From: Greg Kroah-Hartman Date: Mon, 26 Aug 2024 12:10:59 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.1.107~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a5da7368dafb52363bebd8a3bde8b5082cc91ce6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch acpi-video-add-dell-uart-backlight-controller-detection.patch ata-pata_macio-fix-dma-table-overflow.patch cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch mptcp-pm-fullmesh-select-the-right-id-later.patch mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch mptcp-pm-only-mark-subflow-endp-as-available.patch mptcp-pm-re-using-id-of-unused-flushed-subflows.patch mptcp-pm-re-using-id-of-unused-removed-add_addr.patch mptcp-pm-re-using-id-of-unused-removed-subflows.patch mptcp-pm-remove-mptcp_pm_remove_subflow.patch nouveau-firmware-use-dma-non-coherent-allocator.patch pmdomain-imx-scu-pd-remove-duplicated-clocks.patch pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch smb3-fix-broken-cached-reads-when-posix-locks.patch thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch --- diff --git a/queue-6.10/acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch b/queue-6.10/acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch new file mode 100644 index 00000000000..ec4471e8968 --- /dev/null +++ b/queue-6.10/acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch @@ -0,0 +1,63 @@ +From 5c7bb62cb8f53de71d8ab3d619be22740da0b837 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 14 Aug 2024 21:01:59 +0200 +Subject: ACPI: video: Add backlight=native quirk for Dell OptiPlex 7760 AIO + +From: Hans de Goede + +commit 5c7bb62cb8f53de71d8ab3d619be22740da0b837 upstream. + +Dell All In One (AIO) models released after 2017 may use a backlight +controller board connected to an UART. + +In DSDT this uart port will be defined as: + + Name (_HID, "DELL0501") + Name (_CID, EisaId ("PNP0501") + +The Dell OptiPlex 7760 AIO has an ACPI device for one if its UARTs with +the above _HID + _CID. Loading the dell-uart-backlight driver shows that +there actually is a backlight controller board attached to the UART, +which reports a firmware version of "G&MX01-V15". + +But the backlight controller board does not actually control the backlight +brightness and the GPU's native backlight control method does work. + +Add a quirk to use the GPU's native backlight control method on this model. + +Fixes: 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver") +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2303936 +Cc: All applicable +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20240814190159.15650-4-hdegoede@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -808,6 +808,21 @@ static const struct dmi_system_id video_ + }, + + /* ++ * Dell AIO (All in Ones) which advertise an UART attached backlight ++ * controller board in their ACPI tables (and may even have one), but ++ * which need native backlight control nevertheless. ++ */ ++ { ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=2303936 */ ++ .callback = video_detect_force_native, ++ /* Dell OptiPlex 7760 AIO */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 7760 AIO"), ++ }, ++ }, ++ ++ /* + * Models which have nvidia-ec-wmi support, but should not use it. + * Note this indicates a likely firmware bug on these models and should + * be revisited if/when Linux gets support for dynamic mux mode. diff --git a/queue-6.10/acpi-video-add-dell-uart-backlight-controller-detection.patch b/queue-6.10/acpi-video-add-dell-uart-backlight-controller-detection.patch new file mode 100644 index 00000000000..4baaad120f7 --- /dev/null +++ b/queue-6.10/acpi-video-add-dell-uart-backlight-controller-detection.patch @@ -0,0 +1,88 @@ +From cd8e468efb4fb2742e06328a75b282c35c1abf8d Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 14 Aug 2024 21:01:57 +0200 +Subject: ACPI: video: Add Dell UART backlight controller detection + +From: Hans de Goede + +commit cd8e468efb4fb2742e06328a75b282c35c1abf8d upstream. + +Dell All In One (AIO) models released after 2017 use a backlight +controller board connected to an UART. + +In DSDT this uart port will be defined as: + + Name (_HID, "DELL0501") + Name (_CID, EisaId ("PNP0501") + +Commit 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver") +has added support for this, but I neglected to tie this into +acpi_video_get_backlight_type(). + +Now the first AIO has turned up which has not only the DSDT bits for this, +but also an actual controller attached to the UART, yet it is not using +this controller for backlight control. + +Add support to acpi_video_get_backlight_type() for a new dell_uart +backlight type. So that the existing infra to override the backlight +control method on the commandline or with DMI quirks can be used. + +Fixes: 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver") +Cc: All applicable +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20240814190159.15650-2-hdegoede@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/video_detect.c | 7 +++++++ + include/acpi/video.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -54,6 +54,8 @@ static void acpi_video_parse_cmdline(voi + acpi_backlight_cmdline = acpi_backlight_nvidia_wmi_ec; + if (!strcmp("apple_gmux", acpi_video_backlight_string)) + acpi_backlight_cmdline = acpi_backlight_apple_gmux; ++ if (!strcmp("dell_uart", acpi_video_backlight_string)) ++ acpi_backlight_cmdline = acpi_backlight_dell_uart; + if (!strcmp("none", acpi_video_backlight_string)) + acpi_backlight_cmdline = acpi_backlight_none; + } +@@ -902,6 +904,7 @@ enum acpi_backlight_type __acpi_video_ge + static DEFINE_MUTEX(init_mutex); + static bool nvidia_wmi_ec_present; + static bool apple_gmux_present; ++ static bool dell_uart_present; + static bool native_available; + static bool init_done; + static long video_caps; +@@ -916,6 +919,7 @@ enum acpi_backlight_type __acpi_video_ge + &video_caps, NULL); + nvidia_wmi_ec_present = nvidia_wmi_ec_supported(); + apple_gmux_present = apple_gmux_detect(NULL, NULL); ++ dell_uart_present = acpi_dev_present("DELL0501", NULL, -1); + init_done = true; + } + if (native) +@@ -946,6 +950,9 @@ enum acpi_backlight_type __acpi_video_ge + if (apple_gmux_present) + return acpi_backlight_apple_gmux; + ++ if (dell_uart_present) ++ return acpi_backlight_dell_uart; ++ + /* Use ACPI video if available, except when native should be preferred. */ + if ((video_caps & ACPI_VIDEO_BACKLIGHT) && + !(native_available && prefer_native_over_acpi_video())) +--- a/include/acpi/video.h ++++ b/include/acpi/video.h +@@ -50,6 +50,7 @@ enum acpi_backlight_type { + acpi_backlight_native, + acpi_backlight_nvidia_wmi_ec, + acpi_backlight_apple_gmux, ++ acpi_backlight_dell_uart, + }; + + #if IS_ENABLED(CONFIG_ACPI_VIDEO) diff --git a/queue-6.10/ata-pata_macio-fix-dma-table-overflow.patch b/queue-6.10/ata-pata_macio-fix-dma-table-overflow.patch new file mode 100644 index 00000000000..a89066295c9 --- /dev/null +++ b/queue-6.10/ata-pata_macio-fix-dma-table-overflow.patch @@ -0,0 +1,120 @@ +From 822c8020aebcf5804a143b891e34f29873fee5e2 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 20 Aug 2024 13:03:58 +1000 +Subject: ata: pata_macio: Fix DMA table overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +commit 822c8020aebcf5804a143b891e34f29873fee5e2 upstream. + +Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing +in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix +max_segment_size with PAGE_SIZE == 64K"). + +For example: + + kernel BUG at drivers/ata/pata_macio.c:544! + Oops: Exception in kernel mode, sig: 5 [#1] + BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac + ... + NIP pata_macio_qc_prep+0xf4/0x190 + LR pata_macio_qc_prep+0xfc/0x190 + Call Trace: + 0xc1421660 (unreliable) + ata_qc_issue+0x14c/0x2d4 + __ata_scsi_queuecmd+0x200/0x53c + ata_scsi_queuecmd+0x50/0xe0 + scsi_queue_rq+0x788/0xb1c + __blk_mq_issue_directly+0x58/0xf4 + blk_mq_plug_issue_direct+0x8c/0x1b4 + blk_mq_flush_plug_list.part.0+0x584/0x5e0 + __blk_flush_plug+0xf8/0x194 + __submit_bio+0x1b8/0x2e0 + submit_bio_noacct_nocheck+0x230/0x304 + btrfs_work_helper+0x200/0x338 + process_one_work+0x1a8/0x338 + worker_thread+0x364/0x4c0 + kthread+0x100/0x104 + start_kernel_thread+0x10/0x14 + +That commit increased max_segment_size to 64KB, with the justification +that the SCSI core was already using that size when PAGE_SIZE == 64KB, +and that there was existing logic to split over-sized requests. + +However with a sufficiently large request, the splitting logic causes +each sg to be split into two commands in the DMA table, leading to +overflow of the DMA table, triggering the BUG_ON(). + +With default settings the bug doesn't trigger, because the request size +is limited by max_sectors_kb == 1280, however max_sectors_kb can be +increased, and apparently some distros do that by default using udev +rules. + +Fix the bug for 4KB kernels by reverting to the old max_segment_size. + +For 64KB kernels the sg_tablesize needs to be halved, to allow for the +possibility that each sg will be split into two. + +Fixes: 09fe2bfa6b83 ("ata: pata_macio: Fix max_segment_size with PAGE_SIZE == 64K") +Cc: stable@vger.kernel.org # v6.10+ +Reported-by: Kolbjørn Barmen +Closes: https://lore.kernel.org/all/62d248bb-e97a-25d2-bcf2-9160c518cae5@kolla.no/ +Reported-by: Jonáš Vidra +Closes: https://lore.kernel.org/all/3b6441b8-06e6-45da-9e55-f92f2c86933e@ufal.mff.cuni.cz/ +Tested-by: Kolbjørn Barmen +Signed-off-by: Michael Ellerman +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_macio.