 +565,7 @@ static struct i2c_driver mxc4005_driver = { + .driver = { + .name = MXC4005_DRV_NAME, + .acpi_match_table = ACPI_PTR(mxc4005_acpi_match), ++ .pm = pm_sleep_ptr(&mxc4005_pm_ops), + }, + .probe = mxc4005_probe, + .id_table = mxc4005_id, +-- +2.43.0 + diff --git a/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch b/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch new file mode 100644 index 00000000000..8f274083617 --- /dev/null +++ b/queue-5.15/ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch @@ -0,0 +1,130 @@ +From 04c9445b5ceb19ca07135611ecd02104fb94ff93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 19:35:49 +0000 +Subject: ipv6: fix possible race in __fib6_drop_pcpu_from() + +From: Eric Dumazet + +[ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ] + +syzbot found a race in __fib6_drop_pcpu_from() [1] + +If compiler reads more than once (*ppcpu_rt), +second read could read NULL, if another cpu clears +the value in rt6_get_pcpu_route(). + +Add a READ_ONCE() to prevent this race. + +Also add rcu_read_lock()/rcu_read_unlock() because +we rely on RCU protection while dereferencing pcpu_rt. + +[1] + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] +CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 +Workqueue: netns cleanup_net + RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 +Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 +RSP: 0018:ffffc900040df070 EFLAGS: 00010206 +RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 +RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 +RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 +R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 +R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 +FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] + fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] + fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 + fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] + fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 + fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 + fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 + fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 + fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 + __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 + rt6_sync_down_dev net/ipv6/route.c:4906 [inline] + rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 + addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 + addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 + notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 + call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 + call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] + call_netdevice_notifiers net/core/dev.c:2044 [inline] + dev_close_many+0x333/0x6a0 net/core/dev.c:1585 + unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 + unregister_netdevice_many net/core/dev.c:11276 [inline] + default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 + ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 + cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 + process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info") +Signed-off-by: Eric Dumazet +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/r/20240604193549.981839-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 6 +++++- + net/ipv6/route.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index c0ff5ee490e7b..7d09193c14445 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -961,6 +961,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, + if (!fib6_nh->rt6i_pcpu) + return; + ++ rcu_read_lock(); + /* release the reference to this fib entry from + * all of its cached pcpu routes + */ +@@ -969,7 +970,9 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, + struct rt6_info *pcpu_rt; + + ppcpu_rt = per_cpu_ptr(fib6_nh->rt6i_pcpu, cpu); +- pcpu_rt = *ppcpu_rt; ++ ++ /* Paired with xchg() in rt6_get_pcpu_route() */ ++ pcpu_rt = READ_ONCE(*ppcpu_rt); + + /* only dropping the 'from' reference if the cached route + * is using 'match'. The cached pcpu_rt->from only changes +@@ -983,6 +986,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh, + fib6_info_release(from); + } + } ++ rcu_read_unlock(); + } + + struct fib6_nh_pcpu_arg { +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 3bc3a30363e19..2c60270c5798b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1398,6 +1398,7 @@ static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res) + struct rt6_info *prev, **p; + + p = this_cpu_ptr(res->nh->rt6i_pcpu); ++ /* Paired with READ_ONCE() in __fib6_drop_pcpu_from() */ + prev = xchg(p, NULL); + if (prev) { + dst_dev_put(&prev->dst); +-- +2.43.0 + diff --git a/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch b/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch new file mode 100644 index 00000000000..e24117a1d66 --- /dev/null +++ b/queue-5.15/ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch @@ -0,0 +1,95 @@ +From 93568aa9547731c6c2711c5caa0d7a8c76e3787f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 13:26:34 +0000 +Subject: ipv6: sr: block BH in seg6_output_core() and seg6_input_core() + +From: Eric Dumazet + +[ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ] + +As explained in commit 1378817486d6 ("tipc: block BH +before using dst_cache"), net/core/dst_cache.c +helpers need to be called with BH disabled. + +Disabling preemption in seg6_output_core() is not good enough, +because seg6_output_core() is called from process context, +lwtunnel_output() only uses rcu_read_lock(). + +We might be interrupted by a softirq, re-enter seg6_output_core() +and corrupt dst_cache data structures. + +Fix the race by using local_bh_disable() instead of +preempt_disable(). + +Apply a similar change in seg6_input_core(). + +Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled") +Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Signed-off-by: Eric Dumazet +Cc: David Lebrun +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_iptunnel.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c +index f98bb719190be..135712649d25f 100644 +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -332,9 +332,8 @@ static int seg6_input_core(struct net *net, struct sock *sk, + + slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); + +- preempt_disable(); ++ local_bh_disable(); + dst = dst_cache_get(&slwt->cache); +- preempt_enable(); + + skb_dst_drop(skb); + +@@ -342,14 +341,13 @@ static int seg6_input_core(struct net *net, struct sock *sk, + ip6_route_input(skb); + dst = skb_dst(skb); + if (!dst->error) { +- preempt_disable(); + dst_cache_set_ip6(&slwt->cache, dst, + &ipv6_hdr(skb)->saddr); +- preempt_enable(); + } + } else { + skb_dst_set(skb, dst); + } ++ local_bh_enable(); + + err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); + if (unlikely(err)) +@@ -405,9 +403,9 @@ static int seg6_output_core(struct net *net, struct sock *sk, + + slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); + +- preempt_disable(); ++ local_bh_disable(); + dst = dst_cache_get(&slwt->cache); +- preempt_enable(); ++ local_bh_enable(); + + if (unlikely(!dst)) { + struct ipv6hdr *hdr = ipv6_hdr(skb); +@@ -427,9 +425,9 @@ static int seg6_output_core(struct net *net, struct sock *sk, + goto drop; + } + +- preempt_disable(); ++ local_bh_disable(); + dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr); +- preempt_enable(); ++ local_bh_enable(); + } + + skb_dst_drop(skb); +-- +2.43.0 + diff --git a/queue-5.15/misc-pvpanic-deduplicate-common-code.patch b/queue-5.15/misc-pvpanic-deduplicate-common-code.patch new file mode 100644 index 00000000000..f7c07d7dcbe --- /dev/null +++ b/queue-5.15/misc-pvpanic-deduplicate-common-code.patch @@ -0,0 +1,328 @@ +From 667d7657871bd1a717461173de1518aac7a9233c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 09:18:27 +0200 +Subject: misc/pvpanic: deduplicate common code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit c1426d392aebc51da4944d950d89e483e43f6f14 ] + +pvpanic-mmio.c and pvpanic-pci.c share a lot of code. +Refactor it into pvpanic.c where it doesn't have to be kept in sync +manually and where the core logic can be understood more easily. + +No functional change. + +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20231011-pvpanic-cleanup-v2-1-4b21d56f779f@weissschuh.net +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") +Signed-off-by: Sasha Levin +--- + drivers/misc/pvpanic/pvpanic-mmio.c | 58 +--------------------- + drivers/misc/pvpanic/pvpanic-pci.c | 58 +--------------------- + drivers/misc/pvpanic/pvpanic.c | 76 ++++++++++++++++++++++++++++- + drivers/misc/pvpanic/pvpanic.h | 10 +--- + 4 files changed, 80 insertions(+), 122 deletions(-) + +diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c +index eb97167c03fb4..9715798acce3d 100644 +--- a/drivers/misc/pvpanic/pvpanic-mmio.c ++++ b/drivers/misc/pvpanic/pvpanic-mmio.c +@@ -24,52 +24,9 @@ MODULE_AUTHOR("Hu Tao "); + MODULE_DESCRIPTION("pvpanic-mmio device driver"); + MODULE_LICENSE("GPL"); + +-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- +- return sysfs_emit(buf, "%x\n", pi->capability); +-} +-static DEVICE_ATTR_RO(capability); +- +-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- +- return sysfs_emit(buf, "%x\n", pi->events); +-} +- +-static ssize_t events_store(struct device *dev, struct device_attribute *attr, +- const char *buf, size_t count) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- unsigned int tmp; +- int err; +- +- err = kstrtouint(buf, 16, &tmp); +- if (err) +- return err; +- +- if ((tmp & pi->capability) != tmp) +- return -EINVAL; +- +- pi->events = tmp; +- +- return count; +-} +-static DEVICE_ATTR_RW(events); +- +-static struct attribute *pvpanic_mmio_dev_attrs[] = { +- &dev_attr_capability.attr, +- &dev_attr_events.attr, +- NULL +-}; +-ATTRIBUTE_GROUPS(pvpanic_mmio_dev); +- + static int pvpanic_mmio_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- struct pvpanic_instance *pi; + struct resource *res; + void __iomem *base; + +@@ -92,18 +49,7 @@ static int pvpanic_mmio_probe(struct platform_device *pdev) + return -EINVAL; + } + +- pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL); +- if (!pi) +- return -ENOMEM; +- +- pi->base = base; +- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; +- +- /* initialize capability by RDPT */ +- pi->capability &= ioread8(base); +- pi->events = pi->capability; +- +- return devm_pvpanic_probe(dev, pi); ++ return devm_pvpanic_probe(dev, base); + } + + static const struct of_device_id pvpanic_mmio_match[] = { +@@ -123,7 +69,7 @@ static struct platform_driver pvpanic_mmio_driver = { + .name = "pvpanic-mmio", + .of_match_table = pvpanic_mmio_match, + .acpi_match_table = pvpanic_device_ids, +- .dev_groups = pvpanic_mmio_dev_groups, ++ .dev_groups = pvpanic_dev_groups, + }, + .probe = pvpanic_mmio_probe, + }; +diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c +index 07eddb5ea30fa..689af4c28c2a9 100644 +--- a/drivers/misc/pvpanic/pvpanic-pci.c ++++ b/drivers/misc/pvpanic/pvpanic-pci.c +@@ -22,51 +22,8 @@ MODULE_AUTHOR("Mihai Carabas "); + MODULE_DESCRIPTION("pvpanic device driver"); + MODULE_LICENSE("GPL"); + +-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- +- return sysfs_emit(buf, "%x\n", pi->capability); +-} +-static DEVICE_ATTR_RO(capability); +- +-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- +- return sysfs_emit(buf, "%x\n", pi->events); +-} +- +-static ssize_t events_store(struct device *dev, struct device_attribute *attr, +- const char *buf, size_t count) +-{ +- struct pvpanic_instance *pi = dev_get_drvdata(dev); +- unsigned int tmp; +- int err; +- +- err = kstrtouint(buf, 16, &tmp); +- if (err) +- return err; +- +- if ((tmp & pi->capability) != tmp) +- return -EINVAL; +- +- pi->events = tmp; +- +- return count; +-} +-static DEVICE_ATTR_RW(events); +- +-static struct attribute *pvpanic_pci_dev_attrs[] = { +- &dev_attr_capability.attr, +- &dev_attr_events.attr, +- NULL +-}; +-ATTRIBUTE_GROUPS(pvpanic_pci_dev); +- + static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { +- struct pvpanic_instance *pi; + void __iomem *base; + int ret; + +@@ -78,18 +35,7 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *e + if (!base) + return -ENOMEM; + +- pi = devm_kmalloc(&pdev->dev, sizeof(*pi), GFP_KERNEL); +- if (!pi) +- return -ENOMEM; +- +- pi->base = base; +- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; +- +- /* initlize capability by RDPT */ +- pi->capability &= ioread8(base); +- pi->events = pi->capability; +- +- return devm_pvpanic_probe(&pdev->dev, pi); ++ return devm_pvpanic_probe(&pdev->dev, base); + } + + static const struct pci_device_id pvpanic_pci_id_tbl[] = { +@@ -103,7 +49,7 @@ static struct pci_driver pvpanic_pci_driver = { + .id_table = pvpanic_pci_id_tbl, + .probe = pvpanic_pci_probe, + .driver = { +- .dev_groups = pvpanic_pci_dev_groups, ++ .dev_groups = pvpanic_dev_groups, + }, + }; + module_pci_driver(pvpanic_pci_driver); +diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c +index 049a120063489..305b367e0ce34 100644 +--- a/drivers/misc/pvpanic/pvpanic.c ++++ b/drivers/misc/pvpanic/pvpanic.c +@@ -7,6 +7,7 @@ + * Copyright (C) 2021 Oracle. + */ + ++#include + #include + #include + #include +@@ -26,6 +27,13 @@ MODULE_AUTHOR("Mihai Carabas "); + MODULE_DESCRIPTION("pvpanic device driver"); + MODULE_LICENSE("GPL"); + ++struct pvpanic_instance { ++ void __iomem *base; ++ unsigned int capability; ++ unsigned int events; ++ struct list_head list; ++}; ++ + static struct list_head pvpanic_list; + static spinlock_t pvpanic_lock; + +@@ -81,11 +89,75 @@ static void pvpanic_remove(void *param) + spin_unlock(&pvpanic_lock); + } + +-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi) ++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ struct pvpanic_instance *pi = dev_get_drvdata(dev); ++ ++ return sysfs_emit(buf, "%x\n", pi->capability); ++} ++static DEVICE_ATTR_RO(capability); ++ ++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ struct pvpanic_instance *pi = dev_get_drvdata(dev); ++ ++ return sysfs_emit(buf, "%x\n", pi->events); ++} ++ ++static ssize_t events_store(struct device *dev, struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct pvpanic_instance *pi = dev_get_drvdata(dev); ++ unsigned int tmp; ++ int err; ++ ++ err = kstrtouint(buf, 16, &tmp); ++ if (err) ++ return err; ++ ++ if ((tmp & pi->capability) != tmp) ++ return -EINVAL; ++ ++ pi->events = tmp; ++ ++ return count; ++} ++static DEVICE_ATTR_RW(events); ++ ++static struct attribute *pvpanic_dev_attrs[] = { ++ &dev_attr_capability.attr, ++ &dev_attr_events.attr, ++ NULL ++}; ++ ++static const struct attribute_group pvpanic_dev_group = { ++ .attrs = pvpanic_dev_attrs, ++}; ++ ++const struct attribute_group *pvpanic_dev_groups[] = { ++ &pvpanic_dev_group, ++ NULL ++}; ++EXPORT_SYMBOL_GPL(pvpanic_dev_groups); ++ ++int devm_pvpanic_probe(struct device *dev, void __iomem *base) + { +- if (!pi || !pi->base) ++ struct pvpanic_instance *pi; ++ ++ if (!base) + return -EINVAL; + ++ pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL); ++ if (!pi) ++ return -ENOMEM; ++ ++ pi->base = base; ++ pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED; ++ ++ /* initlize capability by RDPT */ ++ pi->capability &= ioread8(base); ++ pi->events = pi->capability; ++ + spin_lock(&pvpanic_lock); + list_add(&pi->list, &pvpanic_list); + spin_unlock(&pvpanic_lock); +diff --git a/drivers/misc/pvpanic/pvpanic.h b/drivers/misc/pvpanic/pvpanic.h +index 4935459517548..46ffb10438adf 100644 +--- a/drivers/misc/pvpanic/pvpanic.h ++++ b/drivers/misc/pvpanic/pvpanic.h +@@ -8,13 +8,7 @@ + #ifndef PVPANIC_H_ + #define PVPANIC_H_ + +-struct pvpanic_instance { +- void __iomem *base; +- unsigned int capability; +- unsigned int events; +- struct list_head list; +-}; +- +-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi); ++int devm_pvpanic_probe(struct device *dev, void __iomem *base); ++extern const struct attribute_group *pvpanic_dev_groups[]; + + #endif /* PVPANIC_H_ */ +-- +2.43.0 + diff --git a/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch b/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch new file mode 100644 index 00000000000..c6659317ba9 --- /dev/null +++ b/queue-5.15/misc-pvpanic-pci-register-attributes-via-pci_driver.patch @@ -0,0 +1,48 @@ +From d12d57cd2c7be519b412445578f9d583ff77f91a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 23:33:51 +0200 +Subject: misc/pvpanic-pci: register attributes via pci_driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit ee59be35d7a8be7fcaa2d61fb89734ab5c25e4ee ] + +In __pci_register_driver(), the pci core overwrites the dev_groups field of +the embedded struct device_driver with the dev_groups from the outer +struct pci_driver unconditionally. + +Set dev_groups in the pci_driver to make sure it is used. + +This was broken since the introduction of pvpanic-pci. + +Fixes: db3a4f0abefd ("misc/pvpanic: add PCI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Fixes: ded13b9cfd59 ("PCI: Add support for dev_groups to struct pci_driver") +Link: https://lore.kernel.org/r/20240411-pvpanic-pci-dev-groups-v1-1-db8cb69f1b09@weissschuh.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/pvpanic/pvpanic-pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c +index 689af4c28c2a9..2494725dfacfa 100644 +--- a/drivers/misc/pvpanic/pvpanic-pci.c ++++ b/drivers/misc/pvpanic/pvpanic-pci.c +@@ -48,8 +48,6 @@ static struct pci_driver pvpanic_pci_driver = { + .name = "pvpanic-pci", + .id_table = pvpanic_pci_id_tbl, + .probe = pvpanic_pci_probe, +- .driver = { +- .dev_groups = pvpanic_dev_groups, +- }, ++ .dev_groups = pvpanic_dev_groups, + }; + module_pci_driver(pvpanic_pci_driver); +-- +2.43.0 + diff --git a/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch b/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch new file mode 100644 index 00000000000..dfb5deeeb96 --- /dev/null +++ b/queue-5.15/mm-avoid-unnecessary-flush-on-change_huge_pmd.patch @@ -0,0 +1,154 @@ +From 6f73cf81e6438c334ae03321c915e9d376501fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 18:20:50 -0700 +Subject: mm: avoid unnecessary flush on change_huge_pmd() + +From: Nadav Amit + +[ Upstream commit 4f83145721f362c2f4d312edc4755269a2069488 ] + +Calls to change_protection_range() on THP can trigger, at least on x86, +two TLB flushes for one page: one immediately, when pmdp_invalidate() is +called by change_huge_pmd(), and then another one later (that can be +batched) when change_protection_range() finishes. + +The first TLB flush is only necessary to prevent the dirty bit (and with a +lesser importance the access bit) from changing while the PTE is modified. +However, this is not necessary as the x86 CPUs set the dirty-bit +atomically with an additional check that the PTE is (still) present. One +caveat is Intel's Knights Landing that has a bug and does not do so. + +Leverage this behavior to eliminate the unnecessary TLB flush in +change_huge_pmd(). Introduce a new arch specific pmdp_invalidate_ad() +that only invalidates the access and dirty bit from further changes. + +Link: https://lkml.kernel.org/r/20220401180821.1986781-4-namit@vmware.com +Signed-off-by: Nadav Amit +Cc: Andrea Arcangeli +Cc: Andrew Cooper +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Peter Xu +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: Yu Zhao +Cc: Nick Piggin +Signed-off-by: Andrew Morton +Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable.h | 5 +++++ + arch/x86/mm/pgtable.c | 10 ++++++++++ + include/linux/pgtable.h | 20 ++++++++++++++++++++ + mm/huge_memory.c | 4 ++-- + mm/pgtable-generic.c | 8 ++++++++ + 5 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index 448cd01eb3ecb..c04be133a6cd7 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -1146,6 +1146,11 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma, + } + } + #endif ++ ++#define __HAVE_ARCH_PMDP_INVALIDATE_AD ++extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp); ++ + /* + * Page table pages are page-aligned. The lower half of the top + * level is used for userspace and the top half for the kernel. +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index 3481b35cb4ec7..f16059e9a85e7 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -608,6 +608,16 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, + + return young; + } ++ ++pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, ++ pmd_t *pmdp) ++{ ++ /* ++ * No flush is necessary. Once an invalid PTE is established, the PTE's ++ * access and dirty bits cannot be updated. ++ */ ++ return pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); ++} + #endif + + /** +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index d468efcf48f45..952969aa19ec1 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -562,6 +562,26 @@ extern pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp); + #endif + ++#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD ++ ++/* ++ * pmdp_invalidate_ad() invalidates the PMD while changing a transparent ++ * hugepage mapping in the page tables. This function is similar to ++ * pmdp_invalidate(), but should only be used if the access and dirty bits would ++ * not be cleared by the software in the new PMD value. The function ensures ++ * that hardware changes of the access and dirty bits updates would not be lost. ++ * ++ * Doing so can allow in certain architectures to avoid a TLB flush in most ++ * cases. Yet, another TLB flush might be necessary later if the PMD update ++ * itself requires such flush (e.g., if protection was set to be stricter). Yet, ++ * even when a TLB flush is needed because of the update, the caller may be able ++ * to batch these TLB flushing operations, so fewer TLB flush operations are ++ * needed. ++ */ ++extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp); ++#endif ++ + #ifndef __HAVE_ARCH_PTE_SAME + static inline int pte_same(pte_t pte_a, pte_t pte_b) + { +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 8ab6316d85391..265ef8d1393c5 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1798,10 +1798,10 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, + * The race makes MADV_DONTNEED miss the huge pmd and don't clear it + * which may break userspace. + * +- * pmdp_invalidate() is required to make sure we don't miss ++ * pmdp_invalidate_ad() is required to make sure we don't miss + * dirty/young flags set by hardware. + */ +- oldpmd = pmdp_invalidate(vma, addr, pmd); ++ oldpmd = pmdp_invalidate_ad(vma, addr, pmd); + + entry = pmd_modify(oldpmd, newprot); + if (preserve_write) +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c +index 4e640baf97948..b0ce6c7391bf4 100644 +--- a/mm/pgtable-generic.c ++++ b/mm/pgtable-generic.c +@@ -200,6 +200,14 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + } + #endif + ++#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD ++pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, ++ pmd_t *pmdp) ++{ ++ return pmdp_invalidate(vma, address, pmdp); ++} ++#endif ++ + #ifndef pmdp_collapse_flush + pmd_t pmdp_collapse_flush(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) +-- +2.43.0 + diff --git a/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch b/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch new file mode 100644 index 00000000000..54af2d70372 --- /dev/null +++ b/queue-5.15/mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch @@ -0,0 +1,51 @@ +From f3f649041a190cda4c4b0f15f9898ad8f6653c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 16:25:14 +0000 +Subject: mm/cma: drop incorrect alignment check in cma_init_reserved_mem + +From: Frank van der Linden + +[ Upstream commit b174f139bdc8aaaf72f5b67ad1bd512c4868a87e ] + +cma_init_reserved_mem uses IS_ALIGNED to check if the size represented by +one bit in the cma allocation bitmask is aligned with +CMA_MIN_ALIGNMENT_BYTES (pageblock size). + +However, this is too strict, as this will fail if order_per_bit > +pageblock_order, which is a valid configuration. + +We could check IS_ALIGNED both ways, but since both numbers are powers of +two, no check is needed at all. + +Link: https://lkml.kernel.org/r/20240404162515.527802-1-fvdl@google.com +Fixes: de9e14eebf33 ("drivers: dma-contiguous: add initialization from device tree") +Signed-off-by: Frank van der Linden +Acked-by: David Hildenbrand +Cc: Marek Szyprowski +Cc: Muchun Song +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/cma.