From: Sasha Levin Date: Sun, 15 Dec 2024 16:51:59 +0000 (-0500) Subject: Fixes for 6.12 X-Git-Tag: v5.4.288~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab6659f3b7149f1a8521d0f91cd14fa2c13d107e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch b/queue-6.12/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch new file mode 100644 index 00000000000..8a76d6dfaad --- /dev/null +++ b/queue-6.12/acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch @@ -0,0 +1,63 @@ +From 902567d5d7229ded6fd8b2f750a12b7db863ee72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 21:56:09 +0530 +Subject: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl + +From: Suraj Sonawane + +[ Upstream commit 265e98f72bac6c41a4492d3e30a8e5fd22fe0779 ] + +Fix an issue detected by syzbot with KASAN: + +BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/ +core.c:416 [inline] +BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0 +drivers/acpi/nfit/core.c:459 + +The issue occurs in cmd_to_func when the call_pkg->nd_reserved2 +array is accessed without verifying that call_pkg points to a buffer +that is appropriately sized as a struct nd_cmd_pkg. This can lead +to out-of-bounds access and undefined behavior if the buffer does not +have sufficient space. + +To address this, a check was added in acpi_nfit_ctl() to ensure that +buf is not NULL and that buf_len is less than sizeof(*call_pkg) +before accessing it. This ensures safe access to the members of +call_pkg, including the nd_reserved2 array. + +Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3 +Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com +Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation") +Signed-off-by: Suraj Sonawane +Reviewed-by: Alison Schofield +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20241118162609.29063-1-surajsonawane0215@gmail.com +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/acpi/nfit/core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index 5429ec9ef06f..a5d47819b3a4 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + if (cmd_rc) + *cmd_rc = -EINVAL; + +- if (cmd == ND_CMD_CALL) ++ if (cmd == ND_CMD_CALL) { ++ if (!buf || buf_len < sizeof(*call_pkg)) ++ return -EINVAL; ++ + call_pkg = buf; ++ } ++ + func = cmd_to_func(nfit_mem, cmd, call_pkg, &family); + if (func < 0) + return func; +-- +2.39.5 + diff --git a/queue-6.12/acpi-resource-fix-memory-resource-type-union-access.patch b/queue-6.12/acpi-resource-fix-memory-resource-type-union-access.patch new file mode 100644 index 00000000000..53ae4f219df --- /dev/null +++ b/queue-6.12/acpi-resource-fix-memory-resource-type-union-access.patch @@ -0,0 +1,55 @@ +From 49a017046f3b63b5c6c94ba35a058b0e90fb72e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 12:06:13 +0200 +Subject: ACPI: resource: Fix memory resource type union access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 7899ca9f3bd2b008e9a7c41f2a9f1986052d7e96 ] + +In acpi_decode_space() addr->info.mem.caching is checked on main level +for any resource type but addr->info.mem is part of union and thus +valid only if the resource type is memory range. + +Move the check inside the preceeding switch/case to only execute it +when the union is of correct type. + +Fixes: fcb29bbcd540 ("ACPI: Add prefetch decoding to the address space parser") +Signed-off-by: Ilpo Järvinen +Link: https://patch.msgid.link/20241202100614.20731-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 7fe842dae1ec..821867de43be 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -250,6 +250,9 @@ static bool acpi_decode_space(struct resource_win *win, + switch (addr->resource_type) { + case ACPI_MEMORY_RANGE: + acpi_dev_memresource_flags(res, len, wp); ++ ++ if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY) ++ res->flags |= IORESOURCE_PREFETCH; + break; + case ACPI_IO_RANGE: + acpi_dev_ioresource_flags(res, len, iodec, +@@ -265,9 +268,6 @@ static bool acpi_decode_space(struct resource_win *win, + if (addr->producer_consumer == ACPI_PRODUCER) + res->flags |= IORESOURCE_WINDOW; + +- if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY) +- res->flags |= IORESOURCE_PREFETCH; +- + return !(res->flags & IORESOURCE_DISABLED); + } + +-- +2.39.5 + diff --git a/queue-6.12/acpica-events-evxfregn-don-t-release-the-contextmute.patch b/queue-6.12/acpica-events-evxfregn-don-t-release-the-contextmute.patch new file mode 100644 index 00000000000..3b47c6f9578 --- /dev/null +++ b/queue-6.12/acpica-events-evxfregn-don-t-release-the-contextmute.patch @@ -0,0 +1,41 @@ +From ae7b7116ae798b9a81b2fb0cf38551d84b9ebb37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 11:29:54 +0300 +Subject: ACPICA: events/evxfregn: don't release the ContextMutex that was + never acquired + +From: Daniil Tatianin + +[ Upstream commit c53d96a4481f42a1635b96d2c1acbb0a126bfd54 ] + +This bug was first introduced in c27f3d011b08, where the author of the +patch probably meant to do DeleteMutex instead of ReleaseMutex. The +mutex leak was noticed later on and fixed in e4dfe108371, but the bogus +MutexRelease line was never removed, so do it now. + +Link: https://github.com/acpica/acpica/pull/982 +Fixes: c27f3d011b08 ("ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling") +Signed-off-by: Daniil Tatianin +Link: https://patch.msgid.link/20241122082954.658356-1-d-tatianin@yandex-team.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/evxfregn.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/acpi/acpica/evxfregn.c b/drivers/acpi/acpica/evxfregn.c +index 95f78383bbdb..bff2d099f469 100644 +--- a/drivers/acpi/acpica/evxfregn.c ++++ b/drivers/acpi/acpica/evxfregn.c +@@ -232,8 +232,6 @@ acpi_remove_address_space_handler(acpi_handle device, + + /* Now we can delete the handler object */ + +- acpi_os_release_mutex(handler_obj->address_space. +- context_mutex); + acpi_ut_remove_reference(handler_obj); + goto unlock_and_exit; + } +-- +2.39.5 + diff --git a/queue-6.12/alsa-control-avoid-warn-for-symlink-errors.patch b/queue-6.12/alsa-control-avoid-warn-for-symlink-errors.patch new file mode 100644 index 00000000000..11eea21a003 --- /dev/null +++ b/queue-6.12/alsa-control-avoid-warn-for-symlink-errors.patch @@ -0,0 +1,57 @@ +From 752454fd9dfb90546d296a567878dc585f7e81a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 10:56:12 +0100 +Subject: ALSA: control: Avoid WARN() for symlink errors + +From: Takashi Iwai + +[ Upstream commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 ] + +Using WARN() for showing the error of symlink creations don't give +more information than telling that something goes wrong, since the +usual code path is a lregister callback from each control element +creation. More badly, the use of WARN() rather confuses fuzzer as if +it were serious issues. + +This patch downgrades the warning messages to use the normal dev_err() +instead of WARN(). For making it clearer, add the function name to +the prefix, too. + +Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer") +Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com +Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/control_led.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/sound/core/control_led.c b/sound/core/control_led.c +index 65a1ebe87776..e33dfcf863cf 100644 +--- a/sound/core/control_led.c ++++ b/sound/core/control_led.c +@@ -668,10 +668,16 @@ static void snd_ctl_led_sysfs_add(struct snd_card *card) + goto cerr; + led->cards[card->number] = led_card; + snprintf(link_name, sizeof(link_name), "led-%s", led->name); +- WARN(sysfs_create_link(&card->ctl_dev->kobj, &led_card->dev.kobj, link_name), +- "can't create symlink to controlC%i device\n", card->number); +- WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"), +- "can't create symlink to card%i\n", card->number); ++ if (sysfs_create_link(&card->ctl_dev->kobj, &led_card->dev.kobj, ++ link_name)) ++ dev_err(card->dev, ++ "%s: can't create symlink to controlC%i device\n", ++ __func__, card->number); ++ if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, ++ "card")) ++ dev_err(card->dev, ++ "%s: can't create symlink to card%i\n", ++ __func__, card->number); + + continue; + cerr: +-- +2.39.5 + diff --git a/queue-6.12/amdgpu-uvd-get-ring-reference-from-rq-scheduler.patch b/queue-6.12/amdgpu-uvd-get-ring-reference-from-rq-scheduler.patch new file mode 100644 index 00000000000..2f60bb9b4bb --- /dev/null +++ b/queue-6.12/amdgpu-uvd-get-ring-reference-from-rq-scheduler.patch @@ -0,0 +1,40 @@ +From 11353444cff82115202210e81a1698886ee62958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 11:30:01 -0500 +Subject: amdgpu/uvd: get ring reference from rq scheduler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David (Ming Qiang) Wu + +[ Upstream commit 47f402a3e08113e0f5d8e1e6fcc197667a16022f ] + +base.sched may not be set for each instance and should not +be used for cases such as non-IB tests. + +Fixes: 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") +Signed-off-by: David (Ming Qiang) Wu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +index 6068b784dc69..9a30b8c10838 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +@@ -1289,7 +1289,7 @@ static int uvd_v7_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p, + struct amdgpu_job *job, + struct amdgpu_ib *ib) + { +- struct amdgpu_ring *ring = to_amdgpu_ring(job->base.sched); ++ struct amdgpu_ring *ring = amdgpu_job_ring(job); + unsigned i; + + /* No patching necessary for the first instance */ +-- +2.39.5 + diff --git a/queue-6.12/asoc-amd-yc-fix-the-wrong-return-value.patch b/queue-6.12/asoc-amd-yc-fix-the-wrong-return-value.patch new file mode 100644 index 00000000000..4f867326081 --- /dev/null +++ b/queue-6.12/asoc-amd-yc-fix-the-wrong-return-value.patch @@ -0,0 +1,57 @@ +From af392f1b136bc3a450a747c067506bfb92ca9182 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 14:40:25 +0530 +Subject: ASoC: amd: yc: Fix the wrong return value + +From: Venkata Prasad Potturu + +[ Upstream commit 984795e76def5c903724b8d6a8228e356bbdf2af ] + +With the current implementation, when ACP driver fails to read +ACPI _WOV entry then the DMI overrides code won't invoke, +may cause regressions for some BIOS versions. + +Add a condition check to jump to check the DMI entries incase of +ACP driver fail to read ACPI _WOV method. + +Fixes: 4095cf872084 (ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry) + +Signed-off-by: Venkata Prasad Potturu +Link: https://patch.msgid.link/20241210091026.996860-1-venkataprasad.potturu@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index e38c5885dadf..ecf57a6cb7c3 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -578,14 +578,19 @@ static int acp6x_probe(struct platform_device *pdev) + + handle = ACPI_HANDLE(pdev->dev.parent); + ret = acpi_evaluate_integer(handle, "_WOV", NULL, &dmic_status); +- if (!ACPI_FAILURE(ret)) ++ if (!ACPI_FAILURE(ret)) { + wov_en = dmic_status; ++ if (!wov_en) ++ return -ENODEV; ++ } else { ++ /* Incase of ACPI method read failure then jump to check_dmi_entry */ ++ goto check_dmi_entry; ++ } + +- if (is_dmic_enable && wov_en) ++ if (is_dmic_enable) + platform_set_drvdata(pdev, &acp6x_card); +- else +- return 0; + ++check_dmi_entry: + /* check for any DMI overrides */ + dmi_id = dmi_first_match(yc_acp_quirk_table); + if (dmi_id) +-- +2.39.5 + diff --git a/queue-6.12/asoc-fsl_spdif-change-iface_pcm-to-iface_mixer.patch b/queue-6.12/asoc-fsl_spdif-change-iface_pcm-to-iface_mixer.patch new file mode 100644 index 00000000000..ffa69cd9e93 --- /dev/null +++ b/queue-6.12/asoc-fsl_spdif-change-iface_pcm-to-iface_mixer.patch @@ -0,0 +1,40 @@ +From e5342f86ce92d26dce6cc4f0450dcef1cf4301f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 13:32:54 +0800 +Subject: ASoC: fsl_spdif: change IFACE_PCM to IFACE_MIXER + +From: Shengjiu Wang + +[ Upstream commit bb76e82bfe57fdd1fe595cb0ccd33159df49ed09 ] + +As the snd_soc_card_get_kcontrol() is updated to use +snd_ctl_find_id_mixer() in +commit 897cc72b0837 ("ASoC: soc-card: Use +snd_ctl_find_id_mixer() instead of open-coding") +which make the iface fix to be IFACE_MIXER. + +Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20241126053254.3657344-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_spdif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_spdif.c b/sound/soc/fsl/fsl_spdif.c +index b6ff04f7138a..ee946e0d3f49 100644 +--- a/sound/soc/fsl/fsl_spdif.c ++++ b/sound/soc/fsl/fsl_spdif.c +@@ -1204,7 +1204,7 @@ static struct snd_kcontrol_new fsl_spdif_ctrls[] = { + }, + /* DPLL lock info get controller */ + { +- .iface = SNDRV_CTL_ELEM_IFACE_PCM, ++ .iface = SNDRV_CTL_ELEM_IFACE_MIXER, + .name = RX_SAMPLE_RATE_KCONTROL, + .access = SNDRV_CTL_ELEM_ACCESS_READ | + SNDRV_CTL_ELEM_ACCESS_VOLATILE, +-- +2.39.5 + diff --git a/queue-6.12/asoc-fsl_xcvr-change-iface_pcm-to-iface_mixer.patch b/queue-6.12/asoc-fsl_xcvr-change-iface_pcm-to-iface_mixer.patch new file mode 100644 index 00000000000..b361e92d889 --- /dev/null +++ b/queue-6.12/asoc-fsl_xcvr-change-iface_pcm-to-iface_mixer.patch @@ -0,0 +1,40 @@ +From 7b3f4d309e15f40867145745152a090c8b910d28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 13:32:53 +0800 +Subject: ASoC: fsl_xcvr: change IFACE_PCM to IFACE_MIXER + +From: Shengjiu Wang + +[ Upstream commit 7c17f7780a48b5ed36b6d13a06004fac993e75af ] + +As the snd_soc_card_get_kcontrol() is updated to use +snd_ctl_find_id_mixer() in +commit 897cc72b0837 ("ASoC: soc-card: Use +snd_ctl_find_id_mixer() instead of open-coding") +which make the iface fix to be IFACE_MIXER. + +Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20241126053254.3657344-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_xcvr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c +index beede7344efd..4341269eb977 100644 +--- a/sound/soc/fsl/fsl_xcvr.c ++++ b/sound/soc/fsl/fsl_xcvr.c +@@ -169,7 +169,7 @@ static int fsl_xcvr_capds_put(struct snd_kcontrol *kcontrol, + } + + static struct snd_kcontrol_new fsl_xcvr_earc_capds_kctl = { +- .iface = SNDRV_CTL_ELEM_IFACE_PCM, ++ .iface = SNDRV_CTL_ELEM_IFACE_MIXER, + .name = "Capabilities Data Structure", + .access = SNDRV_CTL_ELEM_ACCESS_READWRITE, + .info = fsl_xcvr_type_capds_bytes_info, +-- +2.39.5 + diff --git a/queue-6.12/asoc-intel-sof_sdw-add-space-for-a-terminator-into-d.patch b/queue-6.12/asoc-intel-sof_sdw-add-space-for-a-terminator-into-d.patch new file mode 100644 index 00000000000..adfb07c946a --- /dev/null +++ b/queue-6.12/asoc-intel-sof_sdw-add-space-for-a-terminator-into-d.patch @@ -0,0 +1,51 @@ +From e7988d3100ffd08556ec07d3f4ed40c997e3a913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 10:57:42 +0000 +Subject: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Charles Keepax + +[ Upstream commit 255cc582e6e16191a20d54bcdbca6c91d3e90c5e ] + +The code uses the initialised member of the asoc_sdw_dailink struct to +determine if a member of the array is in use. However in the case the +array is completely full this will lead to an access 1 past the end of +the array, expand the array by one entry to include a space for a +terminator. + +Fixes: 27fd36aefa00 ("ASoC: Intel: sof-sdw: Add new code for parsing the snd_soc_acpi structs") +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20241212105742.1508574-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_sdw.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index a58842a8c8a6..db57292c00ca 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -1003,8 +1003,12 @@ static int sof_card_dai_links_create(struct snd_soc_card *card) + return ret; + } + +- /* One per DAI link, worst case is a DAI link for every endpoint */ +- sof_dais = kcalloc(num_ends, sizeof(*sof_dais), GFP_KERNEL); ++ /* ++ * One per DAI link, worst case is a DAI link for every endpoint, also ++ * add one additional to act as a terminator such that code can iterate ++ * until it hits an uninitialised DAI. ++ */ ++ sof_dais = kcalloc(num_ends + 1, sizeof(*sof_dais), GFP_KERNEL); + if (!sof_dais) + return -ENOMEM; + +-- +2.39.5 + diff --git a/queue-6.12/asoc-tas2781-fix-calibration-issue-in-stress-test.patch b/queue-6.12/asoc-tas2781-fix-calibration-issue-in-stress-test.patch new file mode 100644 index 00000000000..c7a02796cc6 --- /dev/null +++ b/queue-6.12/asoc-tas2781-fix-calibration-issue-in-stress-test.patch @@ -0,0 +1,50 @@ +From 3df4b48177ac6d2cc94bc6331f08b8ec99a18199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 12:38:59 +0800 +Subject: ASoC: tas2781: Fix calibration issue in stress test + +From: Shenghao Ding + +[ Upstream commit 2aa13da97e2b92d20a8ad4ead10da89f880b64e7 ] + +One specific test condition: the default registers of p[j].reg ~ +p[j+3].reg are 0, TASDEVICE_REG(0x00, 0x14, 0x38)(PLT_FLAG_REG), +TASDEVICE_REG(0x00, 0x14, 0x40)(SINEGAIN_REG), and +TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN2_REG). After first calibration, +they are freshed to TASDEVICE_REG(0x00, 0x1a, 0x20), TASDEVICE_REG(0x00, +0x16, 0x58)(PLT_FLAG_REG), TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN_REG), +and TASDEVICE_REG(0x00, 0x16, 0x64)(SINEGAIN2_REG) via "Calibration Start" +kcontrol. In second calibration, the p[j].reg ~ p[j+3].reg have already +become tas2781_cali_start_reg. However, p[j+2].reg, TASDEVICE_REG(0x00, +0x14, 0x44)(SINEGAIN_REG), will be freshed to TASDEVICE_REG(0x00, 0x16, +0x64), which is the third register in the input params of the kcontrol. +This is why only first calibration can work, the second-time, third-time +or more-time calibration always failed without reboot. Of course, if no +p[j].reg is in the list of tas2781_cali_start_reg, this stress test can +work well. + +Fixes: 49e2e353fb0d ("ASoC: tas2781: Add Calibration Kcontrols for Chromebook") +Signed-off-by: Shenghao Ding +Link: https://patch.msgid.link/20241211043859.1328-1-shenghao-ding@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index 12d093437ba9..1b2f55030c39 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -370,7 +370,7 @@ static void sngl_calib_start(struct tasdevice_priv *tas_priv, int i, + tasdevice_dev_read(tas_priv, i, p[j].reg, + (int *)&p[j].val[0]); + } else { +- switch (p[j].reg) { ++ switch (tas2781_cali_start_reg[j].reg) { + case 0: { + if (!reg[0]) + continue; +-- +2.39.5 + diff --git a/queue-6.12/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch b/queue-6.12/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch new file mode 100644 index 00000000000..511c043b0ec --- /dev/null +++ b/queue-6.12/batman-adv-do-not-let-tt-changes-list-grows-indefini.patch @@ -0,0 +1,77 @@ +From ed178a58f78b453390c4df519ce1dd19c784582b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:50 +0100 +Subject: batman-adv: Do not let TT changes list grows indefinitely + +From: Remi Pommarel + +[ Upstream commit fff8f17c1a6fc802ca23bbd3a276abfde8cc58e6 ] + +When TT changes list is too big to fit in packet due to MTU size, an +empty OGM is sent expected other node to send TT request to get the +changes. The issue is that tt.last_changeset was not built thus the +originator was responding with previous changes to those TT requests +(see batadv_send_my_tt_response). Also the changes list was never +cleaned up effectively never ending growing from this point onwards, +repeatedly sending the same TT response changes over and over, and +creating a new empty OGM every OGM interval expecting for the local +changes to be purged. + +When there is more TT changes that can fit in packet, drop all changes, +send empty OGM and wait for TT request so we can respond with a full +table instead. + +Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") +Signed-off-by: Remi Pommarel +Acked-by: Antonio Quartulli +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index bbab7491c83f..53dea8ae96e4 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + int tt_diff_len, tt_change_len = 0; + int tt_diff_entries_num = 0; + int tt_diff_entries_count = 0; ++ bool drop_changes = false; + size_t tt_extra_len = 0; + u16 tvlv_len; + +@@ -997,10 +998,17 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + tt_diff_len = batadv_tt_len(tt_diff_entries_num); + + /* if we have too many changes for one packet don't send any +- * and wait for the tt table