From: Sasha Levin Date: Sun, 17 Sep 2023 02:27:51 +0000 (-0400) Subject: Fixes for 6.5 X-Git-Tag: v5.10.195~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6eaa7c2dbb476b7331bcb1601119c42e16984866;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.5 Signed-off-by: Sasha Levin --- diff --git a/queue-6.5/bpf-fix-bpf_probe_read_kernel-prototype-mismatch.patch b/queue-6.5/bpf-fix-bpf_probe_read_kernel-prototype-mismatch.patch new file mode 100644 index 00000000000..345817c39ea --- /dev/null +++ b/queue-6.5/bpf-fix-bpf_probe_read_kernel-prototype-mismatch.patch @@ -0,0 +1,123 @@ +From 96701628a0e316d4d20a10be9b76bcd0f3e638e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 13:13:58 +0200 +Subject: bpf: fix bpf_probe_read_kernel prototype mismatch + +From: Arnd Bergmann + +[ Upstream commit 6a5a148aaf14747570cc634f9cdfcb0393f5617f ] + +bpf_probe_read_kernel() has a __weak definition in core.c and another +definition with an incompatible prototype in kernel/trace/bpf_trace.c, +when CONFIG_BPF_EVENTS is enabled. + +Since the two are incompatible, there cannot be a shared declaration in +a header file, but the lack of a prototype causes a W=1 warning: + +kernel/bpf/core.c:1638:12: error: no previous prototype for 'bpf_probe_read_kernel' [-Werror=missing-prototypes] + +On 32-bit architectures, the local prototype + +u64 __weak bpf_probe_read_kernel(void *dst, u32 size, const void *unsafe_ptr) + +passes arguments in other registers as the one in bpf_trace.c + +BPF_CALL_3(bpf_probe_read_kernel, void *, dst, u32, size, + const void *, unsafe_ptr) + +which uses 64-bit arguments in pairs of registers. + +As both versions of the function are fairly simple and only really +differ in one line, just move them into a header file as an inline +function that does not add any overhead for the bpf_trace.c callers +and actually avoids a function call for the other one. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/ac25cb0f-b804-1649-3afb-1dc6138c2716@iogearbox.net/ +Signed-off-by: Arnd Bergmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230801111449.185301-1-arnd@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 12 ++++++++++++ + kernel/bpf/core.c | 10 ++-------- + kernel/trace/bpf_trace.c | 11 ----------- + 3 files changed, 14 insertions(+), 19 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index f58895830adae..f316affcd2e13 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -2619,6 +2619,18 @@ static inline void bpf_dynptr_set_rdonly(struct bpf_dynptr_kern *ptr) + } + #endif /* CONFIG_BPF_SYSCALL */ + ++static __always_inline int ++bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr) ++{ ++ int ret = -EFAULT; ++ ++ if (IS_ENABLED(CONFIG_BPF_EVENTS)) ++ ret = copy_from_kernel_nofault(dst, unsafe_ptr, size); ++ if (unlikely(ret < 0)) ++ memset(dst, 0, size); ++ return ret; ++} ++ + void __bpf_free_used_btfs(struct bpf_prog_aux *aux, + struct btf_mod_pair *used_btfs, u32 len); + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index dc85240a01342..e3e45b651cd40 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1635,12 +1635,6 @@ bool bpf_opcode_in_insntable(u8 code) + } + + #ifndef CONFIG_BPF_JIT_ALWAYS_ON +-u64 __weak bpf_probe_read_kernel(void *dst, u32 size, const void *unsafe_ptr) +-{ +- memset(dst, 0, size); +- return -EFAULT; +-} +- + /** + * ___bpf_prog_run - run eBPF program on a given context + * @regs: is the array of MAX_BPF_EXT_REG eBPF pseudo-registers +@@ -1931,8 +1925,8 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) + DST = *(SIZE *)(unsigned long) (SRC + insn->off); \ + CONT; \ + LDX_PROBE_MEM_##SIZEOP: \ +- bpf_probe_read_kernel(&DST, sizeof(SIZE), \ +- (const void *)(long) (SRC + insn->off)); \ ++ bpf_probe_read_kernel_common(&DST, sizeof(SIZE), \ ++ (const void *)(long) (SRC + insn->off)); \ + DST = *((SIZE *)&DST); \ + CONT; + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 30d8db47c1e2f..abf287b2678a1 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -223,17 +223,6 @@ const struct bpf_func_proto bpf_probe_read_user_str_proto = { + .arg3_type = ARG_ANYTHING, + }; + +-static __always_inline int +-bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr) +-{ +- int ret; +- +- ret = copy_from_kernel_nofault(dst, unsafe_ptr, size); +- if (unlikely(ret < 0)) +- memset(dst, 0, size); +- return ret; +-} +- + BPF_CALL_3(bpf_probe_read_kernel, void *, dst, u32, size, + const void *, unsafe_ptr) + { +-- +2.40.1 + diff --git a/queue-6.5/hsr-fix-uninit-value-access-in-fill_frame_info.patch b/queue-6.5/hsr-fix-uninit-value-access-in-fill_frame_info.patch new file mode 100644 index 00000000000..168b4613e53 --- /dev/null +++ b/queue-6.5/hsr-fix-uninit-value-access-in-fill_frame_info.patch @@ -0,0 +1,90 @@ +From d041e0b1885bafc6a902c8c296f71cc7ac4c9d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 18:17:52 +0800 +Subject: hsr: Fix uninit-value access in fill_frame_info() + +From: Ziyang Xuan + +[ Upstream commit 484b4833c604c0adcf19eac1ca14b60b757355b5 ] + +Syzbot reports the following uninit-value access problem. + +===================================================== +BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline] +BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616 + fill_frame_info net/hsr/hsr_forward.c:601 [inline] + hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616 + hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223 + __netdev_start_xmit include/linux/netdevice.h:4889 [inline] + netdev_start_xmit include/linux/netdevice.h:4903 [inline] + xmit_one net/core/dev.c:3544 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560 + __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340 + dev_queue_xmit include/linux/netdevice.h:3082 [inline] + packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3087 [inline] + packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + __sys_sendto+0x781/0xa30 net/socket.c:2176 + __do_sys_sendto net/socket.c:2188 [inline] + __se_sys_sendto net/socket.c:2184 [inline] + __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 + do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Uninit was created at: + slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 + kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559 + __alloc_skb+0x318/0x740 net/core/skbuff.c:644 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794 + packet_alloc_skb net/packet/af_packet.c:2936 [inline] + packet_snd net/packet/af_packet.c:3030 [inline] + packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + __sys_sendto+0x781/0xa30 net/socket.c:2176 + __do_sys_sendto net/socket.c:2188 [inline] + __se_sys_sendto net/socket.c:2184 [inline] + __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 + do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +It is because VLAN not yet supported in hsr driver. Return error +when protocol is ETH_P_8021Q in fill_frame_info() now to fix it. + +Fixes: 451d8123f897 ("net: prp: add packet handling support") +Reported-by: syzbot+bf7e6250c7ce248f3ec9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=bf7e6250c7ce248f3ec9 +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 629daacc96071..b71dab630a873 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -594,6 +594,7 @@ static int fill_frame_info(struct hsr_frame_info *frame, + proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto; + /* FIXME: */ + netdev_warn_once(skb->dev, "VLAN not yet supported"); ++ return -EINVAL; + } + + frame->is_from_san = false; +-- +2.40.1 + diff --git a/queue-6.5/igb-clean-up-in-all-error-paths-when-enabling-sr-iov.patch b/queue-6.5/igb-clean-up-in-all-error-paths-when-enabling-sr-iov.patch new file mode 100644 index 00000000000..58e4d7c7b45 --- /dev/null +++ b/queue-6.5/igb-clean-up-in-all-error-paths-when-enabling-sr-iov.patch @@ -0,0 +1,114 @@ +From 03a1320d59100206c53fd1903931325f38b0c1c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 13:28:49 -0700 +Subject: igb: clean up in all error paths when enabling SR-IOV + +From: Corinna Vinschen + +[ Upstream commit bc6ed2fa24b14e40e1005488bbe11268ce7108fa ] + +After commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), removing +the igb module could hang or crash (depending on the machine) when the +module has been loaded with the max_vfs parameter set to some value != 0. + +In case of one test machine with a dual port 82580, this hang occurred: + +[ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1 +[ 233.093257] igb 0000:41:00.1: IOV Disabled +[ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0 +[ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata) +[ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000 +[ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First) +[ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c +[ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata) +[ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000 +[ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First) +[ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c +[ 233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback) +[ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0 +[ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed +[ 234.157244] igb 0000:41:00.0: IOV Disabled +[ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds. +[ 371.627489] Not tainted 6.4.0-dirty #2 +[ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this. +[ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0 +[ 371.650330] Call Trace: +[ 371.653061] +[ 371.655407] __schedule+0x20e/0x660 +[ 371.659313] schedule+0x5a/0xd0 +[ 371.662824] schedule_preempt_disabled+0x11/0x20 +[ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0 +[ 371.673237] ? __pfx_aer_root_reset+0x10/0x10 +[ 371.678105] report_error_detected+0x25/0x1c0 +[ 371.682974] ? __pfx_report_normal_detected+0x10/0x10 +[ 371.688618] pci_walk_bus+0x72/0x90 +[ 371.692519] pcie_do_recovery+0xb2/0x330 +[ 371.696899] aer_process_err_devices+0x117/0x170 +[ 371.702055] aer_isr+0x1c0/0x1e0 +[ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0 +[ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10 +[ 371.715496] irq_thread_fn+0x20/0x60 +[ 371.719491] irq_thread+0xe6/0x1b0 +[ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10 +[ 371.728255] ? __pfx_irq_thread+0x10/0x10 +[ 371.732731] kthread+0xe2/0x110 +[ 371.736243] ? __pfx_kthread+0x10/0x10 +[ 371.740430] ret_from_fork+0x2c/0x50 +[ 371.744428] + +The reproducer was a simple script: + + #!/bin/sh + for i in `seq 1 5`; do + modprobe -rv igb + modprobe -v igb max_vfs=1 + sleep 1 + modprobe -rv igb + done + +It turned out that this could only be reproduce on 82580 (quad and +dual-port), but not on 82576, i350 and i210. Further debugging showed +that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because +dev->is_physfn is 0 on 82580. + +Prior to commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), +igb_enable_sriov() jumped into the "err_out" cleanup branch. After this +commit it only returned the error code. + +So the cleanup didn't take place, and the incorrect VF setup in the +igb_adapter structure fooled the igb driver into assuming that VFs have +been set up where no VF actually existed. + +Fix this problem by cleaning up again if pci_enable_sriov() fails. + +Fixes: 50f303496d92 ("igb: Enable SR-IOV after reinit") +Signed-off-by: Corinna Vinschen +Reviewed-by: Akihiko Odaki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index ac19730e8db91..12f106b3a878b 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3827,8 +3827,11 @@ static int igb_enable_sriov(struct pci_dev *pdev, int num_vfs, bool reinit) + } + + /* only call pci_enable_sriov() if no VFs are allocated already */ +- if (!old_vfs) ++ if (!old_vfs) { + err = pci_enable_sriov(pdev, adapter->vfs_allocated_count); ++ if (err) ++ goto err_out; ++ } + + goto out; + +-- +2.40.1 + diff --git a/queue-6.5/ipv6-fix-ip6_sock_set_addr_preferences-typo.patch b/queue-6.5/ipv6-fix-ip6_sock_set_addr_preferences-typo.patch new file mode 100644 index 00000000000..960c7790ead --- /dev/null +++ b/queue-6.5/ipv6-fix-ip6_sock_set_addr_preferences-typo.patch @@ -0,0 +1,42 @@ +From d7b7b7c58e7d65bbacfc3a003f6d7cbebe4ed558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 15:42:13 +0000 +Subject: ipv6: fix ip6_sock_set_addr_preferences() typo + +From: Eric Dumazet + +[ Upstream commit 8cdd9f1aaedf823006449faa4e540026c692ac43 ] + +ip6_sock_set_addr_preferences() second argument should be an integer. + +SUNRPC attempts to set IPV6_PREFER_SRC_PUBLIC were +translated to IPV6_PREFER_SRC_TMP + +Fixes: 18d5ad623275 ("ipv6: add ip6_sock_set_addr_preferences") +Signed-off-by: Eric Dumazet +Cc: Christoph Hellwig +Cc: Chuck Lever +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230911154213.713941-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ipv6.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index 2acc4c808d45d..b08bd694385aa 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -1356,7 +1356,7 @@ static inline int __ip6_sock_set_addr_preferences(struct sock *sk, int val) + return 0; + } + +-static inline int ip6_sock_set_addr_preferences(struct sock *sk, bool val) ++static inline int ip6_sock_set_addr_preferences(struct sock *sk, int val) + { + int ret; + +-- +2.40.1 + diff --git a/queue-6.5/ixgbe-fix-timestamp-configuration-code.patch b/queue-6.5/ixgbe-fix-timestamp-configuration-code.patch new file mode 100644 index 00000000000..8c9483419f9 --- /dev/null +++ b/queue-6.5/ixgbe-fix-timestamp-configuration-code.patch @@ -0,0 +1,149 @@ +From 02896be9b8708e9752ac40aa11ac7549bbc9077b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 13:28:14 -0700 +Subject: ixgbe: fix timestamp configuration code + +From: Vadim Fedorenko + +[ Upstream commit 3c44191dd76cf9c0cc49adaf34384cbd42ef8ad2 ] + +The commit in fixes introduced flags to control the status of hardware +configuration while processing packets. At the same time another structure +is used to provide configuration of timestamper to user-space applications. +The way it was coded makes this structures go out of sync easily. The +repro is easy for 82599 chips: + +[root@hostname ~]# hwstamp_ctl -i eth0 -r 12 -t 1 +current settings: +tx_type 0 +rx_filter 0 +new settings: +tx_type 1 +rx_filter 12 + +The eth0 device is properly configured to timestamp any PTPv2 events. + +[root@hostname ~]# hwstamp_ctl -i eth0 -r 1 -t 1 +current settings: +tx_type 1 +rx_filter 12 +SIOCSHWTSTAMP failed: Numerical result out of range +The requested time stamping mode is not supported by the hardware. + +The error is properly returned because HW doesn't support all packets +timestamping. But the adapter->flags is cleared of timestamp flags +even though no HW configuration was done. From that point no RX timestamps +are received by user-space application. But configuration shows good +values: + +[root@hostname ~]# hwstamp_ctl -i eth0 +current settings: +tx_type 1 +rx_filter 12 + +Fix the issue by applying new flags only when the HW was actually +configured. + +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices") +Signed-off-by: Vadim Fedorenko +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +++++++++++--------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +index 0310af851086b..9339edbd90821 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +@@ -979,6 +979,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + u32 tsync_tx_ctl = IXGBE_TSYNCTXCTL_ENABLED; + u32 tsync_rx_ctl = IXGBE_TSYNCRXCTL_ENABLED; + u32 tsync_rx_mtrl = PTP_EV_PORT << 16; ++ u32 aflags = adapter->flags; + bool is_l2 = false; + u32 regval; + +@@ -996,20 +997,20 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + case HWTSTAMP_FILTER_NONE: + tsync_rx_ctl = 0; + tsync_rx_mtrl = 0; +- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED | +- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); ++ aflags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED | ++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); + break; + case HWTSTAMP_FILTER_PTP_V1_L4_SYNC: + tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1; + tsync_rx_mtrl |= IXGBE_RXMTRL_V1_SYNC_MSG; +- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | +- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); ++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | ++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); + break; + case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ: + tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1; + tsync_rx_mtrl |= IXGBE_RXMTRL_V1_DELAY_REQ_MSG; +- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | +- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); ++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | ++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); + break; + case HWTSTAMP_FILTER_PTP_V2_EVENT: + case HWTSTAMP_FILTER_PTP_V2_L2_EVENT: +@@ -1023,8 +1024,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_EVENT_V2; + is_l2 = true; + config->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; +- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | +- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); ++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED | ++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); + break; + case HWTSTAMP_FILTER_PTP_V1_L4_EVENT: + case HWTSTAMP_FILTER_NTP_ALL: +@@ -1035,7 +1036,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + if (hw->mac.type >= ixgbe_mac_X550) { + tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_ALL; + config->rx_filter = HWTSTAMP_FILTER_ALL; +- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED; ++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED; + break; + } + fallthrough; +@@ -1046,8 +1047,6 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + * Delay_Req messages and hardware does not support + * timestamping all packets => return error + */ +- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED | +- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER); + config->rx_filter = HWTSTAMP_FILTER_NONE; + return -ERANGE; + } +@@ -1079,8 +1078,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + IXGBE_TSYNCRXCTL_TYPE_ALL | + IXGBE_TSYNCRXCTL_TSIP_UT_EN; + config->rx_filter = HWTSTAMP_FILTER_ALL; +- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED; +- adapter->flags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER; ++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED; ++ aflags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER; + is_l2 = true; + break; + default: +@@ -1113,6 +1112,9 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter, + + IXGBE_WRITE_FLUSH(hw); + ++ /* configure adapter flags only when HW is actually configured */ ++ adapter->flags = aflags; ++ + /* clear TX/RX time stamp registers, just to be sure */ + ixgbe_ptp_clear_tx_timestamp(adapter); + IXGBE_READ_REG(hw, IXGBE_RXSTMPH); +-- +2.40.1 + diff --git a/queue-6.5/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch b/queue-6.5/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch new file mode 100644 index 00000000000..1ae32e194e9 --- /dev/null +++ b/queue-6.5/kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch @@ -0,0 +1,70 @@ +From 1feadcb7e883a7fc9bc1801bd653ac33246904e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 19:27:53 -0700 +Subject: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). + +From: Kuniyuki Iwashima + +[ Upstream commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada ] + +syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 +("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by +updating kcm_tx_msg(head)->last_skb if partial data is copied so that the +following sendmsg() will resume from the skb. + +However, we cannot know how many bytes were copied when we get the error. +Thus, we could mess up the MSG_MORE queue. + +When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we +do so for UDP by udp_flush_pending_frames(). + +Even without this change, when the error occurred, the following sendmsg() +resumed from a wrong skb and the queue was messed up. However, we have +yet to get such a report, and only syzkaller stumbled on it. So, this +can be changed safely. + +Note this does not change SOCK_SEQPACKET behaviour. + +Fixes: c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()") +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 740539a218b7c..dd1d8ffd5f594 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -930,17 +930,18 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + out_error: + kcm_push(kcm); + +- if (copied && sock->type == SOCK_SEQPACKET) { ++ if (sock->type == SOCK_SEQPACKET) { + /* Wrote some bytes before encountering an + * error, return partial success. + */ +- goto partial_message; +- } +- +- if (head != kcm->seq_skb) ++ if (copied) ++ goto partial_message; ++ if (head != kcm->seq_skb) ++ kfree_skb(head); ++ } else { + kfree_skb(head); +- else if (copied) +- kcm_tx_msg(head)->last_skb = skb; ++ kcm->seq_skb = NULL; ++ } + + err = sk_stream_error(sk, msg->msg_flags, err); + +-- +2.40.1 + diff --git a/queue-6.5/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch b/queue-6.5/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch new file mode 100644 index 00000000000..f04c46e863a --- /dev/null +++ b/queue-6.5/kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch @@ -0,0 +1,65 @@ +From 368c288d962a918b72d2cba0bc1a539389a581b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Sep 2023 02:03:10 +0900 +Subject: kcm: Fix memory leak in error path of kcm_sendmsg() + +From: Shigeru Yoshida + +[ Upstream commit c821a88bd720b0046433173185fd841a100d44ad ] + +syzbot reported a memory leak like below: + +BUG: memory leak +unreferenced object 0xffff88810b088c00 (size 240): + comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) + hex dump (first 32 bytes): + 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634 + [] alloc_skb include/linux/skbuff.h:1289 [inline] + [] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815 + [] sock_sendmsg_nosec net/socket.c:725 [inline] + [] sock_sendmsg+0x56/0xb0 net/socket.c:748 + [] ____sys_sendmsg+0x365/0x470 net/socket.c:2494 + [] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548 + [] __sys_sendmsg+0xa6/0x120 net/socket.c:2577 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append +newly allocated skbs to 'head'. If some bytes are copied, an error occurred, +and jumped to out_error label, 'last_skb' is left unmodified. A later +kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the +'head' frag_list and causing the leak. + +This patch fixes this issue by properly updating the last allocated skb in +'last_skb'. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb +Signed-off-by: Shigeru Yoshida +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 4580f61426bb8..740539a218b7c 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -939,6 +939,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) + + if (head != kcm->seq_skb) + kfree_skb(head); ++ else if (copied) ++ kcm_tx_msg(head)->last_skb = skb; + + err = sk_stream_error(sk, msg->msg_flags, err); + +-- +2.40.1 + diff --git a/queue-6.5/kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch b/queue-6.5/kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch new file mode 100644 index 00000000000..972072a48ca --- /dev/null +++ b/queue-6.5/kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch @@ -0,0 +1,54 @@ +From 805964b63d68d36d20efb59767a0c71c22330a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 13:53:17 +0200 +Subject: kselftest/runner.sh: Propagate SIGTERM to runner child +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 9616cb34b08ec86642b162eae75c5a7ca8debe3c ] + +Timeouts in kselftest are done using the "timeout" command with the +"--foreground" option. Without the "foreground" option, it is not +possible for a user to cancel the runner using SIGINT, because the +signal is not propagated to timeout which is running in a different +process group. The "forground" options places the timeout in the same +process group as its parent, but only sends the SIGTERM (on timeout) +signal to the forked process. Unfortunately, this does not play nice +with all kselftests, e.g. "net:fcnal-test.sh", where the child +processes will linger because timeout does not send SIGTERM to the +group. + +Some users have noted these hangs [1]. + +Fix this by nesting the timeout with an additional timeout without the +foreground option. + +Link: https://lore.kernel.org/all/7650b2eb-0aee-a2b0-2e64-c9bc63210f67@alu.unizg.hr/ # [1] +Fixes: 651e0d881461 ("kselftest/runner: allow to properly deliver signals to tests") +Signed-off-by: Björn Töpel +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest/runner.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kselftest/runner.sh b/tools/testing/selftests/kselftest/runner.sh +index 1c952d1401d46..70e0a465e30da 100644 +--- a/tools/testing/selftests/kselftest/runner.sh ++++ b/tools/testing/selftests/kselftest/runner.sh +@@ -36,7 +36,8 @@ tap_timeout() + { + # Make sure tests will time out if utility is available. + if [ -x /usr/bin/timeout ] ; then +- /usr/bin/timeout --foreground "$kselftest_timeout" $1 ++ /usr/bin/timeout --foreground "$kselftest_timeout" \ ++ /usr/bin/timeout "$kselftest_timeout" $1 + else + $1 + fi +-- +2.40.1 + diff --git a/queue-6.5/kunit-fix-wild-memory-access-bug-in-kunit_free_suite.patch b/queue-6.5/kunit-fix-wild-memory-access-bug-in-kunit_free_suite.patch new file mode 100644 index 00000000000..cac3627ad38 --- /dev/null +++ b/queue-6.5/kunit-fix-wild-memory-access-bug-in-kunit_free_suite.patch @@ -0,0 +1,124 @@ +From f8e407ccbe25344be4f54ef81a2f7a0f7dae0beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 15:10:25 +0800 +Subject: kunit: Fix wild-memory-access bug in kunit_free_suite_set() + +From: Jinjie Ruan + +[ Upstream commit 2810c1e99867a811e631dd24e63e6c1e3b78a59d ] + +Inject fault while probing kunit-example-test.ko, if kstrdup() +fails in mod_sysfs_setup() in load_module(), the mod->state will +switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of +from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only +kunit_module_exit() will be called without kunit_module_init(), and +the mod->kunit_suites is no set correctly and the free in +kunit_free_suite_set() will cause below wild-memory-access bug. + +The mod->state state machine when load_module() succeeds: + +MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE + ^ | + | | delete_module + +---------------- MODULE_STATE_GOING <---------+ + +The mod->state state machine when load_module() fails at +mod_sysfs_setup(): + +MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING + ^ | + | | + +-----------------------------------------------+ + +Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue +because MODULE_STATE_LIVE is transformed from it. + + Unable to handle kernel paging request at virtual address ffffff341e942a88 + KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447] + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000 + [ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP + Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test] + CPU: 3 PID: 2035 Comm: modprobe Tainted: G W N 6.5.0-next-20230828+ #136 + Hardware name: linux,dummy-virt (DT) + pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : kfree+0x2c/0x70 + lr : kunit_free_suite_set+0xcc/0x13c + sp : ffff8000829b75b0 + x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000 + x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300 + x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000 + x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764 + x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7 + x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000 + x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000 + x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000 + x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000 + Call trace: + kfree+0x2c/0x70 + kunit_free_suite_set+0xcc/0x13c + kunit_module_notify+0xd8/0x360 + blocking_notifier_call_chain+0xc4/0x128 + load_module+0x382c/0x44a4 + init_module_from_file+0xd4/0x128 + idempotent_init_module+0x2c8/0x524 + __arm64_sys_finit_module+0xac/0x100 + invoke_syscall+0x6c/0x258 + el0_svc_common.constprop.0+0x160/0x22c + do_el0_svc+0x44/0x5c + el0_svc+0x38/0x78 + el0t_64_sync_handler+0x13c/0x158 + el0t_64_sync+0x190/0x194 + Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Oops: Fatal exception + SMP: stopping secondary CPUs + Kernel Offset: 0x4d0742200000 from 0xffff800080000000 + PHYS_OFFSET: 0xffffee43c0000000 + CPU features: 0x88000203,3c020000,1000421b + Memory Limit: none + Rebooting in 1 seconds.. + +Fixes: 3d6e44623841 ("kunit: unify module and builtin suite definitions") +Signed-off-by: Jinjie Ruan +Reviewed-by: Rae Moar +Reviewed-by: David Gow +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/test.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/kunit/test.c b/lib/kunit/test.c +index 84e4666555c94..e8c9dd9d73a30 100644 +--- a/lib/kunit/test.c ++++ b/lib/kunit/test.c +@@ -744,12 +744,13 @@ static int kunit_module_notify(struct notifier_block *nb, unsigned long val, + + switch (val) { + case MODULE_STATE_LIVE: +- kunit_module_init(mod); + break; + case MODULE_STATE_GOING: + kunit_module_exit(mod); + break; + case MODULE_STATE_COMING: ++ kunit_module_init(mod); ++ break; + case MODULE_STATE_UNFORMED: + break; + } +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-sja1105-block-fdb-accesses-that-are-concurre.patch b/queue-6.5/net-dsa-sja1105-block-fdb-accesses-that-are-concurre.patch new file mode 100644 index 00000000000..40d5b5514a0 --- /dev/null +++ b/queue-6.5/net-dsa-sja1105-block-fdb-accesses-that-are-concurre.patch @@ -0,0 +1,58 @@ +From 25916a82f63ae5fdaf412ae056922f7cb4988c33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 16:33:52 +0300 +Subject: net: dsa: sja1105: block FDB accesses that are concurrent with a + switch reset + +From: Vladimir Oltean + +[ Upstream commit 86899e9e1e29e854b5f6dcc24ba4f75f792c89aa ] + +Currently, when we add the first sja1105 port to a bridge with +vlan_filtering 1, then we sometimes see this output: + +sja1105 spi2.2: port 4 failed to read back entry for be:79:b4:9e:9e:96 vid 3088: -ENOENT +sja1105 spi2.2: Reset switch and programmed static config. Reason: VLAN filtering +sja1105 spi2.2: port 0 failed to add be:79:b4:9e:9e:96 vid 0 to fdb: -2 + +It is because sja1105_fdb_add() runs from the dsa_owq which is no longer +serialized with switch resets since it dropped the rtnl_lock() in the +blamed commit. + +Either performing the FDB accesses before the reset, or after the reset, +is equally fine, because sja1105_static_fdb_change() backs up those +changes in the static config, but FDB access during reset isn't ok. + +Make sja1105_static_config_reload() take the fdb_lock to fix that. + +Fixes: 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 79927191ac623..013976b0af9f1 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2304,6 +2304,7 @@ int sja1105_static_config_reload(struct sja1105_private *priv, + int rc, i; + s64 now; + ++ mutex_lock(&priv->fdb_lock); + mutex_lock(&priv->mgmt_lock); + + mac = priv->static_config.tables[BLK_IDX_MAC_CONFIG].entries; +@@ -2416,6 +2417,7 @@ int sja1105_static_config_reload(struct sja1105_private *priv, + goto out; + out: + mutex_unlock(&priv->mgmt_lock); ++ mutex_unlock(&priv->fdb_lock); + + return rc; + } +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-sja1105-fix-multicast-forwarding-working-onl.patch b/queue-6.5/net-dsa-sja1105-fix-multicast-forwarding-working-onl.patch new file mode 100644 index 00000000000..cbcbf045555 --- /dev/null +++ b/queue-6.5/net-dsa-sja1105-fix-multicast-forwarding-working-onl.patch @@ -0,0 +1,221 @@ +From 6a7a4637ec2f415a7c0bf1a2a165c03b27afa2c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 16:33:50 +0300 +Subject: net: dsa: sja1105: fix multicast forwarding working only for last + added mdb entry + +From: Vladimir Oltean + +[ Upstream commit 7cef293b9a634a05fcce9e1df4aee3aeed023345 ] + +The commit cited in Fixes: did 2 things: it refactored the read-back +polling from sja1105_dynamic_config_read() into a new function, +sja1105_dynamic_config_wait_complete(), and it called that from +sja1105_dynamic_config_write() too. + +What is problematic is the refactoring. + +The refactored code from sja1105_dynamic_config_poll_valid() works like +the previous one, but the problem is that it uses another packed_buf[] +SPI buffer, and there was code at the end of sja1105_dynamic_config_read() +which was relying on the read-back packed_buf[]: + + /* Don't dereference possibly NULL pointer - maybe caller + * only wanted to see whether the entry existed or not. + */ + if (entry) + ops->entry_packing(packed_buf, entry, UNPACK); + +After the change, the packed_buf[] that