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/mm/cma.c b/mm/cma.c +index 5208aee4f45ad..88fbd4f8124d3 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -179,10 +179,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size, + if (!size || !memblock_is_region_reserved(base, size)) + return -EINVAL; + +- /* alignment should be aligned with order_per_bit */ +- if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit)) +- return -EINVAL; +- + /* ensure minimal alignment required by mm core */ + if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES)) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch b/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch new file mode 100644 index 00000000000..d682d9ad3bf --- /dev/null +++ b/queue-5.15/mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch @@ -0,0 +1,242 @@ +From dca09ad288fc1dd6652c82f0aa90f993a357f4f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 May 2024 15:33:10 +0100 +Subject: mm: fix race between __split_huge_pmd_locked() and GUP-fast + +From: Ryan Roberts + +[ Upstream commit 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 ] + +__split_huge_pmd_locked() can be called for a present THP, devmap or +(non-present) migration entry. It calls pmdp_invalidate() unconditionally +on the pmdp and only determines if it is present or not based on the +returned old pmd. This is a problem for the migration entry case because +pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a +present pmd. + +On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future +call to pmd_present() will return true. And therefore any lockless +pgtable walker could see the migration entry pmd in this state and start +interpretting the fields as if it were present, leading to BadThings (TM). +GUP-fast appears to be one such lockless pgtable walker. + +x86 does not suffer the above problem, but instead pmd_mkinvalid() will +corrupt the offset field of the swap entry within the swap pte. See link +below for discussion of that problem. + +Fix all of this by only calling pmdp_invalidate() for a present pmd. And +for good measure let's add a warning to all implementations of +pmdp_invalidate[_ad](). I've manually reviewed all other +pmdp_invalidate[_ad]() call sites and believe all others to be conformant. + +This is a theoretical bug found during code review. I don't have any test +case to trigger it in practice. + +Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com +Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/ +Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") +Signed-off-by: Ryan Roberts +Reviewed-by: Zi Yan +Reviewed-by: Anshuman Khandual +Acked-by: David Hildenbrand +Cc: Andreas Larsson +Cc: Andy Lutomirski +Cc: Aneesh Kumar K.V +Cc: Borislav Petkov (AMD) +Cc: Catalin Marinas +Cc: Christian Borntraeger +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: "David S. Miller" +Cc: Ingo Molnar +Cc: Jonathan Corbet +Cc: Mark Rutland +Cc: Naveen N. Rao +Cc: Nicholas Piggin +Cc: Peter Zijlstra +Cc: Sven Schnelle +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + Documentation/vm/arch_pgtable_helpers.rst | 6 ++- + arch/powerpc/mm/book3s64/pgtable.c | 1 + + arch/s390/include/asm/pgtable.h | 4 +- + arch/sparc/mm/tlb.c | 1 + + arch/x86/mm/pgtable.c | 2 + + mm/huge_memory.c | 49 ++++++++++++----------- + mm/pgtable-generic.c | 2 + + 7 files changed, 39 insertions(+), 26 deletions(-) + +diff --git a/Documentation/vm/arch_pgtable_helpers.rst b/Documentation/vm/arch_pgtable_helpers.rst +index 552567d863b86..b8ae5d040b998 100644 +--- a/Documentation/vm/arch_pgtable_helpers.rst ++++ b/Documentation/vm/arch_pgtable_helpers.rst +@@ -134,7 +134,8 @@ PMD Page Table Helpers + +---------------------------+--------------------------------------------------+ + | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD | + +---------------------------+--------------------------------------------------+ +-| pmd_mkinvalid | Invalidates a mapped PMD [1] | ++| pmd_mkinvalid | Invalidates a present PMD; do not call for | ++| | non-present PMD [1] | + +---------------------------+--------------------------------------------------+ + | pmd_set_huge | Creates a PMD huge mapping | + +---------------------------+--------------------------------------------------+ +@@ -190,7 +191,8 @@ PUD Page Table Helpers + +---------------------------+--------------------------------------------------+ + | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD | + +---------------------------+--------------------------------------------------+ +-| pud_mkinvalid | Invalidates a mapped PUD [1] | ++| pud_mkinvalid | Invalidates a present PUD; do not call for | ++| | non-present PUD [1] | + +---------------------------+--------------------------------------------------+ + | pud_set_huge | Creates a PUD huge mapping | + +---------------------------+--------------------------------------------------+ +diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c +index da15f28c7b13a..3a22e7d970f33 100644 +--- a/arch/powerpc/mm/book3s64/pgtable.c ++++ b/arch/powerpc/mm/book3s64/pgtable.c +@@ -115,6 +115,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + { + unsigned long old_pmd; + ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID); + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + return __pmd(old_pmd); +diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h +index b61426c9ef178..b65ce0c90dd0e 100644 +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -1625,8 +1625,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, + static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma, + unsigned long addr, pmd_t *pmdp) + { +- pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); ++ pmd_t pmd; + ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); ++ pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID); + return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd); + } + +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c +index 9a725547578e8..946f33c1b032f 100644 +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -245,6 +245,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + { + pmd_t old, entry; + ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); + old = pmdp_establish(vma, address, pmdp, entry); + flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index f16059e9a85e7..5c2be867a2ed9 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -612,6 +612,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma, + pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); ++ + /* + * No flush is necessary. Once an invalid PTE is established, the PTE's + * access and dirty bits cannot be updated. +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 265ef8d1393c5..99d38f712863b 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2024,32 +2024,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + return __split_huge_zero_page_pmd(vma, haddr, pmd); + } + +- /* +- * Up to this point the pmd is present and huge and userland has the +- * whole access to the hugepage during the split (which happens in +- * place). If we overwrite the pmd with the not-huge version pointing +- * to the pte here (which of course we could if all CPUs were bug +- * free), userland could trigger a small page size TLB miss on the +- * small sized TLB while the hugepage TLB entry is still established in +- * the huge TLB. Some CPU doesn't like that. +- * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum +- * 383 on page 105. Intel should be safe but is also warns that it's +- * only safe if the permission and cache attributes of the two entries +- * loaded in the two TLB is identical (which should be the case here). +- * But it is generally safer to never allow small and huge TLB entries +- * for the same virtual address to be loaded simultaneously. So instead +- * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the +- * current pmd notpresent (atomically because here the pmd_trans_huge +- * must remain set at all times on the pmd until the split is complete +- * for this pmd), then we flush the SMP TLB and finally we write the +- * non-huge version of the pmd entry with pmd_populate. +- */ +- old_pmd = pmdp_invalidate(vma, haddr, pmd); +- +- pmd_migration = is_pmd_migration_entry(old_pmd); ++ pmd_migration = is_pmd_migration_entry(*pmd); + if (unlikely(pmd_migration)) { + swp_entry_t entry; + ++ old_pmd = *pmd; + entry = pmd_to_swp_entry(old_pmd); + page = pfn_swap_entry_to_page(entry); + write = is_writable_migration_entry(entry); +@@ -2057,6 +2036,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + soft_dirty = pmd_swp_soft_dirty(old_pmd); + uffd_wp = pmd_swp_uffd_wp(old_pmd); + } else { ++ /* ++ * Up to this point the pmd is present and huge and userland has ++ * the whole access to the hugepage during the split (which ++ * happens in place). If we overwrite the pmd with the not-huge ++ * version pointing to the pte here (which of course we could if ++ * all CPUs were bug free), userland could trigger a small page ++ * size TLB miss on the small sized TLB while the hugepage TLB ++ * entry is still established in the huge TLB. Some CPU doesn't ++ * like that. See ++ * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum ++ * 383 on page 105. Intel should be safe but is also warns that ++ * it's only safe if the permission and cache attributes of the ++ * two entries loaded in the two TLB is identical (which should ++ * be the case here). But it is generally safer to never allow ++ * small and huge TLB entries for the same virtual address to be ++ * loaded simultaneously. So instead of doing "pmd_populate(); ++ * flush_pmd_tlb_range();" we first mark the current pmd ++ * notpresent (atomically because here the pmd_trans_huge must ++ * remain set at all times on the pmd until the split is ++ * complete for this pmd), then we flush the SMP TLB and finally ++ * we write the non-huge version of the pmd entry with ++ * pmd_populate. ++ */ ++ old_pmd = pmdp_invalidate(vma, haddr, pmd); + page = pmd_page(old_pmd); + if (pmd_dirty(old_pmd)) + SetPageDirty(page); +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c +index b0ce6c7391bf4..cc8b11724cf5a 100644 +--- a/mm/pgtable-generic.c ++++ b/mm/pgtable-generic.c +@@ -194,6 +194,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp) + pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp)); + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + return old; +@@ -204,6 +205,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { ++ VM_WARN_ON_ONCE(!pmd_present(*pmdp)); + return pmdp_invalidate(vma, address, pmdp); + } + #endif +-- +2.43.0 + diff --git a/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch b/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch new file mode 100644 index 00000000000..dc8b5c585ae --- /dev/null +++ b/queue-5.15/mm-mprotect-do-not-flush-when-not-required-architect.patch @@ -0,0 +1,251 @@ +From 2031c117202f5d2e11b95194e0012d36553e6e78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 18:20:50 -0700 +Subject: mm/mprotect: do not flush when not required architecturally + +From: Nadav Amit + +[ Upstream commit c9fe66560bf2dc7d109754414e309888cb8c9ba9 ] + +Currently, using mprotect() to unprotect a memory region or uffd to +unprotect a memory region causes a TLB flush. However, in such cases the +PTE is often not modified (i.e., remain RO) and therefore not TLB flush is +needed. + +Add an arch-specific pte_needs_flush() which tells whether a TLB flush is +needed based on the old PTE and the new one. Implement an x86 +pte_needs_flush(). + +Always flush the TLB when it is architecturally needed even when skipping +a TLB flush might only result in a spurious page-faults by skipping the +flush. + +Even with such conservative manner, we can in the future further refine +the checks to test whether a PTE is present by only considering the +architectural _PAGE_PRESENT flag instead of {pte|pmd}_preesnt(). For not +be careful and use the latter. + +Link: https://lkml.kernel.org/r/20220401180821.1986781-3-namit@vmware.com +Signed-off-by: Nadav Amit +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: Yu Zhao +Cc: Nick Piggin +Cc: Andrew Cooper +Cc: Peter Xu +Signed-off-by: Andrew Morton +Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable_types.h | 2 + + arch/x86/include/asm/tlbflush.h | 97 ++++++++++++++++++++++++++++ + include/asm-generic/tlb.h | 14 ++++ + mm/huge_memory.c | 9 +-- + mm/mprotect.c | 3 +- + 5 files changed, 120 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index 28e59576c75be..de9e3c635618e 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -110,9 +110,11 @@ + #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) + #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX) + #define _PAGE_DEVMAP (_AT(u64, 1) << _PAGE_BIT_DEVMAP) ++#define _PAGE_SOFTW4 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW4) + #else + #define _PAGE_NX (_AT(pteval_t, 0)) + #define _PAGE_DEVMAP (_AT(pteval_t, 0)) ++#define _PAGE_SOFTW4 (_AT(pteval_t, 0)) + #endif + + #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE) +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index b587a9ee9cb25..8be1ff9081728 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -259,6 +259,103 @@ static inline void arch_tlbbatch_add_mm(struct arch_tlbflush_unmap_batch *batch, + + extern void arch_tlbbatch_flush(struct arch_tlbflush_unmap_batch *batch); + ++static inline bool pte_flags_need_flush(unsigned long oldflags, ++ unsigned long newflags, ++ bool ignore_access) ++{ ++ /* ++ * Flags that require a flush when cleared but not when they are set. ++ * Only include flags that would not trigger spurious page-faults. ++ * Non-present entries are not cached. Hardware would set the ++ * dirty/access bit if needed without a fault. ++ */ ++ const pteval_t flush_on_clear = _PAGE_DIRTY | _PAGE_PRESENT | ++ _PAGE_ACCESSED; ++ const pteval_t software_flags = _PAGE_SOFTW1 | _PAGE_SOFTW2 | ++ _PAGE_SOFTW3 | _PAGE_SOFTW4; ++ const pteval_t flush_on_change = _PAGE_RW | _PAGE_USER | _PAGE_PWT | ++ _PAGE_PCD | _PAGE_PSE | _PAGE_GLOBAL | _PAGE_PAT | ++ _PAGE_PAT_LARGE | _PAGE_PKEY_BIT0 | _PAGE_PKEY_BIT1 | ++ _PAGE_PKEY_BIT2 | _PAGE_PKEY_BIT3 | _PAGE_NX; ++ unsigned long diff = oldflags ^ newflags; ++ ++ BUILD_BUG_ON(flush_on_clear & software_flags); ++ BUILD_BUG_ON(flush_on_clear & flush_on_change); ++ BUILD_BUG_ON(flush_on_change & software_flags); ++ ++ /* Ignore software flags */ ++ diff &= ~software_flags; ++ ++ if (ignore_access) ++ diff &= ~_PAGE_ACCESSED; ++ ++ /* ++ * Did any of the 'flush_on_clear' flags was clleared set from between ++ * 'oldflags' and 'newflags'? ++ */ ++ if (diff & oldflags & flush_on_clear) ++ return true; ++ ++ /* Flush on modified flags. */ ++ if (diff & flush_on_change) ++ return true; ++ ++ /* Ensure there are no flags that were left behind */ ++ if (IS_ENABLED(CONFIG_DEBUG_VM) && ++ (diff & ~(flush_on_clear | software_flags | flush_on_change))) { ++ VM_WARN_ON_ONCE(1); ++ return true; ++ } ++ ++ return false; ++} ++ ++/* ++ * pte_needs_flush() checks whether permissions were demoted and require a ++ * flush. It should only be used for userspace PTEs. ++ */ ++static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte) ++{ ++ /* !PRESENT -> * ; no need for flush */ ++ if (!(pte_flags(oldpte) & _PAGE_PRESENT)) ++ return false; ++ ++ /* PFN changed ; needs flush */ ++ if (pte_pfn(oldpte) != pte_pfn(newpte)) ++ return true; ++ ++ /* ++ * check PTE flags; ignore access-bit; see comment in ++ * ptep_clear_flush_young(). ++ */ ++ return pte_flags_need_flush(pte_flags(oldpte), pte_flags(newpte), ++ true); ++} ++#define pte_needs_flush pte_needs_flush ++ ++/* ++ * huge_pmd_needs_flush() checks whether permissions were demoted and require a ++ * flush. It should only be used for userspace huge PMDs. ++ */ ++static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd) ++{ ++ /* !PRESENT -> * ; no need for flush */ ++ if (!(pmd_flags(oldpmd) & _PAGE_PRESENT)) ++ return false; ++ ++ /* PFN changed ; needs flush */ ++ if (pmd_pfn(oldpmd) != pmd_pfn(newpmd)) ++ return true; ++ ++ /* ++ * check PMD flags; do not ignore access-bit; see ++ * pmdp_clear_flush_young(). ++ */ ++ return pte_flags_need_flush(pmd_flags(oldpmd), pmd_flags(newpmd), ++ false); ++} ++#define huge_pmd_needs_flush huge_pmd_needs_flush ++ + #endif /* !MODULE */ + + #endif /* _ASM_X86_TLBFLUSH_H */ +diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h +index c99710b3027a0..7afde1eff2398 100644 +--- a/include/asm-generic/tlb.h ++++ b/include/asm-generic/tlb.h +@@ -662,6 +662,20 @@ static inline void tlb_flush_p4d_range(struct mmu_gather *tlb, + } while (0) + #endif + ++#ifndef pte_needs_flush ++static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte) ++{ ++ return true; ++} ++#endif ++ ++#ifndef huge_pmd_needs_flush ++static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd) ++{ ++ return true; ++} ++#endif ++ + #endif /* CONFIG_MMU */ + + #endif /* _ASM_GENERIC__TLB_H */ +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 661dd29642ebc..8ab6316d85391 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1726,7 +1726,7 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, + { + struct mm_struct *mm = vma->vm_mm; + spinlock_t *ptl; +- pmd_t entry; ++ pmd_t oldpmd, entry; + bool preserve_write; + int ret; + bool prot_numa = cp_flags & MM_CP_PROT_NUMA; +@@ -1801,9 +1801,9 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, + * pmdp_invalidate() is required to make sure we don't miss + * dirty/young flags set by hardware. + */ +- entry = pmdp_invalidate(vma, addr, pmd); ++ oldpmd = pmdp_invalidate(vma, addr, pmd); + +- entry = pmd_modify(entry, newprot); ++ entry = pmd_modify(oldpmd, newprot); + if (preserve_write) + entry = pmd_mk_savedwrite(entry); + if (uffd_wp) { +@@ -1820,7 +1820,8 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, + ret = HPAGE_PMD_NR; + set_pmd_at(mm, addr, pmd, entry); + +- tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); ++ if (huge_pmd_needs_flush(oldpmd, entry)) ++ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); + + BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry)); + unlock: +diff --git a/mm/mprotect.c b/mm/mprotect.c +index fe1196be9ca28..09c5c448b9e7c 100644 +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -141,7 +141,8 @@ static unsigned long change_pte_range(struct mmu_gather *tlb, + ptent = pte_mkwrite(ptent); + } + ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent); +- tlb_flush_pte_range(tlb, addr, PAGE_SIZE); ++ if (pte_needs_flush(oldpte, ptent)) ++ tlb_flush_pte_range(tlb, addr, PAGE_SIZE); + pages++; + } else if (is_swap_pte(oldpte)) { + swp_entry_t entry = pte_to_swp_entry(oldpte); +-- +2.43.0 + diff --git a/queue-5.15/mm-mprotect-use-mmu_gather.patch b/queue-5.15/mm-mprotect-use-mmu_gather.patch new file mode 100644 index 00000000000..fe42d2d0f2b --- /dev/null +++ b/queue-5.15/mm-mprotect-use-mmu_gather.patch @@ -0,0 +1,537 @@ +From 61cba6a6dc1cc6682b9aeff3aff3114f0ff30462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 18:20:50 -0700 +Subject: mm/mprotect: use mmu_gather + +From: Nadav Amit + +[ Upstream commit 4a18419f71cdf9155d2d2a6c79546f720978b990 ] + +Patch series "mm/mprotect: avoid unnecessary TLB flushes", v6. + +This patchset is intended to remove unnecessary TLB flushes during +mprotect() syscalls. Once this patch-set make it through, similar and +further optimizations for MADV_COLD and userfaultfd would be possible. + +Basically, there are 3 optimizations in this patch-set: + +1. Use TLB batching infrastructure to batch flushes across VMAs and do + better/fewer flushes. This would also be handy for later userfaultfd + enhancements. + +2. Avoid unnecessary TLB flushes. This optimization is the one that + provides most of the performance benefits. Unlike previous versions, + we now only avoid flushes that would not result in spurious + page-faults. + +3. Avoiding TLB flushes on change_huge_pmd() that are only needed to + prevent the A/D bits from changing. + +Andrew asked for some benchmark numbers. I do not have an easy +determinate macrobenchmark in which it is easy to show benefit. I +therefore ran a microbenchmark: a loop that does the following on +anonymous memory, just as a sanity check to see that time is saved by +avoiding TLB flushes. The loop goes: + + mprotect(p, PAGE_SIZE, PROT_READ) + mprotect(p, PAGE_SIZE, PROT_READ|PROT_WRITE) + *p = 0; // make the page writable + +The test was run in KVM guest with 1 or 2 threads (the second thread was +busy-looping). I measured the time (cycles) of each operation: + + 1 thread 2 threads + mmots +patch mmots +patch +PROT_READ 3494 2725 (-22%) 8630 7788 (-10%) +PROT_READ|WRITE 3952 2724 (-31%) 9075 2865 (-68%) + +[ mmots = v5.17-rc6-mmots-2022-03-06-20-38 ] + +The exact numbers are really meaningless, but the benefit is clear. There +are 2 interesting results though. + +(1) PROT_READ is cheaper, while one can expect it not to be affected. +This is presumably due to TLB miss that is saved + +(2) Without memory access (*p = 0), the speedup of the patch is even +greater. In that scenario mprotect(PROT_READ) also avoids the TLB flush. +As a result both operations on the patched kernel take roughly ~1500 +cycles (with either 1 or 2 threads), whereas on mmotm their cost is as +high as presented in the table. + +This patch (of 3): + +change_pXX_range() currently does not use mmu_gather, but instead +implements its own deferred TLB flushes scheme. This both complicates the +code, as developers need to be aware of different invalidation schemes, +and prevents opportunities to avoid TLB flushes or perform them in finer +granularity. + +The use of mmu_gather for modified PTEs has benefits in various scenarios +even if pages are not released. For instance, if only a single page needs +to be flushed out of a range of many pages, only that page would be +flushed. If a THP page is flushed, on x86 a single TLB invlpg instruction +can be used instead of 512 instructions (or a full TLB flush, which would +Linux would actually use by default). mprotect() over multiple VMAs +requires a single flush. + +Use mmu_gather in change_pXX_range(). As the pages are not released, only +record the flushed