From: Sasha Levin Date: Mon, 17 Jul 2023 01:01:19 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.15.121~100^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8865cb3e4345496968128cc95f6467da2e5672eb;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bpf-cpumap-fix-memory-leak-in-cpu_map_update_elem.patch b/queue-5.15/bpf-cpumap-fix-memory-leak-in-cpu_map_update_elem.patch new file mode 100644 index 00000000000..fd93d201e74 --- /dev/null +++ b/queue-5.15/bpf-cpumap-fix-memory-leak-in-cpu_map_update_elem.patch @@ -0,0 +1,138 @@ +From 45b1b44a8c10a6d827b89abc0f463a3299adc57f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 19:58:48 +0800 +Subject: bpf: cpumap: Fix memory leak in cpu_map_update_elem + +From: Pu Lehui + +[ Upstream commit 4369016497319a9635702da010d02af1ebb1849d ] + +Syzkaller reported a memory leak as follows: + +BUG: memory leak +unreferenced object 0xff110001198ef748 (size 192): + comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) + hex dump (first 32 bytes): + 00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J........... + 00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(....... + backtrace: + [] __cpu_map_entry_alloc+0xf7/0xb00 + [] cpu_map_update_elem+0x2fe/0x3d0 + [] bpf_map_update_value.isra.0+0x2bd/0x520 + [] map_update_elem+0x4cb/0x720 + [] __se_sys_bpf+0x8c3/0xb90 + [] do_syscall_64+0x30/0x40 + [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +BUG: memory leak +unreferenced object 0xff110001198ef528 (size 192): + comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __cpu_map_entry_alloc+0x260/0xb00 + [] cpu_map_update_elem+0x2fe/0x3d0 + [] bpf_map_update_value.isra.0+0x2bd/0x520 + [] map_update_elem+0x4cb/0x720 + [] __se_sys_bpf+0x8c3/0xb90 + [] do_syscall_64+0x30/0x40 + [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +BUG: memory leak +unreferenced object 0xff1100010fd93d68 (size 8): + comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) + hex dump (first 8 bytes): + 00 00 00 00 00 00 00 00 ........ + backtrace: + [] kvmalloc_node+0x11e/0x170 + [] __cpu_map_entry_alloc+0x2f0/0xb00 + [] cpu_map_update_elem+0x2fe/0x3d0 + [] bpf_map_update_value.isra.0+0x2bd/0x520 + [] map_update_elem+0x4cb/0x720 + [] __se_sys_bpf+0x8c3/0xb90 + [] do_syscall_64+0x30/0x40 + [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +In the cpu_map_update_elem flow, when kthread_stop is called before +calling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit +of kthread has been set by kthread_stop, the threadfn of rcpu->kthread +will never be executed, and rcpu->refcnt will never be 0, which will +lead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be +released. + +Calling kthread_stop before executing kthread's threadfn will return +-EINTR. We can complete the release of memory resources in this state. + +Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") +Signed-off-by: Pu Lehui +Acked-by: Jesper Dangaard Brouer +Acked-by: Hou Tao +Link: https://lore.kernel.org/r/20230711115848.2701559-1-pulehui@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/cpumap.c | 40 ++++++++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 16 deletions(-) + +diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c +index 585b2b77ccc4f..db6221773e43f 100644 +--- a/kernel/bpf/cpumap.c ++++ b/kernel/bpf/cpumap.c +@@ -126,22 +126,6 @@ static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu) + atomic_inc(&rcpu->refcnt); + } + +-/* called from workqueue, to workaround syscall using preempt_disable */ +-static void cpu_map_kthread_stop(struct work_struct *work) +-{ +- struct bpf_cpu_map_entry *rcpu; +- +- rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq); +- +- /* Wait for flush in __cpu_map_entry_free(), via full RCU barrier, +- * as it waits until all in-flight call_rcu() callbacks complete. +- */ +- rcu_barrier(); +- +- /* kthread_stop will wake_up_process and wait for it to complete */ +- kthread_stop(rcpu->kthread); +-} +- + static void __cpu_map_ring_cleanup(struct ptr_ring *ring) + { + /* The tear-down procedure should have made sure that queue is +@@ -169,6 +153,30 @@ static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu) + } + } + ++/* called from workqueue, to workaround syscall using preempt_disable */ ++static void cpu_map_kthread_stop(struct work_struct *work) ++{ ++ struct bpf_cpu_map_entry *rcpu; ++ int err; ++ ++ rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq); ++ ++ /* Wait for flush in __cpu_map_entry_free(), via full RCU barrier, ++ * as it waits until all in-flight call_rcu() callbacks complete. ++ */ ++ rcu_barrier(); ++ ++ /* kthread_stop will wake_up_process and wait for it to complete */ ++ err = kthread_stop(rcpu->kthread); ++ if (err) { ++ /* kthread_stop may be called before cpu_map_kthread_run ++ * is executed, so we need to release the memory related ++ * to rcpu. ++ */ ++ put_cpu_map_entry(rcpu); ++ } ++} ++ + static void cpu_map_bpf_prog_run_skb(struct bpf_cpu_map_entry *rcpu, + struct list_head *listp, + struct xdp_cpumap_stats *stats) +-- +2.39.2 + diff --git a/queue-5.15/bpf-fix-max-stack-depth-check-for-async-callbacks.patch b/queue-5.15/bpf-fix-max-stack-depth-check-for-async-callbacks.patch new file mode 100644 index 00000000000..7933b609c6b --- /dev/null +++ b/queue-5.15/bpf-fix-max-stack-depth-check-for-async-callbacks.patch @@ -0,0 +1,59 @@ +From 55cdae98eb5599d22f834a51825f1a914abbf29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 20:17:29 +0530 +Subject: bpf: Fix max stack depth check for async callbacks + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 5415ccd50a8620c8cbaa32d6f18c946c453566f5 ] + +The check_max_stack_depth pass happens after the verifier's symbolic +execution, and attempts to walk the call graph of the BPF program, +ensuring that the stack usage stays within bounds for all possible call +chains. There are two cases to consider: bpf_pseudo_func and +bpf_pseudo_call. In the former case, the callback pointer is loaded into +a register, and is assumed that it is passed to some helper later which +calls it (however there is no way to be sure), but the check remains +conservative and accounts the stack usage anyway. For this particular +case, asynchronous callbacks are skipped as they execute asynchronously +when their corresponding event fires. + +The case of bpf_pseudo_call is simpler and we know that the call is +definitely made, hence the stack depth of the subprog is accounted for. + +However, the current check still skips an asynchronous callback even if +a bpf_pseudo_call was made for it. This is erroneous, as it will miss +accounting for the stack usage of the asynchronous callback, which can +be used to breach the maximum stack depth limit. + +Fix this by only skipping asynchronous callbacks when the instruction is +not a pseudo call to the subprog. + +Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230705144730.235802-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 7a70595c3c15a..bd31aa6407a78 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -3765,8 +3765,9 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + verbose(env, "verifier bug. subprog has tail_call and async cb\n"); + return -EFAULT; + } +- /* async callbacks don't increase bpf prog stack size */ +- continue; ++ /* async callbacks don't increase bpf prog stack size unless called directly */ ++ if (!bpf_pseudo_call(insn + i)) ++ continue; + } + i = next_insn; + +-- +2.39.2 + diff --git a/queue-5.15/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch b/queue-5.15/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch new file mode 100644 index 00000000000..3a57151dfec --- /dev/null +++ b/queue-5.15/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch @@ -0,0 +1,75 @@ +From 2a1cf795e868d7f8e25c072723014a450378c0c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 17:28:11 +0800 +Subject: bpf, riscv: Support riscv jit to provide bpf_line_info + +From: Pu Lehui + +[ Upstream commit 3cb70413041fdf028fa1ba3986fd0c6aec9e3dcb ] + +Add support for riscv jit to provide bpf_line_info. We need to +consider the prologue offset in ctx->offset, but unlike x86 and +arm64, ctx->offset of riscv does not provide an extra slot for +the prologue, so here we just calculate the len of prologue and +add it to ctx->offset at the end. Both RV64 and RV32 have been +tested. + +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220530092815.1112406-3-pulehui@huawei.com +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 1 + + arch/riscv/net/bpf_jit_core.c | 8 +++++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index 75c1e99968675..ab0cd6d10ccf3 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,6 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; ++ int body_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index 753d85bdfad07..ff644452b88db 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, i; ++ int pass = 0, prev_ninsns = 0, prologue_len, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -95,6 +95,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ctx->body_len = ctx->ninsns; + bpf_jit_build_prologue(ctx); + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); +@@ -154,6 +155,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); ++ prologue_len = ctx->epilogue_offset - ctx->body_len; ++ for (i = 0; i < prog->len; i++) ++ ctx->offset[i] = ninsns_rvoff(prologue_len + ++ ctx->offset[i]); ++ bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); + kfree(jit_data); +-- +2.39.2 + diff --git a/queue-5.15/drm-bridge-ti-sn65dsi86-fix-auxiliary-bus-lifetime.patch b/queue-5.15/drm-bridge-ti-sn65dsi86-fix-auxiliary-bus-lifetime.patch new file mode 100644 index 00000000000..61feab6c822 --- /dev/null +++ b/queue-5.15/drm-bridge-ti-sn65dsi86-fix-auxiliary-bus-lifetime.patch @@ -0,0 +1,110 @@ +From 1988a81913c7178e56bb2c95b48f1c61485216bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 06:58:13 -0700 +Subject: drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime + +From: Douglas Anderson + +[ Upstream commit 7aa83fbd712a6f08ffa67890061f26d140c2a84f ] + +Memory for the "struct device" for any given device isn't supposed to +be released until the device's release() is called. This is important +because someone might be holding a kobject reference to the "struct +device" and might try to access one of its members even after any +other cleanup/uninitialization has happened. + +Code analysis of ti-sn65dsi86 shows that this isn't quite right. When +the code was written, it was believed that we could rely on the fact +that the child devices would all be freed before the parent devices +and thus we didn't need to worry about a release() function. While I +still believe that the parent's "struct device" is guaranteed to +outlive the child's "struct device" (because the child holds a kobject +reference to the parent), the parent's "devm" allocated memory is a +different story. That appears to be freed much earlier. + +Let's make this better for ti-sn65dsi86 by allocating each auxiliary +with kzalloc and then free that memory in the release(). + +Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers") +Suggested-by: Stephen Boyd +Reviewed-by: Stephen Boyd +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20230613065812.v2.1.I24b838a5b4151fb32bccd6f36397998ea2df9fbb@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 33 +++++++++++++++++---------- + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index bbedce0eeddae..22c2ff5272c60 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -147,9 +147,9 @@ + * each other's read-modify-write. + */ + struct ti_sn65dsi86 { +- struct auxiliary_device bridge_aux; +- struct auxiliary_device gpio_aux; +- struct auxiliary_device aux_aux; ++ struct auxiliary_device *bridge_aux; ++ struct auxiliary_device *gpio_aux; ++ struct auxiliary_device *aux_aux; + + struct device *dev; + struct regmap *regmap; +@@ -412,27 +412,34 @@ static void ti_sn65dsi86_delete_aux(void *data) + auxiliary_device_delete(data); + } + +-/* +- * AUX bus docs say that a non-NULL release is mandatory, but it makes no +- * sense for the model used here where all of the aux devices are allocated +- * in the single shared structure. We'll use this noop as a workaround. +- */ +-static void ti_sn65dsi86_noop(struct device *dev) {} ++static void ti_sn65dsi86_aux_device_release(struct device *dev) ++{ ++ struct auxiliary_device *aux = container_of(dev, struct auxiliary_device, dev); ++ ++ kfree(aux); ++} + + static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, +- struct auxiliary_device *aux, ++ struct auxiliary_device **aux_out, + const char *name) + { + struct device *dev = pdata->dev; ++ struct auxiliary_device *aux; + int ret; + ++ aux = kzalloc(sizeof(*aux), GFP_KERNEL); ++ if (!aux) ++ return -ENOMEM; ++ + aux->name = name; + aux->dev.parent = dev; +- aux->dev.release = ti_sn65dsi86_noop; ++ aux->dev.release = ti_sn65dsi86_aux_device_release; + device_set_of_node_from_dev(&aux->dev, dev); + ret = auxiliary_device_init(aux); +- if (ret) ++ if (ret) { ++ kfree(aux); + return ret; ++ } + ret = devm_add_action_or_reset(dev, ti_sn65dsi86_uninit_aux, aux); + if (ret) + return ret; +@@ -441,6 +448,8 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, + if (ret) + return ret; + ret = devm_add_action_or_reset(dev, ti_sn65dsi86_delete_aux, aux); ++ if (!ret) ++ *aux_out = aux; + + return ret; + } +-- +2.39.2 + diff --git a/queue-5.15/drm-i915-fix-one-wrong-caching-mode-enum-usage.patch b/queue-5.15/drm-i915-fix-one-wrong-caching-mode-enum-usage.patch new file mode 100644 index 00000000000..2a7a20d3ed4 --- /dev/null +++ b/queue-5.15/drm-i915-fix-one-wrong-caching-mode-enum-usage.patch @@ -0,0 +1,45 @@ +From 738cb33610deac306e20935bc4eb7e297519b060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:55:03 +0100 +Subject: drm/i915: Fix one wrong caching mode enum usage + +From: Tvrtko Ursulin + +[ Upstream commit 113899c2669dff148b2a5bea4780123811aecc13 ] + +Commit a4d86249c773 ("drm/i915/gt: Provide a utility to create a scratch +buffer") mistakenly passed in uapi I915_CACHING_CACHED as argument to +i915_gem_object_set_cache_coherency(), which actually takes internal +enum i915_cache_level. + +No functional issue since the value matches I915_CACHE_LLC (1 == 1), which +is the intended caching mode, but lets clean it up nevertheless. + +Signed-off-by: Tvrtko Ursulin +Fixes: a4d86249c773 ("drm/i915/gt: Provide a utility to create a scratch buffer") +Cc: Daniele Ceraolo Spurio +Reviewed-by: Tejas Upadhyay +Link: https://patchwork.freedesktop.org/patch/msgid/20230707125503.3965817-1-tvrtko.ursulin@linux.intel.com +(cherry picked from commit 49c60b2f0867ac36fd54d513882a48431aeccae7) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_gtt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_gtt.c