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c +index 1b85e8bf4ef9..1cb8d24b088f 100644 +--- a/drivers/ata/pata_macio.c ++++ b/drivers/ata/pata_macio.c +@@ -208,6 +208,19 @@ static const char* macio_ata_names[] = { + /* Don't let a DMA segment go all the way to 64K */ + #define MAX_DBDMA_SEG 0xff00 + ++#ifdef CONFIG_PAGE_SIZE_64KB ++/* ++ * The SCSI core requires the segment size to cover at least a page, so ++ * for 64K page size kernels it must be at least 64K. However the ++ * hardware can't handle 64K, so pata_macio_qc_prep() will split large ++ * requests. To handle the split requests the tablesize must be halved. ++ */ ++#define PATA_MACIO_MAX_SEGMENT_SIZE SZ_64K ++#define PATA_MACIO_SG_TABLESIZE (MAX_DCMDS / 2) ++#else ++#define PATA_MACIO_MAX_SEGMENT_SIZE MAX_DBDMA_SEG ++#define PATA_MACIO_SG_TABLESIZE MAX_DCMDS ++#endif + + /* + * Wait 1s for disk to answer on IDE bus after a hard reset +@@ -912,16 +925,10 @@ static int pata_macio_do_resume(struct pata_macio_priv *priv) + + static const struct scsi_host_template pata_macio_sht = { + __ATA_BASE_SHT(DRV_NAME), +- .sg_tablesize = MAX_DCMDS, ++ .sg_tablesize = PATA_MACIO_SG_TABLESIZE, + /* We may not need that strict one */ + .dma_boundary = ATA_DMA_BOUNDARY, +- /* +- * The SCSI core requires the segment size to cover at least a page, so +- * for 64K page size kernels this must be at least 64K. However the +- * hardware can't handle 64K, so pata_macio_qc_prep() will split large +- * requests. +- */ +- .max_segment_size = SZ_64K, ++ .max_segment_size = PATA_MACIO_MAX_SEGMENT_SIZE, + .device_configure = pata_macio_device_configure, + .sdev_groups = ata_common_sdev_groups, + .can_queue = ATA_DEF_QUEUE, +-- +2.46.0 + diff --git a/queue-6.10/cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch b/queue-6.10/cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch new file mode 100644 index 00000000000..33ef6924260 --- /dev/null +++ b/queue-6.10/cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch @@ -0,0 +1,57 @@ +From 311a1bdc44a8e06024df4fd3392be0dfc8298655 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sun, 4 Aug 2024 21:30:16 -0400 +Subject: cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if cpus.exclusive not set + +From: Waiman Long + +commit 311a1bdc44a8e06024df4fd3392be0dfc8298655 upstream. + +Commit e2ffe502ba45 ("cgroup/cpuset: Add cpuset.cpus.exclusive for +v2") adds a user writable cpuset.cpus.exclusive file for setting +exclusive CPUs to be used for the creation of partitions. Since then +effective_xcpus depends on both the cpuset.cpus and cpuset.cpus.exclusive +setting. If cpuset.cpus.exclusive is set, effective_xcpus will depend +only on cpuset.cpus.exclusive. When it is not set, effective_xcpus +will be set according to the cpuset.cpus value when the cpuset becomes +a valid partition root. + +When cpuset.cpus is being cleared by the user, effective_xcpus should +only be cleared when cpuset.cpus.exclusive is not set. However, that +is not currently the case. + + # cd /sys/fs/cgroup/ + # mkdir test + # echo +cpuset > cgroup.subtree_control + # cd test + # echo 3 > cpuset.cpus.exclusive + # cat cpuset.cpus.exclusive.effective + 3 + # echo > cpuset.cpus + # cat cpuset.cpus.exclusive.effective // was cleared + +Fix it by clearing effective_xcpus only if cpuset.cpus.exclusive is +not set. + +Fixes: e2ffe502ba45 ("cgroup/cpuset: Add cpuset.cpus.exclusive for v2") +Cc: stable@vger.kernel.org # v6.7+ +Reported-by: Chen Ridong +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2474,7 +2474,8 @@ static int update_cpumask(struct cpuset + */ + if (!*buf) { + cpumask_clear(trialcs->cpus_allowed); +- cpumask_clear(trialcs->effective_xcpus); ++ if (cpumask_empty(trialcs->exclusive_cpus)) ++ cpumask_clear(trialcs->effective_xcpus); + } else { + retval = cpulist_parse(buf, trialcs->cpus_allowed); + if (retval < 0) diff --git a/queue-6.10/cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch b/queue-6.10/cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch new file mode 100644 index 00000000000..b55b67ddde7 --- /dev/null +++ b/queue-6.10/cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch @@ -0,0 +1,97 @@ +From 959ab6350add903e352890af53e86663739fcb9a Mon Sep 17 00:00:00 2001 +From: Chen Ridong +Date: Sun, 4 Aug 2024 21:30:15 -0400 +Subject: cgroup/cpuset: fix panic caused by partcmd_update + +From: Chen Ridong + +commit 959ab6350add903e352890af53e86663739fcb9a upstream. + +We find a bug as below: +BUG: unable to handle page fault for address: 00000003 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 3 PID: 358 Comm: bash Tainted: G W I 6.6.0-10893-g60d6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4 +RIP: 0010:partition_sched_domains_locked+0x483/0x600 +Code: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9 +RSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202 +RAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80 +RBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000 +R10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002 +R13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0 +Call Trace: + + ? show_regs+0x8c/0xa0 + ? __die_body+0x23/0xa0 + ? __die+0x3a/0x50 + ? page_fault_oops+0x1d2/0x5c0 + ? partition_sched_domains_locked+0x483/0x600 + ? search_module_extables+0x2a/0xb0 + ? search_exception_tables+0x67/0x90 + ? kernelmode_fixup_or_oops+0x144/0x1b0 + ? __bad_area_nosemaphore+0x211/0x360 + ? up_read+0x3b/0x50 + ? bad_area_nosemaphore+0x1a/0x30 + ? exc_page_fault+0x890/0xd90 + ? __lock_acquire.constprop.0+0x24f/0x8d0 + ? __lock_acquire.constprop.0+0x24f/0x8d0 + ? asm_exc_page_fault+0x26/0x30 + ? partition_sched_domains_locked+0x483/0x600 + ? partition_sched_domains_locked+0xf0/0x600 + rebuild_sched_domains_locked+0x806/0xdc0 + update_partition_sd_lb+0x118/0x130 + cpuset_write_resmask+0xffc/0x1420 + cgroup_file_write+0xb2/0x290 + kernfs_fop_write_iter+0x194/0x290 + new_sync_write+0xeb/0x160 + vfs_write+0x16f/0x1d0 + ksys_write+0x81/0x180 + __x64_sys_write+0x21/0x30 + x64_sys_call+0x2f25/0x4630 + do_syscall_64+0x44/0xb0 + entry_SYSCALL_64_after_hwframe+0x78/0xe2 +RIP: 0033:0x7f44a553c887 + +It can be reproduced with cammands: +cd /sys/fs/cgroup/ +mkdir test +cd test/ +echo +cpuset > ../cgroup.subtree_control +echo root > cpuset.cpus.partition +cat /sys/fs/cgroup/cpuset.cpus.effective +0-3 +echo 0-3 > cpuset.cpus // taking away all cpus from root + +This issue is caused by the incorrect rebuilding of scheduling domains. +In this scenario, test/cpuset.cpus.partition should be an invalid root +and should not trigger the rebuilding of scheduling domains. When calling +update_parent_effective_cpumask with partcmd_update, if newmask is not +null, it should recheck newmask whether there are cpus is available +for parect/cs that has tasks. + +Fixes: 0c7f293efc87 ("cgroup/cpuset: Add cpuset.cpus.exclusive.effective for v2") +Cc: stable@vger.kernel.org # v6.7+ +Signed-off-by: Chen Ridong +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1940,6 +1940,8 @@ static int update_parent_effective_cpuma + part_error = PERR_CPUSEMPTY; + goto write_error; + } ++ /* Check newmask again, whether cpus are available for parent/cs */ ++ nocpu |= tasks_nocpu_error(parent, cs, newmask); + + /* + * partcmd_update with newmask: diff --git a/queue-6.10/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch b/queue-6.10/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch new file mode 100644 index 00000000000..7bed87b8cc1 --- /dev/null +++ b/queue-6.10/cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch @@ -0,0 +1,38 @@ +From 80a1e7b83bb1834b5568a3872e64c05795d88f31 Mon Sep 17 00:00:00 2001 +From: Nikolay Kuratov +Date: Mon, 19 Aug 2024 10:54:08 +0300 +Subject: cxgb4: add forgotten u64 ivlan cast before shift + +From: Nikolay Kuratov + +commit 80a1e7b83bb1834b5568a3872e64c05795d88f31 upstream. + +It is done everywhere in cxgb4 code, e.g. in is_filter_exact_match() +There is no reason it should not be done here + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Signed-off-by: Nikolay Kuratov +Cc: stable@vger.kernel.org +Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters") +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20240819075408.92378-1-kniv@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -1244,7 +1244,8 @@ static u64 hash_filter_ntuple(struct ch_ + * in the Compressed Filter Tuple. + */ + if (tp->vlan_shift >= 0 && fs->mask.ivlan) +- ntuple |= (FT_VLAN_VLD_F | fs->val.ivlan) << tp->vlan_shift; ++ ntuple |= (u64)(FT_VLAN_VLD_F | ++ fs->val.ivlan) << tp->vlan_shift; + + if (tp->port_shift >= 0 && fs->mask.iport) + ntuple |= (u64)fs->val.iport << tp->port_shift; diff --git a/queue-6.10/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch b/queue-6.10/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch new file mode 100644 index 00000000000..34b3f765bbf --- /dev/null +++ b/queue-6.10/input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch @@ -0,0 +1,117 @@ +From 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Thu, 4 Jan 2024 19:31:17 +0100 +Subject: Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 + +From: Werner Sembach + +commit 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 upstream. + +On s3 resume the i8042 driver tries to restore the controller to a known +state by reinitializing things, however this can confuse the controller +with different effects. Mostly occasionally unresponsive keyboards after +resume. + +These issues do not rise on s0ix resume as here the controller is assumed +to preserved its state from before suspend. + +This patch adds a quirk for devices where the reinitialization on s3 resume +is not needed and might be harmful as described above. It does this by +using the s0ix resume code path at selected locations. + +This new quirk goes beyond what the preexisting reset=never quirk does, +which only skips some reinitialization steps. + +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20240104183118.779778-2-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 10 +++++++--- + drivers/input/serio/i8042.c | 10 +++++++--- + 2 files changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -83,6 +83,7 @@ static inline void i8042_write_command(i + #define SERIO_QUIRK_KBDRESET BIT(12) + #define SERIO_QUIRK_DRITEK BIT(13) + #define SERIO_QUIRK_NOPNP BIT(14) ++#define SERIO_QUIRK_FORCENORESTORE BIT(15) + + /* Quirk table for different mainboards. Options similar