range using tlb_flush_pXX_range(). + +Handle THP similarly and get rid of flush_cache_range() which becomes +redundant since tlb_start_vma() calls it when needed. + +Link: https://lkml.kernel.org/r/20220401180821.1986781-1-namit@vmware.com +Link: https://lkml.kernel.org/r/20220401180821.1986781-2-namit@vmware.com +Signed-off-by: Nadav Amit +Acked-by: Peter Zijlstra (Intel) +Cc: Andrea Arcangeli +Cc: Andrew Cooper +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Peter Xu +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: Yu Zhao +Cc: Nick Piggin +Signed-off-by: Andrew Morton +Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast") +Signed-off-by: Sasha Levin +--- + fs/exec.c | 6 ++- + include/linux/huge_mm.h | 5 ++- + include/linux/mm.h | 5 ++- + mm/huge_memory.c | 10 ++++- + mm/mempolicy.c | 9 +++- + mm/mprotect.c | 92 ++++++++++++++++++++++------------------- + mm/userfaultfd.c | 6 ++- + 7 files changed, 82 insertions(+), 51 deletions(-) + +diff --git a/fs/exec.c b/fs/exec.c +index 03516b704d8a4..3cf38e5e8b733 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -758,6 +758,7 @@ int setup_arg_pages(struct linux_binprm *bprm, + unsigned long stack_size; + unsigned long stack_expand; + unsigned long rlim_stack; ++ struct mmu_gather tlb; + + #ifdef CONFIG_STACK_GROWSUP + /* Limit stack size */ +@@ -812,8 +813,11 @@ int setup_arg_pages(struct linux_binprm *bprm, + vm_flags |= mm->def_flags; + vm_flags |= VM_STACK_INCOMPLETE_SETUP; + +- ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, ++ tlb_gather_mmu(&tlb, mm); ++ ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end, + vm_flags); ++ tlb_finish_mmu(&tlb); ++ + if (ret) + goto out_unlock; + BUG_ON(prev != vma); +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h +index f123e15d966e8..6cb3e6fe11e7f 100644 +--- a/include/linux/huge_mm.h ++++ b/include/linux/huge_mm.h +@@ -36,8 +36,9 @@ int zap_huge_pud(struct mmu_gather *tlb, struct vm_area_struct *vma, pud_t *pud, + unsigned long addr); + bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, + unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd); +-int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, +- pgprot_t newprot, unsigned long cp_flags); ++int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, ++ pmd_t *pmd, unsigned long addr, pgprot_t newprot, ++ unsigned long cp_flags); + vm_fault_t vmf_insert_pfn_pmd_prot(struct vm_fault *vmf, pfn_t pfn, + pgprot_t pgprot, bool write); + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 5692055f202cb..e05c91ea5735d 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1899,10 +1899,11 @@ extern unsigned long move_page_tables(struct vm_area_struct *vma, + #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \ + MM_CP_UFFD_WP_RESOLVE) + +-extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, ++extern unsigned long change_protection(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, unsigned long start, + unsigned long end, pgprot_t newprot, + unsigned long cp_flags); +-extern int mprotect_fixup(struct vm_area_struct *vma, ++extern int mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma, + struct vm_area_struct **pprev, unsigned long start, + unsigned long end, unsigned long newflags); + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 98ff57c8eda69..661dd29642ebc 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1720,8 +1720,9 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, + * or if prot_numa but THP migration is not supported + * - HPAGE_PMD_NR if protections changed and TLB flush necessary + */ +-int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, +- unsigned long addr, pgprot_t newprot, unsigned long cp_flags) ++int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, ++ pmd_t *pmd, unsigned long addr, pgprot_t newprot, ++ unsigned long cp_flags) + { + struct mm_struct *mm = vma->vm_mm; + spinlock_t *ptl; +@@ -1732,6 +1733,8 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, + bool uffd_wp = cp_flags & MM_CP_UFFD_WP; + bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; + ++ tlb_change_page_size(tlb, HPAGE_PMD_SIZE); ++ + if (prot_numa && !thp_migration_supported()) + return 1; + +@@ -1816,6 +1819,9 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, + } + ret = HPAGE_PMD_NR; + set_pmd_at(mm, addr, pmd, entry); ++ ++ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE); ++ + BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry)); + unlock: + spin_unlock(ptl); +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 818753635e427..c05e979fd8695 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -104,6 +104,7 @@ + #include + + #include ++#include + #include + + #include "internal.h" +@@ -634,12 +635,18 @@ static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask, + unsigned long change_prot_numa(struct vm_area_struct *vma, + unsigned long addr, unsigned long end) + { ++ struct mmu_gather tlb; + int nr_updated; + +- nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA); ++ tlb_gather_mmu(&tlb, vma->vm_mm); ++ ++ nr_updated = change_protection(&tlb, vma, addr, end, PAGE_NONE, ++ MM_CP_PROT_NUMA); + if (nr_updated) + count_vm_numa_events(NUMA_PTE_UPDATES, nr_updated); + ++ tlb_finish_mmu(&tlb); ++ + return nr_updated; + } + #else +diff --git a/mm/mprotect.c b/mm/mprotect.c +index ed18dc49533f6..fe1196be9ca28 100644 +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -32,12 +32,13 @@ + #include + #include + #include ++#include + + #include "internal.h" + +-static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, +- unsigned long addr, unsigned long end, pgprot_t newprot, +- unsigned long cp_flags) ++static unsigned long change_pte_range(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + pte_t *pte, oldpte; + spinlock_t *ptl; +@@ -48,6 +49,8 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, + bool uffd_wp = cp_flags & MM_CP_UFFD_WP; + bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; + ++ tlb_change_page_size(tlb, PAGE_SIZE); ++ + /* + * Can be called with only the mmap_lock for reading by + * prot_numa so we must check the pmd isn't constantly +@@ -138,6 +141,7 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, + ptent = pte_mkwrite(ptent); + } + ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent); ++ tlb_flush_pte_range(tlb, addr, PAGE_SIZE); + pages++; + } else if (is_swap_pte(oldpte)) { + swp_entry_t entry = pte_to_swp_entry(oldpte); +@@ -219,9 +223,9 @@ static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd) + return 0; + } + +-static inline unsigned long change_pmd_range(struct vm_area_struct *vma, +- pud_t *pud, unsigned long addr, unsigned long end, +- pgprot_t newprot, unsigned long cp_flags) ++static inline unsigned long change_pmd_range(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, pud_t *pud, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + pmd_t *pmd; + unsigned long next; +@@ -261,8 +265,12 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, + if (next - addr != HPAGE_PMD_SIZE) { + __split_huge_pmd(vma, pmd, addr, false, NULL); + } else { +- int nr_ptes = change_huge_pmd(vma, pmd, addr, +- newprot, cp_flags); ++ /* ++ * change_huge_pmd() does not defer TLB flushes, ++ * so no need to propagate the tlb argument. ++ */ ++ int nr_ptes = change_huge_pmd(tlb, vma, pmd, ++ addr, newprot, cp_flags); + + if (nr_ptes) { + if (nr_ptes == HPAGE_PMD_NR) { +@@ -276,8 +284,8 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, + } + /* fall through, the trans huge pmd just split */ + } +- this_pages = change_pte_range(vma, pmd, addr, next, newprot, +- cp_flags); ++ this_pages = change_pte_range(tlb, vma, pmd, addr, next, ++ newprot, cp_flags); + pages += this_pages; + next: + cond_resched(); +@@ -291,9 +299,9 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma, + return pages; + } + +-static inline unsigned long change_pud_range(struct vm_area_struct *vma, +- p4d_t *p4d, unsigned long addr, unsigned long end, +- pgprot_t newprot, unsigned long cp_flags) ++static inline unsigned long change_pud_range(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, p4d_t *p4d, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + pud_t *pud; + unsigned long next; +@@ -304,16 +312,16 @@ static inline unsigned long change_pud_range(struct vm_area_struct *vma, + next = pud_addr_end(addr, end); + if (pud_none_or_clear_bad(pud)) + continue; +- pages += change_pmd_range(vma, pud, addr, next, newprot, ++ pages += change_pmd_range(tlb, vma, pud, addr, next, newprot, + cp_flags); + } while (pud++, addr = next, addr != end); + + return pages; + } + +-static inline unsigned long change_p4d_range(struct vm_area_struct *vma, +- pgd_t *pgd, unsigned long addr, unsigned long end, +- pgprot_t newprot, unsigned long cp_flags) ++static inline unsigned long change_p4d_range(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, pgd_t *pgd, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + p4d_t *p4d; + unsigned long next; +@@ -324,44 +332,40 @@ static inline unsigned long change_p4d_range(struct vm_area_struct *vma, + next = p4d_addr_end(addr, end); + if (p4d_none_or_clear_bad(p4d)) + continue; +- pages += change_pud_range(vma, p4d, addr, next, newprot, ++ pages += change_pud_range(tlb, vma, p4d, addr, next, newprot, + cp_flags); + } while (p4d++, addr = next, addr != end); + + return pages; + } + +-static unsigned long change_protection_range(struct vm_area_struct *vma, +- unsigned long addr, unsigned long end, pgprot_t newprot, +- unsigned long cp_flags) ++static unsigned long change_protection_range(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + struct mm_struct *mm = vma->vm_mm; + pgd_t *pgd; + unsigned long next; +- unsigned long start = addr; + unsigned long pages = 0; + + BUG_ON(addr >= end); + pgd = pgd_offset(mm, addr); +- flush_cache_range(vma, addr, end); +- inc_tlb_flush_pending(mm); ++ tlb_start_vma(tlb, vma); + do { + next = pgd_addr_end(addr, end); + if (pgd_none_or_clear_bad(pgd)) + continue; +- pages += change_p4d_range(vma, pgd, addr, next, newprot, ++ pages += change_p4d_range(tlb, vma, pgd, addr, next, newprot, + cp_flags); + } while (pgd++, addr = next, addr != end); + +- /* Only flush the TLB if we actually modified any entries: */ +- if (pages) +- flush_tlb_range(vma, start, end); +- dec_tlb_flush_pending(mm); ++ tlb_end_vma(tlb, vma); + + return pages; + } + +-unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, ++unsigned long change_protection(struct mmu_gather *tlb, ++ struct vm_area_struct *vma, unsigned long start, + unsigned long end, pgprot_t newprot, + unsigned long cp_flags) + { +@@ -372,7 +376,7 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, + if (is_vm_hugetlb_page(vma)) + pages = hugetlb_change_protection(vma, start, end, newprot); + else +- pages = change_protection_range(vma, start, end, newprot, ++ pages = change_protection_range(tlb, vma, start, end, newprot, + cp_flags); + + return pages; +@@ -406,8 +410,9 @@ static const struct mm_walk_ops prot_none_walk_ops = { + }; + + int +-mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, +- unsigned long start, unsigned long end, unsigned long newflags) ++mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma, ++ struct vm_area_struct **pprev, unsigned long start, ++ unsigned long end, unsigned long newflags) + { + struct mm_struct *mm = vma->vm_mm; + unsigned long oldflags = vma->vm_flags; +@@ -494,7 +499,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, + dirty_accountable = vma_wants_writenotify(vma, vma->vm_page_prot); + vma_set_page_prot(vma); + +- change_protection(vma, start, end, vma->vm_page_prot, ++ change_protection(tlb, vma, start, end, vma->vm_page_prot, + dirty_accountable ? MM_CP_DIRTY_ACCT : 0); + + /* +@@ -528,6 +533,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, + const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP); + const bool rier = (current->personality & READ_IMPLIES_EXEC) && + (prot & PROT_READ); ++ struct mmu_gather tlb; + + start = untagged_addr(start); + +@@ -584,6 +590,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, + if (start > vma->vm_start) + prev = vma; + ++ tlb_gather_mmu(&tlb, current->mm); + for (nstart = start ; ; ) { + unsigned long mask_off_old_flags; + unsigned long newflags; +@@ -610,18 +617,18 @@ static int do_mprotect_pkey(unsigned long start, size_t len, + /* newflags >> 4 shift VM_MAY% in place of VM_% */ + if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) { + error = -EACCES; +- goto out; ++ break; + } + + /* Allow architectures to sanity-check the new flags */ + if (!arch_validate_flags(newflags)) { + error = -EINVAL; +- goto out; ++ break; + } + + error = security_file_mprotect(vma, reqprot, prot); + if (error) +- goto out; ++ break; + + tmp = vma->vm_end; + if (tmp > end) +@@ -630,27 +637,28 @@ static int do_mprotect_pkey(unsigned long start, size_t len, + if (vma->vm_ops && vma->vm_ops->mprotect) { + error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags); + if (error) +- goto out; ++ break; + } + +- error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); ++ error = mprotect_fixup(&tlb, vma, &prev, nstart, tmp, newflags); + if (error) +- goto out; ++ break; + + nstart = tmp; + + if (nstart < prev->vm_end) + nstart = prev->vm_end; + if (nstart >= end) +- goto out; ++ break; + + vma = prev->vm_next; + if (!vma || vma->vm_start != nstart) { + error = -ENOMEM; +- goto out; ++ break; + } + prot = reqprot; + } ++ tlb_finish_mmu(&tlb); + out: + mmap_write_unlock(current->mm); + return error; +diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c +index 98a9d0ef2d917..eafdc112ac7aa 100644 +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include "internal.h" + + static __always_inline +@@ -698,6 +699,7 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, + atomic_t *mmap_changing) + { + struct vm_area_struct *dst_vma; ++ struct mmu_gather tlb; + pgprot_t newprot; + int err; + +@@ -739,8 +741,10 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, + else + newprot = vm_get_page_prot(dst_vma->vm_flags); + +- change_protection(dst_vma, start, start + len, newprot, ++ tlb_gather_mmu(&tlb, dst_mm); ++ change_protection(&tlb, dst_vma, start, start + len, newprot, + enable_wp ? MM_CP_UFFD_WP : MM_CP_UFFD_WP_RESOLVE); ++ tlb_finish_mmu(&tlb); + + err = 0; + out_unlock: +-- +2.43.0 + diff --git a/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch b/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch new file mode 100644 index 00000000000..7ca4525c05c --- /dev/null +++ b/queue-5.15/mmc-davinci-don-t-strip-remove-function-when-driver-.patch @@ -0,0 +1,59 @@ +From db1dc85c7dd16e575bad700b7761451733db9665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Mar 2024 12:40:17 +0100 +Subject: mmc: davinci: Don't strip remove function when driver is builtin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 55c421b364482b61c4c45313a535e61ed5ae4ea3 ] + +Using __exit for the remove function results in the remove callback being +discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. +using sysfs or hotplug), the driver is just removed without the cleanup +being performed. This results in resource leaks. Fix it by compiling in the +remove callback unconditionally. + +This also fixes a W=1 modpost warning: + +WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in +reference: davinci_mmcsd_driver+0x10 (section: .data) -> +davinci_mmcsd_remove (section: .exit.text) + +Fixes: b4cff4549b7a ("DaVinci: MMC: MMC/SD controller driver for DaVinci family") +Signed-off-by: Uwe Kleine-König +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240324114017.231936-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/davinci_mmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c +index 36c45867eb643..e0175808c3b0d 100644 +--- a/drivers/mmc/host/davinci_mmc.c ++++ b/drivers/mmc/host/davinci_mmc.c +@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev) + return ret; + } + +-static void __exit davinci_mmcsd_remove(struct platform_device *pdev) ++static void davinci_mmcsd_remove(struct platform_device *pdev) + { + struct mmc_davinci_host *host = platform_get_drvdata(pdev); + +@@ -1402,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = { + .of_match_table = davinci_mmc_dt_ids, + }, + .probe = davinci_mmcsd_probe, +- .remove_new = __exit_p(davinci_mmcsd_remove), ++ .remove_new = davinci_mmcsd_remove, + .id_table = davinci_mmc_devtype, + }; + +-- +2.43.0 + diff --git a/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch b/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch new file mode 100644 index 00000000000..9de90e1b57f --- /dev/null +++ b/queue-5.15/mmc-davinci_mmc-convert-to-platform-remove-callback-.patch @@ -0,0 +1,67 @@ +From d2d80526ac7c82e3143dd7b830c6843e7acbbf7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 14:59:56 +0800 +Subject: mmc: davinci_mmc: Convert to platform remove callback returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yangtao Li + +[ Upstream commit bc1711e8332da03648d8fe1950189237e66313af ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Cc: Uwe Kleine-König +Signed-off-by: Yangtao Li +Link: https://lore.kernel.org/r/20230727070051.17778-7-frank.li@vivo.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 55c421b36448 ("mmc: davinci: Don't strip remove function when driver is builtin") +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/davinci_mmc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c +index 80de660027d89..36c45867eb643 100644 +--- a/drivers/mmc/host/davinci_mmc.c ++++ b/drivers/mmc/host/davinci_mmc.c +@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev) + return ret; + } + +-static int __exit davinci_mmcsd_remove(struct platform_device *pdev) ++static void __exit davinci_mmcsd_remove(struct platform_device *pdev) + { + struct mmc_davinci_host *host = platform_get_drvdata(pdev); + +@@ -1356,8 +1356,6 @@ static int __exit davinci_mmcsd_remove(struct platform_device *pdev) + davinci_release_dma_channels(host); + clk_disable_unprepare(host->clk); + mmc_free_host(host->mmc); +- +- return 0; + } + + #ifdef CONFIG_PM +@@ -1404,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = { + .of_match_table = davinci_mmc_dt_ids, + }, + .probe = davinci_mmcsd_probe, +- .remove = __exit_p(davinci_mmcsd_remove), ++ .remove_new = __exit_p(davinci_mmcsd_remove), + .id_table = davinci_mmc_devtype, + }; + +-- +2.43.0 + diff --git a/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch b/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch new file mode 100644 index 00000000000..242a294b239 --- /dev/null +++ b/queue-5.15/net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch @@ -0,0 +1,258 @@ +From 273f0826c81d3fcfcfdbcf1cd99efe2202aa4709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 09:11:50 -0800 +Subject: net: drop nopreempt requirement on sock_prot_inuse_add() + +From: Eric Dumazet + +[ Upstream commit b3cb764aa1d753cf6a58858f9e2097ba71e8100b ] + +This is distracting really, let's make this simpler, +because many callers had to take care of this +by themselves, even if on x86 this adds more +code than really needed. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++-- + net/ieee802154/socket.c | 4 ++-- + net/ipv4/raw.c | 2 +- + net/ipv6/ipv6_sockglue.c | 8 ++++---- + net/netlink/af_netlink.c | 4 ---- + net/packet/af_packet.c | 4 ---- + net/sctp/socket.c | 5 ----- + net/smc/af_smc.c | 2 +- + net/unix/af_unix.c | 4 ---- + net/xdp/xsk.c | 4 ---- + 10 files changed, 10 insertions(+), 31 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index c13c284222424..146f1b9c30636 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1464,11 +1464,11 @@ proto_memory_pressure(struct proto *prot) + struct prot_inuse { + int val[PROTO_INUSE_NR]; + }; +-/* Called with local bh disabled */ ++ + static inline void sock_prot_inuse_add(const struct net *net, + const struct proto *prot, int val) + { +- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); ++ this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); + } + int sock_prot_inuse_get(struct net *net, struct proto *proto); + int sock_inuse_get(struct net *net); +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index c33f46c9b6b34..586a6c4adf246 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -174,8 +174,8 @@ static int raw_hash(struct sock *sk) + { + write_lock_bh(&raw_lock); + sk_add_node(sk, &raw_head); +- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + write_unlock_bh(&raw_lock); ++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + + return 0; + } +@@ -458,8 +458,8 @@ static int dgram_hash(struct sock *sk) + { + write_lock_bh(&dgram_lock); + sk_add_node(sk, &dgram_head); +- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + write_unlock_bh(&dgram_lock); ++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + + return 0; + } +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index f532589d26926..cc8e946768e43 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -99,8 +99,8 @@ int raw_hash_sk(struct sock *sk) + + write_lock_bh(&h->lock); + sk_add_node(sk, head); +- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + write_unlock_bh(&h->lock); ++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + + return 0; + } +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 197e12d5607f1..2071a212a2679 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -471,10 +471,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + + if (sk->sk_protocol == IPPROTO_TCP) { + struct inet_connection_sock *icsk = inet_csk(sk); +- local_bh_disable(); ++ + sock_prot_inuse_add(net, sk->sk_prot, -1); + sock_prot_inuse_add(net, &tcp_prot, 1); +- local_bh_enable(); ++ + sk->sk_prot = &tcp_prot; + icsk->icsk_af_ops = &ipv4_specific; + sk->sk_socket->ops = &inet_stream_ops; +@@ -485,10 +485,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + + if (sk->sk_protocol == IPPROTO_UDPLITE) + prot = &udplite_prot; +- local_bh_disable(); ++ + sock_prot_inuse_add(net, sk->sk_prot, -1); + sock_prot_inuse_add(net, prot, 1); +- local_bh_enable(); ++ + sk->sk_prot = prot; + sk->sk_socket->ops = &inet_dgram_ops; + sk->sk_family = PF_INET; +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 216445dd44db9..18a38db2b27eb 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -711,9 +711,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol, + if (err < 0) + goto out_module; + +- local_bh_disable(); + sock_prot_inuse_add(net, &netlink_proto, 1); +- local_bh_enable(); + + nlk = nlk_sk(sock->sk); + nlk->module = module; +@@ -813,9 +811,7 @@ static int netlink_release(struct socket *sock) + netlink_table_ungrab(); + } + +- local_bh_disable(); + sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1); +- local_bh_enable(); + call_rcu(&nlk->rcu, deferred_put_nlk_sk); + return 0; + } +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 0ab3b09f863ba..4f920502f92fe 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3092,9 +3092,7 @@ static int packet_release(struct socket *sock) + sk_del_node_init_rcu(sk); + mutex_unlock(&net->packet.sklist_lock); + +- preempt_disable(); + sock_prot_inuse_add(net, sk->sk_prot, -1); +- preempt_enable(); + + spin_lock(&po->bind_lock); + unregister_prot_hook(sk, false); +@@ -3361,9 +3359,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + sk_add_node_tail_rcu(sk, &net->packet.sklist); + mutex_unlock(&net->packet.sklist_lock); + +- preempt_disable(); + sock_prot_inuse_add(net, &packet_proto, 1); +- preempt_enable(); + + return 0; + out2: +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 57acf7ed80de3..d9271ffb29781 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -5073,12 +5073,9 @@ static int sctp_init_sock(struct sock *sk) + + SCTP_DBG_OBJCNT_INC(sock); + +- local_bh_disable(); + sk_sockets_allocated_inc(sk); + sock_prot_inuse_add(net, sk->sk_prot, 1); + +- local_bh_enable(); +- + return 0; + } + +@@ -5104,10 +5101,8 @@ static void sctp_destroy_sock(struct sock *sk) + list_del(&sp->auto_asconf_list); + } + sctp_endpoint_free(sp->ep); +- local_bh_disable(); + sk_sockets_allocated_dec(sk); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); +- local_bh_enable(); + } + + /* Triggered when there are no references on the socket anymore */ +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 8c11eb70c0f69..bd0b3a8b95d50 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -88,8 +88,8 @@ int smc_hash_sk(struct sock *sk) + + write_lock_bh(&h->lock); + sk_add_node(sk, head); +- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + write_unlock_bh(&h->lock); ++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + + return 0; + } +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 73b287b7a1154..262aeaea9861c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -515,9 +515,7 @@ static void unix_sock_destructor(struct sock *sk) + unix_release_addr(u->addr); + + atomic_long_dec(&unix_nr_socks); +- local_bh_disable(); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); +- local_bh_enable(); + #ifdef UNIX_REFCNT_DEBUG + pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk, + atomic_long_read(&unix_nr_socks)); +@@ -890,9 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, + memset(&u->scm_stat, 0, sizeof(struct scm_stat)); + unix_insert_socket(unix_sockets_unbound(sk), sk); + +- local_bh_disable(); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); +- local_bh_enable(); + + return sk; + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 1f61d15b3d1d4..da31a99ce6521 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -842,9 +842,7 @@ static int xsk_release(struct socket *sock) + sk_del_node_init_rcu(sk); + mutex_unlock(&net->xdp.lock); + +- local_bh_disable(); + sock_prot_inuse_add(net, sk->sk_prot, -1); +- local_bh_enable(); + + xsk_delete_from_maps(xs); + mutex_lock(&xs->mutex); +@@ -1465,9 +1463,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol, + sk_add_node_rcu(sk, &net->xdp.list); + mutex_unlock(&net->xdp.lock); + +- local_bh_disable(); + sock_prot_inuse_add(net, &xsk_proto, 1); +- local_bh_enable(); + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.15/net-inline-sock_prot_inuse_add.patch b/queue-5.15/net-inline-sock_prot_inuse_add.patch new file mode 100644 index 00000000000..6c694b38209 --- /dev/null +++ b/queue-5.15/net-inline-sock_prot_inuse_add.patch @@ -0,0 +1,76 @@ +From ab981fed621a211beeedabf25d14259651bfa005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 09:11:47 -0800 +Subject: net: inline sock_prot_inuse_add() + +From: Eric Dumazet + +[ Upstream commit 2a12ae5d433df3d3c3f1a930799ec09cb2b8058f ] + +sock_prot_inuse_add() is very small, we can inline it. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().") +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 14 +++++++++++--- + net/core/sock.c | 11 ----------- + 2 files changed, 11 insertions(+), 14 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index b8de579b916e8..c13c284222424 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1460,13 +1460,21 @@ proto_memory_pressure(struct proto *prot) + + + #ifdef CONFIG_PROC_FS ++#define PROTO_INUSE_NR 64 /* should be enough for the first time */ ++struct prot_inuse { ++ int val[PROTO_INUSE_NR]; ++}; + /* Called with local bh disabled */ +-void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc); ++static inline void sock_prot_inuse_add(const struct net *net, ++ const struct proto *prot, int val) ++{ ++ __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); ++} + int sock_prot_inuse_get(struct net *net, struct proto *proto); + int sock_inuse_get(struct net *net); + #else +-static inline void sock_prot_inuse_add(struct net *net, struct proto *prot, +- int inc) ++static inline void sock_prot_inuse_add(const struct net *net, ++ const struct proto *prot, int val) + { + } + #endif +diff --git a/net/core/sock.c b/net/core/sock.c +index 62e376f09f957..e79e1c7933537 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3497,19 +3497,8 @@ void sk_get_meminfo(const struct sock *sk, u32 *mem) + } + + #ifdef CONFIG_PROC_FS +-#define PROTO_INUSE_NR 64 /* should be enough for the first time */ +-struct prot_inuse { +- int val[PROTO_INUSE_NR]; +-}; +- + static DECLARE_BITMAP(proto_inuse_idx, PROTO_INUSE_NR); + +-void sock_prot_inuse_add(struct net *net, struct proto *prot, int val) +-{ +- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val); +-} +-EXPORT_SYMBOL_GPL(sock_prot_inuse_add); +- + int sock_prot_inuse_get(struct net *net, struct proto *prot) + { + int cpu, idx = prot->inuse_idx; +-- +2.43.0 + diff --git a/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch b/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch new file mode 100644 index 00000000000..ce1ea6ca0a8 --- /dev/null +++ b/queue-5.15/net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch @@ -0,0 +1,220 @@ +From 26e01ee3bec1ebf251e1e9c3050de28cba208228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 14:58:55 +0800 +Subject: net/ncsi: Fix the multi thread manner of NCSI driver + +From: DelphineCCChiu + +[ Upstream commit e85e271dec0270982afed84f70dc37703fcc1d52 ] + +Currently NCSI driver will send several NCSI commands back to back without +waiting the response of previous NCSI command or timeout in some state +when NIC have multi channel. This operation against the single thread +manner defined by NCSI SPEC(section 6.3.2.3 in DSP0222_1.1.1) + +According to NCSI SPEC(section 6.2.13.1 in DSP0222_1.1.1), we should probe +one channel at a time by sending NCSI commands (Clear initial state, Get +version ID, Get capabilities...), than repeat this steps until the max +number of channels which we got from NCSI command (Get capabilities) has +been probed. + +Fixes: e6f44ed6d04d ("net/ncsi: Package and channel management") +Signed-off-by: DelphineCCChiu +Link: https://lore.kernel.org/r/20240529065856.825241-1-delphine_cc_chiu@wiwynn.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 ++ + net/ncsi/ncsi-manage.c | 73 +++++++++++++++++++++--------------------- + net/ncsi/ncsi-rsp.c | 4 ++- + 3 files changed, 41 insertions(+), 38 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 374412ed780b6..ef0f8f73826f5 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -325,6 +325,7 @@ struct ncsi_dev_priv { + spinlock_t lock; /* Protect the NCSI device */ + unsigned int package_probe_id;/* Current ID during probe */ + unsigned int package_num; /* Number of packages */ ++ unsigned int channel_probe_id;/* Current cahnnel ID during probe */ + struct list_head packages; /* List of packages */ + struct ncsi_channel *hot_channel; /* Channel was ever active */ + struct ncsi_request requests[256]; /* Request table */ +@@ -343,6 +344,7 @@ struct ncsi_dev_priv { + bool multi_package; /* Enable multiple packages */ + bool mlx_multi_host; /* Enable multi host Mellanox */ + u32 package_whitelist; /* Packages to configure */ ++ unsigned char channel_count; /* Num of channels to probe */ + }; + + struct ncsi_cmd_arg { +diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c +index 734feb2352fbc..30f5502530374 100644 +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -510,17 +510,19 @@ static void ncsi_suspend_channel(struct ncsi_dev_priv *ndp) + + break; + case ncsi_dev_state_suspend_gls: +- ndp->pending_req_num = np->channel_num; ++ ndp->pending_req_num = 1; + + nca.type = NCSI_PKT_CMD_GLS; + nca.package = np->id; ++ nca.channel = ndp->channel_probe_id; ++ ret = ncsi_xmit_cmd(&nca); ++ if (ret) ++ goto error; ++ ndp->channel_probe_id++; + +- nd->state = ncsi_dev_state_suspend_dcnt; +- NCSI_FOR_EACH_CHANNEL(np, nc) { +- nca.channel = nc->id; +- ret = ncsi_xmit_cmd(&nca); +- if (ret) +- goto error; ++ if (ndp->channel_probe_id == ndp->channel_count) { ++ ndp->channel_probe_id = 0; ++ nd->state = ncsi_dev_state_suspend_dcnt; + } + + break; +@@ -1340,7 +1342,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + { + struct ncsi_dev *nd = &ndp->ndev; + struct ncsi_package *np; +- struct ncsi_channel *nc; + struct ncsi_cmd_arg nca; + unsigned char index; + int ret; +@@ -1418,23 +1419,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + + nd->state = ncsi_dev_state_probe_cis; + break; +- case ncsi_dev_state_probe_cis: +- ndp->pending_req_num = NCSI_RESERVED_CHANNEL; +- +- /* Clear initial state */ +- nca.type = NCSI_PKT_CMD_CIS; +- nca.package = ndp->active_package->id; +- for (index = 0; index < NCSI_RESERVED_CHANNEL; index++) { +- nca.channel = index; +- ret = ncsi_xmit_cmd(&nca); +- if (ret) +- goto error; +- } +- +- nd->state = ncsi_dev_state_probe_gvi; +- if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)) +- nd->state = ncsi_dev_state_probe_keep_phy; +- break; + case ncsi_dev_state_probe_keep_phy: + ndp->pending_req_num = 1; + +@@ -1447,14 +1431,17 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + + nd->state = ncsi_dev_state_probe_gvi; + break; ++ case ncsi_dev_state_probe_cis: + case ncsi_dev_state_probe_gvi: + case ncsi_dev_state_probe_gc: + case ncsi_dev_state_probe_gls: + np = ndp->active_package; +- ndp->pending_req_num = np->channel_num; ++ ndp->pending_req_num = 1; + +- /* Retrieve version, capability or link status */ +- if (nd->state == ncsi_dev_state_probe_gvi) ++ /* Clear initial state Retrieve version, capability or link status */ ++ if (nd->state == ncsi_dev_state_probe_cis) ++ nca.type = NCSI_PKT_CMD_CIS; ++ else if (nd->state == ncsi_dev_state_probe_gvi) + nca.type = NCSI_PKT_CMD_GVI; + else if (nd->state == ncsi_dev_state_probe_gc) + nca.type = NCSI_PKT_CMD_GC; +@@ -1462,19 +1449,29 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + nca.type = NCSI_PKT_CMD_GLS; + + nca.package = np->id; +- NCSI_FOR_EACH_CHANNEL(np, nc) { +- nca.channel = nc->id; +- ret = ncsi_xmit_cmd(&nca); +- if (ret) +- goto error; +- } ++ nca.channel = ndp->channel_probe_id; + +- if (nd->state == ncsi_dev_state_probe_gvi) ++ ret = ncsi_xmit_cmd(&nca); ++ if (ret) ++ goto error; ++ ++ if (nd->state == ncsi_dev_state_probe_cis) { ++ nd->state = ncsi_dev_state_probe_gvi; ++ if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) && ndp->channel_probe_id == 0) ++ nd->state = ncsi_dev_state_probe_keep_phy; ++ } else if (nd->state == ncsi_dev_state_probe_gvi) { + nd->state = ncsi_dev_state_probe_gc; +- else if (nd->state == ncsi_dev_state_probe_gc) ++ } else if (nd->state == ncsi_dev_state_probe_gc) { + nd->state = ncsi_dev_state_probe_gls; +- else ++ } else { ++ nd->state = ncsi_dev_state_probe_cis; ++ ndp->channel_probe_id++; ++ } ++ ++ if (ndp->channel_probe_id == ndp->channel_count) { ++ ndp->channel_probe_id = 0; + nd->state = ncsi_dev_state_probe_dp; ++ } + break; + case ncsi_dev_state_probe_dp: + ndp->pending_req_num = 1; +@@ -1775,6 +1772,7 @@ struct ncsi_dev *ncsi_register_dev(struct net_device *dev, + ndp->requests[i].ndp = ndp; + timer_setup(&ndp->requests[i].timer, ncsi_request_timeout, 0); + } ++ ndp->channel_count = NCSI_RESERVED_CHANNEL; + + spin_lock_irqsave(&ncsi_dev_lock, flags); + list_add_tail_rcu(&ndp->node, &ncsi_dev_list); +@@ -1807,6 +1805,7 @@ int ncsi_start_dev(struct ncsi_dev *nd) + + if (!(ndp->flags & NCSI_DEV_PROBED)) { + ndp->package_probe_id = 0; ++ ndp->channel_probe_id = 0; + nd->state = ncsi_dev_state_probe; + schedule_work(&ndp->work); + return 0; +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 480e80e3c2836..f22d67cb04d37 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -795,12 +795,13 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) + struct ncsi_rsp_gc_pkt *rsp; + struct ncsi_dev_priv *ndp = nr->ndp; + struct ncsi_channel *nc; ++ struct ncsi_package *np; + size_t size; + + /* Find the channel */ + rsp = (struct ncsi_rsp_gc_pkt *)skb_network_header(nr->rsp); + ncsi_find_package_and_channel(ndp, rsp->rsp.common.channel, +- NULL, &nc); ++ &np, &nc); + if (!nc) + return -ENODEV; + +@@ -835,6 +836,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr) + */ + nc->vlan_filter.bitmap = U64_MAX; + nc->vlan_filter.n_vids = rsp->vlan_cnt; ++ np->ndp->channel_count = rsp->channel_cnt; + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch b/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch new file mode 100644 index 00000000000..69fbccf8ff7 --- /dev/null +++ b/queue-5.15/net-ncsi-simplify-kconfig-dts-control-flow.patch @@ -0,0 +1,152 @@ +From db8e971e5aefe4855b8299f3e2aafa6081ffedcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 10:07:33 -0600 +Subject: net/ncsi: Simplify Kconfig/dts control flow + +From: Peter Delevoryas + +[ Upstream commit c797ce168930ce3d62a9b7fc4d7040963ee6a01e ] + +Background: + +1. CONFIG_NCSI_OEM_CMD_KEEP_PHY + +If this is enabled, we send an extra OEM Intel command in the probe +sequence immediately after discovering a channel (e.g. after "Clear +Initial State"). + +2. CONFIG_NCSI_OEM_CMD_GET_MAC + +If this is enabled, we send one of 3 OEM "Get MAC Address" commands from +Broadcom, Mellanox (Nvidida), and Intel in the *configuration* sequence +for a channel. + +3. mellanox,multi-host (or mlx,multi-host) + +Introduced by this patch: + +https://lore.kernel.org/all/20200108234341.2590674-1-vijaykhemka@fb.com/ + +Which was actually originally from cosmo.chou@quantatw.com: + +https://github.com/facebook/openbmc-linux/commit/9f132a10ec48db84613519258cd8a317fb9c8f1b + +Cosmo claimed that the Nvidia ConnectX-4 and ConnectX-6 NIC's don't +respond to Get Version ID, et. al in the probe sequence unless you send +the Set MC Affinity command first. + +Problem Statement: + +We've been using a combination of #ifdef code blocks and IS_ENABLED() +conditions to conditionally send these OEM commands. + +It makes adding any new code around these commands hard to understand. + +Solution: + +In this patch, I just want to remove the conditionally compiled blocks +of code, and always use IS_ENABLED(...) to do dynamic control flow. + +I don't think the small amount of code this adds to non-users of the OEM +Kconfigs is a big deal. + +Signed-off-by: Peter Delevoryas +Signed-off-by: David S. Miller +Stable-dep-of: e85e271dec02 ("net/ncsi: Fix the multi thread manner of NCSI driver") +Signed-off-by: Sasha Levin +--- + net/ncsi/ncsi-manage.c | 20 +++----------------- + 1 file changed, 3 insertions(+), 17 deletions(-) + +diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c +index 7121ce2a47c0b..734feb2352fbc 100644 +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -689,8 +689,6 @@ static int set_one_vid(struct ncsi_dev_priv *ndp, struct ncsi_channel *nc, + return 0; + } + +-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) +- + static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca) + { + unsigned char data[NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN]; +@@ -716,10 +714,6 @@ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca) + return ret; + } + +-#endif +- +-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) +- + /* NCSI OEM Command APIs */ + static int ncsi_oem_gma_handler_bcm(struct ncsi_cmd_arg *nca) + { +@@ -856,8 +850,6 @@ static int ncsi_gma_handler(struct ncsi_cmd_arg *nca, unsigned int mf_id) + return nch->handler(nca); + } + +-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ +- + /* Determine if a given channel from the channel_queue should be used for Tx */ + static bool ncsi_channel_is_tx(struct ncsi_dev_priv *ndp, + struct ncsi_channel *nc) +@@ -1039,20 +1031,18 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp) + goto error; + } + +- nd->state = ncsi_dev_state_config_oem_gma; ++ nd->state = IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) ++ ? ncsi_dev_state_config_oem_gma ++ : ncsi_dev_state_config_clear_vids; + break; + case ncsi_dev_state_config_oem_gma: + nd->state = ncsi_dev_state_config_clear_vids; +- ret = -1; + +-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) + nca.type = NCSI_PKT_CMD_OEM; + nca.package = np->id; + nca.channel = nc->id; + ndp->pending_req_num = 1; + ret = ncsi_gma_handler(&nca, nc->version.mf_id); +-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ +- + if (ret < 0) + schedule_work(&ndp->work); + +@@ -1404,7 +1394,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + + schedule_work(&ndp->work); + break; +-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) + case ncsi_dev_state_probe_mlx_gma: + ndp->pending_req_num = 1; + +@@ -1429,7 +1418,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + + nd->state = ncsi_dev_state_probe_cis; + break; +-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */ + case ncsi_dev_state_probe_cis: + ndp->pending_req_num = NCSI_RESERVED_CHANNEL; + +@@ -1447,7 +1435,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)) + nd->state = ncsi_dev_state_probe_keep_phy; + break; +-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) + case ncsi_dev_state_probe_keep_phy: + ndp->pending_req_num = 1; + +@@ -1460,7 +1447,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) + + nd->state = ncsi_dev_state_probe_gvi; + break; +-#endif /* CONFIG_NCSI_OEM_CMD_KEEP_PHY */ + case ncsi_dev_state_probe_gvi: + case ncsi_dev_state_probe_gc: + case ncsi_dev_state_probe_gls: +-- +2.43.0 + diff --git a/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch b/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch new file mode 100644 index 00000000000..a383053a0fa --- /dev/null +++ b/queue-5.15/net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch @@ -0,0 +1,38 @@ +From 012580408a8964b935cf4734390a75966d84b01b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 15:13:03 +0800 +Subject: net: sched: sch_multiq: fix possible OOB write in multiq_tune() + +From: Hangyu Hua + +[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ] + +q->bands will be assigned to qopt->bands to execute subsequent code logic +after kmalloc. So the old q->bands should not be used in kmalloc. +Otherwise, an out-of-bounds write will occur. + +Fixes: c2999f7fb05b ("net: sched: multiq: don't call qdisc_put() while holding tree lock") +Signed-off-by: Hangyu Hua +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_multiq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c +index 8b99f07aa3a76..caa76c96b02ba 100644 +--- a/net/sched/sch_multiq.c ++++ b/net/sched/sch_multiq.c +@@ -185,7 +185,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt, + + qopt->bands = qdisc_dev(sch)->real_num_tx_queues; + +- removed = kmalloc(sizeof(*removed) * (q->max_bands - q->bands), ++ removed = kmalloc(sizeof(*removed) * (q->max_bands - qopt->bands), + GFP_KERNEL); + if (!removed) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch b/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch new file mode 100644 index 00000000000..e1d3c7d5b3d --- /dev/null +++ b/queue-5.15/net-sched-taprio-always-validate-tca_taprio_attr_pri.patch @@ -0,0 +1,63 @@ +From cb00efe7d5844d0eb017cce05e8791cb4c6f0650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 18:15:11 +0000 +Subject: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP + +From: Eric Dumazet + +[ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ] + +If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, +taprio_parse_mqprio_opt() must validate it, or userspace +can inject arbitrary data to the kernel, the second time +taprio_change() is called. + +First call (with valid attributes) sets dev->num_tc +to a non zero value. + +Second call (with arbitrary mqprio attributes) +returns early from taprio_parse_mqprio_opt() +and bad things can happen. + +Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") +Reported-by: Noam Rathaus +Signed-off-by: Eric Dumazet +Acked-by: Vinicius Costa Gomes +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index e40b4425eb6b5..4a0986843fb5d 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -947,16 +947,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, + { + int i, j; + +- if (!qopt && !dev->num_tc) { +- NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); +- return -EINVAL; +- } +- +- /* If num_tc is already set, it means that the user already +- * configured the mqprio part +- */ +- if (dev->num_tc) ++ if (!qopt) { ++ if (!dev->num_tc) { ++ NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); ++ return -EINVAL; ++ } + return 0; ++ } + + /* Verify num_tc is not out of max range */ + if (qopt->num_tc > TC_MAX_QUEUE) { +-- +2.43.0 + diff --git a/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch b/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch new file mode 100644 index 00000000000..c93300a624c --- /dev/null +++ b/queue-5.15/nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch @@ -0,0 +1,51 @@ +From 9d2b4690a8d80d81e80ac17bbfc4cf4183de4f43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 22:42:55 +0900 +Subject: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors + +From: Ryusuke Konishi + +[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ] + +The error handling in nilfs_empty_dir() when a directory folio/page read +fails is incorrect, as in the old ext2 implementation, and if the +folio/page cannot be read or nilfs_check_folio() fails, it will falsely +determine the directory as empty and corrupt the file system. + +In addition, since nilfs_empty_dir() does not immediately return on a +failed folio/page read, but continues to loop, this can cause a long loop +with I/O if i_size of the directory's inode is also corrupted, causing the +log writer thread to wait and hang, as reported by syzbot. + +Fix these issues by making nilfs_empty_dir() immediately return a false +value (0) if it fails to get a directory folio/page. + +Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87 +Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c +index 22f1f75a90c1a..552234ef22fe7 100644 +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -627,7 +627,7 @@ int nilfs_empty_dir(struct inode *inode) + + kaddr = nilfs_get_page(inode, i, &page); + if (IS_ERR(kaddr)) +- continue; ++ return 0; + + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1); +-- +2.43.0 + diff --git a/queue-5.15/nilfs2-remove-check-for-pageerror.patch b/queue-5.15/nilfs2-remove-check-for-pageerror.patch new file mode 100644 index 00000000000..d18859b2367 --- /dev/null +++ b/queue-5.15/nilfs2-remove-check-for-pageerror.patch @@ -0,0 +1,35 @@ +From ab84725bc1775d0a3ef5fd2ea6a661463a5fd832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 18:12:25 -0400 +Subject: nilfs2: Remove check for PageError + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ] + +If read_mapping_page() encounters an error, it returns an errno, not a +page with PageError set, so this test is not needed. + +Signed-off-by: Matthew Wilcox (Oracle) +Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") +Signed-off-by: Sasha Levin +--- + fs/nilfs2/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c +index eb7de9e2a384e..24cfe9db66e02 100644 +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -194,7 +194,7 @@ static struct page *nilfs_get_page(struct inode *dir, unsigned long n) + if (!IS_ERR(page)) { + kmap(page); + if (unlikely(!PageChecked(page))) { +- if (PageError(page) || !nilfs_check_page(page)) ++ if (!nilfs_check_page(page)) + goto fail; + } + } +-- +2.43.0 + diff --git a/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch b/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch new file mode 100644 index 00000000000..2257830607f --- /dev/null +++ b/queue-5.15/nilfs2-return-the-mapped-address-from-nilfs_get_page.patch @@ -0,0 +1,146 @@ +From 396dd465c29ba59fbc07ee78f1ad824e6b0a42b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 23:30:25 +0900 +Subject: nilfs2: return the mapped address from nilfs_get_page() + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ] + +In prepartion for switching from kmap() to kmap_local(), return the kmap +address from nilfs_get_page() instead of having the caller look up +page_address(). + +[konishi.ryusuke: fixed a missing blank line after declaration] +Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors") +Signed-off-by: Sasha Levin +--- + fs/nilfs2/dir.c | 57 +++++++++++++++++++++++-------------------------- + 1 file changed, 27 insertions(+), 30 deletions(-) + +diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c +index 24cfe9db66e02..22f1f75a90c1a 100644 +--- a/fs/nilfs2/dir.c ++++ b/fs/nilfs2/dir.c +@@ -186,19 +186,24 @@ static bool nilfs_check_page(struct page *page) + return false; + } + +-static struct page *nilfs_get_page(struct inode *dir, unsigned long n) ++static void *nilfs_get_page(struct inode *dir, unsigned long n, ++ struct page **pagep) + { + struct address_space *mapping = dir->i_mapping; + struct page *page = read_mapping_page(mapping, n, NULL); ++ void *kaddr; + +- if (!IS_ERR(page)) { +- kmap(page); +- if (unlikely(!PageChecked(page))) { +- if (!nilfs_check_page(page)) +- goto fail; +- } ++ if (IS_ERR(page)) ++ return page; ++ ++ kaddr = kmap(page); ++ if (unlikely(!PageChecked(page))) { ++ if (!nilfs_check_page(page)) ++ goto fail; + } +- return page; ++ ++ *pagep = page; ++ return kaddr; + + fail: + nilfs_put_page(page); +@@ -275,14 +280,14 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx) + for ( ; n < npages; n++, offset = 0) { + char *kaddr, *limit; + struct nilfs_dir_entry *de; +- struct page *page = nilfs_get_page(inode, n); ++ struct page *page; + +- if (IS_ERR(page)) { ++ kaddr = nilfs_get_page(inode, n, &page); ++ if (IS_ERR(kaddr)) { + nilfs_error(sb, "bad page in #%lu", inode->i_ino); + ctx->pos += PAGE_SIZE - offset; + return -EIO; + } +- kaddr = page_address(page); + de = (struct nilfs_dir_entry *)(kaddr + offset); + limit = kaddr + nilfs_last_byte(inode, n) - + NILFS_DIR_REC_LEN(1); +@@ -345,11 +350,9 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, + start = 0; + n = start; + do { +- char *kaddr; ++ char *kaddr = nilfs_get_page(dir, n, &page); + +- page = nilfs_get_page(dir, n); +- if (!IS_ERR(page)) { +- kaddr = page_address(page); ++ if (!IS_ERR(kaddr)) { + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(dir, n) - reclen; + while ((char *) de <= kaddr) { +@@ -387,15 +390,11 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, + + struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p) + { +- struct page *page = nilfs_get_page(dir, 0); +- struct nilfs_dir_entry *de = NULL; ++ struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p); + +- if (!IS_ERR(page)) { +- de = nilfs_next_entry( +- (struct nilfs_dir_entry *)page_address(page)); +- *p = page; +- } +- return de; ++ if (IS_ERR(de)) ++ return NULL; ++ return nilfs_next_entry(de); + } + + ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) +@@ -459,12 +458,11 @@ int nilfs_add_link(struct dentry *dentry, struct inode *inode) + for (n = 0; n <= npages; n++) { + char *dir_end; + +- page = nilfs_get_page(dir, n); +- err = PTR_ERR(page); +- if (IS_ERR(page)) ++ kaddr = nilfs_get_page(dir, n, &page); ++ err = PTR_ERR(kaddr); ++ if (IS_ERR(kaddr)) + goto out; + lock_page(page); +- kaddr = page_address(page); + dir_end = kaddr + nilfs_last_byte(dir, n); + de = (struct nilfs_dir_entry *)kaddr; + kaddr += PAGE_SIZE - reclen; +@@ -627,11 +625,10 @@ int nilfs_empty_dir(struct inode *inode) + char *kaddr; + struct nilfs_dir_entry *de; + +- page = nilfs_get_page(inode, i); +- if (IS_ERR(page)) ++ kaddr = nilfs_get_page(inode, i, &page); ++ if (IS_ERR(kaddr)) + continue; + +- kaddr = page_address(page); + de = (struct nilfs_dir_entry *)kaddr; + kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1); + +-- +2.43.0 + diff --git a/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch b/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch new file mode 100644 index 00000000000..a9945ff8149 --- /dev/null +++ b/queue-5.15/octeontx2-af-always-allocate-pf-entries-from-low-pri.patch @@ -0,0 +1,87 @@ +From 6cbbf3cbece256826d736dea4d0ab50d3dca35cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 20:59:44 +0530 +Subject: octeontx2-af: Always allocate PF entries from low prioriy zone + +From: Subbaraya Sundeep + +[ Upstream commit 8b0f7410942cdc420c4557eda02bfcdf60ccec17 ] + +PF mcam entries has to be at low priority always so that VF +can install longest prefix match rules at higher priority. +This was taken care currently but when priority allocation +wrt reference entry is requested then entries are allocated +from mid-zone instead of low priority zone. Fix this and +always allocate entries from low priority zone for PFs. + +Fixes: 7df5b4b260dd ("octeontx2-af: Allocate low priority entries for PF") +Signed-off-by: Subbaraya Sundeep +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/af/rvu_npc.c | 33 ++++++++++++------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +index c6b6d709e5908..84003243e3b75 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -2459,7 +2459,17 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, + * - when available free entries are less. + * Lower priority ones out of avaialble free entries are always + * chosen when 'high vs low' question arises. ++ * ++ * For a VF base MCAM match rule is set by its PF. And all the ++ * further MCAM rules installed by VF on its own are ++ * concatenated with the base rule set by its PF. Hence PF entries ++ * should be at lower priority compared to VF entries. Otherwise ++ * base rule is hit always and rules installed by VF will be of ++ * no use. Hence if the request is from PF then allocate low ++ * priority entries. + */ ++ if (!(pcifunc & RVU_PFVF_FUNC_MASK)) ++ goto lprio_alloc; + + /* Get the search range for priority allocation request */ + if (req->priority) { +@@ -2468,17 +2478,6 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, + goto alloc; + } + +- /* For a VF base MCAM match rule is set by its PF. And all the +- * further MCAM rules installed by VF on its own are +- * concatenated with the base rule set by its PF. Hence PF entries +- * should be at lower priority compared to VF entries. Otherwise +- * base rule is hit always and rules installed by VF will be of +- * no use. Hence if the request is from PF and NOT a priority +- * allocation request then allocate low priority entries. +- */ +- if (!(pcifunc & RVU_PFVF_FUNC_MASK)) +- goto lprio_alloc; +- + /* Find out the search range for non-priority allocation request + * + * Get MCAM free entry count in middle zone. +@@ -2508,6 +2507,18 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc, + reverse = true; + start = 0; + end = mcam->bmap_entries; ++ /* Ensure PF requests are always at bottom and if PF requests ++ * for higher/lower priority entry wrt reference entry then ++ * honour that criteria and start search for entries from bottom ++ * and not in mid zone. ++ */ ++ if (!(pcifunc & RVU_PFVF_FUNC_MASK) && ++ req->priority == NPC_MCAM_HIGHER_PRIO) ++ end = req->ref_entry; ++ ++ if (!(pcifunc & RVU_PFVF_FUNC_MASK) && ++ req->priority == NPC_MCAM_LOWER_PRIO) ++ start = req->ref_entry; + } + + alloc: +-- +2.43.0 + diff --git a/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch b/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch new file mode 100644 index 00000000000..a4ffc848315 --- /dev/null +++ b/queue-5.15/ptp-fix-error-message-on-failed-pin-verification.patch @@ -0,0 +1,42 @@ +From f37792d6c0c499db4e2e02e7a69d41d5e837ce08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 14:05:27 +0200 +Subject: ptp: Fix error message on failed pin verification + +From: Karol Kolacinski + +[ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ] + +On failed verification of PTP clock pin, error message prints channel +number instead of pin index after "pin", which is incorrect. + +Fix error message by adding channel number to the message and printing +pin number instead of channel number. + +Fixes: 6092315dfdec ("ptp: introduce programmable pins.") +Signed-off-by: Karol Kolacinski +Acked-by: Richard Cochran +Link: https://lore.kernel.org/r/20240604120555.16643-1-karol.kolacinski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_chardev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c +index 9311f3d09c8fc..8eb902fe73a98 100644 +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -84,7 +84,8 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin, + } + + if (info->verify(info, pin, func, chan)) { +- pr_err("driver cannot use function %u on pin %u\n", func, chan); ++ pr_err("driver cannot use function %u and channel %u on pin %u\n", ++ func, chan, pin); + return -EOPNOTSUPP; + } + +-- +2.43.0 + diff --git a/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch b/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch new file mode 100644 index 00000000000..610adcbcce0 --- /dev/null +++ b/queue-5.15/pvpanic-indentation-fixes-here-and-there.patch @@ -0,0 +1,146 @@ +From 06f0f18c3ad2b8622e86d452bf46b13e1f0c79f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Aug 2021 15:43:54 +0300 +Subject: pvpanic: Indentation fixes here and there + +From: Andy Shevchenko + +[ Upstream commit 84b0f12a953c4feff9994b1c4583ed18b441f482 ] + +1) replace double spaces with single; +2) relax line width limitation a bit. + +Reviewed-by: Mihai Carabas +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210829124354.81653-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") +Signed-off-by: Sasha Levin +--- + drivers/misc/pvpanic/pvpanic-mmio.c | 7 +++---- + drivers/misc/pvpanic/pvpanic-pci.c | 12 +++++------- + drivers/misc/pvpanic/pvpanic.c | 11 ++++------- + 3 files changed, 12 insertions(+), 18 deletions(-) + +diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c +index 61dbff5f0065c..eb97167c03fb4 100644 +--- a/drivers/misc/pvpanic/pvpanic-mmio.c ++++ b/drivers/misc/pvpanic/pvpanic-mmio.c +@@ -24,8 +24,7 @@ MODULE_AUTHOR("Hu Tao "); + MODULE_DESCRIPTION("pvpanic-mmio device driver"); + MODULE_LICENSE("GPL"); + +-static ssize_t capability_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); + +@@ -33,14 +32,14 @@ static ssize_t capability_show(struct device *dev, + } + static DEVICE_ATTR_RO(capability); + +-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) ++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); + + return sysfs_emit(buf, "%x\n", pi->events); + } + +-static ssize_t events_store(struct device *dev, struct device_attribute *attr, ++static ssize_t events_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); +diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c +index 7d1220f4c95bc..07eddb5ea30fa 100644 +--- a/drivers/misc/pvpanic/pvpanic-pci.c ++++ b/drivers/misc/pvpanic/pvpanic-pci.c +@@ -19,11 +19,10 @@ + #define PCI_DEVICE_ID_REDHAT_PVPANIC 0x0011 + + MODULE_AUTHOR("Mihai Carabas "); +-MODULE_DESCRIPTION("pvpanic device driver "); ++MODULE_DESCRIPTION("pvpanic device driver"); + MODULE_LICENSE("GPL"); + +-static ssize_t capability_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); + +@@ -31,14 +30,14 @@ static ssize_t capability_show(struct device *dev, + } + static DEVICE_ATTR_RO(capability); + +-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) ++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); + + return sysfs_emit(buf, "%x\n", pi->events); + } + +-static ssize_t events_store(struct device *dev, struct device_attribute *attr, ++static ssize_t events_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { + struct pvpanic_instance *pi = dev_get_drvdata(dev); +@@ -65,8 +64,7 @@ static struct attribute *pvpanic_pci_dev_attrs[] = { + }; + ATTRIBUTE_GROUPS(pvpanic_pci_dev); + +-static int pvpanic_pci_probe(struct pci_dev *pdev, +- const struct pci_device_id *ent) ++static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct pvpanic_instance *pi; + void __iomem *base; +diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c +index 477bf9c6b6bc5..049a120063489 100644 +--- a/drivers/misc/pvpanic/pvpanic.c ++++ b/drivers/misc/pvpanic/pvpanic.c +@@ -23,7 +23,7 @@ + #include "pvpanic.h" + + MODULE_AUTHOR("Mihai Carabas "); +-MODULE_DESCRIPTION("pvpanic device driver "); ++MODULE_DESCRIPTION("pvpanic device driver"); + MODULE_LICENSE("GPL"); + + static struct list_head pvpanic_list; +@@ -45,8 +45,7 @@ pvpanic_send_event(unsigned int event) + } + + static int +-pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, +- void *unused) ++pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, void *unused) + { + unsigned int event = PVPANIC_PANICKED; + +@@ -102,8 +101,7 @@ static int pvpanic_init(void) + INIT_LIST_HEAD(&pvpanic_list); + spin_lock_init(&pvpanic_lock); + +- atomic_notifier_chain_register(&panic_notifier_list, +- &pvpanic_panic_nb); ++ atomic_notifier_chain_register(&panic_notifier_list, &pvpanic_panic_nb); + + return 0; + } +@@ -111,8 +109,7 @@ module_init(pvpanic_init); + + static void pvpanic_exit(void) + { +- atomic_notifier_chain_unregister(&panic_notifier_list, +- &pvpanic_panic_nb); ++ atomic_notifier_chain_unregister(&panic_notifier_list, &pvpanic_panic_nb); + + } + module_exit(pvpanic_exit); +-- +2.43.0 + diff --git a/queue-5.15/pvpanic-keep-single-style-across-modules.patch b/queue-5.15/pvpanic-keep-single-style-across-modules.patch new file mode 100644 index 00000000000..9a8f3cf8f53 --- /dev/null +++ b/queue-5.15/pvpanic-keep-single-style-across-modules.patch @@ -0,0 +1,82 @@ +From 1d75229b9ef3c1ca26bf3b39c0da530ef818899d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Aug 2021 15:43:52 +0300 +Subject: pvpanic: Keep single style across modules + +From: Andy Shevchenko + +[ Upstream commit 33a430419456991480cde9d8889e5a27f6049df4 ] + +We have different style on where we place module_*() and MODULE_*() macros. +Inherit the style from the original module (now pvpanic-mmio.c). + +Reviewed-by: Mihai Carabas +Link: https://lore.kernel.org/r/20210829124354.81653-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver") +Signed-off-by: Sasha Levin +--- + drivers/misc/pvpanic/pvpanic-pci.c | 14 ++++++-------- + drivers/misc/pvpanic/pvpanic.c | 3 +-- + 2 files changed, 7 insertions(+), 10 deletions(-) + +diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c +index 741116b3d9958..7d1220f4c95bc 100644 +--- a/drivers/misc/pvpanic/pvpanic-pci.c ++++ b/drivers/misc/pvpanic/pvpanic-pci.c +@@ -22,11 +22,6 @@ MODULE_AUTHOR("Mihai Carabas "); + MODULE_DESCRIPTION("pvpanic device driver "); + MODULE_LICENSE("GPL"); + +-static const struct pci_device_id pvpanic_pci_id_tbl[] = { +- { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)}, +- {} +-}; +- + static ssize_t capability_show(struct device *dev, + struct device_attribute *attr, char *buf) + { +@@ -99,6 +94,12 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, + return devm_pvpanic_probe(&pdev->dev, pi); + } + ++static const struct pci_device_id pvpanic_pci_id_tbl[] = { ++ { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)}, ++ {} ++}; ++MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl); ++ + static struct pci_driver pvpanic_pci_driver = { + .name = "pvpanic-pci", + .id_table = pvpanic_pci_id_tbl, +@@ -107,7 +108,4 @@ static struct pci_driver pvpanic_pci_driver = { + .dev_groups = pvpanic_pci_dev_groups, + }, + }; +- +-MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl); +- + module_pci_driver(pvpanic_pci_driver); +diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c +index b9e6400a574b0..477bf9c6b6bc5 100644 +--- a/drivers/misc/pvpanic/pvpanic.c ++++ b/drivers/misc/pvpanic/pvpanic.c +@@ -107,6 +107,7 @@ static int pvpanic_init(void) + + return 0; + } ++module_init(pvpanic_init); + + static void pvpanic_exit(void) + { +@@ -114,6 +115,4 @@ static void pvpanic_exit(void) + &pvpanic_panic_nb); + + } +- +-module_init(pvpanic_init); + module_exit(pvpanic_exit); +-- +2.43.0 + diff --git a/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch b/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch new file mode 100644 index 00000000000..8d6212a730a --- /dev/null +++ b/queue-5.15/selftests-mm-compaction_test-fix-bogus-test-success-.patch @@ -0,0 +1,109 @@ +From 7942fb2584daa8140ea8680021b03bf0b9c9a0d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 13:13:56 +0530 +Subject: selftests/mm: compaction_test: fix bogus test success on Aarch64 + +From: Dev Jain + +[ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ] + +Patch series "Fixes for compaction_test", v2. + +The compaction_test memory selftest introduces fragmentation in memory +and then tries to allocate as many hugepages as possible. This series +addresses some problems. + +On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since +compaction_index becomes 0, which is less than 3, due to no division by +zero exception being raised. We fix that by checking for division by +zero. + +Secondly, correctly set the number of hugepages to zero before trying +to set a large number of them. + +Now, consider a situation in which, at the start of the test, a non-zero +number of hugepages have been already set (while running the entire +selftests/mm suite, or manually by the admin). The test operates on 80% +of memory to avoid OOM-killer invocation, and because some memory is +already blocked by hugepages, it would increase the chance of OOM-killing. +Also, since mem_free used in check_compaction() is the value before we +set nr_hugepages to zero, the chance that the compaction_index will +be small is very high if the preset nr_hugepages was high, leading to a +bogus test success. + +This patch (of 3): + +Currently, if at runtime we are not able to allocate a huge page, the test +will trivially pass on Aarch64 due to no exception being raised on +division by zero while computing compaction_index. Fix that by checking +for nr_hugepages == 0. Anyways, in general, avoid a division by zero by +exiting the program beforehand. While at it, fix a typo, and handle the +case where the number of hugepages may overflow an integer. + +Link: https://lkml.kernel.org/r/20240521074358.675031-1-dev.jain@arm.com +Link: https://lkml.kernel.org/r/20240521074358.675031-2-dev.jain@arm.com +Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") +Signed-off-by: Dev Jain +Cc: Anshuman Khandual +Cc: Shuah Khan +Cc: Sri Jayaramappa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/compaction_test.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c +index 6aa6460b854ea..309b3750e57e1 100644 +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -82,12 +82,13 @@ int prereq(void) + return -1; + } + +-int check_compaction(unsigned long mem_free, unsigned int hugepage_size) ++int check_compaction(unsigned long mem_free, unsigned long hugepage_size) + { ++ unsigned long nr_hugepages_ul; + int fd, ret = -1; + int compaction_index = 0; +- char initial_nr_hugepages[10] = {0}; +- char nr_hugepages[10] = {0}; ++ char initial_nr_hugepages[20] = {0}; ++ char nr_hugepages[20] = {0}; + + /* We want to test with 80% of available memory. Else, OOM killer comes + in to play */ +@@ -136,7 +137,12 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + /* We should have been able to request at least 1/3 rd of the memory in + huge pages */ +- compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size); ++ nr_hugepages_ul = strtoul(nr_hugepages, NULL, 10); ++ if (!nr_hugepages_ul) { ++ ksft_print_msg("ERROR: No memory is available as huge pages\n"); ++ goto close_fd; ++ } ++ compaction_index = mem_free/(nr_hugepages_ul * hugepage_size); + + lseek(fd, 0, SEEK_SET); + +@@ -147,11 +153,11 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + goto close_fd; + } + +- ksft_print_msg("Number of huge pages allocated = %d\n", +- atoi(nr_hugepages)); ++ ksft_print_msg("Number of huge pages allocated = %lu\n", ++ nr_hugepages_ul); + + if (compaction_index > 3) { +- ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" ++ ksft_print_msg("ERROR: Less than 1/%d of memory is available\n" + "as huge pages\n", compaction_index); + goto close_fd; + } +-- +2.43.0 + diff --git a/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch b/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch new file mode 100644 index 00000000000..ae14829955c --- /dev/null +++ b/queue-5.15/selftests-mm-compaction_test-fix-incorrect-write-of-.patch @@ -0,0 +1,43 @@ +From 8122b9a1d85ed20baf5b0f0dc31e8a912e38559f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 13:13:57 +0530 +Subject: selftests/mm: compaction_test: fix incorrect write of zero to + nr_hugepages + +From: Dev Jain + +[ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ] + +Currently, the test tries to set nr_hugepages to zero, but that is not +actually done because the file offset is not reset after read(). Fix that +using lseek(). + +Link: https://lkml.kernel.org/r/20240521074358.675031-3-dev.jain@arm.com +Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") +Signed-off-by: Dev Jain +Cc: +Cc: Anshuman Khandual +Cc: Shuah Khan +Cc: Sri Jayaramappa +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/compaction_test.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c +index 9b420140ba2ba..55dec92e1e58c 100644 +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -103,6 +103,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + goto close_fd; + } + ++ lseek(fd, 0, SEEK_SET); ++ + /* Start with the initial condition of 0 huge pages*/ + if (write(fd, "0", sizeof(char)) != sizeof(char)) { + perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n"); +-- +2.43.0 + diff --git a/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch b/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch new file mode 100644 index 00000000000..1f6518cd7cb --- /dev/null +++ b/queue-5.15/selftests-mm-conform-test-to-tap-format-output.patch @@ -0,0 +1,229 @@ +From fc916f38ee158cfe606782f4c93fb9e349c54cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jan 2024 13:36:12 +0500 +Subject: selftests/mm: conform test to TAP format output + +From: Muhammad Usama Anjum + +[ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ] + +Conform the layout, informational and status messages to TAP. No +functional change is intended other than the layout of output messages. + +Link: https://lkml.kernel.org/r/20240101083614.1076768-1-usama.anjum@collabora.com +Signed-off-by: Muhammad Usama Anjum +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/compaction_test.c | 91 ++++++++++---------- + 1 file changed, 44 insertions(+), 47 deletions(-) + +diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c +index 55dec92e1e58c..f81931c1f8386 100644 +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -33,7 +33,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize) + FILE *cmdfile = popen(cmd, "r"); + + if (!