this code sees is no longer the +entry read back from hardware, but the original entry that the caller +passed to the sja1105_dynamic_config_read(), packed into this buffer. + +This difference is the most notable with the SJA1105_SEARCH uses from +sja1105pqrs_fdb_add() - used for both fdb and mdb. There, we have logic +added by commit 728db843df88 ("net: dsa: sja1105: ignore the FDB entry +for unknown multicast when adding a new address") to figure out whether +the address we're trying to add matches on any existing hardware entry, +with the exception of the catch-all multicast address. + +That logic was broken, because with sja1105_dynamic_config_read() not +working properly, it doesn't return us the entry read back from +hardware, but the entry that we passed to it. And, since for multicast, +a match will always exist, it will tell us that any mdb entry already +exists at index=0 L2 Address Lookup table. It is index=0 because the +caller doesn't know the index - it wants to find it out, and +sja1105_dynamic_config_read() does: + + if (index < 0) { // SJA1105_SEARCH + /* Avoid copying a signed negative number to an u64 */ + cmd.index = 0; // <- this + cmd.search = true; + } else { + cmd.index = index; + cmd.search = false; + } + +So, to the caller of sja1105_dynamic_config_read(), the returned info +looks entirely legit, and it will add all mdb entries to FDB index 0. +There, they will always overwrite each other (not to mention, +potentially they can also overwrite a pre-existing bridge fdb entry), +and the user-visible impact will be that only the last mdb entry will be +forwarded as it should. The others won't (will be flooded or dropped, +depending on the egress flood settings). + +Fixing is a bit more complicated, and involves either passing the same +packed_buf[] to sja1105_dynamic_config_wait_complete(), or moving all +the extra processing on the packed_buf[] to +sja1105_dynamic_config_wait_complete(). I've opted for the latter, +because it makes sja1105_dynamic_config_wait_complete() a bit more +self-contained. + +Fixes: df405910ab9f ("net: dsa: sja1105: wait for dynamic config command completion on writes too") +Reported-by: Yanan Yang +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/dsa/sja1105/sja1105_dynamic_config.c | 80 +++++++++---------- + 1 file changed, 37 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c +index 93d47dab8d3e9..984c0e604e8de 100644 +--- a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c ++++ b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c +@@ -1175,18 +1175,15 @@ const struct sja1105_dynamic_table_ops sja1110_dyn_ops[BLK_IDX_MAX_DYN] = { + + static int + sja1105_dynamic_config_poll_valid(struct sja1105_private *priv, +- struct sja1105_dyn_cmd *cmd, +- const struct sja1105_dynamic_table_ops *ops) ++ const struct sja1105_dynamic_table_ops *ops, ++ void *entry, bool check_valident, ++ bool check_errors) + { + u8 packed_buf[SJA1105_MAX_DYN_CMD_SIZE] = {}; ++ struct sja1105_dyn_cmd cmd = {}; + int rc; + +- /* We don't _need_ to read the full entry, just the command area which +- * is a fixed SJA1105_SIZE_DYN_CMD. But our cmd_packing() API expects a +- * buffer that contains the full entry too. Additionally, our API +- * doesn't really know how many bytes into the buffer does the command +- * area really begin. So just read back the whole entry. +- */ ++ /* Read back the whole entry + command structure. */ + rc = sja1105_xfer_buf(priv, SPI_READ, ops->addr, packed_buf, + ops->packed_size); + if (rc) +@@ -1195,11 +1192,25 @@ sja1105_dynamic_config_poll_valid(struct sja1105_private *priv, + /* Unpack the command structure, and return it to the caller in case it + * needs to perform further checks on it (VALIDENT). + */ +- memset(cmd, 0, sizeof(*cmd)); +- ops->cmd_packing(packed_buf, cmd, UNPACK); ++ ops->cmd_packing(packed_buf, &cmd, UNPACK); + + /* Hardware hasn't cleared VALID => still working on it */ +- return cmd->valid ? -EAGAIN : 0; ++ if (cmd.valid) ++ return -EAGAIN; ++ ++ if (check_valident && !cmd.valident && !(ops->access & OP_VALID_ANYWAY)) ++ return -ENOENT; ++ ++ if (check_errors && cmd.errors) ++ return -EINVAL; ++ ++ /* Don't dereference possibly NULL pointer - maybe caller ++ * only wanted to see whether the entry existed or not. ++ */ ++ if (entry) ++ ops->entry_packing(packed_buf, entry, UNPACK); ++ ++ return 0; + } + + /* Poll the dynamic config entry's control area until the hardware has +@@ -1208,8 +1219,9 @@ sja1105_dynamic_config_poll_valid(struct sja1105_private *priv, + */ + static int + sja1105_dynamic_config_wait_complete(struct sja1105_private *priv, +- struct sja1105_dyn_cmd *cmd, +- const struct sja1105_dynamic_table_ops *ops) ++ const struct sja1105_dynamic_table_ops *ops, ++ void *entry, bool check_valident, ++ bool check_errors) + { + int err, rc; + +@@ -1217,7 +1229,8 @@ sja1105_dynamic_config_wait_complete(struct sja1105_private *priv, + rc, rc != -EAGAIN, + SJA1105_DYNAMIC_CONFIG_SLEEP_US, + SJA1105_DYNAMIC_CONFIG_TIMEOUT_US, +- false, priv, cmd, ops); ++ false, priv, ops, entry, check_valident, ++ check_errors); + return err < 0 ? err : rc; + } + +@@ -1287,25 +1300,14 @@ int sja1105_dynamic_config_read(struct sja1105_private *priv, + mutex_lock(&priv->dynamic_config_lock); + rc = sja1105_xfer_buf(priv, SPI_WRITE, ops->addr, packed_buf, + ops->packed_size); +- if (rc < 0) { +- mutex_unlock(&priv->dynamic_config_lock); +- return rc; +- } +- +- rc = sja1105_dynamic_config_wait_complete(priv, &cmd, ops); +- mutex_unlock(&priv->dynamic_config_lock); + if (rc < 0) +- return rc; ++ goto out; + +- if (!cmd.valident && !(ops->access & OP_VALID_ANYWAY)) +- return -ENOENT; ++ rc = sja1105_dynamic_config_wait_complete(priv, ops, entry, true, false); ++out: ++ mutex_unlock(&priv->dynamic_config_lock); + +- /* Don't dereference possibly NULL pointer - maybe caller +- * only wanted to see whether the entry existed or not. +- */ +- if (entry) +- ops->entry_packing(packed_buf, entry, UNPACK); +- return 0; ++ return rc; + } + + int sja1105_dynamic_config_write(struct sja1105_private *priv, +@@ -1357,22 +1359,14 @@ int sja1105_dynamic_config_write(struct sja1105_private *priv, + mutex_lock(&priv->dynamic_config_lock); + rc = sja1105_xfer_buf(priv, SPI_WRITE, ops->addr, packed_buf, + ops->packed_size); +- if (rc < 0) { +- mutex_unlock(&priv->dynamic_config_lock); +- return rc; +- } +- +- rc = sja1105_dynamic_config_wait_complete(priv, &cmd, ops); +- mutex_unlock(&priv->dynamic_config_lock); + if (rc < 0) +- return rc; ++ goto out; + +- cmd = (struct sja1105_dyn_cmd) {0}; +- ops->cmd_packing(packed_buf, &cmd, UNPACK); +- if (cmd.errors) +- return -EINVAL; ++ rc = sja1105_dynamic_config_wait_complete(priv, ops, NULL, false, true); ++out: ++ mutex_unlock(&priv->dynamic_config_lock); + +- return 0; ++ return rc; + } + + static u8 sja1105_crc8_add(u8 crc, u8 byte, u8 poly) +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch b/queue-6.5/net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch new file mode 100644 index 00000000000..3003194c05f --- /dev/null +++ b/queue-6.5/net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch @@ -0,0 +1,50 @@ +From 9660fff44f9f50b14918dd3f6e7e28e4ba68f0a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 16:33:48 +0300 +Subject: net: dsa: sja1105: hide all multicast addresses from "bridge fdb + show" + +From: Vladimir Oltean + +[ Upstream commit 02c652f5465011126152bbd93b6a582a1d0c32f1 ] + +Commit 4d9423549501 ("net: dsa: sja1105: offload bridge port flags to +device") has partially hidden some multicast entries from showing up in +the "bridge fdb show" output, but it wasn't enough. Addresses which are +added through "bridge mdb add" still show up. Hide them all. + +Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index b6deba4a75121..ba65a95b0c372 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1875,13 +1875,14 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port, + if (!(l2_lookup.destports & BIT(port))) + continue; + +- /* We need to hide the FDB entry for unknown multicast */ +- if (l2_lookup.macaddr == SJA1105_UNKNOWN_MULTICAST && +- l2_lookup.mask_macaddr == SJA1105_UNKNOWN_MULTICAST) +- continue; +- + u64_to_ether_addr(l2_lookup.macaddr, macaddr); + ++ /* Hardware FDB is shared for fdb and mdb, "bridge fdb show" ++ * only wants to see unicast ++ */ ++ if (is_multicast_ether_addr(macaddr)) ++ continue; ++ + /* We need to hide the dsa_8021q VLANs from the user. */ + if (vid_is_dsa_8021q(l2_lookup.vlanid)) + l2_lookup.vlanid = 0; +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-sja1105-propagate-exact-error-code-from-sja1.patch b/queue-6.5/net-dsa-sja1105-propagate-exact-error-code-from-sja1.patch new file mode 100644 index 00000000000..d9acbed52e7 --- /dev/null +++ b/queue-6.5/net-dsa-sja1105-propagate-exact-error-code-from-sja1.patch @@ -0,0 +1,55 @@ +From de3095805cd2a5da8b4be502d7201dc4e28fee1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 16:33:49 +0300 +Subject: net: dsa: sja1105: propagate exact error code from + sja1105_dynamic_config_poll_valid() + +From: Vladimir Oltean + +[ Upstream commit c956798062b5a308db96e75157747291197f0378 ] + +Currently, sja1105_dynamic_config_wait_complete() returns either 0 or +-ETIMEDOUT, because it just looks at the read_poll_timeout() return code. + +There will be future changes which move some more checks to +sja1105_dynamic_config_poll_valid(). It is important that we propagate +their exact return code (-ENOENT, -EINVAL), because callers of +sja1105_dynamic_config_read() depend on them. + +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Stable-dep-of: 7cef293b9a63 ("net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_dynamic_config.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c +index 7729d3f8b7f50..93d47dab8d3e9 100644 +--- a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c ++++ b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c +@@ -1211,13 +1211,14 @@ sja1105_dynamic_config_wait_complete(struct sja1105_private *priv, + struct sja1105_dyn_cmd *cmd, + const struct sja1105_dynamic_table_ops *ops) + { +- int rc; +- +- return read_poll_timeout(sja1105_dynamic_config_poll_valid, +- rc, rc != -EAGAIN, +- SJA1105_DYNAMIC_CONFIG_SLEEP_US, +- SJA1105_DYNAMIC_CONFIG_TIMEOUT_US, +- false, priv, cmd, ops); ++ int err, rc; ++ ++ err = read_poll_timeout(sja1105_dynamic_config_poll_valid, ++ rc, rc != -EAGAIN, ++ SJA1105_DYNAMIC_CONFIG_SLEEP_US, ++ SJA1105_DYNAMIC_CONFIG_TIMEOUT_US, ++ false, priv, cmd, ops); ++ return err < 0 ? err : rc; + } + + /* Provides read access to the settings through the dynamic interface +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-sja1105-serialize-sja1105_port_mcast_flood-w.patch b/queue-6.5/net-dsa-sja1105-serialize-sja1105_port_mcast_flood-w.patch new file mode 100644 index 00000000000..a3d2c341b6c --- /dev/null +++ b/queue-6.5/net-dsa-sja1105-serialize-sja1105_port_mcast_flood-w.patch @@ -0,0 +1,189 @@ +From 66e35bae07852017f34f8f7b9b7e740728007be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 16:33:51 +0300 +Subject: net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other + FDB accesses + +From: Vladimir Oltean + +[ Upstream commit ea32690daf4fa525dc5a4d164bd00ed8c756e1c6 ] + +sja1105_fdb_add() runs from the dsa_owq, and sja1105_port_mcast_flood() +runs from switchdev_deferred_process_work(). Prior to the blamed commit, +they used to be indirectly serialized through the rtnl_lock(), which +no longer holds true because dsa_owq dropped that. + +So, it is now possible that we traverse the static config BLK_IDX_L2_LOOKUP +elements concurrently compared to when we change them, in +sja1105_static_fdb_change(). That is not ideal, since it might result in +data corruption. + +Introduce a mutex which serializes accesses to the hardware FDB and to +the static config elements for the L2 Address Lookup table. + +I can't find a good reason to add locking around sja1105_fdb_dump(). +I'll add it later if needed. + +Fixes: 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105.h | 2 + + drivers/net/dsa/sja1105/sja1105_main.c | 56 ++++++++++++++++++++------ + 2 files changed, 45 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105.h b/drivers/net/dsa/sja1105/sja1105.h +index 0617d5ccd3ff1..8c66d3bf61f02 100644 +--- a/drivers/net/dsa/sja1105/sja1105.h ++++ b/drivers/net/dsa/sja1105/sja1105.h +@@ -266,6 +266,8 @@ struct sja1105_private { + * the switch doesn't confuse them with one another. + */ + struct mutex mgmt_lock; ++ /* Serializes accesses to the FDB */ ++ struct mutex fdb_lock; + /* PTP two-step TX timestamp ID, and its serialization lock */ + spinlock_t ts_id_lock; + u8 ts_id; +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index ba65a95b0c372..79927191ac623 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1805,6 +1805,7 @@ static int sja1105_fdb_add(struct dsa_switch *ds, int port, + struct dsa_db db) + { + struct sja1105_private *priv = ds->priv; ++ int rc; + + if (!vid) { + switch (db.type) { +@@ -1819,12 +1820,16 @@ static int sja1105_fdb_add(struct dsa_switch *ds, int port, + } + } + +- return priv->info->fdb_add_cmd(ds, port, addr, vid); ++ mutex_lock(&priv->fdb_lock); ++ rc = priv->info->fdb_add_cmd(ds, port, addr, vid); ++ mutex_unlock(&priv->fdb_lock); ++ ++ return rc; + } + +-static int sja1105_fdb_del(struct dsa_switch *ds, int port, +- const unsigned char *addr, u16 vid, +- struct dsa_db db) ++static int __sja1105_fdb_del(struct dsa_switch *ds, int port, ++ const unsigned char *addr, u16 vid, ++ struct dsa_db db) + { + struct sja1105_private *priv = ds->priv; + +@@ -1844,6 +1849,20 @@ static int sja1105_fdb_del(struct dsa_switch *ds, int port, + return priv->info->fdb_del_cmd(ds, port, addr, vid); + } + ++static int sja1105_fdb_del(struct dsa_switch *ds, int port, ++ const unsigned char *addr, u16 vid, ++ struct dsa_db db) ++{ ++ struct sja1105_private *priv = ds->priv; ++ int rc; ++ ++ mutex_lock(&priv->fdb_lock); ++ rc = __sja1105_fdb_del(ds, port, addr, vid, db); ++ mutex_unlock(&priv->fdb_lock); ++ ++ return rc; ++} ++ + static int sja1105_fdb_dump(struct dsa_switch *ds, int port, + dsa_fdb_dump_cb_t *cb, void *data) + { +@@ -1906,6 +1925,8 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port) + }; + int i; + ++ mutex_lock(&priv->fdb_lock); ++ + for (i = 0; i < SJA1105_MAX_L2_LOOKUP_COUNT; i++) { + struct sja1105_l2_lookup_entry l2_lookup = {0}; + u8 macaddr[ETH_ALEN]; +@@ -1919,7 +1940,7 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port) + if (rc) { + dev_err(ds->dev, "Failed to read FDB: %pe\n", + ERR_PTR(rc)); +- return; ++ break; + } + + if (!