request which will be fragmented ++ * and wait for the tt table request so we can reply with the full ++ * (fragmented) table. ++ * ++ * The local change history should still be cleaned up so the next ++ * TT round can start again with a clean state. + */ +- if (tt_diff_len > bat_priv->soft_iface->mtu) ++ if (tt_diff_len > bat_priv->soft_iface->mtu) { + tt_diff_len = 0; ++ tt_diff_entries_num = 0; ++ drop_changes = true; ++ } + + tvlv_len = batadv_tt_prepare_tvlv_local_data(bat_priv, &tt_data, + &tt_change, &tt_diff_len); +@@ -1009,7 +1017,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + + tt_data->flags = BATADV_TT_OGM_DIFF; + +- if (tt_diff_len == 0) ++ if (!drop_changes && tt_diff_len == 0) + goto container_register; + + spin_lock_bh(&bat_priv->tt.changes_list_lock); +-- +2.39.5 + diff --git a/queue-6.12/batman-adv-do-not-send-uninitialized-tt-changes.patch b/queue-6.12/batman-adv-do-not-send-uninitialized-tt-changes.patch new file mode 100644 index 00000000000..611d53a7be4 --- /dev/null +++ b/queue-6.12/batman-adv-do-not-send-uninitialized-tt-changes.patch @@ -0,0 +1,78 @@ +From 24fb10a2708c61d449640b5f3f5ae941ae1bc89a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:48 +0100 +Subject: batman-adv: Do not send uninitialized TT changes + +From: Remi Pommarel + +[ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ] + +The number of TT changes can be less than initially expected in +batadv_tt_tvlv_container_update() (changes can be removed by +batadv_tt_local_event() in ADD+DEL sequence between reading +tt_diff_entries_num and actually iterating the change list under lock). + +Thus tt_diff_len could be bigger than the actual changes size that need +to be sent. Because batadv_send_my_tt_response sends the whole +packet, uninitialized data can be interpreted as TT changes on other +nodes leading to weird TT global entries on those nodes such as: + + * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) + * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) + +All of the above also applies to OGM tvlv container buffer's tvlv_len. + +Remove the extra allocated space to avoid sending uninitialized TT +changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif(). + +Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 2243cec18ecc..f0590f9bc2b1 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + int tt_diff_len, tt_change_len = 0; + int tt_diff_entries_num = 0; + int tt_diff_entries_count = 0; ++ size_t tt_extra_len = 0; + u16 tvlv_len; + + tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes); +@@ -1027,6 +1028,9 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + } + spin_unlock_bh(&bat_priv->tt.changes_list_lock); + ++ tt_extra_len = batadv_tt_len(tt_diff_entries_num - ++ tt_diff_entries_count); ++ + /* Keep the buffer for possible tt_request */ + spin_lock_bh(&bat_priv->tt.last_changeset_lock); + kfree(bat_priv->tt.last_changeset); +@@ -1035,6 +1039,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + tt_change_len = batadv_tt_len(tt_diff_entries_count); + /* check whether this new OGM has no changes due to size problems */ + if (tt_diff_entries_count > 0) { ++ tt_diff_len -= tt_extra_len; + /* if kmalloc() fails we will reply with the full table + * instead of providing the diff + */ +@@ -1047,6 +1052,8 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) + } + spin_unlock_bh(&bat_priv->tt.last_changeset_lock); + ++ /* Remove extra packet space for OGM */ ++ tvlv_len -= tt_extra_len; + container_register: + batadv_tvlv_container_register(bat_priv, BATADV_TVLV_TT, 1, tt_data, + tvlv_len); +-- +2.39.5 + diff --git a/queue-6.12/batman-adv-remove-uninitialized-data-in-full-table-t.patch b/queue-6.12/batman-adv-remove-uninitialized-data-in-full-table-t.patch new file mode 100644 index 00000000000..a6970d669d8 --- /dev/null +++ b/queue-6.12/batman-adv-remove-uninitialized-data-in-full-table-t.patch @@ -0,0 +1,115 @@ +From 0b2ca01bbb9b5123cec64c675eb48cc1214bc775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 16:52:49 +0100 +Subject: batman-adv: Remove uninitialized data in full table TT response + +From: Remi Pommarel + +[ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ] + +The number of entries filled by batadv_tt_tvlv_generate() can be less +than initially expected in batadv_tt_prepare_tvlv_{global,local}_data() +(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence +in the meantime as the lock held during the whole tvlv global/local data +generation). + +Thus tvlv_len could be bigger than the actual TT entry size that need +to be sent so full table TT_RESPONSE could hold invalid TT entries such +as below. + + * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) + * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) + +Remove the extra allocated space to avoid sending uninitialized entries +for full table TT_RESPONSE in both batadv_send_other_tt_response() and +batadv_send_my_tt_response(). + +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 37 ++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index f0590f9bc2b1..bbab7491c83f 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -2754,14 +2754,16 @@ static bool batadv_tt_global_valid(const void *entry_ptr, + * + * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb + * is not provided then this becomes a no-op. ++ * ++ * Return: Remaining unused length in tvlv_buff. + */ +-static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, +- struct batadv_hashtable *hash, +- void *tvlv_buff, u16 tt_len, +- bool (*valid_cb)(const void *, +- const void *, +- u8 *flags), +- void *cb_data) ++static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, ++ struct batadv_hashtable *hash, ++ void *tvlv_buff, u16 tt_len, ++ bool (*valid_cb)(const void *, ++ const void *, ++ u8 *flags), ++ void *cb_data) + { + struct batadv_tt_common_entry *tt_common_entry; + struct batadv_tvlv_tt_change *tt_change; +@@ -2775,7 +2777,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, + tt_change = tvlv_buff; + + if (!valid_cb) +- return; ++ return tt_len; + + rcu_read_lock(); + for (i = 0; i < hash->size; i++) { +@@ -2801,6 +2803,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv, + } + } + rcu_read_unlock(); ++ ++ return batadv_tt_len(tt_tot - tt_num_entries); + } + + /** +@@ -3076,10 +3080,11 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv, + goto out; + + /* fill the rest of the tvlv with the real TT entries */ +- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash, +- tt_change, tt_len, +- batadv_tt_global_valid, +- req_dst_orig_node); ++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv, ++ bat_priv->tt.global_hash, ++ tt_change, tt_len, ++ batadv_tt_global_valid, ++ req_dst_orig_node); + } + + /* Don't send the response, if larger than fragmented packet. */ +@@ -3203,9 +3208,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv, + goto out; + + /* fill the rest of the tvlv with the real TT entries */ +- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash, +- tt_change, tt_len, +- batadv_tt_local_valid, NULL); ++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv, ++ bat_priv->tt.local_hash, ++ tt_change, tt_len, ++ batadv_tt_local_valid, ++ NULL); + } + + tvlv_tt_data->flags = BATADV_TT_RESPONSE; +-- +2.39.5 + diff --git a/queue-6.12/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch b/queue-6.12/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch new file mode 100644 index 00000000000..650cab8ac09 --- /dev/null +++ b/queue-6.12/blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch @@ -0,0 +1,77 @@ +From cbd4b00e15391c5ae95f61b5db20744b74b7cd8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 10:13:29 -0700 +Subject: blk-iocost: Avoid using clamp() on inuse in __propagate_weights() + +From: Nathan Chancellor + +[ Upstream commit 57e420c84f9ab55ba4c5e2ae9c5f6c8e1ea834d2 ] + +After a recent change to clamp() and its variants [1] that increases the +coverage of the check that high is greater than low because it can be +done through inlining, certain build configurations (such as s390 +defconfig) fail to build with clang with: + + block/blk-iocost.c:1101:11: error: call to '__compiletime_assert_557' declared with 'error' attribute: clamp() low limit 1 greater than high limit active + 1101 | inuse = clamp_t(u32, inuse, 1, active); + | ^ + include/linux/minmax.h:218:36: note: expanded from macro 'clamp_t' + 218 | #define clamp_t(type, val, lo, hi) __careful_clamp(type, val, lo, hi) + | ^ + include/linux/minmax.h:195:2: note: expanded from macro '__careful_clamp' + 195 | __clamp_once(type, val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_)) + | ^ + include/linux/minmax.h:188:2: note: expanded from macro '__clamp_once' + 188 | BUILD_BUG_ON_MSG(statically_true(ulo > uhi), \ + | ^ + +__propagate_weights() is called with an active value of zero in +ioc_check_iocgs(), which results in the high value being less than the +low value, which is undefined because the value returned depends on the +order of the comparisons. + +The purpose of this expression is to ensure inuse is not more than +active and at least 1. This could be written more simply with a ternary +expression that uses min(inuse, active) as the condition so that the +value of that condition can be used if it is not zero and one if it is. +Do this conversion to resolve the error and add a comment to deter +people from turning this back into clamp(). + +Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") +Link: https://lore.kernel.org/r/34d53778977747f19cce2abb287bb3e6@AcuMS.aculab.com/ [1] +Suggested-by: David Laight +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/llvm/CA+G9fYsD7mw13wredcZn0L-KBA3yeoVSTuxnss-AEWMN3ha0cA@mail.gmail.com/ +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202412120322.3GfVe3vF-lkp@intel.com/ +Signed-off-by: Nathan Chancellor +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index 384aa15e8260..a5894ec9696e 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1098,7 +1098,14 @@ static void __propagate_weights(struct ioc_gq *iocg, u32 active, u32 