(fgets(buffer, sizeof(buffer), cmdfile))) { +- perror("Failed to read meminfo\n"); ++ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno)); + return -1; + } + +@@ -44,7 +44,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize) + cmdfile = popen(cmd, "r"); + + if (!(fgets(buffer, sizeof(buffer), cmdfile))) { +- perror("Failed to read meminfo\n"); ++ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno)); + return -1; + } + +@@ -62,14 +62,14 @@ int prereq(void) + fd = open("/proc/sys/vm/compact_unevictable_allowed", + O_RDONLY | O_NONBLOCK); + if (fd < 0) { +- perror("Failed to open\n" +- "/proc/sys/vm/compact_unevictable_allowed\n"); ++ ksft_print_msg("Failed to open /proc/sys/vm/compact_unevictable_allowed: %s\n", ++ strerror(errno)); + return -1; + } + + if (read(fd, &allowed, sizeof(char)) != sizeof(char)) { +- perror("Failed to read from\n" +- "/proc/sys/vm/compact_unevictable_allowed\n"); ++ ksft_print_msg("Failed to read from /proc/sys/vm/compact_unevictable_allowed: %s\n", ++ strerror(errno)); + close(fd); + return -1; + } +@@ -78,12 +78,13 @@ int prereq(void) + if (allowed == '1') + return 0; + ++ ksft_print_msg("Compaction isn't allowed\n"); + return -1; + } + + int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + { +- int fd; ++ int fd, ret = -1; + int compaction_index = 0; + char initial_nr_hugepages[10] = {0}; + char nr_hugepages[10] = {0}; +@@ -94,12 +95,14 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK); + if (fd < 0) { +- perror("Failed to open /proc/sys/vm/nr_hugepages"); ++ ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + return -1; + } + + if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) { +- perror("Failed to read from /proc/sys/vm/nr_hugepages"); ++ ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -107,7 +110,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + /* Start with the initial condition of 0 huge pages*/ + if (write(fd, "0", sizeof(char)) != sizeof(char)) { +- perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n"); ++ ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -116,14 +120,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + /* Request a large number of huge pages. The Kernel will allocate + as much as it can */ + if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { +- perror("Failed to write 100000 to /proc/sys/vm/nr_hugepages\n"); ++ ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + + lseek(fd, 0, SEEK_SET); + + if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { +- perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n"); ++ ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -131,67 +137,58 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + huge pages */ + compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size); + +- if (compaction_index > 3) { +- printf("No of huge pages allocated = %d\n", +- (atoi(nr_hugepages))); +- fprintf(stderr, "ERROR: Less that 1/%d of memory is available\n" +- "as huge pages\n", compaction_index); +- goto close_fd; +- } +- +- printf("No of huge pages allocated = %d\n", +- (atoi(nr_hugepages))); +- + lseek(fd, 0, SEEK_SET); + + if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages)) + != strlen(initial_nr_hugepages)) { +- perror("Failed to write value to /proc/sys/vm/nr_hugepages\n"); ++ ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +- close(fd); +- return 0; ++ if (compaction_index > 3) { ++ ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" ++ "as huge pages\n", compaction_index); ++ ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages))); ++ goto close_fd; ++ } ++ ++ ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n", ++ (atoi(nr_hugepages))); ++ ret = 0; + + close_fd: + close(fd); +- printf("Not OK. Compaction test failed."); +- return -1; ++ return ret; + } + + + int main(int argc, char **argv) + { + struct rlimit lim; +- struct map_list *list, *entry; ++ struct map_list *list = NULL, *entry; + size_t page_size, i; + void *map = NULL; + unsigned long mem_free = 0; + unsigned long hugepage_size = 0; + long mem_fragmentable_MB = 0; + +- if (prereq() != 0) { +- printf("Either the sysctl compact_unevictable_allowed is not\n" +- "set to 1 or couldn't read the proc file.\n" +- "Skipping the test\n"); +- return KSFT_SKIP; +- } ++ ksft_print_header(); ++ ++ if (prereq() != 0) ++ return ksft_exit_pass(); ++ ++ ksft_set_plan(1); + + lim.rlim_cur = RLIM_INFINITY; + lim.rlim_max = RLIM_INFINITY; +- if (setrlimit(RLIMIT_MEMLOCK, &lim)) { +- perror("Failed to set rlimit:\n"); +- return -1; +- } ++ if (setrlimit(RLIMIT_MEMLOCK, &lim)) ++ ksft_exit_fail_msg("Failed to set rlimit: %s\n", strerror(errno)); + + page_size = getpagesize(); + +- list = NULL; +- +- if (read_memory_info(&mem_free, &hugepage_size) != 0) { +- printf("ERROR: Cannot read meminfo\n"); +- return -1; +- } ++ if (read_memory_info(&mem_free, &hugepage_size) != 0) ++ ksft_exit_fail_msg("Failed to get meminfo\n"); + + mem_fragmentable_MB = mem_free * 0.8 / 1024; + +@@ -227,7 +224,7 @@ int main(int argc, char **argv) + } + + if (check_compaction(mem_free, hugepage_size) == 0) +- return 0; ++ return ksft_exit_pass(); + +- return -1; ++ return ksft_exit_fail(); + } +-- +2.43.0 + diff --git a/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch b/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch new file mode 100644 index 00000000000..7f004635829 --- /dev/null +++ b/queue-5.15/selftests-mm-log-a-consistent-test-name-for-check_co.patch @@ -0,0 +1,124 @@ +From 853c0f059d7a91d4bd850040a0da0512dbfeedda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 14:30:04 +0000 +Subject: selftests/mm: log a consistent test name for check_compaction + +From: Mark Brown + +[ Upstream commit f3b7568c49420d2dcd251032c9ca1e069ec8a6c9 ] + +Every test result report in the compaction test prints a distinct log +messae, and some of the reports print a name that varies at runtime. This +causes problems for automation since a lot of automation software uses the +printed string as the name of the test, if the name varies from run to run +and from pass to fail then the automation software can't identify that a +test changed result or that the same tests are being run. + +Refactor the logging to use a consistent name when printing the result of +the test, printing the existing messages as diagnostic information instead +so they are still available for people trying to interpret the results. + +Link: https://lkml.kernel.org/r/20240209-kselftest-mm-cleanup-v1-2-a3c0386496b5@kernel.org +Signed-off-by: Mark Brown +Cc: Muhammad Usama Anjum +Cc: Ryan Roberts +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/compaction_test.c | 35 +++++++++++--------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c +index f81931c1f8386..6aa6460b854ea 100644 +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -95,14 +95,15 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK); + if (fd < 0) { +- ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); +- return -1; ++ ksft_print_msg("Failed to open /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); ++ ret = -1; ++ goto out; + } + + if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) { +- ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ ksft_print_msg("Failed to read from /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -110,8 +111,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + /* Start with the initial condition of 0 huge pages*/ + if (write(fd, "0", sizeof(char)) != sizeof(char)) { +- ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ ksft_print_msg("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -120,16 +121,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + /* Request a large number of huge pages. The Kernel will allocate + as much as it can */ + if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { +- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + + lseek(fd, 0, SEEK_SET); + + if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { +- ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ ksft_print_msg("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + +@@ -141,24 +142,26 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size) + + if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages)) + != strlen(initial_nr_hugepages)) { +- ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ ksft_print_msg("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n", ++ strerror(errno)); + goto close_fd; + } + ++ ksft_print_msg("Number of huge pages allocated = %d\n", ++ atoi(nr_hugepages)); ++ + if (compaction_index > 3) { + ksft_print_msg("ERROR: Less that 1/%d of memory is available\n" + "as huge pages\n", compaction_index); +- ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages))); + goto close_fd; + } + +- ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n", +- (atoi(nr_hugepages))); + ret = 0; + + close_fd: + close(fd); ++ out: ++ ksft_test_result(ret == 0, "check_compaction\n"); + return ret; + } + +-- +2.43.0 + diff --git a/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch b/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch new file mode 100644 index 00000000000..c4451f791c8 --- /dev/null +++ b/queue-5.15/serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch @@ -0,0 +1,96 @@ +From 8caf55f63a641ad26dbc95f25a4d9d3e1308b18b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 16:04:30 -0400 +Subject: serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using + prescaler + +From: Hugo Villeneuve + +[ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ] + +When using a high speed clock with a low baud rate, the 4x prescaler is +automatically selected if required. In that case, sc16is7xx_set_baud() +properly configures the chip registers, but returns an incorrect baud +rate by not taking into account the prescaler value. This incorrect baud +rate is then fed to uart_update_timeout(). + +For example, with an input clock of 80MHz, and a selected baud rate of 50, +sc16is7xx_set_baud() will return 200 instead of 50. + +Fix this by first changing the prescaler variable to hold the selected +prescaler value instead of the MCR bitfield. Then properly take into +account the selected prescaler value in the return value computation. + +Also add better documentation about the divisor value computation. + +Fixes: dfeae619d781 ("serial: sc16is7xx") +Cc: stable@vger.kernel.org +Signed-off-by: Hugo Villeneuve +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20240430200431.4102923-1-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sc16is7xx.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 25e625c2ee74b..d274a847c6ab3 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -490,16 +490,28 @@ static bool sc16is7xx_regmap_noinc(struct device *dev, unsigned int reg) + return reg == SC16IS7XX_RHR_REG; + } + ++/* ++ * Configure programmable baud rate generator (divisor) according to the ++ * desired baud rate. ++ * ++ * From the datasheet, the divisor is computed according to: ++ * ++ * XTAL1 input frequency ++ * ----------------------- ++ * prescaler ++ * divisor = --------------------------- ++ * baud-rate x sampling-rate ++ */ + static int sc16is7xx_set_baud(struct uart_port *port, int baud) + { + struct sc16is7xx_port *s = dev_get_drvdata(port->dev); + u8 lcr; +- u8 prescaler = 0; ++ unsigned int prescaler = 1; + unsigned long clk = port->uartclk, div = clk / 16 / baud; + + if (div >= BIT(16)) { +- prescaler = SC16IS7XX_MCR_CLKSEL_BIT; +- div /= 4; ++ prescaler = 4; ++ div /= prescaler; + } + + /* In an amazing feat of design, the Enhanced Features Register shares +@@ -534,9 +546,10 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + + mutex_unlock(&s->efr_lock); + ++ /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ + sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, + SC16IS7XX_MCR_CLKSEL_BIT, +- prescaler); ++ prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + + /* Open the LCR divisors for configuration */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, +@@ -551,7 +564,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + /* Put LCR back to the normal mode */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + +- return DIV_ROUND_CLOSEST(clk / 16, div); ++ return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); + } + + static void sc16is7xx_handle_rx(struct uart_port *port, unsigned int rxlen, +-- +2.43.0 + diff --git a/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch b/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch new file mode 100644 index 00000000000..612d1c87426 --- /dev/null +++ b/queue-5.15/serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch @@ -0,0 +1,39 @@ +From 33192d74cb6f30113e61243ae4fae4f917008d94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 18:18:19 -0500 +Subject: serial: sc16is7xx: replace hardcoded divisor value with BIT() macro + +From: Hugo Villeneuve + +[ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ] + +To better show why the limit is what it is, since we have only 16 bits for +the divisor. + +Reviewed-by: Andy Shevchenko +Suggested-by: Andy Shevchenko +Signed-off-by: Hugo Villeneuve +Link: https://lore.kernel.org/r/20231221231823.2327894-13-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sc16is7xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 35f8675db1d89..25e625c2ee74b 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -497,7 +497,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + u8 prescaler = 0; + unsigned long clk = port->uartclk, div = clk / 16 / baud; + +- if (div > 0xffff) { ++ if (div >= BIT(16)) { + prescaler = SC16IS7XX_MCR_CLKSEL_BIT; + div /= 4; + } +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index f81d18d4e95..1821948446c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -386,3 +386,89 @@ edac-igen6-convert-pcibios_-return-codes-to-errnos.patch nfs-fix-undefined-behavior-in-nfs_block_bits.patch nfs-fix-read_plus-when-server-doesn-t-support-op_read_plus.patch scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch +wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch +wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch +wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch +wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch +wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch +wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch +wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch +wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch +wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch +net-ncsi-simplify-kconfig-dts-control-flow.patch +net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch +ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch +bpf-set-run-context-for-rawtp-test_run-callback.patch +octeontx2-af-always-allocate-pf-entries-from-low-pri.patch +net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch +vxlan-fix-regression-when-dropping-packets-due-to-in.patch +tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch +net-sched-taprio-always-validate-tca_taprio_attr_pri.patch +ptp-fix-error-message-on-failed-pin-verification.patch +af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch +af_unix-annodate-data-races-around-sk-sk_state-for-w.patch +af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch +af_unix-annotate-data-races-around-sk-sk_state-in-un.patch +net-inline-sock_prot_inuse_add.patch +net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch +af_unix-use-offsetof-instead-of-sizeof.patch +af_unix-pass-struct-sock-to-unix_autobind.patch +af_unix-factorise-unix_find_other-based-on-address-t.patch +af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch +af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch +af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch +af_unix-clean-up-some-sock_net-uses.patch +af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch +af_unix-annotate-data-races-around-sk-sk_state-in-se.patch +af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290 +af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162 +af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch +af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch +af_unix-annotate-lockless-accesses-to-sk-sk_err.patch +af_unix-use-skb_queue_empty_lockless-in-unix_release.patch +af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch +af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch +ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch +usb-gadget-f_fs-use-io_data-status-consistently.patch +usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch +iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch +drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch +drm-amd-display-clean-up-some-inconsistent-indenting.patch +drm-amd-display-drop-unnecessary-null-checks-in-debu.patch +drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch +pvpanic-keep-single-style-across-modules.patch +pvpanic-indentation-fixes-here-and-there.patch +misc-pvpanic-deduplicate-common-code.patch +misc-pvpanic-pci-register-attributes-via-pci_driver.patch +skbuff-introduce-skb_pull_data.patch +bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch +bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch +bluetooth-btqca-add-wcn3988-support.patch +bluetooth-qca-use-switch-case-for-soc-type-behavior.patch +bluetooth-qca-add-support-for-qca2066.patch +bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch +serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch +serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch +x86-ibt-ftrace-search-for-__fentry__-location.patch +ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch +mmc-davinci_mmc-convert-to-platform-remove-callback-.patch +mmc-davinci-don-t-strip-remove-function-when-driver-.patch +mm-mprotect-use-mmu_gather.patch +mm-mprotect-do-not-flush-when-not-required-architect.patch +mm-avoid-unnecessary-flush-on-change_huge_pmd.patch +mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch +i2c-add-fwnode-apis.patch +i2c-acpi-unbind-mux-adapters-before-delete.patch +cma-factor-out-minimum-alignment-requirement.patch +mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch +selftests-mm-compaction_test-fix-incorrect-write-of-.patch +selftests-mm-conform-test-to-tap-format-output.patch +selftests-mm-log-a-consistent-test-name-for-check_co.patch +selftests-mm-compaction_test-fix-bogus-test-success-.patch +wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch +wifi-ath10k-fix-qcom_smem-dependency.patch +wifi-ath10k-fix-qcom_rproc_common-dependency.patch +btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch +nilfs2-remove-check-for-pageerror.patch +nilfs2-return-the-mapped-address-from-nilfs_get_page.patch +nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch diff --git a/queue-5.15/skbuff-introduce-skb_pull_data.patch b/queue-5.15/skbuff-introduce-skb_pull_data.patch new file mode 100644 index 00000000000..df44f568fbe --- /dev/null +++ b/queue-5.15/skbuff-introduce-skb_pull_data.patch @@ -0,0 +1,83 @@ +From 2d4f94517222d0fa628417ac8333611548ca21fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 10:54:52 -0800 +Subject: skbuff: introduce skb_pull_data + +From: Luiz Augusto von Dentz + +[ Upstream commit 13244cccc2b61ec715f0ac583d3037497004d4a5 ] + +Like skb_pull but returns the original data pointer before pulling the +data after performing a check against sbk->len. + +This allows to change code that does "struct foo *p = (void *)skb->data;" +which is hard to audit and error prone, to: + + p = skb_pull_data(skb, sizeof(*p)); + if (!p) + return; + +Which is both safer and cleaner. + +Acked-by: Jakub Kicinski +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Dan Carpenter +Signed-off-by: Marcel Holtmann +Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 2 ++ + net/core/skbuff.c | 24 ++++++++++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 15de91c65a09a..b230c422dc3b9 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2447,6 +2447,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len) + return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len); + } + ++void *skb_pull_data(struct sk_buff *skb, size_t len); ++ + void *__pskb_pull_tail(struct sk_buff *skb, int delta); + + static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 4ec8cfd357eba..17073429cc365 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2071,6 +2071,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len) + } + EXPORT_SYMBOL(skb_pull); + ++/** ++ * skb_pull_data - remove data from the start of a buffer returning its ++ * original position. ++ * @skb: buffer to use ++ * @len: amount of data to remove ++ * ++ * This function removes data from the start of a buffer, returning ++ * the memory to the headroom. A pointer to the original data in the buffer ++ * is returned after checking if there is enough data to pull. Once the ++ * data has been pulled future pushes will overwrite the old data. ++ */ ++void *skb_pull_data(struct sk_buff *skb, size_t len) ++{ ++ void *data = skb->data; ++ ++ if (skb->len < len) ++ return NULL; ++ ++ skb_pull(skb, len); ++ ++ return data; ++} ++EXPORT_SYMBOL(skb_pull_data); ++ + /** + * skb_trim - remove end from a buffer + * @skb: buffer to alter +-- +2.43.0 + diff --git a/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch b/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch new file mode 100644 index 00000000000..6b2496d2cd6 --- /dev/null +++ b/queue-5.15/tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch @@ -0,0 +1,71 @@ +From bd1a843eb8e9bc02a9d6eb451012475bcef63b78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 01:02:16 +0800 +Subject: tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB + +From: Jason Xing + +[ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ] + +According to RFC 1213, we should also take CLOSE-WAIT sockets into +consideration: + + "tcpCurrEstab OBJECT-TYPE + ... + The number of TCP connections for which the current state + is either ESTABLISHED or CLOSE- WAIT." + +After this, CurrEstab counter will display the total number of +ESTABLISHED and CLOSE-WAIT sockets. + +The logic of counting +When we increment the counter? +a) if we change the state to ESTABLISHED. +b) if we change the state from SYN-RECEIVED to CLOSE-WAIT. + +When we decrement the counter? +a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT, +say, on the client side, changing from ESTABLISHED to FIN-WAIT-1. +b) if the socket leaves CLOSE-WAIT, say, on the server side, changing +from CLOSE-WAIT to LAST-ACK. + +Please note: there are two chances that old state of socket can be changed +to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED. +So we have to take care of the former case. