From: Sasha Levin Date: Mon, 5 Aug 2024 12:18:07 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.1.104~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7781adce1968ef19d226df9f59c27297bc7e567e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch b/queue-6.6/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch new file mode 100644 index 00000000000..244b0039a2e --- /dev/null +++ b/queue-6.6/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch @@ -0,0 +1,82 @@ +From dfebac043d8d21bd3504b54ebbae8e44a34beea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 19:05:15 +0200 +Subject: ALSA: hda: Conditionally use snooping for AMD HDMI + +From: Takashi Iwai + +[ Upstream commit 478689b5990deb626a0b3f1ebf165979914d6be4 ] + +The recent regression report revealed that the use of WC pages for AMD +HDMI device together with AMD IOMMU leads to unexpected truncation or +noises. The issue seems triggered by the change in the kernel core +memory allocation that enables IOMMU driver to use always S/G +buffers. Meanwhile, the use of WC pages has been a workaround for the +similar issue with standard pages in the past. So, now we need to +apply the workaround conditionally, namely, only when IOMMU isn't in +place. + +This patch modifies the workaround code to check the DMA ops at first +and apply the snoop-off only when needed. + +Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219087 +Link: https://patch.msgid.link/20240731170521.31714-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_controller.h | 2 +- + sound/pci/hda/hda_intel.c | 10 +++++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h +index 8556031bcd68e..f31cb31d46362 100644 +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -28,7 +28,7 @@ + #else + #define AZX_DCAPS_I915_COMPONENT 0 /* NOP */ + #endif +-/* 14 unused */ ++#define AZX_DCAPS_AMD_ALLOC_FIX (1 << 14) /* AMD allocation workaround */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ + #define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */ +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index a6a9d353fe635..d5c9f113e477a 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -40,6 +40,7 @@ + + #ifdef CONFIG_X86 + /* for snoop control */ ++#include + #include + #include + #endif +@@ -301,7 +302,7 @@ enum { + + /* quirks for ATI HDMI with snoop off */ + #define AZX_DCAPS_PRESET_ATI_HDMI_NS \ +- (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF) ++ (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_AMD_ALLOC_FIX) + + /* quirks for AMD SB */ + #define AZX_DCAPS_PRESET_AMD_SB \ +@@ -1715,6 +1716,13 @@ static void azx_check_snoop_available(struct azx *chip) + if (chip->driver_caps & AZX_DCAPS_SNOOP_OFF) + snoop = false; + ++#ifdef CONFIG_X86 ++ /* check the presence of DMA ops (i.e. IOMMU), disable snoop conditionally */ ++ if ((chip->driver_caps & AZX_DCAPS_AMD_ALLOC_FIX) && ++ !get_dma_ops(chip->card->dev)) ++ snoop = false; ++#endif ++ + chip->snoop = snoop; + if (!snoop) { + dev_info(chip->card->dev, "Force to non-snoop mode\n"); +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch b/queue-6.6/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch new file mode 100644 index 00000000000..ce163f6c60e --- /dev/null +++ b/queue-6.6/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch @@ -0,0 +1,127 @@ +From 0d0bb50d7dadeb3ea01a3dc9d340d887cc283958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 18:07:26 +0800 +Subject: ALSA: hda: conexant: Fix headset auto detect fail in the polling mode + +From: songxiebing + +[ Upstream commit e60dc98122110594d0290845160f12916192fc6d ] + +The previous fix (7aeb25908648) only handles the unsol_event reporting +during interrupts and does not include the polling mode used to set +jackroll_ms, so now we are replacing it with +snd_hda_jack_detect_enable_callback. + +Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140") +Co-developed-by: bo liu +Signed-off-by: bo liu +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20240726100726.50824-1-soxiebing@163.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 54 ++++++---------------------------- + 1 file changed, 9 insertions(+), 45 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 17389a3801bd1..4472923ba694b 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -21,12 +21,6 @@ + #include "hda_jack.h" + #include "hda_generic.h" + +-enum { +- CX_HEADSET_NOPRESENT = 0, +- CX_HEADSET_PARTPRESENT, +- CX_HEADSET_ALLPRESENT, +-}; +- + struct conexant_spec { + struct hda_gen_spec gen; + +@@ -48,7 +42,6 @@ struct conexant_spec { + unsigned int gpio_led; + unsigned int gpio_mute_led_mask; + unsigned int gpio_mic_led_mask; +- unsigned int headset_present_flag; + bool is_cx8070_sn6140; + }; + +@@ -250,48 +243,19 @@ static void cx_process_headset_plugin(struct hda_codec *codec) + } + } + +-static void cx_update_headset_mic_vref(struct hda_codec *codec, unsigned int res) ++static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_callback *event) + { +- unsigned int phone_present, mic_persent, phone_tag, mic_tag; +- struct conexant_spec *spec = codec->spec; ++ unsigned int mic_present; + + /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled, + * the node 19 can only be config to microphone or disabled. + * Check hp&mic tag to process headset pulgin&plugout. + */ +- phone_tag = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0); +- mic_tag = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0); +- if ((phone_tag & (res >> AC_UNSOL_RES_TAG_SHIFT)) || +- (mic_tag & (res >> AC_UNSOL_RES_TAG_SHIFT))) { +- phone_present = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_PIN_SENSE, 0x0); +- if (!(phone_present & AC_PINSENSE_PRESENCE)) {/* headphone plugout */ +- spec->headset_present_flag = CX_HEADSET_NOPRESENT; +- snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20); +- return; +- } +- if (spec->headset_present_flag == CX_HEADSET_NOPRESENT) { +- spec->headset_present_flag = CX_HEADSET_PARTPRESENT; +- } else if (spec->headset_present_flag == CX_HEADSET_PARTPRESENT) { +- mic_persent = snd_hda_codec_read(codec, 0x19, 0, +- AC_VERB_GET_PIN_SENSE, 0x0); +- /* headset is present */ +- if ((phone_present & AC_PINSENSE_PRESENCE) && +- (mic_persent & AC_PINSENSE_PRESENCE)) { +- cx_process_headset_plugin(codec); +- spec->headset_present_flag = CX_HEADSET_ALLPRESENT; +- } +- } +- } +-} +- +-static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res) +-{ +- struct conexant_spec *spec = codec->spec; +- +- if (spec->is_cx8070_sn6140) +- cx_update_headset_mic_vref(codec, res); +- +- snd_hda_jack_unsol_event(codec, res); ++ mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0); ++ if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */ ++ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20); ++ else ++ cx_process_headset_plugin(codec); + } + + static int cx_auto_suspend(struct hda_codec *codec) +@@ -305,7 +269,7 @@ static const struct hda_codec_ops cx_auto_patch_ops = { + .build_pcms = snd_hda_gen_build_pcms, + .init = cx_auto_init, + .free = cx_auto_free, +- .unsol_event = cx_jack_unsol_event, ++ .unsol_event = snd_hda_jack_unsol_event, + .suspend = cx_auto_suspend, + .check_power_status = snd_hda_gen_check_power_status, + }; +@@ -1163,7 +1127,7 @@ static int patch_conexant_auto(struct hda_codec *codec) + case 0x14f11f86: + case 0x14f11f87: + spec->is_cx8070_sn6140 = true; +- spec->headset_present_flag = CX_HEADSET_NOPRESENT; ++ snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref); + break; + } + +-- +2.43.0 + diff --git a/queue-6.6/alsa-hda-conexant-reduce-config_pm-dependencies.patch b/queue-6.6/alsa-hda-conexant-reduce-config_pm-dependencies.patch new file mode 100644 index 00000000000..3c0d350b342 --- /dev/null +++ b/queue-6.6/alsa-hda-conexant-reduce-config_pm-dependencies.patch @@ -0,0 +1,54 @@ +From 80d488ef40f082120bd9cad8aa151bf07e10d863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 18:13:50 +0200 +Subject: ALSA: hda: conexant: Reduce CONFIG_PM dependencies + +From: Takashi Iwai + +[ Upstream commit 29d57f6dc62485ee0752767debdfa2783d162beb ] + +CONFIG_PM dependencies got reduced in HD-audio codec core driver, and +now it's time to reduce in HD-audio conexant codec driver, too. + +Simply drop CONFIG_PM ifdefs. + +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240506161359.6960-8-tiwai@suse.de +Stable-dep-of: e60dc9812211 ("ALSA: hda: conexant: Fix headset auto detect fail in the polling mode") +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index e8209178d87bb..17389a3801bd1 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -294,13 +294,11 @@ static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res) + snd_hda_jack_unsol_event(codec, res); + } + +-#ifdef CONFIG_PM + static int cx_auto_suspend(struct hda_codec *codec) + { + cx_auto_shutdown(codec); + return 0; + } +-#endif + + static const struct hda_codec_ops cx_auto_patch_ops = { + .build_controls = snd_hda_gen_build_controls, +@@ -308,10 +306,8 @@ static const struct hda_codec_ops cx_auto_patch_ops = { + .init = cx_auto_init, + .free = cx_auto_free, + .unsol_event = cx_jack_unsol_event, +-#ifdef CONFIG_PM + .suspend = cx_auto_suspend, + .check_power_status = snd_hda_gen_check_power_status, +-#endif + }; + + /* +-- +2.43.0 + diff --git a/queue-6.6/arm-9406-1-fix-callchain_trace-return-value.patch b/queue-6.6/arm-9406-1-fix-callchain_trace-return-value.patch new file mode 100644 index 00000000000..e4b192a2a18 --- /dev/null +++ b/queue-6.6/arm-9406-1-fix-callchain_trace-return-value.patch @@ -0,0 +1,38 @@ +From 94db54a13e04ee27bdab8232101e57f6c41405c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 08:29:59 +0100 +Subject: ARM: 9406/1: Fix callchain_trace() return value + +From: Jinjie Ruan + +[ Upstream commit 4e7b4ff2dcaed228cb2fb7bfe720262c98ec1bb9 ] + +perf_callchain_store() return 0 on success, -1 otherwise, fix +callchain_trace() to return correct bool value. So walk_stackframe() can +have a chance to stop walking the stack ahead. + +Fixes: 70ccc7c0667b ("ARM: 9258/1: stacktrace: Make stack walk callback consistent with generic code") +Signed-off-by: Jinjie Ruan +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/perf_callchain.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm/kernel/perf_callchain.c b/arch/arm/kernel/perf_callchain.c +index 7147edbe56c67..1d230ac9d0eb5 100644 +--- a/arch/arm/kernel/perf_callchain.c ++++ b/arch/arm/kernel/perf_callchain.c +@@ -85,8 +85,7 @@ static bool + callchain_trace(void *data, unsigned long pc) + { + struct perf_callchain_entry_ctx *entry = data; +- perf_callchain_store(entry, pc); +- return true; ++ return perf_callchain_store(entry, pc) == 0; + } + + void +-- +2.43.0 + diff --git a/queue-6.6/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch b/queue-6.6/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch new file mode 100644 index 00000000000..5633e1bc262 --- /dev/null +++ b/queue-6.6/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch @@ -0,0 +1,108 @@ +From d83a5898b39ecca98ae1959fbef8fa0e949ec5ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 14:36:01 +0100 +Subject: arm64: jump_label: Ensure patched jump_labels are visible to all CPUs + +From: Will Deacon + +[ Upstream commit cfb00a35786414e7c0e6226b277d9f09657eae74 ] + +Although the Arm architecture permits concurrent modification and +execution of NOP and branch instructions, it still requires some +synchronisation to ensure that other CPUs consistently execute the newly +written instruction: + + > When the modified instructions are observable, each PE that is + > executing the modified instructions must execute an ISB or perform a + > context synchronizing event to ensure execution of the modified + > instructions + +Prior to commit f6cc0c501649 ("arm64: Avoid calling stop_machine() when +patching jump labels"), the arm64 jump_label patching machinery +performed synchronisation using stop_machine() after each modification, +however this was problematic when flipping static keys from atomic +contexts (namely, the arm_arch_timer CPU hotplug startup notifier) and +so we switched to the _nosync() patching routines to avoid "scheduling +while atomic" BUG()s during boot. + +In hindsight, the analysis of the issue in f6cc0c501649 isn't quite +right: it cites the use of IPIs in the default patching routines as the +cause of the lockup, whereas stop_machine() does not rely on IPIs and +the I-cache invalidation is performed using __flush_icache_range(), +which elides the call to kick_all_cpus_sync(). In fact, the blocking +wait for other CPUs is what triggers the BUG() and the problem remains +even after f6cc0c501649, for example because we could block on the +jump_label_mutex. Eventually, the arm_arch_timer driver was fixed to +avoid the static key entirely in commit a862fc2254bd +("clocksource/arm_arch_timer: Remove use of workaround static key"). + +This all leaves the jump_label patching code in a funny situation on +arm64 as we do not synchronise with other CPUs to reduce the likelihood +of a bug which no longer exists. Consequently, toggling a static key on +one CPU cannot be assumed to take effect on other CPUs, leading to +potential issues, for example with missing preempt notifiers. + +Rather than revert f6cc0c501649 and go back to stop_machine() for each +patch site, implement arch_jump_label_transform_apply() and kick all +the other CPUs with an IPI at the end of patching. + +Cc: Alexander Potapenko +Cc: Mark Rutland +Cc: Marc Zyngier +Fixes: f6cc0c501649 ("arm64: Avoid calling stop_machine() when patching jump labels") +Signed-off-by: Will Deacon +Reviewed-by: Catalin Marinas +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240731133601.3073-1-will@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/jump_label.h | 1 + + arch/arm64/kernel/jump_label.c | 11 +++++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/jump_label.h b/arch/arm64/include/asm/jump_label.h +index 6aafbb7899916..4b99159150829 100644 +--- a/arch/arm64/include/asm/jump_label.h ++++ b/arch/arm64/include/asm/jump_label.h +@@ -13,6 +13,7 @@ + #include + #include + ++#define HAVE_JUMP_LABEL_BATCH + #define JUMP_LABEL_NOP_SIZE AARCH64_INSN_SIZE + + static __always_inline bool arch_static_branch(struct static_key * const key, +diff --git a/arch/arm64/kernel/jump_label.c b/arch/arm64/kernel/jump_label.c +index faf88ec9c48e8..f63ea915d6ad2 100644 +--- a/arch/arm64/kernel/jump_label.c ++++ b/arch/arm64/kernel/jump_label.c +@@ -7,11 +7,12 @@ + */ + #include + #include ++#include + #include + #include + +-void arch_jump_label_transform(struct jump_entry *entry, +- enum jump_label_type type) ++bool arch_jump_label_transform_queue(struct jump_entry *entry, ++ enum jump_label_type type) + { + void *addr = (void *)jump_entry_code(entry); + u32 insn; +@@ -25,4 +26,10 @@ void arch_jump_label_transform(struct jump_entry *entry, + } + + aarch64_insn_patch_text_nosync(addr, insn); ++ return true; ++} ++ ++void arch_jump_label_transform_apply(void) ++{ ++ kick_all_cpus_sync(); + } +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-btintel-fail-setup-on-error.patch b/queue-6.6/bluetooth-btintel-fail-setup-on-error.patch new file mode 100644 index 00000000000..572765d40af --- /dev/null +++ b/queue-6.6/bluetooth-btintel-fail-setup-on-error.patch @@ -0,0 +1,37 @@ +From ca0f0bda02c4078d37b8157f781f7367181328f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 14:22:42 +0530 +Subject: Bluetooth: btintel: Fail setup on error + +From: Kiran K + +[ Upstream commit e22a3a9d4134d7e6351a2998771522e74bcc58da ] + +Do not attempt to send any hci command to controller if *setup* function +fails. + +Fixes: af395330abed ("Bluetooth: btintel: Add Intel devcoredump support") +Signed-off-by: Kiran K +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index 3da3c266a66f3..a936219aebb81 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2845,6 +2845,9 @@ static int btintel_setup_combined(struct hci_dev *hdev) + btintel_set_dsm_reset_method(hdev, &ver_tlv); + + err = btintel_bootloader_setup_tlv(hdev, &ver_tlv); ++ if (err) ++ goto exit_error; ++ + btintel_register_devcoredump_support(hdev); + break; + default: +-- +2.43.0 + diff --git a/queue-6.6/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch b/queue-6.6/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch new file mode 100644 index 00000000000..b869f1a34aa --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch @@ -0,0 +1,59 @@ +From 421a703227c207304ae02ed992a87e6b633fcfae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 10:40:03 -0400 +Subject: Bluetooth: hci_sync: Fix suspending with wrong filter policy + +From: Luiz Augusto von Dentz + +[ Upstream commit 96b82af36efaa1787946e021aa3dc5410c05beeb ] + +When suspending the scan filter policy cannot be 0x00 (no acceptlist) +since that means the host has to process every advertisement report +waking up the system, so this attempts to check if hdev is marked as +suspended and if the resulting filter policy would be 0x00 (no +acceptlist) then skip passive scanning if thre no devices in the +acceptlist otherwise reset the filter policy to 0x01 so the acceptlist +is used since the devices programmed there can still wakeup be system. + +Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index b3f5714dab342..6dab0c99c82c7 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2862,6 +2862,27 @@ static int hci_passive_scan_sync(struct hci_dev *hdev) + */ + filter_policy = hci_update_accept_list_sync(hdev); + ++ /* If suspended and filter_policy set to 0x00 (no acceptlist) then ++ * passive scanning cannot be started since that would require the host ++ * to be woken up to process the reports. ++ */ ++ if (hdev->suspended && !filter_policy) { ++ /* Check if accept list is empty then there is no need to scan ++ * while suspended. ++ */ ++ if (list_empty(&hdev->le_accept_list)) ++ return 0; ++ ++ /* If there are devices is the accept_list that means some ++ * devices could not be programmed which in non-suspended case ++ * means filter_policy needs to be set to 0x00 so the host needs ++ * to filter, but since this is treating suspended case we ++ * can ignore device needing host to filter to allow devices in ++ * the acceptlist to be able to wakeup the system. ++ */ ++ filter_policy = 0x01; ++ } ++ + /* When the controller is using random resolvable addresses and + * with that having LE privacy enabled, then controllers with + * Extended Scanner Filter Policies support can now enable support +-- +2.43.0 + diff --git a/queue-6.6/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch b/queue-6.6/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch new file mode 100644 index 00000000000..d0de553d05b --- /dev/null +++ b/queue-6.6/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch @@ -0,0 +1,42 @@ +From c440efa34965bbcc7f0b7402da058d37c3119277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:25:05 +0530 +Subject: drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro + +From: Suraj Kandpal + +[ Upstream commit 555069117390a5d581863bc797fb546bb4417c31 ] + +Fix HDCP2_STREAM_STATUS macro, it called pipe instead of port never +threw a compile error as no one used it. + +--v2 +-Add Fixes [Jani] + +Fixes: d631b984cc90 ("drm/i915/hdcp: Add HDCP 2.2 stream register") +Signed-off-by: Suraj Kandpal +Reviewed-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20240730035505.3759899-1-suraj.kandpal@intel.com +(cherry picked from commit 73d7cd542bbd0a7c6881ea0df5255f190a1e7236) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_hdcp_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_hdcp_regs.h b/drivers/gpu/drm/i915/display/intel_hdcp_regs.h +index 8023c85c7fa0e..74059384892af 100644 +--- a/drivers/gpu/drm/i915/display/intel_hdcp_regs.h ++++ b/drivers/gpu/drm/i915/display/intel_hdcp_regs.h +@@ -249,7 +249,7 @@ + #define HDCP2_STREAM_STATUS(dev_priv, trans, port) \ + (GRAPHICS_VER(dev_priv) >= 12 ? \ + TRANS_HDCP2_STREAM_STATUS(trans) : \ +- PIPE_HDCP2_STREAM_STATUS(pipe)) ++ PIPE_HDCP2_STREAM_STATUS(port)) + + #define _PORTA_HDCP2_AUTH_STREAM 0x66F00 + #define _PORTB_HDCP2_AUTH_STREAM 0x66F04 +-- +2.43.0 + diff --git a/queue-6.6/drm-nouveau-prime-fix-refcount-underflow.patch b/queue-6.6/drm-nouveau-prime-fix-refcount-underflow.patch new file mode 100644 index 00000000000..0dec3415aee --- /dev/null +++ b/queue-6.6/drm-nouveau-prime-fix-refcount-underflow.patch @@ -0,0 +1,47 @@ +From 86257efc9fda60ca79642e76ca95753f268cafea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 18:58:46 +0200 +Subject: drm/nouveau: prime: fix refcount underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Danilo Krummrich + +[ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ] + +Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and +hence the backing ttm_bo) leads to a refcount underflow. + +Instead of calling nouveau_bo_ref() in the unwind path of +drm_gem_object_init(), clean things up manually. + +Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers") +Reviewed-by: Ben Skeggs +Reviewed-by: Christian König +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org +(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5) +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_prime.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c +index 1b2ff0c40fc1c..6c599a9f49ee4 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -64,7 +64,8 @@ struct drm_gem_object *nouveau_gem_prime_import_sg_table(struct drm_device *dev, + * to the caller, instead of a normal nouveau_bo ttm reference. */ + ret = drm_gem_object_init(dev, &nvbo->bo.base, size); + if (ret) { +- nouveau_bo_ref(NULL, &nvbo); ++ drm_gem_object_release(&nvbo->bo.base); ++ kfree(nvbo); + obj = ERR_PTR(-ENOMEM); + goto unlock; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch b/queue-6.6/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch new file mode 100644 index 00000000000..f30d7d2581e --- /dev/null +++ b/queue-6.6/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch @@ -0,0 +1,41 @@ +From c02b7f9e7a91d130ae9d88fe384e965ae6e07155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 11:36:27 -0500 +Subject: drm/vmwgfx: Fix overlay when using Screen Targets + +From: Ian Forbes + +[ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ] + +This code was never updated to support Screen Targets. +Fixes a bug where Xv playback displays a green screen instead of actual +video contents when 3D acceleration is disabled in the guest. + +Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets") +Reported-by: Doug Brown +Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com +Signed-off-by: Ian Forbes +Tested-by: Doug Brown +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +index c45b4724e4141..e20f64b67b266 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +@@ -92,7 +92,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv, + { + struct vmw_escape_video_flush *flush; + size_t fifo_size; +- bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object); ++ bool have_so = (dev_priv->active_display_unit != vmw_du_legacy); + int i, num_items; + SVGAGuestPtr ptr; + +-- +2.43.0 + diff --git a/queue-6.6/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch b/queue-6.6/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch new file mode 100644 index 00000000000..90a22995e7c --- /dev/null +++ b/queue-6.6/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch @@ -0,0 +1,76 @@ +From 79b413d8535d8d568136e545f8883eeddcacd5f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 15:59:51 -0500 +Subject: drm/vmwgfx: Trigger a modeset when the screen moves + +From: Ian Forbes + +[ Upstream commit 75c3e8a26a35d4f3eee299b3cc7e465f166f4e2d ] + +When multi-monitor is cycled the X,Y position of the Screen Target will +likely change but the resolution will not. We need to trigger a modeset +when this occurs in order to recreate the Screen Target with the correct +X,Y position. + +Fixes a bug where multiple displays are shown in a single scrollable +host window rather than in 2+ windows on separate host displays. + +Fixes: 426826933109 ("drm/vmwgfx: Filter modes which exceed graphics memory") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240624205951.23343-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 29 +++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +index 4ccab07faff08..cb03c589ab226 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +@@ -868,6 +868,32 @@ vmw_stdu_connector_mode_valid(struct drm_connector *connector, + return MODE_OK; + } + ++/* ++ * Trigger a modeset if the X,Y position of the Screen Target changes. ++ * This is needed when multi-mon is cycled. The original Screen Target will have ++ * the same mode but its relative X,Y position in the topology will change. ++ */ ++static int vmw_stdu_connector_atomic_check(struct drm_connector *conn, ++ struct drm_atomic_state *state) ++{ ++ struct drm_connector_state *conn_state; ++ struct vmw_screen_target_display_unit *du; ++ struct drm_crtc_state *new_crtc_state; ++ ++ conn_state = drm_atomic_get_connector_state(state, conn); ++ du = vmw_connector_to_stdu(conn); ++ ++ if (!conn_state->crtc) ++ return 0; ++ ++ new_crtc_state = drm_atomic_get_new_crtc_state(state, conn_state->crtc); ++ if (du->base.gui_x != du->base.set_gui_x || ++ du->base.gui_y != du->base.set_gui_y) ++ new_crtc_state->mode_changed = true; ++ ++ return 0; ++} ++ + static const struct drm_connector_funcs vmw_stdu_connector_funcs = { + .dpms = vmw_du_connector_dpms, + .detect = vmw_du_connector_detect, +@@ -882,7 +908,8 @@ static const struct drm_connector_funcs vmw_stdu_connector_funcs = { + static const struct + drm_connector_helper_funcs vmw_stdu_connector_helper_funcs = { + .get_modes = vmw_connector_get_modes, +- .mode_valid = vmw_stdu_connector_mode_valid ++ .mode_valid = vmw_stdu_connector_mode_valid, ++ .atomic_check = vmw_stdu_connector_atomic_check, + }; + + +-- +2.43.0 + diff --git a/queue-6.6/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch b/queue-6.6/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch new file mode 100644 index 00000000000..b37380e724e --- /dev/null +++ b/queue-6.6/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch @@ -0,0 +1,68 @@ +From a1f7ed538d563c24d2333988fb83b9d1505e9c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 16:46:16 +0530 +Subject: HID: amd_sfh: Move sensor discovery before HID device initialization + +From: Basavaraj Natikar + +[ Upstream commit 8031b001da700474c11d28629581480b12a0d8d4 ] + +Sensors discovery is independent of HID device initialization. If sensor +discovery fails after HID initialization, then the HID device needs to be +deinitialized. Therefore, sensors discovery should be moved before HID +device initialization. + +Fixes: 7bcfdab3f0c6 ("HID: amd_sfh: if no sensors are enabled, clean up") +Tested-by: Aurinko +Signed-off-by: Basavaraj Natikar +Link: https://patch.msgid.link/20240718111616.3012155-1-Basavaraj.Natikar@amd.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_client.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c +index bdb578e0899f5..4b59687ff5d82 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c +@@ -288,12 +288,22 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata) + mp2_ops->start(privdata, info); + cl_data->sensor_sts[i] = amd_sfh_wait_for_response + (privdata, cl_data->sensor_idx[i], SENSOR_ENABLED); ++ ++ if (cl_data->sensor_sts[i] == SENSOR_ENABLED) ++ cl_data->is_any_sensor_enabled = true; ++ } ++ ++ if (!cl_data->is_any_sensor_enabled || ++ (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) { ++ dev_warn(dev, "Failed to discover, sensors not enabled is %d\n", ++ cl_data->is_any_sensor_enabled); ++ rc = -EOPNOTSUPP; ++ goto cleanup; + } + + for (i = 0; i < cl_data->num_hid_devices; i++) { + cl_data->cur_hid_dev = i; + if (cl_data->sensor_sts[i] == SENSOR_ENABLED) { +- cl_data->is_any_sensor_enabled = true; + rc = amdtp_hid_probe(i, cl_data); + if (rc) + goto cleanup; +@@ -305,12 +315,6 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata) + cl_data->sensor_sts[i]); + } + +- if (!cl_data->is_any_sensor_enabled || +- (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) { +- dev_warn(dev, "Failed to discover, sensors not enabled is %d\n", cl_data->is_any_sensor_enabled); +- rc = -EOPNOTSUPP; +- goto cleanup; +- } + schedule_delayed_work(&cl_data->work_buffer, msecs_to_jiffies(AMD_SFH_IDLE_LOOP)); + return 0; + +-- +2.43.0 + diff --git a/queue-6.6/i915-perf-remove-code-to-update-pwr_clk_state-for-ge.patch b/queue-6.6/i915-perf-remove-code-to-update-pwr_clk_state-for-ge.patch new file mode 100644 index 00000000000..86ad8391290 --- /dev/null +++ b/queue-6.6/i915-perf-remove-code-to-update-pwr_clk_state-for-ge.patch @@ -0,0 +1,92 @@ +From 49c82e65927f7483005e58b37749382e3546d197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 17:56:43 -0700 +Subject: i915/perf: Remove code to update PWR_CLK_STATE for gen12 + +From: Umesh Nerlige Ramappa + +[ Upstream commit 4bc14b9cfaa2149d41baef2f2620e9f82d9847d7 ] + +PWR_CLK_STATE only needs to be modified up until gen11. For gen12 this +code is not applicable. Remove code to update context image with +PWR_CLK_STATE for gen12. + +Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL") +Signed-off-by: Umesh Nerlige Ramappa +Reviewed-by: Ashutosh Dixit +Link: https://patchwork.freedesktop.org/patch/msgid/20240629005643.3050678-1-umesh.nerlige.ramappa@intel.com +(cherry picked from commit 7b5bdae7740eb6a3d09f9cd4e4b07362a15b86b3) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/i915_perf.c | 33 -------------------------------- + 1 file changed, 33 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c +index 3f90403d86cb4..0808b54d3c518 100644 +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -2781,26 +2781,6 @@ oa_configure_all_contexts(struct i915_perf_stream *stream, + return 0; + } + +-static int +-gen12_configure_all_contexts(struct i915_perf_stream *stream, +- const struct i915_oa_config *oa_config, +- struct i915_active *active) +-{ +- struct flex regs[] = { +- { +- GEN8_R_PWR_CLK_STATE(RENDER_RING_BASE), +- CTX_R_PWR_CLK_STATE, +- }, +- }; +- +- if (stream->engine->class != RENDER_CLASS) +- return 0; +- +- return oa_configure_all_contexts(stream, +- regs, ARRAY_SIZE(regs), +- active); +-} +- + static int + lrc_configure_all_contexts(struct i915_perf_stream *stream, + const struct i915_oa_config *oa_config, +@@ -2907,7 +2887,6 @@ gen12_enable_metric_set(struct