From: Sasha Levin Date: Sat, 14 Oct 2023 12:58:43 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.1.58~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8b38fbe58362c007de19f88378c6d47e6e27092f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/bpf-fix-verifier-log-for-async-callback-return-value.patch b/queue-5.15/bpf-fix-verifier-log-for-async-callback-return-value.patch new file mode 100644 index 00000000000..f3c84f9d99c --- /dev/null +++ b/queue-5.15/bpf-fix-verifier-log-for-async-callback-return-value.patch @@ -0,0 +1,60 @@ +From 68d240c535beb5315ce604406dbcc1370f50c3af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 11:14:13 -0500 +Subject: bpf: Fix verifier log for async callback return values + +From: David Vernet + +[ Upstream commit 829955981c557c7fc7416581c4cd68a8a0c28620 ] + +The verifier, as part of check_return_code(), verifies that async +callbacks such as from e.g. timers, will return 0. It does this by +correctly checking that R0->var_off is in tnum_const(0), which +effectively checks that it's in a range of 0. If this condition fails, +however, it prints an error message which says that the value should +have been in (0x0; 0x1). This results in possibly confusing output such +as the following in which an async callback returns 1: + + At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1) + +The fix is easy -- we should just pass the tnum_const(0) as the correct +range to verbose_invalid_scalar(), which will then print the following: + + At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0) + +Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.") +Signed-off-by: David Vernet +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231009161414.235829-1-void@manifault.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index ecf4332ff312f..a4be7c1c11aaf 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -9570,7 +9570,7 @@ static int check_return_code(struct bpf_verifier_env *env) + struct tnum enforce_attach_type_range = tnum_unknown; + const struct bpf_prog *prog = env->prog; + struct bpf_reg_state *reg; +- struct tnum range = tnum_range(0, 1); ++ struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0); + enum bpf_prog_type prog_type = resolve_prog_type(env->prog); + int err; + struct bpf_func_state *frame = env->cur_state->frame[0]; +@@ -9608,8 +9608,8 @@ static int check_return_code(struct bpf_verifier_env *env) + return -EINVAL; + } + +- if (!tnum_in(tnum_const(0), reg->var_off)) { +- verbose_invalid_scalar(env, reg, &range, "async callback", "R0"); ++ if (!tnum_in(const_0, reg->var_off)) { ++ verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0"); + return -EINVAL; + } + return 0; +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch b/queue-5.15/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch new file mode 100644 index 00000000000..2c8bb4355cd --- /dev/null +++ b/queue-5.15/drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch @@ -0,0 +1,74 @@ +From 7ac14f0fc36e5e654d179a10256a53a6692503b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 15:19:50 -0700 +Subject: drm/msm/dp: do not reinitialize phy unless retry during link training + +From: Kuogee Hsieh + +[ Upstream commit 0c1a2e69bcb506f48ebf94bd199bab0b93f66da2 ] + +DP PHY re-initialization done using dp_ctrl_reinitialize_mainlink() will +cause PLL unlocked initially and then PLL gets locked at the end of +initialization. PLL_UNLOCKED interrupt will fire during this time if the +interrupt mask is enabled. + +However currently DP driver link training implementation incorrectly +re-initializes PHY unconditionally during link training as the PHY was +already configured in dp_ctrl_enable_mainlink_clocks(). + +Fix this by re-initializing the PHY only if the previous link training +failed. + +[drm:dp_aux_isr] *ERROR* Unexpected DP AUX IRQ 0x01000000 when not busy + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/30 +Signed-off-by: Kuogee Hsieh +Tested-by: Abhinav Kumar # sc7280 +Reviewed-by: Abhinav Kumar +Reviewed-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Tested-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/551847/ +Link: https://lore.kernel.org/r/1691533190-19335-1-git-send-email-quic_khsieh@quicinc.com +[quic_abhinavk@quicinc.com: added line break in commit text] +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 6d9eec98e0d38..854173df67018 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1682,13 +1682,6 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl) + return rc; + + while (--link_train_max_retries) { +- rc = dp_ctrl_reinitialize_mainlink(ctrl); +- if (rc) { +- DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n", +- rc); +- break; +- } +- + training_step = DP_TRAINING_NONE; + rc = dp_ctrl_setup_main_link(ctrl, &training_step); + if (rc == 0) { +@@ -1740,6 +1733,12 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl) + /* stop link training before start re training */ + dp_ctrl_clear_training_pattern(ctrl); + } ++ ++ rc = dp_ctrl_reinitialize_mainlink(ctrl); ++ if (rc) { ++ DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n", rc); ++ break; ++ } + } + + if (ctrl->link->sink_request & DP_TEST_LINK_PHY_TEST_PATTERN) +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch b/queue-5.15/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch new file mode 100644 index 00000000000..5f20b4b5803 --- /dev/null +++ b/queue-5.15/drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch @@ -0,0 +1,67 @@ +From 158bb106212372819445cf98e0a07a82905430a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 18:26:16 -0700 +Subject: drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow + +From: Abhinav Kumar + +[ Upstream commit 95e681ca3b65e4ce3d2537b47672d787b7d30375 ] + +_dpu_plane_calc_bw() uses integer variables to calculate the bandwidth +used during plane bandwidth calculations. However for high resolution +displays this overflows easily and leads to below errors + +[dpu error]crtc83 failed performance check -7 + +Promote the intermediate variables to u64 to avoid overflow. + +changes in v2: + - change to u64 where actually needed in the math + +Fixes: c33b7c0389e1 ("drm/msm/dpu: add support for clk and bw scaling for display") +Reviewed-by: Dmitry Baryshkov +Reported-by: Nia Espera +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/32 +Tested-by: Nia Espera +Patchwork: https://patchwork.freedesktop.org/patch/556288/ +Link: https://lore.kernel.org/r/20230908012616.20654-1-quic_abhinavk@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +index 59390dc3d1b8c..9c30ab106b0a1 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -158,6 +158,7 @@ static void _dpu_plane_calc_bw(struct drm_plane *plane, + const struct dpu_format *fmt = NULL; + struct dpu_kms *dpu_kms = _dpu_plane_get_kms(plane); + int src_width, src_height, dst_height, fps; ++ u64 plane_pixel_rate, plane_bit_rate; + u64 plane_prefill_bw; + u64 plane_bw; + u32 hw_latency_lines; +@@ -180,13 +181,12 @@ static void _dpu_plane_calc_bw(struct drm_plane *plane, + scale_factor = src_height > dst_height ? + mult_frac(src_height, 1, dst_height) : 1; + +- plane_bw = +- src_width * mode->vtotal * fps * fmt->bpp * +- scale_factor; ++ plane_pixel_rate = src_width * mode->vtotal * fps; ++ plane_bit_rate = plane_pixel_rate * fmt->bpp; + +- plane_prefill_bw = +- src_width * hw_latency_lines * fps * fmt->bpp * +- scale_factor * mode->vtotal; ++ plane_bw = plane_bit_rate * scale_factor; ++ ++ plane_prefill_bw = plane_bw * hw_latency_lines; + + if ((vbp+vpw) > hw_latency_lines) + do_div(plane_prefill_bw, (vbp+vpw)); +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch b/queue-5.15/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch new file mode 100644 index 00000000000..3ceefa236d2 --- /dev/null +++ b/queue-5.15/drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch @@ -0,0 +1,45 @@ +From aaf4caf1e9fe7fbf6c98660fa35714dc67845073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:59:40 +0300 +Subject: drm/msm/dsi: fix irq_of_parse_and_map() error checking + +From: Dan Carpenter + +[ Upstream commit 6a1d4c7976dd1ee7c9f80bc8e62801ec7b1f2f58 ] + +The irq_of_parse_and_map() function returns zero on error. It +never returns negative error codes. Fix the check. + +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Dan Carpenter +Reviewed-by: Konrad Dybcio +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/557715/ +Link: https://lore.kernel.org/r/4f3c5c98-04f7-43f7-900f-5d7482c83eef@moroto.mountain +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index b577fed38c6d4..85dec6167e0b6 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1917,10 +1917,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + } + + msm_host->irq = irq_of_parse_and_map(pdev->dev.of_node, 0); +- if (msm_host->irq < 0) { +- ret = msm_host->irq; +- dev_err(&pdev->dev, "failed to get irq: %d\n", ret); +- return ret; ++ if (!msm_host->irq) { ++ dev_err(&pdev->dev, "failed to get irq\n"); ++ return -EINVAL; + } + + /* do not autoenable, will be enabled later */ +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch b/queue-5.15/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch new file mode 100644 index 00000000000..58393860f58 --- /dev/null +++ b/queue-5.15/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch @@ -0,0 +1,65 @@ +From b4cf3de07f9ccfc79a190ea840000c10377003bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 13:44:25 -0700 +Subject: drm/msm/dsi: skip the wait for video mode done if not applicable + +From: Abhinav Kumar + +[ Upstream commit ab483e3adcc178254eb1ce0fbdfbea65f86f1006 ] + +dsi_wait4video_done() API waits for the DSI video mode engine to +become idle so that we can transmit the DCS commands in the +beginning of BLLP. However, with the current sequence, the MDP +timing engine is turned on after the panel's pre_enable() callback +which can send out the DCS commands needed to power up the panel. + +During those cases, this API will always timeout and print out the +error spam leading to long bootup times and log flooding. + +Fix this by checking if the DSI video engine was actually busy before +waiting for it to become idle otherwise this is a redundant wait. + +changes in v2: + - move the reg read below the video mode check + - minor fixes in commit text + +Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/34 +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/557853/ +Link: https://lore.kernel.org/r/20230915204426.19011-1-quic_abhinavk@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index d3ec4d67a9a35..b577fed38c6d4 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1079,9 +1079,21 @@ static void dsi_wait4video_done(struct msm_dsi_host *msm_host) + + static void dsi_wait4video_eng_busy(struct msm_dsi_host *msm_host) + { ++ u32 data; ++ + if (!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) + return; + ++ data = dsi_read(msm_host, REG_DSI_STATUS0); ++ ++ /* if video mode engine is not busy, its because ++ * either timing engine was not turned on or the ++ * DSI controller has finished transmitting the video ++ * data already, so no need to wait in those cases ++ */ ++ if (!(data & DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY)) ++ return; ++ + if (msm_host->power_on && msm_host->enabled) { + dsi_wait4video_done(msm_host); + /* delay 4 ms to skip BLLP */ +-- +2.40.1 + diff --git a/queue-5.15/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-5.15/drm-vmwgfx-fix-typo-of-sizeof-argument.patch new file mode 100644 index 00000000000..4f8dae6c149 --- /dev/null +++ b/queue-5.15/drm-vmwgfx-fix-typo-of-sizeof-argument.patch @@ -0,0 +1,40 @@ +From 8a03a8ac4a7268bd8a17d04052c77d57bfb10816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 18:02:03 +0800 +Subject: drm/vmwgfx: fix typo of sizeof argument + +From: Konstantin Meskhidze + +[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ] + +Since size of 'header' pointer and '*header' structure is equal on 64-bit +machines issue probably didn't cause any wrong behavior. But anyway, +fixing typo is required. + +Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Reviewed-by: Zack Rusin +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index ed75622bf7082..b91f8d17404d6 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1632,7 +1632,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv, + { + VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSetTextureState); + SVGA3dTextureState *last_state = (SVGA3dTextureState *) +- ((unsigned long) header + header->size + sizeof(header)); ++ ((unsigned long) header + header->size + sizeof(*header)); + SVGA3dTextureState *cur_state = (SVGA3dTextureState *) + ((unsigned long) header + sizeof(*cmd)); + struct vmw_resource *ctx; +-- +2.40.1 + diff --git a/queue-5.15/eth-remove-copies-of-the-napi_poll_weight-define.patch b/queue-5.15/eth-remove-copies-of-the-napi_poll_weight-define.patch new file mode 100644 index 00000000000..b204518b011 --- /dev/null +++ b/queue-5.15/eth-remove-copies-of-the-napi_poll_weight-define.patch @@ -0,0 +1,184 @@ +From f3de2bace51da30bd319a101f437bfdbf6e85216 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 14:23:09 -0700 +Subject: eth: remove copies of the NAPI_POLL_WEIGHT define + +From: Jakub Kicinski + +[ Upstream commit 5f012b40ef639343a976553bf3cc26dd0474756e ] + +Defining local versions of NAPI_POLL_WEIGHT with the same +values in the drivers just makes refactoring harder. + +Drop the special defines in a bunch of drivers where the +removal is relatively simple so grouping into one patch +does not impact reviewability. + +Signed-off-by: Jakub Kicinski +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Stable-dep-of: 66cf7435a269 ("xen-netback: use default TX queue size for vifs") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 4 +--- + drivers/net/ethernet/marvell/skge.c | 3 +-- + drivers/net/ethernet/marvell/sky2.c | 3 +-- + drivers/net/ethernet/mediatek/mtk_star_emac.c | 3 +-- + drivers/net/ethernet/ti/davinci_emac.c | 3 +-- + drivers/net/ethernet/ti/netcp_core.c | 5 ++--- + drivers/net/xen-netback/interface.c | 3 +-- + 7 files changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 8361faf03e429..d0ba5ca862cf5 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -68,7 +68,6 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)"); + #define DEFAULT_GMAC_RXQ_ORDER 9 + #define DEFAULT_GMAC_TXQ_ORDER 8 + #define DEFAULT_RX_BUF_ORDER 11 +-#define DEFAULT_NAPI_WEIGHT 64 + #define TX_MAX_FRAGS 16 + #define TX_QUEUE_NUM 1 /* max: 6 */ + #define RX_MAX_ALLOC_ORDER 2 +@@ -2466,8 +2465,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev) + netdev->max_mtu = 10236 - VLAN_ETH_HLEN; + + port->freeq_refill = 0; +- netif_napi_add(netdev, &port->napi, gmac_napi_poll, +- DEFAULT_NAPI_WEIGHT); ++ netif_napi_add(netdev, &port->napi, gmac_napi_poll, NAPI_POLL_WEIGHT); + + if (is_valid_ether_addr((void *)port->mac_addr)) { + memcpy(netdev->dev_addr, port->mac_addr, ETH_ALEN); +diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c +index 051dd3fb5b038..791a209158cd1 100644 +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -50,7 +50,6 @@ + #define PHY_RETRIES 1000 + #define ETH_JUMBO_MTU 9000 + #define TX_WATCHDOG (5 * HZ) +-#define NAPI_WEIGHT 64 + #define BLINK_MS 250 + #define LINK_HZ HZ + +@@ -3828,7 +3827,7 @@ static struct net_device *skge_devinit(struct skge_hw *hw, int port, + dev->features |= NETIF_F_HIGHDMA; + + skge = netdev_priv(dev); +- netif_napi_add(dev, &skge->napi, skge_poll, NAPI_WEIGHT); ++ netif_napi_add(dev, &skge->napi, skge_poll, NAPI_POLL_WEIGHT); + skge->netdev = dev; + skge->hw = hw; + skge->msg_enable = netif_msg_init(debug, default_msg); +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index ac0dbf1b97437..a1a182bb47c77 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -63,7 +63,6 @@ + #define TX_DEF_PENDING 63 + + #define TX_WATCHDOG (5 * HZ) +-#define NAPI_WEIGHT 64 + #define PHY_RETRIES 1000 + + #define SKY2_EEPROM_MAGIC 0x9955aabb +@@ -5073,7 +5072,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + } + +- netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_WEIGHT); ++ netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_POLL_WEIGHT); + + err = register_netdev(dev); + if (err) { +diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c +index 1d5dd2015453f..8f3493e146e50 100644 +--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c ++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c +@@ -30,7 +30,6 @@ + #define MTK_STAR_WAIT_TIMEOUT 300 + #define MTK_STAR_MAX_FRAME_SIZE 1514 + #define MTK_STAR_SKB_ALIGNMENT 16 +-#define MTK_STAR_NAPI_WEIGHT 64 + #define MTK_STAR_HASHTABLE_MC_LIMIT 256 + #define MTK_STAR_HASHTABLE_SIZE_MAX 512 + +@@ -1551,7 +1550,7 @@ static int mtk_star_probe(struct platform_device *pdev) + ndev->netdev_ops = &mtk_star_netdev_ops; + ndev->ethtool_ops = &mtk_star_ethtool_ops; + +- netif_napi_add(ndev, &priv->napi, mtk_star_poll, MTK_STAR_NAPI_WEIGHT); ++ netif_napi_add(ndev, &priv->napi, mtk_star_poll, NAPI_POLL_WEIGHT); + + return devm_register_netdev(dev, ndev); + } +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index fbd6bd80f51f4..305779f9685a7 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -113,7 +113,6 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1"; + #define EMAC_DEF_RX_NUM_DESC (128) + #define EMAC_DEF_MAX_TX_CH (1) /* Max TX channels configured */ + #define EMAC_DEF_MAX_RX_CH (1) /* Max RX channels configured */ +-#define EMAC_POLL_WEIGHT (64) /* Default NAPI poll weight */ + + /* Buffer descriptor parameters */ + #define EMAC_DEF_TX_MAX_SERVICE (32) /* TX max service BD's */ +@@ -1923,7 +1922,7 @@ static int davinci_emac_probe(struct platform_device *pdev) + + ndev->netdev_ops = &emac_netdev_ops; + ndev->ethtool_ops = ðtool_ops; +- netif_napi_add(ndev, &priv->napi, emac_poll, EMAC_POLL_WEIGHT); ++ netif_napi_add(ndev, &priv->napi, emac_poll, NAPI_POLL_WEIGHT); + + pm_runtime_enable(&pdev->dev); + rc = pm_runtime_get_sync(&pdev->dev); +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index a6450055908db..2f00be789a8a9 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -24,7 +24,6 @@ + #include "netcp.h" + + #define NETCP_SOP_OFFSET (NET_IP_ALIGN + NET_SKB_PAD) +-#define NETCP_NAPI_WEIGHT 64 + #define NETCP_TX_TIMEOUT (5 * HZ) + #define NETCP_PACKET_SIZE (ETH_FRAME_LEN + ETH_FCS_LEN) + #define NETCP_MIN_PACKET_SIZE ETH_ZLEN +@@ -2096,8 +2095,8 @@ static int netcp_create_interface(struct netcp_device *netcp_device, + } + + /* NAPI register */ +- netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NETCP_NAPI_WEIGHT); +- netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NETCP_NAPI_WEIGHT); ++ netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NAPI_POLL_WEIGHT); ++ netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NAPI_POLL_WEIGHT); + + /* Register the network device */ + ndev->dev_id = 0; +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index e1a5610b1747e..e321669bc37af 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -42,7 +42,6 @@ + #include + + #define XENVIF_QUEUE_LENGTH 32 +-#define XENVIF_NAPI_WEIGHT 64 + + /* Number of bytes allowed on the internal guest Rx queue. */ + #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE) +@@ -725,7 +724,7 @@ int xenvif_connect_data(struct xenvif_queue *queue, + atomic_set(&queue->inflight_packets, 0); + + netif_napi_add(queue->vif->dev, &queue->napi, xenvif_poll, +- XENVIF_NAPI_WEIGHT); ++ NAPI_POLL_WEIGHT); + + queue->stalled = true; + +-- +2.40.1 + diff --git a/queue-5.15/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch b/queue-5.15/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch new file mode 100644 index 00000000000..24bcc3e4bf4 --- /dev/null +++ b/queue-5.15/ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch @@ -0,0 +1,104 @@ +From aa33590a57ca33b47f9f686d021f74ad53c26cd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 15:36:45 +0200 +Subject: ethtool: Fix mod state of verbose no_mask bitset + +From: Kory Maincent + +[ Upstream commit 108a36d07c01edbc5942d27c92494d1c6e4d45a0 ] + +A bitset without mask in a _SET request means we want exactly the bits in +the bitset to be set. This works correctly for compact format but when +verbose format is parsed, ethnl_update_bitset32_verbose() only sets the +bits present in the request bitset but does not clear the rest. The commit +6699170376ab fixes this issue by clearing the whole target bitmap before we +start iterating. The solution proposed brought an issue with the behavior +of the mod variable. As the bitset is always cleared the old val will +always differ to the new val. + +Fix it by adding a new temporary variable which save the state of the old +bitmap. + +Fixes: 6699170376ab ("ethtool: fix application of verbose no_mask bitset") +Signed-off-by: Kory Maincent +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231009133645.44503-1-kory.maincent@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/bitset.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c +index 0515d6604b3b9..883ed9be81f9f 100644 +--- a/net/ethtool/bitset.c ++++ b/net/ethtool/bitset.c +@@ -431,8 +431,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + ethnl_string_array_t names, + struct netlink_ext_ack *extack, bool *mod) + { ++ u32 *orig_bitmap, *saved_bitmap = NULL; + struct nlattr *bit_attr; + bool no_mask; ++ bool dummy; + int rem; + int ret; + +@@ -448,8 +450,22 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + } + + no_mask = tb[ETHTOOL_A_BITSET_NOMASK]; +- if (no_mask) +- ethnl_bitmap32_clear(bitmap, 0, nbits, mod); ++ if (no_mask) { ++ unsigned int nwords = DIV_ROUND_UP(nbits, 32); ++ unsigned int nbytes = nwords * sizeof(u32); ++ ++ /* The bitmap size is only the size of the map part without ++ * its mask part. ++ */ ++ saved_bitmap = kcalloc(nwords, sizeof(u32), GFP_KERNEL); ++ if (!saved_bitmap) ++ return -ENOMEM; ++ memcpy(saved_bitmap, bitmap, nbytes); ++ ethnl_bitmap32_clear(bitmap, 0, nbits, &dummy); ++ orig_bitmap = saved_bitmap; ++ } else { ++ orig_bitmap = bitmap; ++ } + + nla_for_each_nested(bit_attr, tb[ETHTOOL_A_BITSET_BITS], rem) { + bool old_val, new_val; +@@ -458,13 +474,14 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + if (nla_type(bit_attr) != ETHTOOL_A_BITSET_BITS_BIT) { + NL_SET_ERR_MSG_ATTR(extack, bit_attr, + "only ETHTOOL_A_BITSET_BITS_BIT