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 9c7998377d6bd..31c572882b41f 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2619,6 +2619,10 @@ void tcp_set_state(struct sock *sk, int state) + if (oldstate != TCP_ESTABLISHED) + TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); + break; ++ case TCP_CLOSE_WAIT: ++ if (oldstate == TCP_SYN_RECV) ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); ++ break; + + case TCP_CLOSE: + if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED) +@@ -2630,7 +2634,7 @@ void tcp_set_state(struct sock *sk, int state) + inet_put_port(sk); + fallthrough; + default: +- if (oldstate == TCP_ESTABLISHED) ++ if (oldstate == TCP_ESTABLISHED || oldstate == TCP_CLOSE_WAIT) + TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB); + } + +-- +2.43.0 + diff --git a/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch b/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch new file mode 100644 index 00000000000..a67da127842 --- /dev/null +++ b/queue-5.15/usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch @@ -0,0 +1,95 @@ +From 2ad8b03cc0c9d860a128967ac53f5515871ca327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 18:40:59 -0700 +Subject: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request + complete + +From: Wesley Cheng + +[ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ] + +FFS based applications can utilize the aio_cancel() callback to dequeue +pending USB requests submitted to the UDC. There is a scenario where the +FFS application issues an AIO cancel call, while the UDC is handling a +soft disconnect. For a DWC3 based implementation, the callstack looks +like the following: + + DWC3 Gadget FFS Application +dwc3_gadget_soft_disconnect() ... + --> dwc3_stop_active_transfers() + --> dwc3_gadget_giveback(-ESHUTDOWN) + --> ffs_epfile_async_io_complete() ffs_aio_cancel() + --> usb_ep_free_request() --> usb_ep_dequeue() + +There is currently no locking implemented between the AIO completion +handler and AIO cancel, so the issue occurs if the completion routine is +running in parallel to an AIO cancel call coming from the FFS application. +As the completion call frees the USB request (io_data->req) the FFS +application is also referencing it for the usb_ep_dequeue() call. This can +lead to accessing a stale/hanging pointer. + +commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") +relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). +However, in order to properly implement locking to mitigate this issue, the +spinlock can't be added to ffs_epfile_async_io_complete(), as +usb_ep_dequeue() (if successfully dequeuing a USB request) will call the +function driver's completion handler in the same context. Hence, leading +into a deadlock. + +Fix this issue by moving the usb_ep_free_request() back to +ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req +to NULL after freeing it within the ffs->eps_lock. This resolves the race +condition above, as the ffs_aio_cancel() routine will not continue +attempting to dequeue a request that has already been freed, or the +ffs_user_copy_work() not freeing the USB request until the AIO cancel is +done referencing it. + +This fix depends on + commit b566d38857fc ("usb: gadget: f_fs: use io_data->status + consistently") + +Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") +Cc: stable # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 37d18e27ddc64..ad858044e0bfd 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -832,6 +832,7 @@ static void ffs_user_copy_worker(struct work_struct *work) + work); + int ret = io_data->status; + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; ++ unsigned long flags; + + if (io_data->read && ret > 0) { + kthread_use_mm(io_data->mm); +@@ -844,6 +845,11 @@ static void ffs_user_copy_worker(struct work_struct *work) + if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) + eventfd_signal(io_data->ffs->ffs_eventfd, 1); + ++ spin_lock_irqsave(&io_data->ffs->eps_lock, flags); ++ usb_ep_free_request(io_data->ep, io_data->req); ++ io_data->req = NULL; ++ spin_unlock_irqrestore(&io_data->ffs->eps_lock, flags); ++ + if (io_data->read) + kfree(io_data->to_free); + ffs_free_buffer(io_data); +@@ -859,7 +865,6 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep, + ENTER(); + + io_data->status = req->status ? req->status : req->actual; +- usb_ep_free_request(_ep, req); + + INIT_WORK(&io_data->work, ffs_user_copy_worker); + queue_work(ffs->io_completion_wq, &io_data->work); +-- +2.43.0 + diff --git a/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch b/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch new file mode 100644 index 00000000000..c876cdecfbb --- /dev/null +++ b/queue-5.15/usb-gadget-f_fs-use-io_data-status-consistently.patch @@ -0,0 +1,65 @@ +From b9cb2103b4d487c469b2b22b29d80343f0db2928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 17:04:28 +0000 +Subject: usb: gadget: f_fs: use io_data->status consistently + +From: John Keeping + +[ Upstream commit b566d38857fcb6777f25b674b90a831eec0817a2 ] + +Commit fb1f16d74e26 ("usb: gadget: f_fs: change ep->status safe in +ffs_epfile_io()") added a new ffs_io_data::status field to fix lifetime +issues in synchronous requests. + +While there are no similar lifetime issues for asynchronous requests +(the separate ep member in ffs_io_data avoids them) using the status +field means the USB request can be freed earlier and that there is more +consistency between the synchronous and asynchronous I/O paths. + +Cc: Linyu Yuan +Signed-off-by: John Keeping +Reviewed-by: Linyu Yuan +Link: https://lore.kernel.org/r/20221124170430.3998755-1-john@metanate.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 24729b307eef ("usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index a4367a43cdd87..37d18e27ddc64 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -830,8 +830,7 @@ static void ffs_user_copy_worker(struct work_struct *work) + { + struct ffs_io_data *io_data = container_of(work, struct ffs_io_data, + work); +- int ret = io_data->req->status ? io_data->req->status : +- io_data->req->actual; ++ int ret = io_data->status; + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { +@@ -845,8 +844,6 @@ static void ffs_user_copy_worker(struct work_struct *work) + if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) + eventfd_signal(io_data->ffs->ffs_eventfd, 1); + +- usb_ep_free_request(io_data->ep, io_data->req); +- + if (io_data->read) + kfree(io_data->to_free); + ffs_free_buffer(io_data); +@@ -861,6 +858,9 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep, + + ENTER(); + ++ io_data->status = req->status ? req->status : req->actual; ++ usb_ep_free_request(_ep, req); ++ + INIT_WORK(&io_data->work, ffs_user_copy_worker); + queue_work(ffs->io_completion_wq, &io_data->work); + } +-- +2.43.0 + diff --git a/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch b/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch new file mode 100644 index 00000000000..52f5a77a1a6 --- /dev/null +++ b/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-in.patch @@ -0,0 +1,65 @@ +From 347d5f5211f188728422fcaa093770a7d47d5931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 10:59:26 +0200 +Subject: vxlan: Fix regression when dropping packets due to invalid src + addresses + +From: Daniel Borkmann + +[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ] + +Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +has recently been added to vxlan mainly in the context of source +address snooping/learning so that when it is enabled, an entry in the +FDB is not being created for an invalid address for the corresponding +tunnel endpoint. + +Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in +that it passed through whichever macs were set in the L2 header. It +turns out that this change in behavior breaks setups, for example, +Cilium with netkit in L3 mode for Pods as well as tunnel mode has been +passing before the change in f58f45c1e5b9 for both vxlan and geneve. +After mentioned change it is only passing for geneve as in case of +vxlan packets are dropped due to vxlan_set_mac() returning false as +source and destination macs are zero which for E/W traffic via tunnel +is totally fine. + +Fix it by only opting into the is_valid_ether_addr() check in +vxlan_set_mac() when in fact source address snooping/learning is +actually enabled in vxlan. This is done by moving the check into +vxlan_snoop(). With this change, the Cilium connectivity test suite +passes again for both tunnel flavors. + +Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +Signed-off-by: Daniel Borkmann +Cc: David Bauer +Cc: Ido Schimmel +Cc: Nikolay Aleksandrov +Cc: Martin KaFai Lau +Reviewed-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: David Bauer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 41b1b23fdd3e9..65a2f4ab89970 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1493,6 +1493,10 @@ static bool vxlan_snoop(struct net_device *dev, + struct vxlan_fdb *f; + u32 ifindex = 0; + ++ /* Ignore packets from invalid src-address */ ++ if (!is_valid_ether_addr(src_mac)) ++ return true; ++ + #if IS_ENABLED(CONFIG_IPV6) + if (src_ip->sa.sa_family == AF_INET6 && + (ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL)) +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch b/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch new file mode 100644 index 00000000000..cbbbd12e40f --- /dev/null +++ b/queue-5.15/wifi-ath10k-fix-qcom_rproc_common-dependency.patch @@ -0,0 +1,45 @@ +From 007ce78d1573733ad037be53635cf0f2ab6c9ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 10:00:28 +0300 +Subject: wifi: ath10k: fix QCOM_RPROC_COMMON dependency + +From: Dmitry Baryshkov + +[ Upstream commit 21ae74e1bf18331ae5e279bd96304b3630828009 ] + +If ath10k_snoc is built-in, while Qualcomm remoteprocs are built as +modules, compilation fails with: + +/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_init': +drivers/net/wireless/ath/ath10k/snoc.c:1534: undefined reference to `qcom_register_ssr_notifier' +/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_deinit': +drivers/net/wireless/ath/ath10k/snoc.c:1551: undefined reference to `qcom_unregister_ssr_notifier' + +Add corresponding dependency to ATH10K_SNOC Kconfig entry so that it's +built as module if QCOM_RPROC_COMMON is built as module too. + +Fixes: 747ff7d3d742 ("ath10k: Don't always treat modem stop events as crashes") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240511-ath10k-snoc-dep-v1-1-9666e3af5c27@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig +index e6ea884cafc19..4f385f4a8cef2 100644 +--- a/drivers/net/wireless/ath/ath10k/Kconfig ++++ b/drivers/net/wireless/ath/ath10k/Kconfig +@@ -45,6 +45,7 @@ config ATH10K_SNOC + depends on ATH10K + depends on ARCH_QCOM || COMPILE_TEST + depends on QCOM_SMEM ++ depends on QCOM_RPROC_COMMON || QCOM_RPROC_COMMON=n + select QCOM_SCM + select QCOM_QMI_HELPERS + help +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch b/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch new file mode 100644 index 00000000000..c3aa85fa784 --- /dev/null +++ b/queue-5.15/wifi-ath10k-fix-qcom_smem-dependency.patch @@ -0,0 +1,47 @@ +From 12b52b078e5bfd61b72af37318d48c6d850cce63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 12:30:27 +0200 +Subject: wifi: ath10k: fix QCOM_SMEM dependency + +From: Kalle Valo + +[ Upstream commit d03407183d97554dfffea70f385b5bdd520f846c ] + +Nathan noticed that when HWSPINLOCK is disabled there's a Kconfig warning: + + WARNING: unmet direct dependencies detected for QCOM_SMEM + Depends on [n]: (ARCH_QCOM [=y] || COMPILE_TEST [=n]) && HWSPINLOCK [=n] + Selected by [m]: + - ATH10K_SNOC [=m] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && ATH10K [=m] && (ARCH_QCOM [=y] || COMPILE_TEST [=n]) + +The problem here is that QCOM_SMEM depends on HWSPINLOCK so we cannot select +QCOM_SMEM and instead we neeed to use 'depends on'. + +Reported-by: Nathan Chancellor +Link: https://lore.kernel.org/all/Y4YsyaIW+CPdHWv3@dev-arch.thelio-3990X/ +Fixes: 4d79f6f34bbb ("wifi: ath10k: Store WLAN firmware version in SMEM image table") +Signed-off-by: Kalle Valo +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221202103027.25974-1-kvalo@kernel.org +Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig +index e0a51dad8e420..e6ea884cafc19 100644 +--- a/drivers/net/wireless/ath/ath10k/Kconfig ++++ b/drivers/net/wireless/ath/ath10k/Kconfig +@@ -44,7 +44,7 @@ config ATH10K_SNOC + tristate "Qualcomm ath10k SNOC support" + depends on ATH10K + depends on ARCH_QCOM || COMPILE_TEST +- select QCOM_SMEM ++ depends on QCOM_SMEM + select QCOM_SCM + select QCOM_QMI_HELPERS + help +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch b/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch new file mode 100644 index 00000000000..27bf426698a --- /dev/null +++ b/queue-5.15/wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch @@ -0,0 +1,123 @@ +From a54a8f74e25cdef2f972684f063bd23c9b4bab95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 23:35:34 +0530 +Subject: wifi: ath10k: Store WLAN firmware version in SMEM image table + +From: Youghandhar Chintala + +[ Upstream commit 4d79f6f34bbb01c6715b31ef457d5ab0390501a1 ] + +In a SoC based solution, it would be useful to know the versions of the +various binary firmware blobs the system is running on. On a QCOM based +SoC, this info can be obtained from socinfo debugfs infrastructure. For +this to work, respective subsystem drivers have to export the firmware +version information to an SMEM based version information table. + +Having firmware version information at one place will help quickly +figure out the firmware versions of various subsystems on the device +instead of going through builds/logs in an event of a system crash. + +Fill WLAN firmware version information in SMEM version table to be +printed as part of socinfo debugfs infrastructure on a Qualcomm based +SoC. + +This change is applicable only for SNOC/QMI based targets. + +Example: +cat /sys/kernel/debug/qcom_socinfo/cnss/name +QC_IMAGE_VERSION_STRING=WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1 + +Signed-off-by: Youghandhar Chintala +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221117180534.2267-1-quic_youghand@quicinc.com +Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/Kconfig | 1 + + drivers/net/wireless/ath/ath10k/qmi.c | 35 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig +index ca007b800f756..e0a51dad8e420 100644 +--- a/drivers/net/wireless/ath/ath10k/Kconfig ++++ b/drivers/net/wireless/ath/ath10k/Kconfig +@@ -44,6 +44,7 @@ config ATH10K_SNOC + tristate "Qualcomm ath10k SNOC support" + depends on ATH10K + depends on ARCH_QCOM || COMPILE_TEST ++ select QCOM_SMEM + select QCOM_SCM + select QCOM_QMI_HELPERS + help +diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c +index 80fcb917fe4e1..22bd97d434cc9 100644 +--- a/drivers/net/wireless/ath/ath10k/qmi.c ++++ b/drivers/net/wireless/ath/ath10k/qmi.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -22,6 +23,10 @@ + + #define ATH10K_QMI_CLIENT_ID 0x4b4e454c + #define ATH10K_QMI_TIMEOUT 30 ++#define SMEM_IMAGE_VERSION_TABLE 469 ++#define SMEM_IMAGE_TABLE_CNSS_INDEX 13 ++#define SMEM_IMAGE_VERSION_ENTRY_SIZE 128 ++#define SMEM_IMAGE_VERSION_NAME_SIZE 75 + + static int ath10k_qmi_map_msa_permission(struct ath10k_qmi *qmi, + struct ath10k_msa_mem_info *mem_info) +@@ -536,6 +541,33 @@ int ath10k_qmi_wlan_disable(struct ath10k *ar) + return ath10k_qmi_mode_send_sync_msg(ar, QMI_WLFW_OFF_V01); + } + ++static void ath10k_qmi_add_wlan_ver_smem(struct ath10k *ar, const char *fw_build_id) ++{ ++ u8 *table_ptr; ++ size_t smem_item_size; ++ const u32 smem_img_idx_wlan = SMEM_IMAGE_TABLE_CNSS_INDEX * ++ SMEM_IMAGE_VERSION_ENTRY_SIZE; ++ ++ table_ptr = qcom_smem_get(QCOM_SMEM_HOST_ANY, ++ SMEM_IMAGE_VERSION_TABLE, ++ &smem_item_size); ++ ++ if (IS_ERR(table_ptr)) { ++ ath10k_err(ar, "smem image version table not found\n"); ++ return; ++ } ++ ++ if (smem_img_idx_wlan + SMEM_IMAGE_VERSION_ENTRY_SIZE > ++ smem_item_size) { ++ ath10k_err(ar, "smem block size too small: %zu\n", ++ smem_item_size); ++ return; ++ } ++ ++ strscpy(table_ptr + smem_img_idx_wlan, fw_build_id, ++ SMEM_IMAGE_VERSION_NAME_SIZE); ++} ++ + static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi) + { + struct wlfw_cap_resp_msg_v01 *resp; +@@ -606,6 +638,9 @@ static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi) + qmi->fw_version, qmi->fw_build_timestamp, qmi->fw_build_id); + } + ++ if (resp->fw_build_id_valid) ++ ath10k_qmi_add_wlan_ver_smem(ar, qmi->fw_build_id); ++ + kfree(resp); + return 0; + +-- +2.43.0 + diff --git a/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch b/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch new file mode 100644 index 00000000000..c45d1ef7334 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch @@ -0,0 +1,103 @@ +From a54a4bdf1179814d1e07117f7184a40be1b736ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 21:47:26 +0200 +Subject: wifi: cfg80211: Lock wiphy in cfg80211_get_station + +From: Remi Pommarel + +[ Upstream commit 642f89daa34567d02f312d03e41523a894906dae ] + +Wiphy should be locked before calling rdev_get_station() (see lockdep +assert in ieee80211_get_station()). + +This fixes the following kernel NULL dereference: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 + Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000 + [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000 + Internal error: Oops: 0000000096000006 [#1] SMP + Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath + CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705 + Hardware name: RPT (r1) (DT) + Workqueue: bat_events batadv_v_elp_throughput_metric_update + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core] + lr : sta_set_sinfo+0xcc/0xbd4 + sp : ffff000007b43ad0 + x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98 + x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000 + x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc + x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000 + x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d + x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e + x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000 + x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000 + x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90 + x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000 + Call trace: + ath10k_sta_statistics+0x10/0x2dc [ath10k_core] + sta_set_sinfo+0xcc/0xbd4 + ieee80211_get_station+0x2c/0x44 + cfg80211_get_station+0x80/0x154 + batadv_v_elp_get_throughput+0x138/0x1fc + batadv_v_elp_throughput_metric_update+0x1c/0xa4 + process_one_work+0x1ec/0x414 + worker_thread+0x70/0x46c + kthread+0xdc/0xe0 + ret_from_fork+0x10/0x20 + Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814) + +This happens because STA has time to disconnect and reconnect before +batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In +this situation, ath10k_sta_state() can be in the middle of resetting +arsta data when the work queue get chance to be scheduled and ends up +accessing it. Locking wiphy prevents that. + +Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API") +Signed-off-by: Remi Pommarel +Reviewed-by: Nicolas Escande +Acked-by: Antonio Quartulli +Link: https://msgid.link/983b24a6a176e0800c01aedcd74480d9b551cb13.1716046653.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index cb15d7f4eb05a..d40c2cf777dc0 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -2033,6 +2033,7 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr, + { + struct cfg80211_registered_device *rdev; + struct wireless_dev *wdev; ++ int ret; + + wdev = dev->ieee80211_ptr; + if (!wdev) +@@ -2044,7 +2045,11 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr, + + memset(sinfo, 0, sizeof(*sinfo)); + +- return rdev_get_station(rdev, dev, mac_addr, sinfo); ++ wiphy_lock(&rdev->wiphy); ++ ret = rdev_get_station(rdev, dev, mac_addr, sinfo); ++ wiphy_unlock(&rdev->wiphy); ++ ++ return ret; + } + EXPORT_SYMBOL(cfg80211_get_station); + +-- +2.43.0 + diff --git a/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch b/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch new file mode 100644 index 00000000000..a949bf422b9 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch @@ -0,0 +1,85 @@ +From 48052b5da2a3440cd9119e4c0aef05bed91e3e50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 15:50:59 +0800 +Subject: wifi: cfg80211: pmsr: use correct nla_get_uX functions + +From: Lin Ma + +[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ] + +The commit 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM +initiator API") defines four attributes NL80211_PMSR_FTM_REQ_ATTR_ +{NUM_BURSTS_EXP}/{BURST_PERIOD}/{BURST_DURATION}/{FTMS_PER_BURST} in +following ways. + +static const struct nla_policy +nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = { + ... + [NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] = + NLA_POLICY_MAX(NLA_U8, 15), + [NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 }, + [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] = + NLA_POLICY_MAX(NLA_U8, 15), + [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = + NLA_POLICY_MAX(NLA_U8, 31), + ... +}; + +That is, those attributes are expected to be NLA_U8 and NLA_U16 types. +However, the consumers of these attributes in `pmsr_parse_ftm` blindly +all use `nla_get_u32`, which is incorrect and causes functionality issues +on little-endian platforms. Hence, fix them with the correct `nla_get_u8` +and `nla_get_u16` functions. + +Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") +Signed-off-by: Lin Ma +Link: https://msgid.link/20240521075059.47999-1-linma@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/pmsr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c +index 328cf54bda826..65fa39275f73f 100644 +--- a/net/wireless/pmsr.c ++++ b/net/wireless/pmsr.c +@@ -58,7 +58,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, + out->ftm.burst_period = 0; + if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]) + out->ftm.burst_period = +- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]); ++ nla_get_u16(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]); + + out->ftm.asap = !!tb[NL80211_PMSR_FTM_REQ_ATTR_ASAP]; + if (out->ftm.asap && !capa->ftm.asap) { +@@ -77,7 +77,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, + out->ftm.num_bursts_exp = 0; + if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]) + out->ftm.num_bursts_exp = +- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]); ++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]); + + if (capa->ftm.max_bursts_exponent >= 0 && + out->ftm.num_bursts_exp > capa->ftm.max_bursts_exponent) { +@@ -90,7 +90,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, + out->ftm.burst_duration = 15; + if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]) + out->ftm.burst_duration = +- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]); ++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]); + + out->ftm.ftms_per_burst = 0; + if (tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST]) +@@ -109,7 +109,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev, + out->ftm.ftmr_retries = 3; + if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]) + out->ftm.ftmr_retries = +- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]); ++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]); + + out->ftm.request_lci = !!tb[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI]; + if (out->ftm.request_lci && !capa->ftm.request_lci) { +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch b/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch new file