(l2_lookup.destports & BIT(port))) +@@ -1931,14 +1952,16 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port) + + u64_to_ether_addr(l2_lookup.macaddr, macaddr); + +- rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db); ++ rc = __sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db); + if (rc) { + dev_err(ds->dev, + "Failed to delete FDB entry %pM vid %lld: %pe\n", + macaddr, l2_lookup.vlanid, ERR_PTR(rc)); +- return; ++ break; + } + } ++ ++ mutex_unlock(&priv->fdb_lock); + } + + static int sja1105_mdb_add(struct dsa_switch *ds, int port, +@@ -2962,7 +2985,9 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to, + { + struct sja1105_l2_lookup_entry *l2_lookup; + struct sja1105_table *table; +- int match; ++ int match, rc; ++ ++ mutex_lock(&priv->fdb_lock); + + table = &priv->static_config.tables[BLK_IDX_L2_LOOKUP]; + l2_lookup = table->entries; +@@ -2975,7 +3000,8 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to, + if (match == table->entry_count) { + NL_SET_ERR_MSG_MOD(extack, + "Could not find FDB entry for unknown multicast"); +- return -ENOSPC; ++ rc = -ENOSPC; ++ goto out; + } + + if (flags.val & BR_MCAST_FLOOD) +@@ -2983,10 +3009,13 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to, + else + l2_lookup[match].destports &= ~BIT(to); + +- return sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP, +- l2_lookup[match].index, +- &l2_lookup[match], +- true); ++ rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP, ++ l2_lookup[match].index, ++ &l2_lookup[match], true); ++out: ++ mutex_unlock(&priv->fdb_lock); ++ ++ return rc; + } + + static int sja1105_port_pre_bridge_flags(struct dsa_switch *ds, int port, +@@ -3356,6 +3385,7 @@ static int sja1105_probe(struct spi_device *spi) + mutex_init(&priv->ptp_data.lock); + mutex_init(&priv->dynamic_config_lock); + mutex_init(&priv->mgmt_lock); ++ mutex_init(&priv->fdb_lock); + spin_lock_init(&priv->ts_id_lock); + + rc = sja1105_parse_dt(priv); +-- +2.40.1 + diff --git a/queue-6.5/net-ethernet-adi-adin1110-fix-forwarding-offload.patch b/queue-6.5/net-ethernet-adi-adin1110-fix-forwarding-offload.patch new file mode 100644 index 00000000000..4b4ee1000c5 --- /dev/null +++ b/queue-6.5/net-ethernet-adi-adin1110-fix-forwarding-offload.patch @@ -0,0 +1,46 @@ +From 2c295df8f4f7cceceeb1b5188fdb205d32346f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 15:58:08 +0300 +Subject: net:ethernet:adi:adin1110: Fix forwarding offload + +From: Ciprian Regus + +[ Upstream commit 32530dba1bd48da4437d18d9a8dbc9d2826938a6 ] + +Currently, when a new fdb entry is added (with both ports of the +ADIN2111 bridged), the driver configures the MAC filters for the wrong +port, which results in the forwarding being done by the host, and not +actually hardware offloaded. + +The ADIN2111 offloads the forwarding by setting filters on the +destination MAC address of incoming frames. Based on these, they may be +routed to the other port. Thus, if a frame has to be forwarded from port +1 to port 2, the required configuration for the ADDR_FILT_UPRn register +should set the APPLY2PORT1 bit (instead of APPLY2PORT2, as it's +currently the case). + +Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") +Signed-off-by: Ciprian Regus +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index 1c009b485188d..ca66b747b7c5d 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -1385,7 +1385,7 @@ static int adin1110_fdb_add(struct adin1110_port_priv *port_priv, + return -ENOMEM; + + other_port = priv->ports[!port_priv->nr]; +- port_rules = adin1110_port_rules(port_priv, false, true); ++ port_rules = adin1110_port_rules(other_port, false, true); + eth_broadcast_addr(mask); + + return adin1110_write_mac_address(other_port, mac_nr, (u8 *)fdb->addr, +-- +2.40.1 + diff --git a/queue-6.5/net-ethernet-adi-adin1110-use-eth_broadcast_addr-to-.patch b/queue-6.5/net-ethernet-adi-adin1110-use-eth_broadcast_addr-to-.patch new file mode 100644 index 00000000000..0bdb0778f1b --- /dev/null +++ b/queue-6.5/net-ethernet-adi-adin1110-use-eth_broadcast_addr-to-.patch @@ -0,0 +1,65 @@ +From 5aa4b04988939b11b4dd380c31f44ee19a3b8952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:35:31 +0800 +Subject: net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign + broadcast address + +From: Yang Yingliang + +[ Upstream commit 54024dbec95585243391caeb9f04a2620e630765 ] + +Use eth_broadcast_addr() to assign broadcast address instead +of memset(). + +Signed-off-by: Yang Yingliang +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 32530dba1bd4 ("net:ethernet:adi:adin1110: Fix forwarding offload") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index f5c2d7a9abc10..1c009b485188d 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -739,7 +739,7 @@ static int adin1110_broadcasts_filter(struct adin1110_port_priv *port_priv, + u32 port_rules = 0; + u8 mask[ETH_ALEN]; + +- memset(mask, 0xFF, ETH_ALEN); ++ eth_broadcast_addr(mask); + + if (accept_broadcast && port_priv->state == BR_STATE_FORWARDING) + port_rules = adin1110_port_rules(port_priv, true, true); +@@ -760,7 +760,7 @@ static int adin1110_set_mac_address(struct net_device *netdev, + return -EADDRNOTAVAIL; + + eth_hw_addr_set(netdev, dev_addr); +- memset(mask, 0xFF, ETH_ALEN); ++ eth_broadcast_addr(mask); + + mac_slot = (!port_priv->nr) ? ADIN_MAC_P1_ADDR_SLOT : ADIN_MAC_P2_ADDR_SLOT; + port_rules = adin1110_port_rules(port_priv, true, false); +@@ -1271,7 +1271,7 @@ static int adin1110_port_set_blocking_state(struct adin1110_port_priv *port_priv + goto out; + + /* Allow only BPDUs to be passed to the CPU */ +- memset(mask, 0xFF, ETH_ALEN); ++ eth_broadcast_addr(mask); + port_rules = adin1110_port_rules(port_priv, true, false); + ret = adin1110_write_mac_address(port_priv, mac_slot, mac, + mask, port_rules); +@@ -1386,7 +1386,7 @@ static int adin1110_fdb_add(struct adin1110_port_priv *port_priv, + + other_port = priv->ports[!port_priv->nr]; + port_rules = adin1110_port_rules(port_priv, false, true); +- memset(mask, 0xFF, ETH_ALEN); ++ eth_broadcast_addr(mask); + + return adin1110_write_mac_address(other_port, mac_nr, (u8 *)fdb->addr, + mask, port_rules); +-- +2.40.1 + diff --git a/queue-6.5/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch b/queue-6.5/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch new file mode 100644 index 00000000000..ab3a105bd88 --- /dev/null +++ b/queue-6.5/net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch @@ -0,0 +1,40 @@ +From 9ab4167c56b91b92e9aa0bafd97cd8ce7336b617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 14:19:50 +0800 +Subject: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in + mtk_hwlro_get_fdir_all() + +From: Hangyu Hua + +[ Upstream commit e4c79810755f66c9a933ca810da2724133b1165a ] + +rule_locs is allocated in ethtool_get_rxnfc and the size is determined by +rule_cnt from user space. So rule_cnt needs to be check before using +rule_locs to avoid NULL pointer dereference. + +Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO") +Signed-off-by: Hangyu Hua +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 2d15342c260ae..7f0807672071f 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -2860,6 +2860,9 @@ static int mtk_hwlro_get_fdir_all(struct net_device *dev, + int i; + + for (i = 0; i < MTK_MAX_LRO_IP_CNT; i++) { ++ if (cnt == cmd->rule_cnt) ++ return -EMSGSIZE; ++ + if (mac->hwlro_ip[i]) { + rule_locs[cnt] = i; + cnt++; +-- +2.40.1 + diff --git a/queue-6.5/net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch b/queue-6.5/net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch new file mode 100644 index 00000000000..2c89f283f93 --- /dev/null +++ b/queue-6.5/net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch @@ -0,0 +1,43 @@ +From d604d7bbc25feb2aae238e3a9701c4a26844cf16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 14:19:49 +0800 +Subject: net: ethernet: mvpp2_main: fix possible OOB write in + mvpp2_ethtool_get_rxnfc() + +From: Hangyu Hua + +[ Upstream commit 51fe0a470543f345e3c62b6798929de3ddcedc1d ] + +rules is allocated in ethtool_get_rxnfc and the size is determined by +rule_cnt from user space. So rule_cnt needs to be check before using +rules to avoid OOB writing or NULL pointer dereference. + +Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support") +Signed-off-by: Hangyu Hua +Reviewed-by: Marcin Wojtas +Reviewed-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 1fec84b4c068d..0129afa1210e6 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5586,6 +5586,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev, + break; + case ETHTOOL_GRXCLSRLALL: + for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) { ++ if (loc == info->rule_cnt) { ++ ret = -EMSGSIZE; ++ break; ++ } ++ + if (port->rfs_rules[i]) + rules[loc++] = i; + } +-- +2.40.1 + diff --git a/queue-6.5/net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch b/queue-6.5/net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch new file mode 100644 index 00000000000..b7a22dd2cf4 --- /dev/null +++ b/queue-6.5/net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch @@ -0,0 +1,85 @@ +From d2d10943efc884eb563aafd8299e7483a17dd506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 10:57:09 +0800 +Subject: net: ipv4: fix one memleak in __inet_del_ifa() + +From: Liu Jian + +[ Upstream commit ac28b1ec6135649b5d78b028e47264cb3ebca5ea ] + +I got the below warning when do fuzzing test: +unregister_netdevice: waiting for bond0 to become free. Usage count = 2 + +It can be repoduced via: + +ip link add bond0 type bond +sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 +ip addr add 4.117.174.103/0 scope 0x40 dev bond0 +ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 +ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 +ip addr del 4.117.174.103/0 scope 0x40 dev bond0 +ip link delete bond0 type bond + +In this reproduction test case, an incorrect 'last_prim' is found in +__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40) +is lost. The memory of the secondary address is leaked and the reference of +in_device and net_device is leaked. + +Fix this problem: +Look for 'last_prim' starting at location of the deleted IP and inserting +the promoted IP into the location of 'last_prim'. + +Fixes: 0ff60a45678e ("[IPV4]: Fix secondary IP addresses after promotion") +Signed-off-by: Liu Jian +Signed-off-by: Julian Anastasov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 5deac0517ef70..37be82496322d 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -355,14 +355,14 @@ static void __inet_del_ifa(struct in_device *in_dev, + { + struct in_ifaddr *promote = NULL; + struct in_ifaddr *ifa, *ifa1; +- struct in_ifaddr *last_prim; ++ struct in_ifaddr __rcu **last_prim; + struct in_ifaddr *prev_prom = NULL; + int do_promote = IN_DEV_PROMOTE_SECONDARIES(in_dev); + + ASSERT_RTNL(); + + ifa1 = rtnl_dereference(*ifap); +- last_prim = rtnl_dereference(in_dev->ifa_list); ++ last_prim = ifap; + if (in_dev->dead) + goto no_promotions; + +@@ -376,7 +376,7 @@ static void __inet_del_ifa(struct in_device *in_dev, + while ((ifa = rtnl_dereference(*ifap1)) != NULL) { + if (!(ifa->ifa_flags & IFA_F_SECONDARY) && + ifa1->ifa_scope <= ifa->ifa_scope) +- last_prim = ifa; ++ last_prim = &ifa->ifa_next; + + if (!(ifa->ifa_flags & IFA_F_SECONDARY) || + ifa1->ifa_mask != ifa->ifa_mask || +@@ -440,9 +440,9 @@ static void __inet_del_ifa(struct in_device *in_dev, + + rcu_assign_pointer(prev_prom->ifa_next, next_sec); + +- last_sec = rtnl_dereference(last_prim->ifa_next); ++ last_sec = rtnl_dereference(*last_prim); + rcu_assign_pointer(promote->ifa_next, last_sec); +- rcu_assign_pointer(last_prim->ifa_next, promote); ++ rcu_assign_pointer(*last_prim, promote); + } + + promote->ifa_flags &= ~IFA_F_SECONDARY; +-- +2.40.1 + diff --git a/queue-6.5/net-macb-fix-sleep-inside-spinlock.patch b/queue-6.5/net-macb-fix-sleep-inside-spinlock.patch new file mode 100644 index 00000000000..bf756eb5204 --- /dev/null +++ b/queue-6.5/net-macb-fix-sleep-inside-spinlock.patch @@ -0,0 +1,97 @@ +From 310dc070c1ca7549141d047369db3d1b4e3e2928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 13:29:13 +0200 +Subject: net: macb: fix sleep inside spinlock + +From: Sascha Hauer + +[ Upstream commit 403f0e771457e2b8811dc280719d11b9bacf10f4 ] + +macb_set_tx_clk() is called under a spinlock but itself calls clk_set_rate() +which can sleep. This results in: + +| BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 +| pps pps1: new PPS source ptp1 +| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 40, name: kworker/u4:3 +| preempt_count: 1, expected: 0 +| RCU nest depth: 0, expected: 0 +| 4 locks held by kworker/u4:3/40: +| #0: ffff000003409148 +| macb ff0c0000.ethernet: gem-ptp-timer ptp clock registered. +| ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c +| #1: ffff8000833cbdd8 ((work_completion)(&pl->resolve)){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c +| #2: ffff000004f01578 (&pl->state_mutex){+.+.}-{4:4}, at: phylink_resolve+0x44/0x4e8 +| #3: ffff000004f06f50 (&bp->lock){....}-{3:3}, at: macb_mac_link_up+0x40/0x2ac +| irq event stamp: 113998 +| hardirqs last enabled at (113997): [] _raw_spin_unlock_irq+0x30/0x64 +| hardirqs last disabled at (113998): [] _raw_spin_lock_irqsave+0xac/0xc8 +| softirqs last enabled at (113608): [] __do_softirq+0x430/0x4e4 +| softirqs last disabled at (113597): [] ____do_softirq+0x10/0x1c +| CPU: 0 PID: 40 Comm: kworker/u4:3 Not tainted 6.5.0-11717-g9355ce8b2f50-dirty #368 +| Hardware name: ... ZynqMP ... (DT) +| Workqueue: events_power_efficient phylink_resolve +| Call trace: +| dump_backtrace+0x98/0xf0 +| show_stack+0x18/0x24 +| dump_stack_lvl+0x60/0xac +| dump_stack+0x18/0x24 +| __might_resched+0x144/0x24c +| __might_sleep+0x48/0x98 +| __mutex_lock+0x58/0x7b0 +| mutex_lock_nested+0x24/0x30 +| clk_prepare_lock+0x4c/0xa8 +| clk_set_rate+0x24/0x8c +| macb_mac_link_up+0x25c/0x2ac +| phylink_resolve+0x178/0x4e8 +| process_one_work+0x1ec/0x51c +| worker_thread+0x1ec/0x3e4 +| kthread+0x120/0x124 +| ret_from_fork+0x10/0x20 + +The obvious fix is to move the call to macb_set_tx_clk() out of the +protected area. This seems safe as rx and tx are both disabled anyway at +this point. +It is however not entirely clear what the spinlock shall protect. It +could be the read-modify-write access to the NCFGR register, but this +is accessed in macb_set_rx_mode() and macb_set_rxcsum_feature() as well +without holding the spinlock. It could also be the register accesses +done in mog_init_rings() or macb_init_buffers(), but again these +functions are called without holding the spinlock in macb_hresp_error_task(). +The locking seems fishy in this driver and it might deserve another look +before this patch is applied. + +Fixes: 633e98a711ac0 ("net: macb: use resolved link config in mac_link_up()") +Signed-off-by: Sascha Hauer +Link: https://lore.kernel.org/r/20230908112913.1701766-1-s.hauer@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 82929ee76739d..2d18acf3d5eae 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -757,8 +757,6 @@ static void macb_mac_link_up(struct phylink_config *config, + if (rx_pause) + ctrl |= MACB_BIT(PAE); + +- macb_set_tx_clk(bp, speed); +- + /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down + * cleared the pipeline and control registers. + */ +@@ -778,6 +776,9 @@ static void macb_mac_link_up(struct phylink_config *config, + + spin_unlock_irqrestore(&bp->lock, flags); + ++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) ++ macb_set_tx_clk(bp, speed); ++ + /* Enable Rx and Tx; Enable PTP unicast */ + ctrl = macb_readl(bp, NCR); + if (gem_has_ptp(bp)) +-- +2.40.1 + diff --git a/queue-6.5/net-microchip-vcap-api-fix-possible-memory-leak-for-.patch b/queue-6.5/net-microchip-vcap-api-fix-possible-memory-leak-for-.patch new file mode 100644 index 00000000000..99e674d11be --- /dev/null +++ b/queue-6.5/net-microchip-vcap-api-fix-possible-memory-leak-for-.patch @@ -0,0 +1,83 @@ +From 2b61047cedc935036011648de8a9076a55905481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 22:03:58 +0800 +Subject: net: microchip: vcap api: Fix possible memory leak for + vcap_dup_rule() + +From: Jinjie Ruan + +[ Upstream commit 281f65d29d6da1a9b6907fb0b145aaf34f4e4822 ] + +Inject fault When select CONFIG_VCAP_KUNIT_TEST, the below memory leak +occurs. If kzalloc() for duprule succeeds, but the following +kmemdup() fails, the duprule, ckf and caf memory will be leaked. So kfree +them in the error path. + +unreferenced object 0xffff122744c50600 (size 192): + comm "kunit_try_catch", pid 346, jiffies 4294896122 (age 911.812s) + hex dump (first 32 bytes): + 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,... + 00 00 00 00 00 00 00 00 18 06 c5 44 27 12 ff ff ...........D'... + backtrace: + [<00000000394b0db8>] __kmem_cache_alloc_node+0x274/0x2f8 + [<0000000001bedc67>] kmalloc_trace+0x38/0x88 + [<00000000b0612f98>] vcap_dup_rule+0x50/0x460 + [<000000005d2d3aca>] vcap_add_rule+0x8cc/0x1038 + [<00000000eef9d0f8>] test_vcap_xn_rule_creator.constprop.0.isra.0+0x238/0x494 + [<00000000cbda607b>] vcap_api_rule_remove_in_front_test+0x1ac/0x698 + [<00000000c8766299>] kunit_try_run_case+0xe0/0x20c + [<00000000c4fe9186>] kunit_generic_run_threadfn_adapter+0x50/0x94 + [<00000000f6864acf>] kthread+0x2e8/0x374 + [<0000000022e639b3>] ret_from_fork+0x10/0x20 + +Fixes: 814e7693207f ("net: microchip: vcap api: Add a storage state to a VCAP rule") +Signed-off-by: Jinjie Ruan +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/vcap/vcap_api.