b/drivers/gpu/drm/i915/gt/intel_gtt.c +index 2d3a979736cc1..f9d4094916e3d 100644 +--- a/drivers/gpu/drm/i915/gt/intel_gtt.c ++++ b/drivers/gpu/drm/i915/gt/intel_gtt.c +@@ -547,7 +547,7 @@ __vm_create_scratch_for_read(struct i915_address_space *vm, unsigned long size) + if (IS_ERR(obj)) + return ERR_CAST(obj); + +- i915_gem_object_set_cache_coherency(obj, I915_CACHING_CACHED); ++ i915_gem_object_set_cache_coherency(obj, I915_CACHE_LLC); + + vma = i915_vma_instance(obj, vm, NULL); + if (IS_ERR(vma)) { +-- +2.39.2 + diff --git a/queue-5.15/drm-panel-simple-add-connector_type-for-innolux_at04.patch b/queue-5.15/drm-panel-simple-add-connector_type-for-innolux_at04.patch new file mode 100644 index 00000000000..ab4b3837537 --- /dev/null +++ b/queue-5.15/drm-panel-simple-add-connector_type-for-innolux_at04.patch @@ -0,0 +1,39 @@ +From adebed5d4cf8db520ee5829eff7ae641ce7a659f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 08:22:02 -0300 +Subject: drm/panel: simple: Add connector_type for innolux_at043tn24 + +From: Fabio Estevam + +[ Upstream commit 2c56a751845ddfd3078ebe79981aaaa182629163 ] + +The innolux at043tn24 display is a parallel LCD. Pass the 'connector_type' +information to avoid the following warning: + +panel-simple panel: Specify missing connector_type + +Signed-off-by: Fabio Estevam +Fixes: 41bcceb4de9c ("drm/panel: simple: Add support for Innolux AT043TN24") +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230620112202.654981-1-festevam@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 2f85266cdb2e3..2b628b6be08f3 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2469,6 +2469,7 @@ static const struct panel_desc innolux_at043tn24 = { + .height = 54, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .connector_type = DRM_MODE_CONNECTOR_DPI, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + }; + +-- +2.39.2 + diff --git a/queue-5.15/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch b/queue-5.15/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch new file mode 100644 index 00000000000..08ec978f606 --- /dev/null +++ b/queue-5.15/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch @@ -0,0 +1,38 @@ +From 95d5b0261cebe41f81a2a8abe75eb7cac171d537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 22:16:02 +0200 +Subject: drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags + +From: Marek Vasut + +[ Upstream commit 1c519980aced3da1fae37c1339cf43b24eccdee7 ] + +Add missing drm_display_mode DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC +flags. Those are used by various bridges in the pipeline to correctly +configure its sync signals polarity. + +Fixes: d69de69f2be1 ("drm/panel: simple: Add Powertip PH800480T013 panel") +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230615201602.565948-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 2b628b6be08f3..391d73d2638a8 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -3651,6 +3651,7 @@ static const struct drm_display_mode powertip_ph800480t013_idf02_mode = { + .vsync_start = 480 + 49, + .vsync_end = 480 + 49 + 2, + .vtotal = 480 + 49 + 2 + 22, ++ .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC, + }; + + static const struct panel_desc powertip_ph800480t013_idf02 = { +-- +2.39.2 + diff --git a/queue-5.15/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch b/queue-5.15/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch new file mode 100644 index 00000000000..01f68588beb --- /dev/null +++ b/queue-5.15/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch @@ -0,0 +1,54 @@ +From e91f73caf4336f047ff714b7ad27d0759c2801eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:34:10 +0800 +Subject: erofs: avoid infinite loop in z_erofs_do_read_page() when reading + beyond EOF + +From: Chunhai Guo + +[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ] + +z_erofs_do_read_page() may loop infinitely due to the inappropriate +truncation in the below statement. Since the offset is 64 bits and min_t() +truncates the result to 32 bits. The solution is to replace unsigned int +with a 64-bit type, such as erofs_off_t. + cur = end - min_t(unsigned int, offset + end - map->m_la, end); + + - For example: + - offset = 0x400160000 + - end = 0x370 + - map->m_la = 0x160370 + - offset + end - map->m_la = 0x400000000 + - offset + end - map->m_la = 0x00000000 (truncated as unsigned int) + - Expected result: + - cur = 0 + - Actual result: + - cur = 0x370 + +Signed-off-by: Chunhai Guo +Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index eb51df4a9f770..3fd91a0efdbb7 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -713,7 +713,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe, + tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED && + clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE); + +- cur = end - min_t(unsigned int, offset + end - map->m_la, end); ++ cur = end - min_t(erofs_off_t, offset + end - map->m_la, end); + if (!(map->m_flags & EROFS_MAP_MAPPED)) { + zero_user_segment(page, cur, end); + goto next_part; +-- +2.39.2 + diff --git a/queue-5.15/erofs-decouple-basic-mount-options-from-fs_context.patch b/queue-5.15/erofs-decouple-basic-mount-options-from-fs_context.patch new file mode 100644 index 00000000000..8a08de48323 --- /dev/null +++ b/queue-5.15/erofs-decouple-basic-mount-options-from-fs_context.patch @@ -0,0 +1,330 @@ +From 3384e34175abf8b05dfe534bbb8afe900f35a556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 15:02:23 +0800 +Subject: erofs: decouple basic mount options from fs_context + +From: Gao Xiang + +[ Upstream commit e62424651f43cb37e17ca26a7ee9ee42675f24bd ] + +Previously, EROFS mount options are all in the basic types, so +erofs_fs_context can be directly copied with assignment. However, +when the multiple device feature is introduced, it's hard to handle +multiple device information like the other basic mount options. + +Let's separate basic mount option usage from fs_context, thus +multiple device information can be handled gracefully then. + +No logic changes. + +Link: https://lore.kernel.org/r/20211007070224.12833-1-hsiangkao@linux.alibaba.com +Reviewed-by: Chao Yu +Reviewed-by: Liu Bo +Signed-off-by: Gao Xiang +Stable-dep-of: 18bddc5b6703 ("erofs: fix fsdax unavailability for chunk-based regular files") +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 2 +- + fs/erofs/internal.h | 16 ++++++++----- + fs/erofs/super.c | 58 ++++++++++++++++++++++----------------------- + fs/erofs/xattr.c | 4 ++-- + fs/erofs/zdata.c | 8 +++---- + 5 files changed, 45 insertions(+), 43 deletions(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index 0c293ff6697b5..3ff36514cff25 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -192,7 +192,7 @@ static struct page *erofs_read_inode(struct inode *inode, + inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec; + + inode->i_flags &= ~S_DAX; +- if (test_opt(&sbi->ctx, DAX_ALWAYS) && S_ISREG(inode->i_mode) && ++ if (test_opt(&sbi->opt, DAX_ALWAYS) && S_ISREG(inode->i_mode) && + vi->datalayout == EROFS_INODE_FLAT_PLAIN) + inode->i_flags |= S_DAX; + if (!nblks) +diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h +index beadb06d8feb9..323e46d800e9e 100644 +--- a/fs/erofs/internal.h ++++ b/fs/erofs/internal.h +@@ -47,7 +47,7 @@ typedef u64 erofs_off_t; + /* data type for filesystem-wide blocks number */ + typedef u32 erofs_blk_t; + +-struct erofs_fs_context { ++struct erofs_mount_opts { + #ifdef CONFIG_EROFS_FS_ZIP + /* current strategy of how to use managed cache */ + unsigned char cache_strategy; +@@ -60,6 +60,10 @@ struct erofs_fs_context { + unsigned int mount_opt; + }; + ++struct erofs_fs_context { ++ struct erofs_mount_opts opt; ++}; ++ + /* all filesystem-wide lz4 configurations */ + struct erofs_sb_lz4_info { + /* # of pages needed for EROFS lz4 rolling decompression */ +@@ -69,6 +73,8 @@ struct erofs_sb_lz4_info { + }; + + struct erofs_sb_info { ++ struct erofs_mount_opts opt; /* options */ ++ + #ifdef CONFIG_EROFS_FS_ZIP + /* list for all registered superblocks, mainly for shrinker */ + struct list_head list; +@@ -108,8 +114,6 @@ struct erofs_sb_info { + u8 volume_name[16]; /* volume name */ + u32 feature_compat; + u32 feature_incompat; +- +- struct erofs_fs_context ctx; /* options */ + }; + + #define EROFS_SB(sb) ((struct erofs_sb_info *)(sb)->s_fs_info) +@@ -121,9 +125,9 @@ struct erofs_sb_info { + #define EROFS_MOUNT_DAX_ALWAYS 0x00000040 + #define EROFS_MOUNT_DAX_NEVER 0x00000080 + +-#define clear_opt(ctx, option) ((ctx)->mount_opt &= ~EROFS_MOUNT_##option) +-#define set_opt(ctx, option) ((ctx)->mount_opt |= EROFS_MOUNT_##option) +-#define test_opt(ctx, option) ((ctx)->mount_opt & EROFS_MOUNT_##option) ++#define clear_opt(opt, option) ((opt)->mount_opt &= ~EROFS_MOUNT_##option) ++#define set_opt(opt, option) ((opt)->mount_opt |= EROFS_MOUNT_##option) ++#define test_opt(opt, option) ((opt)->mount_opt & EROFS_MOUNT_##option) + + enum { + EROFS_ZIP_CACHE_DISABLED, +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 11b88559f8bfa..25f6b8b37f287 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -340,15 +340,15 @@ static int erofs_read_superblock(struct super_block *sb) + static void erofs_default_options(struct erofs_fs_context *ctx) + { + #ifdef CONFIG_EROFS_FS_ZIP +- ctx->cache_strategy = EROFS_ZIP_CACHE_READAROUND; +- ctx->max_sync_decompress_pages = 3; +- ctx->readahead_sync_decompress = false; ++ ctx->opt.cache_strategy = EROFS_ZIP_CACHE_READAROUND; ++ ctx->opt.max_sync_decompress_pages = 3; ++ ctx->opt.readahead_sync_decompress = false; + #endif + #ifdef CONFIG_EROFS_FS_XATTR +- set_opt(ctx, XATTR_USER); ++ set_opt(&ctx->opt, XATTR_USER); + #endif + #ifdef CONFIG_EROFS_FS_POSIX_ACL +- set_opt(ctx, POSIX_ACL); ++ set_opt(&ctx->opt, POSIX_ACL); + #endif + } + +@@ -392,12 +392,12 @@ static bool erofs_fc_set_dax_mode(struct fs_context *fc, unsigned int mode) + switch (mode) { + case EROFS_MOUNT_DAX_ALWAYS: + warnfc(fc, "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"); +- set_opt(ctx, DAX_ALWAYS); +- clear_opt(ctx, DAX_NEVER); ++ set_opt(&ctx->opt, DAX_ALWAYS); ++ clear_opt(&ctx->opt, DAX_NEVER); + return true; + case EROFS_MOUNT_DAX_NEVER: +- set_opt(ctx, DAX_NEVER); +- clear_opt(ctx, DAX_ALWAYS); ++ set_opt(&ctx->opt, DAX_NEVER); ++ clear_opt(&ctx->opt, DAX_ALWAYS); + return true; + default: + DBG_BUGON(1); +@@ -424,9 +424,9 @@ static int erofs_fc_parse_param(struct fs_context *fc, + case Opt_user_xattr: + #ifdef CONFIG_EROFS_FS_XATTR + if (result.boolean) +- set_opt(ctx, XATTR_USER); ++ set_opt(&ctx->opt, XATTR_USER); + else +- clear_opt(ctx, XATTR_USER); ++ clear_opt(&ctx->opt, XATTR_USER); + #else + errorfc(fc, "{,no}user_xattr options not supported"); + #endif +@@ -434,16 +434,16 @@ static int erofs_fc_parse_param(struct fs_context *fc, + case Opt_acl: + #ifdef CONFIG_EROFS_FS_POSIX_ACL + if (result.boolean) +- set_opt(ctx, POSIX_ACL); ++ set_opt(&ctx->opt, POSIX_ACL); + else +- clear_opt(ctx, POSIX_ACL); ++ clear_opt(&ctx->opt, POSIX_ACL); + #else + errorfc(fc, "{,no}acl options not supported"); + #endif + break; + case Opt_cache_strategy: + #ifdef CONFIG_EROFS_FS_ZIP +- ctx->cache_strategy = result.uint_32; ++ ctx->opt.cache_strategy = result.uint_32; + #else + errorfc(fc, "compression not supported, cache_strategy ignored"); + #endif +@@ -540,15 +540,16 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + return -ENOMEM; + + sb->s_fs_info = sbi; ++ sbi->opt = ctx->opt; + sbi->dax_dev = fs_dax_get_by_bdev(sb->s_bdev); + err = erofs_read_superblock(sb); + if (err) + return err; + +- if (test_opt(ctx, DAX_ALWAYS) && ++ if (test_opt(&sbi->opt, DAX_ALWAYS) && + !dax_supported(sbi->dax_dev, sb->s_bdev, EROFS_BLKSIZ, 0, bdev_nr_sectors(sb->s_bdev))) { + errorfc(fc, "DAX unsupported by block device. Turning off DAX."); +- clear_opt(ctx, DAX_ALWAYS); ++ clear_opt(&sbi->opt, DAX_ALWAYS); + } + sb->s_flags |= SB_RDONLY | SB_NOATIME; + sb->s_maxbytes = MAX_LFS_FILESIZE; +@@ -557,13 +558,11 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + sb->s_op = &erofs_sops; + sb->s_xattr = erofs_xattr_handlers; + +- if (test_opt(ctx, POSIX_ACL)) ++ if (test_opt(&sbi->opt, POSIX_ACL)) + sb->s_flags |= SB_POSIXACL; + else + sb->s_flags &= ~SB_POSIXACL; + +- sbi->ctx = *ctx; +- + #ifdef CONFIG_EROFS_FS_ZIP + xa_init(&sbi->managed_pslots); + #endif +@@ -607,12 +606,12 @@ static int erofs_fc_reconfigure(struct fs_context *fc) + + DBG_BUGON(!sb_rdonly(sb)); + +- if (test_opt(ctx, POSIX_ACL)) ++ if (test_opt(&ctx->opt, POSIX_ACL)) + fc->sb_flags |= SB_POSIXACL; + else + fc->sb_flags &= ~SB_POSIXACL; + +- sbi->ctx = *ctx; ++ sbi->opt = ctx->opt; + + fc->sb_flags |= SB_RDONLY; + return 0; +@@ -640,7 +639,6 @@ static int erofs_init_fs_context(struct fs_context *fc) + erofs_default_options(fc->fs_private); + + fc->ops = &erofs_context_ops; +- + return 0; + } + +@@ -763,31 +761,31 @@ static int erofs_statfs(struct dentry *dentry, struct kstatfs *buf) + static int erofs_show_options(struct seq_file *seq, struct dentry *root) + { + struct erofs_sb_info *sbi = EROFS_SB(root->d_sb); +- struct erofs_fs_context *ctx = &sbi->ctx; ++ struct erofs_mount_opts *opt = &sbi->opt; + + #ifdef CONFIG_EROFS_FS_XATTR +- if (test_opt(ctx, XATTR_USER)) ++ if (test_opt(opt, XATTR_USER)) + seq_puts(seq, ",user_xattr"); + else + seq_puts(seq, ",nouser_xattr"); + #endif + #ifdef CONFIG_EROFS_FS_POSIX_ACL +- if (test_opt(ctx, POSIX_ACL)) ++ if (test_opt(opt, POSIX_ACL)) + seq_puts(seq, ",acl"); + else + seq_puts(seq, ",noacl"); + #endif + #ifdef CONFIG_EROFS_FS_ZIP +- if (ctx->cache_strategy == EROFS_ZIP_CACHE_DISABLED) ++ if (opt->cache_strategy == EROFS_ZIP_CACHE_DISABLED) + seq_puts(seq, ",cache_strategy=disabled"); +- else if (ctx->cache_strategy == EROFS_ZIP_CACHE_READAHEAD) ++ else if (opt->cache_strategy == EROFS_ZIP_CACHE_READAHEAD) + seq_puts(seq, ",cache_strategy=readahead"); +- else if (ctx->cache_strategy == EROFS_ZIP_CACHE_READAROUND) ++ else if (opt->cache_strategy == EROFS_ZIP_CACHE_READAROUND) + seq_puts(seq, ",cache_strategy=readaround"); + #endif +- if (test_opt(ctx, DAX_ALWAYS)) ++ if (test_opt(opt, DAX_ALWAYS)) + seq_puts(seq, ",dax=always"); +- if (test_opt(ctx, DAX_NEVER)) ++ if (test_opt(opt, DAX_NEVER)) + seq_puts(seq, ",dax=never"); + return 0; + } +diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c +index 778f2c52295d1..01c581e93c5f8 100644 +--- a/fs/erofs/xattr.c ++++ b/fs/erofs/xattr.c +@@ -429,7 +429,7 @@ static int shared_getxattr(struct inode *inode, struct getxattr_iter *it) + + static bool erofs_xattr_user_list(struct dentry *dentry) + { +- return test_opt(&EROFS_SB(dentry->d_sb)->ctx, XATTR_USER); ++ return test_opt(&EROFS_SB(dentry->d_sb)->opt, XATTR_USER); + } + + static bool erofs_xattr_trusted_list(struct dentry *dentry) +@@ -476,7 +476,7 @@ static int erofs_xattr_generic_get(const struct xattr_handler *handler, + + switch (handler->flags) { + case EROFS_XATTR_INDEX_USER: +- if (!test_opt(&sbi->ctx, XATTR_USER)) ++ if (!test_opt(&sbi->opt, XATTR_USER)) + return -EOPNOTSUPP; + break; + case EROFS_XATTR_INDEX_TRUSTED: +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index 3fd91a0efdbb7..c247b1bf57cc8 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -695,7 +695,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe, + goto err_out; + + /* preload all compressed pages (maybe downgrade role if necessary) */ +- if (should_alloc_managed_pages(fe, sbi->ctx.cache_strategy, map->m_la)) ++ if (should_alloc_managed_pages(fe, sbi->opt.cache_strategy, map->m_la)) + cache_strategy = TRYALLOC; + else + cache_strategy = DONTALLOC; +@@ -797,7 +797,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + /* Use workqueue and sync decompression for atomic contexts only */ + if (in_atomic() || irqs_disabled()) { + queue_work(z_erofs_workqueue, &io->u.work); +- sbi->ctx.readahead_sync_decompress = true; ++ sbi->opt.readahead_sync_decompress = true; + return; + } + z_erofs_decompressqueue_work(&io->u.work); +@@ -1412,8 +1412,8 @@ static void z_erofs_readahead(struct readahead_control *rac) + struct erofs_sb_info *const sbi = EROFS_I_SB(inode); + + unsigned int nr_pages = readahead_count(rac); +- bool sync = (sbi->ctx.readahead_sync_decompress && +- nr_pages <= sbi->ctx.max_sync_decompress_pages); ++ bool sync = (sbi->opt.readahead_sync_decompress && ++ nr_pages <= sbi->opt.max_sync_decompress_pages); + struct z_erofs_decompress_frontend f = DECOMPRESS_FRONTEND_INIT(inode); + struct page *page, *head = NULL; + LIST_HEAD(pagepool); +-- +2.39.2 + diff --git a/queue-5.15/erofs-fix-fsdax-unavailability-for-chunk-based-regul.patch b/queue-5.15/erofs-fix-fsdax-unavailability-for-chunk-based-regul.patch new file mode 100644 index 00000000000..7dfbd51fee6 --- /dev/null +++ b/queue-5.15/erofs-fix-fsdax-unavailability-for-chunk-based-regul.patch @@ -0,0 +1,42 @@ +From 5de6c17168f163c7f0f91dc8d407fb8e5192bd2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 14:21:30 +0800 +Subject: erofs: fix fsdax unavailability for chunk-based regular files + +From: Xin Yin + +[ Upstream commit 18bddc5b67038722cb88fcf51fbf41a0277092cb ] + +DAX can be used to share page cache between VMs, reducing guest memory +overhead. And chunk based data format is widely used for VM and +container image. So enable dax support for it, make erofs better used +for VM scenarios. + +Fixes: c5aa903a59db ("erofs: support reading chunk-based uncompressed files") +Signed-off-by: Xin Yin +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20230711062130.7860-1-yinxin.x@bytedance.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index 3ff36514cff25..638bb70d0d65b 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -193,7 +193,8 @@ static struct page *erofs_read_inode(struct inode *inode, + + inode->i_flags &= ~S_DAX; + if (test_opt(&sbi->opt, DAX_ALWAYS) && S_ISREG(inode->i_mode) && +- vi->datalayout == EROFS_INODE_FLAT_PLAIN) ++ (vi->datalayout == EROFS_INODE_FLAT_PLAIN || ++ vi->datalayout == EROFS_INODE_CHUNK_BASED)) + inode->i_flags |= S_DAX; + if (!nblks) + /* measure inode.i_blocks as generic filesystems */ +-- +2.39.2 + diff --git a/queue-5.15/gve-set-default-duplex-configuration-to-full.patch b/queue-5.15/gve-set-default-duplex-configuration-to-full.patch new file mode 100644 index 00000000000..3c21b05ecf9 --- /dev/null +++ b/queue-5.15/gve-set-default-duplex-configuration-to-full.patch @@ -0,0 +1,43 @@ +From 64c90d58bff99ed864149056fccab860788024b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 12:41:28 +0800 +Subject: gve: Set default duplex configuration to full + +From: Junfeng Guo + +[ Upstream commit 0503efeadbf6bb8bf24397613a73b67e665eac5f ] + +Current duplex mode was unset in the driver, resulting in the default +parameter being set to 0, which corresponds to half duplex. It might +mislead users to have incorrect expectation about the driver's +transmission capabilities. +Set the default duplex configuration to full, as the driver runs in +full duplex mode at this point. + +Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.") +Signed-off-by: Junfeng Guo +Reviewed-by: Leon Romanovsky +Message-ID: <20230706044128.2726747-1-junfeng.guo@intel.com> +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c +index 6a0663aadd1e9..1f8cc722aae30 100644 +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -532,6 +532,9 @@ static int gve_get_link_ksettings(struct net_device *netdev, + err = gve_adminq_report_link_speed(priv); + + cmd->base.speed = priv->link_speed; ++ ++ cmd->base.duplex = DUPLEX_FULL; ++ + return err; + } + +-- +2.39.2 + diff --git a/queue-5.15/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/queue-5.15/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch new file mode 100644 index 00000000000..206b8c2f3a9 --- /dev/null +++ b/queue-5.15/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch @@ -0,0 +1,145 @@ +From 0d387327c93d9935b1b3c8900414753c6abf12a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. + +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + __dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: disabled + +Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") +Reported-by: Wang Yufen +Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 716e7717fe8fe..71a69166a6bd2 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -430,7 +430,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) + if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + +- if (rt6) ++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), ++ * and ip6_null_entry could be set to skb if no route is found. ++ */ ++ if (rt6 && rt6->rt6i_idev) + dev = rt6->rt6i_idev->dev; + } + +-- +2.39.2 + diff --git a/queue-5.15/igc-fix-inserting-of-empty-frame-for-launchtime.patch b/queue-5.15/igc-fix-inserting-of-empty-frame-for-launchtime.patch new file mode 100644 index 00000000000..3d1134ab9fc --- /dev/null +++ b/queue-5.15/igc-fix-inserting-of-empty-frame-for-launchtime.patch @@ -0,0 +1,128 @@ +From e12b128ab3cdcdc5a42f45bb4880e80f599c7de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:07:14 +0200 +Subject: igc: Fix inserting of empty frame for launchtime + +From: Florian Kauer + +[ Upstream commit 0bcc62858d6ba62cbade957d69745e6adeed5f3d ] + +The insertion of an empty frame was introduced with +commit db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +in order to ensure that the current cycle has at least one packet if +there is some packet to be scheduled for the next cycle. + +However, the current implementation does not properly check if +a packet is already scheduled for the current cycle. Currently, +an empty packet is always inserted if and only if +txtime >= end_of_cycle && txtime > last_tx_cycle +but since last_tx_cycle is always either the end of the current +cycle (end_of_cycle) or the end of a previous cycle, the +second part (txtime > last_tx_cycle) is always true unless +txtime == last_tx_cycle. + +What actually needs to be checked here is if the last_tx_cycle +was already written within the current cycle, so an empty frame +should only be inserted if and only if +txtime >= end_of_cycle && end_of_cycle > last_tx_cycle. + +This patch does not only avoid an unnecessary insertion, but it +can actually be harmful to insert an empty packet if packets +are already scheduled in the current cycle, because it can lead +to a situation where the empty packet is actually processed +as the first packet in the upcoming cycle shifting the packet +with the first_flag even one cycle into the future, finally leading +to a TX hang. + +The TX hang can be reproduced on a i225 with: + + sudo tc qdisc replace dev enp1s0 parent root handle 100 taprio \ + num_tc 1 \ + map 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \ + queues 1@0 \ + base-time 0 \ + sched-entry S 01 300000 \ + flags 0x1 \ + txtime-delay 500000 \ + clockid CLOCK_TAI + sudo tc qdisc replace dev enp1s0 parent 100:1 etf \ + clockid CLOCK_TAI \ + delta 500000 \ + offload \ + skip_sock_check + +and traffic generator + + sudo trafgen -i traffic.cfg -o enp1s0 --cpp -n0 -q -t1400ns + +with traffic.cfg + + #define ETH_P_IP 0x0800 + + { + /* Ethernet Header */ + 0x30, 0x1f, 0x9a, 0xd0, 0xf0, 0x0e, # MAC Dest - adapt as needed + 0x24, 0x5e, 0xbe, 0x57, 0x2e, 0x36, # MAC Src - adapt as needed + const16(ETH_P_IP), + + /* IPv4 Header */ + 0b01000101, 0, # IPv4 version, IHL, TOS + const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header)) + const16(2), # IPv4 ident + 0b01000000, 0, # IPv4 flags, fragmentation off + 64, # IPv4 TTL + 17, # Protocol UDP + csumip(14, 33), # IPv4 checksum + + /* UDP Header */ + 10, 0, 48, 1, # IP Src - adapt as needed + 10, 0, 48, 10, # IP Dest - adapt as needed + const16(5555), # UDP Src Port + const16(6666), # UDP Dest Port + const16(1008), # UDP length (UDP header 8 bytes + payload length) + csumudp(14, 34), # UDP checksum + + /* Payload */ + fill('W', 1000), + } + +and the observed message with that is for example + + igc 0000:01:00.0 enp1s0: Detected Tx Unit Hang + Tx Queue <0> + TDH <32> + TDT <3c> + next_to_use <3c> + next_to_clean <32> + buffer_info[next_to_clean] + time_stamp + next_to_watch <00000000632a1828> + jiffies + desc.status <1048000> + +Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 491b80407df49..db48979cdecbc 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1026,7 +1026,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime, + *first_flag = true; + ring->last_ff_cycle = baset_est; + +- if (ktime_compare(txtime, ring->last_tx_cycle) > 0) ++ if (ktime_compare(end_of_cycle, ring->last_tx_cycle) > 0) + *insert_empty = true; + } + } +-- +2.39.2 + diff --git a/queue-5.15/igc-fix-launchtime-before-start-of-cycle.patch b/queue-5.15/igc-fix-launchtime-before-start-of-cycle.patch new file mode 100644 index 00000000000..59cc7140d3d --- /dev/null +++ b/queue-5.15/igc-fix-launchtime-before-start-of-cycle.patch @@ -0,0 +1,46 @@ +From b12ced94910b133fa504dc2c81a9f876f1a96c84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:07:13 +0200 +Subject: igc: Fix launchtime before start of cycle + +From: Florian Kauer + +[ Upstream commit c1bca9ac0bcb355be11354c2e68bc7bf31f5ac5a ] + +It is possible (verified on a running system) that frames are processed +by igc_tx_launchtime with a txtime before the start of the cycle +(baset_est). + +However, the result of txtime - baset_est is written into a u32, +leading to a wrap around to a positive number. The following +launchtime > 0 check will only branch to executing launchtime = 0 +if launchtime is already 0. + +Fix it by using a s32 before checking launchtime > 0. + +Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index e5cbf867034e3..491b80407df49 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1013,7 +1013,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime, + ktime_t base_time = adapter->base_time; + ktime_t now = ktime_get_clocktai(); + ktime_t baset_est, end_of_cycle; +- u32 launchtime; ++ s32 launchtime; + s64 n; + + n = div64_s64(ktime_sub_ns(now, base_time), cycle_time); +-- +2.39.2 + diff --git a/queue-5.15/igc-handle-pps-start-time-programming-for-past-time-.patch b/queue-5.15/igc-handle-pps-start-time-programming-for-past-time-.patch new file mode 100644 index 00000000000..fe07062b623 --- /dev/null +++ b/queue-5.15/igc-handle-pps-start-time-programming-for-past-time-.patch @@ -0,0 +1,109 @@ +From ee4b190bc6ab1fb3c0f0aea2842e01edc5150410 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:00:43 +0530 +Subject: igc: Handle PPS start time programming for past time values + +From: Aravindhan Gunasekaran + +[ Upstream commit 84a192e46106355de1a314d709e657231d4b1026 ] + +I225/6 hardware can be programmed to start PPS output once +the time in Target Time registers is reached. The time +programmed in these registers should always be into future. +Only then PPS output is triggered when SYSTIM register +reaches the programmed value. There are two modes in i225/6 +hardware to program PPS, pulse and clock mode. + +There were issues reported where PPS is not generated when +start time is in past. + +Example 1, "echo 0 0 0 2 0 > /sys/class/ptp/ptp0/period" + +In the current implementation, a value of '0' is programmed +into Target time registers and PPS output is in pulse mode. +Eventually an interrupt which is triggered upon SYSTIM +register reaching Target time is not fired. Thus no PPS +output is generated. + +Example 2, "echo 0 0 0 1 0 > /sys/class/ptp/ptp0/period" + +Above case, a value of '0' is programmed into Target time +registers and PPS output is in clock mode. Here, HW tries to +catch-up the current time by incrementing Target Time +register. This catch-up time seem to vary according to +programmed PPS period time as per the HW design. In my +experiments, the delay ranged between few tens of seconds to +few minutes. The PPS output is only generated after the +Target time register reaches current time. + +In my experiments, I also observed PPS stopped working with +below test and could not recover until module is removed and +loaded again. + +1) echo 0 0 1 0 > /sys/class/ptp/ptp1/period +2) echo 0 0 0 1 0 > /sys/class/ptp/ptp1/period +3) echo 0 0 0 1 0 > /sys/class/ptp/ptp1/period + +After this PPS did not work even if i re-program with proper +values. I could only get this back working by reloading the +driver. + +This patch takes care of calculating and programming +appropriate future time value into Target Time registers. + +Fixes: 5e91c72e560c ("igc: Fix PPS delta between two synchronized end-points") +Signed-off-by: Aravindhan Gunasekaran +Reviewed-by: Muhammad Husaini Zulkifli +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 25 +++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 6803d91cf71cd..556750b61c98f 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -357,16 +357,35 @@ static int igc_ptp_feature_enable_i225(struct ptp_clock_info *ptp, + tsim &= ~IGC_TSICR_TT0; + } + if (on) { ++ struct timespec64 safe_start; + int i = rq->perout.index; + + igc_pin_perout(igc, i, pin, use_freq); +- igc->perout[i].start.tv_sec = rq->perout.start.sec; ++ igc_ptp_read(igc, &safe_start); ++ ++ /* PPS output start time is triggered by Target time(TT) ++ * register. Programming any past time value into TT ++ * register will cause PPS to never start. Need to make ++ * sure we program the TT register a time ahead in ++ * future. There isn't a stringent need to fire PPS out ++ * right away. Adding +2 seconds should take care of ++ * corner cases. Let's say if the SYSTIML is close to ++ * wrap up and the timer keeps ticking as we program the ++ * register, adding +2seconds is safe bet. ++ */ ++ safe_start.tv_sec += 2; ++ ++ if (rq->perout.start.sec < safe_start.tv_sec) ++ igc->perout[i].start.tv_sec = safe_start.tv_sec; ++ else ++ igc->perout[i].start.tv_sec = rq->perout.start.sec; + igc->perout[i].start.tv_nsec = rq->perout.start.nsec; + igc->perout[i].period.tv_sec = ts.tv_sec; + igc->perout[i].period.tv_nsec = ts.tv_nsec; +- wr32(trgttimh, rq->perout.start.sec); ++ wr32(trgttimh, (u32)igc->perout[i].start.tv_sec); + /* For now, always select timer 0 as source. */ +- wr32(trgttiml, rq->perout.start.nsec | IGC_TT_IO_TIMER_SEL_SYSTIM0); ++ wr32(trgttiml, (u32)(igc->perout[i].start.tv_nsec | ++ IGC_TT_IO_TIMER_SEL_SYSTIM0)); + if (use_freq) + wr32(freqout, ns); + tsauxc |= tsauxc_mask; +-- +2.39.2 + diff --git a/queue-5.15/igc-remove-delay-during-tx-ring-configuration.patch b/queue-5.15/igc-remove-delay-during-tx-ring-configuration.patch new file mode 100644 index 00000000000..ca4c283d3a0 --- /dev/null +++ b/queue-5.15/igc-remove-delay-during-tx-ring-configuration.patch @@ -0,0 +1,46 @@ +From 3313141ca663dc0f23bc910e0298cc2a1975a8ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 08:18:12 +0800 +Subject: igc: Remove delay during TX ring configuration + +From: Muhammad Husaini Zulkifli + +[ Upstream commit cca28ceac7c7857bc2d313777017585aef00bcc4 ] + +Remove unnecessary delay during the TX ring configuration. +This will cause delay, especially during link down and +link up activity. + +Furthermore, old SKUs like as I225 will call the reset_adapter +to reset the controller during TSN mode Gate Control List (GCL) +setting. This will add more time to the configuration of the +real-time use case. + +It doesn't mentioned about this delay in the Software User Manual. +It might have been ported from legacy code I210 in the past. + +Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings") +Signed-off-by: Muhammad Husaini Zulkifli +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index abc63ca9d28bf..e5cbf867034e3 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -708,7 +708,6 @@ static void igc_configure_tx_ring(struct igc_adapter *adapter, + /* disable the queue */ + wr32(IGC_TXDCTL(reg_idx), 0); + wrfl(); +- mdelay(10); + + wr32(IGC_TDLEN(reg_idx), + ring->count * sizeof(union igc_adv_tx_desc)); +-- +2.39.2 + diff --git a/queue-5.15/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch b/queue-5.15/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch new file mode 100644 index 00000000000..d918c842dd1 --- /dev/null +++ b/queue-5.15/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch @@ -0,0 +1,39 @@ +From 588a2be7bea7d92cdfa528bd4b68700843bae107 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 11:09:01 -0700 +Subject: igc: set TP bit in 'supported' and 'advertising' fields of + ethtool_link_ksettings + +From: Prasad Koya + +[ Upstream commit 9ac3fc2f42e5ffa1e927dcbffb71b15fa81459e2 ] + +set TP bit in the 'supported' and 'advertising' fields. i225/226 parts +only support twisted pair copper. + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Signed-off-by: Prasad Koya +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index e0a76ac1bbbcd..859ddc07fbbfe 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1701,6 +1701,8 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev, + /* twisted pair */ + cmd->base.port = PORT_TP; + cmd->base.phy_address = hw->phy.addr; ++ ethtool_link_ksettings_add_link_mode(cmd, supported, TP); ++ ethtool_link_ksettings_add_link_mode(cmd, advertising, TP); + + /* advertising link modes */ + if (hw->phy.autoneg_advertised & ADVERTISE_10_HALF) +-- +2.39.2 + diff --git a/queue-5.15/ionic-remove-warn_on-to-prevent-panic_on_warn.patch b/queue-5.15/ionic-remove-warn_on-to-prevent-panic_on_warn.patch new file mode 100644 index 00000000000..2660a655e24 --- /dev/null +++ b/queue-5.15/ionic-remove-warn_on-to-prevent-panic_on_warn.patch @@ -0,0 +1,42 @@ +From 377bc5d0afdf35a34e63a584f51807b7d81dc4b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 11:20:06 -0700 +Subject: ionic: remove WARN_ON to prevent panic_on_warn + +From: Nitya Sunkad + +[ Upstream commit abfb2a58a5377ebab717d4362d6180f901b6e5c1 ] + +Remove unnecessary early code development check and the WARN_ON +that it uses. The irq alloc and free paths have long been +cleaned up and this check shouldn't have stuck around so long. + +Fixes: 77ceb68e29cc ("ionic: Add notifyq support") +Signed-off-by: Nitya Sunkad +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 6fbd2a51d66ce..2cc126d378353 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -451,11 +451,6 @@ static void ionic_qcqs_free(struct ionic_lif *lif) + static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq, + struct ionic_qcq *n_qcq) + { +- if (WARN_ON(n_qcq->flags & IONIC_QCQ_F_INTR)) { +- ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index); +- n_qcq->flags &= ~IONIC_QCQ_F_INTR; +- } +- + n_qcq->intr.vector = src_qcq->intr.vector; + n_qcq->intr.index = src_qcq->intr.index; + } +-- +2.39.2 + diff --git a/queue-5.15/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/queue-5.15/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch new file mode 100644 index 00000000000..787833f61bd --- /dev/null +++ b/queue-5.15/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch @@ -0,0 +1,53 @@ +From efe85c6893ae4fac909f925a76c4dd2c75b4015a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 14:59:10 +0800 +Subject: ipv6/addrconf: fix a potential refcount underflow for idev + +From: Ziyang Xuan + +[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] + +Now in addrconf_mod_rs_timer(), reference idev depends on whether +rs_timer is not pending. Then modify rs_timer timeout. + +There is a time gap in [1], during which if the pending rs_timer +becomes not pending. It will miss to hold idev, but the rs_timer +is activated. Thus rs_timer callback function addrconf_rs_timer() +will be executed and put idev later without holding idev. A refcount +underflow issue for idev can be caused by this. + + if (!timer_pending(&idev->rs_timer)) + in6_dev_hold(idev); + <--------------[1] + mod_timer(&idev->rs_timer, jiffies + when); + +To fix the issue, hold idev if mod_timer() return 0. + +Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") +Suggested-by: Eric Dumazet +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 6ba34f51c411f..e0d3909172a84 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -323,9 +323,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) + static void addrconf_mod_rs_timer(struct inet6_dev *idev, + unsigned long when) + { +- if (!timer_pending(&idev->rs_timer)) ++ if (!mod_timer(&idev->rs_timer, jiffies + when)) + in6_dev_hold(idev); +- mod_timer(&idev->rs_timer, jiffies + when); + } + + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, +-- +2.39.2 + diff --git a/queue-5.15/kernel-trace-fix-cleanup-logic-of-enable_trace_eprob.patch b/queue-5.15/kernel-trace-fix-cleanup-logic-of-enable_trace_eprob.patch new file mode 100644 index 00000000000..ae8885132d7 --- /dev/null +++ b/queue-5.15/kernel-trace-fix-cleanup-logic-of-enable_trace_eprob.patch @@ -0,0 +1,71 @@ +From 25fb63b80c864a4788aec31778e7dff5a315a323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 07:28:53 +0300 +Subject: kernel/trace: Fix cleanup logic of enable_trace_eprobe + +From: Tzvetomir Stoyanov (VMware) + +[ Upstream commit cf0a624dc706c306294c14e6b3e7694702f25191 ] + +The enable_trace_eprobe() function enables all event probes, attached +to given trace probe. If an error occurs in enabling one of the event +probes, all others should be roll backed. There is a bug in that roll +back logic - instead of all event probes, only the failed one is +disabled. + +Link: https://lore.kernel.org/all/20230703042853.1427493-1-tz.stoyanov@gmail.com/ + +Reported-by: Dan Carpenter +Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") +Signed-off-by: Tzvetomir Stoyanov (VMware) +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_eprobe.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c +index 9806316af1279..085f056e66f19 100644 +--- a/kernel/trace/trace_eprobe.c ++++ b/kernel/trace/trace_eprobe.c +@@ -725,6 +725,7 @@ static int enable_trace_eprobe(struct trace_event_call *call, + struct trace_eprobe *ep; + bool enabled; + int ret = 0; ++ int cnt = 0; + + tp = trace_probe_primary_from_call(call); + if (WARN_ON_ONCE(!tp)) +@@ -748,12 +749,25 @@ static int enable_trace_eprobe(struct trace_event_call *call, + if (ret) + break; + enabled = true; ++ cnt++; + } + + if (ret) { + /* Failed to enable one of them. Roll back all */ +- if (enabled) +- disable_eprobe(ep, file->tr); ++ if (enabled) { ++ /* ++ * It's a bug if one failed for something other than memory ++ * not being available but another eprobe succeeded. ++ */ ++ WARN_ON_ONCE(ret != -ENOMEM); ++ ++ list_for_each_entry(pos, trace_probe_probe_list(tp), list) { ++ ep = container_of(pos, struct trace_eprobe, tp); ++ disable_eprobe(ep, file->tr); ++ if (!--cnt) ++ break; ++ } ++ } + if (file) + trace_probe_remove_file(tp, file); + else +-- +2.39.2 + diff --git a/queue-5.15/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch b/queue-5.15/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch new file mode 100644 index 00000000000..55c41b098b0 --- /dev/null +++ b/queue-5.15/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch @@ -0,0 +1,55 @@ +From b332ea06653a19cb4f111ba3e9a526a9e8ec4491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 08:53:25 +0200 +Subject: net: bgmac: postpone turning IRQs off to avoid SoC hangs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit e7731194fdf085f46d58b1adccfddbd0dfee4873 ] + +Turning IRQs off is done by accessing Ethernet controller registers. +That can't be done until device's clock is enabled. It results in a SoC +hang otherwise. + +This bug remained unnoticed for years as most bootloaders keep all +Ethernet interfaces turned on. It seems to only affect a niche SoC +family BCM47189. It has two Ethernet controllers but CFE bootloader uses +only the first one. + +Fixes: 34322615cbaa ("net: bgmac: Mask interrupts during probe") +Signed-off-by: Rafał Miłecki +Reviewed-by: Michal Kubiak +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index f8fd65ab663ee..54ff28c9b2148 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -1492,8 +1492,6 @@ int bgmac_enet_probe(struct bgmac *bgmac) + + bgmac->in_init = true; + +- bgmac_chip_intrs_off(bgmac); +- + net_dev->irq = bgmac->irq; + SET_NETDEV_DEV(net_dev, bgmac->dev); + dev_set_drvdata(bgmac->dev, bgmac); +@@ -1511,6 +1509,8 @@ int bgmac_enet_probe(struct bgmac *bgmac) + */ + bgmac_clk_enable(bgmac, 0); + ++ bgmac_chip_intrs_off(bgmac); ++ + /* This seems to be fixing IRQ by assigning OOB #6 to the core */ + if (!(bgmac->feature_flags & BGMAC_FEAT_IDM_MASK)) { + if (bgmac->feature_flags & BGMAC_FEAT_IRQ_ID_OOB_6) +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch b/queue-5.15/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch new file mode 100644 index 00000000000..be0be45c1dc --- /dev/null +++ b/queue-5.15/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch @@ -0,0 +1,133 @@ +From eaf6ba5c401bce0407ef41a83ae165183d027eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 09:32:10 +0200 +Subject: net/mlx5e: Check for NOT_READY flag state after locking + +From: Vlad Buslov + +[ Upstream commit 65e64640e97c0f223e77f9ea69b5a46186b93470 ] + +Currently the check for NOT_READY flag is performed before obtaining the +necessary lock. This opens a possibility for race condition when the flow +is concurrently removed from unready_flows list by the workqueue task, +which causes a double-removal from the list and a crash[0]. Fix the issue +by moving the flag check inside the section protected by +uplink_priv->unready_flows_lock mutex. + +[0]: +[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP +[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1 +[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001 +[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0 +[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[44376.406339] Call Trace: +[44376.406651] +[44376.406939] ? die_addr+0x33/0x90 +[44376.407311] ? exc_general_protection+0x192/0x390 +[44376.407795] ? asm_exc_general_protection+0x22/0x30 +[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core] +[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core] +[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core] +[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core] +[44376.411043] tc_setup_cb_reoffload+0x22/0x80 +[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower] +[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.413044] tcf_block_playback_offloads+0x76/0x170 +[44376.413497] tcf_block_unbind+0x7b/0xd0 +[44376.413881] tcf_block_setup+0x17d/0x1c0 +[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130 +[44376.414725] tcf_block_offload_unbind+0x43/0x70 +[44376.415153] __tcf_block_put+0x82/0x150 +[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress] +[44376.415986] qdisc_destroy+0x3b/0xd0 +[44376.416343] qdisc_graft+0x4d0/0x620 +[44376.416706] tc_get_qdisc+0x1c9/0x3b0 +[44376.417074] rtnetlink_rcv_msg+0x29c/0x390 +[44376.419978] ? rep_movs_alternative+0x3a/0xa0 +[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120 +[44376.420813] netlink_rcv_skb+0x54/0x100 +[44376.421192] netlink_unicast+0x1f6/0x2c0 +[44376.421573] netlink_sendmsg+0x232/0x4a0 +[44376.421980] sock_sendmsg+0x38/0x60 +[44376.422328] ____sys_sendmsg+0x1d0/0x1e0 +[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0 +[44376.423127] ___sys_sendmsg+0x80/0xc0 +[44376.423495] ? ___sys_recvmsg+0x8b/0xc0 +[44376.423869] __sys_sendmsg+0x51/0x90 +[44376.424226] do_syscall_64+0x3d/0x90 +[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[44376.425046] RIP: 0033:0x7f045134f887 +[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +[44376.426914] RSP: 002b:00007ffd63a82b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[44376.427592] RAX: ffffffffffffffda RBX: 000000006481955f RCX: 00007f045134f887 +[44376.428195] RDX: 0000000000000000 RSI: 00007ffd63a82c00 RDI: 0000000000000003 +[44376.428796] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +[44376.429404] R10: 00007f0451208708 R11: 0000000000000246 R12: 0000000000000001 +[44376.430039] R13: 0000000000409980 R14: 000000000047e538 R15: 0000000000485400 +[44376.430644] +[44376.430907] Modules linked in: mlx5_ib mlx5_core act_mirred act_tunnel_key cls_flower vxlan dummy sch_ingress openvswitch nsh rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_g +ss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core] +[44376.433936] ---[ end trace 0000000000000000 ]--- +[44376.434373] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.434951] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.436452] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.436924] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.437530] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.438179] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001 +[44376.438786] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.439393] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.439998] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.440714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.441225] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0 +[44376.441843] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.442471] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: ad86755b18d5 ("net/mlx5e: Protect unready flows with dedicated lock") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 5cef556223e2c..d123d9b4adf5e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1282,7 +1282,8 @@ static void remove_unready_flow(struct mlx5e_tc_flow *flow) + uplink_priv = &rpriv->uplink_priv; + + mutex_lock(&uplink_priv->unready_flows_lock); +- unready_flow_del(flow); ++ if (flow_flag_test(flow, NOT_READY)) ++ unready_flow_del(flow); + mutex_unlock(&uplink_priv->unready_flows_lock); + } + +@@ -1525,8 +1526,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + esw_attr = attr->esw_attr; + mlx5e_put_flow_tunnel_id(flow); + +- if (flow_flag_test(flow, NOT_READY)) +- remove_unready_flow(flow); ++ remove_unready_flow(flow); + + if (mlx5e_is_offloaded_flow(flow)) { + if (flow_flag_test(flow, SLOW)) +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch b/queue-5.15/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch new file mode 100644 index 00000000000..3be3297ecde --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch @@ -0,0 +1,38 @@ +From 8c2284fd513f74f18890f19294ab4e05aa8e47d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 08:59:34 +0800 +Subject: net/mlx5e: fix double free in mlx5e_destroy_flow_table + +From: Zhengchao Shao + +[ Upstream commit 884abe45a9014d0de2e6edb0630dfd64f23f1d1b ] + +In function accel_fs_tcp_create_groups(), when the ft->g memory is +successfully allocated but the 'in' memory fails to be allocated, the +memory pointed to by ft->g is released once. And in function +accel_fs_tcp_create_table, mlx5e_destroy_flow_table is called to release +the memory pointed to by ft->g again. This will cause double free problem. + +Fixes: c062d52ac24c ("net/mlx5e: Receive flow steering framework for accelerated TCP flows") +Signed-off-by: Zhengchao Shao +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c +index 4c4ee524176c7..153c16e3ff3bf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c +@@ -194,6 +194,7 @@ static int accel_fs_tcp_create_groups(struct mlx5e_flow_table *ft, + in = kvzalloc(inlen, GFP_KERNEL); + if (!in || !ft->g) { + kfree(ft->g); ++ ft->g = NULL; + kvfree(in); + return -ENOMEM; + } +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5e-fix-memory-leak-in-mlx5e_ptp_open.patch b/queue-5.15/net-mlx5e-fix-memory-leak-in-mlx5e_ptp_open.patch new file mode 100644 index 00000000000..05bb9b4d3af --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-memory-leak-in-mlx5e_ptp_open.patch @@ -0,0 +1,44 @@ +From 216f20de5eb5d285043eccb89c7cbb4b37dd6e7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 09:49:03 +0800 +Subject: net/mlx5e: fix memory leak in mlx5e_ptp_open + +From: Zhengchao Shao + +[ Upstream commit d543b649ffe58a0cb4b6948b3305069c5980a1fa ] + +When kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory +pointed by "c" or "cparams" is not freed, which can lead to a memory +leak. Fix by freeing the array in the error path. + +Fixes: 145e5637d941 ("net/mlx5e: Add TX PTP port object support") +Signed-off-by: Zhengchao Shao +Reviewed-by: Rahul Rameshbabu +Reviewed-by: Gal Pressman +Reviewed-by: Simon Horman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c +index ee95cc3a03786..ce941e6091c57 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c +@@ -676,8 +676,10 @@ int mlx5e_ptp_open(struct mlx5e_priv *priv, struct mlx5e_params *params, + + c = kvzalloc_node(sizeof(*c), GFP_KERNEL, dev_to_node(mlx5_core_dma_dev(mdev))); + cparams = kvzalloc(sizeof(*cparams), GFP_KERNEL); +- if (!c || !cparams) +- return -ENOMEM; ++ if (!c || !cparams) { ++ err = -ENOMEM; ++ goto err_free; ++ } + + c->priv = priv; + c->mdev = priv->mdev; +-- +2.39.2 + diff --git a/queue-5.15/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/queue-5.15/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch new file mode 100644 index 00000000000..e0b160e3ef9 --- /dev/null +++ b/queue-5.15/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch @@ -0,0 +1,48 @@ +From 6987c59b41eac027a149a810085d2efbbdeea4ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 07:37:12 +0200 +Subject: net: mvneta: fix txq_map in case of txq_number==1 + +From: Klaus Kudielka + +[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] + +If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: +MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is +initialized. Fix this. + +Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") +Signed-off-by: Klaus Kudielka +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 5c431a3697622..f5b5ae58c2691 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1474,7 +1474,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == pp->rxq_def) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + + } else { + txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +@@ -4185,7 +4185,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == elected_cpu) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + else + txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & + MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +-- +2.39.2 + diff --git a/queue-5.15/net-prevent-skb-corruption-on-frag-list-segmentation.patch b/queue-5.15/net-prevent-skb-corruption-on-frag-list-segmentation.patch new file mode 100644 index 00000000000..9052c720eb7 --- /dev/null +++ b/queue-5.15/net-prevent-skb-corruption-on-frag-list-segmentation.patch @@ -0,0 +1,102 @@ +From e7d9176fca675a364948af3046519d0abca3f57a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 10:11:10 +0200 +Subject: net: prevent skb corruption on frag list segmentation + +From: Paolo Abeni + +[ Upstream commit c329b261afe71197d9da83c1f18eb45a7e97e089 ] + +Ian reported several skb corruptions triggered by rx-gro-list, +collecting different oops alike: + +[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 +[ 62.631083] #PF: supervisor read access in kernel mode +[ 62.636312] #PF: error_code(0x0000) - not-present page +[ 62.641541] PGD 0 P4D 0 +[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 +[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 +[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 +./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 +net/ipv4/udp_offload.c:277) +[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 +[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 +[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 +[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 +[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 +[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 +[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) +knlGS:0000000000000000 +[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 +[ 62.749948] Call Trace: +[ 62.752498] +[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) +[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) +[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) +[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 +net/core/dev.c:3659) +[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) +[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) +[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) +net/netfilter/core.c:626) +[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) +[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) +[ 62.829420] br_flood (net/bridge/br_forward.c:233) +[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) +[ 62.837403] br_handle_frame (net/bridge/br_input.c:298 +net/bridge/br_input.c:416) +[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) +[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) +[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 +net/core/dev.c:5727) +[ 62.876795] napi_complete_done (./include/linux/list.h:37 +./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) +[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) +[ 62.893534] __napi_poll (net/core/dev.c:6498) +[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 +net/core/dev.c:6640) +[ 62.905276] kthread (kernel/kthread.c:379) +[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) +[ 62.917119] + +In the critical scenario, rx-gro-list GRO-ed packets are fed, via a +bridge, both to the local input path and to an egress device (tun). + +The segmentation of such packets unsafely writes to the cloned skbs +with shared heads. + +This change addresses the issue by uncloning as needed the +to-be-segmented skbs. + +Reported-by: Ian Kumlien +Tested-by: Ian Kumlien +Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index f3850c88cdda2..e01dd4cad0fc0 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3882,6 +3882,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + + skb_push(skb, -skb_network_offset(skb) + offset); + ++ /* Ensure the head is writeable before touching the shared info */ ++ err = skb_unclone(skb, GFP_ATOMIC); ++ if (err) ++ goto err_linearize; ++ + skb_shinfo(skb)->frag_list = NULL; + + while (list_skb) { +-- +2.39.2 + diff --git a/queue-5.15/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch b/queue-5.15/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch new file mode 100644 index 00000000000..4d7b6a1c842 --- /dev/null +++ b/queue-5.15/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch @@ -0,0 +1,62 @@ +From 5cd2235cbcfe698a051c0c291ee3571932772730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 12:15:30 -0400 +Subject: net/sched: cls_fw: Fix improper refcount update leads to + use-after-free + +From: M A Ramdhan + +[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ] + +In the event of a failure in tcf_change_indev(), fw_set_parms() will +immediately return an error after incrementing or decrementing +reference counter in tcf_bind_filter(). If attacker can control +reference counter to zero and make reference freed, leading to +use after free. + +In order to prevent this, move the point of possible failure above the +point where the TC_FW_CLASSID is handled. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: M A Ramdhan +Signed-off-by: M A Ramdhan +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg> +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_fw.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c +index 8654b0ce997c1..ea52c320f67c4 100644 +--- a/net/sched/cls_fw.c ++++ b/net/sched/cls_fw.c +@@ -210,11 +210,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + if (err < 0) + return err; + +- if (tb[TCA_FW_CLASSID]) { +- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); +- tcf_bind_filter(tp, &f->res, base); +- } +- + if (tb[TCA_FW_INDEV]) { + int ret; + ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack); +@@ -231,6 +226,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + } else if (head->mask != 0xFFFFFFFF) + return err; + ++ if (tb[TCA_FW_CLASSID]) { ++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); ++ tcf_bind_filter(tp, &f->res, base); ++ } ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.15/net-sched-flower-ensure-both-minimum-and-maximum-por.patch b/queue-5.15/net-sched-flower-ensure-both-minimum-and-maximum-por.patch new file mode 100644 index 00000000000..392487bd5be --- /dev/null +++ b/queue-5.15/net-sched-flower-ensure-both-minimum-and-maximum-por.patch @@ -0,0 +1,82 @@ +From 44622fbc074e9b9ae5c44939d4a707ac687c3e4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 10:08:09 +0300 +Subject: net/sched: flower: Ensure both minimum and maximum ports are + specified + +From: Ido Schimmel + +[ Upstream commit d3f87278bcb80bd7f9519669d928b43320363d4f ] + +The kernel does not currently validate that both the minimum and maximum +ports of a port range are specified. This can lead user space to think +that a filter matching on a port range was successfully added, when in +fact it was not. For example, with a patched (buggy) iproute2 that only +sends the minimum port, the following commands do not return an error: + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass + + # tc filter show dev swp1 ingress + filter protocol ip pref 1 flower chain 0 + filter protocol ip pref 1 flower chain 0 handle 0x1 + eth_type ipv4 + ip_proto udp + not_in_hw + action order 1: gact action pass + random type none pass val 0 + index 1 ref 1 bind 1 + + filter protocol ip pref 1 flower chain 0 handle 0x2 + eth_type ipv4 + ip_proto udp + not_in_hw + action order 1: gact action pass + random type none pass val 0 + index 2 ref 1 bind 1 + +Fix by returning an error unless both ports are specified: + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass + Error: Both min and max source ports must be specified. + We have an error talking to the kernel + + # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass + Error: Both min and max destination ports must be specified. + We have an error talking to the kernel + +Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index ee137d5c20a4f..bff0a5f24aca8 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -784,6 +784,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, + TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src, + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); + ++ if (mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst) { ++ NL_SET_ERR_MSG(extack, ++ "Both min and max destination ports must be specified"); ++ return -EINVAL; ++ } ++ if (mask->tp_range.tp_min.src != mask->tp_range.tp_max.src) { ++ NL_SET_ERR_MSG(extack, ++ "Both min and max source ports must be specified"); ++ return -EINVAL; ++ } + if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && + ntohs(key->tp_range.tp_max.dst) <= + ntohs(key->tp_range.tp_min.dst)) { +-- +2.39.2 + diff --git a/queue-5.15/net-sched-make-psched_mtu-rtnl-less-safe.patch b/queue-5.15/net-sched-make-psched_mtu-rtnl-less-safe.patch new file mode 100644 index 00000000000..08d95286a3b --- /dev/null +++ b/queue-5.15/net-sched-make-psched_mtu-rtnl-less-safe.patch @@ -0,0 +1,49 @@ +From df78367e2626cd92a32e4625af3b52a641f51857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 23:16:34 -0300 +Subject: net/sched: make psched_mtu() RTNL-less safe + +From: Pedro Tammela + +[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ] + +Eric Dumazet says[1]: +------- +Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it +without holding RTNL, so dev->mtu can be changed underneath. +KCSAN could issue a warning. +------- + +Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning. + +[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/ + +v1 -> v2: Fix commit message + +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Suggested-by: Eric Dumazet +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/pkt_sched.