From: Sasha Levin Date: Fri, 10 Jan 2025 14:26:05 +0000 (-0500) Subject: Fixes for 6.6 X-Git-Tag: v6.1.125~70 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=88ca924ab033d453c5e233a81794727d4ee2c14d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/bluetooth-btnxpuart-fix-driver-sending-truncated-dat.patch b/queue-6.6/bluetooth-btnxpuart-fix-driver-sending-truncated-dat.patch new file mode 100644 index 00000000000..82b82e2a878 --- /dev/null +++ b/queue-6.6/bluetooth-btnxpuart-fix-driver-sending-truncated-dat.patch @@ -0,0 +1,40 @@ +From 0cfebc93271d766dd75f3f185111dd3c0b86b012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 18:32:52 +0530 +Subject: Bluetooth: btnxpuart: Fix driver sending truncated data + +From: Neeraj Sanjay Kale + +[ Upstream commit 8023dd2204254a70887f5ee58d914bf70a060b9d ] + +This fixes the apparent controller hang issue seen during stress test +where the host sends a truncated payload, followed by HCI commands. The +controller treats these HCI commands as a part of previously truncated +payload, leading to command timeouts. + +Adding a serdev_device_wait_until_sent() call after +serdev_device_write_buf() fixed the issue. + +Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets") +Signed-off-by: Neeraj Sanjay Kale +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btnxpuart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c +index 5ee9a8b8dcfd..e809bb2dbe5e 100644 +--- a/drivers/bluetooth/btnxpuart.c ++++ b/drivers/bluetooth/btnxpuart.c +@@ -1280,6 +1280,7 @@ static void btnxpuart_tx_work(struct work_struct *work) + + while ((skb = nxp_dequeue(nxpdev))) { + len = serdev_device_write_buf(serdev, skb->data, skb->len); ++ serdev_device_wait_until_sent(serdev, 0); + hdev->stat.byte_tx += len; + + skb_pull(skb, len); +-- +2.39.5 + diff --git a/queue-6.6/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch b/queue-6.6/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch new file mode 100644 index 00000000000..12c7ddedc99 --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch @@ -0,0 +1,76 @@ +From d42bd692f1784c64bb7ebe52bf3a6a62ac777515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 15:42:09 -0500 +Subject: Bluetooth: hci_sync: Fix not setting Random Address when required + +From: Luiz Augusto von Dentz + +[ Upstream commit c2994b008492db033d40bd767be1620229a3035e ] + +This fixes errors such as the following when Own address type is set to +Random Address but it has not been programmed yet due to either be +advertising or connecting: + +< HCI Command: LE Set Exte.. (0x08|0x0041) plen 13 + Own address type: Random (0x03) + Filter policy: Ignore not in accept list (0x01) + PHYs: 0x05 + Entry 0: LE 1M + Type: Passive (0x00) + Interval: 60.000 msec (0x0060) + Window: 30.000 msec (0x0030) + Entry 1: LE Coded + Type: Passive (0x00) + Interval: 180.000 msec (0x0120) + Window: 90.000 msec (0x0090) +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Exten.. (0x08|0x0042) plen 6 + Extended scan: Enabled (0x01) + Filter duplicates: Enabled (0x01) + Duration: 0 msec (0x0000) + Period: 0.00 sec (0x0000) +> HCI Event: Command Complete (0x0e) plen 4 + LE Set Extended Scan Enable (0x08|0x0042) ncmd 1 + Status: Invalid HCI Command Parameters (0x12) + +Fixes: c45074d68a9b ("Bluetooth: Fix not generating RPA when required") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index d95e2b55badb..d6f40806ee51 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1049,9 +1049,9 @@ static bool adv_use_rpa(struct hci_dev *hdev, uint32_t flags) + + static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa) + { +- /* If we're advertising or initiating an LE connection we can't +- * go ahead and change the random address at this time. This is +- * because the eventual initiator address used for the ++ /* If a random_addr has been set we're advertising or initiating an LE ++ * connection we can't go ahead and change the random address at this ++ * time. This is because the eventual initiator address used for the + * subsequently created connection will be undefined (some + * controllers use the new address and others the one we had + * when the operation started). +@@ -1059,8 +1059,9 @@ static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa) + * In this kind of scenario skip the update and let the random + * address be updated at the next cycle. + */ +- if (hci_dev_test_flag(hdev, HCI_LE_ADV) || +- hci_lookup_le_connect(hdev)) { ++ if (bacmp(&hdev->random_addr, BDADDR_ANY) && ++ (hci_dev_test_flag(hdev, HCI_LE_ADV) || ++ hci_lookup_le_connect(hdev))) { + bt_dev_dbg(hdev, "Deferring random address update"); + hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); + return 0; +-- +2.39.5 + diff --git a/queue-6.6/bluetooth-mgmt-fix-add-device-to-responding-before-c.patch b/queue-6.6/bluetooth-mgmt-fix-add-device-to-responding-before-c.patch new file mode 100644 index 00000000000..9e4bffe4ace --- /dev/null +++ b/queue-6.6/bluetooth-mgmt-fix-add-device-to-responding-before-c.patch @@ -0,0 +1,89 @@ +From 149bfa9e1d18adf7ab0e5e2372e54fa9cf64c885 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 15:42:10 -0500 +Subject: Bluetooth: MGMT: Fix Add Device to responding before completing + +From: Luiz Augusto von Dentz + +[ Upstream commit a182d9c84f9c52fb5db895ecceeee8b3a1bf661e ] + +Add Device with LE type requires updating resolving/accept list which +requires quite a number of commands to complete and each of them may +fail, so instead of pretending it would always work this checks the +return of hci_update_passive_scan_sync which indicates if everything +worked as intended. + +Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 38 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 1175248e4bec..e3440f0d7d9d 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -7589,6 +7589,24 @@ static void device_added(struct sock *sk, struct hci_dev *hdev, + mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk); + } + ++static void add_device_complete(struct hci_dev *hdev, void *data, int err) ++{ ++ struct mgmt_pending_cmd *cmd = data; ++ struct mgmt_cp_add_device *cp = cmd->param; ++ ++ if (!err) { ++ device_added(cmd->sk, hdev, &cp->addr.bdaddr, cp->addr.type, ++ cp->action); ++ device_flags_changed(NULL, hdev, &cp->addr.bdaddr, ++ cp->addr.type, hdev->conn_flags, ++ PTR_UINT(cmd->user_data)); ++ } ++ ++ mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_ADD_DEVICE, ++ mgmt_status(err), &cp->addr, sizeof(cp->addr)); ++ mgmt_pending_free(cmd); ++} ++ + static int add_device_sync(struct hci_dev *hdev, void *data) + { + return hci_update_passive_scan_sync(hdev); +@@ -7597,6 +7615,7 @@ static int add_device_sync(struct hci_dev *hdev, void *data) + static int add_device(struct sock *sk, struct hci_dev *hdev, + void *data, u16 len) + { ++ struct mgmt_pending_cmd *cmd; + struct mgmt_cp_add_device *cp = data; + u8 auto_conn, addr_type; + struct hci_conn_params *params; +@@ -7677,9 +7696,24 @@ static int add_device(struct sock *sk, struct hci_dev *hdev, + current_flags = params->flags; + } + +- err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL); +- if (err < 0) ++ cmd = mgmt_pending_new(sk, MGMT_OP_ADD_DEVICE, hdev, data, len); ++ if (!cmd) { ++ err = -ENOMEM; + goto unlock; ++ } ++ ++ cmd->user_data = UINT_PTR(current_flags); ++ ++ err = hci_cmd_sync_queue(hdev, add_device_sync, cmd, ++ add_device_complete); ++ if (err < 0) { ++ err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE, ++ MGMT_STATUS_FAILED, &cp->addr, ++ sizeof(cp->addr)); ++ mgmt_pending_free(cmd); ++ } ++ ++ goto unlock; + + added: + device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action); +-- +2.39.5 + diff --git a/queue-6.6/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch b/queue-6.6/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch new file mode 100644 index 00000000000..65799fdc111 --- /dev/null +++ b/queue-6.6/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch @@ -0,0 +1,47 @@ +From a8f58bbf061f8908e34cf5d1d68877651adc4d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 20:38:47 -0800 +Subject: bnxt_en: Fix possible memory leak when hwrm_req_replace fails + +From: Kalesh AP + +[ Upstream commit c8dafb0e4398dacc362832098a04b97da3b0395b ] + +When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop() +which could cause a memory leak. + +Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs") +Reviewed-by: Pavan Chebbi +Signed-off-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250104043849.3482067-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +index 7689086371e0..2980963208cb 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -159,7 +159,7 @@ int bnxt_send_msg(struct bnxt_en_dev *edev, + + rc = hwrm_req_replace(bp, req, fw_msg->msg, fw_msg->msg_len); + if (rc) +- return rc; ++ goto drop_req; + + hwrm_req_timeout(bp, req, fw_msg->timeout); + resp = hwrm_req_hold(bp, req); +@@ -171,6 +171,7 @@ int bnxt_send_msg(struct bnxt_en_dev *edev, + + memcpy(fw_msg->resp, resp, resp_len); + } ++drop_req: + hwrm_req_drop(bp, req); + return rc; + } +-- +2.39.5 + diff --git a/queue-6.6/btrfs-avoid-null-pointer-dereference-if-no-valid-ext.patch b/queue-6.6/btrfs-avoid-null-pointer-dereference-if-no-valid-ext.patch new file mode 100644 index 00000000000..18d7c5e84b6 --- /dev/null +++ b/queue-6.6/btrfs-avoid-null-pointer-dereference-if-no-valid-ext.patch @@ -0,0 +1,91 @@ +From 638fbd13ff8653035cf7ce52b60052c5e3cfaf8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 14:44:16 +1030 +Subject: btrfs: avoid NULL pointer dereference if no valid extent tree + +From: Qu Wenruo + +[ Upstream commit 6aecd91a5c5b68939cf4169e32bc49f3cd2dd329 ] + +[BUG] +Syzbot reported a crash with the following call trace: + + BTRFS info (device loop0): scrub: started on devid 1 + BUG: kernel NULL pointer dereference, address: 0000000000000208 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 + Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 + Tainted: [O]=OOT_MODULE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 + RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] + Call Trace: + + scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] + scrub_simple_mirror+0x175/0x260 [btrfs] + scrub_stripe+0x5d4/0x6c0 [btrfs] + scrub_chunk+0xbb/0x170 [btrfs] + scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] + btrfs_scrub_dev+0x240/0x600 [btrfs] + btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] + ? do_sys_openat2+0xa5/0xf0 + __x64_sys_ioctl+0x97/0xc0 + do_syscall_64+0x4f/0x120 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + +[CAUSE] +The reproducer is using a corrupted image where extent tree root is +corrupted, thus forcing to use "rescue=all,ro" mount option to mount the +image. + +Then it triggered a scrub, but since scrub relies on extent tree to find +where the data/metadata extents are, scrub_find_fill_first_stripe() +relies on an non-empty extent root. + +But unfortunately scrub_find_fill_first_stripe() doesn't really expect +an NULL pointer for extent root, it use extent_root to grab fs_info and +triggered a NULL pointer dereference. + +[FIX] +Add an extra check for a valid extent root at the beginning of +scrub_find_fill_first_stripe(). + +The new error path is introduced by 42437a6386ff ("btrfs: introduce +mount option rescue=ignorebadroots"), but that's pretty old, and later +commit b979547513ff ("btrfs: scrub: introduce helper to find and fill +sector info for a scrub_stripe") changed how we do scrub. + +So for kernels older than 6.6, the fix will need manual backport. + +Reported-by: syzbot+339e9dbe3a2ca419b85d@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/67756935.050a0220.25abdd.0a12.GAE@google.com/ +Fixes: 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots") +Reviewed-by: Anand Jain +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index a2d91d9f8a10..6be092bb814f 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -1538,6 +1538,10 @@ static int