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api.c b/drivers/net/ethernet/microchip/vcap/vcap_api.c +index a418ad8e8770a..15a3a31b15d45 100644 +--- a/drivers/net/ethernet/microchip/vcap/vcap_api.c ++++ b/drivers/net/ethernet/microchip/vcap/vcap_api.c +@@ -1021,18 +1021,32 @@ static struct vcap_rule_internal *vcap_dup_rule(struct vcap_rule_internal *ri, + list_for_each_entry(ckf, &ri->data.keyfields, ctrl.list) { + newckf = kmemdup(ckf, sizeof(*newckf), GFP_KERNEL); + if (!newckf) +- return ERR_PTR(-ENOMEM); ++ goto err; + list_add_tail(&newckf->ctrl.list, &duprule->data.keyfields); + } + + list_for_each_entry(caf, &ri->data.actionfields, ctrl.list) { + newcaf = kmemdup(caf, sizeof(*newcaf), GFP_KERNEL); + if (!newcaf) +- return ERR_PTR(-ENOMEM); ++ goto err; + list_add_tail(&newcaf->ctrl.list, &duprule->data.actionfields); + } + + return duprule; ++ ++err: ++ list_for_each_entry_safe(ckf, newckf, &duprule->data.keyfields, ctrl.list) { ++ list_del(&ckf->ctrl.list); ++ kfree(ckf); ++ } ++ ++ list_for_each_entry_safe(caf, newcaf, &duprule->data.actionfields, ctrl.list) { ++ list_del(&caf->ctrl.list); ++ kfree(caf); ++ } ++ ++ kfree(duprule); ++ return ERR_PTR(-ENOMEM); + } + + static void vcap_apply_width(u8 *dst, int width, int bytes) +-- +2.40.1 + diff --git a/queue-6.5/net-renesas-rswitch-fix-unmasking-irq-condition.patch b/queue-6.5/net-renesas-rswitch-fix-unmasking-irq-condition.patch new file mode 100644 index 00000000000..1b5227696a7 --- /dev/null +++ b/queue-6.5/net-renesas-rswitch-fix-unmasking-irq-condition.patch @@ -0,0 +1,43 @@ +From 1e2b7e9d310ab069c45f7320339bdcdba7c67e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 10:49:35 +0900 +Subject: net: renesas: rswitch: Fix unmasking irq condition + +From: Yoshihiro Shimoda + +[ Upstream commit e7b1ef29420fe52c2c1a273a9b4b36103a522625 ] + +Fix unmasking irq condition by using napi_complete_done(). Otherwise, +redundant interrupts happen. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 4e412ac0965a4..449ed1f5624c9 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -816,10 +816,10 @@ static int rswitch_poll(struct napi_struct *napi, int budget) + + netif_wake_subqueue(ndev, 0); + +- napi_complete(napi); +- +- rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true); +- rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true); ++ if (napi_complete_done(napi, budget - quota)) { ++ rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true); ++ rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true); ++ } + + out: + return budget - quota; +-- +2.40.1 + diff --git a/queue-6.5/net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch b/queue-6.5/net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch new file mode 100644 index 00000000000..21be6cdcbac --- /dev/null +++ b/queue-6.5/net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch @@ -0,0 +1,73 @@ +From 755304e5c05a6cdb38e9b44ee14ab5eee802db46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 11:31:43 +0800 +Subject: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate + in smcr_port_add + +From: Guangguan Wang + +[ Upstream commit f5146e3ef0a9eea405874b36178c19a4863b8989 ] + +While doing smcr_port_add, there maybe linkgroup add into or delete +from smc_lgr_list.list at the same time, which may result kernel crash. +So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in +smcr_port_add. + +The crash calltrace show below: +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP NOPTI +CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G +Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014 +Workqueue: events smc_ib_port_event_work [smc] +RIP: 0010:smcr_port_add+0xa6/0xf0 [smc] +RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297 +RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000 +RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000 +RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918 +R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4 +R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08 +FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0 +PKRU: 55555554 +Call Trace: + smc_ib_port_event_work+0x18f/0x380 [smc] + process_one_work+0x19b/0x340 + worker_thread+0x30/0x370 + ? process_one_work+0x340/0x340 + kthread+0x114/0x130 + ? __kthread_cancel_work+0x50/0x50 + ret_from_fork+0x1f/0x30 + +Fixes: 1f90a05d9ff9 ("net/smc: add smcr_port_add() and smcr_link_up() processing") +Signed-off-by: Guangguan Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 6b78075404d7d..3e89bb9b7c56c 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -1654,6 +1654,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport) + { + struct smc_link_group *lgr, *n; + ++ spin_lock_bh(&smc_lgr_list.lock); + list_for_each_entry_safe(lgr, n, &smc_lgr_list.list, list) { + struct smc_link *link; + +@@ -1669,6 +1670,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport) + if (link) + smc_llc_add_link_local(link); + } ++ spin_unlock_bh(&smc_lgr_list.lock); + } + + /* link is down - switch connections to alternate link, +-- +2.40.1 + diff --git a/queue-6.5/net-stmmac-fix-handling-of-zero-coalescing-tx-usecs.patch b/queue-6.5/net-stmmac-fix-handling-of-zero-coalescing-tx-usecs.patch new file mode 100644 index 00000000000..ae9dd0e0306 --- /dev/null +++ b/queue-6.5/net-stmmac-fix-handling-of-zero-coalescing-tx-usecs.patch @@ -0,0 +1,59 @@ +From 07ae12ae6f46cc9aeffd94dd07ec8003ca6afc97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 12:46:31 +0200 +Subject: net: stmmac: fix handling of zero coalescing tx-usecs + +From: Vincent Whitchurch + +[ Upstream commit fa60b8163816f194786f3ee334c9a458da7699c6 ] + +Setting ethtool -C eth0 tx-usecs 0 is supposed to disable the use of the +coalescing timer but currently it gets programmed with zero delay +instead. + +Disable the use of the coalescing timer if tx-usecs is zero by +preventing it from being restarted. Note that to keep things simple we +don't start/stop the timer when the coalescing settings are changed, but +just let that happen on the next transmit or timer expiry. + +Fixes: 8fce33317023 ("net: stmmac: Rework coalesce timer and fix multi-queue races") +Signed-off-by: Vincent Whitchurch +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 4727f7be4f86e..6931973028aef 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2703,9 +2703,7 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + + /* We still have pending packets, let's call for a new scheduling */ + if (tx_q->dirty_tx != tx_q->cur_tx) +- hrtimer_start(&tx_q->txtimer, +- STMMAC_COAL_TIMER(priv->tx_coal_timer[queue]), +- HRTIMER_MODE_REL); ++ stmmac_tx_timer_arm(priv, queue); + + __netif_tx_unlock_bh(netdev_get_tx_queue(priv->dev, queue)); + +@@ -2986,9 +2984,13 @@ static int stmmac_init_dma_engine(struct stmmac_priv *priv) + static void stmmac_tx_timer_arm(struct stmmac_priv *priv, u32 queue) + { + struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[queue]; ++ u32 tx_coal_timer = priv->tx_coal_timer[queue]; ++ ++ if (!tx_coal_timer) ++ return; + + hrtimer_start(&tx_q->txtimer, +- STMMAC_COAL_TIMER(priv->tx_coal_timer[queue]), ++ STMMAC_COAL_TIMER(tx_coal_timer), + HRTIMER_MODE_REL); + } + +-- +2.40.1 + diff --git a/queue-6.5/net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch b/queue-6.5/net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch new file mode 100644 index 00000000000..fa61930f342 --- /dev/null +++ b/queue-6.5/net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch @@ -0,0 +1,85 @@ +From 1eb60cd574f67def00807cfa17d97d8573290e24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Sep 2023 16:14:34 +0800 +Subject: net/tls: do not free tls_rec on async operation in + bpf_exec_tx_verdict() + +From: Liu Jian + +[ Upstream commit cfaa80c91f6f99b9342b6557f0f0e1143e434066 ] + +I got the below warning when do fuzzing test: +BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470 +Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9 + +CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE +Hardware name: linux,dummy-virt (DT) +Workqueue: pencrypt_parallel padata_parallel_worker +Call trace: + dump_backtrace+0x0/0x420 + show_stack+0x34/0x44 + dump_stack+0x1d0/0x248 + __kasan_report+0x138/0x140 + kasan_report+0x44/0x6c + __asan_load4+0x94/0xd0 + scatterwalk_copychunks+0x320/0x470 + skcipher_next_slow+0x14c/0x290 + skcipher_walk_next+0x2fc/0x480 + skcipher_walk_first+0x9c/0x110 + skcipher_walk_aead_common+0x380/0x440 + skcipher_walk_aead_encrypt+0x54/0x70 + ccm_encrypt+0x13c/0x4d0 + crypto_aead_encrypt+0x7c/0xfc + pcrypt_aead_enc+0x28/0x84 + padata_parallel_worker+0xd0/0x2dc + process_one_work+0x49c/0xbdc + worker_thread+0x124/0x880 + kthread+0x210/0x260 + ret_from_fork+0x10/0x18 + +This is because the value of rec_seq of tls_crypto_info configured by the +user program is too large, for example, 0xffffffffffffff. In addition, TLS +is asynchronously accelerated. When tls_do_encryption() returns +-EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow, +skmsg is released before the asynchronous encryption process ends. As a +result, the UAF problem occurs during the asynchronous processing of the +encryption module. + +If the operation is asynchronous and the encryption module returns +EINPROGRESS, do not free the record information. + +Fixes: 635d93981786 ("net/tls: free record only on encryption error") +Signed-off-by: Liu Jian +Reviewed-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 53f944e6d8ef2..e047abc600893 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -817,7 +817,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + psock = sk_psock_get(sk); + if (!psock || !policy) { + err = tls_push_record(sk, flags, record_type); +- if (err && sk->sk_err == EBADMSG) { ++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); + err = -sk->sk_err; +@@ -846,7 +846,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + switch (psock->eval) { + case __SK_PASS: + err = tls_push_record(sk, flags, record_type); +- if (err && sk->sk_err == EBADMSG) { ++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); + err = -sk->sk_err; +-- +2.40.1 + diff --git a/queue-6.5/octeontx2-pf-fix-page-pool-cache-index-corruption.patch b/queue-6.5/octeontx2-pf-fix-page-pool-cache-index-corruption.patch new file mode 100644 index 00000000000..01568be4061 --- /dev/null +++ b/queue-6.5/octeontx2-pf-fix-page-pool-cache-index-corruption.patch @@ -0,0 +1,285 @@ +From e169fe8983e2e3be5aaff4014de9aea00be9bf01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 08:23:09 +0530 +Subject: octeontx2-pf: Fix page pool cache index corruption. + +From: Ratheesh Kannoth + +[ Upstream commit 88e69af061f2e061a68751ef9cad47a674527a1b ] + +The access to page pool `cache' array and the `count' variable +is not locked. Page pool cache access is fine as long as there +is only one consumer per pool. + +octeontx2 driver fills in rx buffers from page pool in NAPI context. +If system is stressed and could not allocate buffers, refiiling work +will be delegated to a delayed workqueue. This means that there are +two cosumers to the page pool cache. + +Either workqueue or IRQ/NAPI can be run on other CPU. This will lead +to lock less access, hence corruption of cache pool indexes. + +To fix this issue, NAPI is rescheduled from workqueue context to refill +rx buffers. + +Fixes: b2e3406a38f0 ("octeontx2-pf: Add support for page pool") +Signed-off-by: Ratheesh Kannoth +Reported-by: Sebastian Andrzej Siewior +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/cn10k.c | 6 ++- + .../ethernet/marvell/octeontx2/nic/cn10k.h | 2 +- + .../marvell/octeontx2/nic/otx2_common.c | 43 +++---------------- + .../marvell/octeontx2/nic/otx2_common.h | 3 +- + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 7 +-- + .../marvell/octeontx2/nic/otx2_txrx.c | 30 ++++++++++--- + .../marvell/octeontx2/nic/otx2_txrx.h | 4 +- + 7 files changed, 44 insertions(+), 51 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +index 826f691de2595..a4a258da8dd59 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +@@ -107,12 +107,13 @@ int cn10k_sq_aq_init(void *dev, u16 qidx, u16 sqb_aura) + } + + #define NPA_MAX_BURST 16 +-void cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) ++int cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) + { + struct otx2_nic *pfvf = dev; ++ int cnt = cq->pool_ptrs; + u64 ptrs[NPA_MAX_BURST]; +- int num_ptrs = 1; + dma_addr_t bufptr; ++ int num_ptrs = 1; + + /* Refill pool with new buffers */ + while (cq->pool_ptrs) { +@@ -131,6 +132,7 @@ void cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) + num_ptrs = 1; + } + } ++ return cnt - cq->pool_ptrs; + } + + void cn10k_sqe_flush(void *dev, struct otx2_snd_queue *sq, int size, int qidx) +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h +index 8ae96815865e6..c1861f7de2545 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.h +@@ -24,7 +24,7 @@ static inline int mtu_to_dwrr_weight(struct otx2_nic *pfvf, int mtu) + return weight; + } + +-void cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); ++int cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); + void cn10k_sqe_flush(void *dev, struct otx2_snd_queue *sq, int size, int qidx); + int cn10k_sq_aq_init(void *dev, u16 qidx, u16 sqb_aura); + int cn10k_lmtst_init(struct otx2_nic *pfvf); +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index b9712040a0bc2..20ecc90d203e0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -573,20 +573,8 @@ int otx2_alloc_rbuf(struct otx2_nic *pfvf, struct otx2_pool *pool, + int otx2_alloc_buffer(struct otx2_nic *pfvf, struct otx2_cq_queue *cq, + dma_addr_t *dma) + { +- if (unlikely(__otx2_alloc_rbuf(pfvf, cq->rbpool, dma))) { +- struct refill_work *work; +- struct delayed_work *dwork; +- +- work = &pfvf->refill_wrk[cq->cq_idx]; +- dwork = &work->pool_refill_work; +- /* Schedule a task if no other task is running */ +- if (!cq->refill_task_sched) { +- cq->refill_task_sched = true; +- schedule_delayed_work(dwork, +- msecs_to_jiffies(100)); +- } ++ if (unlikely(__otx2_alloc_rbuf(pfvf, cq->rbpool, dma))) + return -ENOMEM; +- } + return 0; + } + +@@ -1080,39 +1068,20 @@ static int otx2_cq_init(struct otx2_nic *pfvf, u16 qidx) + static void otx2_pool_refill_task(struct work_struct *work) + { + struct otx2_cq_queue *cq; +- struct otx2_pool *rbpool; + struct refill_work *wrk; +- int qidx, free_ptrs = 0; + struct otx2_nic *pfvf; +- dma_addr_t bufptr; ++ int qidx; + + wrk = container_of(work, struct refill_work, pool_refill_work.work); + pfvf = wrk->pf; + qidx = wrk - pfvf->refill_wrk; + cq = &pfvf->qset.cq[qidx]; +- rbpool = cq->rbpool; +- free_ptrs = cq->pool_ptrs; + +- while (cq->pool_ptrs) { +- if (otx2_alloc_rbuf(pfvf, rbpool, &bufptr)) { +- /* Schedule a WQ if we fails to free atleast half of the +- * pointers else enable napi for this RQ. +- */ +- if (!