inuse, + inuse = DIV64_U64_ROUND_UP(active * iocg->child_inuse_sum, + iocg->child_active_sum); + } else { +- inuse = clamp_t(u32, inuse, 1, active); ++ /* ++ * It may be tempting to turn this into a clamp expression with ++ * a lower limit of 1 but active may be 0, which cannot be used ++ * as an upper limit in that situation. This expression allows ++ * active to clamp inuse unless it is 0, in which case inuse ++ * becomes 1. ++ */ ++ inuse = min(inuse, active) ?: 1; + } + + iocg->last_inuse = iocg->inuse; +-- +2.39.5 + diff --git a/queue-6.12/blk-mq-move-cpuhp-callback-registering-out-of-q-sysf.patch b/queue-6.12/blk-mq-move-cpuhp-callback-registering-out-of-q-sysf.patch new file mode 100644 index 00000000000..4570d8cb818 --- /dev/null +++ b/queue-6.12/blk-mq-move-cpuhp-callback-registering-out-of-q-sysf.patch @@ -0,0 +1,187 @@ +From 1ad7642fb5443445525a974e997da0e77598a57e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:16:07 +0800 +Subject: blk-mq: move cpuhp callback registering out of q->sysfs_lock + +From: Ming Lei + +[ Upstream commit 22465bbac53c821319089016f268a2437de9b00a ] + +Registering and unregistering cpuhp callback requires global cpu hotplug lock, +which is used everywhere. Meantime q->sysfs_lock is used in block layer +almost everywhere. + +It is easy to trigger lockdep warning[1] by connecting the two locks. + +Fix the warning by moving blk-mq's cpuhp callback registering out of +q->sysfs_lock. Add one dedicated global lock for covering registering & +unregistering hctx's cpuhp, and it is safe to do so because hctx is +guaranteed to be live if our request_queue is live. + +[1] https://lore.kernel.org/lkml/Z04pz3AlvI4o0Mr8@agluck-desk3/ + +Cc: Reinette Chatre +Cc: Fenghua Yu +Cc: Peter Newman +Cc: Babu Moger +Reported-by: Luck Tony +Signed-off-by: Ming Lei +Tested-by: Tony Luck +Link: https://lore.kernel.org/r/20241206111611.978870-3-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Stable-dep-of: be26ba96421a ("block: Fix potential deadlock while freezing queue and acquiring sysfs_lock") +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 92 insertions(+), 6 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index b4fba7b398e5..1030875a3e95 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -43,6 +43,7 @@ + + static DEFINE_PER_CPU(struct llist_head, blk_cpu_done); + static DEFINE_PER_CPU(call_single_data_t, blk_cpu_csd); ++static DEFINE_MUTEX(blk_mq_cpuhp_lock); + + static void blk_mq_insert_request(struct request *rq, blk_insert_t flags); + static void blk_mq_request_bypass_insert(struct request *rq, +@@ -3740,13 +3741,91 @@ static int blk_mq_hctx_notify_dead(unsigned int cpu, struct hlist_node *node) + return 0; + } + +-static void blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx) ++static void __blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx) + { +- if (!(hctx->flags & BLK_MQ_F_STACKING)) ++ lockdep_assert_held(&blk_mq_cpuhp_lock); ++ ++ if (!(hctx->flags & BLK_MQ_F_STACKING) && ++ !hlist_unhashed(&hctx->cpuhp_online)) { + cpuhp_state_remove_instance_nocalls(CPUHP_AP_BLK_MQ_ONLINE, + &hctx->cpuhp_online); +- cpuhp_state_remove_instance_nocalls(CPUHP_BLK_MQ_DEAD, +- &hctx->cpuhp_dead); ++ INIT_HLIST_NODE(&hctx->cpuhp_online); ++ } ++ ++ if (!hlist_unhashed(&hctx->cpuhp_dead)) { ++ cpuhp_state_remove_instance_nocalls(CPUHP_BLK_MQ_DEAD, ++ &hctx->cpuhp_dead); ++ INIT_HLIST_NODE(&hctx->cpuhp_dead); ++ } ++} ++ ++static void blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx) ++{ ++ mutex_lock(&blk_mq_cpuhp_lock); ++ __blk_mq_remove_cpuhp(hctx); ++ mutex_unlock(&blk_mq_cpuhp_lock); ++} ++ ++static void __blk_mq_add_cpuhp(struct blk_mq_hw_ctx *hctx) ++{ ++ lockdep_assert_held(&blk_mq_cpuhp_lock); ++ ++ if (!(hctx->flags & BLK_MQ_F_STACKING) && ++ hlist_unhashed(&hctx->cpuhp_online)) ++ cpuhp_state_add_instance_nocalls(CPUHP_AP_BLK_MQ_ONLINE, ++ &hctx->cpuhp_online); ++ ++ if (hlist_unhashed(&hctx->cpuhp_dead)) ++ cpuhp_state_add_instance_nocalls(CPUHP_BLK_MQ_DEAD, ++ &hctx->cpuhp_dead); ++} ++ ++static void __blk_mq_remove_cpuhp_list(struct list_head *head) ++{ ++ struct blk_mq_hw_ctx *hctx; ++ ++ lockdep_assert_held(&blk_mq_cpuhp_lock); ++ ++ list_for_each_entry(hctx, head, hctx_list) ++ __blk_mq_remove_cpuhp(hctx); ++} ++ ++/* ++ * Unregister cpuhp callbacks from exited hw queues ++ * ++ * Safe to call if this `request_queue` is live ++ */ ++static void blk_mq_remove_hw_queues_cpuhp(struct request_queue *q) ++{ ++ LIST_HEAD(hctx_list); ++ ++ spin_lock(&q->unused_hctx_lock); ++ list_splice_init(&q->unused_hctx_list, &hctx_list); ++ spin_unlock(&q->unused_hctx_lock); ++ ++ mutex_lock(&blk_mq_cpuhp_lock); ++ __blk_mq_remove_cpuhp_list(&hctx_list); ++ mutex_unlock(&blk_mq_cpuhp_lock); ++ ++ spin_lock(&q->unused_hctx_lock); ++ list_splice(&hctx_list, &q->unused_hctx_list); ++ spin_unlock(&q->unused_hctx_lock); ++} ++ ++/* ++ * Register cpuhp callbacks from all hw queues ++ * ++ * Safe to call if this `request_queue` is live ++ */ ++static void blk_mq_add_hw_queues_cpuhp(struct request_queue *q) ++{ ++ struct blk_mq_hw_ctx *hctx; ++ unsigned long i; ++ ++ mutex_lock(&blk_mq_cpuhp_lock); ++ queue_for_each_hw_ctx(q, hctx, i) ++ __blk_mq_add_cpuhp(hctx); ++ mutex_unlock(&blk_mq_cpuhp_lock); + } + + /* +@@ -3797,8 +3876,6 @@ static void blk_mq_exit_hctx(struct request_queue *q, + if (set->ops->exit_hctx) + set->ops->exit_hctx(hctx, hctx_idx); + +- blk_mq_remove_cpuhp(hctx); +- + xa_erase(&q->hctx_table, hctx_idx); + + spin_lock(&q->unused_hctx_lock); +@@ -3815,6 +3892,7 @@ static void blk_mq_exit_hw_queues(struct request_queue *q, + queue_for_each_hw_ctx(q, hctx, i) { + if (i == nr_queue) + break; ++ blk_mq_remove_cpuhp(hctx); + blk_mq_exit_hctx(q, set, hctx, i); + } + } +@@ -3878,6 +3956,8 @@ blk_mq_alloc_hctx(struct request_queue *q, struct blk_mq_tag_set *set, + INIT_DELAYED_WORK(&hctx->run_work, blk_mq_run_work_fn); + spin_lock_init(&hctx->lock); + INIT_LIST_HEAD(&hctx->dispatch); ++ INIT_HLIST_NODE(&hctx->cpuhp_dead); ++ INIT_HLIST_NODE(&hctx->cpuhp_online); + hctx->queue = q; + hctx->flags = set->flags & ~BLK_MQ_F_TAG_QUEUE_SHARED; + +@@ -4416,6 +4496,12 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set, + xa_for_each_start(&q->hctx_table, j, hctx, j) + blk_mq_exit_hctx(q, set, hctx, j); + mutex_unlock(&q->sysfs_lock); ++ ++ /* unregister cpuhp callbacks for exited hctxs */ ++ blk_mq_remove_hw_queues_cpuhp(q); ++ ++ /* register cpuhp for new initialized hctxs */ ++ blk_mq_add_hw_queues_cpuhp(q); + } + + int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, +-- +2.39.5 + diff --git a/queue-6.12/block-fix-potential-deadlock-while-freezing-queue-an.patch b/queue-6.12/block-fix-potential-deadlock-while-freezing-queue-an.patch new file mode 100644 index 00000000000..494937401c8 --- /dev/null +++ b/queue-6.12/block-fix-potential-deadlock-while-freezing-queue-an.patch @@ -0,0 +1,334 @@ +From 1c427ba428d7f4a51f1d5a99a1630de483029251 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 20:11:43 +0530 +Subject: block: Fix potential deadlock while freezing queue and acquiring + sysfs_lock + +From: Nilay Shroff + +[ Upstream commit be26ba96421ab0a8fa2055ccf7db7832a13c44d2 ] + +For storing a value to a queue attribute, the queue_attr_store function +first freezes the queue (->q_usage_counter(io)) and then acquire +->sysfs_lock. This seems not correct as the usual ordering should be to +acquire ->sysfs_lock before freezing the queue. This incorrect ordering +causes the following lockdep splat which we are able to reproduce always +simply by accessing /sys/kernel/debug file using ls command: + +[ 57.597146] WARNING: possible circular locking dependency detected +[ 57.597154] 6.12.0-10553-gb86545e02e8c #20 Tainted: G W +[ 57.597162] ------------------------------------------------------ +[ 57.597168] ls/4605 is trying to acquire lock: +[ 57.597176] c00000003eb56710 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0x58/0xc0 +[ 57.597200] + but task is already holding lock: +[ 57.597207] c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4 +[ 57.597226] + which lock already depends on the new lock. + +[ 57.597233] + the existing dependency chain (in reverse order) is: +[ 57.597241] + -> #5 (&sb->s_type->i_mutex_key#3){++++}-{4:4}: +[ 57.597255] down_write+0x6c/0x18c +[ 57.597264] start_creating+0xb4/0x24c +[ 57.597274] debugfs_create_dir+0x2c/0x1e8 +[ 57.597283] blk_register_queue+0xec/0x294 +[ 57.597292] add_disk_fwnode+0x2e4/0x548 +[ 57.597302] brd_alloc+0x2c8/0x338 +[ 57.597309] brd_init+0x100/0x178 +[ 57.597317] do_one_initcall+0x88/0x3e4 +[ 57.597326] kernel_init_freeable+0x3cc/0x6e0 +[ 57.597334] kernel_init+0x34/0x1cc +[ 57.597342] ret_from_kernel_user_thread+0x14/0x1c +[ 57.597350] + -> #4 (&q->debugfs_mutex){+.+.}-{4:4}: +[ 57.597362] __mutex_lock+0xfc/0x12a0 +[ 57.597370] blk_register_queue+0xd4/0x294 +[ 57.597379] add_disk_fwnode+0x2e4/0x548 +[ 57.597388] brd_alloc+0x2c8/0x338 +[ 57.597395] brd_init+0x100/0x178 +[ 57.597402] do_one_initcall+0x88/0x3e4 +[ 57.597410] kernel_init_freeable+0x3cc/0x6e0 +[ 57.597418] kernel_init+0x34/0x1cc +[ 57.597426] ret_from_kernel_user_thread+0x14/0x1c +[ 57.597434] + -> #3 (&q->sysfs_lock){+.+.