i915_perf_stream *stream, + { + struct drm_i915_private *i915 = stream->perf->i915; + struct intel_uncore *uncore = stream->uncore; +- struct i915_oa_config *oa_config = stream->oa_config; + bool periodic = stream->periodic; + u32 period_exponent = stream->period_exponent; + u32 sqcnt1; +@@ -2951,15 +2930,6 @@ gen12_enable_metric_set(struct i915_perf_stream *stream, + + intel_uncore_rmw(uncore, GEN12_SQCNT1, 0, sqcnt1); + +- /* +- * Update all contexts prior writing the mux configurations as we need +- * to make sure all slices/subslices are ON before writing to NOA +- * registers. +- */ +- ret = gen12_configure_all_contexts(stream, oa_config, active); +- if (ret) +- return ret; +- + /* + * For Gen12, performance counters are context + * saved/restored. Only enable it for the context that +@@ -3014,9 +2984,6 @@ static void gen12_disable_metric_set(struct i915_perf_stream *stream) + _MASKED_BIT_DISABLE(GEN12_DISABLE_DOP_GATING)); + } + +- /* Reset all contexts' slices/subslices configurations. */ +- gen12_configure_all_contexts(stream, NULL, NULL); +- + /* disable the context save/restore or OAR counters */ + if (stream->ctx) + gen12_configure_oar_context(stream, NULL); +-- +2.43.0 + diff --git a/queue-6.6/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch b/queue-6.6/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch new file mode 100644 index 00000000000..d8b920f41e5 --- /dev/null +++ b/queue-6.6/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch @@ -0,0 +1,38 @@ +From ca7c6d5bdaf3114833bbb780e508c3eff2cf0ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 20:17:15 +0200 +Subject: ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog + +From: Maciej Fijalkowski + +[ Upstream commit 6044ca26210ba72b3dcc649fae1cbedd9e6ab018 ] + +It is read by data path and modified from process context on remote cpu +so it is needed to use WRITE_ONCE to clear the pointer. + +Fixes: efc2214b6047 ("ice: Add support for XDP") +Reviewed-by: Shannon Nelson +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index 24c914015973e..49b1fa9651161 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -456,7 +456,7 @@ void ice_free_rx_ring(struct ice_rx_ring *rx_ring) + if (rx_ring->vsi->type == ICE_VSI_PF) + if (xdp_rxq_info_is_reg(&rx_ring->xdp_rxq)) + xdp_rxq_info_unreg(&rx_ring->xdp_rxq); +- rx_ring->xdp_prog = NULL; ++ WRITE_ONCE(rx_ring->xdp_prog, NULL); + if (rx_ring->xsk_pool) { + kfree(rx_ring->xdp_buf); + rx_ring->xdp_buf = NULL; +-- +2.43.0 + diff --git a/queue-6.6/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch b/queue-6.6/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch new file mode 100644 index 00000000000..1bec7edceb3 --- /dev/null +++ b/queue-6.6/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch @@ -0,0 +1,48 @@ +From f774a1245531a7f0a13ddd4c81ea201ab0cfe221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 20:17:10 +0200 +Subject: ice: don't busy wait for Rx queue disable in ice_qp_dis() + +From: Maciej Fijalkowski + +[ Upstream commit 1ff72a2f67791cd4ddad19ed830445f57b30e992 ] + +When ice driver is spammed with multiple xdpsock instances and flow +control is enabled, there are cases when Rx queue gets stuck and unable +to reflect the disable state in QRX_CTRL register. Similar issue has +previously been addressed in commit 13a6233b033f ("ice: Add support to +enable/disable all Rx queues before waiting"). + +To workaround this, let us simply not wait for a disabled state as later +patch will make sure that regardless of the encountered error in the +process of disabling a queue pair, the Rx queue will be enabled. + +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Reviewed-by: Shannon Nelson +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index 248cb02958acd..a8d0cd3d831a0 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -199,10 +199,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + if (err) + return err; + } +- err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true); +- if (err) +- return err; + ++ ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, false); + ice_qp_clean_rings(vsi, q_idx); + ice_qp_reset_stats(vsi, q_idx); + +-- +2.43.0 + diff --git a/queue-6.6/ice-replace-synchronize_rcu-with-synchronize_net.patch b/queue-6.6/ice-replace-synchronize_rcu-with-synchronize_net.patch new file mode 100644 index 00000000000..7042fdcf943 --- /dev/null +++ b/queue-6.6/ice-replace-synchronize_rcu-with-synchronize_net.patch @@ -0,0 +1,60 @@ +From a9b39a6d8bfdb70827aa33155de02b50a7e4c75e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 20:17:11 +0200 +Subject: ice: replace synchronize_rcu with synchronize_net + +From: Maciej Fijalkowski + +[ Upstream commit 405d9999aa0b4ae467ef391d1d9c7e0d30ad0841 ] + +Given that ice_qp_dis() is called under rtnl_lock, synchronize_net() can +be called instead of synchronize_rcu() so that XDP rings can finish its +job in a faster way. Also let us do this as earlier in XSK queue disable +flow. + +Additionally, turn off regular Tx queue before disabling irqs and NAPI. + +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Reviewed-by: Shannon Nelson +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index a8d0cd3d831a0..67511153081ae 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -52,10 +52,8 @@ static void ice_qp_reset_stats(struct ice_vsi *vsi, u16 q_idx) + static void ice_qp_clean_rings(struct ice_vsi *vsi, u16 q_idx) + { + ice_clean_tx_ring(vsi->tx_rings[q_idx]); +- if (ice_is_xdp_ena_vsi(vsi)) { +- synchronize_rcu(); ++ if (ice_is_xdp_ena_vsi(vsi)) + ice_clean_tx_ring(vsi->xdp_rings[q_idx]); +- } + ice_clean_rx_ring(vsi->rx_rings[q_idx]); + } + +@@ -180,11 +178,12 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx) + usleep_range(1000, 2000); + } + ++ synchronize_net(); ++ netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx)); ++ + ice_qvec_dis_irq(vsi, rx_ring, q_vector); + ice_qvec_toggle_napi(vsi, q_vector, false); + +- netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx)); +- + ice_fill_txq_meta(vsi, tx_ring, &txq_meta); + err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta); + if (err) +-- +2.43.0 + diff --git a/queue-6.6/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch b/queue-6.6/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch new file mode 100644 index 00000000000..3867d683972 --- /dev/null +++ b/queue-6.6/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch @@ -0,0 +1,67 @@ +From ce187a0d80b4c93d594426c5c7293f1bbdaf9217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 20:17:09 +0200 +Subject: ice: respect netif readiness in AF_XDP ZC related ndo's + +From: Michal Kubiak + +[ Upstream commit ec145a18687fec8dd97eeb4f30057fa4debef577 ] + +Address a scenario in which XSK ZC Tx produces descriptors to XDP Tx +ring when link is either not yet fully initialized or process of +stopping the netdev has already started. To avoid this, add checks +against carrier readiness in ice_xsk_wakeup() and in ice_xmit_zc(). +One could argue that bailing out early in ice_xsk_wakeup() would be +sufficient but given the fact that we produce Tx descriptors on behalf +of NAPI that is triggered for Rx traffic, the latter is also needed. + +Bringing link up is an asynchronous event executed within +ice_service_task so even though interface has been brought up there is +still a time frame where link is not yet ok. + +Without this patch, when AF_XDP ZC Tx is used simultaneously with stack +Tx, Tx timeouts occur after going through link flap (admin brings +interface down then up again). HW seem to be unable to transmit +descriptor to the wire after HW tail register bump which in turn causes +bit __QUEUE_STATE_STACK_XOFF to be set forever as +netdev_tx_completed_queue() sees no cleaned bytes on the input. + +Fixes: 126cdfe1007a ("ice: xsk: Improve AF_XDP ZC Tx and use batching API") +Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") +Reviewed-by: Shannon Nelson +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Michal Kubiak +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_xsk.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c +index f53566cb6bfbd..248cb02958acd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c +@@ -1068,6 +1068,10 @@ bool ice_xmit_zc(struct ice_tx_ring *xdp_ring) + + ice_clean_xdp_irq_zc(xdp_ring); + ++ if (!netif_carrier_ok(xdp_ring->vsi->netdev) || ++ !netif_running(xdp_ring->vsi->netdev)) ++ return true; ++ + budget = ICE_DESC_UNUSED(xdp_ring); + budget = min_t(u16, budget, ICE_RING_QUARTER(xdp_ring)); + +@@ -1111,7 +1115,7 @@ ice_xsk_wakeup(struct net_device *netdev, u32 queue_id, + struct ice_vsi *vsi = np->vsi; + struct ice_tx_ring *ring; + +- if (test_bit(ICE_VSI_DOWN, vsi->state)) ++ if (test_bit(ICE_VSI_DOWN, vsi->state) || !netif_carrier_ok(netdev)) + return -ENETDOWN; + + if (!ice_is_xdp_ena_vsi(vsi)) +-- +2.43.0 + diff --git a/queue-6.6/igc-fix-double-reset-adapter-triggered-from-a-single.patch b/queue-6.6/igc-fix-double-reset-adapter-triggered-from-a-single.patch new file mode 100644 index 00000000000..2d12e255cf5 --- /dev/null +++ b/queue-6.6/igc-fix-double-reset-adapter-triggered-from-a-single.patch @@ -0,0 +1,92 @@ +From 4a40687fa395dbe2c912f4e7d8c3e373dda7a70b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 10:33:02 -0700 +Subject: igc: Fix double reset adapter triggered from a single taprio cmd + +From: Faizal Rahim + +[ Upstream commit b9e7fc0aeda79031a101610b2fcb12bf031056e9 ] + +Following the implementation of "igc: Add TransmissionOverrun counter" +patch, when a taprio command is triggered by user, igc processes two +commands: TAPRIO_CMD_REPLACE followed by TAPRIO_CMD_STATS. However, both +commands unconditionally pass through igc_tsn_offload_apply() which +evaluates and triggers reset adapter. The double reset causes issues in +the calculation of adapter->qbv_count in igc. + +TAPRIO_CMD_REPLACE command is expected to reset the adapter since it +activates qbv. It's unexpected for TAPRIO_CMD_STATS to do the same +because it doesn't configure any driver-specific TSN settings. So, the +evaluation in igc_tsn_offload_apply() isn't needed for TAPRIO_CMD_STATS. + +To address this, commands parsing are relocated to +igc_tsn_enable_qbv_scheduling(). Commands that don't require an adapter +reset will exit after processing, thus avoiding igc_tsn_offload_apply(). + +Fixes: d3750076d464 ("igc: Add TransmissionOverrun counter") +Signed-off-by: Faizal Rahim +Acked-by: Vinicius Costa Gomes +Reviewed-by: Vladimir Oltean +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Link: https://patch.msgid.link/20240730173304.865479-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 33 ++++++++++++----------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index e83700ad7e622..d80bbcdeb93ed 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -6208,21 +6208,6 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter, + size_t n; + int i; + +- switch (qopt->cmd) { +- case TAPRIO_CMD_REPLACE: +- break; +- case TAPRIO_CMD_DESTROY: +- return igc_tsn_clear_schedule(adapter); +- case TAPRIO_CMD_STATS: +- igc_taprio_stats(adapter->netdev, &qopt->stats); +- return 0; +- case TAPRIO_CMD_QUEUE_STATS: +- igc_taprio_queue_stats(adapter->netdev, &qopt->queue_stats); +- return 0; +- default: +- return -EOPNOTSUPP; +- } +- + if (qopt->base_time < 0) + return -ERANGE; + +@@ -6331,7 +6316,23 @@ static int igc_tsn_enable_qbv_scheduling(struct igc_adapter *adapter, + if (hw->mac.type != igc_i225) + return -EOPNOTSUPP; + +- err = igc_save_qbv_schedule(adapter, qopt); ++ switch (qopt->cmd) { ++ case TAPRIO_CMD_REPLACE: ++ err = igc_save_qbv_schedule(adapter, qopt); ++ break; ++ case TAPRIO_CMD_DESTROY: ++ err = igc_tsn_clear_schedule(adapter); ++ break; ++ case TAPRIO_CMD_STATS: ++ igc_taprio_stats(adapter->netdev, &qopt->stats); ++ return 0; ++ case TAPRIO_CMD_QUEUE_STATS: ++ igc_taprio_queue_stats(adapter->netdev, &qopt->queue_stats); ++ return 0; ++ default: ++ return -EOPNOTSUPP; ++ } ++ + if (err) + return err; + +-- +2.43.0 + diff --git a/queue-6.6/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-6.6/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch new file mode 100644 index 00000000000..8537168f531 --- /dev/null +++ b/queue-6.6/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch @@ -0,0 +1,92 @@ +From c8b7be8fef6b1e002a6e82b9173dca84c2e7592c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 17:17:48 -0700 +Subject: ipv6: fix ndisc_is_useropt() handling for PIO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ] + +The current logic only works if the PIO is between two +other ND user options. This fixes it so that the PIO +can also be either before or after other ND user options +(for example the first or last option in the RA). + +side note: there's actually Android tests verifying +a portion of the old broken behaviour, so: + https://android-review.googlesource.com/c/kernel/tests/+/3196704 +fixes those up. + +Cc: Jen Linkova +Cc: Lorenzo Colitti +Cc: Patrick Rohr +Cc: David Ahern +Cc: YOSHIFUJI Hideaki / 吉藤英明 +Cc: Jakub Kicinski +Signed-off-by: Maciej Żenczykowski +Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO") +Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 68debc78189c2..2062ab94721e3 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -227,6 +227,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, + return NULL; + memset(ndopts, 0, sizeof(*ndopts)); + while (opt_len) { ++ bool unknown = false; + int l; + if (opt_len < sizeof(struct nd_opt_hdr)) + return NULL; +@@ -262,22 +263,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, + break; + #endif + default: +- if (ndisc_is_useropt(dev, nd_opt)) { +- ndopts->nd_useropts_end = nd_opt; +- if (!ndopts->nd_useropts) +- ndopts->nd_useropts = nd_opt; +- } else { +- /* +- * Unknown options must be silently ignored, +- * to accommodate future extension to the +- * protocol. +- */ +- ND_PRINTK(2, notice, +- "%s: ignored unsupported option; type=%d, len=%d\n", +- __func__, +- nd_opt->nd_opt_type, +- nd_opt->nd_opt_len); +- } ++ unknown = true; ++ } ++ if (ndisc_is_useropt(dev, nd_opt)) { ++ ndopts->nd_useropts_end = nd_opt; ++ if (!ndopts->nd_useropts) ++ ndopts->nd_useropts = nd_opt; ++ } else if (unknown) { ++ /* ++ * Unknown options must be silently ignored, ++ * to accommodate future extension to the ++ * protocol. ++ */ ++ ND_PRINTK(2, notice, ++ "%s: ignored unsupported option; type=%d, len=%d\n", ++ __func__, ++ nd_opt->nd_opt_type, ++ nd_opt->nd_opt_len); + } + next_opt: + opt_len -= l; +-- +2.43.0 + diff --git a/queue-6.6/mptcp-give-rcvlowat-some-love.patch b/queue-6.6/mptcp-give-rcvlowat-some-love.patch new file mode 100644 index 00000000000..497369fff00 --- /dev/null +++ b/queue-6.6/mptcp-give-rcvlowat-some-love.patch @@ -0,0 +1,273 @@ +From 31483e3f75f3492c35a66a2eb1d40417d63c3393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 13:44:38 -0700 +Subject: mptcp: give rcvlowat some love + +From: Paolo Abeni + +[ Upstream commit 5684ab1a0effbfeb706f47d85785f653005b97b1 ] + +The MPTCP protocol allow setting sk_rcvlowat, but the value there +is currently ignored. + +Additionally, the default subflows sk_rcvlowat basically disables per +subflow delayed ack: the MPTCP protocol move the incoming data from the +subflows into the msk socket as soon as the TCP stacks invokes the subflow +data_ready callback. Later, when __tcp_ack_snd_check() takes action, +the subflow-level copied_seq matches rcv_nxt, and that mandate for an +immediate ack. + +Let the mptcp receive path be aware of such threshold, explicitly tracking +the amount of data available to be ready and checking vs sk_rcvlowat in +mptcp_poll() and before waking-up readers. + +Additionally implement the set_rcvlowat() callback, to properly handle +the rcvbuf auto-tuning on sk_rcvlowat changes. + +Finally to properly handle delayed ack, force the subflow level threshold +to 0 and instead explicitly ask for an immediate ack when the msk level th +is not reached. + +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20231023-send-net-next-20231023-2-v1-5-9dc60939d371@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: 05f76b2d634e ("tcp: Adjust clamping window for applications specifying SO_RCVBUF") +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 24 +++++++++++------------- + net/mptcp/protocol.h | 20 ++++++++++++++++++++ + net/mptcp/sockopt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + net/mptcp/subflow.c | 12 ++++++++++-- + 4 files changed, 83 insertions(+), 15 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index fbf2b26760731..d2edd02a137bd 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -849,9 +849,8 @@ void mptcp_data_ready(struct sock *sk, struct sock *ssk) + + /* Wake-up the reader only for in-sequence data */ + mptcp_data_lock(sk); +- if (move_skbs_to_msk(msk, ssk)) ++ if (move_skbs_to_msk(msk, ssk) && mptcp_epollin_ready(sk)) + sk->sk_data_ready(sk); +- + mptcp_data_unlock(sk); + } + +@@ -1918,6 +1917,7 @@ static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, + if (!