scrub_find_fill_first_stripe(struct btrfs_block_group *bg, + u64 extent_gen; + int ret; + ++ if (unlikely(!extent_root)) { ++ btrfs_err(fs_info, "no valid extent root for scrub"); ++ return -EUCLEAN; ++ } + memset(stripe->sectors, 0, sizeof(struct scrub_sector_verification) * + stripe->nr_sectors); + scrub_stripe_reset_bitmaps(stripe); +-- +2.39.5 + diff --git a/queue-6.6/cxgb4-avoid-removal-of-uninserted-tid.patch b/queue-6.6/cxgb4-avoid-removal-of-uninserted-tid.patch new file mode 100644 index 00000000000..94494271158 --- /dev/null +++ b/queue-6.6/cxgb4-avoid-removal-of-uninserted-tid.patch @@ -0,0 +1,42 @@ +From 9c33e242d434328e9649c1b52f541f93181168ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 14:53:27 +0530 +Subject: cxgb4: Avoid removal of uninserted tid + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 ] + +During ARP failure, tid is not inserted but _c4iw_free_ep() +attempts to remove tid which results in error. +This patch fixes the issue by avoiding removal of uninserted tid. + +Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Link: https://patch.msgid.link/20250103092327.1011925-1-anumula@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index b215ff14da1b..3989c9491f0f 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -1799,7 +1799,10 @@ void cxgb4_remove_tid(struct tid_info *t, unsigned int chan, unsigned int tid, + struct adapter *adap = container_of(t, struct adapter, tids); + struct sk_buff *skb; + +- WARN_ON(tid_out_of_range(&adap->tids, tid)); ++ if (tid_out_of_range(&adap->tids, tid)) { ++ dev_err(adap->pdev_dev, "tid %d out of range\n", tid); ++ return; ++ } + + if (t->tid_tab[tid - adap->tids.tid_base]) { + t->tid_tab[tid - adap->tids.tid_base] = NULL; +-- +2.39.5 + diff --git a/queue-6.6/eth-gve-use-appropriate-helper-to-set-xdp_features.patch b/queue-6.6/eth-gve-use-appropriate-helper-to-set-xdp_features.patch new file mode 100644 index 00000000000..28ee37e094e --- /dev/null +++ b/queue-6.6/eth-gve-use-appropriate-helper-to-set-xdp_features.patch @@ -0,0 +1,59 @@ +From 84d40dedb40338c5fd557d308313ac1f6b01d566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jan 2025 10:02:10 -0800 +Subject: eth: gve: use appropriate helper to set xdp_features + +From: Jakub Kicinski + +[ Upstream commit db78475ba0d3c66d430f7ded2388cc041078a542 ] + +Commit f85949f98206 ("xdp: add xdp_set_features_flag utility routine") +added routines to inform the core about XDP flag changes. +GVE support was added around the same time and missed using them. + +GVE only changes the flags on error recover or resume. +Presumably the flags may change during resume if VM migrated. +User would not get the notification and upper devices would +not get a chance to recalculate their flags. + +Fixes: 75eaae158b1b ("gve: Add XDP DROP and TX support for GQI-QPL format") +Reviewed-By: Jeroen de Borst +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250106180210.1861784-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index d70305654e7d..90d433b36799 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -2009,14 +2009,18 @@ static void gve_service_task(struct work_struct *work) + + static void gve_set_netdev_xdp_features(struct gve_priv *priv) + { ++ xdp_features_t xdp_features; ++ + if (priv->queue_format == GVE_GQI_QPL_FORMAT) { +- priv->dev->xdp_features = NETDEV_XDP_ACT_BASIC; +- priv->dev->xdp_features |= NETDEV_XDP_ACT_REDIRECT; +- priv->dev->xdp_features |= NETDEV_XDP_ACT_NDO_XMIT; +- priv->dev->xdp_features |= NETDEV_XDP_ACT_XSK_ZEROCOPY; ++ xdp_features = NETDEV_XDP_ACT_BASIC; ++ xdp_features |= NETDEV_XDP_ACT_REDIRECT; ++ xdp_features |= NETDEV_XDP_ACT_NDO_XMIT; ++ xdp_features |= NETDEV_XDP_ACT_XSK_ZEROCOPY; + } else { +- priv->dev->xdp_features = 0; ++ xdp_features = 0; + } ++ ++ xdp_set_features_flag(priv->dev, xdp_features); + } + + static int gve_init_priv(struct gve_priv *priv, bool skip_describe_device) +-- +2.39.5 + diff --git a/queue-6.6/ice-fix-incorrect-phy-settings-for-100-gb-s.patch b/queue-6.6/ice-fix-incorrect-phy-settings-for-100-gb-s.patch new file mode 100644 index 00000000000..f5739608ce5 --- /dev/null +++ b/queue-6.6/ice-fix-incorrect-phy-settings-for-100-gb-s.patch @@ -0,0 +1,65 @@ +From dbb62bbe9a3d44199c5c29d5b82d78891e9307e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:22:18 +0100 +Subject: ice: fix incorrect PHY settings for 100 GB/s + +From: Przemyslaw Korba + +[ Upstream commit 6c5b989116083a98f45aada548ff54e7a83a9c2d ] + +ptp4l application reports too high offset when ran on E823 device +with a 100GB/s link. Those values cannot go under 100ns, like in a +working case when using 100 GB/s cable. + +This is due to incorrect frequency settings on the PHY clocks for +100 GB/s speed. Changes are introduced to align with the internal +hardware documentation, and correctly initialize frequency in PHY +clocks with the frequency values that are in our HW spec. + +To reproduce the issue run ptp4l as a Time Receiver on E823 device, +and observe the offset, which will never approach values seen +in the PTP working case. + +Reproduction output: +ptp4l -i enp137s0f3 -m -2 -s -f /etc/ptp4l_8275.conf +ptp4l[5278.775]: master offset 12470 s2 freq +41288 path delay -3002 +ptp4l[5278.837]: master offset 10525 s2 freq +39202 path delay -3002 +ptp4l[5278.900]: master offset -24840 s2 freq -20130 path delay -3002 +ptp4l[5278.963]: master offset 10597 s2 freq +37908 path delay -3002 +ptp4l[5279.025]: master offset 8883 s2 freq +36031 path delay -3002 +ptp4l[5279.088]: master offset 7267 s2 freq +34151 path delay -3002 +ptp4l[5279.150]: master offset 5771 s2 freq +32316 path delay -3002 +ptp4l[5279.213]: master offset 4388 s2 freq +30526 path delay -3002 +ptp4l[5279.275]: master offset -30434 s2 freq -28485 path delay -3002 +ptp4l[5279.338]: master offset -28041 s2 freq -27412 path delay -3002 +ptp4l[5279.400]: master offset 7870 s2 freq +31118 path delay -3002 + +Fixes: 3a7496234d17 ("ice: implement basic E822 PTP support") +Reviewed-by: Milena Olech +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h +index 4109aa3b2fcd..87ce20540f57 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h ++++ b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h +@@ -359,9 +359,9 @@ const struct ice_vernier_info_e822 e822_vernier[NUM_ICE_PTP_LNK_SPD] = { + /* rx_desk_rsgb_par */ + 644531250, /* 644.53125 MHz Reed Solomon gearbox */ + /* tx_desk_rsgb_pcs */ +- 644531250, /* 644.53125 MHz Reed Solomon gearbox */ ++ 390625000, /* 390.625 MHz Reed Solomon gearbox */ + /* rx_desk_rsgb_pcs */ +- 644531250, /* 644.53125 MHz Reed Solomon gearbox */ ++ 390625000, /* 390.625 MHz Reed Solomon gearbox */ + /* tx_fixed_delay */ + 1620, + /* pmd_adj_divisor */ +-- +2.39.5 + diff --git a/queue-6.6/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch b/queue-6.6/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch new file mode 100644 index 00000000000..04f7239ff85 --- /dev/null +++ b/queue-6.6/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch @@ -0,0 +1,45 @@ +From 693b136cc5962e511fde94ba8a421472be41b389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2024 19:27:12 +0100 +Subject: ieee802154: ca8210: Add missing check for kfifo_alloc() in + ca8210_probe() + +From: Keisuke Nishimura + +[ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ] + +ca8210_test_interface_init() returns the result of kfifo_alloc(), +which can be non-zero in case of an error. The caller, ca8210_probe(), +should check the return value and do error-handling if it fails. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Keisuke Nishimura +Reviewed-by: Simon Horman +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 4ec0dab38872..0a0ad3d77557 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -3078,7 +3078,11 @@ static int ca8210_probe(struct spi_device *spi_device) + spi_set_drvdata(priv->spi, priv); + if (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) { + cascoda_api_upstream = ca8210_test_int_driver_write; +- ca8210_test_interface_init(priv); ++ ret = ca8210_test_interface_init(priv); ++ if (ret) { ++ dev_crit(&spi_device->dev, "ca8210_test_interface_init failed\n"); ++ goto error; ++ } + } else { + cascoda_api_upstream = NULL; + } +-- +2.39.5 + diff --git a/queue-6.6/igc-field-get-conversion.patch b/queue-6.6/igc-field-get-conversion.patch new file mode 100644 index 00000000000..19bc69cb5f0 --- /dev/null +++ b/queue-6.6/igc-field-get-conversion.patch @@ -0,0 +1,130 @@ +From 65858a8a1322b3909faa505b52e6065698bcc55b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 17:01:09 -0800 +Subject: igc: field get conversion + +From: Jesse Brandeburg + +[ Upstream commit a8e0c7a6800dc466ac815264c16971b9adf7ffbd ] + +Refactor the igc driver to use FIELD_GET() for mask and shift reads, +which reduces lines of code and adds clarity of intent. + +This code was generated by the following coccinelle/spatch script and +then manually repaired in a later patch. + +@get@ +constant shift,mask; +type T; +expression a; +@@ +-((T)((a) & mask) >> shift) ++FIELD_GET(mask, a) + +and applied via: +spatch --sp-file field_prep.cocci --in-place --dir \ + drivers/net/ethernet/intel/ + +Cc: Julia Lawall +Reviewed-by: Marcin Szycik +Reviewed-by: Simon Horman +Signed-off-by: Jesse Brandeburg +Signed-off-by: Tony Nguyen +Stable-dep-of: bd2776e39c2a ("igc: return early when failing to read EECD register") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_base.c | 6 ++---- + drivers/net/ethernet/intel/igc/igc_i225.c | 5 ++--- + drivers/net/ethernet/intel/igc/igc_main.c | 6 ++---- + drivers/net/ethernet/intel/igc/igc_phy.c | 4 ++-- + 4 files changed, 8 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_base.c b/drivers/net/ethernet/intel/igc/igc_base.c +index a1d815af507d..9fae8bdec2a7 100644 +--- a/drivers/net/ethernet/intel/igc/igc_base.c ++++ b/drivers/net/ethernet/intel/igc/igc_base.c +@@ -68,8 +68,7 @@ static s32 igc_init_nvm_params_base(struct igc_hw *hw) + u32 eecd = rd32(IGC_EECD); + u16 size; + +- size = (u16)((eecd & IGC_EECD_SIZE_EX_MASK) >> +- IGC_EECD_SIZE_EX_SHIFT); ++ size = FIELD_GET(IGC_EECD_SIZE_EX_MASK, eecd); + + /* Added to a constant, "size" becomes the left-shift value + * for setting word_size. +@@ -162,8 +161,7 @@ static s32 igc_init_phy_params_base(struct igc_hw *hw) + phy->reset_delay_us = 100; + + /* set lan id */ +- hw->bus.func = (rd32(IGC_STATUS) & IGC_STATUS_FUNC_MASK) >> +- IGC_STATUS_FUNC_SHIFT; ++ hw->bus.func = FIELD_GET(IGC_STATUS_FUNC_MASK, rd32(IGC_STATUS)); + + /* Make sure the PHY is in a good state. Several people have reported + * firmware leaving the PHY's page select register set to something +diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c +index d2562c8e8015..0dd61719f1ed 100644 +--- a/drivers/net/ethernet/intel/igc/igc_i225.c ++++ b/drivers/net/ethernet/intel/igc/igc_i225.c +@@ -579,9 +579,8 @@ s32 igc_set_ltr_i225(struct igc_hw *hw, bool link) + + /* Calculate tw_system (nsec). */ + if (speed == SPEED_100) { +- tw_system = ((rd32(IGC_EEE_SU) & +- IGC_TW_SYSTEM_100_MASK) >> +- IGC_TW_SYSTEM_100_SHIFT) * 500; ++ tw_system = FIELD_GET(IGC_TW_SYSTEM_100_MASK, ++ rd32(IGC_EEE_SU)) * 500; + } else { + tw_system = (rd32(IGC_EEE_SU) & + IGC_TW_SYSTEM_1000_MASK) * 500; +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index da1018d83262..91a4722460f6 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -3708,8 +3708,7 @@ static int igc_enable_nfc_rule(struct igc_adapter *adapter, + } + + if (rule->filter.match_flags & IGC_FILTER_FLAG_VLAN_TCI) { +- int prio = (rule->filter.vlan_tci & VLAN_PRIO_MASK) >> +- VLAN_PRIO_SHIFT; ++ int prio = FIELD_GET(VLAN_PRIO_MASK, rule->filter.vlan_tci); + + err = igc_add_vlan_prio_filter(adapter, prio, rule->action); + if (err) +@@ -3731,8 +3730,7 @@ static void igc_disable_nfc_rule(struct igc_adapter *adapter, + igc_del_etype_filter(adapter, rule->filter.etype); + + if (rule->filter.match_flags & IGC_FILTER_FLAG_VLAN_TCI) { +- int prio = (rule->filter.vlan_tci & VLAN_PRIO_MASK) >> +- VLAN_PRIO_SHIFT; ++ int prio = FIELD_GET(VLAN_PRIO_MASK, rule->filter.vlan_tci); + + igc_del_vlan_prio_filter(adapter, prio); + } +diff --git a/drivers/net/ethernet/intel/igc/igc_phy.c b/drivers/net/ethernet/intel/igc/igc_phy.c +index d0d9e7170154..7cd8716d2ffa 100644 +--- a/drivers/net/ethernet/intel/igc/igc_phy.c ++++ b/drivers/net/ethernet/intel/igc/igc_phy.c +@@ -727,7 +727,7 @@ static s32 igc_write_xmdio_reg(struct igc_hw *hw, u16 addr, + */ + s32 igc_write_phy_reg_gpy(struct igc_hw *hw, u32 offset, u16 data) + { +- u8 dev_addr = (offset & GPY_MMD_MASK) >> GPY_MMD_SHIFT; ++ u8 dev_addr = FIELD_GET(GPY_MMD_MASK, offset); + s32 ret_val; + + offset = offset & GPY_REG_MASK; +@@ -758,7 +758,7 @@ s32 igc_write_phy_reg_gpy(struct igc_hw *hw, u32 offset, u16 data) + */ + s32 igc_read_phy_reg_gpy(struct igc_hw *hw, u32 offset, u16 *data) + { +- u8 dev_addr = (offset & GPY_MMD_MASK) >> GPY_MMD_SHIFT; ++ u8 dev_addr = FIELD_GET(GPY_MMD_MASK, offset); + s32 ret_val; + + offset = offset & GPY_REG_MASK; +-- +2.39.5 + diff --git a/queue-6.6/igc-return-early-when-failing-to-read-eecd-register.patch b/queue-6.6/igc-return-early-when-failing-to-read-eecd-register.patch new file mode 100644 index 00000000000..ff282ac9129 --- /dev/null +++ b/queue-6.6/igc-return-early-when-failing-to-read-eecd-register.patch @@ -0,0 +1,78 @@ +From 29d76d10f4b541ef44531f8cb479bb3b9bb0fdd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 10:37:42 +0800 +Subject: igc: return early when failing to read EECD register + +From: En-Wei Wu + +[ Upstream commit bd2776e39c2a82ef4681d02678bb77b3d41e79be ] + +When booting with a dock connected, the igc driver may get stuck for ~40 +seconds if PCIe link is lost during initialization. + +This happens because the driver access device after EECD register reads +return all F's, indicating failed reads. Consequently, hw->hw_addr is set +to NULL, which impacts subsequent rd32() reads. This leads to the driver +hanging in igc_get_hw_semaphore_i225(), as the invalid hw->hw_addr +prevents retrieving the expected value. + +To address this, a validation check and a corresponding return value +catch is added for the EECD register read result. If all F's are +returned, indicating PCIe link loss, the driver will return -ENXIO +immediately. This avoids the 40-second hang and significantly improves +boot time when using a dock with an igc NIC. + +Log before the patch: +[ 0.911913] igc 0000:70:00.0: enabling device (0000 -> 0002) +[ 0.912386] igc 0000:70:00.0: PTM enabled, 4ns granularity +[ 1.571098] igc 0000:70:00.0 (unnamed net_device) (uninitialized): PCIe link lost, device now detached +[ 43.449095] igc_get_hw_semaphore_i225: igc 0000:70:00.0 (unnamed net_device) (uninitialized): Driver can't access device - SMBI bit is set. +[ 43.449186] igc 0000:70:00.0: probe with driver igc failed with error -13 +[ 46.345701] igc 0000:70:00.0: enabling device (0000 -> 0002) +[ 46.345777] igc 0000:70:00.0: PTM enabled, 4ns granularity + +Log after the patch: +[ 1.031000] igc 0000:70:00.0: enabling device (0000 -> 0002) +[ 1.032097] igc 0000:70:00.0: PTM enabled, 4ns granularity +[ 1.642291] igc 0000:70:00.0 (unnamed net_device) (uninitialized): PCIe link lost, device now detached +[ 5.480490] igc 0000:70:00.0: enabling device (0000 -> 0002) +[ 5.480516] igc 0000:70:00.0: PTM enabled, 4ns granularity + +Fixes: ab4056126813 ("igc: Add NVM support") +Cc: Chia-Lin Kao (AceLan) +Signed-off-by: En-Wei Wu +Reviewed-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_base.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_base.c b/drivers/net/ethernet/intel/igc/igc_base.c +index 9fae8bdec2a7..1613b562d17c 100644 +--- a/drivers/net/ethernet/intel/igc/igc_base.c ++++ b/drivers/net/ethernet/intel/igc/igc_base.c +@@ -68,6 +68,10 @@ static s32 igc_init_nvm_params_base(struct igc_hw *hw) + u32 eecd = rd32(IGC_EECD); + u16 size; + ++ /* failed to read reg and got all F's */ ++ if (!(~eecd)) ++ return -ENXIO; ++ + size = FIELD_GET(IGC_EECD_SIZE_EX_MASK, eecd); + + /* Added to a constant, "size" becomes the left-shift value +@@ -221,6 +225,8 @@ static s32 igc_get_invariants_base(struct igc_hw *hw) + + /* NVM initialization */ + ret_val = igc_init_nvm_params_base(hw); ++ if (ret_val) ++ goto out; + switch (hw->mac.type) { + case igc_i225: + ret_val = igc_init_nvm_params_i225(hw); +-- +2.39.5 + diff --git a/queue-6.6/ipvlan-fix-use-after-free-in-ipvlan_get_iflink.patch b/queue-6.6/ipvlan-fix-use-after-free-in-ipvlan_get_iflink.patch new file mode 100644 index 00000000000..4920d8102ce --- /dev/null +++ b/queue-6.6/ipvlan-fix-use-after-free-in-ipvlan_get_iflink.patch @@ -0,0 +1,205 @@ +From 1bca04cf59f38cdb725f81b92f29c542299597f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jan 2025 16:19:11 +0900 +Subject: ipvlan: Fix use-after-free in ipvlan_get_iflink(). + +From: Kuniyuki Iwashima + +[ Upstream commit cb358ff94154774d031159b018adf45e17673941 ] + +syzbot presented an use-after-free report [0] regarding ipvlan and +linkwatch. + +ipvlan does not hold a refcnt of the lower device unlike vlan and +macvlan. + +If the linkwatch work is triggered for the ipvlan dev, the lower dev +might have already been freed, resulting in UAF of ipvlan->phy_dev in +ipvlan_get_iflink(). + +We can delay the lower dev unregistration like vlan and macvlan by +holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and +releasing it in dev->priv_destructor(). + +Jakub pointed out calling .ndo_XXX after unregister_netdevice() has +returned is error prone and suggested [1] addressing this UAF in the +core by taking commit 750e51603395 ("net: avoid potential UAF in +default_operstate()") further. + +Let's assume unregistering devices DOWN and use RCU protection in +default_operstate() not to race with the device unregistration. + +[0]: +BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 +Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944 + +CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47 +Hardware name: linux,dummy-virt (DT) +Workqueue: events_unbound linkwatch_event +Call trace: + show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C) + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x16c/0x6f0 mm/kasan/report.c:489 + kasan_report+0xc0/0x120 mm/kasan/report.c:602 + __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380 + ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353 + dev_get_iflink+0x7c/0xd8 net/core/dev.c:674 + default_operstate net/core/link_watch.c:45 [inline] + rfc2863_policy+0x144/0x360 net/core/link_watch.c:72 + linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175 + __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239 + linkwatch_event+0x64/0xa8 net/core/link_watch.c:282 + process_one_work+0x700/0x1398 kernel/workqueue.c:3229 + process_scheduled_works kernel/workqueue.c:3310 [inline] + worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391 + kthread+0x2b0/0x360 kernel/kthread.c:389 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 + +Allocated by task 9303: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4283 [inline] + __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289 + __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650 + alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209 + rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595 + rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771 + __rtnl_newlink net/core/rtnetlink.c:3896 [inline] + rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 + netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 + sock_sendmsg_nosec net/socket.c:711 [inline] + __sock_sendmsg net/socket.c:726 [inline] + __sys_sendto+0x2ec/0x438 net/socket.c:2197 + __do_sys_sendto net/socket.c:2204 [inline] + __se_sys_sendto net/socket.c:2200 [inline] + __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +Freed by task 10200: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x30/0x68 mm/kasan/common.c:68 + kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x48/0x68 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2338 [inline] + slab_free mm/slub.c:4598 [inline] + kfree+0x140/0x420 mm/slub.c:4746 + kvfree+0x4c/0x68 mm/util.c:693 + netdev_release+0x94/0xc8 net/core/net-sysfs.c:2034 + device_release+0x98/0x1c0 + kobject_cleanup lib/kobject.c:689 [inline] + kobject_release lib/kobject.c:720 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x2b0/0x438 lib/kobject.c:737 + netdev_run_todo+0xdd8/0xf48 net/core/dev.c:10924 + rtnl_unlock net/core/rtnetlink.c:152 [inline] + rtnl_net_unlock net/core/rtnetlink.c:209 [inline] + rtnl_dellink+0x484/0x680 net/core/rtnetlink.c:3526 + rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901 + netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542 + rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928 + netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] + netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347 + netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891 + sock_sendmsg_nosec net/socket.c:711 [inline] + __sock_sendmsg net/socket.c:726 [inline] + ____sys_sendmsg+0x410/0x708 net/socket.c:2583 + ___sys_sendmsg+0x178/0x1d8 net/socket.c:2637 + __sys_sendmsg net/socket.c:2669 [inline] + __do_sys_sendmsg net/socket.c:2674 [inline] + __se_sys_sendmsg net/socket.c:2672 [inline] + __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2672 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 + el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 + +The buggy address belongs to the object at ffff0000d768c000 + which belongs to the cache kmalloc-cg-4k of size 4096 +The buggy address is located 224 bytes inside of + freed 4096-byte region [ffff0000d768c000, ffff0000d768d000) + +The buggy address belongs to the physical page: +page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117688 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff0000c77ef981 +flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) +page_type: f5(slab) +raw: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 +raw: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 +head: 0bfffe0000000040 ffff0000c000f500 dead000000000100 dead000000000122 +head: 0000000000000000 0000000000040004 00000001f5000000 ffff0000c77ef981 +head: 0bfffe0000000003 fffffdffc35da201 ffffffffffffffff 0000000000000000 +head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff0000d768bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff0000d768c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff0000d768c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff0000d768c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff0000d768c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 8c55facecd7a ("net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down") +Reported-by: syzkaller +Suggested-by: Jakub Kicinski +Link: https://lore.kernel.org/netdev/20250102174400.085fd8ac@kernel.org/ [1] +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250106071911.64355-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/link_watch.