((free_ptrs - cq->pool_ptrs) > free_ptrs / 2)) { +- struct delayed_work *dwork; +- +- dwork = &wrk->pool_refill_work; +- schedule_delayed_work(dwork, +- msecs_to_jiffies(100)); +- } else { +- cq->refill_task_sched = false; +- } +- return; +- } +- pfvf->hw_ops->aura_freeptr(pfvf, qidx, bufptr + OTX2_HEAD_ROOM); +- cq->pool_ptrs--; +- } + cq->refill_task_sched = false; ++ ++ local_bh_disable(); ++ napi_schedule(wrk->napi); ++ local_bh_enable(); + } + + int otx2_config_nix_queues(struct otx2_nic *pfvf) +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +index ba8091131ec08..0e81849db3538 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -301,6 +301,7 @@ struct flr_work { + struct refill_work { + struct delayed_work pool_refill_work; + struct otx2_nic *pf; ++ struct napi_struct *napi; + }; + + /* PTPv2 originTimestamp structure */ +@@ -373,7 +374,7 @@ struct dev_hw_ops { + int (*sq_aq_init)(void *dev, u16 qidx, u16 sqb_aura); + void (*sqe_flush)(void *dev, struct otx2_snd_queue *sq, + int size, int qidx); +- void (*refill_pool_ptrs)(void *dev, struct otx2_cq_queue *cq); ++ int (*refill_pool_ptrs)(void *dev, struct otx2_cq_queue *cq); + void (*aura_freeptr)(void *dev, int aura, u64 buf); + }; + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 9551b422622a4..9ded98bb1c890 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1942,6 +1942,10 @@ int otx2_stop(struct net_device *netdev) + + netif_tx_disable(netdev); + ++ for (wrk = 0; wrk < pf->qset.cq_cnt; wrk++) ++ cancel_delayed_work_sync(&pf->refill_wrk[wrk].pool_refill_work); ++ devm_kfree(pf->dev, pf->refill_wrk); ++ + otx2_free_hw_resources(pf); + otx2_free_cints(pf, pf->hw.cint_cnt); + otx2_disable_napi(pf); +@@ -1949,9 +1953,6 @@ int otx2_stop(struct net_device *netdev) + for (qidx = 0; qidx < netdev->num_tx_queues; qidx++) + netdev_tx_reset_queue(netdev_get_tx_queue(netdev, qidx)); + +- for (wrk = 0; wrk < pf->qset.cq_cnt; wrk++) +- cancel_delayed_work_sync(&pf->refill_wrk[wrk].pool_refill_work); +- devm_kfree(pf->dev, pf->refill_wrk); + + kfree(qset->sq); + kfree(qset->cq); +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index e369baf115301..e77d438489557 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -424,9 +424,10 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf, + return processed_cqe; + } + +-void otx2_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) ++int otx2_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) + { + struct otx2_nic *pfvf = dev; ++ int cnt = cq->pool_ptrs; + dma_addr_t bufptr; + + while (cq->pool_ptrs) { +@@ -435,6 +436,8 @@ void otx2_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq) + otx2_aura_freeptr(pfvf, cq->cq_idx, bufptr + OTX2_HEAD_ROOM); + cq->pool_ptrs--; + } ++ ++ return cnt - cq->pool_ptrs; + } + + static int otx2_tx_napi_handler(struct otx2_nic *pfvf, +@@ -521,6 +524,7 @@ int otx2_napi_handler(struct napi_struct *napi, int budget) + struct otx2_cq_queue *cq; + struct otx2_qset *qset; + struct otx2_nic *pfvf; ++ int filled_cnt = -1; + + cq_poll = container_of(napi, struct otx2_cq_poll, napi); + pfvf = (struct otx2_nic *)cq_poll->dev; +@@ -541,7 +545,7 @@ int otx2_napi_handler(struct napi_struct *napi, int budget) + } + + if (rx_cq && rx_cq->pool_ptrs) +- pfvf->hw_ops->refill_pool_ptrs(pfvf, rx_cq); ++ filled_cnt = pfvf->hw_ops->refill_pool_ptrs(pfvf, rx_cq); + /* Clear the IRQ */ + otx2_write64(pfvf, NIX_LF_CINTX_INT(cq_poll->cint_idx), BIT_ULL(0)); + +@@ -561,9 +565,25 @@ int otx2_napi_handler(struct napi_struct *napi, int budget) + otx2_config_irq_coalescing(pfvf, i); + } + +- /* Re-enable interrupts */ +- otx2_write64(pfvf, NIX_LF_CINTX_ENA_W1S(cq_poll->cint_idx), +- BIT_ULL(0)); ++ if (unlikely(!filled_cnt)) { ++ struct refill_work *work; ++ struct delayed_work *dwork; ++ ++ work = &pfvf->refill_wrk[cq->cq_idx]; ++ dwork = &work->pool_refill_work; ++ /* Schedule a task if no other task is running */ ++ if (!cq->refill_task_sched) { ++ work->napi = napi; ++ cq->refill_task_sched = true; ++ schedule_delayed_work(dwork, ++ msecs_to_jiffies(100)); ++ } ++ } else { ++ /* Re-enable interrupts */ ++ otx2_write64(pfvf, ++ NIX_LF_CINTX_ENA_W1S(cq_poll->cint_idx), ++ BIT_ULL(0)); ++ } + } + return workdone; + } +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h +index 9e3bfbe5c4809..a82ffca8ce1b1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h +@@ -170,6 +170,6 @@ void cn10k_sqe_flush(void *dev, struct otx2_snd_queue *sq, + int size, int qidx); + void otx2_sqe_flush(void *dev, struct otx2_snd_queue *sq, + int size, int qidx); +-void otx2_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); +-void cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); ++int otx2_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); ++int cn10k_refill_pool_ptrs(void *dev, struct otx2_cq_queue *cq); + #endif /* OTX2_TXRX_H */ +-- +2.40.1 + diff --git a/queue-6.5/parisc-sba_iommu-fix-build-warning-if-procfs-if-disa.patch b/queue-6.5/parisc-sba_iommu-fix-build-warning-if-procfs-if-disa.patch new file mode 100644 index 00000000000..92b84290729 --- /dev/null +++ b/queue-6.5/parisc-sba_iommu-fix-build-warning-if-procfs-if-disa.patch @@ -0,0 +1,90 @@ +From 339b9b78a371ae067e7f11f6314548f06c8b8d48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 07:56:04 +0200 +Subject: parisc: sba_iommu: Fix build warning if procfs if disabled + +From: Helge Deller + +[ Upstream commit 6428bc7bd3f35e43c8cb7359cb89d83248d339d2 ] + +Clean up the code, e.g. make proc_mckinley_root static, drop the now +empty mckinley header file and remove some unneeded ifdefs around procfs +functions. + +Signed-off-by: Helge Deller +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202308300800.Jod4sHzM-lkp@intel.com/ +Fixes: 77e0ddf097d6 ("parisc: ccio-dma: Create private runway procfs root entry") +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/mckinley.h | 8 -------- + drivers/parisc/sba_iommu.c | 10 ++-------- + 2 files changed, 2 insertions(+), 16 deletions(-) + delete mode 100644 arch/parisc/include/asm/mckinley.h + +diff --git a/arch/parisc/include/asm/mckinley.h b/arch/parisc/include/asm/mckinley.h +deleted file mode 100644 +index 1314390b9034b..0000000000000 +--- a/arch/parisc/include/asm/mckinley.h ++++ /dev/null +@@ -1,8 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ +-#ifndef ASM_PARISC_MCKINLEY_H +-#define ASM_PARISC_MCKINLEY_H +- +-/* declared in arch/parisc/kernel/setup.c */ +-extern struct proc_dir_entry * proc_mckinley_root; +- +-#endif /*ASM_PARISC_MCKINLEY_H*/ +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index 8f28f8696bf32..b8e91cbb60567 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -46,8 +46,6 @@ + #include + + #include +-#include /* for proc_mckinley_root */ +-#include /* for proc_runway_root */ + #include /* for PAGE0 */ + #include /* for PDC_MODEL_* */ + #include /* for is_pdc_pat() */ +@@ -122,7 +120,7 @@ MODULE_PARM_DESC(sba_reserve_agpgart, "Reserve half of IO pdir as AGPGART"); + #endif + + static struct proc_dir_entry *proc_runway_root __ro_after_init; +-struct proc_dir_entry *proc_mckinley_root __ro_after_init; ++static struct proc_dir_entry *proc_mckinley_root __ro_after_init; + + /************************************ + ** SBA register read and write support +@@ -1899,9 +1897,7 @@ static int __init sba_driver_callback(struct parisc_device *dev) + int i; + char *version; + void __iomem *sba_addr = ioremap(dev->hpa.start, SBA_FUNC_SIZE); +-#ifdef CONFIG_PROC_FS +- struct proc_dir_entry *root; +-#endif ++ struct proc_dir_entry *root __maybe_unused; + + sba_dump_ranges(sba_addr); + +@@ -1967,7 +1963,6 @@ static int __init sba_driver_callback(struct parisc_device *dev) + + hppa_dma_ops = &sba_ops; + +-#ifdef CONFIG_PROC_FS + switch (dev->id.hversion) { + case PLUTO_MCKINLEY_PORT: + if (!proc_mckinley_root) +@@ -1985,7 +1980,6 @@ static int __init sba_driver_callback(struct parisc_device *dev) + + proc_create_single("sba_iommu", 0, root, sba_proc_info); + proc_create_single("sba_iommu-bitmap", 0, root, sba_proc_bitmap_info); +-#endif + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.5/platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch b/queue-6.5/platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch new file mode 100644 index 00000000000..5006609eb98 --- /dev/null +++ b/queue-6.5/platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch @@ -0,0 +1,77 @@ +From fe064dd54e7868f0cefbcd80299900148bf5cd17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 08:49:32 -0400 +Subject: platform/mellanox: mlxbf-pmc: Fix potential buffer overflows + +From: Shravan Kumar Ramani + +[ Upstream commit 80ccd40568bcd3655b0fd0be1e9b3379fd6e1056 ] + +Replace sprintf with sysfs_emit where possible. +Size check in mlxbf_pmc_event_list_show should account for "\0". + +Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver") +Signed-off-by: Shravan Kumar Ramani +Reviewed-by: Vadim Pasternak +Reviewed-by: David Thompson +Link: https://lore.kernel.org/r/bef39ef32319a31b32f999065911f61b0d3b17c3.1693917738.git.shravankr@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index be967d797c28e..95afcae7b9fa9 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -1008,7 +1008,7 @@ static ssize_t mlxbf_pmc_counter_show(struct device *dev, + } else + return -EINVAL; + +- return sprintf(buf, "0x%llx\n", value); ++ return sysfs_emit(buf, "0x%llx\n", value); + } + + /* Store function for "counter" sysfs files */ +@@ -1078,13 +1078,13 @@ static ssize_t mlxbf_pmc_event_show(struct device *dev, + + err = mlxbf_pmc_read_event(blk_num, cnt_num, is_l3, &evt_num); + if (err) +- return sprintf(buf, "No event being monitored\n"); ++ return sysfs_emit(buf, "No event being monitored\n"); + + evt_name = mlxbf_pmc_get_event_name(pmc->block_name[blk_num], evt_num); + if (!evt_name) + return -EINVAL; + +- return sprintf(buf, "0x%llx: %s\n", evt_num, evt_name); ++ return sysfs_emit(buf, "0x%llx: %s\n", evt_num, evt_name); + } + + /* Store function for "event" sysfs files */ +@@ -1139,9 +1139,9 @@ static ssize_t mlxbf_pmc_event_list_show(struct device *dev, + return -EINVAL; + + for (i = 0, buf[0] = '\0'; i < size; ++i) { +- len += sprintf(e_info, "0x%x: %s\n", events[i].evt_num, +- events[i].evt_name); +- if (len > PAGE_SIZE) ++ len += snprintf(e_info, sizeof(e_info), "0x%x: %s\n", ++ events[i].evt_num, events[i].evt_name); ++ if (len >= PAGE_SIZE) + break; + strcat(buf, e_info); + ret = len; +@@ -1168,7 +1168,7 @@ static ssize_t mlxbf_pmc_enable_show(struct device *dev, + + value = FIELD_GET(MLXBF_PMC_L3C_PERF_CNT_CFG_EN, perfcnt_cfg); + +- return sprintf(buf, "%d\n", value); ++ return sysfs_emit(buf, "%d\n", value); + } + + /* Store function for "enable" sysfs files - only for l3cache */ +-- +2.40.1 + diff --git a/queue-6.5/platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch b/queue-6.5/platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch new file mode 100644 index 00000000000..531080e5fdb --- /dev/null +++ b/queue-6.5/platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch @@ -0,0 +1,118 @@ +From 706a266ce4ab5db167371346bacc0bb4a271f143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 08:49:33 -0400 +Subject: platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events + +From: Shravan Kumar Ramani + +[ Upstream commit 0f5969452e162efc50bdc98968fb62b424a9874b ] + +This fix involves 2 changes: + - All event regs have a reset value of 0, which is not a valid + event_number as per the event_list for most blocks and hence seen + as an error. Add a "disable" event with event_number 0 for all blocks. + + - The enable bit for each counter need not be checked before + reading the event info, and hence removed. + +Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver") +Signed-off-by: Shravan Kumar Ramani +Reviewed-by: Vadim Pasternak +Reviewed-by: David Thompson +Link: https://lore.kernel.org/r/04d0213932d32681de1c716b54320ed894e52425.1693917738.git.shravankr@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 27 +++++++-------------------- + 1 file changed, 7 insertions(+), 20 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index 95afcae7b9fa9..2d4bbe99959ef 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -191,6 +191,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_smgen_events[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = { ++ { 0x0, "DISABLE" }, + { 0xa0, "TPIO_DATA_BEAT" }, + { 0xa1, "TDMA_DATA_BEAT" }, + { 0xa2, "MAP_DATA_BEAT" }, +@@ -214,6 +215,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = { ++ { 0x0, "DISABLE" }, + { 0xa0, "TPIO_DATA_BEAT" }, + { 0xa1, "TDMA_DATA_BEAT" }, + { 0xa2, "MAP_DATA_BEAT" }, +@@ -246,6 +248,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = { ++ { 0x0, "DISABLE" }, + { 0x100, "ECC_SINGLE_ERROR_CNT" }, + { 0x104, "ECC_DOUBLE_ERROR_CNT" }, + { 0x114, "SERR_INJ" }, +@@ -258,6 +261,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = { ++ { 0x0, "DISABLE" }, + { 0xc0, "RXREQ_MSS" }, + { 0xc1, "RXDAT_MSS" }, + { 0xc2, "TXRSP_MSS" }, +@@ -265,6 +269,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = { ++ { 0x0, "DISABLE" }, + { 0x45, "HNF_REQUESTS" }, + { 0x46, "HNF_REJECTS" }, + { 0x47, "ALL_BUSY" }, +@@ -323,6 +328,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = { + }; + + static const struct mlxbf_pmc_events mlxbf_pmc_hnfnet_events[] = { ++ { 0x0, "DISABLE" }, + { 0x12, "CDN_REQ" }, + { 0x13, "DDN_REQ" }, + { 0x14, "NDN_REQ" }, +@@ -892,7 +898,7 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3, + uint64_t *result) + { + uint32_t perfcfg_offset, perfval_offset; +- uint64_t perfmon_cfg, perfevt, perfctl; ++ uint64_t perfmon_cfg, perfevt; + + if (cnt_num >= pmc->block[blk_num].counters) + return -EINVAL; +@@ -904,25 +910,6 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3, + perfval_offset = perfcfg_offset + + pmc->block[blk_num].counters * MLXBF_PMC_REG_SIZE; + +- /* Set counter in "read" mode */ +- perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR, +- MLXBF_PMC_PERFCTL); +- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_STROBE, 1); +- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_WR_R_B, 0); +- +- if (mlxbf_pmc_write(pmc->block[blk_num].mmio_base + perfcfg_offset, +- MLXBF_PMC_WRITE_REG_64, perfmon_cfg)) +- return -EFAULT; +- +- /* Check if the counter is enabled */ +- +- if (mlxbf_pmc_read(pmc->block[blk_num].mmio_base + perfval_offset, +- MLXBF_PMC_READ_REG_64, &perfctl)) +- return -EFAULT; +- +- if (!FIELD_GET(MLXBF_PMC_PERFCTL_EN0, perfctl)) +- return -EINVAL; +- + /* Set counter in "read" mode */ + perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR, + MLXBF_PMC_PERFEVT); +-- +2.40.1 + diff --git a/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch b/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch new file mode 100644 index 00000000000..017a19429eb --- /dev/null +++ b/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch @@ -0,0 +1,103 @@ +From 64744f9b1f1508e458ccf2e6c7fe5cc81e8861ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 13:43:00 -0400 +Subject: platform/mellanox: mlxbf-tmfifo: Drop jumbo frames + +From: Liming Sun + +[ Upstream commit fc4c655821546239abb3cf4274d66b9747aa87dd ] + +This commit drops over-sized network packets to avoid tmfifo +queue stuck. + +Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc") +Signed-off-by: Liming Sun +Reviewed-by: Vadim Pasternak +Reviewed-by: David Thompson +Link: https://lore.kernel.org/r/9318936c2447f76db475c985ca6d91f057efcd41.1693322547.git.limings@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index 5c1f859b682a8..f3696a54a2bd7 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -224,7 +224,7 @@ static u8 mlxbf_tmfifo_net_default_mac[ETH_ALEN] = { + static efi_char16_t mlxbf_tmfifo_efi_name[] = L"RshimMacAddr"; + + /* Maximum L2 header length. */ +-#define MLXBF_TMFIFO_NET_L2_OVERHEAD 36 ++#define MLXBF_TMFIFO_NET_L2_OVERHEAD (ETH_HLEN + VLAN_HLEN) + + /* Supported virtio-net features. */ + #define MLXBF_TMFIFO_NET_FEATURES \ +@@ -642,13 +642,14 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring, + * flag is set. + */ + static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring, +- struct vring_desc *desc, ++ struct vring_desc **desc, + bool is_rx, bool *vring_change) + { + struct mlxbf_tmfifo *fifo = vring->fifo; + struct virtio_net_config *config; + struct mlxbf_tmfifo_msg_hdr hdr; + int vdev_id, hdr_len; ++ bool drop_rx = false; + + /* Read/Write packet header. */ + if (is_rx) { +@@ -668,8 +669,8 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring, + if (ntohs(hdr.len) > + __virtio16_to_cpu(virtio_legacy_is_little_endian(), + config->mtu) + +- MLXBF_TMFIFO_NET_L2_OVERHEAD) +- return; ++ MLXBF_TMFIFO_NET_L2_OVERHEAD) ++ drop_rx = true; + } else { + vdev_id = VIRTIO_ID_CONSOLE; + hdr_len = 0; +@@ -684,16 +685,25 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring, + + if (!tm_dev2) + return; +- vring->desc = desc; ++ vring->desc = *desc; + vring = &tm_dev2->vrings[MLXBF_TMFIFO_VRING_RX]; + *vring_change = true; + } ++ ++ if (drop_rx && !IS_VRING_DROP(vring)) { ++ if (vring->desc_head) ++ mlxbf_tmfifo_release_pkt(vring); ++ *desc = &vring->drop_desc; ++ vring->desc_head = *desc; ++ vring->desc = *desc; ++ } ++ + vring->pkt_len = ntohs(hdr.len) + hdr_len; + } else { + /* Network virtio has an extra header. */ + hdr_len = (vring->vdev_id == VIRTIO_ID_NET) ? + sizeof(struct virtio_net_hdr) : 0; +- vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, desc); ++ vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, *desc); + hdr.type = (vring->vdev_id == VIRTIO_ID_NET) ? + VIRTIO_ID_NET : VIRTIO_ID_CONSOLE; + hdr.len = htons(vring->pkt_len - hdr_len); +@@ -742,7 +752,7 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring, + + /* Beginning of a packet. Start to Rx/Tx packet header. */ + if (vring->pkt_len == 0) { +- mlxbf_tmfifo_rxtx_header(vring, desc, is_rx, &vring_change); ++ mlxbf_tmfifo_rxtx_header(vring, &desc, is_rx, &vring_change); + (*avail)--; + + /* Return if new packet is for another ring. */ +-- +2.40.1 + diff --git a/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch b/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch new file mode 100644 index 00000000000..cc292ff87bd --- /dev/null +++ b/queue-6.5/platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch @@ -0,0 +1,176 @@ +From e36ceb39047583a55eeb74c9d57592993f49e804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 13:42:59 -0400 +Subject: platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more + descriptors + +From: Liming Sun + +[ Upstream commit 78034cbece79c2d730ad0770b3b7f23eedbbecf5 ] + +This commit fixes tmfifo console stuck issue when the virtual +networking interface is in down state. In such case, the network +Rx descriptors runs out and causes the Rx network packet staying +in the head of