allowed in ETHTOOL_A_BITSET_BITS"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; + } + ret = ethnl_parse_bit(&idx, &new_val, nbits, bit_attr, no_mask, + names, extack); + if (ret < 0) +- return ret; +- old_val = bitmap[idx / 32] & ((u32)1 << (idx % 32)); ++ goto out; ++ old_val = orig_bitmap[idx / 32] & ((u32)1 << (idx % 32)); + if (new_val != old_val) { + if (new_val) + bitmap[idx / 32] |= ((u32)1 << (idx % 32)); +@@ -474,7 +491,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits, + } + } + +- return 0; ++ ret = 0; ++out: ++ kfree(saved_bitmap); ++ return ret; + } + + static int ethnl_compact_sanity_checks(unsigned int nbits, +-- +2.40.1 + diff --git a/queue-5.15/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-5.15/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch new file mode 100644 index 00000000000..95a64fc423d --- /dev/null +++ b/queue-5.15/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch @@ -0,0 +1,75 @@ +From 0e2791b5d4c3a79d9f21072f60e01acb9f0c42ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 11:30:49 +0800 +Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe + +From: Dinghao Liu + +[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ] + +If of_clk_add_provider() fails in ca8210_register_ext_clock(), +it calls clk_unregister() to release priv->clk and returns an +error. However, the caller ca8210_probe() then calls ca8210_remove(), +where priv->clk is freed again in ca8210_unregister_ext_clock(). In +this case, a use-after-free may happen in the second time we call +clk_unregister(). + +Fix this by removing the first clk_unregister(). Also, priv->clk could +be an error code on failure of clk_register_fixed_rate(). Use +IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock(). + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Dinghao Liu +Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn> +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 5834d3ed6dcf5..dc786c3bbccf8 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2783,7 +2783,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + struct device_node *np = spi->dev.of_node; + struct ca8210_priv *priv = spi_get_drvdata(spi); + struct ca8210_platform_data *pdata = spi->dev.platform_data; +- int ret = 0; + + if (!np) + return -EFAULT; +@@ -2800,18 +2799,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi) + dev_crit(&spi->dev, "Failed to register external clk\n"); + return PTR_ERR(priv->clk); + } +- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); +- if (ret) { +- clk_unregister(priv->clk); +- dev_crit( +- &spi->dev, +- "Failed to register external clock as clock provider\n" +- ); +- } else { +- dev_info(&spi->dev, "External clock set as clock provider\n"); +- } + +- return ret; ++ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk); + } + + /** +@@ -2823,8 +2812,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi) + { + struct ca8210_priv *priv = spi_get_drvdata(spi); + +- if (!priv->clk) +- return ++ if (IS_ERR_OR_NULL(priv->clk)) ++ return; + + of_clk_del_provider(spi->dev.of_node); + clk_unregister(priv->clk); +-- +2.40.1 + diff --git a/queue-5.15/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-5.15/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch new file mode 100644 index 00000000000..11460c9bf6c --- /dev/null +++ b/queue-5.15/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch @@ -0,0 +1,49 @@ +From 15373a67b97abad54769660d783d9a3118170a07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 15:53:09 +0300 +Subject: ixgbe: fix crash with empty VF macvlan list + +From: Dan Carpenter + +[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ] + +The adapter->vf_mvs.l list needs to be initialized even if the list is +empty. Otherwise it will lead to crashes. + +Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +index 0078ae5926164..5eba086690efa 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -28,6 +28,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + struct vf_macvlans *mv_list; + int num_vf_macvlans, i; + ++ /* Initialize list of VF macvlans */ ++ INIT_LIST_HEAD(&adapter->vf_mvs.l); ++ + num_vf_macvlans = hw->mac.num_rar_entries - + (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs); + if (!num_vf_macvlans) +@@ -36,8 +39,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter, + mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans), + GFP_KERNEL); + if (mv_list) { +- /* Initialize list of VF macvlans */ +- INIT_LIST_HEAD(&adapter->vf_mvs.l); + for (i = 0; i < num_vf_macvlans; i++) { + mv_list[i].vf = -1; + mv_list[i].free = true; +-- +2.40.1 + diff --git a/queue-5.15/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch b/queue-5.15/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch new file mode 100644 index 00000000000..959aef64f69 --- /dev/null +++ b/queue-5.15/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch @@ -0,0 +1,40 @@ +From 0c945708ee1b99af6279373c4241de2172095963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 17:00:12 +0300 +Subject: mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type + +From: Dan Carpenter + +[ Upstream commit 1e0b72a2a6432c0ef67ee5ce8d9172a7c20bba25 ] + +The mlxsw_sp2_nve_vxlan_learning_set() function is supposed to return +zero on success or negative error codes. So it needs to be type int +instead of bool. + +Fixes: 4ee70efab68d ("mlxsw: spectrum_nve: Add support for VXLAN on Spectrum-2") +Signed-off-by: Dan Carpenter +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +index d018d2da59499..5e020d0addc67 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c +@@ -245,8 +245,8 @@ const struct mlxsw_sp_nve_ops mlxsw_sp1_nve_vxlan_ops = { + .fdb_clear_offload = mlxsw_sp_nve_vxlan_clear_offload, + }; + +-static bool mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, +- bool learning_en) ++static int mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp, ++ bool learning_en) + { + char tnpc_pl[MLXSW_REG_TNPC_LEN]; + +-- +2.40.1 + diff --git a/queue-5.15/net-macsec-indicate-next-pn-update-when-offloading.patch b/queue-5.15/net-macsec-indicate-next-pn-update-when-offloading.patch new file mode 100644 index 00000000000..b90997e1946 --- /dev/null +++ b/queue-5.15/net-macsec-indicate-next-pn-update-when-offloading.patch @@ -0,0 +1,73 @@ +From 75f27d221f93a443e5cf6b6ae201a942d14582fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:33 +0300 +Subject: net: macsec: indicate next pn update when offloading + +From: Radu Pirea (NXP OSS) + +[ Upstream commit 0412cc846a1ef38697c3f321f9b174da91ecd3b5 ] + +Indicate next PN update using update_pn flag in macsec_context. +Offloaded MACsec implementations does not know whether or not the +MACSEC_SA_ATTR_PN attribute was passed for an SA update and assume +that next PN should always updated, but this is not always true. + +The PN can be reset to its initial value using the following command: +$ ip macsec set macsec0 tx sa 0 off #octeontx2-pf case + +Or, the update PN command will succeed even if the driver does not support +PN updates. +$ ip macsec set macsec0 tx sa 0 pn 1 on #mscc phy driver case + +Comparing the initial PN with the new PN value is not a solution. When +the user updates the PN using its initial value the command will +succeed, even if the driver does not support it. Like this: +$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \ +ead3664f508eb06c40ac7104cdae4ce5 +$ ip macsec set macsec0 tx sa 0 pn 1 on #mlx5 case + +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Stable-dep-of: e0a8c918daa5 ("net: phy: mscc: macsec: reject PN update requests") +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 ++ + include/net/macsec.