(flags & MSG_PEEK)) { + MPTCP_SKB_CB(skb)->offset += count; + MPTCP_SKB_CB(skb)->map_seq += count; ++ msk->bytes_consumed += count; + } + break; + } +@@ -1928,6 +1928,7 @@ static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, + WRITE_ONCE(msk->rmem_released, msk->rmem_released + skb->truesize); + __skb_unlink(skb, &msk->receive_queue); + __kfree_skb(skb); ++ msk->bytes_consumed += count; + } + + if (copied >= len) +@@ -2752,6 +2753,7 @@ static void __mptcp_init_sock(struct sock *sk) + msk->rmem_fwd_alloc = 0; + WRITE_ONCE(msk->rmem_released, 0); + msk->timer_ival = TCP_RTO_MIN; ++ msk->scaling_ratio = TCP_DEFAULT_SCALING_RATIO; + + WRITE_ONCE(msk->first, NULL); + inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss; +@@ -2984,16 +2986,9 @@ void __mptcp_unaccepted_force_close(struct sock *sk) + __mptcp_destroy_sock(sk); + } + +-static __poll_t mptcp_check_readable(struct mptcp_sock *msk) ++static __poll_t mptcp_check_readable(struct sock *sk) + { +- /* Concurrent splices from sk_receive_queue into receive_queue will +- * always show at least one non-empty queue when checked in this order. +- */ +- if (skb_queue_empty_lockless(&((struct sock *)msk)->sk_receive_queue) && +- skb_queue_empty_lockless(&msk->receive_queue)) +- return 0; +- +- return EPOLLIN | EPOLLRDNORM; ++ return mptcp_epollin_ready(sk) ? EPOLLIN | EPOLLRDNORM : 0; + } + + static void mptcp_check_listen_stop(struct sock *sk) +@@ -3031,7 +3026,7 @@ bool __mptcp_close(struct sock *sk, long timeout) + goto cleanup; + } + +- if (mptcp_check_readable(msk) || timeout < 0) { ++ if (mptcp_data_avail(msk) || timeout < 0) { + /* If the msk has read data, or the caller explicitly ask it, + * do the MPTCP equivalent of TCP reset, aka MPTCP fastclose + */ +@@ -3157,6 +3152,7 @@ static int mptcp_disconnect(struct sock *sk, int flags) + msk->snd_data_fin_enable = false; + msk->rcv_fastclose = false; + msk->use_64bit_ack = false; ++ msk->bytes_consumed = 0; + WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk))); + mptcp_pm_data_reset(msk); + mptcp_ca_reset(sk); +@@ -3983,7 +3979,7 @@ static __poll_t mptcp_poll(struct file *file, struct socket *sock, + mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; + + if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) { +- mask |= mptcp_check_readable(msk); ++ mask |= mptcp_check_readable(sk); + if (shutdown & SEND_SHUTDOWN) + mask |= EPOLLOUT | EPOLLWRNORM; + else +@@ -4021,6 +4017,7 @@ static const struct proto_ops mptcp_stream_ops = { + .sendmsg = inet_sendmsg, + .recvmsg = inet_recvmsg, + .mmap = sock_no_mmap, ++ .set_rcvlowat = mptcp_set_rcvlowat, + }; + + static struct inet_protosw mptcp_protosw = { +@@ -4122,6 +4119,7 @@ static const struct proto_ops mptcp_v6_stream_ops = { + #ifdef CONFIG_COMPAT + .compat_ioctl = inet6_compat_ioctl, + #endif ++ .set_rcvlowat = mptcp_set_rcvlowat, + }; + + static struct proto mptcp_v6_prot; +diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h +index 93ba48f4ae386..305f4ed954b4b 100644 +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -268,6 +268,7 @@ struct mptcp_sock { + atomic64_t rcv_wnd_sent; + u64 rcv_data_fin_seq; + u64 bytes_retrans; ++ u64 bytes_consumed; + int rmem_fwd_alloc; + int snd_burst; + int old_wspace; +@@ -674,6 +675,24 @@ struct sock *mptcp_subflow_get_retrans(struct mptcp_sock *msk); + int mptcp_sched_get_send(struct mptcp_sock *msk); + int mptcp_sched_get_retrans(struct mptcp_sock *msk); + ++static inline u64 mptcp_data_avail(const struct mptcp_sock *msk) ++{ ++ return READ_ONCE(msk->bytes_received) - READ_ONCE(msk->bytes_consumed); ++} ++ ++static inline bool mptcp_epollin_ready(const struct sock *sk) ++{ ++ /* mptcp doesn't have to deal with small skbs in the receive queue, ++ * at it can always coalesce them ++ */ ++ return (mptcp_data_avail(mptcp_sk(sk)) >= sk->sk_rcvlowat) || ++ (mem_cgroup_sockets_enabled && sk->sk_memcg && ++ mem_cgroup_under_socket_pressure(sk->sk_memcg)) || ++ READ_ONCE(tcp_memory_pressure); ++} ++ ++int mptcp_set_rcvlowat(struct sock *sk, int val); ++ + static inline bool __tcp_can_send(const struct sock *ssk) + { + /* only send if our side has not closed yet */ +@@ -748,6 +767,7 @@ static inline bool mptcp_is_fully_established(struct sock *sk) + return inet_sk_state_load(sk) == TCP_ESTABLISHED && + READ_ONCE(mptcp_sk(sk)->fully_established); + } ++ + void mptcp_rcv_space_init(struct mptcp_sock *msk, const struct sock *ssk); + void mptcp_data_ready(struct sock *sk, struct sock *ssk); + bool mptcp_finish_join(struct sock *sk); +diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c +index cc04b5e29dd35..6e254f10b41e6 100644 +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -1521,9 +1521,51 @@ void mptcp_sockopt_sync_locked(struct mptcp_sock *msk, struct sock *ssk) + + msk_owned_by_me(msk); + ++ ssk->sk_rcvlowat = 0; ++ + if (READ_ONCE(subflow->setsockopt_seq) != msk->setsockopt_seq) { + sync_socket_options(msk, ssk); + + subflow->setsockopt_seq = msk->setsockopt_seq; + } + } ++ ++/* unfortunately this is different enough from the tcp version so ++ * that we can't factor it out ++ */ ++int mptcp_set_rcvlowat(struct sock *sk, int val) ++{ ++ struct mptcp_subflow_context *subflow; ++ int space, cap; ++ ++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK) ++ cap = sk->sk_rcvbuf >> 1; ++ else ++ cap = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1; ++ val = min(val, cap); ++ WRITE_ONCE(sk->sk_rcvlowat, val ? : 1); ++ ++ /* Check if we need to signal EPOLLIN right now */ ++ if (mptcp_epollin_ready(sk)) ++ sk->sk_data_ready(sk); ++ ++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK) ++ return 0; ++ ++ space = __tcp_space_from_win(mptcp_sk(sk)->scaling_ratio, val); ++ if (space <= sk->sk_rcvbuf) ++ return 0; ++ ++ /* propagate the rcvbuf changes to all the subflows */ ++ WRITE_ONCE(sk->sk_rcvbuf, space); ++ mptcp_for_each_subflow(mptcp_sk(sk), subflow) { ++ struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ bool slow; ++ ++ slow = lock_sock_fast(ssk); ++ WRITE_ONCE(ssk->sk_rcvbuf, space); ++ tcp_sk(ssk)->window_clamp = val; ++ unlock_sock_fast(ssk, slow); ++ } ++ return 0; ++} +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 23ee96c6abcbf..090bd05a78642 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1432,10 +1432,18 @@ static void subflow_data_ready(struct sock *sk) + WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable && + !subflow->mp_join && !(state & TCPF_CLOSE)); + +- if (mptcp_subflow_data_available(sk)) ++ if (mptcp_subflow_data_available(sk)) { + mptcp_data_ready(parent, sk); +- else if (unlikely(sk->sk_err)) ++ ++ /* subflow-level lowat test are not relevant. ++ * respect the msk-level threshold eventually mandating an immediate ack ++ */ ++ if (mptcp_data_avail(msk) < parent->sk_rcvlowat && ++ (tcp_sk(sk)->rcv_nxt - tcp_sk(sk)->rcv_wup) > inet_csk(sk)->icsk_ack.rcv_mss) ++ inet_csk(sk)->icsk_ack.pending |= ICSK_ACK_NOW; ++ } else if (unlikely(sk->sk_err)) { + subflow_error_report(sk); ++ } + } + + static void subflow_write_space(struct sock *ssk) +-- +2.43.0 + diff --git a/queue-6.6/net-axienet-start-napi-before-enabling-rx-tx.patch b/queue-6.6/net-axienet-start-napi-before-enabling-rx-tx.patch new file mode 100644 index 00000000000..6001d2f789b --- /dev/null +++ b/queue-6.6/net-axienet-start-napi-before-enabling-rx-tx.patch @@ -0,0 +1,41 @@ +From 8f495b2b1926915c0eddce356d25e323f469406a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 15:06:50 +0800 +Subject: net: axienet: start napi before enabling Rx/Tx + +From: Andy Chiu + +[ Upstream commit 799a829507506924add8a7620493adc1c3cfda30 ] + +softirq may get lost if an Rx interrupt comes before we call +napi_enable. Move napi_enable in front of axienet_setoptions(), which +turns on the device, to address the issue. + +Link: https://lists.gnu.org/archive/html/qemu-devel/2024-07/msg06160.html +Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive") +Signed-off-by: Andy Chiu +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 3297aff969c80..11e08cb8d3c3e 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1826,9 +1826,9 @@ static void axienet_dma_err_handler(struct work_struct *work) + ~(XAE_OPTION_TXEN | XAE_OPTION_RXEN)); + axienet_set_mac_address(ndev, NULL); + axienet_set_multicast_list(ndev); +- axienet_setoptions(ndev, lp->options); + napi_enable(&lp->napi_rx); + napi_enable(&lp->napi_tx); ++ axienet_setoptions(ndev, lp->options); + } + + /** +-- +2.43.0 + diff --git a/queue-6.6/net-iucv-fix-use-after-free-in-iucv_sock_close.patch b/queue-6.6/net-iucv-fix-use-after-free-in-iucv_sock_close.patch new file mode 100644 index 00000000000..99c64c6621a --- /dev/null +++ b/queue-6.6/net-iucv-fix-use-after-free-in-iucv_sock_close.patch @@ -0,0 +1,75 @@ +From d194b5a8e323d6049644045a47b5c03a118d6295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 14:28:16 +0200 +Subject: net/iucv: fix use after free in iucv_sock_close() + +From: Alexandra Winter + +[ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ] + +iucv_sever_path() is called from process context and from bh context. +iucv->path is used as indicator whether somebody else is taking care of +severing the path (or it is already removed / never existed). +This needs to be done with atomic compare and swap, otherwise there is a +small window where iucv_sock_close() will try to work with a path that has +already been severed and freed by iucv_callback_connrej() called by +iucv_tasklet_fn(). + +Example: +[452744.123844] Call Trace: +[452744.123845] ([<0000001e87f03880>] 0x1e87f03880) +[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 +[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] +[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] +[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] +[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 +[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 +[452744.124820] [<00000000d5421642>] __fput+0xba/0x268 +[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 +[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 +[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 +[452744.125319] Last Breaking-Event-Address: +[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 +[452744.125324] +[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt + +Note that bh_lock_sock() is not serializing the tasklet context against +process context, because the check for sock_owned_by_user() and +corresponding handling is missing. + +Ideas for a future clean-up patch: +A) Correct usage of bh_lock_sock() in tasklet context, as described in +Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/ +Re-enqueue, if needed. This may require adding return values to the +tasklet functions and thus changes to all users of iucv. + +B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. + +Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely") +Reviewed-by: Halil Pasic +Signed-off-by: Alexandra Winter +Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/iucv/af_iucv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index 498a0c35b7bb2..815b1df0b2d19 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -335,8 +335,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data) + struct iucv_sock *iucv = iucv_sk(sk); + struct iucv_path *path = iucv->path; + +- if (iucv->path) { +- iucv->path = NULL; ++ /* Whoever resets the path pointer, must sever and free it. */ ++ if (xchg(&iucv->path, NULL)) { + if (with_user_data) { + low_nmcpy(user_data, iucv->src_name); + high_nmcpy(user_data, iucv->dst_name); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-always-drain-health-in-shutdown-callback.patch b/queue-6.6/net-mlx5-always-drain-health-in-shutdown-callback.patch new file mode 100644 index 00000000000..8582c28bd9c --- /dev/null +++ b/queue-6.6/net-mlx5-always-drain-health-in-shutdown-callback.patch @@ -0,0 +1,64 @@ +From bbf850a2b184287da51c90fb40656da148458a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:30 +0300 +Subject: net/mlx5: Always drain health in shutdown callback + +From: Shay Drory + +[ Upstream commit 1b75da22ed1e6171e261bc9265370162553d5393 ] + +There is no point in recovery during device shutdown. if health +work started need to wait for it to avoid races and NULL pointer +access. + +Hence, drain health WQ on shutdown callback. + +Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") +Fixes: d2aa060d40fa ("net/mlx5: Cancel health poll before sending panic teardown command") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 2237b3d01e0e5..11f11248feb8b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -2130,7 +2130,6 @@ static int mlx5_try_fast_unload(struct mlx5_core_dev *dev) + /* Panic tear down fw command will stop the PCI bus communication + * with the HCA, so the health poll is no longer needed. + */ +- mlx5_drain_health_wq(dev); + mlx5_stop_health_poll(dev, false); + + ret = mlx5_cmd_fast_teardown_hca(dev); +@@ -2165,6 +2164,7 @@ static void shutdown(struct pci_dev *pdev) + + mlx5_core_info(dev, "Shutdown was called\n"); + set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state); ++ mlx5_drain_health_wq(dev); + err = mlx5_try_fast_unload(dev); + if (err) + mlx5_unload_one(dev, false); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index 30218f37d5285..2028acbe85ca2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -90,6 +90,7 @@ static void mlx5_sf_dev_shutdown(struct auxiliary_device *adev) + struct mlx5_core_dev *mdev = sf_dev->mdev; + + set_bit(MLX5_BREAK_FW_WAIT, &mdev->intf_state); ++ mlx5_drain_health_wq(mdev); + mlx5_unload_one(mdev, false); + } + +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-fix-error-handling-in-irq_pool_request_irq.patch b/queue-6.6/net-mlx5-fix-error-handling-in-irq_pool_request_irq.patch new file mode 100644 index 00000000000..6b320b355ff --- /dev/null +++ b/queue-6.6/net-mlx5-fix-error-handling-in-irq_pool_request_irq.patch @@ -0,0 +1,58 @@ +From ac1738eeae208ae240a75d0a6edffa41bd1d0956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:31 +0300 +Subject: net/mlx5: Fix error handling in irq_pool_request_irq + +From: Shay Drory + +[ Upstream commit a4557b0b57c40871ff00da4f623cf79211e052f3 ] + +In case mlx5_irq_alloc fails, the previously allocated index remains +in the XArray, which could lead to inconsistencies. + +Fix it by adding error handling that erases the allocated index +from the XArray if mlx5_irq_alloc returns an error. + +Fixes: c36326d38d93 ("net/mlx5: Round-Robin EQs over IRQs") +Signed-off-by: Shay Drory +Reviewed-by: Maher Sanalla +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c b/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c +index 612e666ec2635..e2230c8f18152 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/irq_affinity.c +@@ -48,6 +48,7 @@ static struct mlx5_irq * + irq_pool_request_irq(struct mlx5_irq_pool *pool, struct irq_affinity_desc *af_desc) + { + struct irq_affinity_desc auto_desc = {}; ++ struct mlx5_irq *irq; + u32 irq_index; + int err; + +@@ -64,9 +65,12 @@ irq_pool_request_irq(struct mlx5_irq_pool *pool, struct irq_affinity_desc *af_de + else + cpu_get(pool, cpumask_first(&af_desc->mask)); + } +- return mlx5_irq_alloc(pool, irq_index, +- cpumask_empty(&auto_desc.mask) ? af_desc : &auto_desc, +- NULL); ++ irq = mlx5_irq_alloc(pool, irq_index, ++ cpumask_empty(&auto_desc.mask) ? af_desc : &auto_desc, ++ NULL); ++ if (IS_ERR(irq)) ++ xa_erase(&pool->irqs, irq_index); ++ return irq; + } + + /* Looking for the IRQ with the smallest refcount that fits req_mask. +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch b/queue-6.6/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch new file mode 100644 index 00000000000..d2d777f0e10 --- /dev/null +++ b/queue-6.6/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch @@ -0,0 +1,80 @@ +From ce87eab7bd0e07dee18ff45626a01b934c3c1362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:34 +0300 +Subject: net/mlx5: Fix missing lock on sync reset reload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Moshe Shemesh + +[ Upstream commit 572f9caa9e7295f8c8822e4122c7ae8f1c412ff9 ] + +On sync reset reload work, when remote host updates devlink on reload +actions performed on that host, it misses taking devlink lock before +calling devlink_remote_reload_actions_performed() which results in +triggering lock assert like the following: + +WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50 +… + CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116 + Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015 + Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core] + RIP: 0010:devl_assert_locked+0x3e/0x50 +… + Call Trace: + + ? __warn+0xa4/0x210 + ? devl_assert_locked+0x3e/0x50 + ? report_bug+0x160/0x280 + ? handle_bug+0x3f/0x80 + ? exc_invalid_op+0x17/0x40 + ? asm_exc_invalid_op+0x1a/0x20 + ? devl_assert_locked+0x3e/0x50 + devlink_notify+0x88/0x2b0 + ? mlx5_attach_device+0x20c/0x230 [mlx5_core] + ? __pfx_devlink_notify+0x10/0x10 + ? process_one_work+0x4b6/0xbb0 + process_one_work+0x4b6/0xbb0 +[…] + +Fixes: 84a433a40d0e ("net/mlx5: Lock mlx5 devlink reload callbacks") +Signed-off-by: Moshe Shemesh +Reviewed-by: Maor Gottlieb +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +index 3a9cdf79403ae..6b17346aa4cef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -206,6 +206,7 @@ int mlx5_fw_reset_set_live_patch(struct mlx5_core_dev *dev) + static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev, bool unloaded) + { + struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset; ++ struct devlink *devlink = priv_to_devlink(dev); + + /* if this is the driver that initiated the fw reset, devlink completed the reload */ + if (test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags)) { +@@ -217,9 +218,11 @@ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev, bool unload + mlx5_core_err(dev, "reset reload flow aborted, PCI reads still not working\n"); + else + mlx5_load_one(dev, true); +- devlink_remote_reload_actions_performed(priv_to_devlink(dev), 0, ++ devl_lock(devlink); ++ devlink_remote_reload_actions_performed(devlink, 0, + BIT(DEVLINK_RELOAD_ACTION_DRIVER_REINIT) | + BIT(DEVLINK_RELOAD_ACTION_FW_ACTIVATE)); ++ devl_unlock(devlink); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch b/queue-6.6/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch new file mode 100644 index 00000000000..5ac08232beb --- /dev/null +++ b/queue-6.6/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch @@ -0,0 +1,39 @@ +From fbdc46be913a3f9930c75f7f18bae5f499eb871e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:33 +0300 +Subject: net/mlx5: Lag, don't use the hardcoded value of the first port + +From: Mark Bloch + +[ Upstream commit 3fda84dc090390573cfbd0b1d70372663315de21 ] + +The cited commit didn't change the body of the loop as it should. +It shouldn't be using MLX5_LAG_P1. + +Fixes: 7e978e7714d6 ("net/mlx5: Lag, use actual number of lag ports") +Signed-off-by: Mark Bloch +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index dfc2ba6f780a2..18cf756bad8cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -1512,7 +1512,7 @@ u8 mlx5_lag_get_slave_port(struct mlx5_core_dev *dev, + goto unlock; + + for (i = 0; i < ldev->ports; i++) { +- if (ldev->pf[MLX5_LAG_P1].netdev == slave) { ++ if (ldev->pf[i].netdev == slave) { + port = i; + break; + } +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch b/queue-6.6/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch new file mode 100644 index 00000000000..4c35abccdd7 --- /dev/null +++ b/queue-6.6/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch @@ -0,0 +1,48 @@ +From 7a78420415b927f2a32864dee07eac2558a36ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:37 +0300 +Subject: net/mlx5e: Add a check for the return value from + mlx5_port_set_eth_ptys + +From: Shahar Shitrit + +[ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ] + +Since the documentation for mlx5_toggle_port_link states that it should +only be used after setting the port register, we add a check for the +return value from mlx5_port_set_eth_ptys to ensure the register was +successfully set before calling it. + +Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters") +Signed-off-by: Shahar Shitrit +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 38263d5c98b34..50db127e6371b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1223,7 +1223,12 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv, + if (!an_changes && link_modes == eproto.admin) + goto out; + +- mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext); ++ err = mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext); ++ if (err) { ++ netdev_err(priv->netdev, "%s: failed to set ptys reg: %d\n", __func__, err); ++ goto out; ++ } ++ + mlx5_toggle_port_link(mdev); + + out: +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-fix-ct-entry-update-leaks-of-modify-header.patch b/queue-6.6/net-mlx5e-fix-ct-entry-update-leaks-of-modify-header.patch new file mode 100644 index 00000000000..c67a69de12f --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-ct-entry-update-leaks-of-modify-header.patch @@ -0,0 +1,47 @@ +From bf9c2b7ed7d21bc387b92e02c579590ae1c0cf1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:36 +0300 +Subject: net/mlx5e: Fix CT entry update leaks of modify header context + +From: Chris Mi + +[ Upstream commit 025f2b85a5e5a46df14ecf162c3c80a957a36d0b ] + +The cited commit allocates a new modify header to replace the old +one when updating CT entry. But if failed to allocate a new one, eg. +exceed the max number firmware can support, modify header will be +an error pointer that will trigger a panic when deallocating it. And +the old modify header point is copied to old attr. When the old +attr is freed, the old modify header is lost. + +Fix it by restoring the old attr to attr when failed to allocate a +new modify header context. So when the CT entry is freed, the right +modify header context will be freed. And the panic of accessing +error pointer is also fixed. + +Fixes: 94ceffb48eac ("net/mlx5e: Implement CT entry update") +Signed-off-by: Chris Mi +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-8-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +index fadfa8b50bebe..8c4e3ecef5901 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +@@ -920,6 +920,7 @@ mlx5_tc_ct_entry_replace_rule(struct mlx5_tc_ct_priv *ct_priv, + mlx5_tc_ct_entry_destroy_mod_hdr(ct_priv, zone_rule->attr, mh); + mlx5_put_label_mapping(ct_priv, attr->ct_attr.ct_labels_id); + err_mod_hdr: ++ *attr = *old_attr; + kfree(old_attr); + err_attr: + kvfree(spec); +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-require-mlx5-tc-classifier-action-support-.patch b/queue-6.6/net-mlx5e-require-mlx5-tc-classifier-action-support-.patch new file mode 100644 index 00000000000..758b151cf08 --- /dev/null +++ b/queue-6.6/net-mlx5e-require-mlx5-tc-classifier-action-support-.patch @@ -0,0 +1,49 @@ +From de996178eb223d7905e298443c22171aef04c75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 09:16:35 +0300 +Subject: net/mlx5e: Require mlx5 tc classifier action support for IPsec prio + capability + +From: Rahul Rameshbabu + +[ Upstream commit 06827e27fdcd197557be72b2229dbd362303794f ] + +Require mlx5 classifier action support when creating IPSec chains in +offload path. MLX5_IPSEC_CAP_PRIO should only be set if CONFIG_MLX5_CLS_ACT +is enabled. If CONFIG_MLX5_CLS_ACT=n and MLX5_IPSEC_CAP_PRIO is set, +configuring IPsec offload will fail due to the mlxx5 ipsec chain rules +failing to be created due to lack of classifier action support. + +Fixes: fa5aa2f89073 ("net/mlx5e: Use chains for IPsec policy priority offload") +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/20240730061638.1831002-7-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +index ce29e31721208..de83567aae791 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c +@@ -50,9 +50,10 @@ u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev) + MLX5_CAP_FLOWTABLE_NIC_RX(mdev, decap)) + caps |= MLX5_IPSEC_CAP_PACKET_OFFLOAD; + +- if ((MLX5_CAP_FLOWTABLE_NIC_TX(mdev, ignore_flow_level) && +- MLX5_CAP_FLOWTABLE_NIC_RX(mdev, ignore_flow_level)) || +- MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, ignore_flow_level)) ++ if (IS_ENABLED(CONFIG_MLX5_CLS_ACT) && ++ ((MLX5_CAP_FLOWTABLE_NIC_TX(mdev, ignore_flow_level) && ++ MLX5_CAP_FLOWTABLE_NIC_RX(mdev, ignore_flow_level)) || ++ MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, ignore_flow_level))) + caps |= MLX5_IPSEC_CAP_PRIO; + + if (MLX5_CAP_FLOWTABLE_NIC_TX(mdev, +-- +2.43.0 + diff --git a/queue-6.6/net-mvpp2-don-t-re-use-loop-iterator.patch b/queue-6.6/net-mvpp2-don-t-re-use-loop-iterator.patch new file mode 100644 index 00000000000..68a5ba4c8fa --- /dev/null +++ b/queue-6.6/net-mvpp2-don-t-re-use-loop-iterator.patch @@ -0,0 +1,48 @@ +From 585c60a5c31a4faffce016121dd39aab84a4d6e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 11:06:56 -0500 +Subject: net: mvpp2: Don't re-use loop iterator + +From: Dan Carpenter + +[ Upstream commit 0aa3ca956c46d849775eae1816cef8fe4bc8b50e ] + +This function has a nested loop. The problem is that both the inside +and outside loop use the same variable as an iterator. I found this +via static analysis so I'm not sure the impact. It could be that it +loops forever or, more likely, the loop exits early. + +Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/eaa8f403-7779-4d81-973d-a9ecddc0bf6f@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 05f4aa11b95c3..34051c9abd97d 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -953,13 +953,13 @@ static void mvpp2_bm_pool_update_fc(struct mvpp2_port *port, + static void mvpp2_bm_pool_update_priv_fc(struct mvpp2 *priv, bool en) + { + struct mvpp2_port *port; +- int i; ++ int i, j; + + for (i = 0; i < priv->port_count; i++) { + port = priv->port_list[i]; + if (port->priv->percpu_pools) { +- for (i = 0; i < port->nrxqs; i++) +- mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[i], ++ for (j = 0; j < port->nrxqs; j++) ++ mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[j], + port->tx_fc & en); + } else { + mvpp2_bm_pool_update_fc(port, port->pool_long, port->tx_fc & en); +-- +2.43.0 + diff --git a/queue-6.6/net-phy-micrel-fix-the-ksz9131-mdi-x-status-issue.patch b/queue-6.6/net-phy-micrel-fix-the-ksz9131-mdi-x-status-issue.patch new file mode 100644 index 00000000000..3b1061234c3 --- /dev/null +++ b/queue-6.6/net-phy-micrel-fix-the-ksz9131-mdi-x-status-issue.patch @@ -0,0 +1,88 @@ +From 70a7469b215e658c38d60a09f75a15faf2348b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:41:25 +0530 +Subject: net: phy: micrel: Fix the KSZ9131 MDI-X status issue + +From: Raju Lakkaraju + +[ Upstream commit 84383b5ef4cd21b4a67de92afdc05a03b5247db9 ] + +The MDIX status is not accurately reflecting the current state after the link +partner has manually altered its MDIX configuration while operating in forced +mode. + +Access information about Auto mdix completion and pair selection from the +KSZ9131's Auto/MDI/MDI-X status register + +Fixes: b64e6a8794d9 ("net: phy: micrel: Add PHY Auto/MDI/MDI-X set driver for KSZ9131") +Signed-off-by: Raju Lakkaraju +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20240725071125.13960-1-Raju.Lakkaraju@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 029c82f88ee38..9a0432145645f 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -1293,6 +1293,8 @@ static int ksz9131_config_init(struct phy_device *phydev) + const struct device *dev_walker; + int ret; + ++ phydev->mdix_ctrl = ETH_TP_MDI_AUTO; ++ + dev_walker = &phydev->mdio.dev; + do { + of_node = dev_walker->of_node; +@@ -1342,28 +1344,30 @@ static int ksz9131_config_init(struct phy_device *phydev) + #define MII_KSZ9131_AUTO_MDIX 0x1C + #define MII_KSZ9131_AUTO_MDI_SET BIT(7) + #define MII_KSZ9131_AUTO_MDIX_SWAP_OFF BIT(6) ++#define MII_KSZ9131_DIG_AXAN_STS 0x14 ++#define MII_KSZ9131_DIG_AXAN_STS_LINK_DET BIT(14) ++#define MII_KSZ9131_DIG_AXAN_STS_A_SELECT BIT(12) + + static int ksz9131_mdix_update(struct phy_device *phydev) + { + int ret; + +- ret = phy_read(phydev, MII_KSZ9131_AUTO_MDIX); +- if (ret < 0) +- return ret; +- +- if (ret & MII_KSZ9131_AUTO_MDIX_SWAP_OFF) { +- if (ret & MII_KSZ9131_AUTO_MDI_SET) +- phydev->mdix_ctrl = ETH_TP_MDI; +- else +- phydev->mdix_ctrl = ETH_TP_MDI_X; ++ if (phydev->mdix_ctrl != ETH_TP_MDI_AUTO) { ++ phydev->mdix = phydev->mdix_ctrl; + } else { +- phydev->mdix_ctrl = ETH_TP_MDI_AUTO; +- } ++ ret = phy_read(phydev, MII_KSZ9131_DIG_AXAN_STS); ++ if (ret < 0) ++ return ret; + +- if (ret & MII_KSZ9131_AUTO_MDI_SET) +- phydev->mdix = ETH_TP_MDI; +- else +- phydev->mdix = ETH_TP_MDI_X; ++ if (ret & MII_KSZ9131_DIG_AXAN_STS_LINK_DET) { ++ if (ret & MII_KSZ9131_DIG_AXAN_STS_A_SELECT) ++ phydev->mdix = ETH_TP_MDI; ++ else ++ phydev->mdix = ETH_TP_MDI_X; ++ } else { ++ phydev->mdix = ETH_TP_MDI_INVALID; ++ } ++ } + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/net-phy-realtek-add-support-for-rtl8366s-gigabit-phy.patch b/queue-6.6/net-phy-realtek-add-support-for-rtl8366s-gigabit-phy.patch new file mode 100644 index 00000000000..0c8906e928a --- /dev/null +++ b/queue-6.6/net-phy-realtek-add-support-for-rtl8366s-gigabit-phy.patch @@ -0,0 +1,58 @@ +From b72cf9aaed4d23da94bc82db5050b25d91ccb98d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 16:41:44 -0400 +Subject: net: phy: realtek: add support for RTL8366S Gigabit PHY + +From: Mark Mentovai + +[ Upstream commit 225990c487c1023e7b3aa89beb6a68011fbc0461 ] + +The PHY built in to the Realtek RTL8366S switch controller was +previously supported by genphy_driver. This PHY does not implement MMD +operations. Since commit 9b01c885be36 ("net: phy: c22: migrate to +genphy_c45_write_eee_adv()"), MMD register reads have been made during +phy_probe to determine EEE support. For genphy_driver, these reads are +transformed into 802.3 annex 22D clause 45-over-clause 22 +mmd_phy_indirect operations that perform MII register writes to +MII_MMD_CTRL and MII_MMD_DATA. This overwrites those two MII registers, +which on this PHY are reserved and have another function, rendering the +PHY unusable while so configured. + +Proper support for this PHY is restored by providing a phy_driver that +declares MMD operations as unsupported by using the helper functions +provided for that purpose, while remaining otherwise identical to +genphy_driver. + +Fixes: 9b01c885be36 ("net: phy: c22: migrate to genphy_c45_write_eee_adv()") +Reported-by: Russell Senior +Closes: https://github.com/openwrt/openwrt/issues/15981 +Link: https://github.com/openwrt/openwrt/issues/15739 +Signed-off-by: Mark Mentovai +Reviewed-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/realtek.