the tmfifo thus blocking the console packets. The +fix is to drop the Rx network packet when no more Rx descriptors. +Function name mlxbf_tmfifo_release_pending_pkt() is also renamed +to mlxbf_tmfifo_release_pkt() to be more approperiate. + +Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc") +Signed-off-by: Liming Sun +Reviewed-by: Vadim Pasternak +Reviewed-by: David Thompson +Link: https://lore.kernel.org/r/8c0177dc938ae03f52ff7e0b62dbeee74b7bec09.1693322547.git.limings@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 66 ++++++++++++++++++------ + 1 file changed, 49 insertions(+), 17 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index b600b77d91ef2..5c1f859b682a8 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -59,6 +59,7 @@ struct mlxbf_tmfifo; + * @vq: pointer to the virtio virtqueue + * @desc: current descriptor of the pending packet + * @desc_head: head descriptor of the pending packet ++ * @drop_desc: dummy desc for packet dropping + * @cur_len: processed length of the current descriptor + * @rem_len: remaining length of the pending packet + * @pkt_len: total length of the pending packet +@@ -75,6 +76,7 @@ struct mlxbf_tmfifo_vring { + struct virtqueue *vq; + struct vring_desc *desc; + struct vring_desc *desc_head; ++ struct vring_desc drop_desc; + int cur_len; + int rem_len; + u32 pkt_len; +@@ -86,6 +88,14 @@ struct mlxbf_tmfifo_vring { + struct mlxbf_tmfifo *fifo; + }; + ++/* Check whether vring is in drop mode. */ ++#define IS_VRING_DROP(_r) ({ \ ++ typeof(_r) (r) = (_r); \ ++ (r->desc_head == &r->drop_desc ? true : false); }) ++ ++/* A stub length to drop maximum length packet. */ ++#define VRING_DROP_DESC_MAX_LEN GENMASK(15, 0) ++ + /* Interrupt types. */ + enum { + MLXBF_TM_RX_LWM_IRQ, +@@ -262,6 +272,7 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo, + vring->align = SMP_CACHE_BYTES; + vring->index = i; + vring->vdev_id = tm_vdev->vdev.id.device; ++ vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN; + dev = &tm_vdev->vdev.dev; + + size = vring_size(vring->num, vring->align); +@@ -367,7 +378,7 @@ static u32 mlxbf_tmfifo_get_pkt_len(struct mlxbf_tmfifo_vring *vring, + return len; + } + +-static void mlxbf_tmfifo_release_pending_pkt(struct mlxbf_tmfifo_vring *vring) ++static void mlxbf_tmfifo_release_pkt(struct mlxbf_tmfifo_vring *vring) + { + struct vring_desc *desc_head; + u32 len = 0; +@@ -596,19 +607,25 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring, + + if (vring->cur_len + sizeof(u64) <= len) { + /* The whole word. */ +- if (is_rx) +- memcpy(addr + vring->cur_len, &data, sizeof(u64)); +- else +- memcpy(&data, addr + vring->cur_len, sizeof(u64)); ++ if (!IS_VRING_DROP(vring)) { ++ if (is_rx) ++ memcpy(addr + vring->cur_len, &data, ++ sizeof(u64)); ++ else ++ memcpy(&data, addr + vring->cur_len, ++ sizeof(u64)); ++ } + vring->cur_len += sizeof(u64); + } else { + /* Leftover bytes. */ +- if (is_rx) +- memcpy(addr + vring->cur_len, &data, +- len - vring->cur_len); +- else +- memcpy(&data, addr + vring->cur_len, +- len - vring->cur_len); ++ if (!IS_VRING_DROP(vring)) { ++ if (is_rx) ++ memcpy(addr + vring->cur_len, &data, ++ len - vring->cur_len); ++ else ++ memcpy(&data, addr + vring->cur_len, ++ len - vring->cur_len); ++ } + vring->cur_len = len; + } + +@@ -709,8 +726,16 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring, + /* Get the descriptor of the next packet. */ + if (!vring->desc) { + desc = mlxbf_tmfifo_get_next_pkt(vring, is_rx); +- if (!desc) +- return false; ++ if (!desc) { ++ /* Drop next Rx packet to avoid stuck. */ ++ if (is_rx) { ++ desc = &vring->drop_desc; ++ vring->desc_head = desc; ++ vring->desc = desc; ++ } else { ++ return false; ++ } ++ } + } else { + desc = vring->desc; + } +@@ -743,17 +768,24 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring, + vring->rem_len -= len; + + /* Get the next desc on the chain. */ +- if (vring->rem_len > 0 && ++ if (!IS_VRING_DROP(vring) && vring->rem_len > 0 && + (virtio16_to_cpu(vdev, desc->flags) & VRING_DESC_F_NEXT)) { + idx = virtio16_to_cpu(vdev, desc->next); + desc = &vr->desc[idx]; + goto mlxbf_tmfifo_desc_done; + } + +- /* Done and release the pending packet. */ +- mlxbf_tmfifo_release_pending_pkt(vring); ++ /* Done and release the packet. */ + desc = NULL; + fifo->vring[is_rx] = NULL; ++ if (!IS_VRING_DROP(vring)) { ++ mlxbf_tmfifo_release_pkt(vring); ++ } else { ++ vring->pkt_len = 0; ++ vring->desc_head = NULL; ++ vring->desc = NULL; ++ return false; ++ } + + /* + * Make sure the load/store are in order before +@@ -933,7 +965,7 @@ static void mlxbf_tmfifo_virtio_del_vqs(struct virtio_device *vdev) + + /* Release the pending packet. */ + if (vring->desc) +- mlxbf_tmfifo_release_pending_pkt(vring); ++ mlxbf_tmfifo_release_pkt(vring); + vq = vring->vq; + if (vq) { + vring->vq = NULL; +-- +2.40.1 + diff --git a/queue-6.5/platform-mellanox-nvsw_sn2201-should-depend-on-acpi.patch b/queue-6.5/platform-mellanox-nvsw_sn2201-should-depend-on-acpi.patch new file mode 100644 index 00000000000..d340479b8fa --- /dev/null +++ b/queue-6.5/platform-mellanox-nvsw_sn2201-should-depend-on-acpi.patch @@ -0,0 +1,43 @@ +From d070801e835e8b2de58c3490e64c94f745f01672 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 14:00:35 +0200 +Subject: platform/mellanox: NVSW_SN2201 should depend on ACPI + +From: Geert Uytterhoeven + +[ Upstream commit 0a138f1670bd1af13ba6949c48ea86ddd4bf557e ] + +The only probing method supported by the Nvidia SN2201 platform driver +is probing through an ACPI match table. Hence add a dependency on +ACPI, to prevent asking the user about this driver when configuring a +kernel without ACPI support. + +Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system") +Signed-off-by: Geert Uytterhoeven +Acked-by: Vadim Pasternak +Acked-by: Andi Shyti +Link: https://lore.kernel.org/r/ec5a4071691ab08d58771b7732a9988e89779268.1693828363.git.geert+renesas@glider.be +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/mellanox/Kconfig b/drivers/platform/mellanox/Kconfig +index 382793e73a60a..30b50920b278c 100644 +--- a/drivers/platform/mellanox/Kconfig ++++ b/drivers/platform/mellanox/Kconfig +@@ -80,8 +80,8 @@ config MLXBF_PMC + + config NVSW_SN2201 + tristate "Nvidia SN2201 platform driver support" +- depends on HWMON +- depends on I2C ++ depends on HWMON && I2C ++ depends on ACPI || COMPILE_TEST + select REGMAP_I2C + help + This driver provides support for the Nvidia SN2201 platform. +-- +2.40.1 + diff --git a/queue-6.5/r8152-check-budget-for-r8152_poll.patch b/queue-6.5/r8152-check-budget-for-r8152_poll.patch new file mode 100644 index 00000000000..78e756ebeb3 --- /dev/null +++ b/queue-6.5/r8152-check-budget-for-r8152_poll.patch @@ -0,0 +1,38 @@ +From aa381c4463ae0ffac21d444cc6e3532fb0f05d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 15:01:52 +0800 +Subject: r8152: check budget for r8152_poll() + +From: Hayes Wang + +[ Upstream commit a7b8d60b37237680009dd0b025fe8c067aba0ee3 ] + +According to the document of napi, there is no rx process when the +budget is 0. Therefore, r8152_poll() has to return 0 directly when the +budget is equal to 0. + +Fixes: d2187f8e4454 ("r8152: divide the tx and rx bottom functions") +Signed-off-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 0738baa5b82e4..e88bedca8f32f 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -2629,6 +2629,9 @@ static int r8152_poll(struct napi_struct *napi, int budget) + struct r8152 *tp = container_of(napi, struct r8152, napi); + int work_done; + ++ if (!budget) ++ return 0; ++ + work_done = rx_bottom(tp, budget); + + if (work_done < budget) { +-- +2.40.1 + diff --git a/queue-6.5/regulator-raa215300-change-the-scope-of-the-variable.patch b/queue-6.5/regulator-raa215300-change-the-scope-of-the-variable.patch new file mode 100644 index 00000000000..b2dfe98055a --- /dev/null +++ b/queue-6.5/regulator-raa215300-change-the-scope-of-the-variable.patch @@ -0,0 +1,78 @@ +From 857020039d804062046ea31f5a8d6dc3792d9802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 11:42:00 +0100 +Subject: regulator: raa215300: Change the scope of the variables {clkin_name, + xin_name} + +From: Biju Das + +[ Upstream commit 42a95739c5bc4d7a6e93a43117e9283598ba2287 ] + +Change the scope of the variables {clkin_name, xin_name} from global->local +to fix the below warning. + +drivers/regulator/raa215300.c:42:12: sparse: sparse: symbol 'xin_name' was +not declared. Should it be static? + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202306250552.Fan9WTiN-lkp@intel.com/ +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230629104200.102663-1-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: e21ac64e669e ("regulator: raa215300: Fix resource leak in case of error") +Signed-off-by: Sasha Levin +--- + drivers/regulator/raa215300.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/raa215300.c b/drivers/regulator/raa215300.c +index 24a1c89f5dbc9..8e1a4c86b9789 100644 +--- a/drivers/regulator/raa215300.c ++++ b/drivers/regulator/raa215300.c +@@ -38,8 +38,6 @@ + #define RAA215300_REG_BLOCK_EN_RTC_EN BIT(6) + #define RAA215300_RTC_DEFAULT_ADDR 0x6f + +-const char *clkin_name = "clkin"; +-const char *xin_name = "xin"; + static struct clk *clk; + + static const struct regmap_config raa215300_regmap_config = { +@@ -71,8 +69,10 @@ static int raa215300_clk_present(struct i2c_client *client, const char *name) + static int raa215300_i2c_probe(struct i2c_client *client) + { + struct device *dev = &client->dev; +- const char *clk_name = xin_name; ++ const char *clkin_name = "clkin"; + unsigned int pmic_version, val; ++ const char *xin_name = "xin"; ++ const char *clk_name = NULL; + struct regmap *regmap; + int ret; + +@@ -114,15 +114,17 @@ static int raa215300_i2c_probe(struct i2c_client *client) + ret = raa215300_clk_present(client, xin_name); + if (ret < 0) { + return ret; +- } else if (!ret) { ++ } else if (ret) { ++ clk_name = xin_name; ++ } else { + ret = raa215300_clk_present(client, clkin_name); + if (ret < 0) + return ret; +- +- clk_name = clkin_name; ++ if (ret) ++ clk_name = clkin_name; + } + +- if (ret) { ++ if (clk_name) { + char *name = pmic_version >= 0x12 ? "isl1208" : "raa215300_a0"; + struct device_node *np = client->dev.of_node; + u32 addr = RAA215300_RTC_DEFAULT_ADDR; +-- +2.40.1 + diff --git a/queue-6.5/regulator-raa215300-fix-resource-leak-in-case-of-err.patch b/queue-6.5/regulator-raa215300-fix-resource-leak-in-case-of-err.patch new file mode 100644 index 00000000000..f9f7cc8f61f --- /dev/null +++ b/queue-6.5/regulator-raa215300-fix-resource-leak-in-case-of-err.patch @@ -0,0 +1,79 @@ +From c6cdf83974f56334e7d863bd439870088ca6f277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 14:55:49 +0100 +Subject: regulator: raa215300: Fix resource leak in case of error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Biju Das + +[ Upstream commit e21ac64e669e960688e79bf5babeed63132dac8a ] + +The clk_register_clkdev() allocates memory by calling vclkdev_alloc() and +this memory is not freed in the error path. Similarly, resources allocated +by clk_register_fixed_rate() are not freed in the error path. + +Fix these issues by using devm_clk_hw_register_fixed_rate() and +devm_clk_hw_register_clkdev(). + +After this, the static variable clk is not needed. Replace it with  +local variable hw in probe() and drop calling clk_unregister_fixed_rate() +from raa215300_rtc_unregister_device(). + +Fixes: 7bce16630837 ("regulator: Add Renesas PMIC RAA215300 driver") +Cc: stable@kernel.org +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/20230816135550.146657-2-biju.das.jz@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/raa215300.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/regulator/raa215300.c b/drivers/regulator/raa215300.c +index 8e1a4c86b9789..253645696d0bb 100644 +--- a/drivers/regulator/raa215300.c ++++ b/drivers/regulator/raa215300.c +@@ -38,8 +38,6 @@ + #define RAA215300_REG_BLOCK_EN_RTC_EN BIT(6) + #define RAA215300_RTC_DEFAULT_ADDR 0x6f + +-static struct clk *clk; +- + static const struct regmap_config raa215300_regmap_config = { + .reg_bits = 8, + .val_bits = 8, +@@ -49,10 +47,6 @@ static const struct regmap_config raa215300_regmap_config = { + static void raa215300_rtc_unregister_device(void *data) + { + i2c_unregister_device(data); +- if (!clk) { +- clk_unregister_fixed_rate(clk); +- clk = NULL; +- } + } + + static int raa215300_clk_present(struct i2c_client *client, const char *name) +@@ -130,10 +124,16 @@ static int raa215300_i2c_probe(struct i2c_client *client) + u32 addr = RAA215300_RTC_DEFAULT_ADDR; + struct i2c_board_info info = {}; + struct i2c_client *rtc_client; ++ struct clk_hw *hw; + ssize_t size; + +- clk = clk_register_fixed_rate(NULL, clk_name, NULL, 0, 32000); +- clk_register_clkdev(clk, clk_name, NULL); ++ hw = devm_clk_hw_register_fixed_rate(dev, clk_name, NULL, 0, 32000); ++ if (IS_ERR(hw)) ++ return PTR_ERR(hw); ++ ++ ret = devm_clk_hw_register_clkdev(dev, hw, clk_name, NULL); ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to initialize clkdev\n"); + + if (np) { + int i; +-- +2.40.1 + diff --git a/queue-6.5/selftest-tcp-fix-address-length-in-bind_wildcard.c.patch b/queue-6.5/selftest-tcp-fix-address-length-in-bind_wildcard.c.patch new file mode 100644 index 00000000000..6f535adaaf8 --- /dev/null +++ b/queue-6.5/selftest-tcp-fix-address-length-in-bind_wildcard.c.patch @@ -0,0 +1,40 @@ +From cdab7c594380812bba64a32eda203e4c831f3f07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 11:36:58 -0700 +Subject: selftest: tcp: Fix address length in bind_wildcard.c. + +From: Kuniyuki Iwashima + +[ Upstream commit 0071d15517b4a3d265abc00395beb1138e7236c7 ] + +The selftest passes the IPv6 address length for an IPv4 address. +We should pass the correct length. + +Note inet_bind_sk() does not check if the size is larger than +sizeof(struct sockaddr_in), so there is no real bug in this +selftest. + +Fixes: 13715acf8ab5 ("selftest: Add test for bind() conflicts.") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bind_wildcard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bind_wildcard.c b/tools/testing/selftests/net/bind_wildcard.c +index 58edfc15d28bd..e7ebe72e879d7 100644 +--- a/tools/testing/selftests/net/bind_wildcard.c ++++ b/tools/testing/selftests/net/bind_wildcard.c +@@ -100,7 +100,7 @@ void bind_sockets(struct __test_metadata *_metadata, + TEST_F(bind_wildcard, v4_v6) + { + bind_sockets(_metadata, self, +- (struct sockaddr *)&self->addr4, sizeof(self->addr6), ++ (struct sockaddr *)&self->addr4, sizeof(self->addr4), + (struct sockaddr *)&self->addr6, sizeof(self->addr6)); + } + +-- +2.40.1 + diff --git a/queue-6.5/selftests-ftrace-fix-dependencies-for-some-of-the-sy.patch b/queue-6.5/selftests-ftrace-fix-dependencies-for-some-of-the-sy.patch new file mode 100644 index 00000000000..038080d27cc --- /dev/null +++ b/queue-6.5/selftests-ftrace-fix-dependencies-for-some-of-the-sy.patch @@ -0,0 +1,62 @@ +From cf8301a1d79c476dd745fe898314f628cfa02c9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 14:40:46 +0530 +Subject: selftests/ftrace: Fix dependencies for some of the synthetic event + tests + +From: Naveen N Rao + +[ Upstream commit 145036f88d693d7ef3aa8537a4b1aa22f8764647 ] + +Commit b81a3a100cca1b ("tracing/histogram: Add simple tests for +stacktrace usage of synthetic events") changed the output text in +tracefs README, but missed updating some of the dependencies specified +in selftests. This causes some of the tests to exit as unsupported. + +Fix this by changing the grep pattern. Since we want these tests to work +on older kernels, match only against the common last part of the +pattern. + +Link: https://lore.kernel.org/linux-trace-kernel/20230614091046.2178539-1-naveen@kernel.org + +Cc: +Cc: Masami Hiramatsu +Cc: Shuah Khan +Fixes: b81a3a100cca ("tracing/histogram: Add simple tests for stacktrace usage of synthetic events") +Signed-off-by: Naveen N Rao +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + .../trigger/inter-event/trigger-synthetic-event-dynstring.tc | 2 +- + .../inter-event/trigger-synthetic_event_syntax_errors.tc | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-dynstring.