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/core/link_watch.c b/net/core/link_watch.c +index 66422c95c83c..e2e8a341318b 100644 +--- a/net/core/link_watch.c ++++ b/net/core/link_watch.c +@@ -42,14 +42,18 @@ static unsigned char default_operstate(const struct net_device *dev) + * first check whether lower is indeed the source of its down state. + */ + if (!netif_carrier_ok(dev)) { +- int iflink = dev_get_iflink(dev); + struct net_device *peer; ++ int iflink; + + /* If called from netdev_run_todo()/linkwatch_sync_dev(), + * dev_net(dev) can be already freed, and RTNL is not held. + */ +- if (dev->reg_state == NETREG_UNREGISTERED || +- iflink == dev->ifindex) ++ if (dev->reg_state <= NETREG_REGISTERED) ++ iflink = dev_get_iflink(dev); ++ else ++ iflink = dev->ifindex; ++ ++ if (iflink == dev->ifindex) + return IF_OPER_DOWN; + + ASSERT_RTNL(); +-- +2.39.5 + diff --git a/queue-6.6/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch b/queue-6.6/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch new file mode 100644 index 00000000000..4a47cf104cd --- /dev/null +++ b/queue-6.6/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch @@ -0,0 +1,56 @@ +From e774cbdc742635bec0ad8511904f0f0df08ad724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:23:00 -0500 +Subject: net: 802: LLC+SNAP OID:PID lookup on start of skb data + +From: Antonio Pastor + +[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ] + +802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA +have skb->transport_header set two bytes short, or pointing 2 bytes +before network_header & skb->data. This was an issue as snap_rcv() +expected offset to point to SNAP header (OID:PID), causing packet to +be dropped. + +A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any +LLC consumers that may care about it, and stops SNAP packets from being +dropped, but doesn't fix the problem which is that LLC and SNAP should +not use transport_header offset. + +Ths patch eliminates the use of transport_header offset for SNAP lookup +of OID:PID so that SNAP does not rely on the offset at all. +The offset is reset after pull for any SNAP packet consumers that may +(but shouldn't) use it. + +Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()") +Signed-off-by: Antonio Pastor +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/802/psnap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/802/psnap.c b/net/802/psnap.c +index 1406bfdbda13..dbd9647f2ef1 100644 +--- a/net/802/psnap.c ++++ b/net/802/psnap.c +@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev, + goto drop; + + rcu_read_lock(); +- proto = find_snap_client(skb_transport_header(skb)); ++ proto = find_snap_client(skb->data); + if (proto) { + /* Pass the frame on. */ +- skb->transport_header += 5; + skb_pull_rcsum(skb, 5); ++ skb_reset_transport_header(skb); + rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev); + } + rcu_read_unlock(); +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-don-t-auto-enable-misc-vector.patch b/queue-6.6/net-hns3-don-t-auto-enable-misc-vector.patch new file mode 100644 index 00000000000..be27050c919 --- /dev/null +++ b/queue-6.6/net-hns3-don-t-auto-enable-misc-vector.patch @@ -0,0 +1,97 @@ +From e83e7b58611667b0c4ea5b5ee313a4ff946340fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:35 +0800 +Subject: net: hns3: don't auto enable misc vector + +From: Jian Shen + +[ Upstream commit 5f62009ff10826fefa215da68831f42b0c36b6fb ] + +Currently, there is a time window between misc irq enabled +and service task inited. If an interrupte is reported at +this time, it will cause warning like below: + +[ 16.324639] Call trace: +[ 16.324641] __queue_delayed_work+0xb8/0xe0 +[ 16.324643] mod_delayed_work_on+0x78/0xd0 +[ 16.324655] hclge_errhand_task_schedule+0x58/0x90 [hclge] +[ 16.324662] hclge_misc_irq_handle+0x168/0x240 [hclge] +[ 16.324666] __handle_irq_event_percpu+0x64/0x1e0 +[ 16.324667] handle_irq_event+0x80/0x170 +[ 16.324670] handle_fasteoi_edge_irq+0x110/0x2bc +[ 16.324671] __handle_domain_irq+0x84/0xfc +[ 16.324673] gic_handle_irq+0x88/0x2c0 +[ 16.324674] el1_irq+0xb8/0x140 +[ 16.324677] arch_cpu_idle+0x18/0x40 +[ 16.324679] default_idle_call+0x5c/0x1bc +[ 16.324682] cpuidle_idle_call+0x18c/0x1c4 +[ 16.324684] do_idle+0x174/0x17c +[ 16.324685] cpu_startup_entry+0x30/0x6c +[ 16.324687] secondary_start_kernel+0x1a4/0x280 +[ 16.324688] ---[ end trace 6aa0bff672a964aa ]--- + +So don't auto enable misc vector when request irq.. + +Fixes: 7be1b9f3e99f ("net: hns3: make hclge_service use delayed workqueue") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 9650ce594e2f..72f8f0de1079 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3713,7 +3714,7 @@ static int hclge_misc_irq_init(struct hclge_dev *hdev) + snprintf(hdev->misc_vector.name, HNAE3_INT_NAME_LEN, "%s-misc-%s", + HCLGE_NAME, pci_name(hdev->pdev)); + ret = request_irq(hdev->misc_vector.vector_irq, hclge_misc_irq_handle, +- 0, hdev->misc_vector.name, hdev); ++ IRQ_NOAUTOEN, hdev->misc_vector.name, hdev); + if (ret) { + hclge_free_vector(hdev, 0); + dev_err(&hdev->pdev->dev, "request misc irq(%d) fail\n", +@@ -11805,9 +11806,6 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + + hclge_init_rxd_adv_layout(hdev); + +- /* Enable MISC vector(vector0) */ +- hclge_enable_vector(&hdev->misc_vector, true); +- + ret = hclge_init_wol(hdev); + if (ret) + dev_warn(&pdev->dev, +@@ -11820,6 +11818,10 @@ static int hclge_init_ae_dev(struct hnae3_ae_dev *ae_dev) + hclge_state_init(hdev); + hdev->last_reset_time = jiffies; + ++ /* Enable MISC vector(vector0) */ ++ enable_irq(hdev->misc_vector.vector_irq); ++ hclge_enable_vector(&hdev->misc_vector, true); ++ + dev_info(&hdev->pdev->dev, "%s driver initialization finished.\n", + HCLGE_DRIVER_NAME); + +@@ -12223,7 +12225,7 @@ static void hclge_uninit_ae_dev(struct hnae3_ae_dev *ae_dev) + + /* Disable MISC vector(vector0) */ + hclge_enable_vector(&hdev->misc_vector, false); +- synchronize_irq(hdev->misc_vector.vector_irq); ++ disable_irq(hdev->misc_vector.vector_irq); + + /* Disable all hw interrupts */ + hclge_config_mac_tnl_int(hdev, false); +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch b/queue-6.6/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch new file mode 100644 index 00000000000..ad8929fdc2d --- /dev/null +++ b/queue-6.6/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch @@ -0,0 +1,96 @@ +From 059463613c74de2b3ca96a2ff54eafbb1eac5c42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:38 +0800 +Subject: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices + +From: Jie Wang + +[ Upstream commit 2cf246143519ecc11dab754385ec42d78b6b6a05 ] + +Currently, HIP08 devices does not register the ptp devices, so the +hdev->ptp is NULL. But the tx process would still try to set hardware time +stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. + +[ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 +... +[ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge] +[ 128.292938] sp : ffff800059b93140 +[ 128.297200] x29: ffff800059b93140 x28: 0000000000003280 +[ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080 +[ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001 +[ 128.315969] x23: 0000000000000000 x22: 0000000000000194 +[ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000 +[ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000 +[ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24 +[ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000 +[ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368 +[ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02 +[ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0 +[ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000 +[ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff +[ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294 +[ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080 +[ 128.390626] Call trace: +[ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge] +[ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3] +[ 128.405468] xmit_one.constprop.0+0xc4/0x200 +[ 128.410600] dev_hard_start_xmit+0x54/0xf0 +[ 128.415556] sch_direct_xmit+0xe8/0x634 +[ 128.420246] __dev_queue_xmit+0x224/0xc70 +[ 128.425101] dev_queue_xmit+0x1c/0x40 +[ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch] +[ 128.435409] do_output+0x60/0x17c [openvswitch] +[ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch] +[ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch] +[ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch] +[ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch] +[ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch] +[ 128.471460] xmit_one.constprop.0+0xc4/0x200 +[ 128.476561] dev_hard_start_xmit+0x54/0xf0 +[ 128.481489] __dev_queue_xmit+0x968/0xc70 +[ 128.486330] dev_queue_xmit+0x1c/0x40 +[ 128.490856] ip_finish_output2+0x250/0x570 +[ 128.495810] __ip_finish_output+0x170/0x1e0 +[ 128.500832] ip_finish_output+0x3c/0xf0 +[ 128.505504] ip_output+0xbc/0x160 +[ 128.509654] ip_send_skb+0x58/0xd4 +[ 128.513892] udp_send_skb+0x12c/0x354 +[ 128.518387] udp_sendmsg+0x7a8/0x9c0 +[ 128.522793] inet_sendmsg+0x4c/0x8c +[ 128.527116] __sock_sendmsg+0x48/0x80 +[ 128.531609] __sys_sendto+0x124/0x164 +[ 128.536099] __arm64_sys_sendto+0x30/0x5c +[ 128.540935] invoke_syscall+0x50/0x130 +[ 128.545508] el0_svc_common.constprop.0+0x10c/0x124 +[ 128.551205] do_el0_svc+0x34/0xdc +[ 128.555347] el0_svc+0x20/0x30 +[ 128.559227] el0_sync_handler+0xb8/0xc0 +[ 128.563883] el0_sync+0x160/0x180 + +Fixes: 0bf5eb788512 ("net: hns3: add support for PTP") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +index 507d7ce26d83..0ddf102c76f7 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c +@@ -58,6 +58,9 @@ bool hclge_ptp_set_tx_info(struct hnae3_handle *handle, struct sk_buff *skb) + struct hclge_dev *hdev = vport->back; + struct hclge_ptp *ptp = hdev->ptp; + ++ if (!ptp) ++ return false; ++ + if (!test_bit(HCLGE_PTP_FLAG_TX_EN, &ptp->flags) || + test_and_set_bit(HCLGE_STATE_PTP_TX_HANDLING, &hdev->state)) { + ptp->tx_skipped++; +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-fix-missing-features-due-to-dev-features-co.patch b/queue-6.6/net-hns3-fix-missing-features-due-to-dev-features-co.patch new file mode 100644 index 00000000000..69b1465d5ca --- /dev/null +++ b/queue-6.6/net-hns3-fix-missing-features-due-to-dev-features-co.patch @@ -0,0 +1,39 @@ +From 59411264b78e775eb2621549ae53822383e213e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:33 +0800 +Subject: net: hns3: fix missing features due to dev->features configuration + too early + +From: Hao Lan + +[ Upstream commit 662ecfc46690e92cf630f51b5d4bbbcffe102980 ] + +Currently, the netdev->features is configured in hns3_nic_set_features. +As a result, __netdev_update_features considers that there is no feature +difference, and the procedures of the real features are missing. + +Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver") +Signed-off-by: Hao Lan +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 14d086b535a2..bb9f34239278 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2456,7 +2456,6 @@ static int hns3_nic_set_features(struct net_device *netdev, + return ret; + } + +- netdev->features = features; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-fixed-hclge_fetch_pf_reg-accesses-bar-space.patch b/queue-6.6/net-hns3-fixed-hclge_fetch_pf_reg-accesses-bar-space.patch new file mode 100644 index 00000000000..4e747243e45 --- /dev/null +++ b/queue-6.6/net-hns3-fixed-hclge_fetch_pf_reg-accesses-bar-space.patch @@ -0,0 +1,115 @@ +From 37fb9ea98dc6ec323752308cfe9c835770e38dfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:37 +0800 +Subject: net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds + issue + +From: Hao Lan + +[ Upstream commit 3e22b7de34cbdb991a2c9c5413eeb8a6fb7da2a5 ] + +The TQP BAR space is divided into two segments. TQPs 0-1023 and TQPs +1024-1279 are in different BAR space addresses. However, +hclge_fetch_pf_reg does not distinguish the tqp space information when +reading the tqp space information. When the number of TQPs is greater +than 1024, access bar space overwriting occurs. +The problem of different segments has been considered during the +initialization of tqp.io_base. Therefore, tqp.io_base is directly used +when the queue is read in hclge_fetch_pf_reg. + +The error message: + +Unable to handle kernel paging request at virtual address ffff800037200000 +pc : hclge_fetch_pf_reg+0x138/0x250 [hclge] +lr : hclge_get_regs+0x84/0x1d0 [hclge] +Call trace: + hclge_fetch_pf_reg+0x138/0x250 [hclge] + hclge_get_regs+0x84/0x1d0 [hclge] + hns3_get_regs+0x2c/0x50 [hns3] + ethtool_get_regs+0xf4/0x270 + dev_ethtool+0x674/0x8a0 + dev_ioctl+0x270/0x36c + sock_do_ioctl+0x110/0x2a0 + sock_ioctl+0x2ac/0x530 + __arm64_sys_ioctl+0xa8/0x100 + invoke_syscall+0x4c/0x124 + el0_svc_common.constprop.0+0x140/0x15c + do_el0_svc+0x30/0xd0 + el0_svc+0x1c/0x2c + el0_sync_handler+0xb0/0xb4 + el0_sync+0x168/0x180 + +Fixes: 939ccd107ffc ("net: hns3: move dump regs function to a separate file") +Signed-off-by: Hao Lan +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c | 9 +++++---- + .