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h +index 9cd2d4e84913f..d0d9dd2483dd3 100644 +--- a/include/net/pkt_sched.h ++++ b/include/net/pkt_sched.h +@@ -141,7 +141,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1]; + */ + static inline unsigned int psched_mtu(const struct net_device *dev) + { +- return dev->mtu + dev->hard_header_len; ++ return READ_ONCE(dev->mtu) + dev->hard_header_len; + } + + static inline struct net *qdisc_net(struct Qdisc *q) +-- +2.39.2 + diff --git a/queue-5.15/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch b/queue-5.15/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch new file mode 100644 index 00000000000..422ff5bc980 --- /dev/null +++ b/queue-5.15/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch @@ -0,0 +1,96 @@ +From bc4da92bf8187d27dfa4d9cd8c4a72d1f2c94199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 18:01:02 -0300 +Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue + +From: Pedro Tammela + +[ Upstream commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 ] + +Lion says: +------- +In the QFQ scheduler a similar issue to CVE-2023-31436 +persists. + +Consider the following code in net/sched/sch_qfq.c: + +static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, + struct sk_buff **to_free) +{ + unsigned int len = qdisc_pkt_len(skb), gso_segs; + + // ... + + if (unlikely(cl->agg->lmax < len)) { + pr_debug("qfq: increasing maxpkt from %u to %u for class %u", + cl->agg->lmax, len, cl->common.classid); + err = qfq_change_agg(sch, cl, cl->agg->class_weight, len); + if (err) { + cl->qstats.drops++; + return qdisc_drop(skb, sch, to_free); + } + + // ... + + } + +Similarly to CVE-2023-31436, "lmax" is increased without any bounds +checks according to the packet length "len". Usually this would not +impose a problem because packet sizes are naturally limited. + +This is however not the actual packet length, rather the +"qdisc_pkt_len(skb)" which might apply size transformations according to +"struct qdisc_size_table" as created by "qdisc_get_stab()" in +net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc. + +A user may choose virtually any size using such a table. + +As a result the same issue as in CVE-2023-31436 can occur, allowing heap +out-of-bounds read / writes in the kmalloc-8192 cache. +------- + +We can create the issue with the following commands: + +tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \ +overhead 999999999 linklayer ethernet qfq +tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k +tc filter add dev $DEV parent 1: matchall classid 1:1 +ping -I $DEV 1.1.1.2 + +This is caused by incorrectly assuming that qdisc_pkt_len() returns a +length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: Lion +Reviewed-by: Eric Dumazet +Signed-off-by: Jamal Hadi Salim +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 8fb30b20425f8..3ba6a766601cf 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -381,8 +381,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight, + u32 lmax) + { + struct qfq_sched *q = qdisc_priv(sch); +- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight); ++ struct qfq_aggregate *new_agg; + ++ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */ ++ if (lmax > QFQ_MAX_LMAX) ++ return -EINVAL; ++ ++ new_agg = qfq_find_agg(q, lmax, weight); + if (new_agg == NULL) { /* create new aggregate */ + new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC); + if (new_agg == NULL) +-- +2.39.2 + diff --git a/queue-5.15/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch b/queue-5.15/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch new file mode 100644 index 00000000000..f230af07292 --- /dev/null +++ b/queue-5.15/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch @@ -0,0 +1,87 @@ +From dd001548e7c56b718402923a327fac8681e8fec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Apr 2023 12:56:11 -0300 +Subject: net/sched: sch_qfq: refactor parsing of netlink parameters + +From: Pedro Tammela + +[ Upstream commit 25369891fcef373540f8b4e0b3bccf77a04490d5 ] + +Two parameters can be transformed into netlink policies and +validated while parsing the netlink message. + +Reviewed-by: Simon Horman +Acked-by: Jamal Hadi Salim +Signed-off-by: Pedro Tammela +Signed-off-by: David S. Miller +Stable-dep-of: 3e337087c3b5 ("net/sched: sch_qfq: account for stab overhead in qfq_enqueue") +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 4c51aeb78f141..8fb30b20425f8 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -113,6 +113,7 @@ + + #define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */ + #define QFQ_MIN_LMAX 512 /* see qfq_slot_insert */ ++#define QFQ_MAX_LMAX (1UL << QFQ_MTU_SHIFT) + + #define QFQ_MAX_AGG_CLASSES 8 /* max num classes per aggregate allowed */ + +@@ -214,9 +215,14 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid) + return container_of(clc, struct qfq_class, common); + } + ++static struct netlink_range_validation lmax_range = { ++ .min = QFQ_MIN_LMAX, ++ .max = QFQ_MAX_LMAX, ++}; ++ + static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = { +- [TCA_QFQ_WEIGHT] = { .type = NLA_U32 }, +- [TCA_QFQ_LMAX] = { .type = NLA_U32 }, ++ [TCA_QFQ_WEIGHT] = NLA_POLICY_RANGE(NLA_U32, 1, QFQ_MAX_WEIGHT), ++ [TCA_QFQ_LMAX] = NLA_POLICY_FULL_RANGE(NLA_U32, &lmax_range), + }; + + /* +@@ -408,17 +414,13 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + } + + err = nla_parse_nested_deprecated(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS], +- qfq_policy, NULL); ++ qfq_policy, extack); + if (err < 0) + return err; + +- if (tb[TCA_QFQ_WEIGHT]) { ++ if (tb[TCA_QFQ_WEIGHT]) + weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]); +- if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) { +- pr_notice("qfq: invalid weight %u\n", weight); +- return -EINVAL; +- } +- } else ++ else + weight = 1; + + if (tb[TCA_QFQ_LMAX]) +@@ -426,11 +428,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + else + lmax = psched_mtu(qdisc_dev(sch)); + +- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { +- pr_notice("qfq: invalid max length %u\n", lmax); +- return -EINVAL; +- } +- + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +-- +2.39.2 + diff --git a/queue-5.15/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch b/queue-5.15/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch new file mode 100644 index 00000000000..64f1cd0de3b --- /dev/null +++ b/queue-5.15/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch @@ -0,0 +1,55 @@ +From 545d27957daccdd4feda04e785a0256c46ac004a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 11:52:26 +0300 +Subject: netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write() + +From: Dan Carpenter + +[ Upstream commit f72207a5c0dbaaf6921cf9a6c0d2fd0bc249ea78 ] + +The simple_write_to_buffer() function is designed to handle partial +writes. It returns negatives on error, otherwise it returns the number +of bytes that were able to be copied. This code doesn't check the +return properly. We only know that the first byte is written, the rest +of the buffer might be uninitialized. + +There is no need to use the simple_write_to_buffer() function. +Partial writes are prohibited by the "if (*ppos != 0)" check at the +start of the function. Just use memdup_user() and copy the whole +buffer. + +Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata") +Signed-off-by: Dan Carpenter +Reviewed-by: Pavan Chebbi +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/7c1f950b-3a7d-4252-82a6-876e53078ef7@moroto.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/dev.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 94490dfae6568..a7279356299af 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -168,13 +168,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file, + cookie_len = (count - 1) / 2; + if ((count - 1) % 2) + return -EINVAL; +- buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN); +- if (!buf) +- return -ENOMEM; + +- ret = simple_write_to_buffer(buf, count, ppos, data, count); +- if (ret < 0) +- goto free_buf; ++ buf = memdup_user(data, count); ++ if (IS_ERR(buf)) ++ return PTR_ERR(buf); + + fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len, + GFP_KERNEL | __GFP_NOWARN); +-- +2.39.2 + diff --git a/queue-5.15/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/queue-5.15/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 00000000000..1acb50df7c3 --- /dev/null +++ b/queue-5.15/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch @@ -0,0 +1,64 @@ +From 7a3367eb6384d797bcdb727dcd047d232a3a41ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 87847c3800516..1c03a78c125b0 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1336,12 +1336,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.15/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/queue-5.15/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 00000000000..3301e93bcf1 --- /dev/null +++ b/queue-5.15/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch @@ -0,0 +1,66 @@ +From 6138a10490cf126eb0122ccc1d95553a24bbd4ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: ntb: idt: Fix error handling in idt_pci_driver_init() + +From: Yuan Can + +[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index 733557231ed0b..72060acb9cafc 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2891,6 +2891,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2898,7 +2899,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.15/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/queue-5.15/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 00000000000..a75160bc4f2 --- /dev/null +++ b/queue-5.15/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch @@ -0,0 +1,65 @@ +From 95fe5c8810bafa8b84d1e7ab1a995ca4a8fcb871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index e5f14e20a9ff7..41897167abc71 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2060,12 +2060,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/queue-5.15/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/queue-5.15/ntb-ntb_tool-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..5ab539fe07f --- /dev/null +++ b/queue-5.15/ntb-ntb_tool-add-check-for-devm_kcalloc.patch @@ -0,0 +1,39 @@ +From fd1eae568cc3501fd2054b3b56a21a47c615394e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: NTB: ntb_tool: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 5ee0afa621a95..eeeb4b1c97d2c 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.39.2 + diff --git a/queue-5.15/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/queue-5.15/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 00000000000..5d1f0425de8 --- /dev/null +++ b/queue-5.15/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch @@ -0,0 +1,42 @@ +From 941723092892a50b12ab43d8de7f97457df1c671 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: NTB: ntb_transport: fix possible memory leak while device_register() + fails + +From: Yang Yingliang + +[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index a9b97ebc71ac5..2abd2235bbcab 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -410,7 +410,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.39.2 + diff --git a/queue-5.15/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch b/queue-5.15/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch new file mode 100644 index 00000000000..79c05d4264f --- /dev/null +++ b/queue-5.15/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch @@ -0,0 +1,40 @@ +From ec938d787af448ae6f83fabdf14cb5dc51f7c9d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:26:20 +0800 +Subject: nvme-pci: fix DMA direction of unmapping integrity data + +From: Ming Lei + +[ Upstream commit b8f6446b6853768cb99e7c201bddce69ca60c15e ] + +DMA direction should be taken in dma_unmap_page() for unmapping integrity +data. + +Fix this DMA direction, and reported in Guangwu's test. + +Reported-by: Guangwu Zhang +Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 26b315c5025ad..bb3813e8474f4 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -965,7 +965,7 @@ static void nvme_pci_complete_rq(struct request *req) + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); + + dma_unmap_page(dev->dev, iod->meta_dma, +- rq_integrity_vec(req)->bv_len, rq_data_dir(req)); ++ rq_integrity_vec(req)->bv_len, rq_dma_dir(req)); + } + + if (blk_rq_nr_phys_segments(req)) +-- +2.39.2 + diff --git a/queue-5.15/nvme-pci-remove-nvme_queue-from-nvme_iod.patch b/queue-5.15/nvme-pci-remove-nvme_queue-from-nvme_iod.patch new file mode 100644 index 00000000000..7fa7777eda9 --- /dev/null +++ b/queue-5.15/nvme-pci-remove-nvme_queue-from-nvme_iod.patch @@ -0,0 +1,121 @@ +From 2949c5431c2aa6a207eb437ab0e8e6a223f79bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 09:07:35 -0700 +Subject: nvme-pci: remove nvme_queue from nvme_iod + +From: Keith Busch + +[ Upstream commit a53232cb3abef51524f06ee9d8fbc3364ad95794 ] + +We can get the nvme_queue from the req just as easily, so remove the +duplicate path to the same structure to save some space. + +Signed-off-by: Keith Busch +Signed-off-by: Christoph Hellwig +Stable-dep-of: b8f6446b6853 ("nvme-pci: fix DMA direction of unmapping integrity data") +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index a646757f76b34..26b315c5025ad 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -224,7 +224,6 @@ struct nvme_queue { + struct nvme_iod { + struct nvme_request req; + struct nvme_command cmd; +- struct nvme_queue *nvmeq; + bool use_sgl; + int aborted; + int npages; /* In the PRP list. 0 means small pool in use */ +@@ -422,11 +421,6 @@ static int nvme_init_request(struct blk_mq_tag_set *set, struct request *req, + { + struct nvme_dev *dev = set->driver_data; + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); +- int queue_idx = (set == &dev->tagset) ? hctx_idx + 1 : 0; +- struct nvme_queue *nvmeq = &dev->queues[queue_idx]; +- +- BUG_ON(!nvmeq); +- iod->nvmeq = nvmeq; + + nvme_req(req)->ctrl = &dev->ctrl; + nvme_req(req)->cmd = &iod->cmd; +@@ -529,7 +523,7 @@ static void **nvme_pci_iod_list(struct request *req) + + static inline bool nvme_pci_use_sgls(struct nvme_dev *dev, struct request *req) + { +- struct nvme_iod *iod = blk_mq_rq_to_pdu(req); ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; + int nseg = blk_rq_nr_phys_segments(req); + unsigned int avg_seg_size; + +@@ -537,7 +531,7 @@ static inline