or identical to i8042 + * module parameters. +@@ -1685,6 +1686,8 @@ static void __init i8042_check_quirks(vo + if (quirks & SERIO_QUIRK_NOPNP) + i8042_nopnp = true; + #endif ++ if (quirks & SERIO_QUIRK_FORCENORESTORE) ++ i8042_forcenorestore = true; + } + #else + static inline void i8042_check_quirks(void) {} +@@ -1718,7 +1721,7 @@ static int __init i8042_platform_init(vo + + i8042_check_quirks(); + +- pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s\n", ++ pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + i8042_nokbd ? " nokbd" : "", + i8042_noaux ? " noaux" : "", + i8042_nomux ? " nomux" : "", +@@ -1738,10 +1741,11 @@ static int __init i8042_platform_init(vo + "", + #endif + #ifdef CONFIG_PNP +- i8042_nopnp ? " nopnp" : ""); ++ i8042_nopnp ? " nopnp" : "", + #else +- ""); ++ "", + #endif ++ i8042_forcenorestore ? " forcenorestore" : ""); + + retval = i8042_pnp_init(); + if (retval) +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -115,6 +115,10 @@ module_param_named(nopnp, i8042_nopnp, b + MODULE_PARM_DESC(nopnp, "Do not use PNP to detect controller settings"); + #endif + ++static bool i8042_forcenorestore; ++module_param_named(forcenorestore, i8042_forcenorestore, bool, 0); ++MODULE_PARM_DESC(forcenorestore, "Force no restore on s3 resume, copying s2idle behaviour"); ++ + #define DEBUG + #ifdef DEBUG + static bool i8042_debug; +@@ -1232,7 +1236,7 @@ static int i8042_pm_suspend(struct devic + { + int i; + +- if (pm_suspend_via_firmware()) ++ if (!i8042_forcenorestore && pm_suspend_via_firmware()) + i8042_controller_reset(true); + + /* Set up serio interrupts for system wakeup. */ +@@ -1248,7 +1252,7 @@ static int i8042_pm_suspend(struct devic + + static int i8042_pm_resume_noirq(struct device *dev) + { +- if (!pm_resume_via_firmware()) ++ if (i8042_forcenorestore || !pm_resume_via_firmware()) + i8042_interrupt(0, NULL); + + return 0; +@@ -1271,7 +1275,7 @@ static int i8042_pm_resume(struct device + * not restore the controller state to whatever it had been at boot + * time, so we do not need to do anything. + */ +- if (!pm_suspend_via_firmware()) ++ if (i8042_forcenorestore || !pm_suspend_via_firmware()) + return 0; + + /* diff --git a/queue-6.10/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch b/queue-6.10/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch new file mode 100644 index 00000000000..5deb2ceb8d3 --- /dev/null +++ b/queue-6.10/input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch @@ -0,0 +1,46 @@ +From aaa4ca873d3da768896ffc909795359a01e853ef Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Thu, 4 Jan 2024 19:31:18 +0100 +Subject: Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination + +From: Werner Sembach + +commit aaa4ca873d3da768896ffc909795359a01e853ef upstream. + +The old quirk combination sometimes cause a laggy keyboard after boot. With +the new quirk the initial issue of an unresponsive keyboard after s3 resume +is also fixed, but it doesn't have the negative side effect of the +sometimes laggy keyboard. + +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20240104183118.779778-3-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -1150,18 +1150,10 @@ static const struct dmi_system_id i8042_ + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, + { +- /* +- * Setting SERIO_QUIRK_NOMUX or SERIO_QUIRK_RESET_ALWAYS makes +- * the keyboard very laggy for ~5 seconds after boot and +- * sometimes also after resume. +- * However both are required for the keyboard to not fail +- * completely sometimes after boot or resume. +- */ + .matches = { + DMI_MATCH(DMI_BOARD_NAME, "N150CU"), + }, +- .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | +- SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ .driver_data = (void *)(SERIO_QUIRK_FORCENORESTORE) + }, + { + .matches = { diff --git a/queue-6.10/iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch b/queue-6.10/iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch new file mode 100644 index 00000000000..b610b17ef10 --- /dev/null +++ b/queue-6.10/iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch @@ -0,0 +1,33 @@ +From 950aeefb34923fe3c28ade35fe05f24e2c5b1d55 Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Wed, 17 Jul 2024 22:01:30 -0700 +Subject: iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace() + +From: Nicolin Chen + +commit 950aeefb34923fe3c28ade35fe05f24e2c5b1d55 upstream. + +The rewind routine should remove the reserved iovas added to the new hwpt. + +Fixes: 89db31635c87 ("iommufd: Derive iommufd_hwpt_paging from iommufd_hw_pagetable") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/r/20240718050130.1956804-1-nicolinc@nvidia.com +Signed-off-by: Nicolin Chen +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommufd/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/iommufd/device.c ++++ b/drivers/iommu/iommufd/device.c +@@ -525,7 +525,7 @@ iommufd_device_do_replace(struct iommufd + err_unresv: + if (hwpt_is_paging(hwpt)) + iommufd_group_remove_reserved_iova(igroup, +- to_hwpt_paging(old_hwpt)); ++ to_hwpt_paging(hwpt)); + err_unlock: + mutex_unlock(&idev->igroup->lock); + return ERR_PTR(rc); diff --git a/queue-6.10/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch b/queue-6.10/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch new file mode 100644 index 00000000000..634f620829e --- /dev/null +++ b/queue-6.10/kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch @@ -0,0 +1,66 @@ +From 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 20 Aug 2024 11:03:38 +0100 +Subject: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 + +From: Marc Zyngier + +commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream. + +On a system with a GICv3, if a guest hasn't been configured with +GICv3 and that the host is not capable of GICv2 emulation, +a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. + +We therefore try to emulate the SGI access, only to hit a NULL +pointer as no private interrupt is allocated (no GIC, remember?). + +The obvious fix is to give the guest what it deserves, in the +shape of a UNDEF exception. + +Reported-by: Alexander Potapenko +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/sys_regs.c | 6 ++++++ + arch/arm64/kvm/vgic/vgic.h | 7 +++++++ + 2 files changed, 13 insertions(+) + +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -33,6 +33,7 @@ + #include + + #include "sys_regs.h" ++#include "vgic/vgic.h" + + #include "trace.h" + +@@ -428,6 +429,11 @@ static bool access_gic_sgi(struct kvm_vc + { + bool g1; + ++ if (!kvm_has_gicv3(vcpu->kvm)) { ++ kvm_inject_undefined(vcpu); ++ return false; ++ } ++ + if (!p->is_write) + return read_from_write_only(vcpu, p, r); + +--- a/arch/arm64/kvm/vgic/vgic.h ++++ b/arch/arm64/kvm/vgic/vgic.h +@@ -346,4 +346,11 @@ void vgic_v4_configure_vsgis(struct kvm + void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val); + int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq); + ++static inline bool kvm_has_gicv3(struct kvm *kvm) ++{ ++ return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) && ++ irqchip_in_kernel(kvm) && ++ kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3); ++} ++ + #endif diff --git a/queue-6.10/kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch b/queue-6.10/kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch new file mode 100644 index 00000000000..1b9595e43ad --- /dev/null +++ b/queue-6.10/kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch @@ -0,0 +1,37 @@ +From 2240a50e6294214de791729e9dcba6880fa7e44e Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Sat, 17 Aug 2024 18:15:41 +0800 +Subject: KVM: arm64: vgic-debug: Don't put unmarked LPIs + +From: Zenghui Yu + +commit 2240a50e6294214de791729e9dcba6880fa7e44e upstream. + +If there were LPIs being mapped behind our back (i.e., between .start() and +.stop()), we would put them at iter_unmark_lpis() without checking if they +were actually *marked*, which is obviously not good. + +Switch to use the xa_for_each_marked() iterator to fix it. + +Cc: stable@vger.kernel.org +Fixes: 85d3ccc8b75b ("KVM: arm64: vgic-debug: Use an xarray mark for debug iterator") +Signed-off-by: Zenghui Yu +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240817101541.1664-1-yuzenghui@huawei.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kvm/vgic/vgic-debug.c ++++ b/arch/arm64/kvm/vgic/vgic-debug.c +@@ -84,7 +84,7 @@ static void iter_unmark_lpis(struct kvm + struct vgic_irq *irq; + unsigned long intid; + +- xa_for_each(&dist->lpi_xa, intid, irq) { ++ xa_for_each_marked(&dist->lpi_xa, intid, irq, LPI_XA_MARK_DEBUG_ITER) { + xa_clear_mark(&dist->lpi_xa, intid, LPI_XA_MARK_DEBUG_ITER); + vgic_put_irq(kvm, irq); + } diff --git a/queue-6.10/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch b/queue-6.10/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch new file mode 100644 index 00000000000..9650e5fa899 --- /dev/null +++ b/queue-6.10/mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch @@ -0,0 +1,47 @@ +From 6275c7bc8dd07644ea8142a1773d826800f0f3f7 Mon Sep 17 00:00:00 2001 +From: Ben Whitten +Date: Sun, 11 Aug 2024 22:22:11 +0100 +Subject: mmc: dw_mmc: allow biu and ciu clocks to defer + +From: Ben Whitten + +commit 6275c7bc8dd07644ea8142a1773d826800f0f3f7 upstream. + +Fix a race condition if the clock provider comes up after mmc is probed, +this causes mmc to fail without retrying. +When given the DEFER error from the clk source, pass it on up the chain. + +Fixes: f90a0612f0e1 ("mmc: dw_mmc: lookup for optional biu and ciu clocks") +Signed-off-by: Ben Whitten +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240811212212.123255-1-ben.whitten@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/dw_mmc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -3293,6 +3293,10 @@ int dw_mci_probe(struct dw_mci *host) + host->biu_clk = devm_clk_get(host->dev, "biu"); + if (IS_ERR(host->biu_clk)) { + dev_dbg(host->dev, "biu clock not available\n"); ++ ret = PTR_ERR(host->biu_clk); ++ if (ret == -EPROBE_DEFER) ++ return ret; ++ + } else { + ret = clk_prepare_enable(host->biu_clk); + if (ret) { +@@ -3304,6 +3308,10 @@ int dw_mci_probe(struct dw_mci *host) + host->ciu_clk = devm_clk_get(host->dev, "ciu"); + if (IS_ERR(host->ciu_clk)) { + dev_dbg(host->dev, "ciu clock not available\n"); ++ ret = PTR_ERR(host->ciu_clk); ++ if (ret == -EPROBE_DEFER) ++ goto err_clk_biu; ++ + host->bus_hz = host->pdata->bus_hz; + } else { + ret = clk_prepare_enable(host->ciu_clk); diff --git a/queue-6.10/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch b/queue-6.10/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch new file mode 100644 index 00000000000..ac4df990d4d --- /dev/null +++ b/queue-6.10/mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch @@ -0,0 +1,49 @@ +From 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d Mon Sep 17 00:00:00 2001 +From: Mengqi Zhang +Date: Tue, 16 Jul 2024 09:37:04 +0800 +Subject: mmc: mtk-sd: receive cmd8 data when hs400 tuning fail + +From: Mengqi Zhang + +commit 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d upstream. + +When we use cmd8 as the tuning command in hs400 mode, the command +response sent back by some eMMC devices cannot be correctly sampled +by MTK eMMC controller at some weak sample timing. In this case, +command timeout error may occur. So we must receive the following +data to make sure the next cmd8 send correctly. + +Signed-off-by: Mengqi Zhang +Fixes: c4ac38c6539b ("mmc: mtk-sd: Add HS400 online tuning support") +Cc: stable@vger.stable.com +Link: https://lore.kernel.org/r/20240716013704.10578-1-mengqi.zhang@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mtk-sd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -1230,7 +1230,7 @@ static bool msdc_cmd_done(struct msdc_ho + } + + if (!sbc_error && !(events & MSDC_INT_CMDRDY)) { +- if (events & MSDC_INT_CMDTMO || ++ if ((events & MSDC_INT_CMDTMO && !host->hs400_tuning) || + (!mmc_op_tuning(cmd->opcode) && !host->hs400_tuning)) + /* + * should not clear fifo/interrupt as the tune data +@@ -1323,9 +1323,9 @@ static void msdc_start_command(struct ms + static void msdc_cmd_next(struct msdc_host *host, + struct mmc_request *mrq, struct mmc_command *cmd) + { +- if ((cmd->error && +- !(cmd->error == -EILSEQ && +- (mmc_op_tuning(cmd->opcode) || host->hs400_tuning))) || ++ if ((cmd->error && !host->hs400_tuning && ++ !(cmd->error == -EILSEQ && ++ mmc_op_tuning(cmd->opcode))) || + (mrq->sbc && mrq->sbc->error)) + msdc_request_done(host, mrq); + else if (cmd == mrq->sbc) diff --git a/queue-6.10/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch b/queue-6.10/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch new file mode 100644 index 00000000000..4a9d160dc98 --- /dev/null +++ b/queue-6.10/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch @@ -0,0 +1,171 @@ +From 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:32 +0200 +Subject: mptcp: pm: avoid possible UaF when selecting endp + +From: Matthieu Baerts (NGI0) + +commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream. + +select_local_address() and select_signal_address() both select an +endpoint entry from the list inside an RCU protected section, but return +a reference to it, to be read later on. If the entry is dereferenced +after the RCU unlock, reading info could cause a Use-after-Free. + +A simple solution is to copy the required info while inside the RCU +protected section to avoid any risk of UaF later. The address ID might +need to be modified later to handle the ID0 case later, so a copy seems +OK to deal with. + +Reported-by: Paolo Abeni +Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com +Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 64 ++++++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 30 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -143,11 +143,13 @@ static bool lookup_subflow_by_daddr(cons + return false; + } + +-static struct mptcp_pm_addr_entry * ++static bool + select_local_address(const struct pm_nl_pernet *pernet, +- const struct mptcp_sock *msk) ++ const struct mptcp_sock *msk, ++ struct mptcp_pm_addr_entry *new_entry) + { +- struct mptcp_pm_addr_entry *entry, *ret = NULL; ++ struct mptcp_pm_addr_entry *entry; ++ bool found = false; + + msk_owned_by_me(msk); + +@@ -159,17 +161,21 @@ select_local_address(const struct pm_nl_ + if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap)) + continue; + +- ret = entry; ++ *new_entry = *entry; ++ found = true; + break; + } + rcu_read_unlock(); +- return ret; ++ ++ return found; + } + +-static struct mptcp_pm_addr_entry * +-select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk) ++static bool ++select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk, ++ struct mptcp_pm_addr_entry *new_entry) + { +- struct mptcp_pm_addr_entry *entry, *ret = NULL; ++ struct mptcp_pm_addr_entry *entry; ++ bool found = false; + + rcu_read_lock(); + /* do not keep any additional per socket state, just signal +@@ -184,11 +190,13 @@ select_signal_address(struct pm_nl_perne + if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) + continue; + +- ret = entry; ++ *new_entry = *entry; ++ found = true; + break; + } + rcu_read_unlock(); +- return ret; ++ ++ return found; + } + + unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk) +@@ -512,9 +520,10 @@ __lookup_addr(struct pm_nl_pernet *perne + + static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) + { +- struct mptcp_pm_addr_entry *local, *signal_and_subflow = NULL; + struct sock *sk = (struct sock *)msk; ++ struct mptcp_pm_addr_entry local; + unsigned int add_addr_signal_max; ++ bool signal_and_subflow = false; + unsigned int local_addr_max; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; +@@ -565,23 +574,22 @@ static void mptcp_pm_create_subflow_or_s + if (msk->pm.addr_signal & BIT(MPTCP_ADD_ADDR_SIGNAL)) + return; + +- local = select_signal_address(pernet, msk); +- if (!local) ++ if (!select_signal_address(pernet, msk, &local)) + goto subflow; + + /* If the alloc fails, we are on memory pressure, not worth + * continuing, and trying to create subflows. + */ +- if (!mptcp_pm_alloc_anno_list(msk, &local->addr)) ++ if (!mptcp_pm_alloc_anno_list(msk, &local.addr)) + return; + +- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); ++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); + msk->pm.add_addr_signaled++; +- mptcp_pm_announce_addr(msk, &local->addr, false); ++ mptcp_pm_announce_addr(msk, &local.addr, false); + mptcp_pm_nl_addr_send_ack(msk); + +- if (local->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) +- signal_and_subflow = local; ++ if (local.flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) ++ signal_and_subflow = true; + } + + subflow: +@@ -592,26 +600,22 @@ subflow: + bool fullmesh; + int i, nr; + +- if (signal_and_subflow) { +- local = signal_and_subflow; +- signal_and_subflow = NULL; +- } else { +- local = select_local_address(pernet, msk); +- if (!local) +- break; +- } ++ if (signal_and_subflow) ++ signal_and_subflow = false; ++ else if (!select_local_address(pernet, msk, &local)) ++ break; + +- fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH); ++ fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH); + + msk->pm.local_addr_used++; +- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); +- nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs); ++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); ++ nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs); + if (nr == 0) + continue; + + spin_unlock_bh(&msk->pm.lock); + for (i = 0; i < nr; i++) +- __mptcp_subflow_connect(sk, &local->addr, &addrs[i]); ++ __mptcp_subflow_connect(sk, &local.addr, &addrs[i]); + spin_lock_bh(&msk->pm.lock); + } + mptcp_pm_nl_check_work_pending(msk); diff --git a/queue-6.10/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch b/queue-6.10/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch new file mode 100644 index 00000000000..9e2183c1253 --- /dev/null +++ b/queue-6.10/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch @@ -0,0 +1,36 @@ +From 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:28 +0200 +Subject: mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR + +From: Matthieu Baerts (NGI0) + +commit 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb upstream. + +The limits might have changed in between, it is best to check them +before accepting new ADD_ADDR. + +Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-10-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -848,8 +848,8 @@ static void mptcp_pm_nl_rm_addr_or_subfl + /* Note: if the subflow has been closed before, this + * add_addr_accepted counter will not be decremented. + */ +- msk->pm.add_addr_accepted--; +- WRITE_ONCE(msk->pm.accept_addr, true); ++ if (--msk->pm.add_addr_accepted < mptcp_pm_get_add_addr_accept_max(msk)) ++ WRITE_ONCE(msk->pm.accept_addr, true); + } + } + } diff --git a/queue-6.10/mptcp-pm-fullmesh-select-the-right-id-later.patch b/queue-6.10/mptcp-pm-fullmesh-select-the-right-id-later.patch new file mode 100644 index 00000000000..55589dbe3e4 --- /dev/null +++ b/queue-6.10/mptcp-pm-fullmesh-select-the-right-id-later.patch @@ -0,0 +1,64 @@ +From 09355f7abb9fbfc1a240be029837921ea417bf4f Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:30 +0200 +Subject: mptcp: pm: fullmesh: select the right ID later + +From: Matthieu Baerts (NGI0) + +commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream. + +When reacting upon the reception of an ADD_ADDR, the in-kernel PM first +looks for fullmesh endpoints. If there are some, it will pick them, +using their entry ID. + +It should set the ID 0 when using the endpoint corresponding to the +initial subflow, it is a special case imposed by the MPTCP specs. + +Note that msk->mpc_endpoint_id might not be set when receiving the first +ADD_ADDR from the server. So better to compare the addresses. + +Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -636,6 +636,7 @@ static unsigned int fill_local_addresses + { + struct sock *sk = (struct sock *)msk; + struct mptcp_pm_addr_entry *entry; ++ struct mptcp_addr_info mpc_addr; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; + int i = 0; +@@ -643,6 +644,8 @@ static unsigned int fill_local_addresses + pernet = pm_nl_get_pernet_from_msk(msk); + subflows_max = mptcp_pm_get_subflows_max(msk); + ++ mptcp_local_address((struct sock_common *)msk, &mpc_addr); ++ + rcu_read_lock(); + list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) { + if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH)) +@@ -653,7 +656,13 @@ static unsigned int fill_local_addresses + + if (msk->pm.subflows < subflows_max) { + msk->pm.subflows++; +- addrs[i++] = entry->addr; ++ addrs[i] = entry->addr; ++ ++ /* Special case for ID0: set the correct ID */ ++ if (mptcp_addresses_equal(&entry->addr, &mpc_addr, entry->addr.port)) ++ addrs[i].id = 0; ++ ++ i++; + } + } + rcu_read_unlock(); diff --git a/queue-6.10/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch b/queue-6.10/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch new file mode 100644 index 00000000000..8aba13427da --- /dev/null +++ b/queue-6.10/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch @@ -0,0 +1,62 @@ +From 1c1f721375989579e46741f59523e39ec9b2a9bd Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:27 +0200 +Subject: mptcp: pm: only decrement add_addr_accepted for MPJ req + +From: Matthieu Baerts (NGI0) + +commit 1c1f721375989579e46741f59523e39ec9b2a9bd upstream. + +Adding the following warning ... + + WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) + +... before decrementing the add_addr_accepted counter helped to find a +bug when running the "remove single subflow" subtest from the +mptcp_join.sh selftest. + +Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the +subflow closure. Before this patch, and upon the reception of the +RM_ADDR, the other peer will then try to decrement this +add_addr_accepted. That's not correct because the attached subflows have +not been created upon the reception of an ADD_ADDR. + +A way to solve that is to decrement the counter only if the attached +subflow was an MP_JOIN to a remote id that was not 0, and initiated by +the host receiving the RM_ADDR. + +Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -829,7 +829,7 @@ static void mptcp_pm_nl_rm_addr_or_subfl + mptcp_close_ssk(sk, ssk, subflow); + spin_lock_bh(&msk->pm.lock); + +- removed = true; ++ removed |= subflow->request_join; + if (rm_type == MPTCP_MIB_RMSUBFLOW) + __MPTCP_INC_STATS(sock_net(sk), rm_type); + } +@@ -843,7 +843,11 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (!mptcp_pm_is_kernel(msk)) + continue; + +- if (rm_type == MPTCP_MIB_RMADDR) { ++ if (rm_type == MPTCP_MIB_RMADDR && rm_id && ++ !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) { ++ /* Note: if the subflow has been closed before, this ++ * add_addr_accepted counter will not be decremented. ++ */ + msk->pm.add_addr_accepted--; + WRITE_ONCE(msk->pm.accept_addr, true); + } diff --git a/queue-6.10/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch b/queue-6.10/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch new file mode 100644 index 00000000000..c2ed8b03a25 --- /dev/null +++ b/queue-6.10/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch @@ -0,0 +1,53 @@ +From ca6e55a703ca2894611bb5c5bca8bfd2290fd91e Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:29 +0200 +Subject: mptcp: pm: only in-kernel cannot have entries with ID 0 + +From: Matthieu Baerts (NGI0) + +commit ca6e55a703ca2894611bb5c5bca8bfd2290fd91e upstream. + +The ID 0 is specific per MPTCP connections. The per netns entries cannot +have this special ID 0 then. + +But that's different for the userspace PM where the entries are per +connection, they can then use this special ID 0. + +Fixes: f40be0db0b76 ("mptcp: unify pm get_flags_and_ifindex_by_id") +Cc: stable@vger.kernel.org +Acked-by: Geliang Tang +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-11-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 3 --- + net/mptcp/pm_netlink.c | 4 ++++ + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -434,9 +434,6 @@ int mptcp_pm_get_flags_and_ifindex_by_id + *flags = 0; + *ifindex = 0; + +- if (!id) +- return 0; +- + if (mptcp_pm_is_userspace(msk)) + return mptcp_userspace_pm_get_flags_and_ifindex_by_id(msk, id, flags, ifindex); + return mptcp_pm_nl_get_flags_and_ifindex_by_id(msk, id, flags, ifindex); +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1395,6 +1395,10 @@ int mptcp_pm_nl_get_flags_and_ifindex_by + struct sock *sk = (struct sock *)msk; + struct net *net = sock_net(sk); + ++ /* No entries with ID 0 */ ++ if (id == 0) ++ return 0; ++ + rcu_read_lock(); + entry = __lookup_addr_by_id(pm_nl_get_pernet(net), id); + if (entry) { diff --git a/queue-6.10/mptcp-pm-only-mark-subflow-endp-as-available.patch b/queue-6.10/mptcp-pm-only-mark-subflow-endp-as-available.patch new file mode 100644 index 00000000000..46445c3d83f --- /dev/null +++ b/queue-6.10/mptcp-pm-only-mark-subflow-endp-as-available.patch @@ -0,0 +1,114 @@ +From 322ea3778965da72862cca2a0c50253aacf65fe6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:26 +0200 +Subject: mptcp: pm: only mark 'subflow' endp as available + +From: Matthieu Baerts (NGI0) + +commit 322ea3778965da72862cca2a0c50253aacf65fe6 upstream. + +Adding the following warning ... + + WARN_ON_ONCE(msk->pm.local_addr_used == 0) + +... before decrementing the local_addr_used counter helped to find a bug +when running the "remove single address" subtest from the mptcp_join.sh +selftests. + +Removing a 'signal' endpoint will trigger the removal of all subflows +linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with +rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used +counter, which is wrong in this case because this counter is linked to +'subflow' endpoints, and here it is a 'signal' endpoint that is being +removed. + +Now, the counter is decremented, only if the ID is being used outside +of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and +if the ID is not 0 -- local_addr_used is not taking into account these +ones. This marking of the ID as being available, and the decrement is +done no matter if a subflow using this ID is currently available, +because the subflow could have been closed before. + +Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-8-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -833,10 +833,10 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (rm_type == MPTCP_MIB_RMSUBFLOW) + __MPTCP_INC_STATS(sock_net(sk), rm_type); + } +- if (rm_type == MPTCP_MIB_RMSUBFLOW) +- __set_bit(rm_id ? rm_id : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap); +- else if (rm_type == MPTCP_MIB_RMADDR) ++ ++ if (rm_type == MPTCP_MIB_RMADDR) + __MPTCP_INC_STATS(sock_net(sk), rm_type); ++ + if (!removed) + continue; + +@@ -846,8 +846,6 @@ static void mptcp_pm_nl_rm_addr_or_subfl + if (rm_type == MPTCP_MIB_RMADDR) { + msk->pm.add_addr_accepted--; + WRITE_ONCE(msk->pm.accept_addr, true); +- } else if (rm_type == MPTCP_MIB_RMSUBFLOW) { +- msk->pm.local_addr_used--; + } + } + } +@@ -1441,6 +1439,14 @@ static bool mptcp_pm_remove_anno_addr(st + return ret; + } + ++static void __mark_subflow_endp_available(struct mptcp_sock *msk, u8 id) ++{ ++ /* If it was marked as used, and not ID 0, decrement local_addr_used */ ++ if (!__test_and_set_bit(id ? : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap) && ++ id && !WARN_ON_ONCE(msk->pm.local_addr_used == 0)) ++ msk->pm.local_addr_used--; ++} ++ + static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net, + const struct mptcp_pm_addr_entry *entry) + { +@@ -1474,11 +1480,11 @@ static int mptcp_nl_remove_subflow_and_s + spin_lock_bh(&msk->pm.lock); + mptcp_pm_nl_rm_subflow_received(msk, &list); + spin_unlock_bh(&msk->pm.lock); +- } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { +- /* If the subflow has been used, but now closed */ ++ } ++ ++ if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { + spin_lock_bh(&msk->pm.lock); +- if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap)) +- msk->pm.local_addr_used--; ++ __mark_subflow_endp_available(msk, list.ids[0]); + spin_unlock_bh(&msk->pm.lock); + } + +@@ -1516,6 +1522,7 @@ static int mptcp_nl_remove_id_zero_addre + spin_lock_bh(&msk->pm.lock); + mptcp_pm_remove_addr(msk, &list); + mptcp_pm_nl_rm_subflow_received(msk, &list); ++ __mark_subflow_endp_available(msk, 0); + spin_unlock_bh(&msk->pm.lock); + release_sock(sk); + +@@ -1917,6 +1924,7 @@ static void mptcp_pm_nl_fullmesh(struct + + spin_lock_bh(&msk->pm.lock); + mptcp_pm_nl_rm_subflow_received(msk, &list); ++ __mark_subflow_endp_available(msk, list.ids[0]); + mptcp_pm_create_subflow_or_signal_addr(msk); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.10/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch b/queue-6.10/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch new file mode 100644 index 00000000000..33f1be6468e --- /dev/null +++ b/queue-6.10/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch @@ -0,0 +1,49 @@ +From ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:23 +0200 +Subject: mptcp: pm: re-using ID of unused flushed subflows + +From: Matthieu Baerts (NGI0) + +commit ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 upstream. + +If no subflows are attached to the 'subflow' endpoints that are being +flushed, the corresponding addr IDs will not be marked as available +again. + +Mark all ID as being available when flushing all the 'subflow' +endpoints, and reset local_addr_used counter to cover these cases. + +Note that mptcp_pm_remove_addrs_and_subflows() helper is only called for +flushing operations, not to remove a specific set of addresses and +subflows. + +Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-5-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1623,8 +1623,15 @@ static void mptcp_pm_remove_addrs_and_su + mptcp_pm_remove_addr(msk, &alist); + spin_unlock_bh(&msk->pm.lock); + } ++ + if (slist.nr) + mptcp_pm_remove_subflow(msk, &slist); ++ ++ /* Reset counters: maybe some subflows have been removed before */ ++ spin_lock_bh(&msk->pm.lock); ++ bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); ++ msk->pm.local_addr_used = 0; ++ spin_unlock_bh(&msk->pm.lock); + } + + static void mptcp_nl_remove_addrs_list(struct net *net, diff --git a/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch b/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch new file mode 100644 index 00000000000..822bc32b1b1 --- /dev/null +++ b/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch @@ -0,0 +1,40 @@ +From e255683c06df572ead96db5efb5d21be30c0efaa Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:19 +0200 +Subject: mptcp: pm: re-using ID of unused removed ADD_ADDR + +From: Matthieu Baerts (NGI0) + +commit e255683c06df572ead96db5efb5d21be30c0efaa upstream. + +If no subflow is attached to the 'signal' endpoint that is being +removed, the addr ID will not be marked as available again. + +Mark the linked ID as available when removing the address entry from the +list to cover this case. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-1-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1431,7 +1431,10 @@ static bool mptcp_pm_remove_anno_addr(st + ret = remove_anno_list_by_saddr(msk, addr); + if (ret || force) { + spin_lock_bh(&msk->pm.lock); +- msk->pm.add_addr_signaled -= ret; ++ if (ret) { ++ __set_bit(addr->id, msk->pm.id_avail_bitmap); ++ msk->pm.add_addr_signaled--; ++ } + mptcp_pm_remove_addr(msk, &list); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-subflows.patch b/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-subflows.patch new file mode 100644 index 00000000000..839a70cfb0c --- /dev/null +++ b/queue-6.10/mptcp-pm-re-using-id-of-unused-removed-subflows.patch @@ -0,0 +1,51 @@ +From edd8b5d868a4d459f3065493001e293901af758d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:21 +0200 +Subject: mptcp: pm: re-using ID of unused removed subflows + +From: Matthieu Baerts (NGI0) + +commit edd8b5d868a4d459f3065493001e293901af758d upstream. + +If no subflow is attached to the 'subflow' endpoint that is being +removed, the addr ID will not be marked as available again. + +Mark the linked ID as available when removing the 'subflow' endpoint if +no subflow is attached to it. + +While at it, the local_addr_used counter is decremented if the ID was +marked as being used to reflect the reality, but also to allow adding +new endpoints after that. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-3-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1469,8 +1469,17 @@ static int mptcp_nl_remove_subflow_and_s + remove_subflow = lookup_subflow_by_saddr(&msk->conn_list, addr); + mptcp_pm_remove_anno_addr(msk, addr, remove_subflow && + !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT)); +- if (remove_subflow) ++ ++ if (remove_subflow) { + mptcp_pm_remove_subflow(msk, &list); ++ } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { ++ /* If the subflow has been used, but now closed */ ++ spin_lock_bh(&msk->pm.lock); ++ if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap)) ++ msk->pm.local_addr_used--; ++ spin_unlock_bh(&msk->pm.lock); ++ } ++ + release_sock(sk); + + next: diff --git a/queue-6.10/mptcp-pm-remove-mptcp_pm_remove_subflow.patch b/queue-6.10/mptcp-pm-remove-mptcp_pm_remove_subflow.patch new file mode 100644 index 00000000000..f960f42041c --- /dev/null +++ b/queue-6.10/mptcp-pm-remove-mptcp_pm_remove_subflow.patch @@ -0,0 +1,121 @@ +From f448451aa62d54be16acb0034223c17e0d12bc69 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:25 +0200 +Subject: mptcp: pm: remove mptcp_pm_remove_subflow() + +From: Matthieu Baerts (NGI0) + +commit f448451aa62d54be16acb0034223c17e0d12bc69 upstream. + +This helper is confusing. It is in pm.c, but it is specific to the +in-kernel PM and it cannot be used by the userspace one. Also, it simply +calls one in-kernel specific function with the PM lock, while the +similar mptcp_pm_remove_addr() helper requires the PM lock. + +What's left is the pr_debug(), which is not that useful, because a +similar one is present in the only function called by this helper: + + mptcp_pm_nl_rm_subflow_received() + +After these modifications, this helper can be marked as 'static', and +the lock can be taken only once in mptcp_pm_flush_addrs_and_subflows(). + +Note that it is not a bug fix, but it will help backporting the +following commits. + +Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-7-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 10 ---------- + net/mptcp/pm_netlink.c | 16 +++++++--------- + net/mptcp/protocol.h | 3 --- + 3 files changed, 7 insertions(+), 22 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -60,16 +60,6 @@ int mptcp_pm_remove_addr(struct mptcp_so + return 0; + } + +-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list) +-{ +- pr_debug("msk=%p, rm_list_nr=%d", msk, rm_list->nr); +- +- spin_lock_bh(&msk->pm.lock); +- mptcp_pm_nl_rm_subflow_received(msk, rm_list); +- spin_unlock_bh(&msk->pm.lock); +- return 0; +-} +- + /* path manager event handlers */ + + void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int server_side) +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -857,8 +857,8 @@ static void mptcp_pm_nl_rm_addr_received + mptcp_pm_nl_rm_addr_or_subflow(msk, &msk->pm.rm_list_rx, MPTCP_MIB_RMADDR); + } + +-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, +- const struct mptcp_rm_list *rm_list) ++static void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, ++ const struct mptcp_rm_list *rm_list) + { + mptcp_pm_nl_rm_addr_or_subflow(msk, rm_list, MPTCP_MIB_RMSUBFLOW); + } +@@ -1471,7 +1471,9 @@ static int mptcp_nl_remove_subflow_and_s + !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT)); + + if (remove_subflow) { +- mptcp_pm_remove_subflow(msk, &list); ++ spin_lock_bh(&msk->pm.lock); ++ mptcp_pm_nl_rm_subflow_received(msk, &list); ++ spin_unlock_bh(&msk->pm.lock); + } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { + /* If the subflow has been used, but now closed */ + spin_lock_bh(&msk->pm.lock); +@@ -1617,18 +1619,14 @@ static void mptcp_pm_remove_addrs_and_su + alist.ids[alist.nr++] = entry->addr.id; + } + ++ spin_lock_bh(&msk->pm.lock); + if (alist.nr) { +- spin_lock_bh(&msk->pm.lock); + msk->pm.add_addr_signaled -= alist.nr; + mptcp_pm_remove_addr(msk, &alist); +- spin_unlock_bh(&msk->pm.lock); + } +- + if (slist.nr) +- mptcp_pm_remove_subflow(msk, &slist); +- ++ mptcp_pm_nl_rm_subflow_received(msk, &slist); + /* Reset counters: maybe some subflows have been removed before */ +- spin_lock_bh(&msk->pm.lock); + bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); + msk->pm.local_addr_used = 0; + spin_unlock_bh(&msk->pm.lock); +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -1021,7 +1021,6 @@ int mptcp_pm_announce_addr(struct mptcp_ + const struct mptcp_addr_info *addr, + bool echo); + int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); +-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); + void mptcp_pm_remove_addrs(struct mptcp_sock *msk, struct list_head *rm_list); + + void mptcp_free_local_addr_list(struct mptcp_sock *msk); +@@ -1128,8 +1127,6 @@ static inline u8 subflow_get_local_id(co + + void __init mptcp_pm_nl_init(void); + void mptcp_pm_nl_work(struct mptcp_sock *msk); +-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, +- const struct mptcp_rm_list *rm_list); + unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk); + unsigned int mptcp_pm_get_add_addr_accept_max(const struct mptcp_sock *msk); + unsigned int mptcp_pm_get_subflows_max(const struct mptcp_sock *msk); diff --git a/queue-6.10/nouveau-firmware-use-dma-non-coherent-allocator.patch b/queue-6.10/nouveau-firmware-use-dma-non-coherent-allocator.patch new file mode 100644 index 00000000000..80107e8ac3c --- /dev/null +++ b/queue-6.10/nouveau-firmware-use-dma-non-coherent-allocator.patch @@ -0,0 +1,108 @@ +From 9b340aeb26d50e9a9ec99599e2a39b035fac978e Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 16 Aug 2024 06:19:23 +1000 +Subject: nouveau/firmware: use dma non-coherent allocator + +From: Dave Airlie + +commit 9b340aeb26d50e9a9ec99599e2a39b035fac978e upstream. + +Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a +BUG() on startup, when the iommu is enabled: + +kernel BUG at include/linux/scatterlist.h:187! +invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30 +Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019 +RIP: 0010:sg_init_one+0x85/0xa0 +Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54 +24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b +0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00 +RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b +RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000 +RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508 +R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018 +FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0 +Call Trace: + + ? die+0x36/0x90 + ? do_trap+0xdd/0x100 + ? sg_init_one+0x85/0xa0 + ? do_error_trap+0x65/0x80 + ? sg_init_one+0x85/0xa0 + ? exc_invalid_op+0x50/0x70 + ? sg_init_one+0x85/0xa0 + ? asm_exc_invalid_op+0x1a/0x20 + ? sg_init_one+0x85/0xa0 + nvkm_firmware_ctor+0x14a/0x250 [nouveau] + nvkm_falcon_fw_ctor+0x42/0x70 [nouveau] + ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau] + r535_gsp_oneinit+0xb3/0x15f0 [nouveau] + ? srso_return_thunk+0x5/0x5f + ? srso_return_thunk+0x5/0x5f + ? nvkm_udevice_new+0x95/0x140 [nouveau] + ? srso_return_thunk+0x5/0x5f + ? srso_return_thunk+0x5/0x5f + ? ktime_get+0x47/0xb0 + +Fix this by using the non-coherent allocator instead, I think there +might be a better answer to this, but it involve ripping up some of +APIs using sg lists. + +Cc: stable@vger.kernel.org +Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs") +Signed-off-by: Dave Airlie +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20240815201923.632803-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 ++++++--- + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 ++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/core/firmware.c ++++ b/drivers/gpu/drm/nouveau/nvkm/core/firmware.c +@@ -205,7 +205,8 @@ nvkm_firmware_dtor(struct nvkm_firmware + break; + case NVKM_FIRMWARE_IMG_DMA: + nvkm_memory_unref(&memory); +- dma_free_coherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), fw->img, fw->phys); ++ dma_free_noncoherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), ++ fw->img, fw->phys, DMA_TO_DEVICE); + break; + case NVKM_FIRMWARE_IMG_SGT: + nvkm_memory_unref(&memory); +@@ -236,10 +237,12 @@ nvkm_firmware_ctor(const struct nvkm_fir + break; + case NVKM_FIRMWARE_IMG_DMA: { + dma_addr_t addr; +- + len = ALIGN(fw->len, PAGE_SIZE); + +- fw->img = dma_alloc_coherent(fw->device->dev, len, &addr, GFP_KERNEL); ++ fw->img = dma_alloc_noncoherent(fw->device->dev, ++ len, &addr, ++ DMA_TO_DEVICE, ++ GFP_KERNEL); + if (fw->img) { + memcpy(fw->img, src, fw->len); + fw->phys = addr; +--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c ++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c +@@ -89,6 +89,12 @@ nvkm_falcon_fw_boot(struct nvkm_falcon_f + nvkm_falcon_fw_dtor_sigs(fw); + } + ++ /* after last write to the img, sync dma mappings */ ++ dma_sync_single_for_device(fw->fw.device->dev, ++ fw->fw.phys, ++ sg_dma_len(&fw->fw.mem.sgl), ++ DMA_TO_DEVICE); ++ + FLCNFW_DBG(fw, "resetting"); + fw->func->reset(fw); + diff --git a/queue-6.10/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch b/queue-6.10/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch new file mode 100644 index 00000000000..cd47d4358b2 --- /dev/null +++ b/queue-6.10/pmdomain-imx-scu-pd-remove-duplicated-clocks.patch @@ -0,0 +1,35 @@ +From 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Wed, 17 Jul 2024 10:03:33 +0200 +Subject: pmdomain: imx: scu-pd: Remove duplicated clocks + +From: Alexander Stein + +commit 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 upstream. + +These clocks are already added to the list. Remove the duplicates ones. + +Fixes: a67d780720ff ("genpd: imx: scu-pd: add more PDs") +Signed-off-by: Alexander Stein +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240717080334.2210988-1-alexander.stein@ew.tq-group.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/scu-pd.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/pmdomain/imx/scu-pd.c ++++ b/drivers/pmdomain/imx/scu-pd.c +@@ -223,11 +223,6 @@ static const struct imx_sc_pd_range imx8 + { "lvds1-pwm", IMX_SC_R_LVDS_1_PWM_0, 1, false, 0 }, + { "lvds1-lpi2c", IMX_SC_R_LVDS_1_I2C_0, 2, true, 0 }, + +- { "mipi1", IMX_SC_R_MIPI_1, 1, 0 }, +- { "mipi1-pwm0", IMX_SC_R_MIPI_1_PWM_0, 1, 0 }, +- { "mipi1-i2c", IMX_SC_R_MIPI_1_I2C_0, 2, 1 }, +- { "lvds1", IMX_SC_R_LVDS_1, 1, 0 }, +- + /* DC SS */ + { "dc0", IMX_SC_R_DC_0, 1, false, 0 }, + { "dc0-pll", IMX_SC_R_DC_0_PLL_0, 2, true, 0 }, diff --git a/queue-6.10/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch b/queue-6.10/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch new file mode 100644 index 00000000000..2fec8bc6d01 --- /dev/null +++ b/queue-6.10/pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch @@ -0,0 +1,62 @@ +From 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Wed, 14 Aug 2024 20:47:40 +0800 +Subject: pmdomain: imx: wait SSAR when i.MX93 power domain on + +From: Peng Fan + +commit 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb upstream. + +With "quiet" set in bootargs, there is power domain failure: +"imx93_power_domain 44462400.power-domain: pd_off timeout: name: + 44462400.power-domain, stat: 4" + +The current power on opertation takes ISO state as power on finished +flag, but it is wrong. Before powering on operation really finishes, +powering off comes and powering off will never finish because the last +powering on still not finishes, so the following powering off actually +not trigger hardware state machine to run. SSAR is the last step when +powering on a domain, so need to wait SSAR done when powering on. + +Since EdgeLock Enclave(ELE) handshake is involved in the flow, enlarge +the waiting time to 10ms for both on and off to avoid timeout. + +Cc: stable@vger.kernel.org +Fixes: 0a0f7cc25d4a ("soc: imx: add i.MX93 SRC power domain driver") +Reviewed-by: Jacky Bai +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20240814124740.2778952-1-peng.fan@oss.nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/imx93-pd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pmdomain/imx/imx93-pd.c ++++ b/drivers/pmdomain/imx/imx93-pd.c +@@ -20,6 +20,7 @@ + #define FUNC_STAT_PSW_STAT_MASK BIT(0) + #define FUNC_STAT_RST_STAT_MASK BIT(2) + #define FUNC_STAT_ISO_STAT_MASK BIT(4) ++#define FUNC_STAT_SSAR_STAT_MASK BIT(8) + + struct imx93_power_domain { + struct generic_pm_domain genpd; +@@ -50,7 +51,7 @@ static int imx93_pd_on(struct generic_pm + writel(val, addr + MIX_SLICE_SW_CTRL_OFF); + + ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val, +- !(val & FUNC_STAT_ISO_STAT_MASK), 1, 10000); ++ !(val & FUNC_STAT_SSAR_STAT_MASK), 1, 10000); + if (ret) { + dev_err(domain->dev, "pd_on timeout: name: %s, stat: %x\n", genpd->name, val); + return ret; +@@ -72,7 +73,7 @@ static int imx93_pd_off(struct generic_p + writel(val, addr + MIX_SLICE_SW_CTRL_OFF); + + ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val, +- val & FUNC_STAT_PSW_STAT_MASK, 1, 1000); ++ val & FUNC_STAT_PSW_STAT_MASK, 1, 10000); + if (ret) { + dev_err(domain->dev, "pd_off timeout: name: %s, stat: %x\n", genpd->name, val); + return ret; diff --git a/queue-6.10/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch b/queue-6.10/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch new file mode 100644 index 00000000000..c8a792f3cfd --- /dev/null +++ b/queue-6.10/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch @@ -0,0 +1,94 @@ +From 65fb58afa341ad68e71e5c4d816b407e6a683a66 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:22 +0200 +Subject: selftests: mptcp: join: check re-using ID of closed subflow + +From: Matthieu Baerts (NGI0) + +commit 65fb58afa341ad68e71e5c4d816b407e6a683a66 upstream. + +This test extends "delete and re-add" to validate the previous commit. A +new 'subflow' endpoint is added, but the subflow request will be +rejected. The result is that no subflow will be established from this +address. + +Later, the endpoint is removed and re-added after having cleared the +firewall rule. Before the previous commit, the client would not have +been able to create this new subflow. + +While at it, extra checks have been added to validate the expected +numbers of MPJ and RM_ADDR. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-4-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 +++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -436,9 +436,10 @@ reset_with_tcp_filter() + local ns="${!1}" + local src="${2}" + local target="${3}" ++ local chain="${4:-INPUT}" + + if ! ip netns exec "${ns}" ${iptables} \ +- -A INPUT \ ++ -A "${chain}" \ + -s "${src}" \ + -p tcp \ + -j "${target}"; then +@@ -3572,10 +3573,10 @@ endpoint_tests() + mptcp_lib_kill_wait $tests_pid + fi + +- if reset "delete and re-add" && ++ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT && + mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then +- pm_nl_set_limits $ns1 1 1 +- pm_nl_set_limits $ns2 1 1 ++ pm_nl_set_limits $ns1 0 2 ++ pm_nl_set_limits $ns2 0 2 + pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow + test_linkfail=4 speed=20 \ + run_tests $ns1 $ns2 10.0.1.1 & +@@ -3592,11 +3593,27 @@ endpoint_tests() + chk_subflow_nr "after delete" 1 + chk_mptcp_info subflows 0 subflows 0 + +- pm_nl_add_endpoint $ns2 10.0.2.2 dev ns2eth2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow + wait_mpj $ns2 + chk_subflow_nr "after re-add" 2 + chk_mptcp_info subflows 1 subflows 1 ++ ++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow ++ wait_attempt_fail $ns2 ++ chk_subflow_nr "after new reject" 2 ++ chk_mptcp_info subflows 1 subflows 1 ++ ++ ip netns exec "${ns2}" ${iptables} -D OUTPUT -s "10.0.3.2" -p tcp -j REJECT ++ pm_nl_del_endpoint $ns2 3 10.0.3.2 ++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow ++ wait_mpj $ns2 ++ chk_subflow_nr "after no reject" 3 ++ chk_mptcp_info subflows 2 subflows 2 ++ + mptcp_lib_kill_wait $tests_pid ++ ++ chk_join_nr 3 3 3 ++ chk_rm_nr 1 1 + fi + } + diff --git a/queue-6.10/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch b/queue-6.10/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch new file mode 100644 index 00000000000..c4b915d3897 --- /dev/null +++ b/queue-6.10/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch @@ -0,0 +1,40 @@ +From 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 19 Aug 2024 21:45:31 +0200 +Subject: selftests: mptcp: join: validate fullmesh endp on 1st sf + +From: Matthieu Baerts (NGI0) + +commit 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 upstream. + +This case was not covered, and the wrong ID was set before the previous +commit. + +The rest is not modified, it is just that it will increase the code +coverage. + +The right address ID can be verified by looking at the packet traces. We +could automate that using Netfilter with some cBPF code for example, but +that's always a bit cryptic. Packetdrill seems better fitted for that. + +Fixes: 4f49d63352da ("selftests: mptcp: add fullmesh testcases") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-13-38035d40de5b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3058,6 +3058,7 @@ fullmesh_tests() + pm_nl_set_limits $ns1 1 3 + pm_nl_set_limits $ns2 1 3 + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh + fullmesh=1 speed=slow \ + run_tests $ns1 $ns2 10.0.1.1 + chk_join_nr 3 3 3 diff --git a/queue-6.10/series b/queue-6.10/series index 