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c | 9 +++++---- + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c +index 43c1c18fa81f..8c057192aae6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_regs.c +@@ -510,9 +510,9 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) + static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data, + struct hnae3_knic_private_info *kinfo) + { +-#define HCLGE_RING_REG_OFFSET 0x200 + #define HCLGE_RING_INT_REG_OFFSET 0x4 + ++ struct hnae3_queue *tqp; + int i, j, reg_num; + int data_num_sum; + u32 *reg = data; +@@ -533,10 +533,11 @@ static int hclge_fetch_pf_reg(struct hclge_dev *hdev, void *data, + reg_num = ARRAY_SIZE(ring_reg_addr_list); + for (j = 0; j < kinfo->num_tqps; j++) { + reg += hclge_reg_get_tlv(HCLGE_REG_TAG_RING, reg_num, reg); ++ tqp = kinfo->tqp[j]; + for (i = 0; i < reg_num; i++) +- *reg++ = hclge_read_dev(&hdev->hw, +- ring_reg_addr_list[i] + +- HCLGE_RING_REG_OFFSET * j); ++ *reg++ = readl_relaxed(tqp->io_base - ++ HCLGE_TQP_REG_OFFSET + ++ ring_reg_addr_list[i]); + } + data_num_sum += (reg_num + HCLGE_REG_TLV_SPACE) * kinfo->num_tqps; + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c +index 65b9dcd38137..6ecf936c79b2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_regs.c +@@ -123,10 +123,10 @@ int hclgevf_get_regs_len(struct hnae3_handle *handle) + void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version, + void *data) + { +-#define HCLGEVF_RING_REG_OFFSET 0x200 + #define HCLGEVF_RING_INT_REG_OFFSET 0x4 + + struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle); ++ struct hnae3_queue *tqp; + int i, j, reg_um; + u32 *reg = data; + +@@ -147,10 +147,11 @@ void hclgevf_get_regs(struct hnae3_handle *handle, u32 *version, + reg_um = sizeof(ring_reg_addr_list) / sizeof(u32); + for (j = 0; j < hdev->num_tqps; j++) { + reg += hclgevf_reg_get_tlv(HCLGEVF_REG_TAG_RING, reg_um, reg); ++ tqp = &hdev->htqp[j].q; + for (i = 0; i < reg_um; i++) +- *reg++ = hclgevf_read_dev(&hdev->hw, +- ring_reg_addr_list[i] + +- HCLGEVF_RING_REG_OFFSET * j); ++ *reg++ = readl_relaxed(tqp->io_base - ++ HCLGEVF_TQP_REG_OFFSET + ++ ring_reg_addr_list[i]); + } + + reg_um = sizeof(tqp_intr_reg_addr_list) / sizeof(u32); +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch b/queue-6.6/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch new file mode 100644 index 00000000000..d2141b3bf3b --- /dev/null +++ b/queue-6.6/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch @@ -0,0 +1,45 @@ +From 208faf518f9ebe2722db758140247893a69f028c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:36 +0800 +Subject: net: hns3: initialize reset_timer before hclgevf_misc_irq_init() + +From: Jian Shen + +[ Upstream commit d1c2e2961ab460ac2433ff8ad46000582abc573c ] + +Currently the misc irq is initialized before reset_timer setup. But +it will access the reset_timer in the irq handler. So initialize +the reset_timer earlier. + +Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index affdd9d70549..46163c2d7c7c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2252,6 +2252,7 @@ static void hclgevf_state_init(struct hclgevf_dev *hdev) + clear_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state); + + INIT_DELAYED_WORK(&hdev->service_task, hclgevf_service_task); ++ timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + mutex_init(&hdev->mbx_resp.mbx_mutex); + sema_init(&hdev->reset_sem, 1); +@@ -2948,7 +2949,6 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev) + HCLGEVF_DRIVER_NAME); + + hclgevf_task_schedule(hdev, round_jiffies_relative(HZ)); +- timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0); + + return 0; + +-- +2.39.5 + diff --git a/queue-6.6/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch b/queue-6.6/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch new file mode 100644 index 00000000000..547ccb3b4da --- /dev/null +++ b/queue-6.6/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch @@ -0,0 +1,47 @@ +From 02f7387120cf972c3ab0a6102c43ab545c03a239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 17:29:34 +0800 +Subject: net: hns3: Resolved the issue that the debugfs query result is + inconsistent. + +From: Hao Lan + +[ Upstream commit 2758f18a83ef283d50c0566d3f672621cc658a1a ] + +This patch modifies the implementation of debugfs: +When the user process stops unexpectedly, not all data of the file system +is read. In this case, the save_buf pointer is not released. When the user +process is called next time, save_buf is used to copy the cached data +to the user space. As a result, the queried data is inconsistent. To solve +this problem, determine whether the function is invoked for the first time +based on the value of *ppos. If *ppos is 0, obtain the actual data. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Hao Lan +Signed-off-by: Guangwei Zhang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 4f385a18d288..9dbb8e8d2a23 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1288,8 +1288,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer, + + /* save the buffer addr until the last read operation */ + *save_buf = read_buf; ++ } + +- /* get data ready for the first time to read */ ++ /* get data ready for the first time to read */ ++ if (!*ppos) { + ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd, + read_buf, hns3_dbg_cmd[index].buf_len); + if (ret) +-- +2.39.5 + diff --git a/queue-6.6/net-libwx-fix-firmware-mailbox-abnormal-return.patch b/queue-6.6/net-libwx-fix-firmware-mailbox-abnormal-return.patch new file mode 100644 index 00000000000..22eb9ec07ce --- /dev/null +++ b/queue-6.6/net-libwx-fix-firmware-mailbox-abnormal-return.patch @@ -0,0 +1,76 @@ +From 6939fa03dd2057ce417e1e97b3b93668859e11db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 16:10:13 +0800 +Subject: net: libwx: fix firmware mailbox abnormal return + +From: Jiawen Wu + +[ Upstream commit 8ce4f287524c74a118b0af1eebd4b24a8efca57a ] + +The existing SW-FW interaction flow on the driver is wrong. Follow this +wrong flow, driver would never return error if there is a unknown command. +Since firmware writes back 'firmware ready' and 'unknown command' in the +mailbox message if there is an unknown command sent by driver. So reading +'firmware ready' does not timeout. Then driver would mistakenly believe +that the interaction has completed successfully. + +It tends to happen with the use of custom firmware. Move the check for +'unknown command' out of the poll timeout for 'firmware ready'. And adjust +the debug log so that mailbox messages are always printed when commands +timeout. + +Fixes: 1efa9bfe58c5 ("net: libwx: Implement interaction with firmware") +Signed-off-by: Jiawen Wu +Link: https://patch.msgid.link/20250103081013.1995939-1-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/libwx/wx_hw.c | 24 ++++++++++------------ + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +index 52130df26aee..d6bc2309d2a3 100644 +--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +@@ -242,27 +242,25 @@ int wx_host_interface_command(struct wx *wx, u32 *buffer, + status = read_poll_timeout(rd32, hicr, hicr & WX_MNG_MBOX_CTL_FWRDY, 1000, + timeout * 1000, false, wx, WX_MNG_MBOX_CTL); + ++ buf[0] = rd32(wx, WX_MNG_MBOX); ++ if ((buf[0] & 0xff0000) >> 16 == 0x80) { ++ wx_err(wx, "Unknown FW command: 0x%x\n", buffer[0] & 0xff); ++ status = -EINVAL; ++ goto rel_out; ++ } ++ + /* Check command completion */ + if (status) { +- wx_dbg(wx, "Command has failed with no status valid.\n"); +- +- buf[0] = rd32(wx, WX_MNG_MBOX); +- if ((buffer[0] & 0xff) != (~buf[0] >> 24)) { +- status = -EINVAL; +- goto rel_out; +- } +- if ((buf[0] & 0xff0000) >> 16 == 0x80) { +- wx_dbg(wx, "It's unknown cmd.\n"); +- status = -EINVAL; +- goto rel_out; +- } +- ++ wx_err(wx, "Command has failed with no status valid.\n"); + wx_dbg(wx, "write value:\n"); + for (i = 0; i < dword_len; i++) + wx_dbg(wx, "%x ", buffer[i]); + wx_dbg(wx, "read value:\n"); + for (i = 0; i < dword_len; i++) + wx_dbg(wx, "%x ", buf[i]); ++ wx_dbg(wx, "\ncheck: %x %x\n", buffer[0] & 0xff, ~buf[0] >> 24); ++ ++ goto rel_out; + } + + if (!return_data) +-- +2.39.5 + diff --git a/queue-6.6/net-mlx5-fix-variable-not-being-completed-when-funct.patch b/queue-6.6/net-mlx5-fix-variable-not-being-completed-when-funct.patch new file mode 100644 index 00000000000..4a12381e9c6 --- /dev/null +++ b/queue-6.6/net-mlx5-fix-variable-not-being-completed-when-funct.patch @@ -0,0 +1,62 @@ +From 37313e9437a3459c417717bb67b12eb5ae65ca70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 11:00:09 +0800 +Subject: net/mlx5: Fix variable not being completed when function returns + +From: Chenguang Zhao + +[ Upstream commit 0e2909c6bec9048f49d0c8e16887c63b50b14647 ] + +When cmd_alloc_index(), fails cmd_work_handler() needs +to complete ent->slotted before returning early. +Otherwise the task which issued the command may hang: + + mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry + INFO: task kworker/13:2:4055883 blocked for more than 120 seconds. + Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + kworker/13:2 D 0 4055883 2 0x00000228 + Workqueue: events mlx5e_tx_dim_work [mlx5_core] + Call trace: + __switch_to+0xe8/0x150 + __schedule+0x2a8/0x9b8 + schedule+0x2c/0x88 + schedule_timeout+0x204/0x478 + wait_for_common+0x154/0x250 + wait_for_completion+0x28/0x38 + cmd_exec+0x7a0/0xa00 [mlx5_core] + mlx5_cmd_exec+0x54/0x80 [mlx5_core] + mlx5_core_modify_cq+0x6c/0x80 [mlx5_core] + mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core] + mlx5e_tx_dim_work+0x54/0x68 [mlx5_core] + process_one_work+0x1b0/0x448 + worker_thread+0x54/0x468 + kthread+0x134/0x138 + ret_from_fork+0x10/0x18 + +Fixes: 485d65e13571 ("net/mlx5: Add a timeout to acquire the command queue semaphore") +Signed-off-by: Chenguang Zhao +Reviewed-by: Moshe Shemesh +Acked-by: Tariq Toukan +Link: https://patch.msgid.link/20250108030009.68520-1-zhaochenguang@kylinos.