From: Sasha Levin
Date: Sat, 28 Oct 2023 02:53:50 +0000 (-0400)
Subject: Fixes for 5.15
X-Git-Tag: v6.1.61~66
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8bddfb054eca7ec02eb9b4b678ae2a3b9a045846;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.15

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.15/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch b/queue-5.15/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
new file mode 100644
index 00000000000..994df65d41e
--- /dev/null
+++ b/queue-5.15/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
@@ -0,0 +1,84 @@ +From fc2bd66cfaee20c2988212bff3829003155b0da0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 17:16:03 -0700 +Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ] + +Fix kernel-doc warnings reported by the kernel test robot: + +timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; ' +timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64' +timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k' +timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k' +timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k' +timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k' + +Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement") +Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/ +Cc: Arnd Bergmann +Cc: Vaibhav Hiremath +Cc: Felipe Balbi +Cc: Tony Lindgren +Cc: Xunlei Pang +Cc: John Stultz +Cc: Ingo Molnar +Cc: Aaro Koskinen +Cc: Janusz Krzysztofik +Cc: linux-omap@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Message-ID: <20231007001603.24972-1-rdunlap@infradead.org> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/timer32k.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c +index 11958ccd894dc..747899083f238 100644 +--- a/arch/arm/mach-omap1/timer32k.c ++++ b/arch/arm/mach-omap1/timer32k.c +@@ -176,17 
+176,18 @@ static u64 notrace omap_32k_read_sched_clock(void) + return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0; + } + ++static struct timespec64 persistent_ts; ++static cycles_t cycles; ++static unsigned int persistent_mult, persistent_shift; ++ + /** + * omap_read_persistent_clock64 - Return time from a persistent clock. ++ * @ts: &struct timespec64 for the returned time + * + * Reads the time from a source which isn't disabled during PM, the + * 32k sync timer. Convert the cycles elapsed since last read into + * nsecs and adds to a monotonically increasing timespec64. + */ +-static struct timespec64 persistent_ts; +-static cycles_t cycles; +-static unsigned int persistent_mult, persistent_shift; +- + static void omap_read_persistent_clock64(struct timespec64 *ts) + { + unsigned long long nsecs; +@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts) + /** + * omap_init_clocksource_32k - setup and register counter 32k as a + * kernel clocksource +- * @pbase: base addr of counter_32k module +- * @size: size of counter_32k to map ++ * @vbase: base addr of counter_32k module + * +- * Returns 0 upon success or negative error code upon failure. ++ * Returns: %0 upon success or negative error code upon failure. + * + */ + int __init omap_init_clocksource_32k(void __iomem *vbase) +-- +2.42.0 + diff --git a/queue-5.15/arm-omap1-move-32k-counter-from-plat-omap-to-mach-om.patch b/queue-5.15/arm-omap1-move-32k-counter-from-plat-omap-to-mach-om.patch new file mode 100644 index 00000000000..6dc85a4246f --- /dev/null +++ b/queue-5.15/arm-omap1-move-32k-counter-from-plat-omap-to-mach-om.patch 
@@ -0,0 +1,346 @@ +From 6c253f436849316a5f057130c516efc4a5af9b8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2019 13:57:31 +0200 +Subject: ARM: omap1: move 32k counter from plat-omap to mach-omap1 + +From: Arnd Bergmann + +[ Upstream commit d379e8899a8da1041c347ae5b792773c48a559a9 ] + +omap2 stopped using this code with commit 8d39ff3d1696 ("ARM: OMAP2+: +Remove unused legacy code for timer"), so just move it to mach-omap1 now, +along with the other half of that driver. + +Acked-by: Tony Lindgren +Signed-off-by: Arnd Bergmann +Stable-dep-of: 7eeca8ccd106 ("ARM: OMAP: timer32K: fix all kernel-doc warnings") +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/Kconfig | 16 +++ + arch/arm/mach-omap1/timer32k.c | 96 ++++++++++++++- + arch/arm/plat-omap/Kconfig | 17 --- + arch/arm/plat-omap/Makefile | 2 +- + arch/arm/plat-omap/counter_32k.c | 114 ------------------ + arch/arm/plat-omap/include/plat/counter-32k.h | 1 - + 6 files changed, 110 insertions(+), 136 deletions(-) + delete mode 100644 arch/arm/plat-omap/counter_32k.c + delete mode 100644 arch/arm/plat-omap/include/plat/counter-32k.h + +diff --git a/arch/arm/mach-omap1/Kconfig b/arch/arm/mach-omap1/Kconfig +index 208c700c2455c..04155b5ce9786 100644 +--- a/arch/arm/mach-omap1/Kconfig ++++ b/arch/arm/mach-omap1/Kconfig +@@ -53,6 +53,22 @@ config OMAP_MUX_WARNINGS + to change the pin multiplexing setup. When there are no warnings + printed, it's safe to deselect OMAP_MUX for your product. + ++config OMAP_32K_TIMER ++ bool "Use 32KHz timer" ++ depends on ARCH_OMAP16XX ++ default ARCH_OMAP16XX ++ help ++ Select this option if you want to enable the OMAP 32KHz timer. ++ This timer saves power compared to the OMAP_MPU_TIMER, and has ++ support for no tick during idle. The 32KHz timer provides less ++ intra-tick resolution than OMAP_MPU_TIMER. The 32KHz timer is ++ currently only available for OMAP16XX, 24XX, 34XX, OMAP4/5 and DRA7XX. 
++ ++ On OMAP2PLUS this value is only used for CONFIG_HZ and ++ CLOCK_TICK_RATE compile time calculation. ++ The actual timer selection is done in the board file ++ through the (DT_)MACHINE_START structure. ++ + comment "OMAP Board Type" + + config MACH_OMAP_INNOVATOR +diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c +index 780fdf03c3cee..11958ccd894dc 100644 +--- a/arch/arm/mach-omap1/timer32k.c ++++ b/arch/arm/mach-omap1/timer32k.c +@@ -45,15 +45,13 @@ + #include + #include + #include ++#include + + #include + #include + #include + +-#include +- + #include +- + #include "common.h" + + /* +@@ -159,6 +157,98 @@ static __init void omap_init_32k_timer(void) + OMAP_32K_TICKS_PER_SEC, 1, 0xfffffffe); + } + ++/* OMAP2_32KSYNCNT_CR_OFF: offset of 32ksync counter register */ ++#define OMAP2_32KSYNCNT_REV_OFF 0x0 ++#define OMAP2_32KSYNCNT_REV_SCHEME (0x3 << 30) ++#define OMAP2_32KSYNCNT_CR_OFF_LOW 0x10 ++#define OMAP2_32KSYNCNT_CR_OFF_HIGH 0x30 ++ ++/* ++ * 32KHz clocksource ... always available, on pretty most chips except ++ * OMAP 730 and 1510. Other timers could be used as clocksources, with ++ * higher resolution in free-running counter modes (e.g. 12 MHz xtal), ++ * but systems won't necessarily want to spend resources that way. ++ */ ++static void __iomem *sync32k_cnt_reg; ++ ++static u64 notrace omap_32k_read_sched_clock(void) ++{ ++ return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0; ++} ++ ++/** ++ * omap_read_persistent_clock64 - Return time from a persistent clock. ++ * ++ * Reads the time from a source which isn't disabled during PM, the ++ * 32k sync timer. Convert the cycles elapsed since last read into ++ * nsecs and adds to a monotonically increasing timespec64. 
++ */ ++static struct timespec64 persistent_ts; ++static cycles_t cycles; ++static unsigned int persistent_mult, persistent_shift; ++ ++static void omap_read_persistent_clock64(struct timespec64 *ts) ++{ ++ unsigned long long nsecs; ++ cycles_t last_cycles; ++ ++ last_cycles = cycles; ++ cycles = sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0; ++ ++ nsecs = clocksource_cyc2ns(cycles - last_cycles, ++ persistent_mult, persistent_shift); ++ ++ timespec64_add_ns(&persistent_ts, nsecs); ++ ++ *ts = persistent_ts; ++} ++ ++/** ++ * omap_init_clocksource_32k - setup and register counter 32k as a ++ * kernel clocksource ++ * @pbase: base addr of counter_32k module ++ * @size: size of counter_32k to map ++ * ++ * Returns 0 upon success or negative error code upon failure. ++ * ++ */ ++int __init omap_init_clocksource_32k(void __iomem *vbase) ++{ ++ int ret; ++ ++ /* ++ * 32k sync Counter IP register offsets vary between the ++ * highlander version and the legacy ones. ++ * The 'SCHEME' bits(30-31) of the revision register is used ++ * to identify the version. ++ */ ++ if (readl_relaxed(vbase + OMAP2_32KSYNCNT_REV_OFF) & ++ OMAP2_32KSYNCNT_REV_SCHEME) ++ sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_HIGH; ++ else ++ sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_LOW; ++ ++ /* ++ * 120000 rough estimate from the calculations in ++ * __clocksource_update_freq_scale. 
++ */ ++ clocks_calc_mult_shift(&persistent_mult, &persistent_shift, ++ 32768, NSEC_PER_SEC, 120000); ++ ++ ret = clocksource_mmio_init(sync32k_cnt_reg, "32k_counter", 32768, ++ 250, 32, clocksource_mmio_readl_up); ++ if (ret) { ++ pr_err("32k_counter: can't register clocksource\n"); ++ return ret; ++ } ++ ++ sched_clock_register(omap_32k_read_sched_clock, 32, 32768); ++ register_persistent_clock(omap_read_persistent_clock64); ++ pr_info("OMAP clocksource: 32k_counter at 32768 Hz\n"); ++ ++ return 0; ++} ++ + /* + * --------------------------------------------------------------------------- + * Timer initialization +diff --git a/arch/arm/plat-omap/Kconfig b/arch/arm/plat-omap/Kconfig +index 272670ef1e92d..dfa19d5030e35 100644 +--- a/arch/arm/plat-omap/Kconfig ++++ b/arch/arm/plat-omap/Kconfig +@@ -72,23 +72,6 @@ config OMAP_MPU_TIMER + timer provides more intra-tick resolution than the 32KHz timer, + but consumes more power. + +-config OMAP_32K_TIMER +- bool "Use 32KHz timer" +- depends on ARCH_OMAP16XX || ARCH_OMAP2PLUS +- default y if (ARCH_OMAP16XX || ARCH_OMAP2PLUS) +- help +- Select this option if you want to enable the OMAP 32KHz timer. +- This timer saves power compared to the OMAP_MPU_TIMER, and has +- support for no tick during idle. The 32KHz timer provides less +- intra-tick resolution than OMAP_MPU_TIMER. The 32KHz timer is +- currently only available for OMAP16XX, 24XX, 34XX, OMAP4/5 and DRA7XX. +- +- On OMAP2PLUS this value is only used for CONFIG_HZ and +- CLOCK_TICK_RATE compile time calculation. +- The actual timer selection is done in the board file +- through the (DT_)MACHINE_START structure. 
+- +- + config OMAP3_L2_AUX_SECURE_SAVE_RESTORE + bool "OMAP3 HS/EMU save and restore for L2 AUX control register" + depends on ARCH_OMAP3 && PM +diff --git a/arch/arm/plat-omap/Makefile b/arch/arm/plat-omap/Makefile +index 371f2ed00eda2..98a7b607873a2 100644 +--- a/arch/arm/plat-omap/Makefile ++++ b/arch/arm/plat-omap/Makefile +@@ -6,7 +6,7 @@ + ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/arch/arm/plat-omap/include + + # Common support +-obj-y := sram.o dma.o counter_32k.o ++obj-y := sram.o dma.o + + # omap_device support (OMAP2+ only at the moment) + +diff --git a/arch/arm/plat-omap/counter_32k.c b/arch/arm/plat-omap/counter_32k.c +deleted file mode 100644 +index 7a729ade21057..0000000000000 +--- a/arch/arm/plat-omap/counter_32k.c ++++ /dev/null +@@ -1,114 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0-only +-/* +- * OMAP 32ksynctimer/counter_32k-related code +- * +- * Copyright (C) 2009 Texas Instruments +- * Copyright (C) 2010 Nokia Corporation +- * Tony Lindgren +- * Added OMAP4 support - Santosh Shilimkar +- * +- * NOTE: This timer is not the same timer as the old OMAP1 MPU timer. +- */ +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +- +-#include +- +-/* OMAP2_32KSYNCNT_CR_OFF: offset of 32ksync counter register */ +-#define OMAP2_32KSYNCNT_REV_OFF 0x0 +-#define OMAP2_32KSYNCNT_REV_SCHEME (0x3 << 30) +-#define OMAP2_32KSYNCNT_CR_OFF_LOW 0x10 +-#define OMAP2_32KSYNCNT_CR_OFF_HIGH 0x30 +- +-/* +- * 32KHz clocksource ... always available, on pretty most chips except +- * OMAP 730 and 1510. Other timers could be used as clocksources, with +- * higher resolution in free-running counter modes (e.g. 12 MHz xtal), +- * but systems won't necessarily want to spend resources that way. +- */ +-static void __iomem *sync32k_cnt_reg; +- +-static u64 notrace omap_32k_read_sched_clock(void) +-{ +- return sync32k_cnt_reg ? 
readl_relaxed(sync32k_cnt_reg) : 0; +-} +- +-/** +- * omap_read_persistent_clock64 - Return time from a persistent clock. +- * +- * Reads the time from a source which isn't disabled during PM, the +- * 32k sync timer. Convert the cycles elapsed since last read into +- * nsecs and adds to a monotonically increasing timespec64. +- */ +-static struct timespec64 persistent_ts; +-static cycles_t cycles; +-static unsigned int persistent_mult, persistent_shift; +- +-static void omap_read_persistent_clock64(struct timespec64 *ts) +-{ +- unsigned long long nsecs; +- cycles_t last_cycles; +- +- last_cycles = cycles; +- cycles = sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0; +- +- nsecs = clocksource_cyc2ns(cycles - last_cycles, +- persistent_mult, persistent_shift); +- +- timespec64_add_ns(&persistent_ts, nsecs); +- +- *ts = persistent_ts; +-} +- +-/** +- * omap_init_clocksource_32k - setup and register counter 32k as a +- * kernel clocksource +- * @pbase: base addr of counter_32k module +- * @size: size of counter_32k to map +- * +- * Returns 0 upon success or negative error code upon failure. +- * +- */ +-int __init omap_init_clocksource_32k(void __iomem *vbase) +-{ +- int ret; +- +- /* +- * 32k sync Counter IP register offsets vary between the +- * highlander version and the legacy ones. +- * The 'SCHEME' bits(30-31) of the revision register is used +- * to identify the version. +- */ +- if (readl_relaxed(vbase + OMAP2_32KSYNCNT_REV_OFF) & +- OMAP2_32KSYNCNT_REV_SCHEME) +- sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_HIGH; +- else +- sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_LOW; +- +- /* +- * 120000 rough estimate from the calculations in +- * __clocksource_update_freq_scale. 
+- */ +- clocks_calc_mult_shift(&persistent_mult, &persistent_shift, +- 32768, NSEC_PER_SEC, 120000); +- +- ret = clocksource_mmio_init(sync32k_cnt_reg, "32k_counter", 32768, +- 250, 32, clocksource_mmio_readl_up); +- if (ret) { +- pr_err("32k_counter: can't register clocksource\n"); +- return ret; +- } +- +- sched_clock_register(omap_32k_read_sched_clock, 32, 32768); +- register_persistent_clock(omap_read_persistent_clock64); +- pr_info("OMAP clocksource: 32k_counter at 32768 Hz\n"); +- +- return 0; +-} +diff --git a/arch/arm/plat-omap/include/plat/counter-32k.h b/arch/arm/plat-omap/include/plat/counter-32k.h +deleted file mode 100644 +index da000d482ff26..0000000000000 +--- a/arch/arm/plat-omap/include/plat/counter-32k.h ++++ /dev/null +@@ -1 +0,0 @@ +-int omap_init_clocksource_32k(void __iomem *vbase); +-- +2.42.0 + diff --git a/queue-5.15/drm-dp_mst-fix-null-deref-in-get_mst_branch_device_b.patch b/queue-5.15/drm-dp_mst-fix-null-deref-in-get_mst_branch_device_b.patch new file mode 100644 index 00000000000..38c72df0623 --- /dev/null +++ b/queue-5.15/drm-dp_mst-fix-null-deref-in-get_mst_branch_device_b.patch 
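Review bot: The help text of the moved `OMAP_32K_TIMER` entry in arch/arm/mach-omap1/Kconfig was carried over unchanged although the option now has `depends on ARCH_OMAP16XX` only. It still lists "24XX, 34XX, OMAP4/5 and DRA7XX" as supported and keeps the paragraph starting "On OMAP2PLUS this value is only used for CONFIG_HZ", neither of which can apply to an option that is only reachable under mach-omap1. I would trim the help to the OMAP16XX case and drop the OMAP2PLUS paragraph, so that the text a user sees in menuconfig matches what the dependency allows.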
@@ -0,0 +1,72 @@
+From d8baf23c13cb3c590b2028d19db906ffba74122b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Sep 2023 08:34:10 +0200
+Subject: drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
+
+From: Lukasz Majczak
+
+[ Upstream commit 3d887d512494d678b17c57b835c32f4e48d34f26 ]
+
+As drm_dp_get_mst_branch_device_by_guid() is called from
+drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked,
+otherwise NULL dereference may occur in the call to
+the memcpy() and cause following:
+
+[12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049
+[12579.365878] #PF: supervisor read access in kernel mode
+[12579.365880] #PF: error_code(0x0000) - not-present page
+[12579.365882] PGD 0 P4D 0
+[12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI
+...
+[12579.365895] Workqueue: events_long drm_dp_mst_up_req_work
+[12579.365899] RIP: 0010:memcmp+0xb/0x29
+[12579.365921] Call Trace:
+[12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64
+[12579.365930] drm_dp_mst_up_req_work+0x137/0x416
+[12579.365933] process_one_work+0x1d0/0x419
+[12579.365935] worker_thread+0x11a/0x289
+[12579.365938] kthread+0x13e/0x14f
+[12579.365941] ? process_one_work+0x419/0x419
+[12579.365943] ? kthread_blkcg+0x31/0x31
+[12579.365946] ret_from_fork+0x1f/0x30
+
+As get_mst_branch_device_by_guid_helper() is recursive, moving condition
+to the first line allow to remove a similar one for step over of NULL elements
+inside a loop.
+
+Fixes: 5e93b8208d3c ("drm/dp/mst: move GUID storage from mgr, port to only mst branch")
+Cc: # 4.14+
+Signed-off-by: Lukasz Majczak
+Reviewed-by: Radoslaw Biernacki
+Signed-off-by: Manasi Navare
+Link: https://patchwork.freedesktop.org/patch/msgid/20230922063410.23626-1-lma@semihalf.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index d02e323a4ecde..865c7f39143ec 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2615,14 +2615,14 @@ static struct drm_dp_mst_branch *get_mst_branch_device_by_guid_helper(
+ struct drm_dp_mst_branch *found_mstb;
+ struct drm_dp_mst_port *port;
+
++ if (!mstb)
++ return NULL;
++
+ if (memcmp(mstb->guid, guid, 16) == 0)
+ return mstb;
+
+
+ list_for_each_entry(port, &mstb->ports, next) {
+- if (!port->mstb)
+- continue;
+-
+ found_mstb = get_mst_branch_device_by_guid_helper(port->mstb, guid);
+
+ if (found_mstb)
+--
+2.42.0
+
diff --git a/queue-5.15/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch b/queue-5.15/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
new file mode 100644
index 00000000000..3b087b2085b
--- /dev/null
+++ b/queue-5.15/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
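Review bot: The new `if (!mstb)` guard at the top of get_mst_branch_device_by_guid_helper() has no comment saying which callers may pass NULL, and the `memcmp()` directly below it still hard-codes the GUID length as `16`. The guard now covers both the recursive call on `port->mstb` and the top-level lookup that produced the oops in the commit message, so a comment such as `/* mstb is NULL for a port without a branch device, or when the caller has no root branch */` would keep a later cleanup from dropping it. If `guid` is a fixed-size array in the branch struct, `sizeof(mstb->guid)` would tie the compare length to the field; the struct definition is outside this hunk, so that needs checking. The function's parameter list and its tail are also outside the hunk.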
@@ -0,0 +1,42 @@
+From 94d755db19fb948386773a925449fad8ae9b54fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Oct 2023 11:29:08 +0800
+Subject: firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
+
+From: Hao Ge
+
+[ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ]
+
+dsp_chan->name and chan_name points to same block of memory,
+because dev_err still needs to be used it,so we need free
+it's memory after use to avoid use_after_free.
+
+Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()")
+Signed-off-by: Hao Ge
+Reviewed-by: Daniel Baluta
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/imx/imx-dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c
+index 1f410809d3ee4..0f656e4191d5c 100644
+--- a/drivers/firmware/imx/imx-dsp.c
++++ b/drivers/firmware/imx/imx-dsp.c
+@@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc)
+ dsp_chan->idx = i % 2;
+ dsp_chan->ch = mbox_request_channel_byname(cl, chan_name);
+ if (IS_ERR(dsp_chan->ch)) {
+- kfree(dsp_chan->name);
+ ret = PTR_ERR(dsp_chan->ch);
+ if (ret != -EPROBE_DEFER)
+ dev_err(dev, "Failed to request mbox chan %s ret %d\n",
+ chan_name, ret);
++ kfree(dsp_chan->name);
+ goto out;
+ }
+
+--
+2.42.0
+
diff --git a/queue-5.15/gtp-fix-fragmentation-needed-check-with-gso.patch b/queue-5.15/gtp-fix-fragmentation-needed-check-with-gso.patch
new file mode 100644
index 00000000000..c8105879ff0
--- /dev/null
+++ b/queue-5.15/gtp-fix-fragmentation-needed-check-with-gso.patch
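Review bot: After the relocated `kfree(dsp_chan->name);` the field still holds the freed pointer when control jumps to `out`, and per the commit message `chan_name` aliases the same allocation. The reordering fixes the read in dev_err(), but anything under `out:` or in a later teardown that looks at this channel's `name` would touch freed memory; that label is outside the hunk, so it cannot be confirmed from here. Adding `dsp_chan->name = NULL;` directly after the kfree makes the slot safe either way. A comment above it, `/* chan_name aliases dsp_chan->name: free only after the last use */`, would keep the call from being moved back up.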
@@ -0,0 +1,38 @@
+From 10bc3cc9231534dfbae51d1f4b143cdc6795005d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 22 Oct 2023 22:25:18 +0200
+Subject: gtp: fix fragmentation needed check with gso
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
+
+Call skb_gso_validate_network_len() to check if packet is over PMTU.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index a3878aef0ea4a..69bbc868b9477 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -543,8 +543,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev,
+
+ rt->dst.ops->update_pmtu(&rt->dst, NULL, skb, mtu, false);
+
+- if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) &&
+- mtu < ntohs(iph->tot_len)) {
++ if (iph->frag_off & htons(IP_DF) &&
++ ((!skb_is_gso(skb) && skb->len > mtu) ||
++ (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) {
+ netdev_dbg(dev, "packet too big, fragmentation needed\n");
+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+ htonl(mtu));
+--
+2.42.0
+
diff --git a/queue-5.15/gtp-uapi-fix-gtpa_max.patch b/queue-5.15/gtp-uapi-fix-gtpa_max.patch
new file mode 100644
index 00000000000..4392c74e643
--- /dev/null
+++ b/queue-5.15/gtp-uapi-fix-gtpa_max.patch
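Review bot: The rewritten condition drops the parentheses around the DF test, so `iph->frag_off & htons(IP_DF) && ...` now depends on `&` binding tighter than `&&`; it parses as intended, but the removed line had the parentheses and the bare mix is easy to misread. I would keep `if ((iph->frag_off & htons(IP_DF)) &&`. The non-GSO branch also moved from `ntohs(iph->tot_len)` to `skb->len`, which is equivalent only if `skb->data` sits at the inner IP header with nothing else counted at this point in gtp_build_skb_ip4(); the code that establishes this is outside the hunk, so a one-line comment stating the assumption would help. The function starts and ends outside the hunk.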
@@ -0,0 +1,34 @@
+From 5ddc9eb7bdd01d9f434d2b96f643682e7648d1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 22 Oct 2023 22:25:17 +0200
+Subject: gtp: uapi: fix GTPA_MAX
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
+
+Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/gtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
+index 79f9191bbb24c..82d0e58ec3ce2 100644
+--- a/include/uapi/linux/gtp.h
++++ b/include/uapi/linux/gtp.h
+@@ -32,6 +32,6 @@ enum gtp_attrs {
+ GTPA_PAD,
+ __GTPA_MAX,
+ };
+-#define GTPA_MAX (__GTPA_MAX + 1)
++#define GTPA_MAX (__GTPA_MAX - 1)
+
+ #endif /* _UAPI_LINUX_GTP_H_ */
+--
+2.42.0
+
diff --git a/queue-5.15/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch b/queue-5.15/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
new file mode 100644
index 00000000000..1707b820f56
--- /dev/null
+++ b/queue-5.15/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
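Review bot: `GTPA_MAX` is exported from a uapi header, so moving it from `__GTPA_MAX + 1` to `__GTPA_MAX - 1` changes a value that userspace and any in-kernel table sized `GTPA_MAX + 1` have compiled in, and the header carries no comment saying what the macro is supposed to mean. Tables sized from it shrink by two entries, so every user that indexes by attribute number should be confirmed to stay at or below `GTPA_PAD`; none of those users are visible in this hunk. I would add `/* highest valid attribute number; new attributes go before __GTPA_MAX */` above the define so the convention is written down where the next attribute gets added.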
@@ -0,0 +1,63 @@
+From cede9bd53c2703e7887255af5d8b59ac6386a01d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Oct 2023 18:37:20 +0200
+Subject: i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
+
+From: Ivan Vecera
+
+[ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ]
+
+Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new
+PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with
+existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag.
+
+Move the affected flag at the end of the flags and fix its value.
+
+Reproducer:
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+[ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled)
+netlink error: Operation not supported
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+
+The link-down-on-close flag cannot be modified after setting vf-vlan-pruning
+because vf-vlan-pruning shares the same bit with total-port-shutdown flag
+that prevents any modification of link-down-on-close flag.
+
+Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning")
+Cc: Mateusz Palczewski
+Cc: Simon Horman
+Signed-off-by: Ivan Vecera
+Reviewed-by: Jacob Keller
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index b76e6f94edb05..22802222d34d1 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -566,7 +566,6 @@ struct i40e_pf {
+ #define I40E_FLAG_DISABLE_FW_LLDP BIT(24)
+ #define I40E_FLAG_RS_FEC BIT(25)
+ #define I40E_FLAG_BASE_R_FEC BIT(26)
+-#define I40E_FLAG_VF_VLAN_PRUNING BIT(27)
+ /* TOTAL_PORT_SHUTDOWN
+ * Allows to physically disable the link on the NIC's port.
+ * If enabled, (after link down request from the OS)
+@@ -589,6 +588,7 @@ struct i40e_pf {
+ * in abilities field of i40e_aq_set_phy_config structure
+ */
+ #define I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED BIT(27)
++#define I40E_FLAG_VF_VLAN_PRUNING BIT(28)
+
+ struct i40e_client_instance *cinst;
+ bool stat_offsets_loaded;
+--
+2.42.0
+
diff --git a/queue-5.15/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch b/queue-5.15/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
new file mode 100644
index 00000000000..0d16b60878d
--- /dev/null
+++ b/queue-5.15/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
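Review bot: `I40E_FLAG_VF_VLAN_PRUNING BIT(28)` now sits directly under the TOTAL_PORT_SHUTDOWN block comment in the second hunk, so it reads as if that comment documents it, and the bit numbers are still assigned by hand, which is how the BIT(27) collision got in. A comment on the new line, for example `/* VF VLAN pruning; must not share a bit with any flag above */`, plus a blank line after `I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED`, would separate the two. The type of the `flags` field in struct i40e_pf is outside these hunks; it has to be at least 32 bits wide for BIT(28), which the existing BIT(27) suggests but does not show.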
@@ -0,0 +1,38 @@
+From c5c60ed48f610c4c6e1386731526d850f3c42735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 Oct 2023 14:27:14 -0700
+Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
+
+From: Ivan Vecera
+
+[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
+
+The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
+
+Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
+Signed-off-by: Ivan Vecera
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller
+Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 9787e794eeda6..1d096141625eb 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2759,7 +2759,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget)
+ return budget;
+ }
+
+- if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR)
++ if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR)
+ q_vector->arm_wb_state = false;
+
+ /* Exit the polling mode, but don't re-enable interrupts if stack might
+--
+2.42.0
+
diff --git a/queue-5.15/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch b/queue-5.15/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
new file mode 100644
index 00000000000..7b9dfaae3e7
--- /dev/null
+++ b/queue-5.15/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
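Review bot: The new test reads `q_vector->tx.ring[0].flags` with no visible check that this vector has a Tx ring attached. If `tx.ring` is a pointer that can be NULL for a vector servicing only Rx, this is a NULL dereference in the NAPI poll path; whether such a vector can exist depends on code outside the hunk, so it should be confirmed or guarded, for example `if (q_vector->tx.ring && (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR))`. The check also assumes every Tx ring on the vector carries the same flag as the first one, which deserves a short comment. i40e_napi_poll() starts and ends outside the hunk.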
@@ -0,0 +1,47 @@
+From d02ece7a96d6c81c70db377549b6725f31c6f697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Oct 2023 13:40:35 -0700
+Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
+
+From: Mateusz Palczewski
+
+[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
+
+Add check for return of igb_update_ethtool_nfc_entry so that in case
+of any potential errors the memory alocated for input will be freed.
+
+Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
+Reviewed-by: Wojciech Drewek
+Signed-off-by: Mateusz Palczewski
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index b2f46004a3d0f..39c7bdf8c0e2d 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2974,11 +2974,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter,
+ if (err)
+ goto err_out_w_lock;
+
+- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ if (err)
++ goto err_out_input_filter;
+
+ spin_unlock(&adapter->nfc_lock);
+ return 0;
+
++err_out_input_filter:
++ igb_erase_filter(adapter, input);
+ err_out_w_lock:
+ spin_unlock(&adapter->nfc_lock);
+ err_out:
+--
+2.42.0
+
diff --git a/queue-5.15/igc-fix-ambiguity-in-the-ethtool-advertising.patch b/queue-5.15/igc-fix-ambiguity-in-the-ethtool-advertising.patch
new file mode 100644
index 00000000000..ac6ad21d3ee
--- /dev/null
+++ b/queue-5.15/igc-fix-ambiguity-in-the-ethtool-advertising.patch
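Review bot: The new `err_out_input_filter:` label only undoes the filter and then depends on falling through `err_out_w_lock:` into `err_out:`, where the free of `input` that the commit message is about presumably happens; the body of that last label is outside the hunk. A comment on the new label, `/* undo the filter programmed above, then fall through to unlock and free input */`, would make the ordering explicit so a later edit does not put a return between the labels and bring the leak back. igb_erase_filter() runs here with `nfc_lock` still held and any result from it is not looked at, which is acceptable on an unwind path but worth stating in the same comment.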
@@ -0,0 +1,86 @@
+From 34623fe06d65ee65f255f1f9515000c480c84ed3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Oct 2023 13:36:41 -0700
+Subject: igc: Fix ambiguity in the ethtool advertising
+
+From: Sasha Neftin
+
+[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ]
+
+The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to
+advertise 2500M speed support and TP (twisted pair) properly. Convert to
+'ethtool_link_ksettings_test_link_mode' to advertise supported speed and
+eliminate ambiguity.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Suggested-by: Dima Ruinskiy
+Suggested-by: Vitaly Lifshits
+Signed-off-by: Sasha Neftin
+Tested-by: Naama Meir
+Signed-off-by: Jacob Keller
+Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index 17cb4c13d0020..3bffd2729a439 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1810,7 +1810,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ struct igc_adapter *adapter = netdev_priv(netdev);
+ struct net_device *dev = adapter->netdev;
+ struct igc_hw *hw = &adapter->hw;
+- u32 advertising;
++ u16 advertised = 0;
+
+ /* When adapter in resetting mode, autoneg/speed/duplex
+ * cannot be changed
+@@ -1835,18 +1835,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ while (test_and_set_bit(__IGC_RESETTING, &adapter->state))
+ usleep_range(1000, 2000);
+
+- ethtool_convert_link_mode_to_legacy_u32(&advertising,
+- cmd->link_modes.advertising);
+- /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT.
+- * We have to check this and convert it to ADVERTISE_2500_FULL
+- * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly.
+- */
+- if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full))
+- advertising |= ADVERTISE_2500_FULL;
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 2500baseT_Full))
++ advertised |= ADVERTISE_2500_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 1000baseT_Full))
++ advertised |= ADVERTISE_1000_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Full))
++ advertised |= ADVERTISE_100_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Half))
++ advertised |= ADVERTISE_100_HALF;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Full))
++ advertised |= ADVERTISE_10_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Half))
++ advertised |= ADVERTISE_10_HALF;
+
+ if (cmd->base.autoneg == AUTONEG_ENABLE) {
+ hw->mac.autoneg = 1;
+- hw->phy.autoneg_advertised = advertising;
++ hw->phy.autoneg_advertised = advertised;
+ if (adapter->fc_autoneg)
+ hw->fc.requested_mode = igc_fc_default;
+ } else {
+--
+2.42.0
+
diff --git a/queue-5.15/neighbour-fix-various-data-races.patch b/queue-5.15/neighbour-fix-various-data-races.patch
new file mode 100644
index 00000000000..344b4f31b0b
--- /dev/null
+++ b/queue-5.15/neighbour-fix-various-data-races.patch
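Review bot: `advertised` starts at 0 and is stored into `hw->phy.autoneg_advertised` when autoneg is enabled, so a request that sets only link modes outside the six tested in the second hunk ends up writing an empty mask. How the PHY setup code treats a zero mask is outside this hunk; if it falls back to advertising every supported mode, the restriction the user asked for is silently ignored. Either reject the request when `advertised` is 0 with autoneg on (releasing `__IGC_RESETTING`, taken just above, on that path), or document the behaviour with `/* 0 means no supported mode was requested; PHY setup applies its default */`. The six near-identical `if` blocks would also read better as a small table mapping link mode to ADVERTISE_* bit.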
@@ -0,0 +1,176 @@ +From 2e0ceb62f7e89c9b0410a3a13eed81499139255e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 12:21:04 +0000 +Subject: neighbour: fix various data-races + +From: Eric Dumazet + +[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ] + +1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval + can be written from sysfs. + +2) tbl->last_flush is read locklessly from neigh_alloc() + +3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info() + +4) neightbl_fill_info() reads cpu stats that can be changed concurrently. + +Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 67 +++++++++++++++++++++++--------------------- + 1 file changed, 35 insertions(+), 32 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index a385086091fd3..927c4db2703ff 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -223,7 +223,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl) + + static int neigh_forced_gc(struct neigh_table *tbl) + { +- int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2; ++ int max_clean = atomic_read(&tbl->gc_entries) - ++ READ_ONCE(tbl->gc_thresh2); + unsigned long tref = jiffies - 5 * HZ; + struct neighbour *n, *tmp; + int shrunk = 0; +@@ -252,7 +253,7 @@ static int neigh_forced_gc(struct neigh_table *tbl) + } + } + +- tbl->last_flush = jiffies; ++ WRITE_ONCE(tbl->last_flush, jiffies); + + write_unlock_bh(&tbl->lock); + +@@ -408,17 +409,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, + { + struct neighbour *n = NULL; + unsigned long now = jiffies; +- int entries; ++ int entries, gc_thresh3; + + if (exempt_from_gc) + goto do_alloc; + + entries = 
atomic_inc_return(&tbl->gc_entries) - 1; +- if (entries >= tbl->gc_thresh3 || +- (entries >= tbl->gc_thresh2 && +- time_after(now, tbl->last_flush + 5 * HZ))) { +- if (!neigh_forced_gc(tbl) && +- entries >= tbl->gc_thresh3) { ++ gc_thresh3 = READ_ONCE(tbl->gc_thresh3); ++ if (entries >= gc_thresh3 || ++ (entries >= READ_ONCE(tbl->gc_thresh2) && ++ time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) { ++ if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) { + net_info_ratelimited("%s: neighbor table overflow!\n", + tbl->id); + NEIGH_CACHE_STAT_INC(tbl, table_fulls); +@@ -897,13 +898,14 @@ static void neigh_periodic_work(struct work_struct *work) + + if (time_after(jiffies, tbl->last_rand + 300 * HZ)) { + struct neigh_parms *p; +- tbl->last_rand = jiffies; ++ ++ WRITE_ONCE(tbl->last_rand, jiffies); + list_for_each_entry(p, &tbl->parms_list, list) + p->reachable_time = + neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME)); + } + +- if (atomic_read(&tbl->entries) < tbl->gc_thresh1) ++ if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1)) + goto out; + + for (i = 0 ; i < (1 << nht->hash_shift); i++) { +@@ -2047,15 +2049,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + ndtmsg->ndtm_pad2 = 0; + + if (nla_put_string(skb, NDTA_NAME, tbl->id) || +- nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) || +- nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) || +- nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) || +- nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3)) ++ nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval), ++ NDTA_PAD) || ++ nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) || ++ nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) || ++ nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3))) + goto nla_put_failure; + { + unsigned long now = jiffies; +- long flush_delta = now - tbl->last_flush; +- long rand_delta = now - tbl->last_rand; ++ long flush_delta = now - 
READ_ONCE(tbl->last_flush); ++ long rand_delta = now - READ_ONCE(tbl->last_rand); + struct neigh_hash_table *nht; + struct ndt_config ndc = { + .ndtc_key_len = tbl->key_len, +@@ -2063,7 +2066,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + .ndtc_entries = atomic_read(&tbl->entries), + .ndtc_last_flush = jiffies_to_msecs(flush_delta), + .ndtc_last_rand = jiffies_to_msecs(rand_delta), +- .ndtc_proxy_qlen = tbl->proxy_queue.qlen, ++ .ndtc_proxy_qlen = READ_ONCE(tbl->proxy_queue.qlen), + }; + + rcu_read_lock_bh(); +@@ -2086,17 +2089,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + struct neigh_statistics *st; + + st = per_cpu_ptr(tbl->stats, cpu); +- ndst.ndts_allocs += st->allocs; +- ndst.ndts_destroys += st->destroys; +- ndst.ndts_hash_grows += st->hash_grows; +- ndst.ndts_res_failed += st->res_failed; +- ndst.ndts_lookups += st->lookups; +- ndst.ndts_hits += st->hits; +- ndst.ndts_rcv_probes_mcast += st->rcv_probes_mcast; +- ndst.ndts_rcv_probes_ucast += st->rcv_probes_ucast; +- ndst.ndts_periodic_gc_runs += st->periodic_gc_runs; +- ndst.ndts_forced_gc_runs += st->forced_gc_runs; +- ndst.ndts_table_fulls += st->table_fulls; ++ ndst.ndts_allocs += READ_ONCE(st->allocs); ++ ndst.ndts_destroys += READ_ONCE(st->destroys); ++ ndst.ndts_hash_grows += READ_ONCE(st->hash_grows); ++ ndst.ndts_res_failed += READ_ONCE(st->res_failed); ++ ndst.ndts_lookups += READ_ONCE(st->lookups); ++ ndst.ndts_hits += READ_ONCE(st->hits); ++ ndst.ndts_rcv_probes_mcast += READ_ONCE(st->rcv_probes_mcast); ++ ndst.ndts_rcv_probes_ucast += READ_ONCE(st->rcv_probes_ucast); ++ ndst.ndts_periodic_gc_runs += READ_ONCE(st->periodic_gc_runs); ++ ndst.ndts_forced_gc_runs += READ_ONCE(st->forced_gc_runs); ++ ndst.ndts_table_fulls += READ_ONCE(st->table_fulls); + } + + if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst, +@@ -2320,16 +2323,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, + goto 
errout_tbl_lock; + + if (tb[NDTA_THRESH1]) +- tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]); ++ WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1])); + + if (tb[NDTA_THRESH2]) +- tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]); ++ WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2])); + + if (tb[NDTA_THRESH3]) +- tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]); ++ WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3])); + + if (tb[NDTA_GC_INTERVAL]) +- tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]); ++ WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL])); + + err = 0; + +-- +2.42.0 + diff --git a/queue-5.15/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch b/queue-5.15/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch new file mode 100644 index 00000000000..1eb33266a08 --- /dev/null +++ b/queue-5.15/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch 
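Review bot: The threshold stores in neightbl_set() take `nla_get_u32()` results with no range check, while neigh_alloc() in this same patch reads `gc_thresh3` into an `int`. If the table fields are signed, as that local suggests, a netlink value above INT_MAX becomes negative and `entries >= gc_thresh3` is then always true, so every allocation attempts a forced GC and may take the table-overflow path. WRITE_ONCE() removes the torn store but not the range problem; a bound such as `if (nla_get_u32(tb[NDTA_THRESH3]) > INT_MAX) { err = -EINVAL; goto errout_tbl_lock; }` ahead of the writes would close it, and the same applies to THRESH1 and THRESH2. neightbl_set() starts and ends outside the hunk, so an existing attribute-policy limit cannot be ruled out from here.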
@@ -0,0 +1,47 @@ +From 1241a157c8223e8009e3b40c398b07fa4ab8e20f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 20:03:53 +0200 +Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in + adf7242_stats_show() + +From: Christophe JAILLET + +[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ] + +strncat() usage in adf7242_debugfs_init() is wrong. +The size given to strncat() is the maximum number of bytes that can be +written, excluding the trailing NULL. + +Here, the size that is passed, DNAME_INLINE_LEN, does not take into account +the size of "adf7242-" that is already in the array. + +In order to fix it, use snprintf() instead. + +Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 07adbeec19787..14cf8b0dfad90 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset) + + static void adf7242_debugfs_init(struct adf7242_local *lp) + { +- char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-"; ++ char debugfs_dir_name[DNAME_INLINE_LEN + 1]; + +- strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN); ++ snprintf(debugfs_dir_name, sizeof(debugfs_dir_name), ++ "adf7242-%s", dev_name(&lp->spi->dev)); + + lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL); + +-- +2.42.0 + diff --git a/queue-5.15/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch b/queue-5.15/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch new file mode 100644 index 00000000000..4c55cd7fb82 --- /dev/null +++ b/queue-5.15/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch 
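Review bot: The snprintf() result in adf7242_debugfs_init() is ignored, so a device name that does not fit in `DNAME_INLINE_LEN + 1` bytes is truncated without notice. That is memory-safe, unlike the strncat() call it replaces, but two devices whose names differ only past the cut would ask for the same debugfs directory. A one-line comment such as `/* name is truncated to fit; a duplicate directory name is possible */` would record the trade-off, or the return value could be compared with `sizeof(debugfs_dir_name)` and logged. The function continues past the end of the hunk.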
@@ -0,0 +1,103 @@ +From 2ff0d24de6187e05919d24a9a92c7e591dd7ff1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 02:03:44 +0900 +Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg + +From: Shigeru Yoshida + +[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ] + +syzbot reported the following uninit-value access issue [1]: + +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32 +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD +===================================================== +BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750 + usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207 + usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238 + usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 
drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589 + hub_port_connect drivers/usb/core/hub.c:5440 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5580 [inline] + port_event drivers/usb/core/hub.c:5740 [inline] + hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703 + worker_thread+0xf45/0x1490 kernel/workqueue.c:2784 + kthread+0x3e8/0x540 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Local variable buf.i225 created at: + smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline] + smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + +CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Workqueue: usb_hub_wq hub_event +===================================================== + +Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in +__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads +less bytes than requested (zero byte in the reproducer). In this case, +'buf' is not properly filled. + +This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads +less bytes than requested. + +sysbot reported similar uninit-value access issue [2]. The root cause is +the same as mentioned above, and this patch addresses it as well. 
+ +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1] +Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2] +Signed-off-by: Shigeru Yoshida +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 16a6cdf025151..5f962f58ff496 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -84,7 +84,9 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (ret < 0) { ++ if (ret < 4) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + if (ret != -ENODEV) + netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", + index, ret); +-- +2.42.0 + diff --git a/queue-5.15/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch b/queue-5.15/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch new file mode 100644 index 00000000000..80de8b20c67 --- /dev/null +++ b/queue-5.15/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch 
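Review bot: The short-read guard in __smsc95xx_read_reg() hard-codes `4` twice, once as the requested length and once in `if (ret < 4)`, so the two can drift apart if the buffer ever changes. Tying both to the buffer, `0, index, &buf, sizeof(buf));` and `if (ret < (int)sizeof(buf)) {`, keeps the uninit-value check correct by construction; the cast matters because a negative `ret` must not be converted to unsigned. The warning now prints -ENODATA for a short transfer, which hides the byte count the device actually returned, so logging the raw value before it is rewritten would help when diagnosing a misbehaving device. The function starts before and ends after the hunk.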
@@ -0,0 +1,37 @@ +From 8faa375d0ef9ca783f32a80e9241f18c401b2f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:54 -0700 +Subject: r8152: Cancel hw_phy_work if we have an error in probe + +From: Douglas Anderson + +[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ] + +The error handling in rtl8152_probe() is missing a call to cancel the +hw_phy_work. Add it in to match what's in the cleanup code in +rtl8152_disconnect(). + +Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 52056b296b9f7..baa3c57d16427 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9799,6 +9799,7 @@ static int rtl8152_probe(struct usb_interface *intf, + + out1: + tasklet_kill(&tp->tx_tl); ++ cancel_delayed_work_sync(&tp->hw_phy_work); + if (tp->rtl_ops.unload) + tp->rtl_ops.unload(tp); + usb_set_intfdata(intf, NULL); +-- +2.42.0 + diff --git a/queue-5.15/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch b/queue-5.15/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch new file mode 100644 index 00000000000..b29d937dcf8 --- /dev/null +++ b/queue-5.15/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch 
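Review bot: The `out1:` unwind in rtl8152_probe() is being aligned with rtl8152_disconnect() one call at a time: `cancel_delayed_work_sync()` here, and `tp->rtl_ops.unload()` and `rtl8152_release_firmware()` in the two other r8152 probe patches in this queue. Two hand-maintained copies of the same teardown are what allowed these omissions, so a shared static helper called from both paths would keep them from drifting again. It is also worth confirming that `hw_phy_work` is initialised before the first `goto out1`, since cancelling a delayed work item that was never initialised is not safe; the initialisation is outside the hunk.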
@@ -0,0 +1,77 @@ +From de23b8aacd63de682a096ccbc43ae189e28dac31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:52 -0700 +Subject: r8152: Increase USB control msg timeout to 5000ms as per spec + +From: Douglas Anderson + +[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ] + +According to the comment next to USB_CTRL_GET_TIMEOUT and +USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is +usually quite fast, the spec allows them to take up to 5 seconds. +Let's increase the timeout in the Realtek driver from 500ms to 5000ms +(using the #defines) to account for this. + +This is not just a theoretical change. The need for the longer timeout +was seen in testing. Specifically, if you drop a sc7180-trogdor based +Chromebook into the kdb debugger and then "go" again after sitting in +the debugger for a while, the next USB control message takes a long +time. Out of ~40 tests the slowest USB control message was 4.5 +seconds. + +While dropping into kdb is not exactly an end-user scenario, the above +is similar to what could happen due to an temporary interrupt storm, +what could happen if there was a host controller (HW or SW) issue, or +what could happen if the Realtek device got into a confused state and +needed time to recover. + +This change is fairly critical since the r8152 driver in Linux doesn't +expect register reads/writes (which are backed by USB control +messages) to fail. + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Suggested-by: Hayes Wang +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 4cd9bcca84c5b..89a1e40ff7005 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1208,7 +1208,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in, + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_GET_TIMEOUT); + if (ret < 0) + memset(data, 0xff, size); + else +@@ -1231,7 +1231,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out, + RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_SET_TIMEOUT); + + kfree(tmp); + +@@ -9538,7 +9538,8 @@ u8 rtl8152_get_version(struct usb_interface *intf) + + ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500); ++ PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), ++ USB_CTRL_GET_TIMEOUT); + if (ret > 0) + ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK; + +-- +2.42.0 + diff --git a/queue-5.15/r8152-release-firmware-if-we-have-an-error-in-probe.patch b/queue-5.15/r8152-release-firmware-if-we-have-an-error-in-probe.patch new file mode 100644 index 00000000000..99544c0bc19 --- /dev/null +++ b/queue-5.15/r8152-release-firmware-if-we-have-an-error-in-probe.patch 
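Review bot: In rtl8152_get_version() the result is still accepted with `if (ret > 0)`, so a transfer shorter than `sizeof(*tmp)` is decoded as a full 32-bit register. This is the same short-read pattern that the smsc95xx patch in this queue fixes; if `tmp` is not zero-initialised (its allocation is outside the hunk), the version would be derived from stale bytes. `if (ret == (int)sizeof(*tmp))` would require a complete read. get_registers() has the same shape, `if (ret < 0) memset(data, 0xff, size); else`, where a short positive return takes the success branch, and with the timeout raised to 5 s an unresponsive device can hold each of these calls ten times longer than before.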
@@ -0,0 +1,37 @@ +From 88e0f926807394324fd360488da37b1b29287714 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:55 -0700 +Subject: r8152: Release firmware if we have an error in probe + +From: Douglas Anderson + +[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ] + +The error handling in rtl8152_probe() is missing a call to release +firmware. Add it in to match what's in the cleanup code in +rtl8152_disconnect(). + +Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index baa3c57d16427..f6d5fbb9dee07 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9802,6 +9802,7 @@ static int rtl8152_probe(struct usb_interface *intf, + cancel_delayed_work_sync(&tp->hw_phy_work); + if (tp->rtl_ops.unload) + tp->rtl_ops.unload(tp); ++ rtl8152_release_firmware(tp); + usb_set_intfdata(intf, NULL); + out: + free_netdev(netdev); +-- +2.42.0 + diff --git a/queue-5.15/r8152-run-the-unload-routine-if-we-have-errors-durin.patch b/queue-5.15/r8152-run-the-unload-routine-if-we-have-errors-durin.patch new file mode 100644 index 00000000000..ee952e81daf --- /dev/null +++ b/queue-5.15/r8152-run-the-unload-routine-if-we-have-errors-durin.patch 
@@ -0,0 +1,38 @@ +From 75fb49249a8e6fec93a3f69399dccbca62734d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:53 -0700 +Subject: r8152: Run the unload routine if we have errors during probe + +From: Douglas Anderson + +[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ] + +The rtl8152_probe() function lacks a call to the chip-specific +unload() routine when it sees an error in probe. Add it in to match +the cleanup code in rtl8152_disconnect(). + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 89a1e40ff7005..52056b296b9f7 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9799,6 +9799,8 @@ static int rtl8152_probe(struct usb_interface *intf, + + out1: + tasklet_kill(&tp->tx_tl); ++ if (tp->rtl_ops.unload) ++ tp->rtl_ops.unload(tp); + usb_set_intfdata(intf, NULL); + out: + free_netdev(netdev); +-- +2.42.0 + diff --git a/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch new file mode 100644 index 00000000000..66e2ae1af17 --- /dev/null +++ b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch 
@@ -0,0 +1,105 @@ +From 6f1d0ab6a768263f7c6b2662555784ece948b6ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:38 +0200 +Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading + desc->opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ] + +KCSAN reported the following data-race bug: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 + +race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x80003fff -> 0x3402805f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 
+================================================================== + +drivers/net/ethernet/realtek/r8169_main.c: +========================================== + 4429 + → 4430 status = le32_to_cpu(desc->opts1); + 4431 if (status & DescOwn) + 4432 break; + 4433 + 4434 /* This barrier is needed to keep us from reading + 4435 * any other fields out of the Rx descriptor until + 4436 * we know the status of DescOwn + 4437 */ + 4438 dma_rmb(); + 4439 + 4440 if (unlikely(status & RxRES)) { + 4441 if (net_ratelimit()) + 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n", + +Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to +desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from +happening: + + 4429 + → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1)); + 4431 if (status & DescOwn) + 4432 break; + 4433 + +As the consequence of this fix, this KCSAN warning was eliminated. + +Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private") +Suggested-by: Marco Elver +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index d5a52fcd57cd0..1cd0928472c0c 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4513,7 +4513,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, int budget + dma_addr_t addr; + u32 status; + +- status = le32_to_cpu(desc->opts1); ++ status = le32_to_cpu(READ_ONCE(desc->opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch new file mode 100644 index 00000000000..0d4206c1364 --- /dev/null +++ b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch 
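Review bot: The READ_ONCE() added around `desc->opts1` in rtl_rx() carries no comment saying why the access is marked, and the neighbouring comment only explains `dma_rmb()`. The commit text says the field can be written concurrently, so a short line such as `/* opts1 can change under us; READ_ONCE() prevents a torn or repeated load */` would keep a later cleanup from dropping it. The rtl_tx() hunk in the next patch adds `READ_ONCE(tp->cur_tx)` with the same gap; there the comment should name the `WRITE_ONCE()` in rtl8169_start_xmit() as the other side. Both functions extend beyond their hunks.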
@@ -0,0 +1,175 @@ +From 5bc21074ae4b5521342e7ff4f69751670b79f11e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:34 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx() while reading + tp->cur_tx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169] + +write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29: +rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169 +dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560) +sch_direct_xmit (net/sched/sch_generic.c:342) +__dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306) +ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233) +__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293) +ip_finish_output (net/ipv4/ip_output.c:328) +ip_output (net/ipv4/ip_output.c:435) +ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486) +udp_send_skb (net/ipv4/udp.c:963) +udp_sendmsg (net/ipv4/udp.c:1246) +inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4)) +sock_sendmsg (net/socket.c:730 net/socket.c:753) +__sys_sendto (net/socket.c:2177) +__x64_sys_sendto (net/socket.c:2185) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action 
(net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) +asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x002f4815 -> 0x002f4816 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +The write side of drivers/net/ethernet/realtek/r8169_main.c is: +================== + 4251 /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */ + 4252 smp_wmb(); + 4253 + → 4254 WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1); + 4255 + 4256 stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp), + 4257 R8169_TX_STOP_THRS, + 4258 R8169_TX_START_THRS); + +The read side is the function rtl_tx(): + + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 
rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + → 4397 if (tp->cur_tx != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the +line 4363: + + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + +but the same solution is required for protecting the other access to tp->cur_tx: + + → 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + +The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397 +might have suffered read tearing under some compiler optimisations. + +The fix eliminated the KCSAN data-race report for this bug. + +It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363 +and line 4397. This test should certainly not be cached by the compiler in some register +for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line +4254 in the meantime. + +Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings") +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. 
Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 264bb3ec44a59..2ecfff54339ac 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4480,7 +4480,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + * If skb is NULL then we come here again once a tx irq is + * triggered after the last fragment is marked transmitted. + */ +- if (tp->cur_tx != dirty_tx && skb) ++ if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + rtl8169_doorbell(tp); + } + } +-- +2.42.0 + diff --git a/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-409 b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-409 new file mode 100644 index 00000000000..78131717eff --- /dev/null +++ b/queue-5.15/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-409 
@@ -0,0 +1,136 @@ +From 51c4549f5a28d1aa96e5c0e91ef4fbbd2872d697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:36 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading + TxDescArray[entry].opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 + +race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0xb0000042 -> 0x00000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 
+================================================================== + +The read side is in + +drivers/net/ethernet/realtek/r8169_main.c +========================================= + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes +this KCSAN warning. + + 4366 + → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + 4368 if (status & DescOwn) + 4369 break; + 4370 + +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. 
Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 2ecfff54339ac..d5a52fcd57cd0 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4443,7 +4443,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + unsigned int entry = dirty_tx % NUM_TX_DESC; + u32 status; + +- status = le32_to_cpu(tp->TxDescArray[entry].opts1); ++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 8fb515799a8..55bbbbd095d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
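Review bot: The `READ_ONCE()` added around `tp->TxDescArray[entry].opts1` in the `rtl_tx()` loop has no comment naming the concurrent writer, and the KCSAN report quoted in the description only says "race at unknown origin". If the writer is the NIC updating the descriptor by DMA (an inference from the `DescOwn` test, not something these lines show), a line such as `/* opts1 is written back by the device; take one snapshot for the DescOwn test */` above the read would record why the annotation exists. `READ_ONCE()` only prevents tearing and refetching and gives no ordering against later descriptor accesses, so whether a `dma_rmb()` belongs after the `DescOwn` check should be confirmed against the rest of the loop, which lies outside the hunk.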
@@ -27,3 +27,28 @@ mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
 mm-migrate-fix-do_pages_move-for-compat-pointers.patch
 nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch
 drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
+vsock-virtio-factor-our-the-code-to-initialize-and-d.patch
+vsock-virtio-add-support-for-device-suspend-resume.patch
+vsock-virtio-initialize-the_virtio_vsock-before-usin.patch
+drm-dp_mst-fix-null-deref-in-get_mst_branch_device_b.patch
+arm-omap1-move-32k-counter-from-plat-omap-to-mach-om.patch
+arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
+firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-409
+r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
+i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
+treewide-spelling-fix-in-comment.patch
+igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
+neighbour-fix-various-data-races.patch
+igc-fix-ambiguity-in-the-ethtool-advertising.patch
+net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
+net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
+r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
+r8152-run-the-unload-routine-if-we-have-errors-durin.patch
+r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
+r8152-release-firmware-if-we-have-an-error-in-probe.patch
+tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
+gtp-uapi-fix-gtpa_max.patch
+gtp-fix-fragmentation-needed-check-with-gso.patch
+i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
diff --git a/queue-5.15/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch b/queue-5.15/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
new file mode 100644
index 00000000000..044d3a4bf17
--- /dev/null
+++ b/queue-5.15/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
@@ -0,0 +1,96 @@ +From 10ec092f5a7aecafc08712a0804d0b7091aad11d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 08:19:47 +0800 +Subject: tcp: fix wrong RTO timeout when received SACK reneging + +From: Fred Chen + +[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ] + +This commit fix wrong RTO timeout when received SACK reneging. + +When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging() +will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future. + +But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when +CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer() +is moved after tcp_fastretrans_alert()(which do the SACK reneging check), +so the RTO timeout will be overwrited by tcp_set_xmit_timer() with +icsk_rto instead of 1/2*srtt. + +Here is a packetdrill script to check this bug: +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++0 bind(3, ..., ...) = 0 ++0 listen(3, 1) = 0 + +// simulate srtt to 100ms ++0 < S 0:0(0) win 32792 ++0 > S. 0:0(0) ack 1 ++.1 < . 1:1(0) ack 1 win 1024 + ++0 accept(3, ..., ...) = 4 + ++0 write(4, ..., 10000) = 10000 ++0 > P. 1:10001(10000) ack 1 + +// inject sack ++.1 < . 1:1(0) ack 1 win 257 ++0 > . 1:1001(1000) ack 1 + +// inject sack reneging ++.1 < . 1:1(0) ack 1001 win 257 + +// we expect rto fired in 1/2*srtt (50ms) ++.05 > . 1001:2001(1000) ack 1 + +This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when +tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid +being overwrited later. + +Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN") +Signed-off-by: Fred Chen +Reviewed-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index d1e431ad5f619..8e4b42d394bed 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2195,16 +2195,17 @@ void tcp_enter_loss(struct sock *sk) + * restore sanity to the SACK scoreboard. If the apparent reneging + * persists until this RTO then we'll clear the SACK scoreboard. + */ +-static bool tcp_check_sack_reneging(struct sock *sk, int flag) ++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag) + { +- if (flag & FLAG_SACK_RENEGING && +- flag & FLAG_SND_UNA_ADVANCED) { ++ if (*ack_flag & FLAG_SACK_RENEGING && ++ *ack_flag & FLAG_SND_UNA_ADVANCED) { + struct tcp_sock *tp = tcp_sk(sk); + unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4), + msecs_to_jiffies(10)); + + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, + delay, TCP_RTO_MAX); ++ *ack_flag &= ~FLAG_SET_XMIT_TIMER; + return true; + } + return false; +@@ -2974,7 +2975,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + tp->prior_ssthresh = 0; + + /* B. In all the states check for reneging SACKs. */ +- if (tcp_check_sack_reneging(sk, flag)) ++ if (tcp_check_sack_reneging(sk, ack_flag)) + return; + + /* C. Check consistency of the current state. */ +-- +2.42.0 + diff --git a/queue-5.15/treewide-spelling-fix-in-comment.patch b/queue-5.15/treewide-spelling-fix-in-comment.patch new file mode 100644 index 00000000000..b8d68e04a1b --- /dev/null +++ b/queue-5.15/treewide-spelling-fix-in-comment.patch 
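Review bot: `tcp_check_sack_reneging()` now writes through its argument (`*ack_flag &= ~FLAG_SET_XMIT_TIMER;`), but the comment block above it, whose tail is the hunk's context, still describes only the timer re-arm, and the name still reads like a pure predicate. I would extend that comment with a line such as `* Also clears FLAG_SET_XMIT_TIMER in *ack_flag so the caller does not re-arm the RTO over this shorter timer.` The call in `tcp_fastretrans_alert()` now passes `ack_flag` where it passed `flag`; any local copy of the flags taken before the call would not see the cleared bit, which is harmless here only because the function returns immediately when the check is true. The rest of `tcp_fastretrans_alert()` is outside the hunk, so that assumption is worth confirming in the 5.15 tree.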
@@ -0,0 +1,36 @@
+From 36f0666dc21ebe84851e40c88ce0768bf6bda2a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 17:31:56 +0800
+Subject: treewide: Spelling fix in comment
+
+From: Kunwu Chan
+
+[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
+
+reques -> request
+
+Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
+Signed-off-by: Kunwu Chan
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+index dc14a66583ff3..44488c153ea25 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev,
+ key_index = wl->current_key;
+
+ if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) {
+- /* reques to change default key index */
++ /* request to change default key index */
+ pr_debug("%s: request to change default key to %d\n",
+ __func__, key_index);
+ wl->current_key = key_index;
+--
+2.42.0
+
diff --git a/queue-5.15/vsock-virtio-add-support-for-device-suspend-resume.patch b/queue-5.15/vsock-virtio-add-support-for-device-suspend-resume.patch
new file mode 100644
index 00000000000..abd222eb192
--- /dev/null
+++ b/queue-5.15/vsock-virtio-add-support-for-device-suspend-resume.patch
@@ -0,0 +1,93 @@ +From e3b4ae71e5e449e443770308ffff0e58b23fd16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 15:22:41 +0200 +Subject: vsock/virtio: add support for device suspend/resume + +From: Stefano Garzarella + +[ Upstream commit bd50c5dc182b0a52599f87b429f9a5a9cbfc9b1c ] + +Implement .freeze and .restore callbacks of struct virtio_driver +to support device suspend/resume. + +During suspension all connected sockets are reset and VQs deleted. +During resume the VQs are re-initialized. + +Reported by: Vilas R K +Signed-off-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Signed-off-by: Jakub Kicinski +Stable-dep-of: 53b08c498515 ("vsock/virtio: initialize the_virtio_vsock before using VQs") +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport.c | 47 ++++++++++++++++++++++++++++++++ + 1 file changed, 47 insertions(+) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index e4773ae6a54d6..f6fa26228e5cf 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -743,6 +743,49 @@ static void virtio_vsock_remove(struct virtio_device *vdev) + kfree(vsock); + } + ++#ifdef CONFIG_PM_SLEEP ++static int virtio_vsock_freeze(struct virtio_device *vdev) ++{ ++ struct virtio_vsock *vsock = vdev->priv; ++ ++ mutex_lock(&the_virtio_vsock_mutex); ++ ++ rcu_assign_pointer(the_virtio_vsock, NULL); ++ synchronize_rcu(); ++ ++ virtio_vsock_vqs_del(vsock); ++ ++ mutex_unlock(&the_virtio_vsock_mutex); ++ ++ return 0; ++} ++ ++static int virtio_vsock_restore(struct virtio_device *vdev) ++{ ++ struct virtio_vsock *vsock = vdev->priv; ++ int ret; ++ ++ mutex_lock(&the_virtio_vsock_mutex); ++ ++ /* Only one virtio-vsock device per guest is supported */ ++ if (rcu_dereference_protected(the_virtio_vsock, ++ lockdep_is_held(&the_virtio_vsock_mutex))) { ++ ret = -EBUSY; ++ goto out; ++ } ++ ++ ret = virtio_vsock_vqs_init(vsock); ++ if (ret < 0) ++ goto out; ++ ++ 
rcu_assign_pointer(the_virtio_vsock, vsock); ++ ++out: ++ mutex_unlock(&the_virtio_vsock_mutex); ++ return ret; ++} ++#endif /* CONFIG_PM_SLEEP */ ++ + static struct virtio_device_id id_table[] = { + { VIRTIO_ID_VSOCK, VIRTIO_DEV_ANY_ID }, + { 0 }, +@@ -760,6 +803,10 @@ static struct virtio_driver virtio_vsock_driver = { + .id_table = id_table, + .probe = virtio_vsock_probe, + .remove = virtio_vsock_remove, ++#ifdef CONFIG_PM_SLEEP ++ .freeze = virtio_vsock_freeze, ++ .restore = virtio_vsock_restore, ++#endif + }; + + static int __init virtio_vsock_init(void) +-- +2.42.0 + diff --git a/queue-5.15/vsock-virtio-factor-our-the-code-to-initialize-and-d.patch b/queue-5.15/vsock-virtio-factor-our-the-code-to-initialize-and-d.patch new file mode 100644 index 00000000000..600eb66ca78 --- /dev/null +++ b/queue-5.15/vsock-virtio-factor-our-the-code-to-initialize-and-d.patch 
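Review bot: When `virtio_vsock_vqs_init()` fails in `virtio_vsock_restore()` (or the `-EBUSY` branch is taken), the function returns with `vdev->priv` still pointing at a vsock whose VQs `virtio_vsock_freeze()` has already deleted. `virtio_vsock_remove()`, as rewritten in the companion refactoring patch on this page, calls `virtio_vsock_vqs_del(vsock)` unconditionally, so a later unbind would run the VQ teardown a second time; whether that path tolerates VQs that no longer exist cannot be judged from these lines. At minimum the failure branch deserves a comment such as `/* VQs stay deleted and the_virtio_vsock stays NULL; remove() must cope */`, and a per-device flag that lets remove skip the teardown would make the state explicit.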
@@ -0,0 +1,222 @@ +From 091a0c2493b3743b9114f5e772166a235c5ee73a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Apr 2022 15:22:40 +0200 +Subject: vsock/virtio: factor our the code to initialize and delete VQs + +From: Stefano Garzarella + +[ Upstream commit a103209886264a3289f7e53e7ed389d0391fb23f ] + +Add virtio_vsock_vqs_init() and virtio_vsock_vqs_del() with the code +that was in virtio_vsock_probe() and virtio_vsock_remove to initialize +and delete VQs. + +These new functions will be used in the next commit to support device +suspend/resume + +Signed-off-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Signed-off-by: Jakub Kicinski +Stable-dep-of: 53b08c498515 ("vsock/virtio: initialize the_virtio_vsock before using VQs") +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport.c | 150 +++++++++++++++++-------------- + 1 file changed, 84 insertions(+), 66 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index c5f936fbf876d..e4773ae6a54d6 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -566,67 +566,28 @@ static void virtio_transport_rx_work(struct work_struct *work) + mutex_unlock(&vsock->rx_lock); + } + +-static int virtio_vsock_probe(struct virtio_device *vdev) ++static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) + { +- vq_callback_t *callbacks[] = { +- virtio_vsock_rx_done, +- virtio_vsock_tx_done, +- virtio_vsock_event_done, +- }; ++ struct virtio_device *vdev = vsock->vdev; + static const char * const names[] = { + "rx", + "tx", + "event", + }; +- struct virtio_vsock *vsock = NULL; ++ vq_callback_t *callbacks[] = { ++ virtio_vsock_rx_done, ++ virtio_vsock_tx_done, ++ virtio_vsock_event_done, ++ }; + int ret; + +- ret = mutex_lock_interruptible(&the_virtio_vsock_mutex); +- if (ret) +- return ret; +- +- /* Only one virtio-vsock device per guest is supported */ +- if (rcu_dereference_protected(the_virtio_vsock, +- 
lockdep_is_held(&the_virtio_vsock_mutex))) { +- ret = -EBUSY; +- goto out; +- } +- +- vsock = kzalloc(sizeof(*vsock), GFP_KERNEL); +- if (!vsock) { +- ret = -ENOMEM; +- goto out; +- } +- +- vsock->vdev = vdev; +- +- ret = virtio_find_vqs(vsock->vdev, VSOCK_VQ_MAX, +- vsock->vqs, callbacks, names, ++ ret = virtio_find_vqs(vdev, VSOCK_VQ_MAX, vsock->vqs, callbacks, names, + NULL); + if (ret < 0) +- goto out; ++ return ret; + + virtio_vsock_update_guest_cid(vsock); + +- vsock->rx_buf_nr = 0; +- vsock->rx_buf_max_nr = 0; +- atomic_set(&vsock->queued_replies, 0); +- +- mutex_init(&vsock->tx_lock); +- mutex_init(&vsock->rx_lock); +- mutex_init(&vsock->event_lock); +- spin_lock_init(&vsock->send_pkt_list_lock); +- INIT_LIST_HEAD(&vsock->send_pkt_list); +- INIT_WORK(&vsock->rx_work, virtio_transport_rx_work); +- INIT_WORK(&vsock->tx_work, virtio_transport_tx_work); +- INIT_WORK(&vsock->event_work, virtio_transport_event_work); +- INIT_WORK(&vsock->send_pkt_work, virtio_transport_send_pkt_work); +- +- if (virtio_has_feature(vdev, VIRTIO_VSOCK_F_SEQPACKET)) +- vsock->seqpacket_allow = true; +- +- vdev->priv = vsock; +- + virtio_device_ready(vdev); + + mutex_lock(&vsock->tx_lock); +@@ -643,30 +604,15 @@ static int virtio_vsock_probe(struct virtio_device *vdev) + vsock->event_run = true; + mutex_unlock(&vsock->event_lock); + +- rcu_assign_pointer(the_virtio_vsock, vsock); +- +- mutex_unlock(&the_virtio_vsock_mutex); +- + return 0; +- +-out: +- kfree(vsock); +- mutex_unlock(&the_virtio_vsock_mutex); +- return ret; + } + +-static void virtio_vsock_remove(struct virtio_device *vdev) ++static void virtio_vsock_vqs_del(struct virtio_vsock *vsock) + { +- struct virtio_vsock *vsock = vdev->priv; ++ struct virtio_device *vdev = vsock->vdev; + struct virtio_vsock_pkt *pkt; + +- mutex_lock(&the_virtio_vsock_mutex); +- +- vdev->priv = NULL; +- rcu_assign_pointer(the_virtio_vsock, NULL); +- synchronize_rcu(); +- +- /* Reset all connected sockets when the device disappear */ ++ /* Reset 
all connected sockets when the VQs disappear */ + vsock_for_each_connected_socket(&virtio_transport.transport, + virtio_vsock_reset_sock); + +@@ -711,6 +657,78 @@ static void virtio_vsock_remove(struct virtio_device *vdev) + + /* Delete virtqueues and flush outstanding callbacks if any */ + vdev->config->del_vqs(vdev); ++} ++ ++static int virtio_vsock_probe(struct virtio_device *vdev) ++{ ++ struct virtio_vsock *vsock = NULL; ++ int ret; ++ ++ ret = mutex_lock_interruptible(&the_virtio_vsock_mutex); ++ if (ret) ++ return ret; ++ ++ /* Only one virtio-vsock device per guest is supported */ ++ if (rcu_dereference_protected(the_virtio_vsock, ++ lockdep_is_held(&the_virtio_vsock_mutex))) { ++ ret = -EBUSY; ++ goto out; ++ } ++ ++ vsock = kzalloc(sizeof(*vsock), GFP_KERNEL); ++ if (!vsock) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ ++ vsock->vdev = vdev; ++ ++ vsock->rx_buf_nr = 0; ++ vsock->rx_buf_max_nr = 0; ++ atomic_set(&vsock->queued_replies, 0); ++ ++ mutex_init(&vsock->tx_lock); ++ mutex_init(&vsock->rx_lock); ++ mutex_init(&vsock->event_lock); ++ spin_lock_init(&vsock->send_pkt_list_lock); ++ INIT_LIST_HEAD(&vsock->send_pkt_list); ++ INIT_WORK(&vsock->rx_work, virtio_transport_rx_work); ++ INIT_WORK(&vsock->tx_work, virtio_transport_tx_work); ++ INIT_WORK(&vsock->event_work, virtio_transport_event_work); ++ INIT_WORK(&vsock->send_pkt_work, virtio_transport_send_pkt_work); ++ ++ if (virtio_has_feature(vdev, VIRTIO_VSOCK_F_SEQPACKET)) ++ vsock->seqpacket_allow = true; ++ ++ vdev->priv = vsock; ++ ++ ret = virtio_vsock_vqs_init(vsock); ++ if (ret < 0) ++ goto out; ++ ++ rcu_assign_pointer(the_virtio_vsock, vsock); ++ ++ mutex_unlock(&the_virtio_vsock_mutex); ++ ++ return 0; ++ ++out: ++ kfree(vsock); ++ mutex_unlock(&the_virtio_vsock_mutex); ++ return ret; ++} ++ ++static void virtio_vsock_remove(struct virtio_device *vdev) ++{ ++ struct virtio_vsock *vsock = vdev->priv; ++ ++ mutex_lock(&the_virtio_vsock_mutex); ++ ++ vdev->priv = NULL; ++ 
rcu_assign_pointer(the_virtio_vsock, NULL); ++ synchronize_rcu(); ++ ++ virtio_vsock_vqs_del(vsock); + + /* Other works can be queued before 'config->del_vqs()', so we flush + * all works before to free the vsock object to avoid use after free. +-- +2.42.0 + diff --git a/queue-5.15/vsock-virtio-initialize-the_virtio_vsock-before-usin.patch b/queue-5.15/vsock-virtio-initialize-the_virtio_vsock-before-usin.patch new file mode 100644 index 00000000000..1da9078a5c1 --- /dev/null +++ b/queue-5.15/vsock-virtio-initialize-the_virtio_vsock-before-usin.patch 
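Review bot: In the rebuilt `virtio_vsock_probe()`, `vdev->priv = vsock;` is assigned before `virtio_vsock_vqs_init(vsock)`, so when that call fails the `out:` label frees `vsock` and leaves `vdev->priv` pointing at freed memory; the removed code set `vdev->priv` only after `virtio_find_vqs()` had succeeded. Nothing in the hunk shows a reader of `vdev->priv` after a failed probe, so this is a dangling pointer rather than a demonstrated use-after-free, but it is cheap to close: add `vdev->priv = NULL;` before `kfree(vsock);` under `out:`.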
@@ -0,0 +1,81 @@ +From d3c4405dd2c5a68ee68aca6fd723df8ebb27d54e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 22:17:42 +0300 +Subject: vsock/virtio: initialize the_virtio_vsock before using VQs + +From: Alexandru Matei + +[ Upstream commit 53b08c4985158430fd6d035fb49443bada535210 ] + +Once VQs are filled with empty buffers and we kick the host, it can send +connection requests. If the_virtio_vsock is not initialized before, +replies are silently dropped and do not reach the host. + +virtio_transport_send_pkt() can queue packets once the_virtio_vsock is +set, but they won't be processed until vsock->tx_run is set to true. We +queue vsock->send_pkt_work when initialization finishes to send those +packets queued earlier. + +Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") +Signed-off-by: Alexandru Matei +Reviewed-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20231024191742.14259-1-alexandru.matei@uipath.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index f6fa26228e5cf..0b41028ed544a 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -590,6 +590,11 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) + + virtio_device_ready(vdev); + ++ return 0; ++} ++ ++static void virtio_vsock_vqs_start(struct virtio_vsock *vsock) ++{ + mutex_lock(&vsock->tx_lock); + vsock->tx_run = true; + mutex_unlock(&vsock->tx_lock); +@@ -604,7 +609,16 @@ static int virtio_vsock_vqs_init(struct virtio_vsock *vsock) + vsock->event_run = true; + mutex_unlock(&vsock->event_lock); + +- return 0; ++ /* virtio_transport_send_pkt() can queue packets once ++ * the_virtio_vsock is set, but they won't be processed until ++ * vsock->tx_run is set to true. 
We queue vsock->send_pkt_work ++ * when initialization finishes to send those packets queued ++ * earlier. ++ * We don't need to queue the other workers (rx, event) because ++ * as long as we don't fill the queues with empty buffers, the ++ * host can't send us any notification. ++ */ ++ queue_work(virtio_vsock_workqueue, &vsock->send_pkt_work); + } + + static void virtio_vsock_vqs_del(struct virtio_vsock *vsock) +@@ -707,6 +721,7 @@ static int virtio_vsock_probe(struct virtio_device *vdev) + goto out; + + rcu_assign_pointer(the_virtio_vsock, vsock); ++ virtio_vsock_vqs_start(vsock); + + mutex_unlock(&the_virtio_vsock_mutex); + +@@ -779,6 +794,7 @@ static int virtio_vsock_restore(struct virtio_device *vdev) + goto out; + + rcu_assign_pointer(the_virtio_vsock, vsock); ++ virtio_vsock_vqs_start(vsock); + + out: + mutex_unlock(&the_virtio_vsock_mutex); +-- +2.42.0 +
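Review bot: `virtio_vsock_vqs_start()` has an ordering contract that is written down nowhere: it is meant to run after `rcu_assign_pointer(the_virtio_vsock, vsock)`, and both callers in the hunk (`virtio_vsock_probe()` and `virtio_vsock_restore()`) invoke it before `mutex_unlock(&the_virtio_vsock_mutex)`. Since the split from `virtio_vsock_vqs_init()` exists to fix exactly this ordering, I would state it in a header comment, e.g. `/* Call after the_virtio_vsock is published, with the_virtio_vsock_mutex held. */`. The bodies of both functions extend beyond the hunk's context lines.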