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-dynstring.tc +index 213d890ed1886..174376ddbc6c7 100644 +--- a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-dynstring.tc ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic-event-dynstring.tc +@@ -1,7 +1,7 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + # description: event trigger - test inter-event histogram trigger trace action with dynamic string param +-# requires: set_event synthetic_events events/sched/sched_process_exec/hist "char name[]' >> synthetic_events":README ping:program ++# requires: set_event synthetic_events events/sched/sched_process_exec/hist "' >> synthetic_events":README ping:program + + fail() { #msg + echo $1 +diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic_event_syntax_errors.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic_event_syntax_errors.tc +index 955e3ceea44b5..b927ee54c02da 100644 +--- a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic_event_syntax_errors.tc ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-synthetic_event_syntax_errors.tc +@@ -1,7 +1,7 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + # description: event trigger - test synthetic_events syntax parser errors +-# requires: synthetic_events error_log "char name[]' >> synthetic_events":README ++# requires: synthetic_events error_log "' >> synthetic_events":README + + check_error() { # command-with-error-pos-by-^ + ftrace_errlog_check 'synthetic_events' "$1" 'synthetic_events' +-- +2.40.1 + diff --git a/queue-6.5/selftests-keep-symlinks-when-possible.patch b/queue-6.5/selftests-keep-symlinks-when-possible.patch new file mode 100644 index 00000000000..1e6fefa9918 --- /dev/null +++ b/queue-6.5/selftests-keep-symlinks-when-possible.patch @@ -0,0 +1,56 @@ +From b1170efcf9dbea8d445a73c7883696056ef03cf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 15:58:37 +0200 +Subject: selftests: Keep symlinks, when possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 3f3f384139ed147c71e1d770accf610133d5309b ] + +When kselftest is built/installed with the 'gen_tar' target, rsync is +used for the installation step to copy files. Extra care is needed for +tests that have symlinks. Commit ae108c48b5d2 ("selftests: net: Fix +cross-tree inclusion of scripts") added '-L' (transform symlink into +referent file/dir) to rsync, to fix dangling links. However, that +broke some tests where the symlink (being a symlink) is part of the +test (e.g. exec:execveat). + +Use rsync's '--copy-unsafe-links' that does right thing. + +Fixes: ae108c48b5d2 ("selftests: net: Fix cross-tree inclusion of scripts") +Signed-off-by: Björn Töpel +Reviewed-by: Benjamin Poirier +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lib.mk | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk +index d17854285f2b6..118e0964bda94 100644 +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -106,7 +106,7 @@ endef + run_tests: all + ifdef building_out_of_srctree + @if [ "X$(TEST_PROGS)$(TEST_PROGS_EXTENDED)$(TEST_FILES)" != "X" ]; then \ +- rsync -aLq $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(OUTPUT); \ ++ rsync -aq --copy-unsafe-links $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(OUTPUT); \ + fi + @if [ "X$(TEST_PROGS)" != "X" ]; then \ + $(call RUN_TESTS, $(TEST_GEN_PROGS) $(TEST_CUSTOM_PROGS) \ +@@ -120,7 +120,7 @@ endif + + define INSTALL_SINGLE_RULE + $(if $(INSTALL_LIST),@mkdir -p $(INSTALL_PATH)) +- $(if $(INSTALL_LIST),rsync -aL $(INSTALL_LIST) $(INSTALL_PATH)/) ++ $(if $(INSTALL_LIST),rsync -a --copy-unsafe-links $(INSTALL_LIST) $(INSTALL_PATH)/) + endef + + define INSTALL_RULE +-- +2.40.1 + diff --git a/queue-6.5/series b/queue-6.5/series index 75863e4c0b7..1752ca8bf1b 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -239,3 +239,45 @@ drm-amd-display-always-switch-off-odm-before-committing-more-streams.patch drm-amd-display-remove-wait-while-locked.patch drm-amdkfd-add-missing-gfx11-mqd-manager-callbacks.patch drm-amdgpu-register-a-dirty-framebuffer-callback-for-fbcon.patch +bpf-fix-bpf_probe_read_kernel-prototype-mismatch.patch +regulator-raa215300-change-the-scope-of-the-variable.patch +regulator-raa215300-fix-resource-leak-in-case-of-err.patch +parisc-sba_iommu-fix-build-warning-if-procfs-if-disa.patch +kunit-fix-wild-memory-access-bug-in-kunit_free_suite.patch +net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch +kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch +selftests-keep-symlinks-when-possible.patch +selftests-ftrace-fix-dependencies-for-some-of-the-sy.patch +net-microchip-vcap-api-fix-possible-memory-leak-for-.patch +octeontx2-pf-fix-page-pool-cache-index-corruption.patch +net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch +net-stmmac-fix-handling-of-zero-coalescing-tx-usecs.patch +net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch +net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch +hsr-fix-uninit-value-access-in-fill_frame_info.patch +net-ethernet-adi-adin1110-use-eth_broadcast_addr-to-.patch +net-ethernet-adi-adin1110-fix-forwarding-offload.patch +net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch +net-dsa-sja1105-propagate-exact-error-code-from-sja1.patch +net-dsa-sja1105-fix-multicast-forwarding-working-onl.patch +net-dsa-sja1105-serialize-sja1105_port_mcast_flood-w.patch +net-dsa-sja1105-block-fdb-accesses-that-are-concurre.patch +r8152-check-budget-for-r8152_poll.patch +kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch +platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch +platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch +platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch +platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch +platform-mellanox-nvsw_sn2201-should-depend-on-acpi.patch +net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch +net-macb-fix-sleep-inside-spinlock.patch +veth-update-xdp-feature-set-when-bringing-up-device.patch +ipv6-fix-ip6_sock_set_addr_preferences-typo.patch +tcp-factorise-sk_family-independent-comparison-in-in.patch +tcp-fix-bind-regression-for-v4-mapped-v6-wildcard-ad.patch +tcp-fix-bind-regression-for-v4-mapped-v6-non-wildcar.patch +selftest-tcp-fix-address-length-in-bind_wildcard.c.patch +ixgbe-fix-timestamp-configuration-code.patch +igb-clean-up-in-all-error-paths-when-enabling-sr-iov.patch +net-renesas-rswitch-fix-unmasking-irq-condition.patch +kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch diff --git a/queue-6.5/tcp-factorise-sk_family-independent-comparison-in-in.patch b/queue-6.5/tcp-factorise-sk_family-independent-comparison-in-in.patch new file mode 100644 index 00000000000..1c24902ba53 --- /dev/null +++ b/queue-6.5/tcp-factorise-sk_family-independent-comparison-in-in.patch @@ -0,0 +1,87 @@ +From d56b5832e7868288f338450aa52998f21ea2065e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 11:36:55 -0700 +Subject: tcp: Factorise sk_family-independent comparison in + inet_bind2_bucket_match(_addr_any). + +From: Kuniyuki Iwashima + +[ Upstream commit c6d277064b1da7f9015b575a562734de87a7e463 ] + +This is a prep patch to make the following patches cleaner that touch +inet_bind2_bucket_match() and inet_bind2_bucket_match_addr_any(). + +Both functions have duplicated comparison for netns, port, and l3mdev. +Let's factorise them. + +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: aa99e5f87bd5 ("tcp: Fix bind() regression for v4-mapped-v6 wildcard address.") +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 0819d6001b9ab..1ab81534f8c55 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -795,41 +795,39 @@ static bool inet_bind2_bucket_match(const struct inet_bind2_bucket *tb, + const struct net *net, unsigned short port, + int l3mdev, const struct sock *sk) + { ++ if (!net_eq(ib2_net(tb), net) || tb->port != port || ++ tb->l3mdev != l3mdev) ++ return false; ++ + #if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family != tb->family) + return false; + + if (sk->sk_family == AF_INET6) +- return net_eq(ib2_net(tb), net) && tb->port == port && +- tb->l3mdev == l3mdev && +- ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr); +- else ++ return ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr); + #endif +- return net_eq(ib2_net(tb), net) && tb->port == port && +- tb->l3mdev == l3mdev && tb->rcv_saddr == sk->sk_rcv_saddr; ++ return tb->rcv_saddr == sk->sk_rcv_saddr; + } + + bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const struct net *net, + unsigned short port, int l3mdev, const struct sock *sk) + { ++ if (!net_eq(ib2_net(tb), net) || tb->port != port || ++ tb->l3mdev != l3mdev) ++ return false; ++ + #if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family != tb->family) { + if (sk->sk_family == AF_INET) +- return net_eq(ib2_net(tb), net) && tb->port == port && +- tb->l3mdev == l3mdev && +- ipv6_addr_any(&tb->v6_rcv_saddr); ++ return ipv6_addr_any(&tb->v6_rcv_saddr); + + return false; + } + + if (sk->sk_family == AF_INET6) +- return net_eq(ib2_net(tb), net) && tb->port == port && +- tb->l3mdev == l3mdev && +- ipv6_addr_any(&tb->v6_rcv_saddr); +- else ++ return ipv6_addr_any(&tb->v6_rcv_saddr); + #endif +- return net_eq(ib2_net(tb), net) && tb->port == port && +- tb->l3mdev == l3mdev && tb->rcv_saddr == 0; ++ return tb->rcv_saddr == 0; + } + + /* The socket's bhash2 hashbucket spinlock must be held when this is called */ +-- +2.40.1 + diff --git a/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-non-wildcar.patch b/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-non-wildcar.patch new file mode 100644 index 00000000000..76bff6d3ffd --- /dev/null +++ b/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-non-wildcar.patch @@ -0,0 +1,66 @@ +From b75efcdb69d85d6771222677378b07791943247e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 11:36:57 -0700 +Subject: tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address. + +From: Kuniyuki Iwashima + +[ Upstream commit c48ef9c4aed3632566b57ba66cec6ec78624d4cb ] + +Since bhash2 was introduced, the example below does not work as expected. +These two bind() should conflict, but the 2nd bind() now succeeds. + + from socket import * + + s1 = socket(AF_INET6, SOCK_STREAM) + s1.bind(('::ffff:127.0.0.1', 0)) + + s2 = socket(AF_INET, SOCK_STREAM) + s2.bind(('127.0.0.1', s1.getsockname()[1])) + +During the 2nd bind() in inet_csk_get_port(), inet_bind2_bucket_find() +fails to find the 1st socket's tb2, so inet_bind2_bucket_create() allocates +a new tb2 for the 2nd socket. Then, we call inet_csk_bind_conflict() that +checks conflicts in the new tb2 by inet_bhash2_conflict(). However, the +new tb2 does not include the 1st socket, thus the bind() finally succeeds. + +In this case, inet_bind2_bucket_match() must check if AF_INET6 tb2 has +the conflicting v4-mapped-v6 address so that inet_bind2_bucket_find() +returns the 1st socket's tb2. + +Note that if we bind two sockets to 127.0.0.1 and then ::FFFF:127.0.0.1, +the 2nd bind() fails properly for the same reason mentinoed in the previous +commit. + +Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Acked-by: Andrei Vagin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index fb13a28577b01..ae5e786a0598d 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -800,8 +800,13 @@ static bool inet_bind2_bucket_match(const struct inet_bind2_bucket *tb, + return false; + + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family != tb->family) ++ if (sk->sk_family != tb->family) { ++ if (sk->sk_family == AF_INET) ++ return ipv6_addr_v4mapped(&tb->v6_rcv_saddr) && ++ tb->v6_rcv_saddr.s6_addr32[3] == sk->sk_rcv_saddr; ++ + return false; ++ } + + if (sk->sk_family == AF_INET6) + return ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr); +-- +2.40.1 + diff --git a/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-wildcard-ad.patch b/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-wildcard-ad.patch new file mode 100644 index 00000000000..ee53488648f --- /dev/null +++ b/queue-6.5/tcp-fix-bind-regression-for-v4-mapped-v6-wildcard-ad.patch @@ -0,0 +1,83 @@ +From e989ede4500d2147db6718702ee28f3add94d228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 11:36:56 -0700 +Subject: tcp: Fix bind() regression for v4-mapped-v6 wildcard address. + +From: Kuniyuki Iwashima + +[ Upstream commit aa99e5f87bd54db55dd37cb130bd5eb55933027f ] + +Andrei Vagin reported bind() regression with strace logs. + +If we bind() a TCPv6 socket to ::FFFF:0.0.0.0 and then bind() a TCPv4 +socket to 127.0.0.1, the 2nd bind() should fail but now succeeds. + + from socket import * + + s1 = socket(AF_INET6, SOCK_STREAM) + s1.bind(('::ffff:0.0.0.0', 0)) + + s2 = socket(AF_INET, SOCK_STREAM) + s2.bind(('127.0.0.1', s1.getsockname()[1])) + +During the 2nd bind(), if tb->family is AF_INET6 and sk->sk_family is +AF_INET in inet_bind2_bucket_match_addr_any(), we still need to check +if tb has the v4-mapped-v6 wildcard address. + +The example above does not work after commit 5456262d2baa ("net: Fix +incorrect address comparison when searching for a bind2 bucket"), but +the blamed change is not the commit. + +Before the commit, the leading zeros of ::FFFF:0.0.0.0 were treated +as 0.0.0.0, and the sequence above worked by chance. Technically, this +case has been broken since bhash2 was introduced. + +Note that if we bind() two sockets to 127.0.0.1 and then ::FFFF:0.0.0.0, +the 2nd bind() fails properly because we fall back to using bhash to +detect conflicts for the v4-mapped-v6 address. + +Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address") +Reported-by: Andrei Vagin +Closes: https://lore.kernel.org/netdev/ZPuYBOFC8zsK6r9T@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ipv6.h | 5 +++++ + net/ipv4/inet_hashtables.c | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index b08bd694385aa..a14ac821fb36f 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -784,6 +784,11 @@ static inline bool ipv6_addr_v4mapped(const struct in6_addr *a) + cpu_to_be32(0x0000ffff))) == 0UL; + } + ++static inline bool ipv6_addr_v4mapped_any(const struct in6_addr *a) ++{ ++ return ipv6_addr_v4mapped(a) && ipv4_is_zeronet(a->s6_addr32[3]); ++} ++ + static inline bool ipv6_addr_v4mapped_loopback(const struct in6_addr *a) + { + return ipv6_addr_v4mapped(a) && ipv4_is_loopback(a->s6_addr32[3]); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 1ab81534f8c55..fb13a28577b01 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -819,7 +819,8 @@ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const + #if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family != tb->family) { + if (sk->sk_family == AF_INET) +- return ipv6_addr_any(&tb->v6_rcv_saddr); ++ return ipv6_addr_any(&tb->v6_rcv_saddr) || ++ ipv6_addr_v4mapped_any(&tb->v6_rcv_saddr); + + return false; + } +-- +2.40.1 + diff --git a/queue-6.5/veth-update-xdp-feature-set-when-bringing-up-device.patch b/queue-6.5/veth-update-xdp-feature-set-when-bringing-up-device.patch new file mode 100644 index 00000000000..5c0f47aa8c1 --- /dev/null +++ b/queue-6.5/veth-update-xdp-feature-set-when-bringing-up-device.patch @@ -0,0 +1,65 @@ +From cb2497dfac25be4222f66cac7028a0c19115f71a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 15:58:25 +0200 +Subject: veth: Update XDP feature set when bringing up device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 7a6102aa6df0d5d032b4cbc51935d1d4cda17254 ] + +There's an early return in veth_set_features() if the device is in a down +state, which leads to the XDP feature flags not being updated when enabling +GRO while the device is down. Which in turn leads to XDP_REDIRECT not +working, because the redirect code now checks the flags. + +Fix this by updating the feature flags after bringing the device up. + +Before this patch: + +NETDEV_XDP_ACT_BASIC: yes +NETDEV_XDP_ACT_REDIRECT: yes +NETDEV_XDP_ACT_NDO_XMIT: no +NETDEV_XDP_ACT_XSK_ZEROCOPY: no +NETDEV_XDP_ACT_HW_OFFLOAD: no +NETDEV_XDP_ACT_RX_SG: yes +NETDEV_XDP_ACT_NDO_XMIT_SG: no + +After this patch: + +NETDEV_XDP_ACT_BASIC: yes +NETDEV_XDP_ACT_REDIRECT: yes +NETDEV_XDP_ACT_NDO_XMIT: yes +NETDEV_XDP_ACT_XSK_ZEROCOPY: no +NETDEV_XDP_ACT_HW_OFFLOAD: no +NETDEV_XDP_ACT_RX_SG: yes +NETDEV_XDP_ACT_NDO_XMIT_SG: yes + +Fixes: fccca038f300 ("veth: take into account device reconfiguration for xdp_features flag") +Fixes: 66c0e13ad236 ("drivers: net: turn on XDP features") +Signed-off-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20230911135826.722295-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 2db678c0082a3..fc0d0114d8c27 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -1447,6 +1447,8 @@ static int veth_open(struct net_device *dev) + netif_carrier_on(peer); + } + ++ veth_set_xdp_features(dev); ++ + return 0; + } + +-- +2.40.1 +