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 80af0fc7101f..3e6bd27f6315 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1006,6 +1006,7 @@ static void cmd_work_handler(struct work_struct *work) + complete(&ent->done); + } + up(&cmd->vars.sem); ++ complete(&ent->slotted); + return; + } + } else { +-- +2.39.5 + diff --git a/queue-6.6/net-stmmac-dwmac-tegra-read-iommu-stream-id-from-dev.patch b/queue-6.6/net-stmmac-dwmac-tegra-read-iommu-stream-id-from-dev.patch new file mode 100644 index 00000000000..f812a0b43c8 --- /dev/null +++ b/queue-6.6/net-stmmac-dwmac-tegra-read-iommu-stream-id-from-dev.patch @@ -0,0 +1,217 @@ +From b888cf4a1fe4b0a8c42a4679881ec425ea586bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 16:24:59 -0500 +Subject: net: stmmac: dwmac-tegra: Read iommu stream id from device tree + +From: Parker Newman + +[ Upstream commit 426046e2d62dd19533808661e912b8e8a9eaec16 ] + +Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be +written to the MGBE_WRAP_AXI_ASID0_CTRL register. + +The current driver is hard coded to use MGBE0's SID for all controllers. +This causes softirq time outs and kernel panics when using controllers +other than MGBE0. + +Example dmesg errors when an ethernet cable is connected to MGBE1: + +[ 116.133290] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx +[ 121.851283] tegra-mgbe 6910000.ethernet eth1: NETDEV WATCHDOG: CPU: 5: transmit queue 0 timed out 5690 ms +[ 121.851782] tegra-mgbe 6910000.ethernet eth1: Reset adapter. +[ 121.892464] tegra-mgbe 6910000.ethernet eth1: Register MEM_TYPE_PAGE_POOL RxQ-0 +[ 121.905920] tegra-mgbe 6910000.ethernet eth1: PHY [stmmac-1:00] driver [Aquantia AQR113] (irq=171) +[ 121.907356] tegra-mgbe 6910000.ethernet eth1: Enabling Safety Features +[ 121.907578] tegra-mgbe 6910000.ethernet eth1: IEEE 1588-2008 Advanced Timestamp supported +[ 121.908399] tegra-mgbe 6910000.ethernet eth1: registered PTP clock +[ 121.908582] tegra-mgbe 6910000.ethernet eth1: configuring for phy/10gbase-r link mode +[ 125.961292] tegra-mgbe 6910000.ethernet eth1: Link is Up - 1Gbps/Full - flow control rx/tx +[ 181.921198] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: +[ 181.921404] rcu: 7-....: (1 GPs behind) idle=540c/1/0x4000000000000002 softirq=1748/1749 fqs=2337 +[ 181.921684] rcu: (detected by 4, t=6002 jiffies, g=1357, q=1254 ncpus=8) +[ 181.921878] Sending NMI from CPU 4 to CPUs 7: +[ 181.921886] NMI backtrace for cpu 7 +[ 181.922131] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 +[ 181.922390] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 +[ 181.922658] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 181.922847] pc : handle_softirqs+0x98/0x368 +[ 181.922978] lr : __do_softirq+0x18/0x20 +[ 181.923095] sp : ffff80008003bf50 +[ 181.923189] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 +[ 181.923379] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 +[ 181.924486] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 +[ 181.925568] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 +[ 181.926655] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 +[ 181.931455] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d +[ 181.938628] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 +[ 181.945804] x8 : ffff8000827b3160 x7 : f9157b241586f343 x6 : eeb6502a01c81c74 +[ 181.953068] x5 : a4acfcdd2e8096bb x4 : ffffce78ea277340 x3 : 00000000ffffd1e1 +[ 181.960329] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 +[ 181.967591] Call trace: +[ 181.970043] handle_softirqs+0x98/0x368 (P) +[ 181.974240] __do_softirq+0x18/0x20 +[ 181.977743] ____do_softirq+0x14/0x28 +[ 181.981415] call_on_irq_stack+0x24/0x30 +[ 181.985180] do_softirq_own_stack+0x20/0x30 +[ 181.989379] __irq_exit_rcu+0x114/0x140 +[ 181.993142] irq_exit_rcu+0x14/0x28 +[ 181.996816] el1_interrupt+0x44/0xb8 +[ 182.000316] el1h_64_irq_handler+0x14/0x20 +[ 182.004343] el1h_64_irq+0x80/0x88 +[ 182.007755] cpuidle_enter_state+0xc4/0x4a8 (P) +[ 182.012305] cpuidle_enter+0x3c/0x58 +[ 182.015980] cpuidle_idle_call+0x128/0x1c0 +[ 182.020005] do_idle+0xe0/0xf0 +[ 182.023155] cpu_startup_entry+0x3c/0x48 +[ 182.026917] secondary_start_kernel+0xdc/0x120 +[ 182.031379] __secondary_switched+0x74/0x78 +[ 212.971162] rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 7-.... } 6103 jiffies s: 417 root: 0x80/. +[ 212.985935] rcu: blocking rcu_node structures (internal RCU debug): +[ 212.992758] Sending NMI from CPU 0 to CPUs 7: +[ 212.998539] NMI backtrace for cpu 7 +[ 213.004304] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Kdump: loaded Not tainted 6.13.0-rc3+ #6 +[ 213.016116] Hardware name: NVIDIA CTI Forge + Orin AGX/Jetson, BIOS 202402.1-Unknown 10/28/2024 +[ 213.030817] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 213.040528] pc : handle_softirqs+0x98/0x368 +[ 213.046563] lr : __do_softirq+0x18/0x20 +[ 213.051293] sp : ffff80008003bf50 +[ 213.055839] x29: ffff80008003bf50 x28: 0000000000000008 x27: 0000000000000000 +[ 213.067304] x26: ffffce78ea277000 x25: 0000000000000000 x24: 0000001c61befda0 +[ 213.077014] x23: 0000000060400009 x22: ffffce78e99918bc x21: ffff80008018bd70 +[ 213.087339] x20: ffffce78e8bb00d8 x19: ffff80008018bc20 x18: 0000000000000000 +[ 213.097313] x17: ffff318ebe7d3000 x16: ffff800080038000 x15: 0000000000000000 +[ 213.107201] x14: ffff000080816680 x13: ffff318ebe7d3000 x12: 000000003464d91d +[ 213.116651] x11: 0000000000000040 x10: ffff000080165a70 x9 : ffffce78e8bb0160 +[ 213.127500] x8 : ffff8000827b3160 x7 : 0a37b344852820af x6 : 3f049caedd1ff608 +[ 213.138002] x5 : cff7cfdbfaf31291 x4 : ffffce78ea277340 x3 : 00000000ffffde04 +[ 213.150428] x2 : 0000000000000101 x1 : ffffce78ea277340 x0 : ffff318ebe7d3000 +[ 213.162063] Call trace: +[ 213.165494] handle_softirqs+0x98/0x368 (P) +[ 213.171256] __do_softirq+0x18/0x20 +[ 213.177291] ____do_softirq+0x14/0x28 +[ 213.182017] call_on_irq_stack+0x24/0x30 +[ 213.186565] do_softirq_own_stack+0x20/0x30 +[ 213.191815] __irq_exit_rcu+0x114/0x140 +[ 213.196891] irq_exit_rcu+0x14/0x28 +[ 213.202401] el1_interrupt+0x44/0xb8 +[ 213.207741] el1h_64_irq_handler+0x14/0x20 +[ 213.213519] el1h_64_irq+0x80/0x88 +[ 213.217541] cpuidle_enter_state+0xc4/0x4a8 (P) +[ 213.224364] cpuidle_enter+0x3c/0x58 +[ 213.228653] cpuidle_idle_call+0x128/0x1c0 +[ 213.233993] do_idle+0xe0/0xf0 +[ 213.237928] cpu_startup_entry+0x3c/0x48 +[ 213.243791] secondary_start_kernel+0xdc/0x120 +[ 213.249830] __secondary_switched+0x74/0x78 + +This bug has existed since the dwmac-tegra driver was added in Dec 2022 +(See Fixes tag below for commit hash). + +The Tegra234 SOC has 4 MGBE controllers, however Nvidia's Developer Kit +only uses MGBE0 which is why the bug was not found previously. Connect Tech +has many products that use 2 (or more) MGBE controllers. + +The solution is to read the controller's SID from the existing "iommus" +device tree property. The 2nd field of the "iommus" device tree property +is the controller's SID. + +Device tree snippet from tegra234.dtsi showing MGBE1's "iommus" property: + +smmu_niso0: iommu@12000000 { + compatible = "nvidia,tegra234-smmu", "nvidia,smmu-500"; +... +} + +/* MGBE1 */ +ethernet@6900000 { + compatible = "nvidia,tegra234-mgbe"; +... + iommus = <&smmu_niso0 TEGRA234_SID_MGBE_VF1>; +... +} + +Nvidia's arm-smmu driver reads the "iommus" property and stores the SID in +the MGBE device's "fwspec" struct. The dwmac-tegra driver can access the +SID using the tegra_dev_iommu_get_stream_id() helper function found in +linux/iommu.h. + +Calling tegra_dev_iommu_get_stream_id() should not fail unless the "iommus" +property is removed from the device tree or the IOMMU is disabled. + +While the Tegra234 SOC technically supports bypassing the IOMMU, it is not +supported by the current firmware, has not been tested and not recommended. +More detailed discussion with Thierry Reding from Nvidia linked below. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Link: https://lore.kernel.org/netdev/cover.1731685185.git.pnewman@connecttech.com +Signed-off-by: Parker Newman +Reviewed-by: Andrew Lunn +Acked-by: Thierry Reding +Link: https://patch.msgid.link/6fb97f32cf4accb4f7cf92846f6b60064ba0a3bd.1736284360.git.pnewman@connecttech.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index e2d61a3a7712..760405b805f4 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0-only ++#include + #include + #include + #include +@@ -19,6 +20,8 @@ struct tegra_mgbe { + struct reset_control *rst_mac; + struct reset_control *rst_pcs; + ++ u32 iommu_sid; ++ + void __iomem *hv; + void __iomem *regs; + void __iomem *xpcs; +@@ -50,7 +53,6 @@ struct tegra_mgbe { + #define MGBE_WRAP_COMMON_INTR_ENABLE 0x8704 + #define MAC_SBD_INTR BIT(2) + #define MGBE_WRAP_AXI_ASID0_CTRL 0x8400 +-#define MGBE_SID 0x6 + + static int __maybe_unused tegra_mgbe_suspend(struct device *dev) + { +@@ -84,7 +86,7 @@ static int __maybe_unused tegra_mgbe_resume(struct device *dev) + writel(MAC_SBD_INTR, mgbe->regs + MGBE_WRAP_COMMON_INTR_ENABLE); + + /* Program SID */ +- writel(MGBE_SID, mgbe->hv + MGBE_WRAP_AXI_ASID0_CTRL); ++ writel(mgbe->iommu_sid, mgbe->hv + MGBE_WRAP_AXI_ASID0_CTRL); + + value = readl(mgbe->xpcs + XPCS_WRAP_UPHY_STATUS); + if ((value & XPCS_WRAP_UPHY_STATUS_TX_P_UP) == 0) { +@@ -241,6 +243,12 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + if (IS_ERR(mgbe->xpcs)) + return PTR_ERR(mgbe->xpcs); + ++ /* get controller's stream id from iommu property in device tree */ ++ if (!tegra_dev_iommu_get_stream_id(mgbe->dev, &mgbe->iommu_sid)) { ++ dev_err(mgbe->dev, "failed to get iommu stream id\n"); ++ return -EINVAL; ++ } ++ + res.addr = mgbe->regs; + res.irq = irq; + +@@ -346,7 +354,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + writel(MAC_SBD_INTR, mgbe->regs + MGBE_WRAP_COMMON_INTR_ENABLE); + + /* Program SID */ +- writel(MGBE_SID, mgbe->hv + MGBE_WRAP_AXI_ASID0_CTRL); ++ writel(mgbe->iommu_sid, mgbe->hv + MGBE_WRAP_AXI_ASID0_CTRL); + + plat->flags |= STMMAC_FLAG_SERDES_UP_AFTER_PHY_LINKUP; + +-- +2.39.5 + diff --git a/queue-6.6/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch b/queue-6.6/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch new file mode 100644 index 00000000000..8b917102cf4 --- /dev/null +++ b/queue-6.6/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch @@ -0,0 +1,74 @@ +From 940302bc53c925cadde03f32723b2ac31ba29537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 10:45:46 +0000 +Subject: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute + +From: Eric Dumazet + +[ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ] + +syzbot found that TCA_FLOW_RSHIFT attribute was not validated. +Right shitfing a 32bit integer is undefined for large shift values. + +UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 +shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1771 [inline] + tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867 + sfb_classify net/sched/sch_sfb.c:260 [inline] + sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318 + dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793 + __dev_xmit_skb net/core/dev.c:3889 [inline] + __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400 + dev_queue_xmit include/linux/netdevice.h:3168 [inline] + neigh_hh_output include/net/neighbour.h:523 [inline] + neigh_output include/net/neighbour.h:537 [inline] + ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 + iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82 + udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173 + geneve_xmit_skb drivers/net/geneve.c:916 [inline] + geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039 + __netdev_start_xmit include/linux/netdevice.h:5002 [inline] + netdev_start_xmit include/linux/netdevice.h:5011 [inline] + xmit_one net/core/dev.c:3590 [inline] + dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606 + __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434 + +Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier") +Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_flow.