bool nvme_pci_use_sgls(struct nvme_dev *dev, struct request *req) + + if (!nvme_ctrl_sgl_supported(&dev->ctrl)) + return false; +- if (!iod->nvmeq->qid) ++ if (!nvmeq->qid) + return false; + if (!sgl_threshold || avg_seg_size < sgl_threshold) + return false; +@@ -846,6 +840,7 @@ static blk_status_t nvme_map_data(struct nvme_dev *dev, struct request *req, + int nr_mapped; + + if (blk_rq_nr_phys_segments(req) == 1) { ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; + struct bio_vec bv = req_bvec(req); + + if (!is_pci_p2pdma_page(bv.bv_page)) { +@@ -853,7 +848,7 @@ static blk_status_t nvme_map_data(struct nvme_dev *dev, struct request *req, + return nvme_setup_prp_simple(dev, req, + &cmnd->rw, &bv); + +- if (iod->nvmeq->qid && sgl_threshold && ++ if (nvmeq->qid && sgl_threshold && + nvme_ctrl_sgl_supported(&dev->ctrl)) + return nvme_setup_sgl_simple(dev, req, + &cmnd->rw, &bv); +@@ -963,12 +958,16 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx, + + static void nvme_pci_complete_rq(struct request *req) + { +- struct nvme_iod *iod = blk_mq_rq_to_pdu(req); +- struct nvme_dev *dev = iod->nvmeq->dev; ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; ++ struct nvme_dev *dev = nvmeq->dev; ++ ++ if (blk_integrity_rq(req)) { ++ struct nvme_iod *iod = blk_mq_rq_to_pdu(req); + +- if (blk_integrity_rq(req)) + dma_unmap_page(dev->dev, iod->meta_dma, + rq_integrity_vec(req)->bv_len, rq_data_dir(req)); ++ } ++ + if (blk_rq_nr_phys_segments(req)) + nvme_unmap_data(dev, req); + nvme_complete_rq(req); +@@ -1194,8 +1193,7 @@ static int adapter_delete_sq(struct nvme_dev *dev, u16 sqid) + + static void abort_endio(struct request *req, blk_status_t error) + { +- struct nvme_iod *iod = blk_mq_rq_to_pdu(req); +- struct nvme_queue *nvmeq = iod->nvmeq; ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; + + dev_warn(nvmeq->dev->ctrl.device, + "Abort status: 0x%x", nvme_req(req)->status); +@@ -1249,7 +1247,7 @@ static void nvme_warn_reset(struct nvme_dev *dev, u32 csts) + static enum blk_eh_timer_return nvme_timeout(struct request *req, bool reserved) + { + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); +- struct nvme_queue *nvmeq = iod->nvmeq; ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; + struct nvme_dev *dev = nvmeq->dev; + struct request *abort_req; + struct nvme_command cmd = { }; +-- +2.39.2 + diff --git a/queue-5.15/octeontx2-pf-add-additional-check-for-mcam-rules.patch b/queue-5.15/octeontx2-pf-add-additional-check-for-mcam-rules.patch new file mode 100644 index 00000000000..1e1828ccee1 --- /dev/null +++ b/queue-5.15/octeontx2-pf-add-additional-check-for-mcam-rules.patch @@ -0,0 +1,71 @@ +From e1868fd98f774cd9994c7d3b52d188104e5ff612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 16:00:27 +0530 +Subject: octeontx2-pf: Add additional check for MCAM rules + +From: Suman Ghosh + +[ Upstream commit 8278ee2a2646b9acf747317895e47a640ba933c9 ] + +Due to hardware limitation, MCAM drop rule with +ether_type == 802.1Q and vlan_id == 0 is not supported. Hence rejecting +such rules. + +Fixes: dce677da57c0 ("octeontx2-pf: Add vlan-etype to ntuple filters") +Signed-off-by: Suman Ghosh +Link: https://lore.kernel.org/r/20230710103027.2244139-1-sumang@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_flows.c | 8 ++++++++ + .../net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 15 +++++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +index 63889449b8f61..483f660cebc40 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +@@ -827,6 +827,14 @@ static int otx2_prepare_flow_request(struct ethtool_rx_flow_spec *fsp, + return -EINVAL; + + vlan_etype = be16_to_cpu(fsp->h_ext.vlan_etype); ++ ++ /* Drop rule with vlan_etype == 802.1Q ++ * and vlan_id == 0 is not supported ++ */ ++ if (vlan_etype == ETH_P_8021Q && !fsp->m_ext.vlan_tci && ++ fsp->ring_cookie == RX_CLS_FLOW_DISC) ++ return -EINVAL; ++ + /* Only ETH_P_8021Q and ETH_P_802AD types supported */ + if (vlan_etype != ETH_P_8021Q && + vlan_etype != ETH_P_8021AD) +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c +index a42373e6f2593..26231c59b0241 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c +@@ -536,6 +536,21 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node, + return -EOPNOTSUPP; + } + ++ if (!match.mask->vlan_id) { ++ struct flow_action_entry *act; ++ int i; ++ ++ flow_action_for_each(i, act, &rule->action) { ++ if (act->id == FLOW_ACTION_DROP) { ++ netdev_err(nic->netdev, ++ "vlan tpid 0x%x with vlan_id %d is not supported for DROP rule.\n", ++ ntohs(match.key->vlan_tpid), ++ match.key->vlan_id); ++ return -EOPNOTSUPP; ++ } ++ } ++ } ++ + if (match.mask->vlan_id || + match.mask->vlan_dei || + match.mask->vlan_priority) { +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-wmi-break-possible-infinite-loop-when-p.patch b/queue-5.15/platform-x86-wmi-break-possible-infinite-loop-when-p.patch new file mode 100644 index 00000000000..06452ada256 --- /dev/null +++ b/queue-5.15/platform-x86-wmi-break-possible-infinite-loop-when-p.patch @@ -0,0 +1,84 @@ +From b699e076bfd54e82c238f8758903584e83f2c020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 18:11:54 +0300 +Subject: platform/x86: wmi: Break possible infinite loop when parsing GUID + +From: Andy Shevchenko + +[ Upstream commit 028e6e204ace1f080cfeacd72c50397eb8ae8883 ] + +The while-loop may break on one of the two conditions, either ID string +is empty or GUID matches. The second one, may never be reached if the +parsed string is not correct GUID. In such a case the loop will never +advance to check the next ID. + +Break possible infinite loop by factoring out guid_parse_and_compare() +helper which may be moved to the generic header for everyone later on +and preventing from similar mistake in the future. + +Interestingly that firstly it appeared when WMI was turned into a bus +driver, but later when duplicated GUIDs were checked, the while-loop +has been replaced by for-loop and hence no mistake made again. + +Fixes: a48e23385fcf ("platform/x86: wmi: add context pointer field to struct wmi_device_id") +Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230621151155.78279-1-andriy.shevchenko@linux.intel.com +Tested-by: Armin Wolf +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 6a51220c37a2b..7ce0408d3bfdd 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -133,6 +133,16 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + return false; + } + ++static bool guid_parse_and_compare(const char *string, const guid_t *guid) ++{ ++ guid_t guid_input; ++ ++ if (guid_parse(string, &guid_input)) ++ return false; ++ ++ return guid_equal(&guid_input, guid); ++} ++ + static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { +@@ -145,11 +155,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { +- guid_t guid_input; +- +- if (guid_parse(id->guid_string, &guid_input)) +- continue; +- if (guid_equal(&wblock->gblock.guid, &guid_input)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return id->context; + id++; + } +@@ -811,11 +817,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + return 0; + + while (*id->guid_string) { +- guid_t driver_guid; +- +- if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) +- continue; +- if (guid_equal(&driver_guid, &wblock->gblock.guid)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return 1; + + id++; +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-wmi-move-variables.patch b/queue-5.15/platform-x86-wmi-move-variables.patch new file mode 100644 index 00000000000..15e0b0f2d29 --- /dev/null +++ b/queue-5.15/platform-x86-wmi-move-variables.patch @@ -0,0 +1,80 @@ +From bb3aa58a0937fa07d34d0a2acf165bbed5b50555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:10 +0000 +Subject: platform/x86: wmi: move variables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit f5431bf1e6781e876bdc8ae10fb1e7da6f1aa9b5 ] + +Move some variables in order to keep them +in the narrowest possible scope. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-22-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index d55770711a831..6a51220c37a2b 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -137,7 +137,6 @@ static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { + const struct wmi_device_id *id; +- guid_t guid_input; + + if (wblock == NULL || wdriver == NULL) + return NULL; +@@ -146,6 +145,8 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { ++ guid_t guid_input; ++ + if (guid_parse(id->guid_string, &guid_input)) + continue; + if (guid_equal(&wblock->gblock.guid, &guid_input)) +@@ -618,7 +619,6 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + { + struct acpi_object_list input; + union acpi_object params[1]; +- struct guid_block *gblock; + struct wmi_block *wblock; + + input.count = 1; +@@ -627,7 +627,7 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + params[0].integer.value = event; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- gblock = &wblock->gblock; ++ struct guid_block *gblock = &wblock->gblock; + + if ((gblock->flags & ACPI_WMI_EVENT) && + (gblock->notify_id == event)) +@@ -1282,12 +1282,11 @@ acpi_wmi_ec_space_handler(u32 function, acpi_physical_address address, + static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + void *context) + { +- struct guid_block *block; + struct wmi_block *wblock; + bool found_it = false; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- block = &wblock->gblock; ++ struct guid_block *block = &wblock->gblock; + + if (wblock->acpi_device->handle == handle && + (block->flags & ACPI_WMI_EVENT) && +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-wmi-remove-unnecessary-argument.patch b/queue-5.15/platform-x86-wmi-remove-unnecessary-argument.patch new file mode 100644 index 00000000000..93ed25dcbfe --- /dev/null +++ b/queue-5.15/platform-x86-wmi-remove-unnecessary-argument.patch @@ -0,0 +1,75 @@ +From b39874d4130dbd333f1f8d07508a1de2694a475c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:16 +0000 +Subject: platform/x86: wmi: remove unnecessary argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 84eacf7e6413d5e2d2f4f9dddf9216c18a3631cf ] + +The GUID block is available for `wmi_create_device()` +through `wblock->gblock`. Use that consistently in +the function instead of using a mix of `gblock` and +`wblock->gblock`. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-8-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index c4f917d45b51d..529f725271e99 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1046,7 +1046,6 @@ static const struct device_type wmi_type_data = { + }; + + static int wmi_create_device(struct device *wmi_bus_dev, +- const struct guid_block *gblock, + struct wmi_block *wblock, + struct acpi_device *device) + { +@@ -1054,12 +1053,12 @@ static int wmi_create_device(struct device *wmi_bus_dev, + char method[5]; + int result; + +- if (gblock->flags & ACPI_WMI_EVENT) { ++ if (wblock->gblock.flags & ACPI_WMI_EVENT) { + wblock->dev.dev.type = &wmi_type_event; + goto out_init; + } + +- if (gblock->flags & ACPI_WMI_METHOD) { ++ if (wblock->gblock.flags & ACPI_WMI_METHOD) { + wblock->dev.dev.type = &wmi_type_method; + mutex_init(&wblock->char_mutex); + goto out_init; +@@ -1109,7 +1108,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", gblock->guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1201,7 +1200,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + wblock->acpi_device = device; + wblock->gblock = gblock[i]; + +- retval = wmi_create_device(wmi_bus_dev, &gblock[i], wblock, device); ++ retval = wmi_create_device(wmi_bus_dev, wblock, device); + if (retval) { + kfree(wblock); + continue; +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-wmi-use-guid_t-and-guid_equal.patch b/queue-5.15/platform-x86-wmi-use-guid_t-and-guid_equal.patch new file mode 100644 index 00000000000..9767aac42bf --- /dev/null +++ b/queue-5.15/platform-x86-wmi-use-guid_t-and-guid_equal.patch @@ -0,0 +1,177 @@ +From bf3bf85fd547854a57a1b4a114bf75bfe407d556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:39 +0000 +Subject: platform/x86: wmi: use guid_t and guid_equal() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 67f472fdacf4a691b1c3c20c27800b23ce31e2de ] + +Instead of hard-coding a 16 long byte array, +use the available `guid_t` type and related methods. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-15-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 529f725271e99..d55770711a831 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -39,7 +39,7 @@ MODULE_LICENSE("GPL"); + static LIST_HEAD(wmi_block_list); + + struct guid_block { +- char guid[16]; ++ guid_t guid; + union { + char object_id[2]; + struct { +@@ -124,7 +124,7 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + list_for_each_entry(wblock, &wmi_block_list, list) { + block = &wblock->gblock; + +- if (memcmp(block->guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->guid, &guid_input)) { + if (out) + *out = wblock; + return true; +@@ -148,7 +148,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + while (*id->guid_string) { + if (guid_parse(id->guid_string, &guid_input)) + continue; +- if (!memcmp(wblock->gblock.guid, &guid_input, 16)) ++ if (guid_equal(&wblock->gblock.guid, &guid_input)) + return id->context; + id++; + } +@@ -460,7 +460,7 @@ EXPORT_SYMBOL_GPL(wmi_set_block); + + static void wmi_dump_wdg(const struct guid_block *g) + { +- pr_info("%pUL:\n", g->guid); ++ pr_info("%pUL:\n", &g->guid); + if (g->flags & ACPI_WMI_EVENT) + pr_info("\tnotify_id: 0x%02X\n", g->notify_id); + else +@@ -542,7 +542,7 @@ wmi_notify_handler handler, void *data) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (block->handler && + block->handler != wmi_notify_debug) + return AE_ALREADY_ACQUIRED; +@@ -582,7 +582,7 @@ acpi_status wmi_remove_notify_handler(const char *guid) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (!block->handler || + block->handler == wmi_notify_debug) + return AE_NULL_ENTRY; +@@ -693,7 +693,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "wmi:%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "wmi:%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(modalias); + +@@ -702,7 +702,7 @@ static ssize_t guid_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(guid); + +@@ -785,10 +785,10 @@ static int wmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env) + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- if (add_uevent_var(env, "MODALIAS=wmi:%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "MODALIAS=wmi:%pUL", &wblock->gblock.guid)) + return -ENOMEM; + +- if (add_uevent_var(env, "WMI_GUID=%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "WMI_GUID=%pUL", &wblock->gblock.guid)) + return -ENOMEM; + + return 0; +@@ -815,7 +815,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + + if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) + continue; +- if (!memcmp(&driver_guid, wblock->gblock.guid, 16)) ++ if (guid_equal(&driver_guid, &wblock->gblock.guid)) + return 1; + + id++; +@@ -1108,7 +1108,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", &wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1128,12 +1128,12 @@ static void wmi_free_devices(struct acpi_device *device) + } + } + +-static bool guid_already_parsed(struct acpi_device *device, const u8 *guid) ++static bool guid_already_parsed(struct acpi_device *device, const guid_t *guid) + { + struct wmi_block *wblock; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- if (memcmp(wblock->gblock.guid, guid, 16) == 0) { ++ if (guid_equal(&wblock->gblock.guid, guid)) { + /* + * Because we historically didn't track the relationship + * between GUIDs and ACPI nodes, we don't know whether +@@ -1188,7 +1188,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + * case yet, so for now, we'll just ignore the duplicate + * for device creation. + */ +- if (guid_already_parsed(device, gblock[i].guid)) ++ if (guid_already_parsed(device, &gblock[i].guid)) + continue; + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); +@@ -1225,7 +1225,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + retval = device_add(&wblock->dev.dev); + if (retval) { + dev_err(wmi_bus_dev, "failed to register %pUL\n", +- wblock->gblock.guid); ++ &wblock->gblock.guid); + if (debug_event) + wmi_method_enable(wblock, 0); + list_del(&wblock->list); +@@ -1333,7 +1333,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + } + + if (debug_event) +- pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid); ++ pr_info("DEBUG Event GUID: %pUL\n", &wblock->gblock.guid); + + acpi_bus_generate_netlink_event( + wblock->acpi_device->pnp.device_class, +-- +2.39.2 + diff --git a/queue-5.15/riscv-bpf-fix-inconsistent-jit-image-generation.patch b/queue-5.15/riscv-bpf-fix-inconsistent-jit-image-generation.patch new file mode 100644 index 00000000000..bfc522d6093 --- /dev/null +++ b/queue-5.15/riscv-bpf-fix-inconsistent-jit-image-generation.patch @@ -0,0 +1,137 @@ +From 5bf82cf91133bef91c06c0975ea8b26b24e3a36c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 09:41:31 +0200 +Subject: riscv, bpf: Fix inconsistent JIT image generation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit c56fb2aab23505bb7160d06097c8de100b82b851 ] + +In order to generate the prologue and epilogue, the BPF JIT needs to +know which registers that are clobbered. Therefore, the during +pre-final passes, the prologue is generated after the body of the +program body-prologue-epilogue. Then, in the final pass, a proper +prologue-body-epilogue JITted image is generated. + +This scheme has worked most of the time. However, for some large +programs with many jumps, e.g. the test_kmod.sh BPF selftest with +hardening enabled (blinding constants), this has shown to be +incorrect. For the final pass, when the proper prologue-body-epilogue +is generated, the image has not converged. This will lead to that the +final image will have incorrect jump offsets. The following is an +excerpt from an incorrect image: + + | ... + | 3b8: 00c50663 beq a0,a2,3c4 <.text+0x3c4> + | 3bc: 0020e317 auipc t1,0x20e + | 3c0: 49630067 jalr zero,1174(t1) # 20e852 <.text+0x20e852> + | ... + | 20e84c: 8796 c.mv a5,t0 + | 20e84e: 6422 c.ldsp s0,8(sp) # Epilogue start + | 20e850: 6141 c.addi16sp sp,16 + | 20e852: 853e c.mv a0,a5 # Incorrect jump target + | 20e854: 8082 c.jr ra + +The image has shrunk, and the epilogue offset is incorrect in the +final pass. + +Correct the problem by always generating proper prologue-body-epilogue +outputs, which means that the first pass will only generate the body +to track what registers that are touched. + +Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230710074131.19596-1-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 6 +++--- + arch/riscv/net/bpf_jit_core.c | 19 +++++++++++++------ + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index ab0cd6d10ccf3..ef336fe160044 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,7 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; +- int body_len; ++ int prologue_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +@@ -215,8 +215,8 @@ static inline int rv_offset(int insn, int off, struct rv_jit_context *ctx) + int from, to; + + off++; /* BPF branch is from PC+1, RV is from PC */ +- from = (insn > 0) ? ctx->offset[insn - 1] : 0; +- to = (insn + off > 0) ? ctx->offset[insn + off - 1] : 0; ++ from = (insn > 0) ? ctx->offset[insn - 1] : ctx->prologue_len; ++ to = (insn + off > 0) ? ctx->offset[insn + off - 1] : ctx->prologue_len; + return ninsns_rvoff(to - from); + } + +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index ff644452b88db..b95c60f663d44 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, prologue_len, i; ++ int pass = 0, prev_ninsns = 0, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -83,6 +83,12 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ++ if (build_body(ctx, extra_pass, NULL)) { ++ prog = orig_prog; ++ goto out_offset; ++ } ++ + for (i = 0; i < prog->len; i++) { + prev_ninsns += 32; + ctx->offset[i] = prev_ninsns; +@@ -91,12 +97,15 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + for (i = 0; i < NR_JIT_ITERATIONS; i++) { + pass++; + ctx->ninsns = 0; ++ ++ bpf_jit_build_prologue(ctx); ++ ctx->prologue_len = ctx->ninsns; ++ + if (build_body(ctx, extra_pass, ctx->offset)) { + prog = orig_prog; + goto out_offset; + } +- ctx->body_len = ctx->ninsns; +- bpf_jit_build_prologue(ctx); ++ + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); + +@@ -155,10 +164,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); +- prologue_len = ctx->epilogue_offset - ctx->body_len; + for (i = 0; i < prog->len; i++) +- ctx->offset[i] = ninsns_rvoff(prologue_len + +- ctx->offset[i]); ++ ctx->offset[i] = ninsns_rvoff(ctx->offset[i]); + bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); +-- +2.39.2 + diff --git a/queue-5.15/riscv-mm-fix-truncation-warning-on-rv32.patch b/queue-5.15/riscv-mm-fix-truncation-warning-on-rv32.patch new file mode 100644 index 00000000000..df2014e99b3 --- /dev/null +++ b/queue-5.15/riscv-mm-fix-truncation-warning-on-rv32.patch @@ -0,0 +1,46 @@ +From 62b852f87a381fad15c88d1537b4ce16b42d9a24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 01:10:36 +0800 +Subject: riscv: mm: fix truncation warning on RV32 + +From: Jisheng Zhang + +[ Upstream commit b690e266dae2f85f4dfea21fa6a05e3500a51054 ] + +lkp reports below sparse warning when building for RV32: +arch/riscv/mm/init.c:1204:48: sparse: warning: cast truncates bits from +constant value (100000000 becomes 0) + +IMO, the reason we didn't see this truncates bug in real world is "0" +means MEMBLOCK_ALLOC_ACCESSIBLE in memblock and there's no RV32 HW +with more than 4GB memory. + +Fix it anyway to make sparse happy. + +Fixes: decf89f86ecd ("riscv: try to allocate crashkern region from 32bit addressible memory") +Signed-off-by: Jisheng Zhang +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202306080034.SLiCiOMn-lkp@intel.com/ +Link: https://lore.kernel.org/r/20230709171036.1906-1-jszhang@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index f8bfbe983517c..d7115acab3501 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -843,7 +843,7 @@ static void __init reserve_crashkernel(void) + */ + crash_base = memblock_phys_alloc_range(crash_size, PMD_SIZE, + search_start, +- min(search_end, (unsigned long) SZ_4G)); ++ min(search_end, (unsigned long)(SZ_4G - 1))); + if (crash_base == 0) { + /* Try again without restricting region to 32bit addressible memory */ + crash_base = memblock_phys_alloc_range(crash_size, PMD_SIZE, +-- +2.39.2 + diff --git a/queue-5.15/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch b/queue-5.15/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch new file mode 100644 index 00000000000..74b38548ab1 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch @@ -0,0 +1,38 @@ +From 8c2f4754fc535e4c50b9dccff123bc772f37ef9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 13:58:47 +0300 +Subject: scsi: qla2xxx: Fix error code in qla2x00_start_sp() + +From: Dan Carpenter + +[ Upstream commit e579b007eff3ff8d29d59d16214cd85fb9e573f7 ] + +This should be negative -EAGAIN instead of positive. The callers treat +non-zero error codes the same so it doesn't really impact runtime beyond +some trivial differences to debug output. + +Fixes: 80676d054e5a ("scsi: qla2xxx: Fix session cleanup hang") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/49866d28-4cfe-47b0-842b-78f110e61aab@moroto.mountain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_iocb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index 4f48f098ea5a6..605e94f973189 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -3898,7 +3898,7 @@ qla2x00_start_sp(srb_t *sp) + + pkt = __qla2x00_alloc_iocbs(sp->qpair, sp); + if (!pkt) { +- rval = EAGAIN; ++ rval = -EAGAIN; + ql_log(ql_log_warn, vha, 0x700c, + "qla2x00_alloc_iocbs failed.\n"); + goto done; +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index f67d81bf1e5..497eab40f9b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -386,3 +386,52 @@ tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch block-partition-fix-signedness-issue-for-amiga-partitions.patch io_uring-use-io_schedule-in-cqring-wait.patch io_uring-add-reschedule-point-to-handle_tw_list.patch +drm-panel-simple-add-connector_type-for-innolux_at04.patch +drm-bridge-ti-sn65dsi86-fix-auxiliary-bus-lifetime.patch +drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch +igc-remove-delay-during-tx-ring-configuration.patch +net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch +net-mlx5e-fix-memory-leak-in-mlx5e_ptp_open.patch +net-mlx5e-check-for-not_ready-flag-state-after-locki.patch +igc-set-tp-bit-in-supported-and-advertising-fields-o.patch +igc-handle-pps-start-time-programming-for-past-time-.patch +scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch +bpf-fix-max-stack-depth-check-for-async-callbacks.patch +net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch +net-sched-cls_fw-fix-improper-refcount-update-leads-.patch +gve-set-default-duplex-configuration-to-full.patch +ionic-remove-warn_on-to-prevent-panic_on_warn.patch +net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch +net-prevent-skb-corruption-on-frag-list-segmentation.patch +icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch +udp6-fix-udp6_ehashfn-typo.patch +ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch +ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch +ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch +ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch +ntb-ntb_tool-add-check-for-devm_kcalloc.patch +ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch +platform-x86-wmi-remove-unnecessary-argument.patch +platform-x86-wmi-use-guid_t-and-guid_equal.patch +platform-x86-wmi-move-variables.patch +platform-x86-wmi-break-possible-infinite-loop-when-p.patch +kernel-trace-fix-cleanup-logic-of-enable_trace_eprob.patch +igc-fix-launchtime-before-start-of-cycle.patch +igc-fix-inserting-of-empty-frame-for-launchtime.patch +bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch +riscv-bpf-fix-inconsistent-jit-image-generation.patch +drm-i915-fix-one-wrong-caching-mode-enum-usage.patch +octeontx2-pf-add-additional-check-for-mcam-rules.patch +erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch +erofs-decouple-basic-mount-options-from-fs_context.patch +erofs-fix-fsdax-unavailability-for-chunk-based-regul.patch +wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch +bpf-cpumap-fix-memory-leak-in-cpu_map_update_elem.patch +net-sched-flower-ensure-both-minimum-and-maximum-por.patch +riscv-mm-fix-truncation-warning-on-rv32.patch +netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch +net-sched-make-psched_mtu-rtnl-less-safe.patch +net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch +net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch +nvme-pci-remove-nvme_queue-from-nvme_iod.patch +nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch diff --git a/queue-5.15/udp6-fix-udp6_ehashfn-typo.patch b/queue-5.15/udp6-fix-udp6_ehashfn-typo.patch new file mode 100644 index 00000000000..e21104b8f1e --- /dev/null +++ b/queue-5.15/udp6-fix-udp6_ehashfn-typo.patch @@ -0,0 +1,40 @@ +From f63bff8bc395960a5e6d9545ab4f26638784ff93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 08:29:58 +0000 +Subject: udp6: fix udp6_ehashfn() typo + +From: Eric Dumazet + +[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ] + +Amit Klein reported that udp6_ehash_secret was initialized but never used. + +Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once") +Reported-by: Amit Klein +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Cc: Willem de Bruijn +Cc: David Ahern +Cc: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 5161e98f6fcfd..a746abbe81b5f 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -88,7 +88,7 @@ static u32 udp6_ehashfn(const struct net *net, + fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret); + + return __inet6_ehashfn(lhash, lport, fhash, fport, +- udp_ipv6_hash_secret + net_hash_mix(net)); ++ udp6_ehash_secret + net_hash_mix(net)); + } + + int udp_v6_get_port(struct sock *sk, unsigned short snum) +-- +2.39.2 + diff --git a/queue-5.15/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/queue-5.15/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch new file mode 100644 index 00000000000..edf567eb512 --- /dev/null +++ b/queue-5.15/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch @@ -0,0 +1,47 @@ +From f6e504ab4ef0b23e302e77eabce8b8a229925637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 06:31:54 -0700 +Subject: wifi: airo: avoid uninitialized warning in airo_get_rate() + +From: Randy Dunlap + +[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ] + +Quieten a gcc (11.3.0) build error or warning by checking the function +call status and returning -EBUSY if the function call failed. +This is similar to what several other wireless drivers do for the +SIOCGIWRATE ioctl call when there is a locking problem. + +drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org +Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index fc19ecbc4c088..bcbf197fa9372 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -6147,8 +6147,11 @@ static int airo_get_rate(struct net_device *dev, + { + struct airo_info *local = dev->ml_priv; + StatusRid status_rid; /* Card status info */ ++ int ret; + +- readStatusRid(local, &status_rid, 1); ++ ret = readStatusRid(local, &status_rid, 1); ++ if (ret) ++ return -EBUSY; + + vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000; + /* If more than one rate, set auto */ +-- +2.39.2 +