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 21f41f25a8abe..07c822c301185 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2410,6 +2410,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) + + ctx.sa.assoc_num = assoc_num; + ctx.sa.tx_sa = tx_sa; ++ ctx.sa.update_pn = !!prev_pn.full64; + ctx.secy = secy; + + ret = macsec_offload(ops->mdo_upd_txsa, &ctx); +@@ -2503,6 +2504,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) + + ctx.sa.assoc_num = assoc_num; + ctx.sa.rx_sa = rx_sa; ++ ctx.sa.update_pn = !!prev_pn.full64; + ctx.secy = secy; + + ret = macsec_offload(ops->mdo_upd_rxsa, &ctx); +diff --git a/include/net/macsec.h b/include/net/macsec.h +index d6fa6b97f6efa..0dc4303329391 100644 +--- a/include/net/macsec.h ++++ b/include/net/macsec.h +@@ -240,6 +240,7 @@ struct macsec_context { + struct macsec_secy *secy; + struct macsec_rx_sc *rx_sc; + struct { ++ bool update_pn; + unsigned char assoc_num; + u8 key[MACSEC_MAX_KEY_LEN]; + union { +-- +2.40.1 + diff --git a/queue-5.15/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch b/queue-5.15/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch new file mode 100644 index 00000000000..73da3b9fe91 --- /dev/null +++ b/queue-5.15/net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch @@ -0,0 +1,57 @@ +From 2ac781154dcb584e25193f33aa1d51f223b98168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 22:37:06 -0700 +Subject: net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp + +From: Will Mortensen + +[ Upstream commit da6192ca72d5ad913d109d43dc896290ad05d98f ] + +Commit 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs +flag change") seems to have accidentally inverted the logic added in +commit 0bc73ad46a76 ("net/mlx5e: Mutually exclude RX-FCS and +RX-port-timestamp"). + +The impact of this is a little unclear since it seems the FCS scattered +with RX-FCS is (usually?) correct regardless. + +Fixes: 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change") +Tested-by: Charlotte Tan +Reviewed-by: Charlotte Tan +Cc: Adham Faris +Cc: Aya Levin +Cc: Tariq Toukan +Cc: Moshe Shemesh +Cc: Saeed Mahameed +Signed-off-by: Will Mortensen +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20231006053706.514618-1-will@extrahop.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index fdc4a5a80da41..923be5fb7d216 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3373,13 +3373,14 @@ static int set_feature_rx_fcs(struct net_device *netdev, bool enable) + struct mlx5e_channels *chs = &priv->channels; + struct mlx5e_params new_params; + int err; ++ bool rx_ts_over_crc = !enable; + + mutex_lock(&priv->state_lock); + + new_params = chs->params; + new_params.scatter_fcs_en = enable; + err = mlx5e_safe_switch_params(priv, &new_params, mlx5e_set_rx_port_ts_wrap, +- &new_params.scatter_fcs_en, true); ++ &rx_ts_over_crc, true); + mutex_unlock(&priv->state_lock); + return err; + } +-- +2.40.1 + diff --git a/queue-5.15/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch b/queue-5.15/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch new file mode 100644 index 00000000000..9e71920e9c0 --- /dev/null +++ b/queue-5.15/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch @@ -0,0 +1,130 @@ +From 53cbbc343774e1f4198a24e2867e889eefa63e9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 12:31:10 +0000 +Subject: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() + +From: Eric Dumazet + +[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ] + +Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. + +Getting a reference on the socket found in a lookup while +holding a lock should happen before releasing the lock. + +nfc_llcp_sock_get_sn() has a similar problem. + +Finally nfc_llcp_recv_snl() needs to make sure the socket +found by nfc_llcp_sock_from_sn() does not disappear. + +Fixes: 8f50020ed9b8 ("NFC: LLCP late binding") +Reported-by: Sili Luo +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 30 ++++++++++++------------------ + 1 file changed, 12 insertions(+), 18 deletions(-) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index b1107570eaee8..92f70686bee0a 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -205,17 +205,13 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local, + + if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) { + llcp_sock = tmp_sock; ++ sock_hold(&llcp_sock->sk); + break; + } + } + + read_unlock(&local->sockets.lock); + +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- + return llcp_sock; + } + +@@ -348,7 +344,8 @@ static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- const u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len, ++ bool needref) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -384,6 +381,8 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, + + if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) { + llcp_sock = tmp_sock; ++ if (needref) ++ sock_hold(&llcp_sock->sk); + break; + } + } +@@ -425,7 +424,8 @@ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + * to this service name. + */ + if (nfc_llcp_sock_from_sn(local, sock->service_name, +- sock->service_name_len) != NULL) { ++ sock->service_name_len, ++ false) != NULL) { + mutex_unlock(&local->sdp_lock); + + return LLCP_SAP_MAX; +@@ -833,16 +833,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + const u8 *sn, size_t sn_len) + { +- struct nfc_llcp_sock *llcp_sock; +- +- llcp_sock = nfc_llcp_sock_from_sn(local, sn, sn_len); +- +- if (llcp_sock == NULL) +- return NULL; +- +- sock_hold(&llcp_sock->sk); +- +- return llcp_sock; ++ return nfc_llcp_sock_from_sn(local, sn, sn_len, true); + } + + static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) +@@ -1307,7 +1298,8 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + } + + llcp_sock = nfc_llcp_sock_from_sn(local, service_name, +- service_name_len); ++ service_name_len, ++ true); + if (!llcp_sock) { + sap = 0; + goto add_snl; +@@ -1327,6 +1319,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + if (sap == LLCP_SAP_MAX) { + sap = 0; ++ nfc_llcp_sock_put(llcp_sock); + goto add_snl; + } + +@@ -1344,6 +1337,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, + + pr_debug("%p %d\n", llcp_sock, sap); + ++ nfc_llcp_sock_put(llcp_sock); + add_snl: + sdp = nfc_llcp_build_sdres_tlv(tid, sap); + if (sdp == NULL) +-- +2.40.1 + diff --git a/queue-5.15/net-phy-mscc-macsec-reject-pn-update-requests.patch b/queue-5.15/net-phy-mscc-macsec-reject-pn-update-requests.patch new file mode 100644 index 00000000000..1682aa7deb8 --- /dev/null +++ b/queue-5.15/net-phy-mscc-macsec-reject-pn-update-requests.patch @@ -0,0 +1,52 @@ +From 00de3fb9c7b59ba7456466f779760a52e0cc1928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 21:06:35 +0300 +Subject: net: phy: mscc: macsec: reject PN update requests + +From: Radu Pirea (NXP OSS) + +[ Upstream commit e0a8c918daa58700609ebd45e3fcd49965be8bbc ] + +Updating the PN is not supported. +Return -EINVAL if update_pn is true. + +The following command succeeded, but it should fail because the driver +does not update the PN: +ip macsec set macsec0 tx sa 0 pn 232 on + +Fixes: 28c5107aa904 ("net: phy: mscc: macsec support") +Signed-off-by: Radu Pirea (NXP OSS) +Reviewed-by: Sabrina