}-{4:4}: +[ 57.597446] __mutex_lock+0xfc/0x12a0 +[ 57.597454] queue_attr_store+0x9c/0x110 +[ 57.597462] sysfs_kf_write+0x70/0xb0 +[ 57.597471] kernfs_fop_write_iter+0x1b0/0x2ac +[ 57.597480] vfs_write+0x3dc/0x6e8 +[ 57.597488] ksys_write+0x84/0x140 +[ 57.597495] system_call_exception+0x130/0x360 +[ 57.597504] system_call_common+0x160/0x2c4 +[ 57.597516] + -> #2 (&q->q_usage_counter(io)#21){++++}-{0:0}: +[ 57.597530] __submit_bio+0x5ec/0x828 +[ 57.597538] submit_bio_noacct_nocheck+0x1e4/0x4f0 +[ 57.597547] iomap_readahead+0x2a0/0x448 +[ 57.597556] xfs_vm_readahead+0x28/0x3c +[ 57.597564] read_pages+0x88/0x41c +[ 57.597571] page_cache_ra_unbounded+0x1ac/0x2d8 +[ 57.597580] filemap_get_pages+0x188/0x984 +[ 57.597588] filemap_read+0x13c/0x4bc +[ 57.597596] xfs_file_buffered_read+0x88/0x17c +[ 57.597605] xfs_file_read_iter+0xac/0x158 +[ 57.597614] vfs_read+0x2d4/0x3b4 +[ 57.597622] ksys_read+0x84/0x144 +[ 57.597629] system_call_exception+0x130/0x360 +[ 57.597637] system_call_common+0x160/0x2c4 +[ 57.597647] + -> #1 (mapping.invalidate_lock#2){++++}-{4:4}: +[ 57.597661] down_read+0x6c/0x220 +[ 57.597669] filemap_fault+0x870/0x100c +[ 57.597677] xfs_filemap_fault+0xc4/0x18c +[ 57.597684] __do_fault+0x64/0x164 +[ 57.597693] __handle_mm_fault+0x1274/0x1dac +[ 57.597702] handle_mm_fault+0x248/0x484 +[ 57.597711] ___do_page_fault+0x428/0xc0c +[ 57.597719] hash__do_page_fault+0x30/0x68 +[ 57.597727] do_hash_fault+0x90/0x35c +[ 57.597736] data_access_common_virt+0x210/0x220 +[ 57.597745] _copy_from_user+0xf8/0x19c +[ 57.597754] sel_write_load+0x178/0xd54 +[ 57.597762] vfs_write+0x108/0x6e8 +[ 57.597769] ksys_write+0x84/0x140 +[ 57.597777] system_call_exception+0x130/0x360 +[ 57.597785] system_call_common+0x160/0x2c4 +[ 57.597794] + -> #0 (&mm->mmap_lock){++++}-{4:4}: +[ 57.597806] __lock_acquire+0x17cc/0x2330 +[ 57.597814] lock_acquire+0x138/0x400 +[ 57.597822] __might_fault+0x7c/0xc0 +[ 57.597830] filldir64+0xe8/0x390 +[ 57.597839] dcache_readdir+0x80/0x2d4 +[ 57.597846] iterate_dir+0xd8/0x1d4 +[ 57.597855] sys_getdents64+0x88/0x2d4 +[ 57.597864] system_call_exception+0x130/0x360 +[ 57.597872] system_call_common+0x160/0x2c4 +[ 57.597881] + other info that might help us debug this: + +[ 57.597888] Chain exists of: + &mm->mmap_lock --> &q->debugfs_mutex --> &sb->s_type->i_mutex_key#3 + +[ 57.597905] Possible unsafe locking scenario: + +[ 57.597911] CPU0 CPU1 +[ 57.597917] ---- ---- +[ 57.597922] rlock(&sb->s_type->i_mutex_key#3); +[ 57.597932] lock(&q->debugfs_mutex); +[ 57.597940] lock(&sb->s_type->i_mutex_key#3); +[ 57.597950] rlock(&mm->mmap_lock); +[ 57.597958] + *** DEADLOCK *** + +[ 57.597965] 2 locks held by ls/4605: +[ 57.597971] #0: c0000000137c12f8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0xcc/0x154 +[ 57.597989] #1: c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4 + +Prevent the above lockdep warning by acquiring ->sysfs_lock before +freezing the queue while storing a queue attribute in queue_attr_store +function. Later, we also found[1] another function __blk_mq_update_nr_ +hw_queues where we first freeze queue and then acquire the ->sysfs_lock. +So we've also updated lock ordering in __blk_mq_update_nr_hw_queues +function and ensured that in all code paths we follow the correct lock +ordering i.e. acquire ->sysfs_lock before freezing the queue. + +[1] https://lore.kernel.org/all/CAFj5m9Ke8+EHKQBs_Nk6hqd=LGXtk4mUxZUN5==ZcCjnZSBwHw@mail.gmail.com/ + +Reported-by: kjain@linux.ibm.com +Fixes: af2814149883 ("block: freeze the queue in queue_attr_store") +Tested-by: kjain@linux.ibm.com +Cc: hch@lst.de +Cc: axboe@kernel.dk +Cc: ritesh.list@gmail.com +Cc: ming.lei@redhat.com +Cc: gjoyce@linux.ibm.com +Signed-off-by: Nilay Shroff +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20241210144222.1066229-1-nilay@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sysfs.c | 16 ++++++---------- + block/blk-mq.c | 29 ++++++++++++++++++----------- + block/blk-sysfs.c | 4 ++-- + 3 files changed, 26 insertions(+), 23 deletions(-) + +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c +index 156e9bb07abf..cd5ea6eaa76b 100644 +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -275,15 +275,13 @@ void blk_mq_sysfs_unregister_hctxs(struct request_queue *q) + struct blk_mq_hw_ctx *hctx; + unsigned long i; + +- mutex_lock(&q->sysfs_dir_lock); ++ lockdep_assert_held(&q->sysfs_dir_lock); ++ + if (!q->mq_sysfs_init_done) +- goto unlock; ++ return; + + queue_for_each_hw_ctx(q, hctx, i) + blk_mq_unregister_hctx(hctx); +- +-unlock: +- mutex_unlock(&q->sysfs_dir_lock); + } + + int blk_mq_sysfs_register_hctxs(struct request_queue *q) +@@ -292,9 +290,10 @@ int blk_mq_sysfs_register_hctxs(struct request_queue *q) + unsigned long i; + int ret = 0; + +- mutex_lock(&q->sysfs_dir_lock); ++ lockdep_assert_held(&q->sysfs_dir_lock); ++ + if (!q->mq_sysfs_init_done) +- goto unlock; ++ return ret; + + queue_for_each_hw_ctx(q, hctx, i) { + ret = blk_mq_register_hctx(hctx); +@@ -302,8 +301,5 @@ int blk_mq_sysfs_register_hctxs(struct request_queue *q) + break; + } + +-unlock: +- mutex_unlock(&q->sysfs_dir_lock); +- + return ret; + } +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 1030875a3e95..cc1b32023838 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -4462,7 +4462,8 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set, + unsigned long i, j; + + /* protect against switching io scheduler */ +- mutex_lock(&q->sysfs_lock); ++ lockdep_assert_held(&q->sysfs_lock); ++ + for (i = 0; i < set->nr_hw_queues; i++) { + int old_node; + int node = blk_mq_get_hctx_node(set, i); +@@ -4495,7 +4496,6 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set, + + xa_for_each_start(&q->hctx_table, j, hctx, j) + blk_mq_exit_hctx(q, set, hctx, j); +- mutex_unlock(&q->sysfs_lock); + + /* unregister cpuhp callbacks for exited hctxs */ + blk_mq_remove_hw_queues_cpuhp(q); +@@ -4527,10 +4527,14 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, + + xa_init(&q->hctx_table); + ++ mutex_lock(&q->sysfs_lock); ++ + blk_mq_realloc_hw_ctxs(set, q); + if (!q->nr_hw_queues) + goto err_hctxs; + ++ mutex_unlock(&q->sysfs_lock); ++ + INIT_WORK(&q->timeout_work, blk_mq_timeout_work); + blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ); + +@@ -4549,6 +4553,7 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, + return 0; + + err_hctxs: ++ mutex_unlock(&q->sysfs_lock); + blk_mq_release(q); + err_exit: + q->mq_ops = NULL; +@@ -4929,12 +4934,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + return false; + + /* q->elevator needs protection from ->sysfs_lock */ +- mutex_lock(&q->sysfs_lock); ++ lockdep_assert_held(&q->sysfs_lock); + + /* the check has to be done with holding sysfs_lock */ + if (!q->elevator) { + kfree(qe); +- goto unlock; ++ goto out; + } + + INIT_LIST_HEAD(&qe->node); +@@ -4944,9 +4949,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + __elevator_get(qe->type); + list_add(&qe->node, head); + elevator_disable(q); +-unlock: +- mutex_unlock(&q->sysfs_lock); +- ++out: + return true; + } + +@@ -4975,11 +4978,9 @@ static void blk_mq_elv_switch_back(struct list_head *head, + list_del(&qe->node); + kfree(qe); + +- mutex_lock(&q->sysfs_lock); + elevator_switch(q, t); + /* drop the reference acquired in blk_mq_elv_switch_none */ + elevator_put(t); +- mutex_unlock(&q->sysfs_lock); + } + + static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set, +@@ -4999,8 +5000,11 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set, + if (set->nr_maps == 1 && nr_hw_queues == set->nr_hw_queues) + return; + +- list_for_each_entry(q, &set->tag_list, tag_set_list) ++ list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ mutex_lock(&q->sysfs_dir_lock); ++ mutex_lock(&q->sysfs_lock); + blk_mq_freeze_queue(q); ++ } + /* + * Switch IO scheduler to 'none', cleaning up the data associated + * with the previous scheduler. We will switch back once we are done +@@ -5056,8 +5060,11 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set, + list_for_each_entry(q, &set->tag_list, tag_set_list) + blk_mq_elv_switch_back(&head, q); + +- list_for_each_entry(q, &set->tag_list, tag_set_list) ++ list_for_each_entry(q, &set->tag_list, tag_set_list) { + blk_mq_unfreeze_queue(q); ++ mutex_unlock(&q->sysfs_lock); ++ mutex_unlock(&q->sysfs_dir_lock); ++ } + + /* Free the excess tags when nr_hw_queues shrink. */ + for (i = set->nr_hw_queues; i < prev_nr_hw_queues; i++) +diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c +index 207577145c54..42c2cb97d778 100644 +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -690,11 +690,11 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, + return res; + } + +- blk_mq_freeze_queue(q); + mutex_lock(&q->sysfs_lock); ++ blk_mq_freeze_queue(q); + res = entry->store(disk, page, length); +- mutex_unlock(&q->sysfs_lock); + blk_mq_unfreeze_queue(q); ++ mutex_unlock(&q->sysfs_lock); + return res; + } + +-- +2.39.5 + diff --git a/queue-6.12/block-get-wp_offset-by-bdev_offset_from_zone_start.patch b/queue-6.12/block-get-wp_offset-by-bdev_offset_from_zone_start.patch new file mode 100644 index 00000000000..28ba6b937ad --- /dev/null +++ b/queue-6.12/block-get-wp_offset-by-bdev_offset_from_zone_start.patch @@ -0,0 +1,38 @@ +From 042d8ff457039fc227e730d8680c6349d77c5853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:04:41 +0800 +Subject: block: get wp_offset by bdev_offset_from_zone_start + +From: LongPing Wei + +[ Upstream commit 790eb09e59709a1ffc1c64fe4aae2789120851b0 ] + +Call bdev_offset_from_zone_start() instead of open-coding it. + +Fixes: dd291d77cc90 ("block: Introduce zone write plugging") +Signed-off-by: LongPing Wei +Reviewed-by: Damien Le Moal +Reviewed-by: Bart Van Assche +Link: https://lore.kernel.org/r/20241107020439.1644577-1-weilongping@oppo.