482dc4862e9..4a6ec29cba7 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -232,3 +232,35 @@ net-ngbe-fix-phy-mode-set-to-external-phy.patch net-dsa-microchip-fix-ptp-config-failure-when-using-multiple-ports.patch mips-loongson64-set-timer-mode-in-cpu-probe.patch hid-wacom-defer-calculation-of-resolution-until-resolution_code-is-known.patch +iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch +input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch +input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch +ata-pata_macio-fix-dma-table-overflow.patch +cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch +kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch +kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch +acpi-video-add-dell-uart-backlight-controller-detection.patch +acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch +cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch +cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch +mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch +mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch +smb3-fix-broken-cached-reads-when-posix-locks.patch +pmdomain-imx-scu-pd-remove-duplicated-clocks.patch +pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch +nouveau-firmware-use-dma-non-coherent-allocator.patch +thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch +thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch +thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch +mptcp-pm-re-using-id-of-unused-removed-add_addr.patch +mptcp-pm-re-using-id-of-unused-removed-subflows.patch +mptcp-pm-re-using-id-of-unused-flushed-subflows.patch +mptcp-pm-remove-mptcp_pm_remove_subflow.patch +mptcp-pm-only-mark-subflow-endp-as-available.patch +mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch +mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch +mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch +mptcp-pm-fullmesh-select-the-right-id-later.patch +mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch +selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch +selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch diff --git a/queue-6.10/smb3-fix-broken-cached-reads-when-posix-locks.patch b/queue-6.10/smb3-fix-broken-cached-reads-when-posix-locks.patch new file mode 100644 index 00000000000..b221e1e15aa --- /dev/null +++ b/queue-6.10/smb3-fix-broken-cached-reads-when-posix-locks.patch @@ -0,0 +1,50 @@ +From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 15 Aug 2024 18:31:36 -0500 +Subject: smb3: fix broken cached reads when posix locks + +From: Steve French + +commit e4be320eeca842a3d7648258ee3673f1755a5a59 upstream. + +Mandatory locking is enforced for cached reads, which violates +default posix semantics, and also it is enforced inconsistently. +This affected recent versions of libreoffice, and can be +demonstrated by opening a file twice from the same client, +locking it from handle one and trying to read from it from +handle two (which fails, returning EACCES). + +There is already a mount option "forcemandatorylock" +(which defaults to off), so with this change only when the user +intentionally specifies "forcemandatorylock" on mount will we +break posix semantics on read to a locked range (ie we will +only fail in this case, if the user mounts with +"forcemandatorylock"). + +An earlier patch fixed the write path. + +Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks") +Cc: stable@vger.kernel.org +Cc: Pavel Shilovsky +Reviewed-by: David Howells +Reported-by: abartlet@samba.org +Reported-by: Kevin Ottens +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/file.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, st + if (!CIFS_CACHE_READ(cinode)) + return netfs_unbuffered_read_iter(iocb, to); + +- if (cap_unix(tcon->ses) && +- (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) && +- ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) { ++ if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) { + if (iocb->ki_flags & IOCB_DIRECT) + return netfs_unbuffered_read_iter(iocb, to); + return netfs_buffered_read_iter(iocb, to); diff --git a/queue-6.10/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch b/queue-6.10/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch new file mode 100644 index 00000000000..872584e64eb --- /dev/null +++ b/queue-6.10/thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch @@ -0,0 +1,68 @@ +From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 14 Aug 2024 21:58:23 +0200 +Subject: thermal: of: Fix OF node leak in of_thermal_zone_find() error paths + +From: Krzysztof Kozlowski + +commit c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 upstream. + +Terminating for_each_available_child_of_node() loop requires dropping OF +node reference, so bailing out on errors misses this. Solve the OF node +reference leak with scoped for_each_available_child_of_node_scoped(). + +Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Daniel Lezcano +Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_of.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -184,14 +184,14 @@ static struct device_node *of_thermal_zo + * Search for each thermal zone, a defined sensor + * corresponding to the one passed as parameter + */ +- for_each_available_child_of_node(np, tz) { ++ for_each_available_child_of_node_scoped(np, child) { + + int count, i; + +- count = of_count_phandle_with_args(tz, "thermal-sensors", ++ count = of_count_phandle_with_args(child, "thermal-sensors", + "#thermal-sensor-cells"); + if (count <= 0) { +- pr_err("%pOFn: missing thermal sensor\n", tz); ++ pr_err("%pOFn: missing thermal sensor\n", child); + tz = ERR_PTR(-EINVAL); + goto out; + } +@@ -200,18 +200,19 @@ static struct device_node *of_thermal_zo + + int ret; + +- ret = of_parse_phandle_with_args(tz, "thermal-sensors", ++ ret = of_parse_phandle_with_args(child, "thermal-sensors", + "#thermal-sensor-cells", + i, &sensor_specs); + if (ret < 0) { +- pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); ++ pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); + tz = ERR_PTR(ret); + goto out; + } + + if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? + sensor_specs.args[0] : 0)) { +- pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); ++ pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); ++ tz = no_free_ptr(child); + goto out; + } + } diff --git a/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch b/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch new file mode 100644 index 00000000000..4c9c4f486d1 --- /dev/null +++ b/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch @@ -0,0 +1,46 @@ +From afc954fd223ded70b1fa000767e2531db55cce58 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 14 Aug 2024 21:58:21 +0200 +Subject: thermal: of: Fix OF node leak in thermal_of_trips_init() error path + +From: Krzysztof Kozlowski + +commit afc954fd223ded70b1fa000767e2531db55cce58 upstream. + +Terminating for_each_child_of_node() loop requires dropping OF node +reference, so bailing out after thermal_of_populate_trip() error misses +this. Solve the OF node reference leak with scoped +for_each_child_of_node_scoped(). + +Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately") +Cc: All applicable +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Daniel Lezcano +Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_of.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -125,7 +125,7 @@ static int thermal_of_populate_trip(stru + static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips) + { + struct thermal_trip *tt; +- struct device_node *trips, *trip; ++ struct device_node *trips; + int ret, count; + + trips = of_get_child_by_name(np, "trips"); +@@ -150,7 +150,7 @@ static struct thermal_trip *thermal_of_t + *ntrips = count; + + count = 0; +- for_each_child_of_node(trips, trip) { ++ for_each_child_of_node_scoped(trips, trip) { + ret = thermal_of_populate_trip(trip, &tt[count++]); + if (ret) + goto out_kfree; diff --git a/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch b/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch new file mode 100644 index 00000000000..e9c911c98f0 --- /dev/null +++ b/queue-6.10/thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch @@ -0,0 +1,57 @@ +From 662b52b761bfe0ba970e5823759798faf809b896 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 14 Aug 2024 21:58:22 +0200 +Subject: thermal: of: Fix OF node leak in thermal_of_zone_register() + +From: Krzysztof Kozlowski + +commit 662b52b761bfe0ba970e5823759798faf809b896 upstream. + +thermal_of_zone_register() calls of_thermal_zone_find() which will +iterate over OF nodes with for_each_available_child_of_node() to find +matching thermal zone node. When it finds such, it exits the loop and +returns the node. Prematurely ending for_each_available_child_of_node() +loops requires dropping OF node reference, thus success of +of_thermal_zone_find() means that caller must drop the reference. + +Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") +Cc: All applicable +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Daniel Lezcano +Link: https://patch.msgid.link/20240814195823.437597-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/thermal_of.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -491,7 +491,8 @@ static struct thermal_zone_device *therm + trips = thermal_of_trips_init(np, &ntrips); + if (IS_ERR(trips)) { + pr_err("Failed to find trip points for %pOFn id=%d\n", sensor, id); +- return ERR_CAST(trips); ++ ret = PTR_ERR(trips); ++ goto out_of_node_put; + } + + ret = thermal_of_monitor_init(np, &delay, &pdelay); +@@ -519,6 +520,7 @@ static struct thermal_zone_device *therm + goto out_kfree_trips; + } + ++ of_node_put(np); + kfree(trips); + + ret = thermal_zone_device_enable(tz); +@@ -533,6 +535,8 @@ static struct thermal_zone_device *therm + + out_kfree_trips: + kfree(trips); ++out_of_node_put: ++ of_node_put(np); + + return ERR_PTR(ret); + }