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c +index 6ab317b48d6c..815216b564f3 100644 +--- a/net/sched/cls_flow.c ++++ b/net/sched/cls_flow.c +@@ -356,7 +356,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = { + [TCA_FLOW_KEYS] = { .type = NLA_U32 }, + [TCA_FLOW_MODE] = { .type = NLA_U32 }, + [TCA_FLOW_BASECLASS] = { .type = NLA_U32 }, +- [TCA_FLOW_RSHIFT] = { .type = NLA_U32 }, ++ [TCA_FLOW_RSHIFT] = NLA_POLICY_MAX(NLA_U32, ++ 31 /* BITS_PER_U32 - 1 */), + [TCA_FLOW_ADDEND] = { .type = NLA_U32 }, + [TCA_FLOW_MASK] = { .type = NLA_U32 }, + [TCA_FLOW_XOR] = { .type = NLA_U32 }, +-- +2.39.5 + diff --git a/queue-6.6/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch b/queue-6.6/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch new file mode 100644 index 00000000000..b3140cc67a2 --- /dev/null +++ b/queue-6.6/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch @@ -0,0 +1,48 @@ +From f678ba1f8aee674b849d43e537e309cdf3ae85d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 22:56:33 +0100 +Subject: netfilter: conntrack: clamp maximum hashtable size to INT_MAX + +From: Pablo Neira Ayuso + +[ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ] + +Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it +is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when +resizing hashtable because __GFP_NOWARN is unset. See: + + 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") + +Note: hashtable resize is only possible from init_netns. + +Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index e4ae2a08da6a..34ad5975fbf3 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -2568,12 +2568,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) + struct hlist_nulls_head *hash; + unsigned int nr_slots, i; + +- if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head))) ++ if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head))) + return NULL; + + BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head)); + nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head)); + ++ if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head))) ++ return NULL; ++ + hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL); + + if (hash && nulls) +-- +2.39.5 + diff --git a/queue-6.6/netfilter-nf_tables-imbalance-in-flowtable-binding.patch b/queue-6.6/netfilter-nf_tables-imbalance-in-flowtable-binding.patch new file mode 100644 index 00000000000..7f4c76a92d9 --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-imbalance-in-flowtable-binding.patch @@ -0,0 +1,117 @@ +From b3bb40c6761b84991c78dae6d7e6873e25863135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 13:01:13 +0100 +Subject: netfilter: nf_tables: imbalance in flowtable binding + +From: Pablo Neira Ayuso + +[ Upstream commit 13210fc63f353fe78584048079343413a3cdf819 ] + +All these cases cause imbalance between BIND and UNBIND calls: + +- Delete an interface from a flowtable with multiple interfaces + +- Add a (device to a) flowtable with --check flag + +- Delete a netns containing a flowtable + +- In an interactive nft session, create a table with owner flag and + flowtable inside, then quit. + +Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then +remove late FLOW_BLOCK_UNBIND call when destroying flowtable. + +Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()") +Reported-by: Phil Sutter +Tested-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a110aad45fe4..1d1e998acd67 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8375,6 +8375,7 @@ static void nft_unregister_flowtable_hook(struct net *net, + } + + static void __nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list, + bool release_netdev) + { +@@ -8382,6 +8383,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + + list_for_each_entry_safe(hook, next, hook_list, list) { + nf_unregister_net_hook(net, &hook->ops); ++ flowtable->data.type->setup(&flowtable->data, hook->ops.dev, ++ FLOW_BLOCK_UNBIND); + if (release_netdev) { + list_del(&hook->list); + kfree_rcu(hook, rcu); +@@ -8390,9 +8393,10 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, + } + + static void nft_unregister_flowtable_net_hooks(struct net *net, ++ struct nft_flowtable *flowtable, + struct list_head *hook_list) + { +- __nft_unregister_flowtable_net_hooks(net, hook_list, false); ++ __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false); + } + + static int nft_register_flowtable_net_hooks(struct net *net, +@@ -9028,8 +9032,6 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) + + flowtable->data.type->free(&flowtable->data); + list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { +- flowtable->data.type->setup(&flowtable->data, hook->ops.dev, +- FLOW_BLOCK_UNBIND); + list_del_rcu(&hook->list); + kfree_rcu(hook, rcu); + } +@@ -10399,6 +10401,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + &nft_trans_flowtable_hooks(trans), + trans->msg_type); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + list_del_rcu(&nft_trans_flowtable(trans)->list); +@@ -10407,6 +10410,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + NULL, + trans->msg_type); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -10659,11 +10663,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + case NFT_MSG_NEWFLOWTABLE: + if (nft_trans_flowtable_update(trans)) { + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable_hooks(trans)); + } else { + nft_use_dec_restore(&trans->ctx.table->use); + list_del_rcu(&nft_trans_flowtable(trans)->list); + nft_unregister_flowtable_net_hooks(net, ++ nft_trans_flowtable(trans), + &nft_trans_flowtable(trans)->hook_list); + } + break; +@@ -11224,7 +11230,8 @@ static void __nft_release_hook(struct net *net, struct nft_table *table) + list_for_each_entry(chain, &table->chains, list) + __nf_tables_unregister_hook(net, table, chain, true); + list_for_each_entry(flowtable, &table->flowtables, list) +- __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, ++ __nft_unregister_flowtable_net_hooks(net, flowtable, ++ &flowtable->hook_list, + true); + } + +-- +2.39.5 + diff --git a/queue-6.6/pds_core-limit-loop-over-fw-name-list.patch b/queue-6.6/pds_core-limit-loop-over-fw-name-list.patch new file mode 100644 index 00000000000..e3bb6369a9e --- /dev/null +++ b/queue-6.6/pds_core-limit-loop-over-fw-name-list.patch @@ -0,0 +1,42 @@ +From 62dcb6a0bdec045fc4263507c806639f73dc6b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 11:51:47 -0800 +Subject: pds_core: limit loop over fw name list + +From: Shannon Nelson + +[ Upstream commit 8c817eb26230dc0ae553cee16ff43a4a895f6756 ] + +Add an array size limit to the for-loop to be sure we don't try +to reference a fw_version string off the end of the fw info names +array. We know that our firmware only has a limited number +of firmware slot names, but we shouldn't leave this unchecked. + +Fixes: 45d76f492938 ("pds_core: set up device and adminq") +Signed-off-by: Shannon Nelson +Reviewed-by: Simon Horman +Reviewed-by: Brett Creeley +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250103195147.7408-1-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/pds_core/devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/pds_core/devlink.c b/drivers/net/ethernet/amd/pds_core/devlink.c +index d8218bb153d9..971d4278280d 100644 +--- a/drivers/net/ethernet/amd/pds_core/devlink.c ++++ b/drivers/net/ethernet/amd/pds_core/devlink.c +@@ -117,7 +117,7 @@ int pdsc_dl_info_get(struct devlink *dl, struct devlink_info_req *req, + if (err && err != -EIO) + return err; + +- listlen = fw_list.num_fw_slots; ++ listlen = min(fw_list.num_fw_slots, ARRAY_SIZE(fw_list.fw_names)); + for (i = 0; i < listlen; i++) { + if (i < ARRAY_SIZE(fw_slotnames)) + strscpy(buf, fw_slotnames[i], sizeof(buf)); +-- +2.39.5 + diff --git a/queue-6.6/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch b/queue-6.6/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch new file mode 100644 index 00000000000..7f232690f95 --- /dev/null +++ b/queue-6.6/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch @@ -0,0 +1,290 @@ +From 2af9b7bd278c9588a0a3d7e41b1745bd40c3123a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 13:01:05 +0100 +Subject: sched: sch_cake: add bounds checks to host bulk flow fairness counts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 737d4d91d35b5f7fa5bb442651472277318b0bfd ] + +Even though we fixed a logic error in the commit cited below, syzbot +still managed to trigger an underflow of the per-host bulk flow +counters, leading to an out of bounds memory access. + +To avoid any such logic errors causing out of bounds memory accesses, +this commit factors out all accesses to the per-host bulk flow counters +to a series of helpers that perform bounds-checking before any +increments and decrements. This also has the benefit of improving +readability by moving the conditional checks for the flow mode into +these helpers, instead of having them spread out throughout the +code (which was the cause of the original logic error). + +As part of this change, the flow quantum calculation is consolidated +into a helper function, which means that the dithering applied to the +ost load scaling is now applied both in the DRR rotation and when a +sparse flow's quantum is first initiated. The only user-visible effect +of this is that the maximum packet size that can be sent while a flow +stays sparse will now vary with +/- one byte in some cases. This should +not make a noticeable difference in practice, and thus it's not worth +complicating the code to preserve the old behaviour. + +Fixes: 546ea84d07e3 ("sched: sch_cake: fix bulk flow accounting logic for host fairness") +Reported-by: syzbot+f63600d288bfb7057424@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Dave Taht +Link: https://patch.msgid.link/20250107120105.70685-1-toke@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 140 +++++++++++++++++++++++-------------------- + 1 file changed, 75 insertions(+), 65 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index a65fad45d556..09242578dac5 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -644,6 +644,63 @@ static bool cake_ddst(int flow_mode) + return (flow_mode & CAKE_FLOW_DUAL_DST) == CAKE_FLOW_DUAL_DST; + } + ++static void cake_dec_srchost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_dsrc(flow_mode) && ++ q->hosts[flow->srchost].srchost_bulk_flow_count)) ++ q->hosts[flow->srchost].srchost_bulk_flow_count--; ++} ++ ++static void cake_inc_srchost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_dsrc(flow_mode) && ++ q->hosts[flow->srchost].srchost_bulk_flow_count < CAKE_QUEUES)) ++ q->hosts[flow->srchost].srchost_bulk_flow_count++; ++} ++ ++static void cake_dec_dsthost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_ddst(flow_mode) && ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count)) ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count--; ++} ++ ++static void cake_inc_dsthost_bulk_flow_count(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ if (likely(cake_ddst(flow_mode) && ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count < CAKE_QUEUES)) ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count++; ++} ++ ++static u16 cake_get_flow_quantum(struct cake_tin_data *q, ++ struct cake_flow *flow, ++ int flow_mode) ++{ ++ u16 host_load = 1; ++ ++ if (cake_dsrc(flow_mode)) ++ host_load = max(host_load, ++ q->hosts[flow->srchost].srchost_bulk_flow_count); ++ ++ if (cake_ddst(flow_mode)) ++ host_load = max(host_load, ++ q->hosts[flow->dsthost].dsthost_bulk_flow_count); ++ ++ /* The get_random_u16() is a way to apply dithering to avoid ++ * accumulating roundoff errors ++ */ ++ return (q->flow_quantum * quantum_div[host_load] + ++ get_random_u16()) >> 16; ++} ++ + static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + int flow_mode, u16 flow_override, u16 host_override) + { +@@ -790,10 +847,8 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + allocate_dst = cake_ddst(flow_mode); + + if (q->flows[outer_hash + k].set == CAKE_SET_BULK) { +- if (allocate_src) +- q->hosts[q->flows[reduced_hash].srchost].srchost_bulk_flow_count--; +- if (allocate_dst) +- q->hosts[q->flows[reduced_hash].dsthost].dsthost_bulk_flow_count--; ++ cake_dec_srchost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode); ++ cake_dec_dsthost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode); + } + found: + /* reserve queue for future packets in same flow */ +@@ -818,9 +873,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + q->hosts[outer_hash + k].srchost_tag = srchost_hash; + found_src: + srchost_idx = outer_hash + k; +- if (q->flows[reduced_hash].set == CAKE_SET_BULK) +- q->hosts[srchost_idx].srchost_bulk_flow_count++; + q->flows[reduced_hash].srchost = srchost_idx; ++ ++ if (q->flows[reduced_hash].set == CAKE_SET_BULK) ++ cake_inc_srchost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode); + } + + if (allocate_dst) { +@@ -841,9 +897,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb, + q->hosts[outer_hash + k].dsthost_tag = dsthost_hash; + found_dst: + dsthost_idx = outer_hash + k; +- if (q->flows[reduced_hash].set == CAKE_SET_BULK) +- q->hosts[dsthost_idx].dsthost_bulk_flow_count++; + q->flows[reduced_hash].dsthost = dsthost_idx; ++ ++ if (q->flows[reduced_hash].set == CAKE_SET_BULK) ++ cake_inc_dsthost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode); + } + } + +@@ -1856,10 +1913,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + /* flowchain */ + if (!flow->set || flow->set == CAKE_SET_DECAYING) { +- struct cake_host *srchost = &b->hosts[flow->srchost]; +- struct cake_host *dsthost = &b->hosts[flow->dsthost]; +- u16 host_load = 1; +- + if (!flow->set) { + list_add_tail(&flow->flowchain, &b->new_flows); + } else { +@@ -1869,18 +1922,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + flow->set = CAKE_SET_SPARSE; + b->sparse_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- host_load = max(host_load, srchost->srchost_bulk_flow_count); +- +- if (cake_ddst(q->flow_mode)) +- host_load = max(host_load, dsthost->dsthost_bulk_flow_count); +- +- flow->deficit = (b->flow_quantum * +- quantum_div[host_load]) >> 16; ++ flow->deficit = cake_get_flow_quantum(b, flow, q->flow_mode); + } else if (flow->set == CAKE_SET_SPARSE_WAIT) { +- struct cake_host *srchost = &b->hosts[flow->srchost]; +- struct cake_host *dsthost = &b->hosts[flow->dsthost]; +- + /* this flow was empty, accounted as a sparse flow, but actually + * in the bulk rotation. + */ +@@ -1888,12 +1931,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + b->sparse_flow_count--; + b->bulk_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count++; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count++; +- ++ cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode); + } + + if (q->buffer_used > q->buffer_max_used) +@@ -1950,13 +1989,11 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + { + struct cake_sched_data *q = qdisc_priv(sch); + struct cake_tin_data *b = &q->tins[q->cur_tin]; +- struct cake_host *srchost, *dsthost; + ktime_t now = ktime_get(); + struct cake_flow *flow; + struct list_head *head; + bool first_flow = true; + struct sk_buff *skb; +- u16 host_load; + u64 delay; + u32 len; + +@@ -2056,11 +2093,6 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + q->cur_flow = flow - b->flows; + first_flow = false; + +- /* triple isolation (modified DRR++) */ +- srchost = &b->hosts[flow->srchost]; +- dsthost = &b->hosts[flow->dsthost]; +- host_load = 1; +- + /* flow isolation (DRR++) */ + if (flow->deficit <= 0) { + /* Keep all flows with deficits out of the sparse and decaying +@@ -2072,11 +2104,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + b->sparse_flow_count--; + b->bulk_flow_count++; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count++; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count++; ++ cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode); + + flow->set = CAKE_SET_BULK; + } else { +@@ -2088,19 +2117,7 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + } + } + +- if (cake_dsrc(q->flow_mode)) +- host_load = max(host_load, srchost->srchost_bulk_flow_count); +- +- if (cake_ddst(q->flow_mode)) +- host_load = max(host_load, dsthost->dsthost_bulk_flow_count); +- +- WARN_ON(host_load > CAKE_QUEUES); +- +- /* The get_random_u16() is a way to apply dithering to avoid +- * accumulating roundoff errors +- */ +- flow->deficit += (b->flow_quantum * quantum_div[host_load] + +- get_random_u16()) >> 16; ++ flow->deficit += cake_get_flow_quantum(b, flow, q->flow_mode); + list_move_tail(&flow->flowchain, &b->old_flows); + + goto retry; +@@ -2124,11 +2141,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + if (flow->set == CAKE_SET_BULK) { + b->bulk_flow_count--; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count--; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count--; ++ cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode); + + b->decaying_flow_count++; + } else if (flow->set == CAKE_SET_SPARSE || +@@ -2146,12 +2160,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch) + else if (flow->set == CAKE_SET_BULK) { + b->bulk_flow_count--; + +- if (cake_dsrc(q->flow_mode)) +- srchost->srchost_bulk_flow_count--; +- +- if (cake_ddst(q->flow_mode)) +- dsthost->dsthost_bulk_flow_count--; +- ++ cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode); ++ cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode); + } else + b->decaying_flow_count--; + +-- +2.39.5 + diff --git a/queue-6.6/series b/queue-6.6/series index 8d2b0e0ecbf..887110d5a74 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -15,3 +15,34 @@ erofs-fix-psi-memstall-accounting.patch asoc-rt722-add-delay-time-to-wait-for-the-calibratio.patch asoc-mediatek-disable-buffer-pre-allocation.patch selftests-alsa-fix-circular-dependency-involving-glo.patch +ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch +net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch +tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch +tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch +net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch +net-libwx-fix-firmware-mailbox-abnormal-return.patch +btrfs-avoid-null-pointer-dereference-if-no-valid-ext.patch +pds_core-limit-loop-over-fw-name-list.patch +bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch +cxgb4-avoid-removal-of-uninserted-tid.patch +ice-fix-incorrect-phy-settings-for-100-gb-s.patch +igc-field-get-conversion.patch +igc-return-early-when-failing-to-read-eecd-register.patch +tls-fix-tls_sw_sendmsg-error-handling.patch +ipvlan-fix-use-after-free-in-ipvlan_get_iflink.patch +eth-gve-use-appropriate-helper-to-set-xdp_features.patch +bluetooth-hci_sync-fix-not-setting-random-address-wh.patch +bluetooth-mgmt-fix-add-device-to-responding-before-c.patch +bluetooth-btnxpuart-fix-driver-sending-truncated-dat.patch +tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch +net-hns3-fix-missing-features-due-to-dev-features-co.patch +net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch +net-hns3-don-t-auto-enable-misc-vector.patch +net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch +net-hns3-fixed-hclge_fetch_pf_reg-accesses-bar-space.patch +net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch +netfilter-nf_tables-imbalance-in-flowtable-binding.patch +netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch +sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch +net-stmmac-dwmac-tegra-read-iommu-stream-id-from-dev.patch +net-mlx5-fix-variable-not-being-completed-when-funct.patch diff --git a/queue-6.6/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch b/queue-6.6/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch new file mode 100644 index 00000000000..615c10ec7fa --- /dev/null +++ b/queue-6.6/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch @@ -0,0 +1,40 @@ +From 213fce72c2d4760f17a9d4252b5ed6e1d055c4c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 11:14:39 +0100 +Subject: tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset + +From: Daniel Borkmann + +[ Upstream commit 80fb40baba19e25a1b6f3ecff6fc5c0171806bde ] + +This is a follow-up to 3c5b4d69c358 ("net: annotate data-races around +sk->sk_mark"). sk->sk_mark can be read and written without holding +the socket lock. IPv6 equivalent is already covered with READ_ONCE() +annotation in tcp_v6_send_response(). + +Fixes: 3c5b4d69c358 ("net: annotate data-races around sk->sk_mark") +Signed-off-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/f459d1fc44f205e13f6d8bdca2c8bfb9902ffac9.1736244569.git.daniel@iogearbox.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index df3ddf31f8e6..705320f160ac 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -832,7 +832,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + sock_net_set(ctl_sk, net); + if (sk) { + ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ? +- inet_twsk(sk)->tw_mark : sk->sk_mark; ++ inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark); + ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ? + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); +-- +2.39.5 + diff --git a/queue-6.6/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch b/queue-6.6/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch new file mode 100644 index 00000000000..98d8b09bb4d --- /dev/null +++ b/queue-6.6/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch @@ -0,0 +1,47 @@ +From 280917575802dc088efbf6fa0984671116c964e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:14:26 +0000 +Subject: tcp/dccp: allow a connection when sk_max_ack_backlog is zero + +From: Zhongqiu Duan + +[ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ] + +If the backlog of listen() is set to zero, sk_acceptq_is_full() allows +one connection to be made, but inet_csk_reqsk_queue_is_full() does not. +When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full() +will cause an immediate drop before the sk_acceptq_is_full() check in +tcp_conn_request(), resulting in no connection can be made. + +This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert +incorrect accept queue backlog changes."). + +Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/ +Fixes: ef547f2ac16b ("tcp: remove max_qlen_log") +Signed-off-by: Zhongqiu Duan +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 7b5e783ea24d..e85834722b8f 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -282,7 +282,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); ++ return inet_csk_reqsk_queue_len(sk) > READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-6.6/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch b/queue-6.6/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch new file mode 100644 index 00000000000..354e544b0e1 --- /dev/null +++ b/queue-6.6/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch @@ -0,0 +1,40 @@ +From e1a8f9816b18db742f8ba1dab14d186b3f896654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 17:05:21 +0800 +Subject: tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog + +From: Jason Xing + +[ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ] + +Since commit 099ecf59f05b ("net: annotate lockless accesses to +sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog +locklessly, there is one more function mostly called in TCP/DCCP +cases. So this patch completes it:) + +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240331090521.71965-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero") +Signed-off-by: Sasha Levin +--- + include/net/inet_connection_sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index fee1e5650551..7b5e783ea24d 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -282,7 +282,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) + + static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) + { +- return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; ++ return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog); + } + + bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req); +-- +2.39.5 + diff --git a/queue-6.6/tls-fix-tls_sw_sendmsg-error-handling.patch b/queue-6.6/tls-fix-tls_sw_sendmsg-error-handling.patch new file mode 100644 index 00000000000..ca1f7a503d4 --- /dev/null +++ b/queue-6.6/tls-fix-tls_sw_sendmsg-error-handling.patch @@ -0,0 +1,46 @@ +From 0611b622967cd508013ed5cb7251d76f8d3860c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 10:29:45 -0500 +Subject: tls: Fix tls_sw_sendmsg error handling + +From: Benjamin Coddington + +[ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ] + +We've noticed that NFS can hang when using RPC over TLS on an unstable +connection, and investigation shows that the RPC layer is stuck in a tight +loop attempting to transmit, but forever getting -EBADMSG back from the +underlying network. The loop begins when tcp_sendmsg_locked() returns +-EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when +calling the socket's error reporting handler. + +Instead of converting errors from tcp_sendmsg_locked(), let's pass them +along in this path. The RPC layer handles -EPIPE by reconnecting the +transport, which prevents the endless attempts to transmit on a broken +connection. + +Signed-off-by: Benjamin Coddington +Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") +Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index df166f6afad8..6e30fe879d53 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -458,7 +458,7 @@ int tls_tx_records(struct sock *sk, int flags) + + tx_err: + if (rc < 0 && rc != -EAGAIN) +- tls_err_abort(sk, -EBADMSG); ++ tls_err_abort(sk, rc); + + return rc; + } +-- +2.39.5 +