Dubroca +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_macsec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c +index c00eef457b850..bec270785c594 100644 +--- a/drivers/net/phy/mscc/mscc_macsec.c ++++ b/drivers/net/phy/mscc/mscc_macsec.c +@@ -880,6 +880,9 @@ static int vsc8584_macsec_upd_rxsa(struct macsec_context *ctx) + { + struct macsec_flow *flow; + ++ if (ctx->sa.update_pn) ++ return -EINVAL; ++ + flow = vsc8584_macsec_find_flow(ctx, MACSEC_INGR); + if (IS_ERR(flow)) + return PTR_ERR(flow); +@@ -929,6 +932,9 @@ static int vsc8584_macsec_upd_txsa(struct macsec_context *ctx) + { + struct macsec_flow *flow; + ++ if (ctx->sa.update_pn) ++ return -EINVAL; ++ + flow = vsc8584_macsec_find_flow(ctx, MACSEC_EGR); + if (IS_ERR(flow)) + return PTR_ERR(flow); +-- +2.40.1 + diff --git a/queue-5.15/net-smc-fix-pos-miscalculation-in-statistics.patch b/queue-5.15/net-smc-fix-pos-miscalculation-in-statistics.patch new file mode 100644 index 00000000000..e6623428882 --- /dev/null +++ b/queue-5.15/net-smc-fix-pos-miscalculation-in-statistics.patch @@ -0,0 +1,91 @@ +From 184134ea780900b9a11d3e117327c55884a1a02c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 16:40:48 +0200 +Subject: net/smc: Fix pos miscalculation in statistics + +From: Nils Hoppmann + +[ Upstream commit a950a5921db450c74212327f69950ff03419483a ] + +SMC_STAT_PAYLOAD_SUB(_smc_stats, _tech, key, _len, _rc) will calculate +wrong bucket positions for payloads of exactly 4096 bytes and +(1 << (m + 12)) bytes, with m == SMC_BUF_MAX - 1. + +Intended bucket distribution: +Assume l == size of payload, m == SMC_BUF_MAX - 1. + +Bucket 0 : 0 < l <= 2^13 +Bucket n, 1 <= n <= m-1 : 2^(n+12) < l <= 2^(n+13) +Bucket m : l > 2^(m+12) + +Current solution: +_pos = fls64((l) >> 13) +[...] +_pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m + +For l == 4096, _pos == -1, but should be _pos == 0. +For l == (1 << (m + 12)), _pos == m, but should be _pos == m - 1. + +In order to avoid special treatment of these corner cases, the +calculation is adjusted. The new solution first subtracts the length by +one, and then calculates the correct bucket by shifting accordingly, +i.e. _pos = fls64((l - 1) >> 13), l > 0. +This not only fixes the issues named above, but also makes the whole +bucket assignment easier to follow. + +Same is done for SMC_STAT_RMB_SIZE_SUB(_smc_stats, _tech, k, _len), +where the calculation of the bucket position is similar to the one +named above. + +Fixes: e0e4b8fa5338 ("net/smc: Add SMC statistics support") +Suggested-by: Halil Pasic +Signed-off-by: Nils Hoppmann +Reviewed-by: Halil Pasic +Reviewed-by: Wenjia Zhang +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_stats.h | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h +index 84b7ecd8c05ca..415131a975b11 100644 +--- a/net/smc/smc_stats.h ++++ b/net/smc/smc_stats.h +@@ -93,13 +93,14 @@ do { \ + typeof(_smc_stats) stats = (_smc_stats); \ + typeof(_tech) t = (_tech); \ + typeof(_len) l = (_len); \ +- int _pos = fls64((l) >> 13); \ ++ int _pos; \ + typeof(_rc) r = (_rc); \ + int m = SMC_BUF_MAX - 1; \ + this_cpu_inc((*stats).smc[t].key ## _cnt); \ +- if (r <= 0) \ ++ if (r <= 0 || l <= 0) \ + break; \ +- _pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \ ++ _pos = fls64((l - 1) >> 13); \ ++ _pos = (_pos <= m) ? _pos : m; \ + this_cpu_inc((*stats).smc[t].key ## _pd.buf[_pos]); \ + this_cpu_add((*stats).smc[t].key ## _bytes, r); \ + } \ +@@ -139,9 +140,12 @@ while (0) + do { \ + typeof(_len) _l = (_len); \ + typeof(_tech) t = (_tech); \ +- int _pos = fls((_l) >> 13); \ ++ int _pos; \ + int m = SMC_BUF_MAX - 1; \ +- _pos = (_pos < m) ? ((_l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \ ++ if (_l <= 0) \ ++ break; \ ++ _pos = fls((_l - 1) >> 13); \ ++ _pos = (_pos <= m) ? _pos : m; \ + this_cpu_inc((*(_smc_stats)).smc[t].k ## _rmbsize.buf[_pos]); \ + } \ + while (0) +-- +2.40.1 + diff --git a/queue-5.15/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-5.15/nfc-nci-assert-requested-protocol-is-valid.patch new file mode 100644 index 00000000000..040cdff9edb --- /dev/null +++ b/queue-5.15/nfc-nci-assert-requested-protocol-is-valid.patch @@ -0,0 +1,45 @@ +From 7f4502b175eec0c87c1c5af0550afb326aa5b2ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 16:00:54 -0400 +Subject: nfc: nci: assert requested protocol is valid + +From: Jeremy Cline + +[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ] + +The protocol is used in a bit mask to determine if the protocol is +supported. Assert the provided protocol is less than the maximum +defined so it doesn't potentially perform a shift-out-of-bounds and +provide a clearer error for undefined protocols vs unsupported ones. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78 +Signed-off-by: Jeremy Cline +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 7b6cf9a44aea7..643dfc90b0636 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -908,6 +908,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev, + return -EINVAL; + } + ++ if (protocol >= NFC_PROTO_MAX) { ++ pr_err("the requested nfc protocol is invalid\n"); ++ return -EINVAL; ++ } ++ + if (!(nci_target->supported_protocols & (1 << protocol))) { + pr_err("target does not support the requested protocol 0x%x\n", + protocol); +-- +2.40.1 + diff --git a/queue-5.15/pinctrl-renesas-rzn1-enable-missing-pinmux.patch b/queue-5.15/pinctrl-renesas-rzn1-enable-missing-pinmux.patch new file mode 100644 index 00000000000..bbf1ef34e49 --- /dev/null +++ b/queue-5.15/pinctrl-renesas-rzn1-enable-missing-pinmux.patch @@ -0,0 +1,43 @@ +From efb9d01d247a45dee815286210f8e8ef823245f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 16:00:08 -0400 +Subject: pinctrl: renesas: rzn1: Enable missing PINMUX + +From: Ralph Siemsen + +[ Upstream commit f055ff23c331f28aa4ace4b72dc56f63b9a726c8 ] + +Enable pin muxing (eg. programmable function), so that the RZ/N1 GPIO +pins will be configured as specified by the pinmux in the DTS. + +This used to be enabled implicitly via CONFIG_GENERIC_PINMUX_FUNCTIONS, +however that was removed, since the RZ/N1 driver does not call any of +the generic pinmux functions. + +Fixes: 1308fb4e4eae14e6 ("pinctrl: rzn1: Do not select GENERIC_PIN{CTRL_GROUPS,MUX_FUNCTIONS}") +Signed-off-by: Ralph Siemsen +Reviewed-by: Miquel Raynal +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20231004200008.1306798-1-ralph.siemsen@linaro.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/renesas/Kconfig b/drivers/pinctrl/renesas/Kconfig +index 9a72999084b36..ba7224a4c352d 100644 +--- a/drivers/pinctrl/renesas/Kconfig ++++ b/drivers/pinctrl/renesas/Kconfig +@@ -228,6 +228,7 @@ config PINCTRL_RZN1 + depends on OF + depends on ARCH_RZN1 || COMPILE_TEST + select GENERIC_PINCONF ++ select PINMUX + help + This selects pinctrl driver for Renesas RZ/N1 devices. + +-- +2.40.1 + diff --git a/queue-5.15/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch b/queue-5.15/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch new file mode 100644 index 00000000000..ec35edec55b --- /dev/null +++ b/queue-5.15/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch @@ -0,0 +1,47 @@ +From 562f9fc4b4a196603b80ab9022bbe13f9b6360ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:12:00 +0900 +Subject: ravb: Fix up dma_free_coherent() call in ravb_remove() + +From: Yoshihiro Shimoda + +[ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ] + +In ravb_remove(), dma_free_coherent() should be call after +unregister_netdev(). Otherwise, this controller is possible to use +the freed buffer. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231005011201.14368-2-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 4ee72d33e9cb7..a866a38ebea55 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2382,14 +2382,14 @@ static int ravb_remove(struct platform_device *pdev) + + clk_disable_unprepare(priv->refclk); + +- dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, +- priv->desc_bat_dma); + /* Set reset mode */ + ravb_write(ndev, CCC_OPC_RESET, CCC); + unregister_netdev(ndev); + netif_napi_del(&priv->napi[RAVB_NC]); + netif_napi_del(&priv->napi[RAVB_BE]); + ravb_mdio_release(priv); ++ dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat, ++ priv->desc_bat_dma); + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + reset_control_assert(priv->rstc); +-- +2.40.1 + diff --git a/queue-5.15/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch b/queue-5.15/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch new file mode 100644 index 00000000000..e8f5a9f6ec4 --- /dev/null +++ b/queue-5.15/ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch @@ -0,0 +1,55 @@ +From c2873350b75a60a06dbbb019bb57ca0cedc53d97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:12:01 +0900 +Subject: ravb: Fix use-after-free issue in ravb_tx_timeout_work() + +From: Yoshihiro Shimoda + +[ Upstream commit 3971442870713de527684398416970cf025b4f89 ] + +The ravb_stop() should call cancel_work_sync(). Otherwise, +ravb_tx_timeout_work() is possible to use the freed priv after +ravb_remove() was called like below: + +CPU0 CPU1 + ravb_tx_timeout() +ravb_remove() +unregister_netdev() +free_netdev(ndev) +// free priv + ravb_tx_timeout_work() + // use priv + +unregister_netdev() will call .ndo_stop() so that ravb_stop() is +called. And, after phy_stop() is called, netif_carrier_off() +is also called. So that .ndo_tx_timeout() will not be called +after phy_stop(). + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Reported-by: Zheng Wang +Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231005011201.14368-3-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index a866a38ebea55..19733c9a7c25e 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1774,6 +1774,8 @@ static int ravb_close(struct net_device *ndev) + of_phy_deregister_fixed_link(np); + } + ++ cancel_work_sync(&priv->work); ++ + if (info->multi_irqs) { + free_irq(priv->tx_irqs[RAVB_NC], ndev); + free_irq(priv->rx_irqs[RAVB_NC], ndev); +-- +2.40.1 + diff --git a/queue-5.15/riscv-bpf-factor-out-emit_call-for-kernel-and-bpf-co.patch b/queue-5.15/riscv-bpf-factor-out-emit_call-for-kernel-and-bpf-co.patch new file mode 100644 index 00000000000..477215e8dc4 --- /dev/null +++ b/queue-5.15/riscv-bpf-factor-out-emit_call-for-kernel-and-bpf-co.patch @@ -0,0 +1,120 @@ +From 5ad563abc897723f899755bb85b3cc41c9735c3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 21:52:03 +0800 +Subject: riscv, bpf: Factor out emit_call for kernel and bpf context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pu Lehui + +[ Upstream commit 0fd1fd0104954380477353aea29c347e85dff16d ] + +The current emit_call function is not suitable for kernel function call as +it store return value to bpf R0 register. We can separate it out for common +use. Meanwhile, simplify judgment logic, that is, fixed function address +can use jal or auipc+jalr, while the unfixed can use only auipc+jalr. + +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Tested-by: Björn Töpel +Acked-by: Björn Töpel +Link: https://lore.kernel.org/bpf/20230215135205.1411105-3-pulehui@huaweicloud.com +Stable-dep-of: 2f1b0d3d7331 ("riscv, bpf: Sign-extend return values") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 2e3f1a626a3af..5fc1386bf311d 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -413,12 +413,12 @@ static void emit_sext_32_rd(u8 *rd, struct rv_jit_context *ctx) + *rd = RV_REG_T2; + } + +-static int emit_jump_and_link(u8 rd, s64 rvoff, bool force_jalr, ++static int emit_jump_and_link(u8 rd, s64 rvoff, bool fixed_addr, + struct rv_jit_context *ctx) + { + s64 upper, lower; + +- if (rvoff && is_21b_int(rvoff) && !force_jalr) { ++ if (rvoff && fixed_addr && is_21b_int(rvoff)) { + emit(rv_jal(rd, rvoff >> 1), ctx); + return 0; + } else if (in_auipc_jalr_range(rvoff)) { +@@ -439,24 +439,17 @@ static bool is_signed_bpf_cond(u8 cond) + cond == BPF_JSGE || cond == BPF_JSLE; + } + +-static int emit_call(bool fixed, u64 addr, struct rv_jit_context *ctx) ++static int emit_call(u64 addr, bool fixed_addr, struct rv_jit_context *ctx) + { + s64 off = 0; + u64 ip; +- u8 rd; +- int ret; + + if (addr && ctx->insns) { + ip = (u64)(long)(ctx->insns + ctx->ninsns); + off = addr - ip; + } + +- ret = emit_jump_and_link(RV_REG_RA, off, !fixed, ctx); +- if (ret) +- return ret; +- rd = bpf_to_rv_reg(BPF_REG_0, ctx); +- emit_mv(rd, RV_REG_A0, ctx); +- return 0; ++ return emit_jump_and_link(RV_REG_RA, off, fixed_addr, ctx); + } + + int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, +@@ -750,7 +743,7 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, + /* JUMP off */ + case BPF_JMP | BPF_JA: + rvoff = rv_offset(i, off, ctx); +- ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx); ++ ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx); + if (ret) + return ret; + break; +@@ -869,17 +862,20 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, + /* function call */ + case BPF_JMP | BPF_CALL: + { +- bool fixed; ++ bool fixed_addr; + u64 addr; + + mark_call(ctx); +- ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass, &addr, +- &fixed); ++ ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass, ++ &addr, &fixed_addr); + if (ret < 0) + return ret; +- ret = emit_call(fixed, addr, ctx); ++ ++ ret = emit_call(addr, fixed_addr, ctx); + if (ret) + return ret; ++ ++ emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx); + break; + } + /* tail call */ +@@ -894,7 +890,7 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, + break; + + rvoff = epilogue_offset(ctx); +- ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx); ++ ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx); + if (ret) + return ret; + break; +-- +2.40.1 + diff --git a/queue-5.15/riscv-bpf-sign-extend-return-values.patch b/queue-5.15/riscv-bpf-sign-extend-return-values.patch new file mode 100644 index 00000000000..9148ceb8f65 --- /dev/null +++ b/queue-5.15/riscv-bpf-sign-extend-return-values.patch @@ -0,0 +1,83 @@ +From f894c1b7edb30c0a1f2c71a9cb1cca81d8484355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 14:07:05 +0200 +Subject: riscv, bpf: Sign-extend return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 2f1b0d3d733169eb11680bfa97c266ae5e757148 ] + +The RISC-V architecture does not expose sub-registers, and hold all +32-bit values in a sign-extended format [1] [2]: + + | The compiler and calling convention maintain an invariant that all + | 32-bit values are held in a sign-extended format in 64-bit + | registers. Even 32-bit unsigned integers extend bit 31 into bits + | 63 through 32. Consequently, conversion between unsigned and + | signed 32-bit integers is a no-op, as is conversion from a signed + | 32-bit integer to a signed 64-bit integer. + +While BPF, on the other hand, exposes sub-registers, and use +zero-extension (similar to arm64/x86). + +This has led to some subtle bugs, where a BPF JITted program