From: Sasha Levin
Date: Fri, 4 Oct 2024 16:20:10 +0000 (-0400)
Subject: Fixes for 6.11
X-Git-Tag: v6.6.55~159
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2592f94ad29c8b56e365a5d10730b1cc4920d32;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 6.11

Signed-off-by: Sasha Levin
---
diff --git a/queue-6.11/afs-fix-missing-wire-up-of-afs_retry_request.patch b/queue-6.11/afs-fix-missing-wire-up-of-afs_retry_request.patch new file mode 100644 index 00000000000..4d9798859d7 --- /dev/null +++ b/queue-6.11/afs-fix-missing-wire-up-of-afs_retry_request.patch 
@@ -0,0 +1,46 @@ +From fcd5b391641e2e3c0e1fc27f4c276c1837f6c596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Sep 2024 21:40:02 +0100 +Subject: afs: Fix missing wire-up of afs_retry_request() + +From: David Howells + +[ Upstream commit 2cf36327ee1e47733aba96092d7bd082a4056ff5 ] + +afs_retry_request() is supposed to be pointed to by the afs_req_ops netfs +operations table, but the pointer got lost somewhere. The function is used +during writeback to rotate through the authentication keys that were in +force when the file was modified locally. + +Fix this by adding the pointer to the function. + +Fixes: 1ecb146f7cd8 ("netfs, afs: Use writeback retry to deal with alternate keys") +Reported-by: Dr. David Alan Gilbert +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/1690847.1726346402@warthog.procyon.org.uk +cc: Marc Dionne +cc: Jeff Layton +cc: linux-afs@lists.infradead.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/file.c b/fs/afs/file.c +index ec1be0091fdb5..290f60460ec75 100644 +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -404,6 +404,7 @@ const struct netfs_request_ops afs_req_ops = { + .begin_writeback = afs_begin_writeback, + .prepare_write = afs_prepare_write, + .issue_write = afs_issue_write, ++ .retry_request = afs_retry_request, + }; + + static void afs_add_open_mmap(struct afs_vnode *vnode) +-- +2.43.0 + diff --git a/queue-6.11/afs-fix-the-setting-of-the-server-responding-flag.patch b/queue-6.11/afs-fix-the-setting-of-the-server-responding-flag.patch new file mode 100644 index 00000000000..c14521d8565 --- /dev/null +++ b/queue-6.11/afs-fix-the-setting-of-the-server-responding-flag.patch 
@@ -0,0 +1,45 @@ +From 357c34290aa5ca6e43398b8725b1bea664124688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 16:07:50 +0100 +Subject: afs: Fix the setting of the server responding flag + +From: David Howells + +[ Upstream commit ff98751bae40faed1ba9c6a7287e84430f7dec64 ] + +In afs_wait_for_operation(), we set transcribe the call responded flag to +the server record that we used after doing the fileserver iteration loop - +but it's possible to exit the loop having had a response from the server +that we've discarded (e.g. it returned an abort or we started receiving +data, but the call didn't complete). + +This means that op->server might be NULL, but we don't check that before +attempting to set the server flag. + +Fixes: 98f9fda2057b ("afs: Fold the afs_addr_cursor struct in") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20240923150756.902363-7-dhowells@redhat.com +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/fs_operation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/fs_operation.c b/fs/afs/fs_operation.c +index 3546b087e791d..428721bbe4f6e 100644 +--- a/fs/afs/fs_operation.c ++++ b/fs/afs/fs_operation.c +@@ -201,7 +201,7 @@ void afs_wait_for_operation(struct afs_operation *op) + } + } + +- if (op->call_responded) ++ if (op->call_responded && op->server) + set_bit(AFS_SERVER_FL_RESPONDING, &op->server->flags); + + if (!afs_op_error(op)) { +-- +2.43.0 + diff --git a/queue-6.11/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch b/queue-6.11/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch new file mode 100644 index 00000000000..f7ccbda0faa --- /dev/null +++ b/queue-6.11/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch 
@@ -0,0 +1,45 @@ +From c47280dcf3356ca5c1c2ba95bf111d605bb10fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:12:04 +0800 +Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support") +Signed-off-by: Jinjie Ruan +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmrvl_sdio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index 85b7f2bb42598..07cd308f7abf6 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -92,7 +92,7 @@ static int btmrvl_sdio_probe_of(struct device *dev, + } else { + ret = devm_request_irq(dev, cfg->irq_bt, + btmrvl_wake_irq_bt, +- 0, "bt_wake", card); ++ IRQF_NO_AUTOEN, "bt_wake", card); + if (ret) { + dev_err(dev, + "Failed to request irq_bt %d (%d)\n", +@@ -101,7 +101,6 @@ static int btmrvl_sdio_probe_of(struct device *dev, + + /* Configure wakeup (enabled by default) */ + device_init_wakeup(dev, true); +- disable_irq(cfg->irq_bt); + } + } + +-- +2.43.0 + diff --git a/queue-6.11/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch b/queue-6.11/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch new file mode 100644 index 00000000000..c1b28c69c06 --- /dev/null +++ b/queue-6.11/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch 
@@ -0,0 +1,129 @@ +From 0c3ed2df6b23f97034beca3fda644fe57208595b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 12:47:39 -0400 +Subject: Bluetooth: L2CAP: Fix uaf in l2cap_connect + +From: Luiz Augusto von Dentz + +[ Upstream commit 333b4fd11e89b29c84c269123f871883a30be586 ] + +[Syzbot reported] +BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 +Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 + +CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Workqueue: hci2 hci_rx_work +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:488 + kasan_report+0xd9/0x110 mm/kasan/report.c:601 + l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 + l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] + l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 + l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 + hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] + hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 + process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 +... 
+ +Freed by task 5245: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 + poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 + __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2256 [inline] + slab_free mm/slub.c:4477 [inline] + kfree+0x12a/0x3b0 mm/slub.c:4598 + l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] + l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 + l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 + hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] + hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 + hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 + abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 + hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 + process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 + process_scheduled_works kernel/workqueue.c:3312 [inline] + worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 + kthread+0x2c1/0x3a0 kernel/kthread.c:389 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com +Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c +Fixes: 7b064edae38d ("Bluetooth: Fix authentication if acl data comes before remote feature evt") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 ++ + net/bluetooth/hci_event.c | 2 +- + net/bluetooth/l2cap_core.c | 8 -------- + 3 files changed, 3 insertions(+), 9 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 
d6976db02c06c..b2f8f9c5b6106 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3782,6 +3782,8 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) + + hci_dev_lock(hdev); + conn = hci_conn_hash_lookup_handle(hdev, handle); ++ if (conn && hci_dev_test_flag(hdev, HCI_MGMT)) ++ mgmt_device_connected(hdev, conn, NULL, 0); + hci_dev_unlock(hdev); + + if (conn) { +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 1c82dcdf6e8fc..b87c0f1dab9e3 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3706,7 +3706,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev, void *data, + goto unlock; + } + +- if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { ++ if (!ev->status) { + struct hci_cp_remote_name_req cp; + memset(&cp, 0, sizeof(cp)); + bacpy(&cp.bdaddr, &conn->dst); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 9988ba382b686..6544c1ed71434 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4066,17 +4066,9 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, + static int l2cap_connect_req(struct l2cap_conn *conn, + struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) + { +- struct hci_dev *hdev = conn->hcon->hdev; +- struct hci_conn *hcon = conn->hcon; +- + if (cmd_len < sizeof(struct l2cap_conn_req)) + return -EPROTO; + +- hci_dev_lock(hdev); +- if (hci_dev_test_flag(hdev, HCI_MGMT)) +- mgmt_device_connected(hdev, hcon, NULL, 0); +- hci_dev_unlock(hdev); +- + l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP); + return 0; + } +-- +2.43.0 + diff --git a/queue-6.11/bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch b/queue-6.11/bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch new file mode 100644 index 00000000000..6f19f0e241c --- /dev/null +++ b/queue-6.11/bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch 
@@ -0,0 +1,93 @@ +From 536b4f9cef799e8e4da35a274955fa71e12cb8e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 12:34:42 -0400 +Subject: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed + +From: Luiz Augusto von Dentz + +[ Upstream commit f53e1c9c726d83092167f2226f32bd3b73f26c21 ] + +If mgmt_index_removed is called while there are commands queued on +cmd_sync it could lead to crashes like the bellow trace: + +0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc +0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth] +0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth] +0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth] + +So while handling mgmt_index_removed this attempts to dequeue +commands passed as user_data to cmd_sync. + +Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") +Reported-by: jiaymao +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index e4f564d6f6fbf..4157d9f23f46e 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1453,10 +1453,15 @@ static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data) + + static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data) + { +- if (cmd->cmd_complete) { +- u8 *status = data; ++ struct cmd_lookup *match = data; ++ ++ /* dequeue cmd_sync entries using cmd as data as that is about to be ++ * removed/freed. 
++ */ ++ hci_cmd_sync_dequeue(match->hdev, NULL, cmd, NULL); + +- cmd->cmd_complete(cmd, *status); ++ if (cmd->cmd_complete) { ++ cmd->cmd_complete(cmd, match->mgmt_status); + mgmt_pending_remove(cmd); + + return; +@@ -9394,12 +9399,12 @@ void mgmt_index_added(struct hci_dev *hdev) + void mgmt_index_removed(struct hci_dev *hdev) + { + struct mgmt_ev_ext_index ev; +- u8 status = MGMT_STATUS_INVALID_INDEX; ++ struct cmd_lookup match = { NULL, hdev, MGMT_STATUS_INVALID_INDEX }; + + if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) + return; + +- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); ++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match); + + if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { + mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, +@@ -9450,7 +9455,7 @@ void mgmt_power_on(struct hci_dev *hdev, int err) + void __mgmt_power_off(struct hci_dev *hdev) + { + struct cmd_lookup match = { NULL, hdev }; +- u8 status, zero_cod[] = { 0, 0, 0 }; ++ u8 zero_cod[] = { 0, 0, 0 }; + + mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); + +@@ -9462,11 +9467,11 @@ void __mgmt_power_off(struct hci_dev *hdev) + * status responses. + */ + if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) +- status = MGMT_STATUS_INVALID_INDEX; ++ match.mgmt_status = MGMT_STATUS_INVALID_INDEX; + else +- status = MGMT_STATUS_NOT_POWERED; ++ match.mgmt_status = MGMT_STATUS_NOT_POWERED; + +- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); ++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match); + + if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) { + mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, +-- +2.43.0 + diff --git a/queue-6.11/bridge-mcast-fail-mdb-get-request-on-empty-entry.patch b/queue-6.11/bridge-mcast-fail-mdb-get-request-on-empty-entry.patch new file mode 100644 index 00000000000..f6111c04c41 --- /dev/null +++ b/queue-6.11/bridge-mcast-fail-mdb-get-request-on-empty-entry.patch 
@@ -0,0 +1,52 @@ +From 65aabed3432e1afae4f5d03bf317520cf696bdf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2024 15:36:40 +0300 +Subject: bridge: mcast: Fail MDB get request on empty entry + +From: Ido Schimmel + +[ Upstream commit 555f45d24ba7cd5527716553031641cdebbe76c7 ] + +When user space deletes a port from an MDB entry, the port is removed +synchronously. If this was the last port in the entry and the entry is +not joined by the host itself, then the entry is scheduled for deletion +via a timer. + +The above means that it is possible for the MDB get netlink request to +retrieve an empty entry which is scheduled for deletion. This is +problematic as after deleting the last port in an entry, user space +cannot rely on a non-zero return code from the MDB get request as an +indication that the port was successfully removed. + +Fix by returning an error when the entry's port list is empty and the +entry is not joined by the host. + +Fixes: 68b380a395a7 ("bridge: mcast: Add MDB get support") +Reported-by: Jamie Bainbridge +Closes: https://lore.kernel.org/netdev/c92569919307749f879b9482b0f3e125b7d9d2e3.1726480066.git.jamie.bainbridge@gmail.com/ +Tested-by: Jamie Bainbridge +Signed-off-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20240929123640.558525-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index bc37e47ad8299..1a52a0bca086d 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -1674,7 +1674,7 @@ int br_mdb_get(struct net_device *dev, struct nlattr *tb[], u32 portid, u32 seq, + spin_lock_bh(&br->multicast_lock); + + mp = br_mdb_ip_get(br, &group); +- if (!mp) { ++ if (!mp || (!mp->ports && !mp->host_joined)) { + NL_SET_ERR_MSG_MOD(extack, "MDB entry not found"); + err = -ENOENT; + goto unlock; +-- +2.43.0 + 
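Review bot: In btmrvl_sdio_probe_of() (queue-6.11/bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch), once disable_irq(cfg->irq_bt) is removed nothing at the call site says that irq_bt is deliberately left disabled after probe; the only signal is the IRQF_NO_AUTOEN flag in the devm_request_irq() arguments. A short comment there naming the path that later calls enable_irq() would make the pairing reviewable, since the surviving comment "Configure wakeup (enabled by default)" refers to device_init_wakeup(), not to the interrupt line.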
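Review bot: In hci_acldata_packet() (queue-6.11/bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch), mgmt_device_connected() is now called under hci_dev_lock for every ACL data packet while HCI_MGMT is set, and hci_remote_features_evt() loses its !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags) guard, so both hunks rely on mgmt_device_connected() doing nothing for a connection that was already reported. That property is not visible in these lines and should be stated in a comment at the new call site. The commit message also carries only the KASAN report; one sentence on how the hci_rx_work path in the first trace races with the l2cap_conn_del() path in the "Freed by" trace, and why removing the hci_dev_lock section from l2cap_connect_req() closes it, would let a stable reviewer judge the backport without reading upstream discussion.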
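Review bot: cmd_complete_rsp() in net/bluetooth/mgmt.c (queue-6.11/bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch) now interprets its void *data as struct cmd_lookup *, so any mgmt_pending_foreach(..., cmd_complete_rsp, ...) caller that still passes a u8 * would compile without warning and read match->hdev from a one-byte status. The patch converts mgmt_index_removed() and __mgmt_power_off(); please confirm in the commit message that these are the only callers in 6.11. In mgmt_index_removed() the positional initializer { NULL, hdev, MGMT_STATUS_INVALID_INDEX } depends on the field order of struct cmd_lookup; designated initializers (.hdev = hdev, .mgmt_status = MGMT_STATUS_INVALID_INDEX) would survive a reordering of the struct.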
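Review bot: In br_mdb_get() (queue-6.11/bridge-mcast-fail-mdb-get-request-on-empty-entry.patch), the added test (!mp->ports && !mp->host_joined) makes an entry that exists but is empty return -ENOENT with the same "MDB entry not found" message as a missing one, and the code gives no hint why. That is the intended behaviour per the commit message, but a one-line comment above the condition saying that such an entry is only waiting for its deletion timer would keep the next reader from treating the extra clause as a bug. The check correctly sits inside the spin_lock_bh(&br->multicast_lock) section shown in the context lines.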
diff --git a/queue-6.11/ceph-fix-a-memory-leak-on-cap_auths-in-mds-client.patch b/queue-6.11/ceph-fix-a-memory-leak-on-cap_auths-in-mds-client.patch new file mode 100644 index 00000000000..54ce1ed3427 --- /dev/null +++ b/queue-6.11/ceph-fix-a-memory-leak-on-cap_auths-in-mds-client.patch @@ -0,0 +1,48 @@ +From f4966701b041defc008220dae6dac9c277ab959d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 10:52:17 +0100 +Subject: ceph: fix a memory leak on cap_auths in MDS client + +From: Luis Henriques (SUSE) + +[ Upstream commit d97079e97eab20e08afc507f2bed4501e2824717 ] + +The cap_auths that are allocated during an MDS session opening are never +released, causing a memory leak detected by kmemleak. Fix this by freeing +the memory allocated when shutting down the MDS client. + +Fixes: 1d17de9534cb ("ceph: save cap_auths in MDS client when session is opened") +Signed-off-by: Luis Henriques (SUSE) +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 276e34ab3e2cc..2e4b3ee7446c8 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -6015,6 +6015,18 @@ static void ceph_mdsc_stop(struct ceph_mds_client *mdsc) + ceph_mdsmap_destroy(mdsc->mdsmap); + kfree(mdsc->sessions); + ceph_caps_finalize(mdsc); ++ ++ if (mdsc->s_cap_auths) { ++ int i; ++ ++ for (i = 0; i < mdsc->s_cap_auths_num; i++) { ++ kfree(mdsc->s_cap_auths[i].match.gids); ++ kfree(mdsc->s_cap_auths[i].match.path); ++ kfree(mdsc->s_cap_auths[i].match.fs_name); ++ } ++ kfree(mdsc->s_cap_auths); ++ } ++ + ceph_pool_perm_destroy(mdsc); + } + +-- +2.43.0 + diff --git a/queue-6.11/ceph-remove-the-incorrect-fw-reference-check-when-di.patch b/queue-6.11/ceph-remove-the-incorrect-fw-reference-check-when-di.patch new file mode 100644 index 00000000000..d793408d596 --- /dev/null 
+++ b/queue-6.11/ceph-remove-the-incorrect-fw-reference-check-when-di.patch @@ -0,0 +1,37 @@ +From 561d4aa3cc9157c5e615bd2b5d90faba5b37012e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 06:22:18 +0800 +Subject: ceph: remove the incorrect Fw reference check when dirtying pages + +From: Xiubo Li + +[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ] + +When doing the direct-io reads it will also try to mark pages dirty, +but for the read path it won't hold the Fw caps and there is case +will it get the Fw reference. + +Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference") +Signed-off-by: Xiubo Li +Reviewed-by: Patrick Donnelly +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/addr.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index c4744a02db753..0df4623785ddb 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -95,7 +95,6 @@ static bool ceph_dirty_folio(struct address_space *mapping, struct folio *folio) + + /* dirty the head */ + spin_lock(&ci->i_ceph_lock); +- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference + if (__ceph_have_pending_cap_snap(ci)) { + struct ceph_cap_snap *capsnap = + list_last_entry(&ci->i_cap_snaps, +-- +2.43.0 + diff --git a/queue-6.11/drm-amd-display-handle-nulled-pipe-context-in-dce110.patch b/queue-6.11/drm-amd-display-handle-nulled-pipe-context-in-dce110.patch new file mode 100644 index 00000000000..b0cfc03ac0d --- /dev/null +++ b/queue-6.11/drm-amd-display-handle-nulled-pipe-context-in-dce110.patch 
@@ -0,0 +1,62 @@ +From 8b1bc590f962e64a20a792f8122ef47dd74946ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 14:54:05 +0200 +Subject: drm/amd/display: handle nulled pipe context in DCE110's set_drr() + +From: Tobias Jakobi + +[ Upstream commit e7d4e1438533abe448813bdc45691f9c230aa307 ] + +As set_drr() is called from IRQ context, it can happen that the +pipe context has been nulled by dc_state_destruct(). + +Apply the same protection here that is already present for +dcn35_set_drr() and dcn10_set_drr(). I.e. fetch the tg pointer +first (to avoid a race with dc_state_destruct()), and then +check the local copy before using it. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3142 +Fixes: 06ad7e164256 ("drm/amd/display: Destroy DC context while keeping DML and DML2") +Acked-by: Alex Deucher +Signed-off-by: Tobias Jakobi +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/hwss/dce110/dce110_hwseq.c | 21 ++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +index 4d6e90c49ad53..fc0d2077aaec4 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +@@ -2085,13 +2085,20 @@ static void set_drr(struct pipe_ctx **pipe_ctx, + * as well. + */ + for (i = 0; i < num_pipes; i++) { +- pipe_ctx[i]->stream_res.tg->funcs->set_drr( +- pipe_ctx[i]->stream_res.tg, ¶ms); +- +- if (adjust.v_total_max != 0 && adjust.v_total_min != 0) +- pipe_ctx[i]->stream_res.tg->funcs->set_static_screen_control( +- pipe_ctx[i]->stream_res.tg, +- event_triggers, num_frames); ++ /* dc_state_destruct() might null the stream resources, so fetch tg ++ * here first to avoid a race condition. The lifetime of the pointee ++ * itself (the timing_generator object) is not a problem here. 
++ */ ++ struct timing_generator *tg = pipe_ctx[i]->stream_res.tg; ++ ++ if ((tg != NULL) && tg->funcs) { ++ if (tg->funcs->set_drr) ++ tg->funcs->set_drr(tg, ¶ms); ++ if (adjust.v_total_max != 0 && adjust.v_total_min != 0) ++ if (tg->funcs->set_static_screen_control) ++ tg->funcs->set_static_screen_control( ++ tg, event_triggers, num_frames); ++ } + } + } + +-- +2.43.0 + diff --git a/queue-6.11/drm-amdgpu-fix-get-each-xcp-macro.patch b/queue-6.11/drm-amdgpu-fix-get-each-xcp-macro.patch new file mode 100644 index 00000000000..d038feec546 --- /dev/null +++ b/queue-6.11/drm-amdgpu-fix-get-each-xcp-macro.patch @@ -0,0 +1,35 @@ +From e69a7215618be77dc5555f3ce07248c6abfba4c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 19:45:11 +0800 +Subject: drm/amdgpu: Fix get each xcp macro + +From: Asad Kamal + +[ Upstream commit ef126c06a98bde1a41303970eb0fc0ac33c3cc02 ] + +Fix get each xcp macro to loop over each partition correctly + +Fixes: 4bdca2057933 ("drm/amdgpu: Add utility functions for xcp") +Signed-off-by: Asad Kamal +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h +index 90138bc5f03d1..32775260556f4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h +@@ -180,6 +180,6 @@ amdgpu_get_next_xcp(struct amdgpu_xcp_mgr *xcp_mgr, int *from) + + #define for_each_xcp(xcp_mgr, xcp, i) \ + for (i = 0, xcp = amdgpu_get_next_xcp(xcp_mgr, &i); xcp; \ +- xcp = amdgpu_get_next_xcp(xcp_mgr, &i)) ++ ++i, xcp = amdgpu_get_next_xcp(xcp_mgr, &i)) + + #endif +-- +2.43.0 + diff --git a/queue-6.11/drm-i915-display-bmg-supports-uhbr13.5.patch b/queue-6.11/drm-i915-display-bmg-supports-uhbr13.5.patch new file mode 100644 index 00000000000..01b51604935 --- /dev/null 
+++ b/queue-6.11/drm-i915-display-bmg-supports-uhbr13.5.patch 
@@ -0,0 +1,61 @@ +From 80deb0dc7d18cbe24348948e4e910894e5ebbd09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 13:42:05 +0530 +Subject: drm/i915/display: BMG supports UHBR13.5 + +From: Arun R Murthy + +[ Upstream commit fcd33d434d31a210bc9f209b5bfd92f3b91a2dda ] + +UHBR20 is not supported by battlemage and the maximum link rate +supported is UHBR13.5 + +v2: Replace IS_DGFX with IS_BATTLEMAGE (Jani) + +HSD: 16023263677 +Signed-off-by: Arun R Murthy +Reviewed-by: Mika Kahola +Fixes: 98b1c87a5e51 ("drm/i915/xe2hpd: Set maximum DP rate to UHBR13.5") +Signed-off-by: Suraj Kandpal +Link: https://patchwork.freedesktop.org/patch/msgid/20240827081205.136569-1-arun.r.murthy@intel.com +(cherry picked from commit 9c2338ac4543e0fab3a1e0f9f025591e0f0d9f8f) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_dp.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index ebe7fe5417ae4..2a7deac73b2eb 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -535,6 +535,10 @@ static void + intel_dp_set_source_rates(struct intel_dp *intel_dp) + { + /* The values must be in increasing order */ ++ static const int bmg_rates[] = { ++ 162000, 216000, 243000, 270000, 324000, 432000, 540000, 675000, ++ 810000, 1000000, 1350000, ++ }; + static const int mtl_rates[] = { + 162000, 216000, 243000, 270000, 324000, 432000, 540000, 675000, + 810000, 1000000, 2000000, +@@ -565,8 +569,13 @@ intel_dp_set_source_rates(struct intel_dp *intel_dp) + intel_dp->source_rates || intel_dp->num_source_rates); + + if (DISPLAY_VER(dev_priv) >= 14) { +- source_rates = mtl_rates; +- size = ARRAY_SIZE(mtl_rates); ++ if (IS_BATTLEMAGE(dev_priv)) { ++ source_rates = bmg_rates; ++ size = ARRAY_SIZE(bmg_rates); ++ } else { ++ source_rates = mtl_rates; ++ size = ARRAY_SIZE(mtl_rates); ++ 
} + max_rate = mtl_max_source_rate(intel_dp); + } else if (DISPLAY_VER(dev_priv) >= 11) { + source_rates = icl_rates; +-- +2.43.0 + diff --git a/queue-6.11/drm-i915-dp-fix-aux-io-power-enabling-for-edp-psr.patch b/queue-6.11/drm-i915-dp-fix-aux-io-power-enabling-for-edp-psr.patch new file mode 100644 index 00000000000..1fb6a4be217 --- /dev/null +++ b/queue-6.11/drm-i915-dp-fix-aux-io-power-enabling-for-edp-psr.patch 
@@ -0,0 +1,101 @@ +From e29110bb17105963f6ca4421742edf1d3099d478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 14:18:47 +0300 +Subject: drm/i915/dp: Fix AUX IO power enabling for eDP PSR + +From: Imre Deak + +[ Upstream commit ec2231b8dd2dc515912ff7816c420153b4a95e92 ] + +Panel Self Refresh on eDP requires the AUX IO power to be enabled +whenever the output (main link) is enabled. This is required by the +AUX_PHY_WAKE/ML_PHY_LOCK signaling initiated by the HW automatically to +re-enable the main link after it got disabled in power saving states +(see eDP v1.4b, sections 5.1, 6.1.3.3.1.1). + +The Panel Replay mode on non-eDP outputs on the other hand is only +supported by keeping the main link active, thus not requiring the above +AUX_PHY_WAKE/ML_PHY_LOCK signaling (eDP v1.4b, section 6.1.3.3.1.2). +Thus enabling the AUX IO power for this case is not required either. + +Based on the above enable the AUX IO power only for eDP/PSR outputs. + +Bspec: 49274, 53370 + +v2: +- Add a TODO comment to adjust the requirement for AUX IO based on + whether the ALPM/main-link off mode gets enabled. 
(Rodrigo) + +Cc: Animesh Manna +Fixes: b8cf5b5d266e ("drm/i915/panelreplay: Initializaton and compute config for panel replay") +Reviewed-by: Rodrigo Vivi +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20240910111847.2995725-1-imre.deak@intel.com +(cherry picked from commit f7c2ed9d4ce80a2570c492825de239dc8b500f2e) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_ddi.c | 2 +- + drivers/gpu/drm/i915/display/intel_psr.c | 19 +++++++++++++++++++ + drivers/gpu/drm/i915/display/intel_psr.h | 2 ++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_ddi.c b/drivers/gpu/drm/i915/display/intel_ddi.c +index a07aca96e5517..5b6aabce4c32f 100644 +--- a/drivers/gpu/drm/i915/display/intel_ddi.c ++++ b/drivers/gpu/drm/i915/display/intel_ddi.c +@@ -916,7 +916,7 @@ intel_ddi_main_link_aux_domain(struct intel_digital_port *dig_port, + * instead of a specific AUX_IO_ reference without powering up any + * extra wells. + */ +- if (intel_encoder_can_psr(&dig_port->base)) ++ if (intel_psr_needs_aux_io_power(&dig_port->base, crtc_state)) + return intel_display_power_aux_io_domain(i915, dig_port->aux_ch); + else if (DISPLAY_VER(i915) < 14 && + (intel_crtc_has_dp_encoder(crtc_state) || +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index d404ad93e91c7..da242ba19ed95 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -203,6 +203,25 @@ bool intel_encoder_can_psr(struct intel_encoder *encoder) + return false; + } + ++bool intel_psr_needs_aux_io_power(struct intel_encoder *encoder, ++ const struct intel_crtc_state *crtc_state) ++{ ++ /* ++ * For PSR/PR modes only eDP requires the AUX IO power to be enabled whenever ++ * the output is enabled. 
For non-eDP outputs the main link is always ++ * on, hence it doesn't require the HW initiated AUX wake-up signaling used ++ * for eDP. ++ * ++ * TODO: ++ * - Consider leaving AUX IO disabled for eDP / PR as well, in case ++ * the ALPM with main-link off mode is not enabled. ++ * - Leave AUX IO enabled for DP / PR, once support for ALPM with ++ * main-link off mode is added for it and this mode gets enabled. ++ */ ++ return intel_crtc_has_type(crtc_state, INTEL_OUTPUT_EDP) && ++ intel_encoder_can_psr(encoder); ++} ++ + static bool psr_global_enabled(struct intel_dp *intel_dp) + { + struct intel_connector *connector = intel_dp->attached_connector; +diff --git a/drivers/gpu/drm/i915/display/intel_psr.h b/drivers/gpu/drm/i915/display/intel_psr.h +index d483c85870e1d..e719f548e1606 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.h ++++ b/drivers/gpu/drm/i915/display/intel_psr.h +@@ -25,6 +25,8 @@ struct intel_plane_state; + (intel_dp)->psr.source_panel_replay_support) + + bool intel_encoder_can_psr(struct intel_encoder *encoder); ++bool intel_psr_needs_aux_io_power(struct intel_encoder *encoder, ++ const struct intel_crtc_state *crtc_state); + void intel_psr_init_dpcd(struct intel_dp *intel_dp); + void intel_psr_enable_sink(struct intel_dp *intel_dp, + const struct intel_crtc_state *crtc_state); +-- +2.43.0 + diff --git a/queue-6.11/drm-i915-dp-fix-colorimetry-detection.patch b/queue-6.11/drm-i915-dp-fix-colorimetry-detection.patch new file mode 100644 index 00000000000..b98c42d1707 --- /dev/null +++ b/queue-6.11/drm-i915-dp-fix-colorimetry-detection.patch 
@@ -0,0 +1,65 @@ +From fc4bae5b34fb5718561557e2da7d272827c73563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 22:04:39 +0300 +Subject: drm/i915/dp: Fix colorimetry detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit e860513f56d8428fcb2bd0282ac8ab691a53fc6c ] + +intel_dp_init_connector() is no place for detecting stuff via +DPCD (except perhaps for eDP). Move the colorimetry stuff into +a more appropriate place. + +Cc: Jouni Högander +Fixes: 00076671a648 ("drm/i915/display: Move colorimetry_support from intel_psr to intel_dp") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240918190441.29071-1-ville.syrjala@linux.intel.com +Reviewed-by: Jouni Högander +(cherry picked from commit 35dba4834bded843d5416e8caadfe82bd0ce1904) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_dp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index 2a7deac73b2eb..ffc0d1b140455 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -3964,6 +3964,9 @@ intel_edp_init_dpcd(struct intel_dp *intel_dp, struct intel_connector *connector + drm_dp_is_branch(intel_dp->dpcd)); + intel_init_dpcd_quirks(intel_dp, &intel_dp->desc.ident); + ++ intel_dp->colorimetry_support = ++ intel_dp_get_colorimetry_status(intel_dp); ++ + /* + * Read the eDP display control registers. 
+ * +@@ -4077,6 +4080,9 @@ intel_dp_get_dpcd(struct intel_dp *intel_dp) + + intel_init_dpcd_quirks(intel_dp, &intel_dp->desc.ident); + ++ intel_dp->colorimetry_support = ++ intel_dp_get_colorimetry_status(intel_dp); ++ + intel_dp_update_sink_caps(intel_dp); + } + +@@ -6861,9 +6867,6 @@ intel_dp_init_connector(struct intel_digital_port *dig_port, + "HDCP init failed, skipping.\n"); + } + +- intel_dp->colorimetry_support = +- intel_dp_get_colorimetry_status(intel_dp); +- + intel_dp->frl.is_trained = false; + intel_dp->frl.trained_rate_gbps = 0; + +-- +2.43.0 + diff --git a/queue-6.11/drm-i915-psr-do-not-wait-for-psr-being-idle-on-on-pa.patch b/queue-6.11/drm-i915-psr-do-not-wait-for-psr-being-idle-on-on-pa.patch new file mode 100644 index 00000000000..ef491be065f --- /dev/null +++ b/queue-6.11/drm-i915-psr-do-not-wait-for-psr-being-idle-on-on-pa.patch 
@@ -0,0 +1,70 @@ +From fc9fac7f40cb6c5ee5a238f1c36504407799c023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 10:00:33 +0300 +Subject: drm/i915/psr: Do not wait for PSR being idle on on Panel Replay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +[ Upstream commit 9498f2e24ee0133d486667c9fa4c27ecdaadc272 ] + +We do not have ALPM on DP Panel Replay. Due to this SRD_STATUS[SRD State] +doesn't change from SRDENT_ON after Panel Replay is enabled until it gets +disabled. + +On eDP Panel Replay DEEP_SLEEP is not reached. +_psr2_ready_for_pipe_update_locked is waiting DEEP_SLEEP bit getting reset. + +Take these into account in Panel Replay code by not waiting PSR getting +idle after enabling VBI. + +Fixes: 29fb595d4875 ("drm/i915/psr: Panel replay uses SRD_STATUS to track it's status") +Cc: Animesh Manna +Signed-off-by: Jouni Högander +Reviewed-by: Animesh Manna +Link: https://patchwork.freedesktop.org/patch/msgid/20240906070033.289015-5-jouni.hogander@intel.com +(cherry picked from commit a2d98feb4b0013ef4f9db0d8f642a8ac1f5ecbb9) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 9cb1cdaaeefa7..d404ad93e91c7 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -2746,13 +2746,6 @@ static int _psr1_ready_for_pipe_update_locked(struct intel_dp *intel_dp) + EDP_PSR_STATUS_STATE_MASK, 50); + } + +-static int _panel_replay_ready_for_pipe_update_locked(struct intel_dp *intel_dp) +-{ +- return intel_dp_is_edp(intel_dp) ? 
+- _psr2_ready_for_pipe_update_locked(intel_dp) : +- _psr1_ready_for_pipe_update_locked(intel_dp); +-} +- + /** + * intel_psr_wait_for_idle_locked - wait for PSR be ready for a pipe update + * @new_crtc_state: new CRTC state +@@ -2775,12 +2768,10 @@ void intel_psr_wait_for_idle_locked(const struct intel_crtc_state *new_crtc_stat + + lockdep_assert_held(&intel_dp->psr.lock); + +- if (!intel_dp->psr.enabled) ++ if (!intel_dp->psr.enabled || intel_dp->psr.panel_replay_enabled) + continue; + +- if (intel_dp->psr.panel_replay_enabled) +- ret = _panel_replay_ready_for_pipe_update_locked(intel_dp); +- else if (intel_dp->psr.sel_update_enabled) ++ if (intel_dp->psr.sel_update_enabled) + ret = _psr2_ready_for_pipe_update_locked(intel_dp); + else + ret = _psr1_ready_for_pipe_update_locked(intel_dp); +-- +2.43.0 + diff --git a/queue-6.11/dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch b/queue-6.11/dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch new file mode 100644 index 00000000000..8c3a111faf7 --- /dev/null +++ b/queue-6.11/dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch 
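Review bot: in intel_psr_wait_for_idle_locked(), the new "|| intel_dp->psr.panel_replay_enabled" skip carries no comment, and the kerneldoc above it still reads as if every enabled PSR mode is waited on. The reasons exist only in the commit message (on DP Panel Replay the SRD state stays at SRDENT_ON, on eDP Panel Replay DEEP_SLEEP is not reached). Suggest a short comment at the continue and a matching sentence in the kerneldoc, so the skip is not mistaken for an omission later.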
@@ -0,0 +1,59 @@ +From c95617ebdb4ef7661743537c48933ae7199cd979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 00:43:35 +0530 +Subject: dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems + +From: Ravikanth Tuniki + +[ Upstream commit c6929644c1e0d6108e57061d427eb966e1746351 ] + +Add missing reg minItems as based on current binding document +only ethernet MAC IO space is a supported configuration. + +There is a bug in schema, current examples contain 64-bit +addressing as well as 32-bit addressing. The schema validation +does pass incidentally considering one 64-bit reg address as +two 32-bit reg address entries. If we change axi_ethernet_eth1 +example node reg addressing to 32-bit schema validation reports: + +Documentation/devicetree/bindings/net/xlnx,axi-ethernet.example.dtb: +ethernet@40000000: reg: [[1073741824, 262144]] is too short + +To fix it add missing reg minItems constraints and to make things clearer +stick to 32-bit addressing in examples. + +Fixes: cbb1ca6d5f9a ("dt-bindings: net: xlnx,axi-ethernet: convert bindings document to yaml") +Signed-off-by: Ravikanth Tuniki +Signed-off-by: Radhey Shyam Pandey +Acked-by: Conor Dooley +Link: https://patch.msgid.link/1727723615-2109795-1-git-send-email-radhey.shyam.pandey@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml +index bbe89ea9590ce..e95c216282818 100644 +--- a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml ++++ b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml +@@ -34,6 +34,7 @@ properties: + and length of the AXI DMA controller IO space, unless + axistream-connected is specified, in which case the reg + attribute of the node referenced by it is used. 
++ minItems: 1 + maxItems: 2 + + interrupts: +@@ -181,7 +182,7 @@ examples: + clock-names = "s_axi_lite_clk", "axis_clk", "ref_clk", "mgt_clk"; + clocks = <&axi_clk>, <&axi_clk>, <&pl_enet_ref_clk>, <&mgt_clk>; + phy-mode = "mii"; +- reg = <0x00 0x40000000 0x00 0x40000>; ++ reg = <0x40000000 0x40000>; + xlnx,rxcsum = <0x2>; + xlnx,rxmem = <0x800>; + xlnx,txcsum = <0x2>; +-- +2.43.0 + diff --git a/queue-6.11/ieee802154-fix-build-error.patch b/queue-6.11/ieee802154-fix-build-error.patch new file mode 100644 index 00000000000..5946f257f58 --- /dev/null +++ b/queue-6.11/ieee802154-fix-build-error.patch @@ -0,0 +1,40 @@ +From bc0a002a49f2974dfb1f36aade8d67893dd18fc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 21:17:40 +0800 +Subject: ieee802154: Fix build error + +From: Jinjie Ruan + +[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ] + +If REGMAP_SPI is m and IEEE802154_MCR20A is y, + + mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi' + ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi' + +Select REGMAP_SPI for IEEE802154_MCR20A to fix it. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig +index 95da876c56138..1075e24b11def 100644 +--- a/drivers/net/ieee802154/Kconfig ++++ b/drivers/net/ieee802154/Kconfig +@@ -101,6 +101,7 @@ config IEEE802154_CA8210_DEBUGFS + + config IEEE802154_MCR20A + tristate "MCR20A transceiver driver" ++ select REGMAP_SPI + depends on IEEE802154_DRIVERS && MAC802154 + depends on SPI + help +-- +2.43.0 + 
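Review bot: in the IEEE802154_MCR20A entry of drivers/net/ieee802154/Kconfig, "select REGMAP_SPI" is inserted ahead of the two "depends on" lines. Kconfig entries usually list dependencies first and selects after them, so moving the select below "depends on SPI" would match the surrounding style.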
diff --git a/queue-6.11/iomap-constrain-the-file-range-passed-to-iomap_file_.patch b/queue-6.11/iomap-constrain-the-file-range-passed-to-iomap_file_.patch new file mode 100644 index 00000000000..344058d834a --- /dev/null +++ b/queue-6.11/iomap-constrain-the-file-range-passed-to-iomap_file_.patch 
@@ -0,0 +1,70 @@ +From 3199b70a86527d7b575adbe56a4dd95ad8802c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 08:02:13 -0700 +Subject: iomap: constrain the file range passed to iomap_file_unshare + +From: Darrick J. Wong + +[ Upstream commit a311a08a4237241fb5b9d219d3e33346de6e83e0 ] + +File contents can only be shared (i.e. reflinked) below EOF, so it makes +no sense to try to unshare ranges beyond EOF. Constrain the file range +parameters here so that we don't have to do that in the callers. + +Fixes: 5f4e5752a8a3 ("fs: add iomap_file_dirty") +Signed-off-by: Darrick J. Wong +Link: https://lore.kernel.org/r/20241002150213.GC21853@frogsfrogsfrogs +Reviewed-by: Christoph Hellwig +Reviewed-by: Brian Foster +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/dax.c | 6 +++++- + fs/iomap/buffered-io.c | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/dax.c b/fs/dax.c +index becb4a6920c6a..c62acd2812f8d 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1305,11 +1305,15 @@ int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len, + struct iomap_iter iter = { + .inode = inode, + .pos = pos, +- .len = len, + .flags = IOMAP_WRITE | IOMAP_UNSHARE | IOMAP_DAX, + }; ++ loff_t size = i_size_read(inode); + int ret; + ++ if (pos < 0 || pos >= size) ++ return 0; ++ ++ iter.len = min(len, size - pos); + while ((ret = iomap_iter(&iter, ops)) > 0) + iter.processed = dax_unshare_iter(&iter); + return ret; +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index f420c53d86acc..389de94715b53 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1382,11 +1382,15 @@ iomap_file_unshare(struct inode *inode, loff_t pos, loff_t len, + struct iomap_iter iter = { + .inode = inode, + .pos = pos, +- .len = len, + .flags = IOMAP_WRITE | IOMAP_UNSHARE, + }; ++ loff_t size = i_size_read(inode); + int ret; + ++ if (pos < 0 || pos >= size) ++ return 0; ++ ++ iter.len = min(len, size - pos); + while 
((ret = iomap_iter(&iter, ops)) > 0) + iter.processed = iomap_unshare_iter(&iter); + return ret; +-- +2.43.0 + diff --git a/queue-6.11/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch b/queue-6.11/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch new file mode 100644 index 00000000000..03611386a85 --- /dev/null +++ b/queue-6.11/ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch 
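Review bot: in both dax_file_unshare() and iomap_file_unshare(), the new early return checks pos but not len, so a zero or negative len passes through "iter.len = min(len, size - pos)" unchanged. If callers are expected to guarantee len > 0, say so in a comment; otherwise consider extending the check to "if (pos < 0 || pos >= size || len <= 0)". The two functions now carry the same added lines, which could live in one shared helper so the clamp cannot drift between the DAX and buffered paths.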
@@ -0,0 +1,89 @@ +From ca11e5eb807d2e34751a2a8c92ac1ea130e4de92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 02:51:59 +0300 +Subject: ipv4: ip_gre: Fix drops of small packets in ipgre_xmit + +From: Anton Danilov + +[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ] + +Regression Description: + +Depending on the options specified for the GRE tunnel device, small +packets may be dropped. This occurs because the pskb_network_may_pull +function fails due to the packet's insufficient length. + +For example, if only the okey option is specified for the tunnel device, +original (before encapsulation) packets smaller than 28 bytes (including +the IPv4 header) will be dropped. This happens because the required +length is calculated relative to the network header, not the skb->head. + +Here is how the required length is computed and checked: + +* The pull_len variable is set to 28 bytes, consisting of: + * IPv4 header: 20 bytes + * GRE header with Key field: 8 bytes + +* The pskb_network_may_pull function adds the network offset, shifting +the checkable space further to the beginning of the network header and +extending it to the beginning of the packet. As a result, the end of +the checkable space occurs beyond the actual end of the packet. + +Instead of ensuring that 28 bytes are present in skb->head, the function +is requesting these 28 bytes starting from the network header. For small +packets, this requested length exceeds the actual packet size, causing +the check to fail and the packets to be dropped. + +This issue affects both locally originated and forwarded packets in +DMVPN-like setups. 
+ +How to reproduce (for local originated packets): + + ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \ + local remote 0.0.0.0 + + ip link set mtu 1400 dev gre1 + ip link set up dev gre1 + ip address add 192.168.13.1/24 dev gre1 + ip neighbor add 192.168.13.2 lladdr dev gre1 + ping -s 1374 -c 10 192.168.13.2 + tcpdump -vni gre1 + tcpdump -vni 'ip proto 47' + ip -s -s -d link show dev gre1 + +Solution: + +Use the pskb_may_pull function instead the pskb_network_may_pull. + +Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()") +Signed-off-by: Anton Danilov +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index ba205473522e4..868ef18ad656c 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -661,11 +661,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + if (skb_cow_head(skb, 0)) + goto free_skb; + +- tnl_params = (const struct iphdr *)skb->data; +- +- if (!pskb_network_may_pull(skb, pull_len)) ++ if (!pskb_may_pull(skb, pull_len)) + goto free_skb; + ++ tnl_params = (const struct iphdr *)skb->data; ++ + /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ + skb_pull(skb, pull_len); + skb_reset_mac_header(skb); +-- +2.43.0 + diff --git a/queue-6.11/jump_label-fix-static_key_slow_dec-yet-again.patch b/queue-6.11/jump_label-fix-static_key_slow_dec-yet-again.patch new file mode 100644 index 00000000000..682de923dba --- /dev/null +++ b/queue-6.11/jump_label-fix-static_key_slow_dec-yet-again.patch 
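Review bot: in ipgre_xmit(), the move of "tnl_params = (const struct iphdr *)skb->data;" to after the pskb_may_pull() call is not mentioned in the commit message, which only describes swapping pskb_network_may_pull for pskb_may_pull. Because a pull can reallocate the skb head, taking the pointer after the pull is the safe order; a line in the changelog or a comment above the assignment would keep a later cleanup from moving it back.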
@@ -0,0 +1,125 @@ +From c85e5dfdf56ef270bd4c22cfeae57fd4351c8d7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 12:50:09 +0200 +Subject: jump_label: Fix static_key_slow_dec() yet again + +From: Peter Zijlstra + +[ Upstream commit 1d7f856c2ca449f04a22d876e36b464b7a9d28b6 ] + +While commit 83ab38ef0a0b ("jump_label: Fix concurrency issues in +static_key_slow_dec()") fixed one problem, it created yet another, +notably the following is now possible: + + slow_dec + if (try_dec) // dec_not_one-ish, false + // enabled == 1 + slow_inc + if (inc_not_disabled) // inc_not_zero-ish + // enabled == 2 + return + + guard((mutex)(&jump_label_mutex); + if (atomic_cmpxchg(1,0)==1) // false, we're 2 + + slow_dec + if (try-dec) // dec_not_one, true + // enabled == 1 + return + else + try_dec() // dec_not_one, false + WARN + +Use dec_and_test instead of cmpxchg(), like it was prior to +83ab38ef0a0b. Add a few WARNs for the paranoid. + +Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()") +Reported-by: "Darrick J. Wong" +Tested-by: Klara Modin +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + kernel/jump_label.c | 34 +++++++++++++++++++++++++++------- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/kernel/jump_label.c b/kernel/jump_label.c +index 6dc76b590703e..93a822d3c468c 100644 +--- a/kernel/jump_label.c ++++ b/kernel/jump_label.c +@@ -168,7 +168,7 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key) + jump_label_update(key); + /* + * Ensure that when static_key_fast_inc_not_disabled() or +- * static_key_slow_try_dec() observe the positive value, ++ * static_key_dec_not_one() observe the positive value, + * they must also observe all the text changes. 
+ */ + atomic_set_release(&key->enabled, 1); +@@ -250,7 +250,7 @@ void static_key_disable(struct static_key *key) + } + EXPORT_SYMBOL_GPL(static_key_disable); + +-static bool static_key_slow_try_dec(struct static_key *key) ++static bool static_key_dec_not_one(struct static_key *key) + { + int v; + +@@ -274,6 +274,14 @@ static bool static_key_slow_try_dec(struct static_key *key) + * enabled. This suggests an ordering problem on the user side. + */ + WARN_ON_ONCE(v < 0); ++ ++ /* ++ * Warn about underflow, and lie about success in an attempt to ++ * not make things worse. ++ */ ++ if (WARN_ON_ONCE(v == 0)) ++ return true; ++ + if (v <= 1) + return false; + } while (!likely(atomic_try_cmpxchg(&key->enabled, &v, v - 1))); +@@ -284,15 +292,27 @@ static bool static_key_slow_try_dec(struct static_key *key) + static void __static_key_slow_dec_cpuslocked(struct static_key *key) + { + lockdep_assert_cpus_held(); ++ int val; + +- if (static_key_slow_try_dec(key)) ++ if (static_key_dec_not_one(key)) + return; + + guard(mutex)(&jump_label_mutex); +- if (atomic_cmpxchg(&key->enabled, 1, 0) == 1) ++ val = atomic_read(&key->enabled); ++ /* ++ * It should be impossible to observe -1 with jump_label_mutex held, ++ * see static_key_slow_inc_cpuslocked(). ++ */ ++ if (WARN_ON_ONCE(val == -1)) ++ return; ++ /* ++ * Cannot already be 0, something went sideways. ++ */ ++ if (WARN_ON_ONCE(val == 0)) ++ return; ++ ++ if (atomic_dec_and_test(&key->enabled)) + jump_label_update(key); +- else +- WARN_ON_ONCE(!static_key_slow_try_dec(key)); + } + + static void __static_key_slow_dec(struct static_key *key) +@@ -329,7 +349,7 @@ void __static_key_slow_dec_deferred(struct static_key *key, + { + STATIC_KEY_CHECK_USE(key); + +- if (static_key_slow_try_dec(key)) ++ if (static_key_dec_not_one(key)) + return; + + schedule_delayed_work(work, timeout); +-- +2.43.0 + 
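Review bot: in __static_key_slow_dec_cpuslocked(), "int val;" is declared after the lockdep_assert_cpus_held() statement; kernel style keeps declarations at the top of the block, so it should move above the assertion. Separately, the val == -1 and val == 0 checks act on an atomic_read() snapshot while atomic_dec_and_test() then operates on the live counter; the comment covers why -1 cannot be seen under jump_label_mutex, and a similar sentence on why the snapshot remains valid for the 0 case would help.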
diff --git a/queue-6.11/ksmbd-fix-warning-comparison-of-distinct-pointer-typ.patch b/queue-6.11/ksmbd-fix-warning-comparison-of-distinct-pointer-typ.patch new file mode 100644 index 00000000000..8396b15691b --- /dev/null +++ b/queue-6.11/ksmbd-fix-warning-comparison-of-distinct-pointer-typ.patch 
@@ -0,0 +1,73 @@ +From 9ce178c2a01a06a66dd2d1a0cc9a379c64f63ea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2024 09:22:57 +0900 +Subject: ksmbd: fix warning: comparison of distinct pointer types lacks a cast +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Namjae Jeon + +[ Upstream commit 289ebd9afeb94862d96c89217068943f1937df5b ] + +smb2pdu.c: In function ‘smb2_open’: +./include/linux/minmax.h:20:28: warning: comparison of distinct +pointer types lacks a cast + 20 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) + | ^~ +./include/linux/minmax.h:26:4: note: in expansion of macro ‘__typecheck’ + 26 | (__typecheck(x, y) && __no_side_effects(x, y)) + | ^~~~~~~~~~~ +./include/linux/minmax.h:36:24: note: in expansion of macro ‘__safe_cmp’ + 36 | __builtin_choose_expr(__safe_cmp(x, y), \ + | ^~~~~~~~~~ +./include/linux/minmax.h:45:19: note: in expansion of macro ‘__careful_cmp’ + 45 | #define min(x, y) __careful_cmp(x, y, <) + | ^~~~~~~~~~~~~ +/home/linkinjeon/git/smbd_work/ksmbd/smb2pdu.c:3713:27: note: in +expansion of macro ‘min’ + 3713 | fp->durable_timeout = min(dh_info.timeout, + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 5 +++-- + fs/smb/server/vfs_cache.h | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 8bdc592514188..065adfb985fe2 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3531,8 +3531,9 @@ int smb2_open(struct ksmbd_work *work) + memcpy(fp->create_guid, dh_info.CreateGuid, + SMB2_CREATE_GUID_SIZE); + if (dh_info.timeout) +- fp->durable_timeout = min(dh_info.timeout, +- DURABLE_HANDLE_MAX_TIMEOUT); ++ fp->durable_timeout = ++ min_t(unsigned int, dh_info.timeout, ++ DURABLE_HANDLE_MAX_TIMEOUT); + else + fp->durable_timeout = 60; + } 
+diff --git a/fs/smb/server/vfs_cache.h b/fs/smb/server/vfs_cache.h +index b0f6d0f94cb8d..5bbb179736c29 100644 +--- a/fs/smb/server/vfs_cache.h ++++ b/fs/smb/server/vfs_cache.h +@@ -100,8 +100,8 @@ struct ksmbd_file { + struct list_head blocked_works; + struct list_head lock_list; + +- int durable_timeout; +- int durable_scavenger_timeout; ++ unsigned int durable_timeout; ++ unsigned int durable_scavenger_timeout; + + /* if ls is happening on directory, below is valid*/ + struct ksmbd_readdir_data readdir_data; +-- +2.43.0 + diff --git a/queue-6.11/mailbox-arm_mhu_v3-should-depend-on-arm64.patch b/queue-6.11/mailbox-arm_mhu_v3-should-depend-on-arm64.patch new file mode 100644 index 00000000000..1441b72ad09 --- /dev/null +++ b/queue-6.11/mailbox-arm_mhu_v3-should-depend-on-arm64.patch @@ -0,0 +1,37 @@ +From d6a66b9a37fff47d3ce4d2084137ea62d40f3d75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 15:58:53 +0200 +Subject: mailbox: ARM_MHU_V3 should depend on ARM64 + +From: Geert Uytterhoeven + +[ Upstream commit 0e4ed48292c55eeb0afab22f8930b556f17eaad2 ] + +The ARM MHUv3 controller is only present on ARM64 SoCs. Hence add a +dependency on ARM64, to prevent asking the user about this driver when +configuring a kernel for a different architecture than ARM64. + +Fixes: ca1a8680b134b5e6 ("mailbox: arm_mhuv3: Add driver") +Signed-off-by: Geert Uytterhoeven +Acked-by: Sudeep Holla +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mailbox/Kconfig b/drivers/mailbox/Kconfig +index 4eed972959279..cbd9206cd7de3 100644 +--- a/drivers/mailbox/Kconfig ++++ b/drivers/mailbox/Kconfig +@@ -25,6 +25,7 @@ config ARM_MHU_V2 + + config ARM_MHU_V3 + tristate "ARM MHUv3 Mailbox" ++ depends on ARM64 || COMPILE_TEST + depends on HAS_IOMEM || COMPILE_TEST + depends on OF + help +-- +2.43.0 + 
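Review bot: in the ksmbd patch's smb2_open() hunk, min_t(unsigned int, dh_info.timeout, DURABLE_HANDLE_MAX_TIMEOUT) casts both operands before comparing, so a dh_info.timeout that is wider than, or of different signedness from, unsigned int would be converted silently. The commit message contains only the compiler warning and does not state the operand types or why durable_timeout and durable_scavenger_timeout change from int to unsigned int in vfs_cache.h. Suggest naming the two types in the changelog and confirming that no user of those fields compares them against a signed or negative value.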
diff --git a/queue-6.11/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch b/queue-6.11/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch new file mode 100644 index 00000000000..db0f684dcc3 --- /dev/null +++ b/queue-6.11/mailbox-bcm2835-fix-timeout-during-suspend-mode.patch 
@@ -0,0 +1,78 @@ +From 6d982f0a36fe79cb87ce372599ee706b7a32295e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 23:40:44 +0200 +Subject: mailbox: bcm2835: Fix timeout during suspend mode + +From: Stefan Wahren + +[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ] + +During noirq suspend phase the Raspberry Pi power driver suffer of +firmware property timeouts. The reason is that the IRQ of the underlying +BCM2835 mailbox is disabled and rpi_firmware_property_list() will always +run into a timeout [1]. + +Since the VideoCore side isn't consider as a wakeup source, set the +IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled +during suspend-resume cycle. + +[1] +PM: late suspend of devices complete after 1.754 msecs +WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 + rpi_firmware_property_list+0x204/0x22c +Firmware transaction 0x00028001 timeout +Modules linked in: +CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17 +Hardware name: BCM2835 +Call trace: +unwind_backtrace from show_stack+0x18/0x1c +show_stack from dump_stack_lvl+0x34/0x44 +dump_stack_lvl from __warn+0x88/0xec +__warn from warn_slowpath_fmt+0x7c/0xb0 +warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c +rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c +rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0 +rpi_firmware_set_power from _genpd_power_off+0xe4/0x148 +_genpd_power_off from genpd_sync_power_off+0x7c/0x11c +genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0 +genpd_finish_suspend from dpm_run_callback+0x78/0xd0 +dpm_run_callback from device_suspend_noirq+0xc0/0x238 +device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168 +dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac +suspend_devices_and_enter from pm_suspend+0x254/0x2e4 +pm_suspend from state_store+0xa8/0xd4 +state_store from kernfs_fop_write_iter+0x154/0x1a0 +kernfs_fop_write_iter from vfs_write+0x12c/0x184 +vfs_write from 
ksys_write+0x78/0xc0 +ksys_write from ret_fast_syscall+0x0/0x54 +Exception stack(0xcc93dfa8 to 0xcc93dff0) +[...] +PM: noirq suspend of devices complete after 3095.584 msecs + +Link: https://github.com/raspberrypi/firmware/issues/1894 +Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm2835-mailbox.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c +index fbfd0202047c3..ea12fb8d24015 100644 +--- a/drivers/mailbox/bcm2835-mailbox.c ++++ b/drivers/mailbox/bcm2835-mailbox.c +@@ -145,7 +145,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev) + spin_lock_init(&mbox->lock); + + ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0), +- bcm2835_mbox_irq, 0, dev_name(dev), mbox); ++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev), ++ mbox); + if (ret) { + dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n", + ret); +-- +2.43.0 + diff --git a/queue-6.11/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch b/queue-6.11/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch new file mode 100644 index 00000000000..cc019225de0 --- /dev/null +++ b/queue-6.11/mailbox-rockchip-fix-a-typo-in-module-autoloading.patch 
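Review bot: in bcm2835_mbox_probe(), the new IRQF_NO_SUSPEND flag is unexplained in the code; the rationale (firmware property transactions issued during the noirq suspend phase time out when the mailbox IRQ is disabled, and the VideoCore side is not a wakeup source) lives only in the commit message. A one-line comment above devm_request_irq() would document why this handler must stay enabled across suspend.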
@@ -0,0 +1,39 @@ +From 8abebe0424cffe32772c67362928205c9e3a2735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 02:51:47 +0000 +Subject: mailbox: rockchip: fix a typo in module autoloading + +From: Liao Chen + +[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ] + +MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module +properly autoloaded based on the alias from of_device_id table. It +should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match', +just fix it. + +Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver") +Signed-off-by: Liao Chen +Reviewed-by: Heiko Stuebner +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/rockchip-mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c +index 8ffad059e8984..4d966cb2ed036 100644 +--- a/drivers/mailbox/rockchip-mailbox.c ++++ b/drivers/mailbox/rockchip-mailbox.c +@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = { + { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data}, + { }, + }; +-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match); ++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match); + + static int rockchip_mbox_probe(struct platform_device *pdev) + { +-- +2.43.0 + diff --git a/queue-6.11/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch b/queue-6.11/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch new file mode 100644 index 00000000000..6d1a9f3a1d5 --- /dev/null +++ b/queue-6.11/net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch 
@@ -0,0 +1,64 @@ +From 3dcb70447c797a072549f679a13743431f36abd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:57 +0000 +Subject: net: add more sanity checks to qdisc_pkt_len_init() + +From: Eric Dumazet + +[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ] + +One path takes care of SKB_GSO_DODGY, assuming +skb->len is bigger than hdr_len. + +virtio_net_hdr_to_skb() does not fully dissect TCP headers, +it only make sure it is at least 20 bytes. + +It is possible for an user to provide a malicious 'GSO' packet, +total length of 80 bytes. + +- 20 bytes of IPv4 header +- 60 bytes TCP header +- a small gso_size like 8 + +virtio_net_hdr_to_skb() would declare this packet as a normal +GSO packet, because it would see 40 bytes of payload, +bigger than gso_size. + +We need to make detect this case to not underflow +qdisc_skb_cb(skb)->pkt_len. + +Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 7f2355574ceca..dd87f5fb2f3a7 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3758,10 +3758,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + hdr_len += sizeof(struct udphdr); + } + +- if (shinfo->gso_type & SKB_GSO_DODGY) +- gso_segs = DIV_ROUND_UP(skb->len - hdr_len, +- shinfo->gso_size); ++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) { ++ int payload = skb->len - hdr_len; + ++ /* Malicious packet. */ ++ if (payload <= 0) ++ return; ++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size); ++ } + qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + } + } +-- +2.43.0 + 
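Review bot: in qdisc_pkt_len_init(), the early "return" on "payload <= 0" silently leaves pkt_len without the per-segment header adjustment, and the comment "/* Malicious packet. */" does not say so. Suggest spelling out the condition (header length reaches or exceeds skb->len) and the consequence (pkt_len stays at its earlier estimate). If skb->len and hdr_len are both unsigned here, the "<= 0" test depends on the conversion to int in "int payload = skb->len - hdr_len;", which is worth a word in the same comment.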
diff --git a/queue-6.11/net-add-netif_get_gro_max_size-helper-for-gro.patch b/queue-6.11/net-add-netif_get_gro_max_size-helper-for-gro.patch new file mode 100644 index 00000000000..0d8d9336e22 --- /dev/null +++ b/queue-6.11/net-add-netif_get_gro_max_size-helper-for-gro.patch 
@@ -0,0 +1,78 @@ +From eed475ef49d58fd66ff5e889282bc3427cee69a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:22:41 +0200 +Subject: net: Add netif_get_gro_max_size helper for GRO + +From: Daniel Borkmann + +[ Upstream commit e8d4d34df715133c319fabcf63fdec684be75ff8 ] + +Add a small netif_get_gro_max_size() helper which returns the maximum IPv4 +or IPv6 GRO size of the netdevice. + +We later add a netif_get_gso_max_size() equivalent as well for GSO, so that +these helpers can be used consistently instead of open-coded checks. + +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Cc: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240923212242.15669-1-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Stable-dep-of: e609c959a939 ("net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size") +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 9 +++++++++ + net/core/gro.c | 9 ++------- + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 607009150b5fa..23d90c7e915f0 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -5026,6 +5026,15 @@ void netif_set_tso_max_segs(struct net_device *dev, unsigned int segs); + void netif_inherit_tso_max(struct net_device *to, + const struct net_device *from); + ++static inline unsigned int ++netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb) ++{ ++ /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */ ++ return skb->protocol == htons(ETH_P_IPV6) ? 
++ READ_ONCE(dev->gro_max_size) : ++ READ_ONCE(dev->gro_ipv4_max_size); ++} ++ + static inline bool netif_is_macsec(const struct net_device *dev) + { + return dev->priv_flags & IFF_MACSEC; +diff --git a/net/core/gro.c b/net/core/gro.c +index b3b43de1a6502..87708483a5f46 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -98,7 +98,6 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) + unsigned int headlen = skb_headlen(skb); + unsigned int len = skb_gro_len(skb); + unsigned int delta_truesize; +- unsigned int gro_max_size; + unsigned int new_truesize; + struct sk_buff *lp; + int segs; +@@ -112,12 +111,8 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) + if (p->pp_recycle != skb->pp_recycle) + return -ETOOMANYREFS; + +- /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */ +- gro_max_size = p->protocol == htons(ETH_P_IPV6) ? +- READ_ONCE(p->dev->gro_max_size) : +- READ_ONCE(p->dev->gro_ipv4_max_size); +- +- if (unlikely(p->len + len >= gro_max_size || NAPI_GRO_CB(skb)->flush)) ++ if (unlikely(p->len + len >= netif_get_gro_max_size(p->dev, p) || ++ NAPI_GRO_CB(skb)->flush)) + return -E2BIG; + + if (unlikely(p->len + len >= GRO_LEGACY_MAX_SIZE)) { +-- +2.43.0 + diff --git a/queue-6.11/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch b/queue-6.11/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch new file mode 100644 index 00000000000..2962c2de4a4 --- /dev/null +++ b/queue-6.11/net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch 
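Review bot: netif_get_gro_max_size() in include/linux/netdevice.h takes both a dev and an skb but only reads skb->protocol, and nothing documents which skb is expected. The one caller in skb_gro_receive() passes "p->dev, p", matching the old open-coded p->protocol check, so the held packet rather than the incoming skb is intended. A short kerneldoc comment on the helper stating that would prevent a later caller from passing the wrong buffer.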
@@ -0,0 +1,141 @@ +From 9cd0596b7e57f0b2de9ed0ccf79ce3813e0c2d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:02:56 +0000 +Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO + +From: Eric Dumazet + +[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ] + +After commit 7c6d2ecbda83 ("net: be more gentle about silly gso +requests coming from user") virtio_net_hdr_to_skb() had sanity check +to detect malicious attempts from user space to cook a bad GSO packet. + +Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count +transport header in UFO") while fixing one issue, allowed user space +to cook a GSO packet with the following characteristic : + +IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. + +When this packet arrives in qdisc_pkt_len_init(), we end up +with hdr_len = 28 (IPv4 header + UDP header), matching skb->len + +Then the following sets gso_segs to 0 : + +gso_segs = DIV_ROUND_UP(skb->len - hdr_len, + shinfo->gso_size); + +Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ + +qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; + +This leads to the following crash in fq_codel [1] + +qdisc_pkt_len_init() is best effort, we only want an estimation +of the bytes sent on the wire, not crashing the kernel. + +This patch is fixing this particular issue, a following one +adds more sanity checks for another potential bug. 
+ +[1] +[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 70.724561] #PF: supervisor read access in kernel mode +[ 70.724561] #PF: error_code(0x0000) - not-present page +[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 +[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI +[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 +[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 +All code +======== + 0: 24 08 and $0x8,%al + 2: 49 c1 e1 06 shl $0x6,%r9 + 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) + b: 45 31 ed xor %r13d,%r13d + e: 45 31 c0 xor %r8d,%r8d + 11: 31 ff xor %edi,%edi + 13: 89 44 24 14 mov %eax,0x14(%rsp) + 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 + 1e: eb 04 jmp 0x24 + 20: 39 ca cmp %ecx,%edx + 22: 73 37 jae 0x5b + 24: 4d 8b 39 mov (%r9),%r15 + 27: 83 c7 01 add $0x1,%edi + 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction + 2d: 49 89 11 mov %rdx,(%r9) + 30: 41 8b 57 28 mov 0x28(%r15),%edx + 34: 45 8b 5f 34 mov 0x34(%r15),%r11d + 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 3f: 49 rex.WB + +Code starting with the faulting instruction +=========================================== + 0: 49 8b 17 mov (%r15),%rdx + 3: 49 89 11 mov %rdx,(%r9) + 6: 41 8b 57 28 mov 0x28(%r15),%edx + a: 45 8b 5f 34 mov 0x34(%r15),%r11d + e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) + 15: 49 rex.WB +[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 +[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 +[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 +[ 
70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 +[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 +[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 +[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 +[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0 +[ 70.724561] Call Trace: +[ 70.724561] +[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) +[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715) +[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) +[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) +[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel +[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784) +[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2)) +[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237) +[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2)) +[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4)) +[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1)) +[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) +[ 70.724561] ? 
_raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) +[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1)) +[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) +[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) +[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) +[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +[ 70.724561] RIP: 0033:0x41ae09 + +Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jonathan Davies +Reviewed-by: Willem de Bruijn +Reviewed-by: Jonathan Davies +Reviewed-by: David Ahern +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 03fb8ae459c0e..7f2355574ceca 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3750,7 +3750,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb) + sizeof(_tcphdr), &_tcphdr); + if (likely(th)) + hdr_len += __tcp_hdrlen(th); +- } else { ++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) { + struct udphdr _udphdr; + + if (skb_header_pointer(skb, hdr_len, +-- +2.43.0 + 
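Review bot: In the net/core/dev.c hunk for qdisc_pkt_len_init(), narrowing the branch to `else if (shinfo->gso_type & SKB_GSO_UDP_L4)` keeps the UDP header out of hdr_len for SKB_GSO_UDP, but the arithmetic quoted in the changelog, `gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size)` followed by `pkt_len += (gso_segs - 1) * hdr_len`, is not itself guarded against gso_segs == 0 by this change. The changelog defers the extra sanity checks to a following patch, so when backporting make sure that follow-up is queued together with this one. A short comment at the new condition saying why SKB_GSO_UDP is deliberately excluded would also help, since the reason currently lives only in the commit message.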
diff --git a/queue-6.11/net-dsa-improve-shutdown-sequence.patch b/queue-6.11/net-dsa-improve-shutdown-sequence.patch new file mode 100644 index 00000000000..0f07df55f5e --- /dev/null +++ b/queue-6.11/net-dsa-improve-shutdown-sequence.patch 
@@ -0,0 +1,121 @@ +From 002efbeb696165c893b73bd436541343dcf99528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 23:35:49 +0300 +Subject: net: dsa: improve shutdown sequence + +From: Vladimir Oltean + +[ Upstream commit 6c24a03a61a245fe34d47582898331fa034b6ccd ] + +Alexander Sverdlin presents 2 problems during shutdown with the +lan9303 driver. One is specific to lan9303 and the other just happens +to reproduce there. + +The first problem is that lan9303 is unique among DSA drivers in that it +calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, +not remove): + +phy_state_machine() +-> ... + -> dsa_user_phy_read() + -> ds->ops->phy_read() + -> lan9303_phy_read() + -> chip->ops->phy_read() + -> lan9303_mdio_phy_read() + -> dev_get_drvdata() + +But we never stop the phy_state_machine(), so it may continue to run +after dsa_switch_shutdown(). Our common pattern in all DSA drivers is +to set drvdata to NULL to suppress the remove() method that may come +afterwards. But in this case it will result in an NPD. + +The second problem is that the way in which we set +dp->conduit->dsa_ptr = NULL; is concurrent with receive packet +processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL, +but afterwards, rather than continuing to use that non-NULL value, +dev->dsa_ptr is dereferenced again and again without NULL checks: +dsa_conduit_find_user() and many other places. In between dereferences, +there is no locking to ensure that what was valid once continues to be +valid. + +Both problems have the common aspect that closing the conduit interface +solves them. + +In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN +event in dsa_user_netdevice_event() which closes user ports as well. +dsa_port_disable_rt() calls phylink_stop(), which synchronously stops +the phylink state machine, and ds->ops->phy_read() will thus no longer +call into the driver after this point. 
+ +In the second case, dev_close(conduit) should do this, as per +Documentation/networking/driver.rst: + +| Quiescence +| ---------- +| +| After the ndo_stop routine has been called, the hardware must +| not receive or transmit any data. All in flight packets must +| be aborted. If necessary, poll or wait for completion of +| any reset commands. + +So it should be sufficient to ensure that later, when we zeroize +conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call +on this conduit. + +The addition of the netif_device_detach() function is to ensure that +ioctls, rtnetlinks and ethtool requests on the user ports no longer +propagate down to the driver - we're no longer prepared to handle them. + +The race condition actually did not exist when commit 0650bf52b31f +("net: dsa: be compatible with masters which unregister on shutdown") +first introduced dsa_switch_shutdown(). It was created later, when we +stopped unregistering the user interfaces from a bad spot, and we just +replaced that sequence with a racy zeroization of conduit->dsa_ptr +(one which doesn't ensure that the interfaces aren't up). 
+ +Reported-by: Alexander Sverdlin +Closes: https://lore.kernel.org/netdev/2d2e3bba17203c14a5ffdabc174e3b6bbb9ad438.camel@siemens.com/ +Closes: https://lore.kernel.org/netdev/c1bf4de54e829111e0e4a70e7bd1cf523c9550ff.camel@siemens.com/ +Fixes: ee534378f005 ("net: dsa: fix panic when DSA master device unbinds on shutdown") +Reviewed-by: Alexander Sverdlin +Tested-by: Alexander Sverdlin +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20240913203549.3081071-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index 668c729946ea6..1664547deffd0 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -1577,6 +1577,7 @@ EXPORT_SYMBOL_GPL(dsa_unregister_switch); + void dsa_switch_shutdown(struct dsa_switch *ds) + { + struct net_device *conduit, *user_dev; ++ LIST_HEAD(close_list); + struct dsa_port *dp; + + mutex_lock(&dsa2_mutex); +@@ -1586,10 +1587,16 @@ void dsa_switch_shutdown(struct dsa_switch *ds) + + rtnl_lock(); + ++ dsa_switch_for_each_cpu_port(dp, ds) ++ list_add(&dp->conduit->close_list, &close_list); ++ ++ dev_close_many(&close_list, true); ++ + dsa_switch_for_each_user_port(dp, ds) { + conduit = dsa_port_to_conduit(dp); + user_dev = dp->user; + ++ netif_device_detach(user_dev); + netdev_upper_dev_unlink(conduit, user_dev); + } + +-- +2.43.0 + diff --git a/queue-6.11/net-ethernet-lantiq_etop-fix-memory-disclosure.patch b/queue-6.11/net-ethernet-lantiq_etop-fix-memory-disclosure.patch new file mode 100644 index 00000000000..a5aa3ea95f7 --- /dev/null +++ b/queue-6.11/net-ethernet-lantiq_etop-fix-memory-disclosure.patch 
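Review bot: In dsa_switch_shutdown() (net/dsa/dsa.c), the new ordering is what closes both races described in the changelog, yet the hunk adds `dev_close_many(&close_list, true);` and `netif_device_detach(user_dev);` with no comment. A two or three line comment above the dev_close_many() call, saying that closing the conduit stops the phylink state machine and quiesces dsa_switch_rcv() before conduit->dsa_ptr is zeroized, would keep a later cleanup from reordering or dropping it. The comment should also state that each CPU port is expected to have a distinct conduit, because `list_add(&dp->conduit->close_list, &close_list)` on the same net_device twice would corrupt the list.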
@@ -0,0 +1,52 @@ +From 34d8b3fe94bca59eeef4e407be033322a3596649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:49:49 +0200 +Subject: net: ethernet: lantiq_etop: fix memory disclosure + +From: Aleksander Jan Bajkowski + +[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ] + +When applying padding, the buffer is not zeroed, which results in memory +disclosure. The mentioned data is observed on the wire. This patch uses +skb_put_padto() to pad Ethernet frames properly. The mentioned function +zeroes the expanded buffer. + +In case the packet cannot be padded it is silently dropped. Statistics +are also not incremented. This driver does not support statistics in the +old 32-bit format or the new 64-bit format. These will be added in the +future. In its current form, the patch should be easily backported to +stable versions. + +Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets +in hardware, so software padding must be applied. + +Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver") +Signed-off-by: Aleksander Jan Bajkowski +Reviewed-by: Jacob Keller +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index 9e69848153864..804914e7d9a83 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -482,7 +482,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + unsigned long flags; + u32 byte_offset; + +- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; ++ if (skb_put_padto(skb, ETH_ZLEN)) ++ return NETDEV_TX_OK; ++ len = skb->len; + + if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) { + netdev_err(dev, "tx ring full\n"); +-- +2.43.0 + 
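Review bot: In ltq_etop_tx(), the early `return NETDEV_TX_OK` after a failed skb_put_padto() drops the frame with no trace: no counter, no log line, and no comment that skb_put_padto() has already freed the skb on failure, which is the only reason returning here is not a leak. Add a one-line comment to that effect. If the driver gains statistics as the changelog says it will, this is the place to count the dropped frame.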
diff --git a/queue-6.11/net-fec-reload-ptp-registers-after-link-state-change.patch b/queue-6.11/net-fec-reload-ptp-registers-after-link-state-change.patch new file mode 100644 index 00000000000..6a051740a8e --- /dev/null +++ b/queue-6.11/net-fec-reload-ptp-registers-after-link-state-change.patch 
@@ -0,0 +1,95 @@ +From 98296d55ebed0153c4080cd9a52b220439b35b4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 11:37:06 +0200 +Subject: net: fec: Reload PTP registers after link-state change +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Csókás, Bence + +[ Upstream commit d9335d0232d2da605585eea1518ac6733518f938 ] + +On link-state change, the controller gets reset, +which clears all PTP registers, including PHC time, +calibrated clock correction values etc. For correct +IEEE 1588 operation we need to restore these after +the reset. + +Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock") +Signed-off-by: Csókás, Bence +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20240924093705.2897329-2-csokas.bence@prolan.hu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec.h | 3 +++ + drivers/net/ethernet/freescale/fec_ptp.c | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h +index 0552317a2554b..1cca0425d4939 100644 +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -693,6 +693,9 @@ struct fec_enet_private { + + struct { + int pps_enable; ++ u64 ns_sys, ns_phc; ++ u32 at_corr; ++ u8 at_inc_corr; + } ptp_saved_state; + + u64 ethtool_stats[]; +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 8027b532de078..5e8fac50f945d 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -773,24 +773,44 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx) + void fec_ptp_save_state(struct fec_enet_private *fep) + { + unsigned long flags; ++ u32 atime_inc_corr; + + spin_lock_irqsave(&fep->tmreg_lock, flags); + + fep->ptp_saved_state.pps_enable = fep->pps_enable; + ++ 
fep->ptp_saved_state.ns_phc = timecounter_read(&fep->tc); ++ fep->ptp_saved_state.ns_sys = ktime_get_ns(); ++ ++ fep->ptp_saved_state.at_corr = readl(fep->hwp + FEC_ATIME_CORR); ++ atime_inc_corr = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_CORR_MASK; ++ fep->ptp_saved_state.at_inc_corr = (u8)(atime_inc_corr >> FEC_T_INC_CORR_OFFSET); ++ + spin_unlock_irqrestore(&fep->tmreg_lock, flags); + } + + /* Restore PTP functionality after a reset */ + void fec_ptp_restore_state(struct fec_enet_private *fep) + { ++ u32 atime_inc = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_MASK; + unsigned long flags; ++ u32 counter; ++ u64 ns; + + spin_lock_irqsave(&fep->tmreg_lock, flags); + + /* Reset turned it off, so adjust our status flag */ + fep->pps_enable = 0; + ++ writel(fep->ptp_saved_state.at_corr, fep->hwp + FEC_ATIME_CORR); ++ atime_inc |= ((u32)fep->ptp_saved_state.at_inc_corr) << FEC_T_INC_CORR_OFFSET; ++ writel(atime_inc, fep->hwp + FEC_ATIME_INC); ++ ++ ns = ktime_get_ns() - fep->ptp_saved_state.ns_sys + fep->ptp_saved_state.ns_phc; ++ counter = ns & fep->cc.mask; ++ writel(counter, fep->hwp + FEC_ATIME); ++ timecounter_init(&fep->tc, &fep->cc, ns); ++ + spin_unlock_irqrestore(&fep->tmreg_lock, flags); + + /* Restart PPS if needed */ +-- +2.43.0 + diff --git a/queue-6.11/net-fec-restart-pps-after-link-state-change.patch b/queue-6.11/net-fec-restart-pps-after-link-state-change.patch new file mode 100644 index 00000000000..6c9923cd928 --- /dev/null +++ b/queue-6.11/net-fec-restart-pps-after-link-state-change.patch 
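Review bot: In fec_ptp_restore_state() (fec_ptp.c), FEC_ATIME_INC is read in the declaration, `u32 atime_inc = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_MASK;`, before spin_lock_irqsave(&fep->tmreg_lock, flags) is taken, while the matching writel() of atime_inc happens under the lock. fec_ptp_save_state() does its register reads inside the lock; do the same here by moving the readl() below spin_lock_irqsave() so the read-modify-write of FEC_ATIME_INC is covered as a unit. Separately, the restored time is computed as `ktime_get_ns() - ns_sys + ns_phc`, so the PHC is assumed to advance at system-clock rate across the reset; a comment noting that approximation would help anyone debugging a small PTP offset after a link flap.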
@@ -0,0 +1,136 @@ +From 05c7ab33e4f36d1c8bc589a9d70e6fd57d91f5db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 11:37:04 +0200 +Subject: net: fec: Restart PPS after link state change +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Csókás, Bence + +[ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ] + +On link state change, the controller gets reset, +causing PPS to drop out. Re-enable PPS if it was +enabled before the controller reset. + +Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock") +Signed-off-by: Csókás, Bence +Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec.h | 6 +++++ + drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++- + drivers/net/ethernet/freescale/fec_ptp.c | 30 +++++++++++++++++++++++ + 3 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h +index a19cb2a786fd2..0552317a2554b 100644 +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -691,10 +691,16 @@ struct fec_enet_private { + /* XDP BPF Program */ + struct bpf_prog *xdp_prog; + ++ struct { ++ int pps_enable; ++ } ptp_saved_state; ++ + u64 ethtool_stats[]; + }; + + void fec_ptp_init(struct platform_device *pdev, int irq_idx); ++void fec_ptp_restore_state(struct fec_enet_private *fep); ++void fec_ptp_save_state(struct fec_enet_private *fep); + void fec_ptp_stop(struct platform_device *pdev); + void fec_ptp_start_cyclecounter(struct net_device *ndev); + int fec_ptp_set(struct net_device *ndev, struct kernel_hwtstamp_config *config, +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index a923cb95cdc62..570f8a14d975b 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ 
b/drivers/net/ethernet/freescale/fec_main.c +@@ -1077,6 +1077,8 @@ fec_restart(struct net_device *ndev) + u32 rcntl = OPT_FRAME_SIZE | 0x04; + u32 ecntl = FEC_ECR_ETHEREN; + ++ fec_ptp_save_state(fep); ++ + /* Whack a reset. We should wait for this. + * For i.MX6SX SOC, enet use AXI bus, we use disable MAC + * instead of reset MAC itself. +@@ -1244,8 +1246,10 @@ fec_restart(struct net_device *ndev) + writel(ecntl, fep->hwp + FEC_ECNTRL); + fec_enet_active_rxring(ndev); + +- if (fep->bufdesc_ex) ++ if (fep->bufdesc_ex) { + fec_ptp_start_cyclecounter(ndev); ++ fec_ptp_restore_state(fep); ++ } + + /* Enable interrupts we wish to service */ + if (fep->link) +@@ -1336,6 +1340,8 @@ fec_stop(struct net_device *ndev) + netdev_err(ndev, "Graceful transmit stop did not complete!\n"); + } + ++ fec_ptp_save_state(fep); ++ + /* Whack a reset. We should wait for this. + * For i.MX6SX SOC, enet use AXI bus, we use disable MAC + * instead of reset MAC itself. +@@ -1366,6 +1372,9 @@ fec_stop(struct net_device *ndev) + val = readl(fep->hwp + FEC_ECNTRL); + val |= FEC_ECR_EN1588; + writel(val, fep->hwp + FEC_ECNTRL); ++ ++ fec_ptp_start_cyclecounter(ndev); ++ fec_ptp_restore_state(fep); + } + } + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 2e4f3e1782a25..8027b532de078 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -770,6 +770,36 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx) + schedule_delayed_work(&fep->time_keep, HZ); + } + ++void fec_ptp_save_state(struct fec_enet_private *fep) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&fep->tmreg_lock, flags); ++ ++ fep->ptp_saved_state.pps_enable = fep->pps_enable; ++ ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); ++} ++ ++/* Restore PTP functionality after a reset */ ++void fec_ptp_restore_state(struct fec_enet_private *fep) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&fep->tmreg_lock, 
flags); ++ ++ /* Reset turned it off, so adjust our status flag */ ++ fep->pps_enable = 0; ++ ++ spin_unlock_irqrestore(&fep->tmreg_lock, flags); ++ ++ /* Restart PPS if needed */ ++ if (fep->ptp_saved_state.pps_enable) { ++ /* Re-enable PPS */ ++ fec_ptp_enable_pps(fep, 1); ++ } ++} ++ + void fec_ptp_stop(struct platform_device *pdev) + { + struct net_device *ndev = platform_get_drvdata(pdev); +-- +2.43.0 + diff --git a/queue-6.11/net-fix-gso_features_check-to-check-for-both-dev-gso.patch b/queue-6.11/net-fix-gso_features_check-to-check-for-both-dev-gso.patch new file mode 100644 index 00000000000..2508f66d8ac --- /dev/null +++ b/queue-6.11/net-fix-gso_features_check-to-check-for-both-dev-gso.patch 
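Review bot: In fec_ptp_restore_state(), `fep->pps_enable` is cleared and then `fec_ptp_enable_pps(fep, 1);` is called without looking at its result. If re-enabling fails, the next fec_ptp_save_state() would record pps_enable as 0 and PPS would stay off across every later link change with nothing logged. Check the return value and at least emit a warning. Also, fec_restart() calls fec_ptp_save_state() unconditionally but only restores under `if (fep->bufdesc_ex)`; guarding the save the same way, or a comment saying why the asymmetry is harmless, would make the save/restore pairing easier to audit.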
@@ -0,0 +1,71 @@ +From 46be9b2b989360f37564702d8205ad84a2619ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 23:22:42 +0200 +Subject: net: Fix gso_features_check to check for both + dev->gso_{ipv4_,}max_size + +From: Daniel Borkmann + +[ Upstream commit e609c959a939660c7519895f853dfa5624c6827a ] + +Commit 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()") +added a dev->gso_max_size test to gso_features_check() in order to fall +back to GSO when needed. + +This was added as it was noticed that some drivers could misbehave if TSO +packets get too big. However, the check doesn't respect dev->gso_ipv4_max_size +limit. For instance, a device could be configured with BIG TCP for IPv4, +but not IPv6. + +Therefore, add a netif_get_gso_max_size() equivalent to netif_get_gro_max_size() +and use the helper to respect both limits before falling back to GSO engine. + +Fixes: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()") +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Cc: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240923212242.15669-2-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 9 +++++++++ + net/core/dev.c | 2 +- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 23d90c7e915f0..59fb3cb8538fd 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -5035,6 +5035,15 @@ netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb) + READ_ONCE(dev->gro_ipv4_max_size); + } + ++static inline unsigned int ++netif_get_gso_max_size(const struct net_device *dev, const struct sk_buff *skb) ++{ ++ /* pairs with WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */ ++ return skb->protocol == htons(ETH_P_IPV6) ? 
++ READ_ONCE(dev->gso_max_size) : ++ READ_ONCE(dev->gso_ipv4_max_size); ++} ++ + static inline bool netif_is_macsec(const struct net_device *dev) + { + return dev->priv_flags & IFF_MACSEC; +diff --git a/net/core/dev.c b/net/core/dev.c +index f66e614078832..03fb8ae459c0e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3504,7 +3504,7 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb, + if (gso_segs > READ_ONCE(dev->gso_max_segs)) + return features & ~NETIF_F_GSO_MASK; + +- if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size))) ++ if (unlikely(skb->len >= netif_get_gso_max_size(dev, skb))) + return features & ~NETIF_F_GSO_MASK; + + if (!skb_shinfo(skb)->gso_type) { +-- +2.43.0 + diff --git a/queue-6.11/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch b/queue-6.11/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch new file mode 100644 index 00000000000..99911b6b027 --- /dev/null +++ b/queue-6.11/net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch 
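Review bot: netif_get_gso_max_size() keys only on `skb->protocol == htons(ETH_P_IPV6)`, so every other value, including a VLAN ethertype on a tagged frame that carries IPv6, is compared against gso_ipv4_max_size in gso_features_check(). On a device configured with BIG TCP for only one address family that could pick the wrong limit. Confirm what skb->protocol holds at this call site for tagged traffic, and either resolve the inner protocol first or document the fallback in the helper's comment.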
@@ -0,0 +1,48 @@ +From 8355a9f9e47c099c28ca8c358fab592466fb83b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:42:34 +0800 +Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Reviewed-by: Miquel Raynal +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mcr20a.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c +index 433fb58392031..020d392a98b69 100644 +--- a/drivers/net/ieee802154/mcr20a.c ++++ b/drivers/net/ieee802154/mcr20a.c +@@ -1302,16 +1302,13 @@ mcr20a_probe(struct spi_device *spi) + irq_type = IRQF_TRIGGER_FALLING; + + ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr, +- irq_type, dev_name(&spi->dev), lp); ++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp); + if (ret) { + dev_err(&spi->dev, "could not request_irq for mcr20a\n"); + ret = -ENODEV; + goto free_dev; + } + +- /* disable_irq by default and wait for starting hardware */ +- disable_irq(spi->irq); +- + ret = ieee802154_register_hw(hw); + if (ret) { + dev_crit(&spi->dev, "ieee802154_register_hw failed\n"); +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5-added-cond_resched-to-crdump-collection.patch b/queue-6.11/net-mlx5-added-cond_resched-to-crdump-collection.patch new file mode 100644 index 00000000000..ee8cecce5b5 --- /dev/null +++ b/queue-6.11/net-mlx5-added-cond_resched-to-crdump-collection.patch 
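Review bot: In mcr20a_probe(), the removed comment, "disable_irq by default and wait for starting hardware", was the only place the code said why the interrupt must stay off after probe; with IRQF_NO_AUTOEN folded into the devm_request_irq() flags that rationale is gone. Keep a one-line comment next to `irq_type | IRQF_NO_AUTOEN` saying the IRQ is enabled later, when the hardware is started, so the flag is not removed as apparently redundant.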
@@ -0,0 +1,83 @@ +From a323691edb4be917b54d5e032d46e58d5b97a016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 22:02:48 -0600 +Subject: net/mlx5: Added cond_resched() to crdump collection + +From: Mohamed Khalfella + +[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ] + +Collecting crdump involves reading vsc registers from pci config space +of mlx device, which can take long time to complete. This might result +in starving other threads waiting to run on the cpu. + +Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab: + +- mlx5_vsc_gw_read_block_fast() was called with length = 1310716. +- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to + read the entire 1310716 bytes. It was called 53813 times because + there are jumps in read_addr. +- On average mlx5_vsc_gw_read_fast() took 35284.4ns. +- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times. + The average time for each call was 17548.3ns. In some instances + vsc_read() was called more than one time when the flag was not set. + As expected the thread released the cpu after 16 iterations in + mlx5_vsc_wait_on_flag(). +- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s. + +It was seen in the field that crdump can take more than 5 seconds to +complete. During that time mlx5_vsc_wait_on_flag() did not release the +cpu because it did not complete 16 iterations. It is believed that pci +config reads were slow. Adding cond_resched() every 128 register read +improves the situation. In the common case the, crdump takes ~1.8989s, +the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread +yields the cpu every ~18.0ms. 
+ +Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support") +Reviewed-by: Yuanyuan Zhong +Signed-off-by: Mohamed Khalfella +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +index d0b595ba61101..432c98f2626db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c +@@ -24,6 +24,11 @@ + pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val)) + #define VSC_MAX_RETRIES 2048 + ++/* Reading VSC registers can take relatively long time. ++ * Yield the cpu every 128 registers read. ++ */ ++#define VSC_GW_READ_BLOCK_COUNT 128 ++ + enum { + VSC_CTRL_OFFSET = 0x4, + VSC_COUNTER_OFFSET = 0x8, +@@ -273,6 +278,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + { + unsigned int next_read_addr = 0; + unsigned int read_addr = 0; ++ unsigned int count = 0; + + while (read_addr < length) { + if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr, +@@ -280,6 +286,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data, + return read_addr; + + read_addr = next_read_addr; ++ if (++count == VSC_GW_READ_BLOCK_COUNT) { ++ cond_resched(); ++ count = 0; ++ } + } + return length; + } +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch b/queue-6.11/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch new file mode 100644 index 00000000000..618a07d75df --- /dev/null +++ b/queue-6.11/net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch 
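Review bot: Adding cond_resched() inside the loop of mlx5_vsc_gw_read_block_fast() makes the function a scheduling point, which is a change of contract for callers that the hunk does not state. Add a might_sleep() at the top, or a line in the function comment saying it must be called from process context with no spinlocks held. Minor wording: the new comment above VSC_GW_READ_BLOCK_COUNT reads better as "Yield the CPU every 128 register reads".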
@@ -0,0 +1,49 @@ +From b3f30919245643c5c40b79a45952b80f8ec3573f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 10:53:51 +0200 +Subject: net/mlx5: Fix error path in multi-packet WQE transmit + +From: Gerd Bayer + +[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ] + +Remove the erroneous unmap in case no DMA mapping was established + +The multi-packet WQE transmit code attempts to obtain a DMA mapping for +the skb. This could fail, e.g. under memory pressure, when the IOMMU +driver just can't allocate more memory for page tables. While the code +tries to handle this in the path below the err_unmap label it erroneously +unmaps one entry from the sq's FIFO list of active mappings. Since the +current map attempt failed this unmap is removing some random DMA mapping +that might still be required. If the PCI function now presents that IOVA, +the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI +function in error state. + +The erroneous behavior was seen in a stress-test environment that created +memory pressure. + +Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs") +Signed-off-by: Gerd Bayer +Reviewed-by: Zhu Yanjun +Acked-by: Maxim Mikityanskiy +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +index b09e9abd39f37..f8c7912abe0e3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -642,7 +642,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb, + return; + + err_unmap: +- mlx5e_dma_unmap_wqe_err(sq, 1); + sq->stats->dropped++; + dev_kfree_skb_any(skb); + mlx5e_tx_flush(sq); +-- +2.43.0 + 
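Review bot: In mlx5e_sq_xmit_mpwqe(), once `mlx5e_dma_unmap_wqe_err(sq, 1);` is removed the `err_unmap:` label no longer unmaps anything; it only counts the drop, frees the skb and flushes. Rename it (for example to `err_drop`) so nobody later "restores" the unmap that the name seems to call for, and add a comment that the DMA mapping attempt failed on this path, so there is no entry in the SQ's mapping FIFO to pop.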
diff --git a/queue-6.11/net-mlx5e-fix-crash-caused-by-calling-__xfrm_state_d.patch b/queue-6.11/net-mlx5e-fix-crash-caused-by-calling-__xfrm_state_d.patch new file mode 100644 index 00000000000..6e77cf7c65b --- /dev/null +++ b/queue-6.11/net-mlx5e-fix-crash-caused-by-calling-__xfrm_state_d.patch 
@@ -0,0 +1,101 @@ +From 0559701edaf196dafe945de948d25c3aff729cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 09:40:58 +0300 +Subject: net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice + +From: Jianbo Liu + +[ Upstream commit 7b124695db40d5c9c5295a94ae928a8d67a01c3d ] + +The km.state is not checked in driver's delayed work. When +xfrm_state_check_expire() is called, the state can be reset to +XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This +happens when xfrm state is deleted, but not freed yet. As +__xfrm_state_delete() is called again in xfrm timer, the following +crash occurs. + +To fix this issue, skip xfrm_state_check_expire() if km.state is not +XFRM_STATE_VALID. + + Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP + CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core] + RIP: 0010:__xfrm_state_delete+0x3d/0x1b0 + Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48 + RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246 + RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036 + RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980 + RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000 + R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246 + R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400 + FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + 
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ? die_addr+0x33/0x90 + ? exc_general_protection+0x1a2/0x390 + ? asm_exc_general_protection+0x22/0x30 + ? __xfrm_state_delete+0x3d/0x1b0 + ? __xfrm_state_delete+0x2f/0x1b0 + xfrm_timer_handler+0x174/0x350 + ? __xfrm_state_delete+0x1b0/0x1b0 + __hrtimer_run_queues+0x121/0x270 + hrtimer_run_softirq+0x88/0xd0 + handle_softirqs+0xcc/0x270 + do_softirq+0x3c/0x50 + + + __local_bh_enable_ip+0x47/0x50 + mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core] + process_one_work+0x137/0x2d0 + worker_thread+0x28d/0x3a0 + ? rescuer_thread+0x480/0x480 + kthread+0xb8/0xe0 + ? kthread_park+0x80/0x80 + ret_from_fork+0x2d/0x50 + ? kthread_park+0x80/0x80 + ret_from_fork_asm+0x11/0x20 + + +Fixes: b2f7b01d36a9 ("net/mlx5e: Simulate missing IPsec TX limits hardware functionality") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 3d274599015be..ca92e518be766 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -67,7 +67,6 @@ static void mlx5e_ipsec_handle_sw_limits(struct work_struct *_work) + return; + + spin_lock_bh(&x->lock); +- xfrm_state_check_expire(x); + if (x->km.state == XFRM_STATE_EXPIRED) { + sa_entry->attrs.drop = true; + spin_unlock_bh(&x->lock); +@@ -75,6 +74,13 @@ static void mlx5e_ipsec_handle_sw_limits(struct work_struct *_work) + mlx5e_accel_ipsec_fs_modify(sa_entry); + return; + } ++ ++ if (x->km.state != XFRM_STATE_VALID) { ++ spin_unlock_bh(&x->lock); ++ return; ++ } ++ ++ xfrm_state_check_expire(x); + spin_unlock_bh(&x->lock); + + queue_delayed_work(sa_entry->ipsec->wq, 
&dwork->dwork, +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch b/queue-6.11/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch new file mode 100644 index 00000000000..af9a35a6e70 --- /dev/null +++ b/queue-6.11/net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch @@ -0,0 +1,44 @@ +From 1d2bbb38f09e9b9747e779ef93dce889109c7826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 19:00:18 +0300 +Subject: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() + +From: Elena Salomatkina + +[ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ] + +In mlx5e_tir_builder_alloc() kvzalloc() may return NULL +which is dereferenced on the next line in a reference +to the modify field. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object") +Signed-off-by: Elena Salomatkina +Reviewed-by: Simon Horman +Reviewed-by: Kalesh AP +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +index d4239e3b3c88e..11f724ad90dbf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +@@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify) + struct mlx5e_tir_builder *builder; + + builder = kvzalloc(sizeof(*builder), GFP_KERNEL); ++ if (!builder) ++ return NULL; ++ + builder->modify = modify; + + return builder; +-- +2.43.0 + diff --git a/queue-6.11/net-mlx5e-shampo-fix-overflow-of-hd_per_wq.patch b/queue-6.11/net-mlx5e-shampo-fix-overflow-of-hd_per_wq.patch new file mode 100644 index 00000000000..02e0059a8ca --- /dev/null 
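Review bot: in mlx5e_ipsec_handle_sw_limits() (drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c) the XFRM_STATE_EXPIRED branch now runs before xfrm_state_check_expire(x), so a state that expires during this invocation is not acted on (sa_entry->attrs.drop = true and mlx5e_accel_ipsec_fs_modify()) until the delayed work is run again after queue_delayed_work(). If that one-interval delay is intended, a comment above the moved call should say so; otherwise re-test x->km.state after xfrm_state_check_expire(x) while x->lock is still held. The new early return for km.state != XFRM_STATE_VALID also stops the requeueing without explanation in the code, and a short comment naming the deleted-but-not-yet-freed case from the commit message would help the next reader.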
+++ b/queue-6.11/net-mlx5e-shampo-fix-overflow-of-hd_per_wq.patch @@ -0,0 +1,50 @@ +From 860a0f95ccc8e074432df1972bfdf159fc2e428c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 13:34:54 +0300 +Subject: net/mlx5e: SHAMPO, Fix overflow of hd_per_wq + +From: Dragos Tatulea + +[ Upstream commit 023d2a43ed0d9ab73d4a35757121e4c8e01298e5 ] + +When having larger RQ sizes and small MTUs sizes, the hd_per_wq variable +can overflow. Like in the following case: + +$> ethtool --set-ring eth1 rx 8192 +$> ip link set dev eth1 mtu 144 +$> ethtool --features eth1 rx-gro-hw on + +... yields in dmesg: + +mlx5_core 0000:08:00.1: mlx5_cmd_out_err:808:(pid 194797): CREATE_MKEY(0x200) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x3bf6f), err(-22) + +because hd_per_wq is 64K which overflows to 0 and makes the command +fail. + +This patch increases the variable size to 32 bit. + +Fixes: 99be56171fa9 ("net/mlx5e: SHAMPO, Re-enable HW-GRO") +Signed-off-by: Dragos Tatulea +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index d9e241423bc56..6cff0c45ff981 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -627,7 +627,7 @@ struct mlx5e_shampo_hd { + struct mlx5e_dma_info *info; + struct mlx5e_frag_page *pages; + u16 curr_page_index; +- u16 hd_per_wq; ++ u32 hd_per_wq; + u16 hd_per_wqe; + unsigned long *bitmap; + u16 pi; +-- +2.43.0 + diff --git a/queue-6.11/net-ncsi-disable-the-ncsi-work-before-freeing-the-as.patch b/queue-6.11/net-ncsi-disable-the-ncsi-work-before-freeing-the-as.patch new file mode 100644 index 00000000000..5155ea0ec8f --- /dev/null +++ b/queue-6.11/net-ncsi-disable-the-ncsi-work-before-freeing-the-as.patch 
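Review bot: widening hd_per_wq to u32 in struct mlx5e_shampo_hd (drivers/net/ethernet/mellanox/mlx5/core/en.h) changes only the declaration, while hd_per_wqe, curr_page_index and pi next to it stay u16. Any place that copies hd_per_wq into a u16 local or compares it against those fields would still truncate at 64K, so the users of the field need to be checked as part of this change. As a layout point, a u32 placed between two u16 members adds padding on both sides; moving hd_per_wq ahead of curr_page_index keeps the struct the same size as before.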
@@ -0,0 +1,38 @@ +From f34d1e5dfc7d1df2fa87faa99155ee5fb0c066d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 10:55:23 -0500 +Subject: net/ncsi: Disable the ncsi work before freeing the associated + structure + +From: Eddie James + +[ Upstream commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c ] + +The work function can run after the ncsi device is freed, resulting +in use-after-free bugs or kernel panic. + +Fixes: 2d283bdd079c ("net/ncsi: Resource management") +Signed-off-by: Eddie James +Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ncsi/ncsi-manage.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c +index 5ecf611c88200..5cf55bde366d1 100644 +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -1954,6 +1954,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) + list_del_rcu(&ndp->node); + spin_unlock_irqrestore(&ncsi_dev_lock, flags); + ++ disable_work_sync(&ndp->work); ++ + kfree(ndp); + } + EXPORT_SYMBOL_GPL(ncsi_unregister_dev); +-- +2.43.0 + diff --git a/queue-6.11/net-phy-realtek-check-the-index-value-in-led_hw_cont.patch b/queue-6.11/net-phy-realtek-check-the-index-value-in-led_hw_cont.patch new file mode 100644 index 00000000000..bd46bafcc0a --- /dev/null +++ b/queue-6.11/net-phy-realtek-check-the-index-value-in-led_hw_cont.patch 
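Review bot: the new disable_work_sync(&ndp->work) in ncsi_unregister_dev() (net/ncsi/ncsi-manage.c) has no comment tying it to the kfree(ndp) that follows, so the ordering requirement lives only in the commit message. A one-line comment that the work function dereferences ndp and must be stopped before the free would keep the call from being moved or dropped later. The context lines also show kfree(ndp) right after list_del_rcu(&ndp->node) with no grace period between them in the visible code; if readers walk that list under RCU, the same lifetime question applies to them and could be answered in the same comment.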
@@ -0,0 +1,41 @@ +From a2ee7089bb163d5080e1fbc1dd4a741879e2eba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 19:46:10 +0800 +Subject: net: phy: realtek: Check the index value in led_hw_control_get + +From: Hui Wang + +[ Upstream commit c283782fc5d60c4d8169137c6f955aa3553d3b3d ] + +Just like rtl8211f_led_hw_is_supported() and +rtl8211f_led_hw_control_set(), the rtl8211f_led_hw_control_get() also +needs to check the index value, otherwise the caller is likely to get +an incorrect rules. + +Fixes: 17784801d888 ("net: phy: realtek: Add support for PHY LEDs on RTL8211F") +Signed-off-by: Hui Wang +Reviewed-by: Marek Vasut +Link: https://patch.msgid.link/20240927114610.1278935-1-hui.wang@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/realtek.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c +index 25e5bfbb6f89b..c15d2f66ef0dc 100644 +--- a/drivers/net/phy/realtek.c ++++ b/drivers/net/phy/realtek.c +@@ -527,6 +527,9 @@ static int rtl8211f_led_hw_control_get(struct phy_device *phydev, u8 index, + { + int val; + ++ if (index >= RTL8211F_LED_COUNT) ++ return -EINVAL; ++ + val = phy_read_paged(phydev, 0xd04, RTL8211F_LEDCR); + if (val < 0) + return val; +-- +2.43.0 + diff --git a/queue-6.11/net-sparx5-fix-invalid-timestamps.patch b/queue-6.11/net-sparx5-fix-invalid-timestamps.patch new file mode 100644 index 00000000000..45611bef57d --- /dev/null +++ b/queue-6.11/net-sparx5-fix-invalid-timestamps.patch 
@@ -0,0 +1,45 @@ +From 5644e09ed068a421172db8964ece5cbd98f98de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 22:18:29 -0700 +Subject: net: sparx5: Fix invalid timestamps + +From: Aakash Menon + +[ Upstream commit 151ac45348afc5b56baa584c7cd4876addf461ff ] + +Bit 270-271 are occasionally unexpectedly set by the hardware. This issue +was observed with 10G SFPs causing huge time errors (> 30ms) in PTP. Only +30 bits are needed for the nanosecond part of the timestamp, clear 2 most +significant bits before extracting timestamp from the internal frame +header. + +Fixes: 70dfe25cd866 ("net: sparx5: Update extraction/injection for timestamping") +Signed-off-by: Aakash Menon +Reviewed-by: Horatiu Vultur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +index f3f5fb4204689..70427643f777c 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +@@ -45,8 +45,12 @@ void sparx5_ifh_parse(u32 *ifh, struct frame_info *info) + fwd = (fwd >> 5); + info->src_port = FIELD_GET(GENMASK(7, 1), fwd); + ++ /* ++ * Bit 270-271 are occasionally unexpectedly set by the hardware, ++ * clear bits before extracting timestamp ++ */ + info->timestamp = +- ((u64)xtr_hdr[2] << 24) | ++ ((u64)(xtr_hdr[2] & GENMASK(5, 0)) << 24) | + ((u64)xtr_hdr[3] << 16) | + ((u64)xtr_hdr[4] << 8) | + ((u64)xtr_hdr[5] << 0); +-- +2.43.0 + diff --git a/queue-6.11/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch b/queue-6.11/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch new file mode 100644 index 00000000000..aa867f80900 --- /dev/null +++ b/queue-6.11/net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch 
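Review bot: the mask GENMASK(5, 0) applied to xtr_hdr[2] in sparx5_ifh_parse() (drivers/net/ethernet/microchip/sparx5/sparx5_packet.c) is a bare literal, and the new comment names IFH bits 270-271 without saying how they map onto that byte. Stating in the comment that 6 + 8 + 8 + 8 = 30 bits are kept for the nanosecond field, or giving the mask a name, would make the relation between "clear 2 most significant bits" and the code checkable at a glance.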
@@ -0,0 +1,79 @@ +From 7f5211646c4372badfa7d5d876d22bf4cdf106d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 15:54:24 -0500 +Subject: net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shenwei Wang + +[ Upstream commit 4c1b56671b68ffcbe6b78308bfdda6bcce6491ae ] + +Increase the timeout for checking the busy bit of the VLAN Tag register +from 10µs to 500ms. This change is necessary to accommodate scenarios +where Energy Efficient Ethernet (EEE) is enabled. + +Overnight testing revealed that when EEE is active, the busy bit can +remain set for up to approximately 300ms. The new 500ms timeout provides +a safety margin. + +Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering") +Reviewed-by: Andrew Lunn +Signed-off-by: Shenwei Wang +Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 31c387cc5f269..5e64cf15670b1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "stmmac.h" + #include "stmmac_pcs.h" + #include "dwmac4.h" +@@ -475,7 +476,7 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + u8 index, u32 data) + { + void __iomem *ioaddr = (void __iomem *)dev->base_addr; +- int i, timeout = 10; ++ int ret; + u32 val; + + if (index >= hw->num_vlan) +@@ -491,16 +492,15 @@ static int dwmac4_write_vlan_filter(struct net_device *dev, + + writel(val, ioaddr + GMAC_VLAN_TAG); + +- for (i = 0; i < timeout; i++) { +- val = readl(ioaddr + 
GMAC_VLAN_TAG); +- if (!(val & GMAC_VLAN_TAG_CTRL_OB)) +- return 0; +- udelay(1); ++ ret = readl_poll_timeout(ioaddr + GMAC_VLAN_TAG, val, ++ !(val & GMAC_VLAN_TAG_CTRL_OB), ++ 1000, 500000); ++ if (ret) { ++ netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); ++ return -EBUSY; + } + +- netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n"); +- +- return -EBUSY; ++ return 0; + } + + static int dwmac4_add_hw_vlan_rx_fltr(struct net_device *dev, +-- +2.43.0 + diff --git a/queue-6.11/net-test-for-not-too-small-csum_start-in-virtio_net_.patch b/queue-6.11/net-test-for-not-too-small-csum_start-in-virtio_net_.patch new file mode 100644 index 00000000000..4f19b84e3db --- /dev/null +++ b/queue-6.11/net-test-for-not-too-small-csum_start-in-virtio_net_.patch 
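Review bot: dwmac4_write_vlan_filter() (drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c) used to busy-wait with udelay(1) and was safe in atomic context; the replacement readl_poll_timeout(..., 1000, 500000) sleeps between polls, so the function may now only be called where sleeping is allowed. The hunk does not show the callers, so please confirm none of them holds a spinlock or runs with BHs disabled when adding or removing a VLAN filter; if one does, readl_poll_timeout_atomic() is the variant to use, at the cost of spinning for up to the full timeout. A comment on the 500000 value pointing at the roughly 300ms EEE case from the commit message would also explain a number that otherwise looks arbitrary.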
@@ -0,0 +1,112 @@ +From b8d36fa0097e6271e65f927816f94824d234b33c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 16:58:36 +0000 +Subject: net: test for not too small csum_start in virtio_net_hdr_to_skb() + +From: Eric Dumazet + +[ Upstream commit 49d14b54a527289d09a9480f214b8c586322310a ] + +syzbot was able to trigger this warning [1], after injecting a +malicious packet through af_packet, setting skb->csum_start and thus +the transport header to an incorrect value. + +We can at least make sure the transport header is after +the end of the network header (with a estimated minimal size). + +[1] +[ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0 +mac=(-1,-1) mac_len=0 net=(16,-6) trans=10 +shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0)) +csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0) +hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0 +priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0 +encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0) +[ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9 +[ 67.877764] sk family=17 type=3 proto=0 +[ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00 +[ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02 +[ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00 +[ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 
76 6c 61 6e +[ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00 +[ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 67.887384] skb frag: 00000100: 00 00 +[ 67.887878] ------------[ cut here ]------------ +[ 67.887908] offset (-6) >= skb_headlen() (14) +[ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) +[ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs +[ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011 +[ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) +[ 67.891043] Call Trace: +[ 67.891173] +[ 67.891274] ? __warn (kernel/panic.c:741) +[ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) +[ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219) +[ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239) +[ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) +[ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) +[ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) +[ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2)) +[ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1)) +[ 67.891448] ? 
__ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113) +[ 67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200) +[ 67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13)) +[ 67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1)) +[ 67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670) +[ 67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227) +[ 67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604) +[ 67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25)) +[ 67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1)) +[ 67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4)) +[ 67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657) +[ 67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3)) +[ 67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1)) +[ 67.891700] ? 
_raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4)) +[ 67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1)) +[ 67.891734] ? do_sock_setsockopt (net/socket.c:2335) +[ 67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355) +[ 67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1)) +[ 67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +[ 67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fixes: 9181d6f8a2bb ("net: add more sanity check in virtio_net_hdr_to_skb()") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/virtio_net.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h +index 276ca543ef44d..02a9f4dc594d0 100644 +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -103,8 +103,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, + + if (!skb_partial_csum_set(skb, start, off)) + return -EINVAL; ++ if (skb_transport_offset(skb) < nh_min_len) ++ return -EINVAL; + +- nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb)); ++ nh_min_len = skb_transport_offset(skb); + p_off = nh_min_len + thlen; + if (!pskb_may_pull(skb, p_off)) + return -EINVAL; +-- 
+2.43.0 + diff --git a/queue-6.11/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch b/queue-6.11/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch new file mode 100644 index 00000000000..392f9365ed1 --- /dev/null +++ b/queue-6.11/net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch 
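Review bot: after the new check in virtio_net_hdr_to_skb() (include/linux/virtio_net.h), nh_min_len is overwritten with skb_transport_offset(skb), so from that line on the variable no longer holds a minimum network-header length but the actual transport offset. Computing p_off directly as skb_transport_offset(skb) + thlen, or using a separately named local, would keep the name honest. The added -EINVAL return also deserves a short comment that it rejects a csum_start placing the transport header inside the minimal network header, since the condition is not obvious without the commit message.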
@@ -0,0 +1,68 @@ +From 02efe6a6d67d8dfd774b14469a005d14a42eb7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Sep 2024 19:57:43 +0800 +Subject: net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() + +From: Jinjie Ruan + +[ Upstream commit d505d3593b52b6c43507f119572409087416ba28 ] + +It's important to undo pm_runtime_use_autosuspend() with +pm_runtime_dont_use_autosuspend() at driver exit time. + +But the pm_runtime_disable() and pm_runtime_dont_use_autosuspend() +is missing in the error path for bam_dmux_probe(). So add it. + +Found by code review. Compile-tested only. + +Fixes: 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver") +Suggested-by: Stephan Gerhold +Signed-off-by: Jinjie Ruan +Reviewed-by: Stephan Gerhold +Reviewed-by: Sergey Ryazanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/qcom_bam_dmux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wwan/qcom_bam_dmux.c b/drivers/net/wwan/qcom_bam_dmux.c +index 26ca719fa0de4..5dcb9a84a12e3 100644 +--- a/drivers/net/wwan/qcom_bam_dmux.c ++++ b/drivers/net/wwan/qcom_bam_dmux.c +@@ -823,17 +823,17 @@ static int bam_dmux_probe(struct platform_device *pdev) + ret = devm_request_threaded_irq(dev, pc_ack_irq, NULL, bam_dmux_pc_ack_irq, + IRQF_ONESHOT, NULL, dmux); + if (ret) +- return ret; ++ goto err_disable_pm; + + ret = devm_request_threaded_irq(dev, dmux->pc_irq, NULL, bam_dmux_pc_irq, + IRQF_ONESHOT, NULL, dmux); + if (ret) +- return ret; ++ goto err_disable_pm; + + ret = irq_get_irqchip_state(dmux->pc_irq, IRQCHIP_STATE_LINE_LEVEL, + &dmux->pc_state); + if (ret) +- return ret; ++ goto err_disable_pm; + + /* Check if remote finished initialization before us */ + if (dmux->pc_state) { +@@ -844,6 +844,11 @@ static int bam_dmux_probe(struct platform_device *pdev) + } + + return 0; ++ ++err_disable_pm: ++ pm_runtime_disable(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ return ret; + } + + 
static void bam_dmux_remove(struct platform_device *pdev) +-- +2.43.0 + diff --git a/queue-6.11/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch b/queue-6.11/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch new file mode 100644 index 00000000000..9f668314b90 --- /dev/null +++ b/queue-6.11/netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch 
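Review bot: the err_disable_pm path added to bam_dmux_probe() (drivers/net/wwan/qcom_bam_dmux.c) covers only the three returns converted in this hunk; any failure return between the point where runtime PM is enabled and the first devm_request_threaded_irq() lies outside the visible context and should be checked for the same leak. Since the rest of probe already relies on devm_ helpers, devm_pm_runtime_enable() is worth considering instead of a hand-written label: it undoes both the enable and the autosuspend setting on probe failure and on unbind, which would remove the need to keep this error path and the remove callback in step.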
@@ -0,0 +1,134 @@ +From d6734529c947b6a332203a3344aaf98435a0b24c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:11 +0000 +Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption + +From: Eric Dumazet + +[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ] + +syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write +per-cpu variable nf_skb_duplicated in an unsafe way [1]. + +Disabling preemption as hinted by the splat is not enough, +we have to disable soft interrupts as well. + +[1] +BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316 + caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 +CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49 + nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87 + nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 + nf_hook+0x2c4/0x450 include/linux/netfilter.h:269 + NF_HOOK_COND include/linux/netfilter.h:302 [inline] + ip_output+0x185/0x230 net/ipv4/ip_output.c:433 + ip_local_out net/ipv4/ip_output.c:129 [inline] + ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495 + udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981 + udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x1a6/0x270 net/socket.c:745 + ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 + ___sys_sendmsg 
net/socket.c:2651 [inline] + __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 + __do_sys_sendmmsg net/socket.c:2766 [inline] + __se_sys_sendmmsg net/socket.c:2763 [inline] + __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f4ce4f7def9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 +RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 +RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 + + +Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++-- + net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c +index 6cc5743c553a0..9a21175693db5 100644 +--- a/net/ipv4/netfilter/nf_dup_ipv4.c ++++ b/net/ipv4/netfilter/nf_dup_ipv4.c +@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + { + struct iphdr *iph; + ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + /* + * Copy the skb, and route the copy. 
Will later return %XT_CONTINUE for + * the original skb, which should continue on its way as if nothing has +@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + */ + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + /* Avoid counting cloned packets towards the original connection. */ +@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv4); + +diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c +index a0a2de30be3e7..0c39c77fe8a8a 100644 +--- a/net/ipv6/netfilter/nf_dup_ipv6.c ++++ b/net/ipv6/netfilter/nf_dup_ipv6.c +@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, + void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + const struct in6_addr *gw, int oif) + { ++ local_bh_disable(); + if (this_cpu_read(nf_skb_duplicated)) +- return; ++ goto out; + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) +- return; ++ goto out; + + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_reset_ct(skb); +@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, + } else { + kfree_skb(skb); + } ++out: ++ local_bh_enable(); + } + EXPORT_SYMBOL_GPL(nf_dup_ipv6); + +-- +2.43.0 + diff --git a/queue-6.11/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch b/queue-6.11/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch new file mode 100644 index 00000000000..d96ed646131 --- /dev/null +++ b/queue-6.11/netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch 
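Review bot: the local_bh_disable() added at the top of nf_dup_ipv4() and nf_dup_ipv6() (net/ipv4/netfilter/nf_dup_ipv4.c, net/ipv6/netfilter/nf_dup_ipv6.c) carries no comment, so the reason is recorded only in the commit message. A line at each call stating that the per-cpu nf_skb_duplicated flag is read and written in this function and must not be re-entered from softirq on the same CPU would keep a later change from narrowing the section back to preemption-only protection. The disabled region now spans pskb_copy() and the whole send path down to the out label; if only the flag handling needs it, say why the wider scope was chosen.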
@@ -0,0 +1,35 @@ +From 0fc82af41c58983939c2bb9fc54b614e1d3fc9a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 20:01:20 +0200 +Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED + +From: Phil Sutter + +[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ] + +Fix the comment which incorrectly defines it as NLA_U32. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 639894ed1b973..2f71d91462331 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -1694,7 +1694,7 @@ enum nft_flowtable_flags { + * + * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) + * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING) +- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) ++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED) + * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) + * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) + * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) +-- +2.43.0 + diff --git a/queue-6.11/netfs-fix-missing-wakeup-after-issuing-writes.patch b/queue-6.11/netfs-fix-missing-wakeup-after-issuing-writes.patch new file mode 100644 index 00000000000..3c6692d35c0 --- /dev/null +++ b/queue-6.11/netfs-fix-missing-wakeup-after-issuing-writes.patch 
@@ -0,0 +1,122 @@ +From 2e0d0ce01e8e37cbe02264d1be6f3bd64c99cad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 15:45:50 +0100 +Subject: netfs: Fix missing wakeup after issuing writes + +From: David Howells + +[ Upstream commit 1ca4169c391c370e0f3a92938df2862900575096 ] + +After dividing up a proposed write into subrequests, netfslib sets +NETFS_RREQ_ALL_QUEUED to indicate to the collector that it can move on to +the final cleanup once it has emptied the subrequest queues. + +Now, whilst the collector will normally end up running at least once after +this bit is set just because it takes a while to process all the write +subrequests before the collector runs out of subrequests, there exists the +possibility that the issuing thread will be forced to sleep and the +collector thread will clean up all the subrequests before ALL_QUEUED gets +set. + +In such a case, the collector thread will not get triggered again and will +never clear NETFS_RREQ_IN_PROGRESS thus leaving a request uncompleted and +causing a potential futute hang. + +Fix this by scheduling the write collector if all the subrequest queues are +empty (and thus no writes pending issuance). + +Note that we'd do this ideally before queuing the subrequest, but in the +case of buffered writeback, at least, we can't find out that we've run out +of folios until after we've called writeback_iter() and it has returned +NULL - at which point we might not actually have any subrequests still +under construction. 
+ +Fixes: 288ace2f57c9 ("netfs: New writeback implementation") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/3317784.1727880350@warthog.procyon.org.uk +cc: Jeff Layton +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/netfs/write_issue.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c +index 3f7e37e50c7d0..9486e54b1e563 100644 +--- a/fs/netfs/write_issue.c ++++ b/fs/netfs/write_issue.c +@@ -494,6 +494,30 @@ static int netfs_write_folio(struct netfs_io_request *wreq, + return 0; + } + ++/* ++ * End the issuing of writes, letting the collector know we're done. ++ */ ++static void netfs_end_issue_write(struct netfs_io_request *wreq) ++{ ++ bool needs_poke = true; ++ ++ smp_wmb(); /* Write subreq lists before ALL_QUEUED. */ ++ set_bit(NETFS_RREQ_ALL_QUEUED, &wreq->flags); ++ ++ for (int s = 0; s < NR_IO_STREAMS; s++) { ++ struct netfs_io_stream *stream = &wreq->io_streams[s]; ++ ++ if (!stream->active) ++ continue; ++ if (!list_empty(&stream->subrequests)) ++ needs_poke = false; ++ netfs_issue_write(wreq, stream); ++ } ++ ++ if (needs_poke) ++ netfs_wake_write_collector(wreq, false); ++} ++ + /* + * Write some of the pending data back to the server + */ +@@ -541,10 +565,7 @@ int netfs_writepages(struct address_space *mapping, + break; + } while ((folio = writeback_iter(mapping, wbc, folio, &error))); + +- for (int s = 0; s < NR_IO_STREAMS; s++) +- netfs_issue_write(wreq, &wreq->io_streams[s]); +- smp_wmb(); /* Write lists before ALL_QUEUED. 
*/ +- set_bit(NETFS_RREQ_ALL_QUEUED, &wreq->flags); ++ netfs_end_issue_write(wreq); + + mutex_unlock(&ictx->wb_lock); + +@@ -632,10 +653,7 @@ int netfs_end_writethrough(struct netfs_io_request *wreq, struct writeback_contr + if (writethrough_cache) + netfs_write_folio(wreq, wbc, writethrough_cache); + +- netfs_issue_write(wreq, &wreq->io_streams[0]); +- netfs_issue_write(wreq, &wreq->io_streams[1]); +- smp_wmb(); /* Write lists before ALL_QUEUED. */ +- set_bit(NETFS_RREQ_ALL_QUEUED, &wreq->flags); ++ netfs_end_issue_write(wreq); + + mutex_unlock(&ictx->wb_lock); + +@@ -680,13 +698,7 @@ int netfs_unbuffered_write(struct netfs_io_request *wreq, bool may_wait, size_t + break; + } + +- netfs_issue_write(wreq, upload); +- +- smp_wmb(); /* Write lists before ALL_QUEUED. */ +- set_bit(NETFS_RREQ_ALL_QUEUED, &wreq->flags); +- if (list_empty(&upload->subrequests)) +- netfs_wake_write_collector(wreq, false); +- ++ netfs_end_issue_write(wreq); + _leave(" = %d", error); + return error; + } +-- +2.43.0 + diff --git a/queue-6.11/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch b/queue-6.11/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch new file mode 100644 index 00000000000..225d8038a7d --- /dev/null +++ b/queue-6.11/ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch 
@@ -0,0 +1,142 @@ +From d57a2f65ae3a8cea0d08efbd5e68b17ec1e6e90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 07:45:53 +0000 +Subject: ppp: do not assume bh is held in ppp_channel_bridge_input() + +From: Eric Dumazet + +[ Upstream commit aec7291003df78cb71fd461d7b672912bde55807 ] + +Networking receive path is usually handled from BH handler. +However, some protocols need to acquire the socket lock, and +packets might be stored in the socket backlog is the socket was +owned by a user process. + +In this case, release_sock(), __release_sock(), and sk_backlog_rcv() +might call the sk->sk_backlog_rcv() handler in process context. + +sybot caught ppp was not considering this case in +ppp_channel_bridge_input() : + +WARNING: inconsistent lock state +6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted +-------------------------------- +inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes: + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 +{SOFTIRQ-ON-W} state was registered at: + lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379 + sk_backlog_rcv include/net/sock.h:1111 [inline] + __release_sock+0x1a8/0x3d8 net/core/sock.c:3004 + release_sock+0x68/0x1b8 net/core/sock.c:3558 + pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903 + sock_sendmsg_nosec net/socket.c:730 [inline] + 
__sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x374/0x4f4 net/socket.c:2204 + __do_sys_sendto net/socket.c:2216 [inline] + __se_sys_sendto net/socket.c:2212 [inline] + __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 +irq event stamp: 282914 + hardirqs last enabled at (282914): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] + hardirqs last enabled at (282914): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 + hardirqs last disabled at (282913): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + hardirqs last disabled at (282913): [] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162 + softirqs last enabled at (282904): [] softirq_handle_end kernel/softirq.c:400 [inline] + softirqs last enabled at (282904): [] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582 + softirqs last disabled at (282909): [] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&pch->downl); + + lock(&pch->downl); + + *** DEADLOCK *** + +1 lock held by ksoftirqd/1/24: + #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325 + +stack backtrace: +CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +Call trace: + dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319 + show_stack+0x2c/0x3c 
arch/arm64/kernel/stacktrace.c:326 + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119 + dump_stack+0x1c/0x28 lib/dump_stack.c:128 + print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000 + mark_lock_irq+0x980/0xd2c + mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677 + __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096 + lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline] + ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304 + ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495 + tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785 + tasklet_action+0x68/0x8c kernel/softirq.c:811 + handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554 + run_ksoftirqd+0x70/0x158 kernel/softirq.c:928 + smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164 + kthread+0x288/0x310 kernel/kthread.c:389 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 + +Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls") +Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Tom Parkin +Cc: James Chapman +Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index eb9acfcaeb097..9d2656afba660 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -2269,7 +2269,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + if (!pchb) + 
goto out_rcu; + +- spin_lock(&pchb->downl); ++ spin_lock_bh(&pchb->downl); + if (!pchb->chan) { + /* channel got unregistered */ + kfree_skb(skb); +@@ -2281,7 +2281,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb) + kfree_skb(skb); + + outl: +- spin_unlock(&pchb->downl); ++ spin_unlock_bh(&pchb->downl); + out_rcu: + rcu_read_unlock(); + +-- +2.43.0 + diff --git a/queue-6.11/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch b/queue-6.11/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch new file mode 100644 index 00000000000..7b89b35d11b --- /dev/null +++ b/queue-6.11/scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch 
@@ -0,0 +1,46 @@ +From a47f40d9ad7fe3ef7185ecb1da87839fea6cb949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 10:58:28 +0200 +Subject: scsi: pm8001: Do not overwrite PCI queue mapping + +From: Daniel Wagner + +[ Upstream commit a141c17a543332fc1238eb5cba562bfc66879126 ] + +blk_mq_pci_map_queues() maps all queues but right after this, we overwrite +these mappings by calling blk_mq_map_queues(). Just use one helper but not +both. + +Fixes: 42f22fe36d51 ("scsi: pm8001: Expose hardware queues for pm80xx") +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Signed-off-by: Daniel Wagner +Link: https://lore.kernel.org/r/20240912-do-not-overwrite-pci-mapping-v1-1-85724b6cec49@suse.de +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_init.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c +index 1e63cb6cd8e32..33e1eba62ca12 100644 +--- a/drivers/scsi/pm8001/pm8001_init.c ++++ b/drivers/scsi/pm8001/pm8001_init.c +@@ -100,10 +100,12 @@ static void pm8001_map_queues(struct Scsi_Host *shost) + struct pm8001_hba_info *pm8001_ha = sha->lldd_ha; + struct blk_mq_queue_map *qmap = &shost->tag_set.map[HCTX_TYPE_DEFAULT]; + +- if (pm8001_ha->number_of_intr > 1) ++ if (pm8001_ha->number_of_intr > 1) { + blk_mq_pci_map_queues(qmap, pm8001_ha->pdev, 1); ++ return; ++ } + +- return blk_mq_map_queues(qmap); ++ blk_mq_map_queues(qmap); + } + + /* +-- +2.43.0 + diff --git a/queue-6.11/scsi-st-fix-input-output-error-on-empty-drive-reset.patch b/queue-6.11/scsi-st-fix-input-output-error-on-empty-drive-reset.patch new file mode 100644 index 00000000000..cf3f3fc5ece --- /dev/null +++ b/queue-6.11/scsi-st-fix-input-output-error-on-empty-drive-reset.patch 
@@ -0,0 +1,75 @@ +From 7c0a5bb7574702a030c6e85e118306ea98584028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 12:39:21 -0500 +Subject: scsi: st: Fix input/output error on empty drive reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael Rocha + +[ Upstream commit 3d882cca73be830549833517ddccb3ac4668c04e ] + +A previous change was introduced to prevent data loss during a power-on +reset when a tape is present inside the drive. This commit set the +"pos_unknown" flag to true to avoid operations that could compromise data +by performing actions from an untracked position. The relevant change is +commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") + +As a consequence of this change, a new issue has surfaced: the driver now +returns an "Input/output error" even for empty drives when the drive, host, +or bus is reset. This issue stems from the "flush_buffer" function, which +first checks whether the "pos_unknown" flag is set. If the flag is set, the +user will encounter an "Input/output error" until the tape position is +known again. This behavior differs from the previous implementation, where +empty drives were not affected at system start up time, allowing tape +software to send commands to the driver to retrieve the drive's status and +other information. + +The current behavior prioritizes the "pos_unknown" flag over the +"ST_NO_TAPE" status, leading to issues for software that detects drives +during system startup. This software will receive an "Input/output error" +until a tape is loaded and its position is known. + +To resolve this, the "ST_NO_TAPE" status should take priority when the +drive is empty, allowing communication with the drive following a power-on +reset. At the same time, the change should continue to protect data by +maintaining the "pos_unknown" flag when the drive contains a tape and its +position is unknown. 
+ +Signed-off-by: Rafael Rocha +Link: https://lore.kernel.org/r/20240905173921.10944-1-rrochavi@fnal.gov +Fixes: 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") +Acked-by: Kai Mäkisara +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/st.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c +index 0d8ce1a92168c..d50bad3a2ce92 100644 +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -834,6 +834,9 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next) + int backspace, result; + struct st_partstat *STps; + ++ if (STp->ready != ST_READY) ++ return 0; ++ + /* + * If there was a bus reset, block further access + * to this device. +@@ -841,8 +844,6 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next) + if (STp->pos_unknown) + return (-EIO); + +- if (STp->ready != ST_READY) +- return 0; + STps = &(STp->ps[STp->partition]); + if (STps->rw == ST_WRITING) /* Writing */ + return st_flush_write_buffer(STp); +-- +2.43.0 + diff --git a/queue-6.11/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch b/queue-6.11/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch new file mode 100644 index 00000000000..c50c64c0943 --- /dev/null +++ b/queue-6.11/sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch 
@@ -0,0 +1,56 @@ +From 6febde446f4dbdfe0b213a53058716814d84dd22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2024 16:49:51 -0400 +Subject: sctp: set sk_state back to CLOSED if autobind fails in + sctp_listen_start + +From: Xin Long + +[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ] + +In sctp_listen_start() invoked by sctp_inet_listen(), it should set the +sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. + +Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse +is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will +be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash +is NULL. + + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617 + Call Trace: + + __sys_listen_socket net/socket.c:1883 [inline] + __sys_listen+0x1b7/0x230 net/socket.c:1894 + __do_sys_listen net/socket.c:1902 [inline] + +Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code") +Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 32f76f1298da8..078bcb3858c79 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8557,8 +8557,10 @@ static int sctp_listen_start(struct sock *sk, int backlog) + */ + inet_sk_set_state(sk, SCTP_SS_LISTENING); + if (!ep->base.bind_addr.port) { +- if (sctp_autobind(sk)) ++ if (sctp_autobind(sk)) { ++ inet_sk_set_state(sk, SCTP_SS_CLOSED); + return -EAGAIN; ++ } + } else { + if (sctp_get_port(sk, inet_sk(sk)->inet_num)) { + inet_sk_set_state(sk, SCTP_SS_CLOSED); +-- +2.43.0 + 
diff --git a/queue-6.11/selftests-netfilter-add-missing-return-value.patch b/queue-6.11/selftests-netfilter-add-missing-return-value.patch new file mode 100644 index 00000000000..9f31ddd8e57 --- /dev/null +++ b/queue-6.11/selftests-netfilter-add-missing-return-value.patch @@ -0,0 +1,34 @@ +From 948c6ecf501435fcf7ef0918c60f18aa96464688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2024 11:22:05 +0800 +Subject: selftests: netfilter: Add missing return value + +From: zhang jiao + +[ Upstream commit 10dbd23633f0433f8d13c2803d687b36a675ef60 ] + +There is no return value in count_entries, just add it. + +Fixes: eff3c558bb7e ("netfilter: ctnetlink: support filtering by zone") +Signed-off-by: zhang jiao +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/netfilter/conntrack_dump_flush.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c +index bd9317bf5adaf..dc056fec993bd 100644 +--- a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c ++++ b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c +@@ -207,6 +207,7 @@ static int conntrack_data_generate_v6(struct mnl_socket *sock, + static int count_entries(const struct nlmsghdr *nlh, void *data) + { + reply_counter++; ++ return MNL_CB_OK; + } + + static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone) +-- +2.43.0 + diff --git a/queue-6.11/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch b/queue-6.11/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch new file mode 100644 index 00000000000..6f738b7b8b3 --- /dev/null +++ b/queue-6.11/selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch 
@@ -0,0 +1,134 @@ +From 17620704ce07362f7bc8e4e8f794f1510492afa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 18:56:31 +0200 +Subject: selftests: netfilter: Fix nft_audit.sh for newer nft binaries + +From: Phil Sutter + +[ Upstream commit 8a89015644513ef69193a037eb966f2d55fe385a ] + +As a side-effect of nftables' commit dbff26bfba833 ("cache: consolidate +reset command"), audit logs changed when more objects were reset than +fit into a single netlink message. + +Since the objects' distribution in netlink messages is not relevant, +implement a summarizing function which combines repeated audit logs into +a single one with summed up 'entries=' value. + +Fixes: 203bb9d39866 ("selftests: netfilter: Extend nft_audit.sh") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + .../selftests/net/netfilter/nft_audit.sh | 57 ++++++++++--------- + 1 file changed, 29 insertions(+), 28 deletions(-) + +diff --git a/tools/testing/selftests/net/netfilter/nft_audit.sh b/tools/testing/selftests/net/netfilter/nft_audit.sh +index 902f8114bc80f..87f2b4c725aa0 100755 +--- a/tools/testing/selftests/net/netfilter/nft_audit.sh ++++ b/tools/testing/selftests/net/netfilter/nft_audit.sh +@@ -48,12 +48,31 @@ logread_pid=$! + trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT + exec 3<"$logfile" + ++lsplit='s/^\(.*\) entries=\([^ ]*\) \(.*\)$/pfx="\1"\nval="\2"\nsfx="\3"/' ++summarize_logs() { ++ sum=0 ++ while read line; do ++ eval $(sed "$lsplit" <<< "$line") ++ [[ $sum -gt 0 ]] && { ++ [[ "$pfx $sfx" == "$tpfx $tsfx" ]] && { ++ let "sum += val" ++ continue ++ } ++ echo "$tpfx entries=$sum $tsfx" ++ } ++ tpfx="$pfx" ++ tsfx="$sfx" ++ sum=$val ++ done ++ echo "$tpfx entries=$sum $tsfx" ++} ++ + do_test() { # (cmd, log) + echo -n "testing for cmd: $1 ... " + cat <&3 >/dev/null + $1 >/dev/null || exit 1 + sleep 0.1 +- res=$(diff -a -u <(echo "$2") - <&3) ++ res=$(diff -a -u <(echo "$2") <(summarize_logs <&3)) + [ $? 
-eq 0 ] && { echo "OK"; return; } + echo "FAIL" + grep -v '^\(---\|+++\|@@\)' <<< "$res" +@@ -152,31 +171,17 @@ do_test 'nft reset rules t1 c2' \ + 'table=t1 family=2 entries=3 op=nft_reset_rule' + + do_test 'nft reset rules table t1' \ +-'table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule' ++'table=t1 family=2 entries=9 op=nft_reset_rule' + + do_test 'nft reset rules t2 c3' \ +-'table=t2 family=2 entries=189 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=126 op=nft_reset_rule' ++'table=t2 family=2 entries=503 op=nft_reset_rule' + + do_test 'nft reset rules t2' \ +-'table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=186 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=129 op=nft_reset_rule' ++'table=t2 family=2 entries=509 op=nft_reset_rule' + + do_test 'nft reset rules' \ +-'table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=180 op=nft_reset_rule +-table=t2 family=2 entries=188 op=nft_reset_rule +-table=t2 family=2 entries=135 op=nft_reset_rule' ++'table=t1 family=2 entries=9 op=nft_reset_rule ++table=t2 family=2 entries=509 op=nft_reset_rule' + + # resetting sets and elements + +@@ -200,13 +205,11 @@ do_test 'nft reset counters t1' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj' + + do_test 'nft reset counters t2' \ +-'table=t2 family=2 entries=342 op=nft_reset_obj +-table=t2 family=2 entries=158 op=nft_reset_obj' ++'table=t2 family=2 entries=500 op=nft_reset_obj' + + do_test 'nft reset counters' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj +-table=t2 family=2 entries=341 op=nft_reset_obj 
+-table=t2 family=2 entries=159 op=nft_reset_obj' ++table=t2 family=2 entries=500 op=nft_reset_obj' + + # resetting quotas + +@@ -217,13 +220,11 @@ do_test 'nft reset quotas t1' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj' + + do_test 'nft reset quotas t2' \ +-'table=t2 family=2 entries=315 op=nft_reset_obj +-table=t2 family=2 entries=185 op=nft_reset_obj' ++'table=t2 family=2 entries=500 op=nft_reset_obj' + + do_test 'nft reset quotas' \ + 'table=t1 family=2 entries=1 op=nft_reset_obj +-table=t2 family=2 entries=314 op=nft_reset_obj +-table=t2 family=2 entries=186 op=nft_reset_obj' ++table=t2 family=2 entries=500 op=nft_reset_obj' + + # deleting rules + +-- +2.43.0 + diff --git a/queue-6.11/series b/queue-6.11/series new file mode 100644 index 00000000000..81dc5f36b99 --- /dev/null +++ b/queue-6.11/series 
@@ -0,0 +1,54 @@ +static_call-handle-module-init-failure-correctly-in-.patch +static_call-replace-pointless-warn_on-in-static_call.patch +jump_label-fix-static_key_slow_dec-yet-again.patch +scsi-st-fix-input-output-error-on-empty-drive-reset.patch +scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch +drm-i915-psr-do-not-wait-for-psr-being-idle-on-on-pa.patch +drm-i915-display-bmg-supports-uhbr13.5.patch +drm-i915-dp-fix-aux-io-power-enabling-for-edp-psr.patch +drm-amdgpu-fix-get-each-xcp-macro.patch +drm-amd-display-handle-nulled-pipe-context-in-dce110.patch +ksmbd-fix-warning-comparison-of-distinct-pointer-typ.patch +mailbox-arm_mhu_v3-should-depend-on-arm64.patch +mailbox-rockchip-fix-a-typo-in-module-autoloading.patch +mailbox-bcm2835-fix-timeout-during-suspend-mode.patch +ceph-fix-a-memory-leak-on-cap_auths-in-mds-client.patch +ceph-remove-the-incorrect-fw-reference-check-when-di.patch +drm-i915-dp-fix-colorimetry-detection.patch +ieee802154-fix-build-error.patch +net-sparx5-fix-invalid-timestamps.patch +net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch +net-mlx5-added-cond_resched-to-crdump-collection.patch +net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch +net-mlx5e-shampo-fix-overflow-of-hd_per_wq.patch +net-mlx5e-fix-crash-caused-by-calling-__xfrm_state_d.patch +netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch +net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch +net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch +selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch +netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch +selftests-netfilter-add-missing-return-value.patch +bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch +bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch +bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch +afs-fix-missing-wire-up-of-afs_retry_request.patch +afs-fix-the-setting-of-the-server-responding-flag.patch +net-dsa-improve-shutdown-sequence.patch 
+net-add-netif_get_gro_max_size-helper-for-gro.patch +net-fix-gso_features_check-to-check-for-both-dev-gso.patch +net-ethernet-lantiq_etop-fix-memory-disclosure.patch +net-fec-restart-pps-after-link-state-change.patch +net-fec-reload-ptp-registers-after-link-state-change.patch +net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch +net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch +net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch +ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch +netfs-fix-missing-wakeup-after-issuing-writes.patch +net-test-for-not-too-small-csum_start-in-virtio_net_.patch +ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch +net-phy-realtek-check-the-index-value-in-led_hw_cont.patch +bridge-mcast-fail-mdb-get-request-on-empty-entry.patch +net-ncsi-disable-the-ncsi-work-before-freeing-the-as.patch +iomap-constrain-the-file-range-passed-to-iomap_file_.patch +dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch +sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch diff --git a/queue-6.11/static_call-handle-module-init-failure-correctly-in-.patch b/queue-6.11/static_call-handle-module-init-failure-correctly-in-.patch new file mode 100644 index 00000000000..f7359656f39 --- /dev/null +++ b/queue-6.11/static_call-handle-module-init-failure-correctly-in-.patch 
@@ -0,0 +1,100 @@ +From f16eb27f6c8c14d29d90857754d5cf2829942251 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:09:07 +0200 +Subject: static_call: Handle module init failure correctly in + static_call_del_module() + +From: Thomas Gleixner + +[ Upstream commit 4b30051c4864234ec57290c3d142db7c88f10d8a ] + +Module insertion invokes static_call_add_module() to initialize the static +calls in a module. static_call_add_module() invokes __static_call_init(), +which allocates a struct static_call_mod to either encapsulate the built-in +static call sites of the associated key into it so further modules can be +added or to append the module to the module chain. + +If that allocation fails the function returns with an error code and the +module core invokes static_call_del_module() to clean up eventually added +static_call_mod entries. + +This works correctly, when all keys used by the module were converted over +to a module chain before the failure. If not then static_call_del_module() +causes a #GP as it blindly assumes that key::mods points to a valid struct +static_call_mod. + +The problem is that key::mods is not a individual struct member of struct +static_call_key, it's part of a union to save space: + + union { + /* bit 0: 0 = mods, 1 = sites */ + unsigned long type; + struct static_call_mod *mods; + struct static_call_site *sites; + }; + +key::sites is a pointer to the list of built-in usage sites of the static +call. The type of the pointer is differentiated by bit 0. A mods pointer +has the bit clear, the sites pointer has the bit set. + +As static_call_del_module() blidly assumes that the pointer is a valid +static_call_mod type, it fails to check for this failure case and +dereferences the pointer to the list of built-in call sites, which is +obviously bogus. + +Cure it by checking whether the key has a sites or a mods pointer. + +If it's a sites pointer then the key is not to be touched. 
As the sites are +walked in the same order as in __static_call_init() the site walk can be +terminated because all subsequent sites have not been touched by the init +code due to the error exit. + +If it was converted before the allocation fail, then the inner loop which +searches for a module match will find nothing. + +A fail in the second allocation in __static_call_init() is harmless and +does not require special treatment. The first allocation succeeded and +converted the key to a module chain. That first entry has mod::mod == NULL +and mod::next == NULL, so the inner loop of static_call_del_module() will +neither find a module match nor a module chain. The next site in the walk +was either already converted, but can't match the module, or it will exit +the outer loop because it has a static_call_site pointer and not a +static_call_mod pointer. + +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com +Reported-by: Jinjie Ruan +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Jinjie Ruan +Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index 639397b5491ca..7bb0962b52291 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -411,6 +411,17 @@ static void static_call_del_module(struct module *mod) + + for (site = start; site < stop; site++) { + key = static_call_key(site); ++ ++ /* ++ * If the key was not updated due to a memory allocation ++ * failure in __static_call_init() then treating key::sites ++ * as key::mods in the code below would cause random memory ++ * access and #GP. In that case all subsequent sites have ++ * not been touched either, so stop iterating. 
++ */ ++ if (!static_call_key_has_mods(key)) ++ break; ++ + if (key == prev_key) + continue; + +-- +2.43.0 + diff --git a/queue-6.11/static_call-replace-pointless-warn_on-in-static_call.patch b/queue-6.11/static_call-replace-pointless-warn_on-in-static_call.patch new file mode 100644 index 00000000000..7fb889a12a4 --- /dev/null +++ b/queue-6.11/static_call-replace-pointless-warn_on-in-static_call.patch 
@@ -0,0 +1,47 @@ +From b7550c7f1d641541dbb613cfa430abc13c1b381d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 11:08:28 +0200 +Subject: static_call: Replace pointless WARN_ON() in + static_call_module_notify() + +From: Thomas Gleixner + +[ Upstream commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 ] + +static_call_module_notify() triggers a WARN_ON(), when memory allocation +fails in __static_call_add_module(). + +That's not really justified, because the failure case must be correctly +handled by the well known call chain and the error code is passed +through to the initiating userspace application. + +A memory allocation fail is not a fatal problem, but the WARN_ON() takes +the machine out when panic_on_warn is set. + +Replace it with a pr_warn(). + +Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") +Signed-off-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/static_call_inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c +index 7bb0962b52291..5259cda486d05 100644 +--- a/kernel/static_call_inline.c ++++ b/kernel/static_call_inline.c +@@ -453,7 +453,7 @@ static int static_call_module_notify(struct notifier_block *nb, + case MODULE_STATE_COMING: + ret = static_call_add_module(mod); + if (ret) { +- WARN(1, "Failed to allocate memory for static calls"); ++ pr_warn("Failed to allocate memory for static calls\n"); + static_call_del_module(mod); + } + break; +-- +2.43.0 +
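Review bot: in the queued static_call_del_module() fix (the kernel/static_call_inline.c hunk at -411,6 +411,17), the added `if (!static_call_key_has_mods(key)) break;` is only safe because the sites are walked in the same order as in __static_call_init(). That ordering dependency is spelled out in the commit message but not in the added code comment, which says only that "all subsequent sites have not been touched either". Consider extending the comment to name the shared walk order with __static_call_init(), so that a later change to the init-side iteration is recognised as invalidating the early `break` (a `continue` would then be needed to avoid leaving converted keys behind).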
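Review bot: in the queued static_call_module_notify() change (the kernel/static_call_inline.c hunk at -453,7 +453,7), the replacement `pr_warn("Failed to allocate memory for static calls\n");` names neither the module being loaded nor the value of `ret`, and it reports an allocation failure for any non-zero return from static_call_add_module(). Since the WARN backtrace is gone, consider including the module and the error code in the message so the log line can be tied to the failed load. Minor: the subject and message refer to WARN_ON() while the removed line is `WARN(1, ...)`.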