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c +index 337899c69738e..2604d9663a5b2 100644 +--- a/drivers/net/phy/realtek.c ++++ b/drivers/net/phy/realtek.c +@@ -1083,6 +1083,13 @@ static struct phy_driver realtek_drvs[] = { + .handle_interrupt = genphy_handle_interrupt_no_ack, + .suspend = genphy_suspend, + .resume = genphy_resume, ++ }, { ++ PHY_ID_MATCH_EXACT(0x001cc960), ++ .name = "RTL8366S Gigabit Ethernet", ++ .suspend = genphy_suspend, ++ .resume = genphy_resume, ++ .read_mmd = genphy_read_mmd_unsupported, ++ .write_mmd = genphy_write_mmd_unsupported, + }, + }; + +-- +2.43.0 + diff --git a/queue-6.6/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch b/queue-6.6/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch new file mode 100644 index 00000000000..77bb703f363 --- /dev/null +++ b/queue-6.6/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch @@ -0,0 +1,133 @@ +From e0019bc99fef45ed1d7a13369fd5020b758ff0b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:28:20 -0700 +Subject: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). + +From: Kuniyuki Iwashima + +[ Upstream commit 5830aa863981d43560748aa93589c0695191d95d ] + +We had a report that iptables-restore sometimes triggered null-ptr-deref +at boot time. [0] + +The problem is that iptable_nat_table_init() is exposed to user space +before the kernel fully initialises netns. + +In the small race window, a user could call iptable_nat_table_init() +that accesses net_generic(net, iptable_nat_net_id), which is available +only after registering iptable_nat_net_ops. + +Let's call register_pernet_subsys() before xt_register_template(). + +[0]: +bpfilter: Loaded bpfilter_umh pid 11702 +Started bpfilter +BUG: kernel NULL pointer dereference, address: 0000000000000013 + PF: supervisor write access in kernel mode + PF: error_code(0x0002) - not-present page +PGD 0 P4D 0 +PREEMPT SMP NOPTI +CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1 +Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017 +RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat +Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c +RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246 +RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80 +RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0 +RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240 +R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000 +R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004 +FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? xt_find_table_lock (net/netfilter/x_tables.c:1259) + ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) + ? page_fault_oops (arch/x86/mm/fault.c:727) + ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) + ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570) + ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat + xt_find_table_lock (net/netfilter/x_tables.c:1259) + xt_request_find_table_lock (net/netfilter/x_tables.c:1287) + get_info (net/ipv4/netfilter/ip_tables.c:965) + ? security_capable (security/security.c:809 (discriminator 13)) + ? ns_capable (kernel/capability.c:376 kernel/capability.c:397) + ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656) + ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter + nf_getsockopt (net/netfilter/nf_sockopt.c:116) + ip_getsockopt (net/ipv4/ip_sockglue.c:1827) + __sys_getsockopt (net/socket.c:2327) + __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339) + do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) +RIP: 0033:0x7f62844685ee +Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09 +RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee +RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0 +R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2 +R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008 + +Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs +CR2: 0000000000000013 + +Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") +Reported-by: Takahiro Kawahara +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/iptable_nat.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c +index 56f6ecc43451e..12ca666d6e2c1 100644 +--- a/net/ipv4/netfilter/iptable_nat.c ++++ b/net/ipv4/netfilter/iptable_nat.c +@@ -145,25 +145,27 @@ static struct pernet_operations iptable_nat_net_ops = { + + static int __init iptable_nat_init(void) + { +- int ret = xt_register_template(&nf_nat_ipv4_table, +- iptable_nat_table_init); ++ int ret; + ++ /* net->gen->ptr[iptable_nat_net_id] must be allocated ++ * before calling iptable_nat_table_init(). ++ */ ++ ret = register_pernet_subsys(&iptable_nat_net_ops); + if (ret < 0) + return ret; + +- ret = register_pernet_subsys(&iptable_nat_net_ops); +- if (ret < 0) { +- xt_unregister_template(&nf_nat_ipv4_table); +- return ret; +- } ++ ret = xt_register_template(&nf_nat_ipv4_table, ++ iptable_nat_table_init); ++ if (ret < 0) ++ unregister_pernet_subsys(&iptable_nat_net_ops); + + return ret; + } + + static void __exit iptable_nat_exit(void) + { +- unregister_pernet_subsys(&iptable_nat_net_ops); + xt_unregister_template(&nf_nat_ipv4_table); ++ unregister_pernet_subsys(&iptable_nat_net_ops); + } + + module_init(iptable_nat_init); +-- +2.43.0 + diff --git a/queue-6.6/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch b/queue-6.6/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch new file mode 100644 index 00000000000..301aaaef44c --- /dev/null +++ b/queue-6.6/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch @@ -0,0 +1,65 @@ +From d3794ccc7d0eb0c513e5c0aadc4daad1b5984f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:28:21 -0700 +Subject: netfilter: iptables: Fix potential null-ptr-deref in + ip6table_nat_table_init(). + +From: Kuniyuki Iwashima + +[ Upstream commit c22921df777de5606f1047b1345b8d22ef1c0b34 ] + +ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id], +but the function is exposed to user space before the entry is allocated +via register_pernet_subsys(). + +Let's call register_pernet_subsys() before xt_register_template(). + +Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6table_nat.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c +index bf3cb3a13600c..52d597b16b658 100644 +--- a/net/ipv6/netfilter/ip6table_nat.c ++++ b/net/ipv6/netfilter/ip6table_nat.c +@@ -147,23 +147,27 @@ static struct pernet_operations ip6table_nat_net_ops = { + + static int __init ip6table_nat_init(void) + { +- int ret = xt_register_template(&nf_nat_ipv6_table, +- ip6table_nat_table_init); ++ int ret; + ++ /* net->gen->ptr[ip6table_nat_net_id] must be allocated ++ * before calling ip6t_nat_register_lookups(). ++ */ ++ ret = register_pernet_subsys(&ip6table_nat_net_ops); + if (ret < 0) + return ret; + +- ret = register_pernet_subsys(&ip6table_nat_net_ops); ++ ret = xt_register_template(&nf_nat_ipv6_table, ++ ip6table_nat_table_init); + if (ret) +- xt_unregister_template(&nf_nat_ipv6_table); ++ unregister_pernet_subsys(&ip6table_nat_net_ops); + + return ret; + } + + static void __exit ip6table_nat_exit(void) + { +- unregister_pernet_subsys(&ip6table_nat_net_ops); + xt_unregister_template(&nf_nat_ipv6_table); ++ unregister_pernet_subsys(&ip6table_nat_net_ops); + } + + module_init(ip6table_nat_init); +-- +2.43.0 + diff --git a/queue-6.6/perf-riscv-fix-selecting-counters-in-legacy-mode.patch b/queue-6.6/perf-riscv-fix-selecting-counters-in-legacy-mode.patch new file mode 100644 index 00000000000..4fdad634289 --- /dev/null +++ b/queue-6.6/perf-riscv-fix-selecting-counters-in-legacy-mode.patch @@ -0,0 +1,47 @@ +From be0bc64eafbe1e55f6379171d0904bcef2a1f1de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 15:58:58 +0300 +Subject: perf: riscv: Fix selecting counters in legacy mode + +From: Shifrin Dmitry + +[ Upstream commit 941a8e9b7a86763ac52d5bf6ccc9986d37fde628 ] + +It is required to check event type before checking event config. +Events with the different types can have the same config. +This check is missed for legacy mode code + +For such perf usage: + sysctl -w kernel.perf_user_access=2 + perf stat -e cycles,L1-dcache-loads -- +driver will try to force both events to CYCLE counter. + +This commit implements event type check before forcing +events on the special counters. + +Signed-off-by: Shifrin Dmitry +Reviewed-by: Atish Patra +Fixes: cc4c07c89aad ("drivers: perf: Implement perf event mmap support in the SBI backend") +Link: https://lore.kernel.org/r/20240729125858.630653-1-dmitry.shifrin@syntacore.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + drivers/perf/riscv_pmu_sbi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c +index ae16ecb15f2d9..901da688ea3f8 100644 +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -355,7 +355,7 @@ static int pmu_sbi_ctr_get_idx(struct perf_event *event) + * but not in the user access mode as we want to use the other counters + * that support sampling/filtering. + */ +- if (hwc->flags & PERF_EVENT_FLAG_LEGACY) { ++ if ((hwc->flags & PERF_EVENT_FLAG_LEGACY) && (event->attr.type == PERF_TYPE_HARDWARE)) { + if (event->attr.config == PERF_COUNT_HW_CPU_CYCLES) { + cflags |= SBI_PMU_CFG_FLAG_SKIP_MATCH; + cmask = 1; +-- +2.43.0 + diff --git a/queue-6.6/perf-tool-fix-dereferencing-null-al-maps.patch b/queue-6.6/perf-tool-fix-dereferencing-null-al-maps.patch new file mode 100644 index 00000000000..ddff9e144ea --- /dev/null +++ b/queue-6.6/perf-tool-fix-dereferencing-null-al-maps.patch @@ -0,0 +1,58 @@ +From e79632b2232d7ec08d58e5bf7da01b4194bf946f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 15:15:48 -0600 +Subject: perf tool: fix dereferencing NULL al->maps + +From: Casey Chen + +[ Upstream commit 4c17736689ccfc44ec7dcc472577f25c34cf8724 ] + +With 0dd5041c9a0e ("perf addr_location: Add init/exit/copy functions"), +when cpumode is 3 (macro PERF_RECORD_MISC_HYPERVISOR), +thread__find_map() could return with al->maps being NULL. + +The path below could add a callchain_cursor_node with NULL ms.maps. + +add_callchain_ip() + thread__find_symbol(.., &al) + thread__find_map(.., &al) // al->maps becomes NULL + ms.maps = maps__get(al.maps) + callchain_cursor_append(..., &ms, ...) + node->ms.maps = maps__get(ms->maps) + +Then the path below would dereference NULL maps and get segfault. + +fill_callchain_info() + maps__machine(node->ms.maps); + +Fix it by checking if maps is NULL in fill_callchain_info(). + +Fixes: 0dd5041c9a0e ("perf addr_location: Add init/exit/copy functions") +Signed-off-by: Casey Chen +Reviewed-by: Ian Rogers +Reviewed-by: Arnaldo Carvalho de Melo +Acked-by: Namhyung Kim +Cc: yzhong@purestorage.com +Link: https://lore.kernel.org/r/20240722211548.61455-1-cachen@purestorage.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/callchain.c b/tools/perf/util/callchain.c +index aee937d14fbbf..09e6b4e1401c9 100644 +--- a/tools/perf/util/callchain.c ++++ b/tools/perf/util/callchain.c +@@ -1126,7 +1126,7 @@ int hist_entry__append_callchain(struct hist_entry *he, struct perf_sample *samp + int fill_callchain_info(struct addr_location *al, struct callchain_cursor_node *node, + bool hide_unresolved) + { +- struct machine *machine = maps__machine(node->ms.maps); ++ struct machine *machine = node->ms.maps ? maps__machine(node->ms.maps) : NULL; + + maps__put(al->maps); + al->maps = maps__get(node->ms.maps); +-- +2.43.0 + diff --git a/queue-6.6/riscv-fix-linear-mapping-checks-for-non-contiguous-m.patch b/queue-6.6/riscv-fix-linear-mapping-checks-for-non-contiguous-m.patch new file mode 100644 index 00000000000..f95da1ec5d2 --- /dev/null +++ b/queue-6.6/riscv-fix-linear-mapping-checks-for-non-contiguous-m.patch @@ -0,0 +1,138 @@ +From 55dcf4997230c40f6310ca3fb94930da49d2702b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jun 2024 12:42:16 +0100 +Subject: riscv: Fix linear mapping checks for non-contiguous memory regions + +From: Stuart Menefy + +[ Upstream commit 3b6564427aea83b7a35a15ca278291d50a1edcfc ] + +The RISC-V kernel already has checks to ensure that memory which would +lie outside of the linear mapping is not used. However those checks +use memory_limit, which is used to implement the mem= kernel command +line option (to limit the total amount of memory, not its address +range). When memory is made up of two or more non-contiguous memory +banks this check is incorrect. + +Two changes are made here: + - add a call in setup_bootmem() to memblock_cap_memory_range() which + will cause any memory which falls outside the linear mapping to be + removed from the memory regions. + - remove the check in create_linear_mapping_page_table() which was + intended to remove memory which is outside the liner mapping based + on memory_limit, as it is no longer needed. Note a check for + mapping more memory than memory_limit (to implement mem=) is + unnecessary because of the existing call to + memblock_enforce_memory_limit(). + +This issue was seen when booting on a SV39 platform with two memory +banks: + 0x00,80000000 1GiB + 0x20,00000000 32GiB +This memory range is 158GiB from top to bottom, but the linear mapping +is limited to 128GiB, so the lower block of RAM will be mapped at +PAGE_OFFSET, and the upper block straddles the top of the linear +mapping. + +This causes the following Oops: +[ 0.000000] Linux version 6.10.0-rc2-gd3b8dd5b51dd-dirty (stuart.menefy@codasip.com) (riscv64-codasip-linux-gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41.0.20231213) #20 SMP Sat Jun 22 11:34:22 BST 2024 +[ 0.000000] memblock_add: [0x0000000080000000-0x00000000bfffffff] early_init_dt_add_memory_arch+0x4a/0x52 +[ 0.000000] memblock_add: [0x0000002000000000-0x00000027ffffffff] early_init_dt_add_memory_arch+0x4a/0x52 +... +[ 0.000000] memblock_alloc_try_nid: 23724 bytes align=0x8 nid=-1 from=0x0000000000000000 max_addr=0x0000000000000000 early_init_dt_alloc_memory_arch+0x1e/0x48 +[ 0.000000] memblock_reserve: [0x00000027ffff5350-0x00000027ffffaffb] memblock_alloc_range_nid+0xb8/0x132 +[ 0.000000] Unable to handle kernel paging request at virtual address fffffffe7fff5350 +[ 0.000000] Oops [#1] +[ 0.000000] Modules linked in: +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.10.0-rc2-gd3b8dd5b51dd-dirty #20 +[ 0.000000] Hardware name: codasip,a70x (DT) +[ 0.000000] epc : __memset+0x8c/0x104 +[ 0.000000] ra : memblock_alloc_try_nid+0x74/0x84 +[ 0.000000] epc : ffffffff805e88c8 ra : ffffffff806148f6 sp : ffffffff80e03d50 +[ 0.000000] gp : ffffffff80ec4158 tp : ffffffff80e0bec0 t0 : fffffffe7fff52f8 +[ 0.000000] t1 : 00000027ffffb000 t2 : 5f6b636f6c626d65 s0 : ffffffff80e03d90 +[ 0.000000] s1 : 0000000000005cac a0 : fffffffe7fff5350 a1 : 0000000000000000 +[ 0.000000] a2 : 0000000000005cac a3 : fffffffe7fffaff8 a4 : 000000000000002c +[ 0.000000] a5 : ffffffff805e88c8 a6 : 0000000000005cac a7 : 0000000000000030 +[ 0.000000] s2 : fffffffe7fff5350 s3 : ffffffffffffffff s4 : 0000000000000000 +[ 0.000000] s5 : ffffffff8062347e s6 : 0000000000000000 s7 : 0000000000000001 +[ 0.000000] s8 : 0000000000002000 s9 : 00000000800226d0 s10: 0000000000000000 +[ 0.000000] s11: 0000000000000000 t3 : ffffffff8080a928 t4 : ffffffff8080a928 +[ 0.000000] t5 : ffffffff8080a928 t6 : ffffffff8080a940 +[ 0.000000] status: 0000000200000100 badaddr: fffffffe7fff5350 cause: 000000000000000f +[ 0.000000] [] __memset+0x8c/0x104 +[ 0.000000] [] early_init_dt_alloc_memory_arch+0x1e/0x48 +[ 0.000000] [] __unflatten_device_tree+0x52/0x114 +[ 0.000000] [] unflatten_device_tree+0x9e/0xb8 +[ 0.000000] [] setup_arch+0xd4/0x5bc +[ 0.000000] [] start_kernel+0x76/0x81a +[ 0.000000] Code: b823 02b2 bc23 02b2 b023 04b2 b423 04b2 b823 04b2 (bc23) 04b2 +[ 0.000000] ---[ end trace 0000000000000000 ]--- +[ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! +[ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- + +The problem is that memblock (unaware that some physical memory cannot +be used) has allocated memory from the top of memory but which is +outside the linear mapping region. + +Signed-off-by: Stuart Menefy +Fixes: c99127c45248 ("riscv: Make sure the linear mapping does not use the kernel mapping") +Reviewed-by: David McKay +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20240622114217.2158495-1-stuart.menefy@codasip.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/init.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index 8adcb9419ad50..9b10e9655df8c 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -217,8 +217,6 @@ static void __init setup_bootmem(void) + */ + memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); + +- phys_ram_end = memblock_end_of_DRAM(); +- + /* + * Make sure we align the start of the memory on a PMD boundary so that + * at worst, we map the linear mapping with PMD mappings. +@@ -233,6 +231,16 @@ static void __init setup_bootmem(void) + if (IS_ENABLED(CONFIG_64BIT) && IS_ENABLED(CONFIG_MMU)) + kernel_map.va_pa_offset = PAGE_OFFSET - phys_ram_base; + ++ /* ++ * The size of the linear page mapping may restrict the amount of ++ * usable RAM. ++ */ ++ if (IS_ENABLED(CONFIG_64BIT)) { ++ max_mapped_addr = __pa(PAGE_OFFSET) + KERN_VIRT_SIZE; ++ memblock_cap_memory_range(phys_ram_base, ++ max_mapped_addr - phys_ram_base); ++ } ++ + /* + * Reserve physical address space that would be mapped to virtual + * addresses greater than (void *)(-PAGE_SIZE) because: +@@ -249,6 +257,7 @@ static void __init setup_bootmem(void) + memblock_reserve(max_mapped_addr, (phys_addr_t)-max_mapped_addr); + } + ++ phys_ram_end = memblock_end_of_DRAM(); + min_low_pfn = PFN_UP(phys_ram_base); + max_low_pfn = max_pfn = PFN_DOWN(phys_ram_end); + high_memory = (void *)(__va(PFN_PHYS(max_low_pfn))); +@@ -1269,8 +1278,6 @@ static void __init create_linear_mapping_page_table(void) + if (start <= __pa(PAGE_OFFSET) && + __pa(PAGE_OFFSET) < end) + start = __pa(PAGE_OFFSET); +- if (end >= __pa(PAGE_OFFSET) + memory_limit) +- end = __pa(PAGE_OFFSET) + memory_limit; + + create_linear_mapping_range(start, end, 0); + } +-- +2.43.0 + diff --git a/queue-6.6/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch b/queue-6.6/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch new file mode 100644 index 00000000000..e60f8788fd3 --- /dev/null +++ b/queue-6.6/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch @@ -0,0 +1,65 @@ +From e8b5f652295e912b2b1a211bc42091e6a3fb2ba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 16:45:47 +0800 +Subject: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() + +From: Zhe Qiao + +[ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ] + +Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly +kill the process and we don't BUG() the kernel. + +Fixes: 07037db5d479 ("RISC-V: Paging and MMU") +Signed-off-by: Zhe Qiao +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/fault.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c +index 90d4ba36d1d06..655b2b1bb529f 100644 +--- a/arch/riscv/mm/fault.c ++++ b/arch/riscv/mm/fault.c +@@ -61,26 +61,27 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr) + + static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault) + { ++ if (!user_mode(regs)) { ++ no_context(regs, addr); ++ return; ++ } ++ + if (fault & VM_FAULT_OOM) { + /* + * We ran out of memory, call the OOM killer, and return the userspace + * (which will retry the fault, or kill us if we got oom-killed). + */ +- if (!user_mode(regs)) { +- no_context(regs, addr); +- return; +- } + pagefault_out_of_memory(); + return; + } else if (fault & (VM_FAULT_SIGBUS | VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)) { + /* Kernel mode? Handle exceptions or die */ +- if (!user_mode(regs)) { +- no_context(regs, addr); +- return; +- } + do_trap(regs, SIGBUS, BUS_ADRERR, addr); + return; ++ } else if (fault & VM_FAULT_SIGSEGV) { ++ do_trap(regs, SIGSEGV, SEGV_MAPERR, addr); ++ return; + } ++ + BUG(); + } + +-- +2.43.0 + diff --git a/queue-6.6/riscv-remove-unused-functions-in-traps_misaligned.c.patch b/queue-6.6/riscv-remove-unused-functions-in-traps_misaligned.c.patch new file mode 100644 index 00000000000..c8bf6b0135e --- /dev/null +++ b/queue-6.6/riscv-remove-unused-functions-in-traps_misaligned.c.patch @@ -0,0 +1,90 @@ +From 41b8e0a28b0eac32ea64bb75236aceb865083c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 17:13:58 +0200 +Subject: riscv: remove unused functions in traps_misaligned.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit f19c3b4239f5bfb69aacbaf75d4277c095e7aa7d ] + +Replace macros by the only two function calls that are done from this +file, store_u8() and load_u8(). + +Signed-off-by: Clément Léger +Link: https://lore.kernel.org/r/20231004151405.521596-2-cleger@rivosinc.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: fb197c5d2fd2 ("riscv/purgatory: align riscv_kernel_entry") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps_misaligned.c | 46 +++++----------------------- + 1 file changed, 7 insertions(+), 39 deletions(-) + +diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c +index 5348d842c7453..e867fe465164e 100644 +--- a/arch/riscv/kernel/traps_misaligned.c ++++ b/arch/riscv/kernel/traps_misaligned.c +@@ -151,51 +151,19 @@ + #define PRECISION_S 0 + #define PRECISION_D 1 + +-#define DECLARE_UNPRIVILEGED_LOAD_FUNCTION(type, insn) \ +-static inline type load_##type(const type *addr) \ +-{ \ +- type val; \ +- asm (#insn " %0, %1" \ +- : "=&r" (val) : "m" (*addr)); \ +- return val; \ +-} ++static inline u8 load_u8(const u8 *addr) ++{ ++ u8 val; + +-#define DECLARE_UNPRIVILEGED_STORE_FUNCTION(type, insn) \ +-static inline void store_##type(type *addr, type val) \ +-{ \ +- asm volatile (#insn " %0, %1\n" \ +- : : "r" (val), "m" (*addr)); \ +-} ++ asm volatile("lbu %0, %1" : "=&r" (val) : "m" (*addr)); + +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(u8, lbu) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(u16, lhu) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(s8, lb) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(s16, lh) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(s32, lw) +-DECLARE_UNPRIVILEGED_STORE_FUNCTION(u8, sb) +-DECLARE_UNPRIVILEGED_STORE_FUNCTION(u16, sh) +-DECLARE_UNPRIVILEGED_STORE_FUNCTION(u32, sw) +-#if defined(CONFIG_64BIT) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(u32, lwu) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(u64, ld) +-DECLARE_UNPRIVILEGED_STORE_FUNCTION(u64, sd) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(ulong, ld) +-#else +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(u32, lw) +-DECLARE_UNPRIVILEGED_LOAD_FUNCTION(ulong, lw) +- +-static inline u64 load_u64(const u64 *addr) +-{ +- return load_u32((u32 *)addr) +- + ((u64)load_u32((u32 *)addr + 1) << 32); ++ return val; + } + +-static inline void store_u64(u64 *addr, u64 val) ++static inline void store_u8(u8 *addr, u8 val) + { +- store_u32((u32 *)addr, val); +- store_u32((u32 *)addr + 1, val >> 32); ++ asm volatile ("sb %0, %1\n" : : "r" (val), "m" (*addr)); + } +-#endif + + static inline ulong get_insn(ulong mepc) + { +-- +2.43.0 + diff --git a/queue-6.6/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch b/queue-6.6/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch new file mode 100644 index 00000000000..b4b372111b9 --- /dev/null +++ b/queue-6.6/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch @@ -0,0 +1,42 @@ +From 011b85a91f50554b061d4097dfad2680248217c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 17:19:53 -0700 +Subject: rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified + in rtnl_dellink(). + +From: Kuniyuki Iwashima + +[ Upstream commit 9415d375d8520e0ed55f0c0b058928da9a5b5b3d ] + +The cited commit accidentally replaced tgt_net with net in rtnl_dellink(). + +As a result, IFLA_TARGET_NETNSID is ignored if the interface is specified +with IFLA_IFNAME or IFLA_ALT_IFNAME. + +Let's pass tgt_net to rtnl_dev_get(). + +Fixes: cc6090e985d7 ("net: rtnetlink: introduce helper to get net_device instance by ifname") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 7ea66de1442cc..8573dad6d8171 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3263,7 +3263,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, + if (ifm->ifi_index > 0) + dev = __dev_get_by_index(tgt_net, ifm->ifi_index); + else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME]) +- dev = rtnl_dev_get(net, tb); ++ dev = rtnl_dev_get(tgt_net, tb); + else if (tb[IFLA_GROUP]) + err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP])); + else +-- +2.43.0 + diff --git a/queue-6.6/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch b/queue-6.6/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch new file mode 100644 index 00000000000..37ca31ccee2 --- /dev/null +++ b/queue-6.6/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch @@ -0,0 +1,90 @@ +From 5390274c64dd684edf5f3b7c93e05045994b89a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 09:27:45 +0000 +Subject: sched: act_ct: take care of padding in struct zones_ht_key + +From: Eric Dumazet + +[ Upstream commit 2191a54f63225b548fd8346be3611c3219a24738 ] + +Blamed commit increased lookup key size from 2 bytes to 16 bytes, +because zones_ht_key got a struct net pointer. + +Make sure rhashtable_lookup() is not using the padding bytes +which are not initialized. + + BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline] + BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline] + BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline] + BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 + rht_ptr_rcu include/linux/rhashtable.h:376 [inline] + __rhashtable_lookup include/linux/rhashtable.h:607 [inline] + rhashtable_lookup include/linux/rhashtable.h:646 [inline] + rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 + tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 + tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425 + tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488 + tcf_action_add net/sched/act_api.c:2061 [inline] + tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118 + rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647 + netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550 + rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665 + netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] + netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357 + netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2597 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651 + __sys_sendmsg net/socket.c:2680 [inline] + __do_sys_sendmsg net/socket.c:2689 [inline] + __se_sys_sendmsg net/socket.c:2687 [inline] + __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687 + x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Local variable key created at: + tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324 + tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 + +Fixes: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table") +Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 3ac19516ed803..50d24e240e8fb 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -44,6 +44,8 @@ static DEFINE_MUTEX(zones_mutex); + struct zones_ht_key { + struct net *net; + u16 zone; ++ /* Note : pad[] must be the last field. */ ++ u8 pad[]; + }; + + struct tcf_ct_flow_table { +@@ -60,7 +62,7 @@ struct tcf_ct_flow_table { + static const struct rhashtable_params zones_params = { + .head_offset = offsetof(struct tcf_ct_flow_table, node), + .key_offset = offsetof(struct tcf_ct_flow_table, key), +- .key_len = sizeof_field(struct tcf_ct_flow_table, key), ++ .key_len = offsetof(struct zones_ht_key, pad), + .automatic_shrinking = true, + }; + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index e8fc4a61cec..3758c1fccd7 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -47,3 +47,47 @@ perf-imx_perf-fix-counter-start-and-config-sequence.patch mips-loongson64-dts-fix-pcie-port-nodes-for-ls7a.patch mips-dts-loongson-fix-liointc-irq-polarity.patch mips-dts-loongson-fix-ls2k1000-rtc-interrupt.patch +arm-9406-1-fix-callchain_trace-return-value.patch +hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch +perf-tool-fix-dereferencing-null-al-maps.patch +drm-nouveau-prime-fix-refcount-underflow.patch +drm-vmwgfx-fix-overlay-when-using-screen-targets.patch +drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch +sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch +wifi-cfg80211-fix-reporting-failed-mlo-links-status-.patch +net-phy-realtek-add-support-for-rtl8366s-gigabit-phy.patch +alsa-hda-conexant-reduce-config_pm-dependencies.patch +alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch +bluetooth-btintel-fail-setup-on-error.patch +bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch +mptcp-give-rcvlowat-some-love.patch +tcp-annotate-data-races-around-tp-window_clamp.patch +tcp-adjust-clamping-window-for-applications-specifyi.patch +net-axienet-start-napi-before-enabling-rx-tx.patch +rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch +i915-perf-remove-code-to-update-pwr_clk_state-for-ge.patch +ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch +ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch +ice-replace-synchronize_rcu-with-synchronize_net.patch +ice-add-missing-write_once-when-clearing-ice_rx_ring.patch +net-iucv-fix-use-after-free-in-iucv_sock_close.patch +drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch +net-mvpp2-don-t-re-use-loop-iterator.patch +net-phy-micrel-fix-the-ksz9131-mdi-x-status-issue.patch +alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch +netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch +netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch +net-mlx5-always-drain-health-in-shutdown-callback.patch +net-mlx5-fix-error-handling-in-irq_pool_request_irq.patch +net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch +net-mlx5-fix-missing-lock-on-sync-reset-reload.patch +net-mlx5e-require-mlx5-tc-classifier-action-support-.patch +net-mlx5e-fix-ct-entry-update-leaks-of-modify-header.patch +net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch +igc-fix-double-reset-adapter-triggered-from-a-single.patch +ipv6-fix-ndisc_is_useropt-handling-for-pio.patch +riscv-remove-unused-functions-in-traps_misaligned.c.patch +perf-riscv-fix-selecting-counters-in-legacy-mode.patch +riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch +riscv-fix-linear-mapping-checks-for-non-contiguous-m.patch +arm64-jump_label-ensure-patched-jump_labels-are-visi.patch diff --git a/queue-6.6/tcp-adjust-clamping-window-for-applications-specifyi.patch b/queue-6.6/tcp-adjust-clamping-window-for-applications-specifyi.patch new file mode 100644 index 00000000000..40b9c866415 --- /dev/null +++ b/queue-6.6/tcp-adjust-clamping-window-for-applications-specifyi.patch @@ -0,0 +1,86 @@ +From d8f859f100583556cca6732218cb7ff371b19e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 13:41:05 -0700 +Subject: tcp: Adjust clamping window for applications specifying SO_RCVBUF + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit 05f76b2d634e65ab34472802d9b142ea9e03f74e ] + +tp->scaling_ratio is not updated based on skb->len/skb->truesize once +SO_RCVBUF is set leading to the maximum window scaling to be 25% of +rcvbuf after +commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale") +and 50% of rcvbuf after +commit 697a6c8cec03 ("tcp: increase the default TCP scaling ratio"). +50% tries to emulate the behavior of older kernels using +sysctl_tcp_adv_win_scale with default value. + +Systems which were using a different values of sysctl_tcp_adv_win_scale +in older kernels ended up seeing reduced download speeds in certain +cases as covered in https://lists.openwall.net/netdev/2024/05/15/13 +While the sysctl scheme is no longer acceptable, the value of 50% is +a bit conservative when the skb->len/skb->truesize ratio is later +determined to be ~0.66. + +Applications not specifying SO_RCVBUF update the window scaling and +the receiver buffer every time data is copied to userspace. This +computation is now used for applications setting SO_RCVBUF to update +the maximum window scaling while ensuring that the receive buffer +is within the application specified limit. + +Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale") +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 13464e35d7565..d0364cff65c9f 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -748,8 +748,7 @@ void tcp_rcv_space_adjust(struct sock *sk) + * + */ + +- if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) && +- !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf)) { + u64 rcvwin, grow; + int rcvbuf; + +@@ -765,12 +764,22 @@ void tcp_rcv_space_adjust(struct sock *sk) + + rcvbuf = min_t(u64, tcp_space_from_win(sk, rcvwin), + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])); +- if (rcvbuf > sk->sk_rcvbuf) { +- WRITE_ONCE(sk->sk_rcvbuf, rcvbuf); ++ if (!(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { ++ if (rcvbuf > sk->sk_rcvbuf) { ++ WRITE_ONCE(sk->sk_rcvbuf, rcvbuf); + +- /* Make the window clamp follow along. */ +- WRITE_ONCE(tp->window_clamp, +- tcp_win_from_space(sk, rcvbuf)); ++ /* Make the window clamp follow along. */ ++ WRITE_ONCE(tp->window_clamp, ++ tcp_win_from_space(sk, rcvbuf)); ++ } ++ } else { ++ /* Make the window clamp follow along while being bounded ++ * by SO_RCVBUF. ++ */ ++ int clamp = tcp_win_from_space(sk, min(rcvbuf, sk->sk_rcvbuf)); ++ ++ if (clamp > tp->window_clamp) ++ WRITE_ONCE(tp->window_clamp, clamp); + } + } + tp->rcvq_space.space = copied; +-- +2.43.0 + diff --git a/queue-6.6/tcp-annotate-data-races-around-tp-window_clamp.patch b/queue-6.6/tcp-annotate-data-races-around-tp-window_clamp.patch new file mode 100644 index 00000000000..1e3c6c5f051 --- /dev/null +++ b/queue-6.6/tcp-annotate-data-races-around-tp-window_clamp.patch @@ -0,0 +1,234 @@ +From 231bff96b8693b52addc626827160785be520a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 11:42:31 +0000 +Subject: tcp: annotate data-races around tp->window_clamp + +From: Eric Dumazet + +[ Upstream commit f410cbea9f3d2675b4c8e52af1d1985b11b387d1 ] + +tp->window_clamp can be read locklessly, add READ_ONCE() +and WRITE_ONCE() annotations. + +Signed-off-by: Eric Dumazet +Reviewed-by: Jason Xing +Link: https://lore.kernel.org/r/20240404114231.2195171-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 05f76b2d634e ("tcp: Adjust clamping window for applications specifying SO_RCVBUF") +Signed-off-by: Sasha Levin +--- + net/ipv4/syncookies.c | 3 ++- + net/ipv4/tcp.c | 8 ++++---- + net/ipv4/tcp_input.c | 17 ++++++++++------- + net/ipv4/tcp_output.c | 18 ++++++++++-------- + net/ipv6/syncookies.c | 2 +- + net/mptcp/protocol.c | 2 +- + net/mptcp/sockopt.c | 2 +- + 7 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c +index 3b4dafefb4b03..e143562077958 100644 +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -424,7 +424,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) + } + + /* Try to redo what tcp_v4_send_synack did. */ +- req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW); ++ req->rsk_window_clamp = READ_ONCE(tp->window_clamp) ? : ++ dst_metric(&rt->dst, RTAX_WINDOW); + /* limit the window selection if the user enforce a smaller rx buffer */ + full_space = tcp_full_space(sk); + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 91c3d8264059d..1e3202f2b7a87 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1723,7 +1723,7 @@ int tcp_set_rcvlowat(struct sock *sk, int val) + space = tcp_space_from_win(sk, val); + if (space > sk->sk_rcvbuf) { + WRITE_ONCE(sk->sk_rcvbuf, space); +- tcp_sk(sk)->window_clamp = val; ++ WRITE_ONCE(tcp_sk(sk)->window_clamp, val); + } + return 0; + } +@@ -3386,7 +3386,7 @@ int tcp_set_window_clamp(struct sock *sk, int val) + if (!val) { + if (sk->sk_state != TCP_CLOSE) + return -EINVAL; +- tp->window_clamp = 0; ++ WRITE_ONCE(tp->window_clamp, 0); + } else { + u32 new_rcv_ssthresh, old_window_clamp = tp->window_clamp; + u32 new_window_clamp = val < SOCK_MIN_RCVBUF / 2 ? +@@ -3395,7 +3395,7 @@ int tcp_set_window_clamp(struct sock *sk, int val) + if (new_window_clamp == old_window_clamp) + return 0; + +- tp->window_clamp = new_window_clamp; ++ WRITE_ONCE(tp->window_clamp, new_window_clamp); + if (new_window_clamp < old_window_clamp) { + /* need to apply the reserved mem provisioning only + * when shrinking the window clamp +@@ -4020,7 +4020,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + TCP_RTO_MAX / HZ); + break; + case TCP_WINDOW_CLAMP: +- val = tp->window_clamp; ++ val = READ_ONCE(tp->window_clamp); + break; + case TCP_INFO: { + struct tcp_info info; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index c2e4dac42453b..13464e35d7565 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -570,19 +570,20 @@ static void tcp_init_buffer_space(struct sock *sk) + maxwin = tcp_full_space(sk); + + if (tp->window_clamp >= maxwin) { +- tp->window_clamp = maxwin; ++ WRITE_ONCE(tp->window_clamp, maxwin); + + if (tcp_app_win && maxwin > 4 * tp->advmss) +- tp->window_clamp = max(maxwin - +- (maxwin >> tcp_app_win), +- 4 * tp->advmss); ++ WRITE_ONCE(tp->window_clamp, ++ max(maxwin - (maxwin >> tcp_app_win), ++ 4 * tp->advmss)); + } + + /* Force reservation of one segment. */ + if (tcp_app_win && + tp->window_clamp > 2 * tp->advmss && + tp->window_clamp + tp->advmss > maxwin) +- tp->window_clamp = max(2 * tp->advmss, maxwin - tp->advmss); ++ WRITE_ONCE(tp->window_clamp, ++ max(2 * tp->advmss, maxwin - tp->advmss)); + + tp->rcv_ssthresh = min(tp->rcv_ssthresh, tp->window_clamp); + tp->snd_cwnd_stamp = tcp_jiffies32; +@@ -768,7 +769,8 @@ void tcp_rcv_space_adjust(struct sock *sk) + WRITE_ONCE(sk->sk_rcvbuf, rcvbuf); + + /* Make the window clamp follow along. */ +- tp->window_clamp = tcp_win_from_space(sk, rcvbuf); ++ WRITE_ONCE(tp->window_clamp, ++ tcp_win_from_space(sk, rcvbuf)); + } + } + tp->rcvq_space.space = copied; +@@ -6347,7 +6349,8 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, + + if (!tp->rx_opt.wscale_ok) { + tp->rx_opt.snd_wscale = tp->rx_opt.rcv_wscale = 0; +- tp->window_clamp = min(tp->window_clamp, 65535U); ++ WRITE_ONCE(tp->window_clamp, ++ min(tp->window_clamp, 65535U)); + } + + if (tp->rx_opt.saw_tstamp) { +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 5631041ae12cb..15c49d559db53 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -203,16 +203,17 @@ static inline void tcp_event_ack_sent(struct sock *sk, u32 rcv_nxt) + * This MUST be enforced by all callers. + */ + void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, +- __u32 *rcv_wnd, __u32 *window_clamp, ++ __u32 *rcv_wnd, __u32 *__window_clamp, + int wscale_ok, __u8 *rcv_wscale, + __u32 init_rcv_wnd) + { + unsigned int space = (__space < 0 ? 0 : __space); ++ u32 window_clamp = READ_ONCE(*__window_clamp); + + /* If no clamp set the clamp to the max possible scaled window */ +- if (*window_clamp == 0) +- (*window_clamp) = (U16_MAX << TCP_MAX_WSCALE); +- space = min(*window_clamp, space); ++ if (window_clamp == 0) ++ window_clamp = (U16_MAX << TCP_MAX_WSCALE); ++ space = min(window_clamp, space); + + /* Quantize space offering to a multiple of mss if possible. */ + if (space > mss) +@@ -239,12 +240,13 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, + /* Set window scaling on max possible window */ + space = max_t(u32, space, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])); + space = max_t(u32, space, READ_ONCE(sysctl_rmem_max)); +- space = min_t(u32, space, *window_clamp); ++ space = min_t(u32, space, window_clamp); + *rcv_wscale = clamp_t(int, ilog2(space) - 15, + 0, TCP_MAX_WSCALE); + } + /* Set the clamp no higher than max representable value */ +- (*window_clamp) = min_t(__u32, U16_MAX << (*rcv_wscale), *window_clamp); ++ WRITE_ONCE(*__window_clamp, ++ min_t(__u32, U16_MAX << (*rcv_wscale), window_clamp)); + } + EXPORT_SYMBOL(tcp_select_initial_window); + +@@ -3787,7 +3789,7 @@ static void tcp_connect_init(struct sock *sk) + tcp_ca_dst_init(sk, dst); + + if (!tp->window_clamp) +- tp->window_clamp = dst_metric(dst, RTAX_WINDOW); ++ WRITE_ONCE(tp->window_clamp, dst_metric(dst, RTAX_WINDOW)); + tp->advmss = tcp_mss_clamp(tp, dst_metric_advmss(dst)); + + tcp_initialize_rcv_mss(sk); +@@ -3795,7 +3797,7 @@ static void tcp_connect_init(struct sock *sk) + /* limit the window selection if the user enforce a smaller rx buffer */ + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && + (tp->window_clamp > tcp_full_space(sk) || tp->window_clamp == 0)) +- tp->window_clamp = tcp_full_space(sk); ++ WRITE_ONCE(tp->window_clamp, tcp_full_space(sk)); + + rcv_wnd = tcp_rwnd_init_bpf(sk); + if (rcv_wnd == 0) +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index 8698b49dfc8de..593ead8a45d79 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -243,7 +243,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + goto out_free; + } + +- req->rsk_window_clamp = tp->window_clamp ? :dst_metric(dst, RTAX_WINDOW); ++ req->rsk_window_clamp = READ_ONCE(tp->window_clamp) ? :dst_metric(dst, RTAX_WINDOW); + /* limit the window selection if the user enforce a smaller rx buffer */ + full_space = tcp_full_space(sk); + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index d2edd02a137bd..973290d08e796 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2024,7 +2024,7 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied) + ssk = mptcp_subflow_tcp_sock(subflow); + slow = lock_sock_fast(ssk); + WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf); +- tcp_sk(ssk)->window_clamp = window_clamp; ++ WRITE_ONCE(tcp_sk(ssk)->window_clamp, window_clamp); + tcp_cleanup_rbuf(ssk, 1); + unlock_sock_fast(ssk, slow); + } +diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c +index 6e254f10b41e6..3977332c44c0a 100644 +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -1564,7 +1564,7 @@ int mptcp_set_rcvlowat(struct sock *sk, int val) + + slow = lock_sock_fast(ssk); + WRITE_ONCE(ssk->sk_rcvbuf, space); +- tcp_sk(ssk)->window_clamp = val; ++ WRITE_ONCE(tcp_sk(ssk)->window_clamp, val); + unlock_sock_fast(ssk, slow); + } + return 0; +-- +2.43.0 + diff --git a/queue-6.6/wifi-cfg80211-fix-reporting-failed-mlo-links-status-.patch b/queue-6.6/wifi-cfg80211-fix-reporting-failed-mlo-links-status-.patch new file mode 100644 index 00000000000..f86a402c87d --- /dev/null +++ b/queue-6.6/wifi-cfg80211-fix-reporting-failed-mlo-links-status-.patch @@ -0,0 +1,44 @@ +From 4bb58b509c2be506554876537eba126900683326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 18:23:27 +0530 +Subject: wifi: cfg80211: fix reporting failed MLO links status with + cfg80211_connect_done + +From: Veerendranath Jakkam + +[ Upstream commit baeaabf970b9a90999f62ae27edf63f6cb86c023 ] + +Individual MLO links connection status is not copied to +EVENT_CONNECT_RESULT data while processing the connect response +information in cfg80211_connect_done(). Due to this failed links +are wrongly indicated with success status in EVENT_CONNECT_RESULT. + +To fix this, copy the individual MLO links status to the +EVENT_CONNECT_RESULT data. + +Fixes: 53ad07e9823b ("wifi: cfg80211: support reporting failed links") +Signed-off-by: Veerendranath Jakkam +Reviewed-by: Carlos Llamas +Link: https://patch.msgid.link/20240724125327.3495874-1-quic_vjakkam@quicinc.com +[commit message editorial changes] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 9bba233b5a6ec..72d78dbc55ffd 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -1057,6 +1057,7 @@ void cfg80211_connect_done(struct net_device *dev, + cfg80211_hold_bss( + bss_from_pub(params->links[link].bss)); + ev->cr.links[link].bss = params->links[link].bss; ++ ev->cr.links[link].status = params->links[link].status; + + if (params->links[link].addr) { + ev->cr.links[link].addr = next; +-- +2.43.0 +