has not +sign-extended the a0 register (return value in RISC-V land), passed +the return value up the kernel, e.g.: + + | int from_bpf(void); + | + | long foo(void) + | { + | return from_bpf(); + | } + +Here, a0 would be 0xffff_ffff, instead of the expected +0xffff_ffff_ffff_ffff. + +Internally, the RISC-V JIT uses a5 as a dedicated register for BPF +return values. + +Keep a5 zero-extended, but explicitly sign-extend a0 (which is used +outside BPF land). Now that a0 (RISC-V ABI) and a5 (BPF ABI) differs, +a0 is only moved to a5 for non-BPF native calls (BPF_PSEUDO_CALL). + +Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://github.com/riscv/riscv-isa-manual/releases/download/riscv-isa-release-056b6ff-2023-10-02/unpriv-isa-asciidoc.pdf # [2] +Link: https://github.com/riscv-non-isa/riscv-elf-psabi-doc/releases/download/draft-20230929-e5c800e661a53efe3c2678d71a306323b60eb13b/riscv-abi.pdf # [2] +Link: https://lore.kernel.org/bpf/20231004120706.52848-2-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index 5fc1386bf311d..3f471884816af 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -220,7 +220,7 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx) + emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx); + /* Set return value. */ + if (!is_tail_call) +- emit_mv(RV_REG_A0, RV_REG_A5, ctx); ++ emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx); + emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA, + is_tail_call ? 4 : 0, /* skip TCC init */ + ctx); +@@ -875,7 +875,8 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx, + if (ret) + return ret; + +- emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx); ++ if (insn->src_reg != BPF_PSEUDO_CALL) ++ emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx); + break; + } + /* tail call */ +-- +2.40.1 + diff --git a/queue-5.15/series b/queue-5.15/series index fca365fc4e3..fa728ee54af 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -15,3 +15,27 @@ net-prevent-address-rewrite-in-kernel_bind.patch alsa-usb-audio-fix-microphone-sound-on-opencomm2-headset.patch keys-trusted-allow-use-of-kernel-rng-for-key-materia.patch keys-trusted-remove-redundant-static-calls-usage.patch +drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch +drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch +drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch +drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch +ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch +ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch +ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch +mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch +eth-remove-copies-of-the-napi_poll_weight-define.patch +xen-netback-use-default-tx-queue-size-for-vifs.patch +riscv-bpf-factor-out-emit_call-for-kernel-and-bpf-co.patch +riscv-bpf-sign-extend-return-values.patch +drm-vmwgfx-fix-typo-of-sizeof-argument.patch +bpf-fix-verifier-log-for-async-callback-return-value.patch +net-macsec-indicate-next-pn-update-when-offloading.patch +net-phy-mscc-macsec-reject-pn-update-requests.patch +ixgbe-fix-crash-with-empty-vf-macvlan-list.patch +net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch +net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch +ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch +net-smc-fix-pos-miscalculation-in-statistics.patch +pinctrl-renesas-rzn1-enable-missing-pinmux.patch +nfc-nci-assert-requested-protocol-is-valid.patch +workqueue-override-implicit-ordered-attribute-in-wor.patch diff --git a/queue-5.15/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-5.15/workqueue-override-implicit-ordered-attribute-in-wor.patch new file mode 100644 index 00000000000..0b3db1c6d1c --- /dev/null +++ b/queue-5.15/workqueue-override-implicit-ordered-attribute-in-wor.patch @@ -0,0 +1,58 @@ +From b576fe0b85ab550dbc4d3106c7c0fa064dabc72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 22:48:42 -0400 +Subject: workqueue: Override implicit ordered attribute in + workqueue_apply_unbound_cpumask() + +From: Waiman Long + +[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ] + +Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 +to be ordered") enabled implicit ordered attribute to be added to +WQ_UNBOUND workqueues with max_active of 1. This prevented the changing +of attributes to these workqueues leading to fix commit 0a94efb5acbb +("workqueue: implicit ordered attribute should be overridable"). + +However, workqueue_apply_unbound_cpumask() was not updated at that time. +So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND +workqueues with implicit ordered attribute. Since not all WQ_UNBOUND +workqueues are visible on sysfs, we are not able to make all the +necessary cpumask changes even if we iterates all the workqueue cpumasks +in sysfs and changing them one by one. + +Fix this problem by applying the corresponding change made +to apply_workqueue_attrs_locked() in the fix commit to +workqueue_apply_unbound_cpumask(). + +Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 8e108c040cc35..19868cf588779 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5379,9 +5379,13 @@ static int workqueue_apply_unbound_cpumask(void) + list_for_each_entry(wq, &workqueues, list) { + if (!(wq->flags & WQ_UNBOUND)) + continue; ++ + /* creating multiple pwqs breaks ordering guarantee */ +- if (wq->flags & __WQ_ORDERED) +- continue; ++ if (!list_empty(&wq->pwqs)) { ++ if (wq->flags & __WQ_ORDERED_EXPLICIT) ++ continue; ++ wq->flags &= ~__WQ_ORDERED; ++ } + + ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs); + if (!ctx) { +-- +2.40.1 + diff --git a/queue-5.15/xen-netback-use-default-tx-queue-size-for-vifs.patch b/queue-5.15/xen-netback-use-default-tx-queue-size-for-vifs.patch new file mode 100644 index 00000000000..cde8265a8f6 --- /dev/null +++ b/queue-5.15/xen-netback-use-default-tx-queue-size-for-vifs.patch @@ -0,0 +1,57 @@ +From cfe8bd8e7af10a2af7aea0bee4d547d80a9e0276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 16:08:31 +0200 +Subject: xen-netback: use default TX queue size for vifs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 66cf7435a26917c0c4d6245ad9137e7606e84fdf ] + +Do not set netback interfaces (vifs) default TX queue size to the ring size. +The TX queue size is not related to the ring size, and using the ring size (32) +as the queue size can lead to packet drops. Note the TX side of the vif +interface in the netback domain is the one receiving packets to be injected +to the guest. + +Do not explicitly set the TX queue length to any value when creating the +interface, and instead use the system default. Note that the queue length can +also be adjusted at runtime. + +Fixes: f942dc2552b8 ('xen network backend driver') +Signed-off-by: Roger Pau Monné +Reviewed-by: Ross Lagerwall +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index e321669bc37af..f20ddaaa24518 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -41,8 +41,6 @@ + #include + #include + +-#define XENVIF_QUEUE_LENGTH 32 +- + /* Number of bytes allowed on the internal guest Rx queue. */ + #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE) + +@@ -527,8 +525,6 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, + dev->features = dev->hw_features | NETIF_F_RXCSUM; + dev->ethtool_ops = &xenvif_ethtool_ops; + +- dev->tx_queue_len = XENVIF_QUEUE_LENGTH; +- + dev->min_mtu = ETH_MIN_MTU; + dev->max_mtu = ETH_MAX_MTU - VLAN_ETH_HLEN; + +-- +2.40.1 +