mode 100644 index 00000000000..ecf1e4fb4f0 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch @@ -0,0 +1,41 @@ +From b8239fdc32879358756bf6bd00e43f9866554f0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 17:06:39 +0300 +Subject: wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs + ifdef + +From: Shahar S Matityahu + +[ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ] + +The driver should call iwl_dbg_tlv_free even if debugfs is not defined +since ini mode does not depend on debugfs ifdef. + +Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file") +Signed-off-by: Shahar S Matityahu +Reviewed-by: Luciano Coelho +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240510170500.c8e3723f55b0.I5e805732b0be31ee6b83c642ec652a34e974ff10@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index 524b0ad873578..afa89deb7bc3a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -1667,8 +1667,8 @@ struct iwl_drv *iwl_drv_start(struct iwl_trans *trans) + err_fw: + #ifdef CONFIG_IWLWIFI_DEBUGFS + debugfs_remove_recursive(drv->dbgfs_drv); +- iwl_dbg_tlv_free(drv->trans); + #endif ++ iwl_dbg_tlv_free(drv->trans); + kfree(drv); + err: + return ERR_PTR(ret); +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch b/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch new file mode 100644 index 00000000000..c5c1fcd3270 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch @@ -0,0 +1,49 @@ +From 3ecd00c9f7dbcae03177c8a0f79029e10116f6d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:27:12 +0300 +Subject: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids + +From: Miri Korenblit + +[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ] + +In some versions of cfg80211, the ssids poinet might be a valid one even +though n_ssids is 0. Accessing the pointer in this case will cuase an +out-of-bound access. Fix this by checking n_ssids first. + +Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support") +Signed-off-by: Miri Korenblit +Reviewed-by: Ilan Peer +Reviewed-by: Johannes Berg +Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d15594c61fe583d45@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index c0ffa26bc5aaa..0605363b62720 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -1312,7 +1312,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm, + if (IWL_MVM_ADWELL_MAX_BUDGET) + cmd->v7.adwell_max_budget = + cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET); +- else if (params->ssids && params->ssids[0].ssid_len) ++ else if (params->n_ssids && params->ssids[0].ssid_len) + cmd->v7.adwell_max_budget = + cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN); + else +@@ -1414,7 +1414,7 @@ iwl_mvm_scan_umac_dwell_v10(struct iwl_mvm *mvm, + if (IWL_MVM_ADWELL_MAX_BUDGET) + general_params->adwell_max_budget = + cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET); +- else if (params->ssids && params->ssids[0].ssid_len) ++ else if (params->n_ssids && params->ssids[0].ssid_len) + general_params->adwell_max_budget = + cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN); + else +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch b/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch new file mode 100644 index 00000000000..cfb1c9fb220 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch @@ -0,0 +1,55 @@ +From d3db3ca66ecb01738b7ffce54eb38ceaa4894e24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:27:14 +0300 +Subject: wifi: iwlwifi: mvm: don't read past the mfuart notifcation + +From: Emmanuel Grumbach + +[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ] + +In case the firmware sends a notification that claims it has more data +than it has, we will read past that was allocated for the notification. +Remove the print of the buffer, we won't see it by default. If needed, +we can see the content with tracing. + +This was reported by KFENCE. + +Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert") +Signed-off-by: Emmanuel Grumbach +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +index d22a5628f9e0d..578956032e08b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -95,20 +95,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, + { + struct iwl_rx_packet *pkt = rxb_addr(rxb); + struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data; +- __le32 *dump_data = mfu_dump_notif->data; +- int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32); +- int i; + + if (mfu_dump_notif->index_num == 0) + IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n", + le32_to_cpu(mfu_dump_notif->assert_id)); +- +- for (i = 0; i < n_words; i++) +- IWL_DEBUG_INFO(mvm, +- "MFUART assert dump, dword %u: 0x%08x\n", +- le16_to_cpu(mfu_dump_notif->index_num) * +- n_words + i, +- le32_to_cpu(dump_data[i])); + } + + static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch b/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch new file mode 100644 index 00000000000..680213e1894 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch @@ -0,0 +1,49 @@ +From f43dd9b31cbdfd1b9a58a2ad68715fa957b39518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 17:06:33 +0300 +Subject: wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 + +From: Johannes Berg + +[ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ] + +We don't actually support >64 even for HE devices, so revert +back to 64. This fixes an issue where the session is refused +because the queue is configured differently from the actual +session later. + +Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax") +Signed-off-by: Johannes Berg +Reviewed-by: Liad Kaufman +Reviewed-by: Luciano Coelho +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h +index 32104c9f8f5ee..d59a47637d120 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h +@@ -133,13 +133,8 @@ enum { + + #define LINK_QUAL_AGG_FRAME_LIMIT_DEF (63) + #define LINK_QUAL_AGG_FRAME_LIMIT_MAX (63) +-/* +- * FIXME - various places in firmware API still use u8, +- * e.g. LQ command and SCD config command. +- * This should be 256 instead. +- */ +-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (255) +-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (255) ++#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (64) ++#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (64) + #define LINK_QUAL_AGG_FRAME_LIMIT_MIN (0) + + #define LQ_SIZE 2 /* 2 mode tables: "Active" and "Search" */ +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch b/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch new file mode 100644 index 00000000000..b7bd1c9820d --- /dev/null +++ b/queue-5.15/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch @@ -0,0 +1,65 @@ +From 2a41bcec40274c2e17b22cc71054b443bc89ed46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 May 2024 10:18:54 +0800 +Subject: wifi: mac80211: correctly parse Spatial Reuse Parameter Set element + +From: Lingbo Kong + +[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ] + +Currently, the way of parsing Spatial Reuse Parameter Set element is +incorrect and some members of struct ieee80211_he_obss_pd are not assigned. + +To address this issue, it must be parsed in the order of the elements of +Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification. + +The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax +-2021-9.4.2.252). + +------------------------------------------------------------------------- +| | | | |Non-SRG| SRG | SRG | SRG | SRG | +|Element|Length| Element | SR |OBSS PD|OBSS PD|OBSS PD| BSS |Partial| +| ID | | ID |Control| Max | Min | Max |Color | BSSID | +| | |Extension| | Offset| Offset|Offset |Bitmap|Bitmap | +------------------------------------------------------------------------- + +Fixes: 1ced169cc1c2 ("mac80211: allow setting spatial reuse parameters from bss_conf") +Signed-off-by: Lingbo Kong +Link: https://msgid.link/20240516021854.5682-3-quic_lingbok@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/he.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/he.c b/net/mac80211/he.c +index c05af7018f79f..c730ce5132cbc 100644 +--- a/net/mac80211/he.c ++++ b/net/mac80211/he.c +@@ -223,15 +223,21 @@ ieee80211_he_spr_ie_to_bss_conf(struct ieee80211_vif *vif, + + if (!he_spr_ie_elem) + return; ++ ++ he_obss_pd->sr_ctrl = he_spr_ie_elem->he_sr_control; + data = he_spr_ie_elem->optional; + + if (he_spr_ie_elem->he_sr_control & + IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT) +- data++; ++ he_obss_pd->non_srg_max_offset = *data++; ++ + if (he_spr_ie_elem->he_sr_control & + IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT) { +- he_obss_pd->max_offset = *data++; + he_obss_pd->min_offset = *data++; ++ he_obss_pd->max_offset = *data++; ++ memcpy(he_obss_pd->bss_color_bitmap, data, 8); ++ data += 8; ++ memcpy(he_obss_pd->partial_bssid_bitmap, data, 8); + he_obss_pd->enable = true; + } + } +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch b/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch new file mode 100644 index 00000000000..012b04a7496 --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch @@ -0,0 +1,109 @@ +From 6e8dfd5b602d19e685cb7fa1d5ac3c57d4c339c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 08:57:53 +0200 +Subject: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() + +From: Remi Pommarel + +[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ] + +The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to +synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from +softirq context. However using only spin_lock() to get sta->ps_lock in +ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute +on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to +take this same lock ending in deadlock. Below is an example of rcu stall +that arises in such situation. + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 + rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) + CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 + Hardware name: RPT (r1) (DT) + pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : queued_spin_lock_slowpath+0x58/0x2d0 + lr : invoke_tx_handlers_early+0x5b4/0x5c0 + sp : ffff00001ef64660 + x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 + x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 + x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 + x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 + x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 + x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da + x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 + x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 + x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 + Call trace: + queued_spin_lock_slowpath+0x58/0x2d0 + ieee80211_tx+0x80/0x12c + ieee80211_tx_pending+0x110/0x278 + tasklet_action_common.constprop.0+0x10c/0x144 + tasklet_action+0x20/0x28 + _stext+0x11c/0x284 + ____do_softirq+0xc/0x14 + call_on_irq_stack+0x24/0x34 + do_softirq_own_stack+0x18/0x20 + do_softirq+0x74/0x7c + __local_bh_enable_ip+0xa0/0xa4 + _ieee80211_wake_txqs+0x3b0/0x4b8 + __ieee80211_wake_queue+0x12c/0x168 + ieee80211_add_pending_skbs+0xec/0x138 + ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 + ieee80211_mps_sta_status_update.part.0+0xd8/0x11c + ieee80211_mps_sta_status_update+0x18/0x24 + sta_apply_parameters+0x3bc/0x4c0 + ieee80211_change_station+0x1b8/0x2dc + nl80211_set_station+0x444/0x49c + genl_family_rcv_msg_doit.isra.0+0xa4/0xfc + genl_rcv_msg+0x1b0/0x244 + netlink_rcv_skb+0x38/0x10c + genl_rcv+0x34/0x48 + netlink_unicast+0x254/0x2bc + netlink_sendmsg+0x190/0x3b4 + ____sys_sendmsg+0x1e8/0x218 + ___sys_sendmsg+0x68/0x8c + __sys_sendmsg+0x44/0x84 + __arm64_sys_sendmsg+0x20/0x28 + do_el0_svc+0x6c/0xe8 + el0_svc+0x14/0x48 + el0t_64_sync_handler+0xb0/0xb4 + el0t_64_sync+0x14c/0x150 + +Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise +on the same CPU that is holding the lock. + +Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race") +Signed-off-by: Remi Pommarel +Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index f4deee1926e58..6d2b42cb3ad58 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1339,7 +1339,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) + skb_queue_head_init(&pending); + + /* sync with ieee80211_tx_h_unicast_ps_buf */ +- spin_lock(&sta->ps_lock); ++ spin_lock_bh(&sta->ps_lock); + /* Send all buffered frames to the station */ + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { + int count = skb_queue_len(&pending), tmp; +@@ -1368,7 +1368,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) + */ + clear_sta_flag(sta, WLAN_STA_PSPOLL); + clear_sta_flag(sta, WLAN_STA_UAPSD); +- spin_unlock(&sta->ps_lock); ++ spin_unlock_bh(&sta->ps_lock); + + atomic_dec(&ps->num_sta_ps); + +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch b/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch new file mode 100644 index 00000000000..e786f7d1223 --- /dev/null +++ b/queue-5.15/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch @@ -0,0 +1,100 @@ +From 36c885782014e1a47d629d5661ec18cc037a39db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 16:26:05 +0200 +Subject: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects + +From: Nicolas Escande + +[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ] + +The hwmp code use objects of type mesh_preq_queue, added to a list in +ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath +gets deleted, ex mesh interface is removed, the entries in that list will +never get cleaned. Fix this by flushing all corresponding items of the +preq_queue in mesh_path_flush_pending(). + +This should take care of KASAN reports like this: + +unreferenced object 0xffff00000668d800 (size 128): + comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) + hex dump (first 32 bytes): + 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... + 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... + backtrace: + [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c + [<00000000049bd418>] kmalloc_trace+0x34/0x80 + [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 + [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c + [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 + [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 + [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 + [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 + [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c + [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 + [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 + [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c + [<00000000b36425d1>] worker_thread+0x9c/0x634 + [<0000000005852dd5>] kthread+0x1bc/0x1c4 + [<000000005fccd770>] ret_from_fork+0x10/0x20 +unreferenced object 0xffff000009051f00 (size 128): + comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) + hex dump (first 32 bytes): + 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... + 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... + backtrace: + [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c + [<00000000049bd418>] kmalloc_trace+0x34/0x80 + [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 + [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c + [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 + [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 + [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 + [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 + [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c + [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 + [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 + [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c + [<00000000b36425d1>] worker_thread+0x9c/0x634 + [<0000000005852dd5>] kthread+0x1bc/0x1c4 + [<000000005fccd770>] ret_from_fork+0x10/0x20 + +Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") +Signed-off-by: Nicolas Escande +Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_pathtbl.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 69d5e1ec6edef..e7b9dcf30adc9 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -723,10 +723,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, + */ + void mesh_path_flush_pending(struct mesh_path *mpath) + { ++ struct ieee80211_sub_if_data *sdata = mpath->sdata; ++ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; ++ struct mesh_preq_queue *preq, *tmp; + struct sk_buff *skb; + + while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL) + mesh_path_discard_frame(mpath->sdata, skb); ++ ++ spin_lock_bh(&ifmsh->mesh_preq_queue_lock); ++ list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) { ++ if (ether_addr_equal(mpath->dst, preq->dst)) { ++ list_del(&preq->list); ++ kfree(preq); ++ --ifmsh->preq_queue_len; ++ } ++ } ++ spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); + } + + /** +-- +2.43.0 + diff --git a/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch b/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch new file mode 100644 index 00000000000..da5b2adca4f --- /dev/null +++ b/queue-5.15/x86-ibt-ftrace-search-for-__fentry__-location.patch @@ -0,0 +1,218 @@ +From 0fb3ba2981bdfeed49e23a1f6c7b020405952b3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 16:30:29 +0100 +Subject: x86/ibt,ftrace: Search for __fentry__ location + +From: Peter Zijlstra + +[ Upstream commit aebfd12521d9c7d0b502cf6d06314cfbcdccfe3b ] + +Currently a lot of ftrace code assumes __fentry__ is at sym+0. However +with Intel IBT enabled the first instruction of a function will most +likely be ENDBR. + +Change ftrace_location() to not only return the __fentry__ location +when called for the __fentry__ location, but also when called for the +sym+0 location. + +Then audit/update all callsites of this function to consistently use +these new semantics. + +Suggested-by: Steven Rostedt +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Masami Hiramatsu +Acked-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/20220308154318.227581603@infradead.org +Stable-dep-of: e60b613df8b6 ("ftrace: Fix possible use-after-free issue in ftrace_location()") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kprobes/core.c | 11 ++------ + kernel/bpf/trampoline.c | 20 +++----------- + kernel/kprobes.c | 8 ++---- + kernel/trace/ftrace.c | 48 ++++++++++++++++++++++++++++------ + 4 files changed, 48 insertions(+), 39 deletions(-) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 893f040b97b7d..99dd504307fdc 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -194,17 +194,10 @@ static unsigned long + __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr) + { + struct kprobe *kp; +- unsigned long faddr; ++ bool faddr; + + kp = get_kprobe((void *)addr); +- faddr = ftrace_location(addr); +- /* +- * Addresses inside the ftrace location are refused by +- * arch_check_ftrace_location(). Something went terribly wrong +- * if such an address is checked here. +- */ +- if (WARN_ON(faddr && faddr != addr)) +- return 0UL; ++ faddr = ftrace_location(addr) == addr; + /* + * Use the current code if it is not modified by Kprobe + * and it cannot be modified by ftrace. +diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c +index 4fa75791b45e2..1bffee0458863 100644 +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -108,18 +108,6 @@ static void bpf_trampoline_module_put(struct bpf_trampoline *tr) + tr->mod = NULL; + } + +-static int is_ftrace_location(void *ip) +-{ +- long addr; +- +- addr = ftrace_location((long)ip); +- if (!addr) +- return 0; +- if (WARN_ON_ONCE(addr != (long)ip)) +- return -EFAULT; +- return 1; +-} +- + static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr) + { + void *ip = tr->func.addr; +@@ -151,12 +139,12 @@ static int modify_fentry(struct bpf_trampoline *tr, void *old_addr, void *new_ad + static int register_fentry(struct bpf_trampoline *tr, void *new_addr) + { + void *ip = tr->func.addr; ++ unsigned long faddr; + int ret; + +- ret = is_ftrace_location(ip); +- if (ret < 0) +- return ret; +- tr->func.ftrace_managed = ret; ++ faddr = ftrace_location((unsigned long)ip); ++ if (faddr) ++ tr->func.ftrace_managed = true; + + if (bpf_trampoline_module_get(tr)) + return -ENOENT; +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index af57705e1fef3..258d425b2c4a5 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1526,14 +1526,10 @@ static inline int warn_kprobe_rereg(struct kprobe *p) + + int __weak arch_check_ftrace_location(struct kprobe *p) + { +- unsigned long ftrace_addr; ++ unsigned long addr = (unsigned long)p->addr; + +- ftrace_addr = ftrace_location((unsigned long)p->addr); +- if (ftrace_addr) { ++ if (ftrace_location(addr) == addr) { + #ifdef CONFIG_KPROBES_ON_FTRACE +- /* Given address is not on the instruction boundary */ +- if ((unsigned long)p->addr != ftrace_addr) +- return -EILSEQ; + p->flags |= KPROBE_FLAG_FTRACE; + #else /* !CONFIG_KPROBES_ON_FTRACE */ + return -EINVAL; +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 157a1d2d9802f..3dce1a107a7c7 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1575,17 +1575,34 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) + } + + /** +- * ftrace_location - return true if the ip giving is a traced location ++ * ftrace_location - return the ftrace location + * @ip: the instruction pointer to check + * +- * Returns rec->ip if @ip given is a pointer to a ftrace location. +- * That is, the instruction that is either a NOP or call to +- * the function tracer. It checks the ftrace internal tables to +- * determine if the address belongs or not. ++ * If @ip matches the ftrace location, return @ip. ++ * If @ip matches sym+0, return sym's ftrace location. ++ * Otherwise, return 0. + */ + unsigned long ftrace_location(unsigned long ip) + { +- return ftrace_location_range(ip, ip); ++ struct dyn_ftrace *rec; ++ unsigned long offset; ++ unsigned long size; ++ ++ rec = lookup_rec(ip, ip); ++ if (!rec) { ++ if (!kallsyms_lookup_size_offset(ip, &size, &offset)) ++ goto out; ++ ++ /* map sym+0 to __fentry__ */ ++ if (!offset) ++ rec = lookup_rec(ip, ip + size - 1); ++ } ++ ++ if (rec) ++ return rec->ip; ++ ++out: ++ return 0; + } + + /** +@@ -4942,7 +4959,8 @@ ftrace_match_addr(struct ftrace_hash *hash, unsigned long ip, int remove) + { + struct ftrace_func_entry *entry; + +- if (!ftrace_location(ip)) ++ ip = ftrace_location(ip); ++ if (!ip) + return -EINVAL; + + if (remove) { +@@ -5090,11 +5108,16 @@ int register_ftrace_direct(unsigned long ip, unsigned long addr) + struct ftrace_func_entry *entry; + struct ftrace_hash *free_hash = NULL; + struct dyn_ftrace *rec; +- int ret = -EBUSY; ++ int ret = -ENODEV; + + mutex_lock(&direct_mutex); + ++ ip = ftrace_location(ip); ++ if (!ip) ++ goto out_unlock; ++ + /* See if there's a direct function at @ip already */ ++ ret = -EBUSY; + if (ftrace_find_rec_direct(ip)) + goto out_unlock; + +@@ -5223,6 +5246,10 @@ int unregister_ftrace_direct(unsigned long ip, unsigned long addr) + + mutex_lock(&direct_mutex); + ++ ip = ftrace_location(ip); ++ if (!ip) ++ goto out_unlock; ++ + entry = find_direct_entry(&ip, NULL); + if (!entry) + goto out_unlock; +@@ -5354,6 +5381,11 @@ int modify_ftrace_direct(unsigned long ip, + mutex_lock(&direct_mutex); + + mutex_lock(&ftrace_lock); ++ ++ ip = ftrace_location(ip); ++ if (!ip) ++ goto out_unlock; ++ + entry = find_direct_entry(&ip, &rec); + if (!entry) + goto out_unlock; +-- +2.43.0 +