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index 6d21693f39b7..767bcbce74fa 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -568,7 +568,7 @@ static struct blk_zone_wplug *disk_get_and_lock_zone_wplug(struct gendisk *disk, + spin_lock_init(&zwplug->lock); + zwplug->flags = 0; + zwplug->zone_no = zno; +- zwplug->wp_offset = sector & (disk->queue->limits.chunk_sectors - 1); ++ zwplug->wp_offset = bdev_offset_from_zone_start(disk->part0, sector); + bio_list_init(&zwplug->bio_list); + INIT_WORK(&zwplug->bio_work, blk_zone_wplug_bio_work); + zwplug->disk = disk; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-btmtk-avoid-uaf-in-btmtk_process_coredump.patch b/queue-6.12/bluetooth-btmtk-avoid-uaf-in-btmtk_process_coredump.patch new file mode 100644 index 00000000000..052f0c5f74a --- /dev/null +++ b/queue-6.12/bluetooth-btmtk-avoid-uaf-in-btmtk_process_coredump.patch @@ -0,0 +1,141 @@ +From 9428deadcea2e8b992f9120ee0c64f652bcde0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 16:36:10 -0300 +Subject: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit b548f5e9456c568155499d9ebac675c0d7a296e8 ] + +hci_devcd_append may lead to the release of the skb, so it cannot be +accessed once it is called. + +================================================================== +BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk] +Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82 + +CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c +Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024 +Workqueue: events btusb_rx_work [btusb] +Call Trace: + + dump_stack_lvl+0xfd/0x150 + print_report+0x131/0x780 + kasan_report+0x177/0x1c0 + btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01] + btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] + btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec] + worker_thread+0xe44/0x2cc0 + kthread+0x2ff/0x3a0 + ret_from_fork+0x51/0x80 + ret_from_fork_asm+0x1b/0x30 + + +Allocated by task 82: + stack_trace_save+0xdc/0x190 + kasan_set_track+0x4e/0x80 + __kasan_slab_alloc+0x4e/0x60 + kmem_cache_alloc+0x19f/0x360 + skb_clone+0x132/0xf70 + btusb_recv_acl_mtk+0x104/0x1a0 [btusb] + btusb_rx_work+0x9e/0xe0 [btusb] + worker_thread+0xe44/0x2cc0 + kthread+0x2ff/0x3a0 + ret_from_fork+0x51/0x80 + ret_from_fork_asm+0x1b/0x30 + +Freed by task 1733: + stack_trace_save+0xdc/0x190 + kasan_set_track+0x4e/0x80 + kasan_save_free_info+0x28/0xb0 + ____kasan_slab_free+0xfd/0x170 + kmem_cache_free+0x183/0x3f0 + hci_devcd_rx+0x91a/0x2060 [bluetooth] + worker_thread+0xe44/0x2cc0 + kthread+0x2ff/0x3a0 + ret_from_fork+0x51/0x80 + ret_from_fork_asm+0x1b/0x30 + +The buggy address belongs to the object at ffff888033cfab40 + which belongs to the cache skbuff_head_cache of size 232 +The buggy address is located 112 bytes inside of + freed 232-byte region [ffff888033cfab40, ffff888033cfac28) + +The buggy address belongs to the physical page: +page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa +head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0x4000000000000840(slab|head|zone=1) +page_type: 0xffffffff() +raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001 +raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc + ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb +>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc + ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Check if we need to call hci_devcd_complete before calling +hci_devcd_append. That requires that we check data->cd_info.cnt >= +MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we +increment data->cd_info.cnt only once the call to hci_devcd_append +succeeds. + +Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtk.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c +index 480e4adba9fa..85e99641eaae 100644 +--- a/drivers/bluetooth/btmtk.c ++++ b/drivers/bluetooth/btmtk.c +@@ -395,6 +395,7 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb) + { + struct btmtk_data *data = hci_get_priv(hdev); + int err; ++ bool complete = false; + + if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) { + kfree_skb(skb); +@@ -416,19 +417,22 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb) + fallthrough; + case HCI_DEVCOREDUMP_ACTIVE: + default: ++ /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */ ++ if (data->cd_info.cnt >= MTK_COREDUMP_NUM && ++ skb->len > MTK_COREDUMP_END_LEN) ++ if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN], ++ MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) ++ complete = true; ++ + err = hci_devcd_append(hdev, skb); + if (err < 0) + break; + data->cd_info.cnt++; + +- /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */ +- if (data->cd_info.cnt > MTK_COREDUMP_NUM && +- skb->len > MTK_COREDUMP_END_LEN) +- if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN], +- MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) { +- bt_dev_info(hdev, "Mediatek coredump end"); +- hci_devcd_complete(hdev); +- } ++ if (complete) { ++ bt_dev_info(hdev, "Mediatek coredump end"); ++ hci_devcd_complete(hdev); ++ } + + break; + } +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch b/queue-6.12/bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch new file mode 100644 index 00000000000..d4daa27589f --- /dev/null +++ b/queue-6.12/bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch @@ -0,0 +1,89 @@ +From 1f2cf2487b4fe4f3ae42a30bb04ed48697d8ca12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 11:40:59 -0500 +Subject: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating + +From: Luiz Augusto von Dentz + +[ Upstream commit 581dd2dc168fe0ed2a7a5534a724f0d3751c93ae ] + +The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is +not safe since for the most part entries fetched this way shall be +treated as rcu_dereference: + + Note that the value returned by rcu_dereference() is valid + only within the enclosing RCU read-side critical section [1]_. + For example, the following is **not** legal:: + + rcu_read_lock(); + p = rcu_dereference(head.next); + rcu_read_unlock(); + x = p->address; /* BUG!!! */ + rcu_read_lock(); + y = p->data; /* BUG!!! */ + rcu_read_unlock(); + +Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 33 +++++++++++---------------------- + 1 file changed, 11 insertions(+), 22 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 2b5ba8acd1d8..388d46c6a043 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6872,38 +6872,27 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, + return; + + hci_dev_lock(hdev); +- rcu_read_lock(); + + /* Connect all BISes that are bound to the BIG */ +- list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { +- if (bacmp(&conn->dst, BDADDR_ANY) || +- conn->type != ISO_LINK || +- conn->iso_qos.bcast.big != ev->handle) ++ while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle, ++ BT_BOUND))) { ++ if (ev->status) { ++ hci_connect_cfm(conn, ev->status); ++ hci_conn_del(conn); + continue; ++ } + + if (hci_conn_set_handle(conn, + __le16_to_cpu(ev->bis_handle[i++]))) + continue; + +- if (!ev->status) { +- conn->state = BT_CONNECTED; +- set_bit(HCI_CONN_BIG_CREATED, &conn->flags); +- rcu_read_unlock(); +- hci_debugfs_create_conn(conn); +- hci_conn_add_sysfs(conn); +- hci_iso_setup_path(conn); +- rcu_read_lock(); +- continue; +- } +- +- hci_connect_cfm(conn, ev->status); +- rcu_read_unlock(); +- hci_conn_del(conn); +- rcu_read_lock(); ++ conn->state = BT_CONNECTED; ++ set_bit(HCI_CONN_BIG_CREATED, &conn->flags); ++ hci_debugfs_create_conn(conn); ++ hci_conn_add_sysfs(conn); ++ hci_iso_setup_path(conn); + } + +- rcu_read_unlock(); +- + if (!ev->status && !i) + /* If no BISes have been connected for the BIG, + * terminate. This is in case all bound connections +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-improve-setsockopt-handling-of-malformed-u.patch b/queue-6.12/bluetooth-improve-setsockopt-handling-of-malformed-u.patch new file mode 100644 index 00000000000..9fba9e7e1bf --- /dev/null +++ b/queue-6.12/bluetooth-improve-setsockopt-handling-of-malformed-u.patch @@ -0,0 +1,338 @@ +From 3aa11cd5a6144dba244630540f34ca73d7beb29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 14:31:40 +0100 +Subject: Bluetooth: Improve setsockopt() handling of malformed user input + +From: Michal Luczaj + +[ Upstream commit 3e643e4efa1e87432204b62f9cfdea3b2508c830 ] + +The bt_copy_from_sockptr() return value is being misinterpreted by most +users: a non-zero result is mistakenly assumed to represent an error code, +but actually indicates the number of bytes that could not be copied. + +Remove bt_copy_from_sockptr() and adapt callers to use +copy_safe_from_sockptr(). + +For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to +scrub parts of uninitialized buffer. + +Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old() +and hci_sock_setsockopt(). + +Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input") +Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input") +Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input") +Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input") +Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input") +Reviewed-by: Luiz Augusto von Dentz +Reviewed-by: David Wei +Signed-off-by: Michal Luczaj +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 9 --------- + net/bluetooth/hci_sock.c | 14 +++++++------- + net/bluetooth/iso.c | 10 +++++----- + net/bluetooth/l2cap_sock.c | 20 +++++++++++--------- + net/bluetooth/rfcomm/sock.c | 9 ++++----- + net/bluetooth/sco.c | 11 ++++++----- + 6 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index f66bc85c6411..e6760c11f007 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -590,15 +590,6 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, + return skb; + } + +-static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, +- sockptr_t src, size_t src_size) +-{ +- if (dst_size > src_size) +- return -EINVAL; +- +- return copy_from_sockptr(dst, src, dst_size); +-} +- + int bt_to_errno(u16 code); + __u8 bt_status(int err); + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 2272e1849ebd..022b86797acd 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -1926,7 +1926,7 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg, + } + + static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, +- sockptr_t optval, unsigned int len) ++ sockptr_t optval, unsigned int optlen) + { + struct hci_ufilter uf = { .opcode = 0 }; + struct sock *sk = sock->sk; +@@ -1943,7 +1943,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + + switch (optname) { + case HCI_DATA_DIR: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1954,7 +1954,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + break; + + case HCI_TIME_STAMP: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1974,7 +1974,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + +- err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len); ++ err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen); + if (err) + break; + +@@ -2005,7 +2005,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname, + } + + static int hci_sock_setsockopt(struct socket *sock, int level, int optname, +- sockptr_t optval, unsigned int len) ++ sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; + int err = 0; +@@ -2015,7 +2015,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, + + if (level == SOL_HCI) + return hci_sock_setsockopt_old(sock, level, optname, optval, +- len); ++ optlen); + + if (level != SOL_BLUETOOTH) + return -ENOPROTOOPT; +@@ -2035,7 +2035,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, + goto done; + } + +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 5e2d9758bd3c..7212fd6047b9 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1566,7 +1566,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1577,7 +1577,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_PKT_STATUS: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1596,7 +1596,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen); ++ err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen); + if (err) + break; + +@@ -1617,8 +1617,8 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, +- optlen); ++ err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval, ++ optlen); + if (err) + break; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 18e89e764f3b..3d2553dcdb1b 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -755,7 +755,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + opts.max_tx = chan->max_tx; + opts.txwin_size = chan->tx_win; + +- err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen); ++ err = copy_safe_from_sockptr(&opts, sizeof(opts), optval, ++ optlen); + if (err) + break; + +@@ -800,7 +801,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, + break; + + case L2CAP_LM: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -909,7 +910,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) + break; + +@@ -956,7 +957,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -970,7 +971,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_FLUSHABLE: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1004,7 +1005,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + + pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; + +- err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen); ++ err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen); + if (err) + break; + +@@ -1015,7 +1016,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_CHANNEL_POLICY: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -1046,7 +1047,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen); ++ err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen); + if (err) + break; + +@@ -1076,7 +1077,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen); ++ err = copy_safe_from_sockptr(&mode, sizeof(mode), optval, ++ optlen); + if (err) + break; + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 40766f8119ed..913402806fa0 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -629,10 +629,9 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, + + switch (optname) { + case RFCOMM_LM: +- if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { +- err = -EFAULT; ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt & RFCOMM_LM_FIPS) { + err = -EINVAL; +@@ -685,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, + + sec.level = BT_SECURITY_LOW; + +- err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) + break; + +@@ -703,7 +702,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 1c7252a36866..700abb639a55 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -853,7 +853,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -872,8 +872,8 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + + voice.setting = sco_pi(sk)->setting; + +- err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, +- optlen); ++ err = copy_safe_from_sockptr(&voice, sizeof(voice), optval, ++ optlen); + if (err) + break; + +@@ -898,7 +898,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + + case BT_PKT_STATUS: +- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) + break; + +@@ -941,7 +941,8 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- err = bt_copy_from_sockptr(buffer, optlen, optval, optlen); ++ err = copy_struct_from_sockptr(buffer, sizeof(buffer), optval, ++ optlen); + if (err) { + hci_dev_put(hdev); + break; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-iso-always-release-hdev-at-the-end-of-iso_.patch b/queue-6.12/bluetooth-iso-always-release-hdev-at-the-end-of-iso_.patch new file mode 100644 index 00000000000..948bc8af1a0 --- /dev/null +++ b/queue-6.12/bluetooth-iso-always-release-hdev-at-the-end-of-iso_.patch @@ -0,0 +1,40 @@ +From b54dc682a0d0296ea3729759e4dbc323e6e30db1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:28:48 +0200 +Subject: Bluetooth: iso: Always release hdev at the end of iso_listen_bis + +From: Iulia Tanasescu + +[ Upstream commit 9c76fff747a73ba01d1d87ed53dd9c00cb40ba05 ] + +Since hci_get_route holds the device before returning, the hdev +should be released with hci_dev_put at the end of iso_listen_bis +even if the function returns with an error. + +Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk") +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 7212fd6047b9..34eade4b0587 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1158,10 +1158,9 @@ static int iso_listen_bis(struct sock *sk) + goto unlock; + } + +- hci_dev_put(hdev); +- + unlock: + hci_dev_unlock(hdev); ++ hci_dev_put(hdev); + return err; + } + +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_conn_big_sync.patch b/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_conn_big_sync.patch new file mode 100644 index 00000000000..f395e54be21 --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_conn_big_sync.patch @@ -0,0 +1,182 @@ +From 76eee9f0fc7d5ca13db482035c9db20d5eb1458f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 11:42:18 +0200 +Subject: Bluetooth: iso: Fix circular lock in iso_conn_big_sync + +From: Iulia Tanasescu + +[ Upstream commit 7a17308c17880d259105f6e591eb1bc77b9612f0 ] + +This fixes the circular locking dependency warning below, by reworking +iso_sock_recvmsg, to ensure that the socket lock is always released +before calling a function that locks hdev. + +[ 561.670344] ====================================================== +[ 561.670346] WARNING: possible circular locking dependency detected +[ 561.670349] 6.12.0-rc6+ #26 Not tainted +[ 561.670351] ------------------------------------------------------ +[ 561.670353] iso-tester/3289 is trying to acquire lock: +[ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3}, + at: iso_conn_big_sync+0x73/0x260 [bluetooth] +[ 561.670405] + but task is already holding lock: +[ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, + at: iso_sock_recvmsg+0xbf/0x500 [bluetooth] +[ 561.670450] + which lock already depends on the new lock. + +[ 561.670452] + the existing dependency chain (in reverse order) is: +[ 561.670453] + -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: +[ 561.670458] lock_acquire+0x7c/0xc0 +[ 561.670463] lock_sock_nested+0x3b/0xf0 +[ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth] +[ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth] +[ 561.670547] do_accept+0x3dd/0x610 +[ 561.670550] __sys_accept4+0xd8/0x170 +[ 561.670553] __x64_sys_accept+0x74/0xc0 +[ 561.670556] x64_sys_call+0x17d6/0x25f0 +[ 561.670559] do_syscall_64+0x87/0x150 +[ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 561.670567] + -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: +[ 561.670571] lock_acquire+0x7c/0xc0 +[ 561.670574] lock_sock_nested+0x3b/0xf0 +[ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth] +[ 561.670617] __sys_listen_socket+0xef/0x130 +[ 561.670620] __x64_sys_listen+0xe1/0x190 +[ 561.670623] x64_sys_call+0x2517/0x25f0 +[ 561.670626] do_syscall_64+0x87/0x150 +[ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 561.670632] + -> #0 (&hdev->lock){+.+.}-{3:3}: +[ 561.670636] __lock_acquire+0x32ad/0x6ab0 +[ 561.670639] lock_acquire.part.0+0x118/0x360 +[ 561.670642] lock_acquire+0x7c/0xc0 +[ 561.670644] __mutex_lock+0x18d/0x12f0 +[ 561.670647] mutex_lock_nested+0x1b/0x30 +[ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth] +[ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth] +[ 561.670722] sock_recvmsg+0x1d5/0x240 +[ 561.670725] sock_read_iter+0x27d/0x470 +[ 561.670727] vfs_read+0x9a0/0xd30 +[ 561.670731] ksys_read+0x1a8/0x250 +[ 561.670733] __x64_sys_read+0x72/0xc0 +[ 561.670736] x64_sys_call+0x1b12/0x25f0 +[ 561.670738] do_syscall_64+0x87/0x150 +[ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 561.670744] + other info that might help us debug this: + +[ 561.670745] Chain exists of: +&hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH + +[ 561.670751] Possible unsafe locking scenario: + +[ 561.670753] CPU0 CPU1 +[ 561.670754] ---- ---- +[ 561.670756] lock(sk_lock-AF_BLUETOOTH); +[ 561.670758] lock(sk_lock + AF_BLUETOOTH-BTPROTO_ISO); +[ 561.670761] lock(sk_lock-AF_BLUETOOTH); +[ 561.670764] lock(&hdev->lock); +[ 561.670767] + *** DEADLOCK *** + +Fixes: 07a9342b94a9 ("Bluetooth: ISO: Send BIG Create Sync via hci_sync") +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 34 +++++++++++++++++++++++++++------- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 809e88fd3fcb..644b606743e2 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1411,6 +1411,7 @@ static void iso_conn_big_sync(struct sock *sk) + * change. + */ + hci_dev_lock(hdev); ++ lock_sock(sk); + + if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) { + err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon, +@@ -1423,6 +1424,7 @@ static void iso_conn_big_sync(struct sock *sk) + err); + } + ++ release_sock(sk); + hci_dev_unlock(hdev); + } + +@@ -1431,39 +1433,57 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, + { + struct sock *sk = sock->sk; + struct iso_pinfo *pi = iso_pi(sk); ++ bool early_ret = false; ++ int err = 0; + + BT_DBG("sk %p", sk); + + if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { ++ sock_hold(sk); + lock_sock(sk); ++ + switch (sk->sk_state) { + case BT_CONNECT2: + if (test_bit(BT_SK_PA_SYNC, &pi->flags)) { ++ release_sock(sk); + iso_conn_big_sync(sk); ++ lock_sock(sk); ++ + sk->sk_state = BT_LISTEN; + } else { + iso_conn_defer_accept(pi->conn->hcon); + sk->sk_state = BT_CONFIG; + } +- release_sock(sk); +- return 0; ++ ++ early_ret = true; ++ break; + case BT_CONNECTED: + if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) { ++ release_sock(sk); + iso_conn_big_sync(sk); ++ lock_sock(sk); ++ + sk->sk_state = BT_LISTEN; +- release_sock(sk); +- return 0; ++ early_ret = true; + } + +- release_sock(sk); + break; + case BT_CONNECT: + release_sock(sk); +- return iso_connect_cis(sk); ++ err = iso_connect_cis(sk); ++ lock_sock(sk); ++ ++ early_ret = true; ++ break; + default: +- release_sock(sk); + break; + } ++ ++ release_sock(sk); ++ sock_put(sk); ++ ++ if (early_ret) ++ return err; + } + + return bt_sock_recvmsg(sock, msg, len, flags); +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_listen_bis.patch b/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_listen_bis.patch new file mode 100644 index 00000000000..42413266a2e --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-circular-lock-in-iso_listen_bis.patch @@ -0,0 +1,146 @@ +From f634a7bec5f43ceafcb5113d11d96a58d62f646a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 11:42:17 +0200 +Subject: Bluetooth: iso: Fix circular lock in iso_listen_bis + +From: Iulia Tanasescu + +[ Upstream commit 168e28305b871d8ec604a8f51f35467b8d7ba05b ] + +This fixes the circular locking dependency warning below, by +releasing the socket lock before enterning iso_listen_bis, to +avoid any potential deadlock with hdev lock. + +[ 75.307983] ====================================================== +[ 75.307984] WARNING: possible circular locking dependency detected +[ 75.307985] 6.12.0-rc6+ #22 Not tainted +[ 75.307987] ------------------------------------------------------ +[ 75.307987] kworker/u81:2/2623 is trying to acquire lock: +[ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO) + at: iso_connect_cfm+0x253/0x840 [bluetooth] +[ 75.308021] + but task is already holding lock: +[ 75.308022] ffff8fdd61a10078 (&hdev->lock) + at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] +[ 75.308053] + which lock already depends on the new lock. + +[ 75.308054] + the existing dependency chain (in reverse order) is: +[ 75.308055] + -> #1 (&hdev->lock){+.+.}-{3:3}: +[ 75.308057] __mutex_lock+0xad/0xc50 +[ 75.308061] mutex_lock_nested+0x1b/0x30 +[ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth] +[ 75.308085] __sys_listen_socket+0x49/0x60 +[ 75.308088] __x64_sys_listen+0x4c/0x90 +[ 75.308090] x64_sys_call+0x2517/0x25f0 +[ 75.308092] do_syscall_64+0x87/0x150 +[ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 75.308098] + -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}: +[ 75.308100] __lock_acquire+0x155e/0x25f0 +[ 75.308103] lock_acquire+0xc9/0x300 +[ 75.308105] lock_sock_nested+0x32/0x90 +[ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth] +[ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth] +[ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth] +[ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth] +[ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth] +[ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth] +[ 75.308254] process_one_work+0x212/0x740 +[ 75.308256] worker_thread+0x1bd/0x3a0 +[ 75.308258] kthread+0xe4/0x120 +[ 75.308259] ret_from_fork+0x44/0x70 +[ 75.308261] ret_from_fork_asm+0x1a/0x30 +[ 75.308263] + other info that might help us debug this: + +[ 75.308264] Possible unsafe locking scenario: + +[ 75.308264] CPU0 CPU1 +[ 75.308265] ---- ---- +[ 75.308265] lock(&hdev->lock); +[ 75.308267] lock(sk_lock- + AF_BLUETOOTH-BTPROTO_ISO); +[ 75.308268] lock(&hdev->lock); +[ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO); +[ 75.308270] + *** DEADLOCK *** + +[ 75.308271] 4 locks held by kworker/u81:2/2623: +[ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0}, + at: process_one_work+0x443/0x740 +[ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)), + at: process_one_work+0x1ce/0x740 +[ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3} + at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth] +[ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2}, + at: hci_connect_cfm+0x29/0x190 [bluetooth] + +Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk") +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 269ce0bb73a1..809e88fd3fcb 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1129,6 +1129,7 @@ static int iso_listen_bis(struct sock *sk) + return -EHOSTUNREACH; + + hci_dev_lock(hdev); ++ lock_sock(sk); + + /* Fail if user set invalid QoS */ + if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) { +@@ -1159,6 +1160,7 @@ static int iso_listen_bis(struct sock *sk) + } + + unlock: ++ release_sock(sk); + hci_dev_unlock(hdev); + hci_dev_put(hdev); + return err; +@@ -1187,6 +1189,7 @@ static int iso_sock_listen(struct socket *sock, int backlog) + + BT_DBG("sk %p backlog %d", sk, backlog); + ++ sock_hold(sk); + lock_sock(sk); + + if (sk->sk_state != BT_BOUND) { +@@ -1199,10 +1202,16 @@ static int iso_sock_listen(struct socket *sock, int backlog) + goto done; + } + +- if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) ++ if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) { + err = iso_listen_cis(sk); +- else ++ } else { ++ /* Drop sock lock to avoid potential ++ * deadlock with the hdev lock. ++ */ ++ release_sock(sk); + err = iso_listen_bis(sk); ++ lock_sock(sk); ++ } + + if (err) + goto done; +@@ -1214,6 +1223,7 @@ static int iso_sock_listen(struct socket *sock, int backlog) + + done: + release_sock(sk); ++ sock_put(sk); + return err; + } + +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-iso-fix-recursive-locking-warning.patch b/queue-6.12/bluetooth-iso-fix-recursive-locking-warning.patch new file mode 100644 index 00000000000..22c4efd2ad2 --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-recursive-locking-warning.patch @@ -0,0 +1,78 @@ +From 3c7954d458199def158e7839ca142070d1d2ecf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:28:49 +0200 +Subject: Bluetooth: iso: Fix recursive locking warning + +From: Iulia Tanasescu + +[ Upstream commit 9bde7c3b3ad0e1f39d6df93dd1c9caf63e19e50f ] + +This updates iso_sock_accept to use nested locking for the parent +socket, to avoid lockdep warnings caused because the parent and +child sockets are locked by the same thread: + +[ 41.585683] ============================================ +[ 41.585688] WARNING: possible recursive locking detected +[ 41.585694] 6.12.0-rc6+ #22 Not tainted +[ 41.585701] -------------------------------------------- +[ 41.585705] iso-tester/3139 is trying to acquire lock: +[ 41.585711] ffff988b29530a58 (sk_lock-AF_BLUETOOTH) + at: bt_accept_dequeue+0xe3/0x280 [bluetooth] +[ 41.585905] + but task is already holding lock: +[ 41.585909] ffff988b29533a58 (sk_lock-AF_BLUETOOTH) + at: iso_sock_accept+0x61/0x2d0 [bluetooth] +[ 41.586064] + other info that might help us debug this: +[ 41.586069] Possible unsafe locking scenario: + +[ 41.586072] CPU0 +[ 41.586076] ---- +[ 41.586079] lock(sk_lock-AF_BLUETOOTH); +[ 41.586086] lock(sk_lock-AF_BLUETOOTH); +[ 41.586093] + *** DEADLOCK *** + +[ 41.586097] May be due to missing lock nesting notation + +[ 41.586101] 1 lock held by iso-tester/3139: +[ 41.586107] #0: ffff988b29533a58 (sk_lock-AF_BLUETOOTH) + at: iso_sock_accept+0x61/0x2d0 [bluetooth] + +Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 34eade4b0587..269ce0bb73a1 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1225,7 +1225,11 @@ static int iso_sock_accept(struct socket *sock, struct socket *newsock, + long timeo; + int err = 0; + +- lock_sock(sk); ++ /* Use explicit nested locking to avoid lockdep warnings generated ++ * because the parent socket and the child socket are locked on the ++ * same thread. ++ */ ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + + timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK); + +@@ -1256,7 +1260,7 @@ static int iso_sock_accept(struct socket *sock, struct socket *newsock, + release_sock(sk); + + timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + } + remove_wait_queue(sk_sleep(sk), &wait); + +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-sco-add-support-for-16-bits-transparent-vo.patch b/queue-6.12/bluetooth-sco-add-support-for-16-bits-transparent-vo.patch new file mode 100644 index 00000000000..988fae1e6b4 --- /dev/null +++ b/queue-6.12/bluetooth-sco-add-support-for-16-bits-transparent-vo.patch @@ -0,0 +1,104 @@ +From 4a5dcf5e76cfa6513c835819f58abd0ed95d07f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:51:59 +0100 +Subject: Bluetooth: SCO: Add support for 16 bits transparent voice setting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frédéric Danis + +[ Upstream commit 29a651451e6c264f58cd9d9a26088e579d17b242 ] + +The voice setting is used by sco_connect() or sco_conn_defer_accept() +after being set by sco_sock_setsockopt(). + +The PCM part of the voice setting is used for offload mode through PCM +chipset port. +This commits add support for mSBC 16 bits offloading, i.e. audio data +not transported over HCI. + +The BCM4349B1 supports 16 bits transparent data on its I2S port. +If BT_VOICE_TRANSPARENT is used when accepting a SCO connection, this +gives only garbage audio while using BT_VOICE_TRANSPARENT_16BIT gives +correct audio. +This has been tested with connection to iPhone 14 and Samsung S24. + +Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option") +Signed-off-by: Frédéric Danis +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/bluetooth.h | 1 + + net/bluetooth/sco.c | 29 +++++++++++++++-------------- + 2 files changed, 16 insertions(+), 14 deletions(-) + +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h +index e6760c11f007..435250c72d56 100644 +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -123,6 +123,7 @@ struct bt_voice { + + #define BT_VOICE_TRANSPARENT 0x0003 + #define BT_VOICE_CVSD_16BIT 0x0060 ++#define BT_VOICE_TRANSPARENT_16BIT 0x0063 + + #define BT_SNDMTU 12 + #define BT_RCVMTU 13 +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 700abb639a55..b872a2ca3ff3 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -267,10 +267,13 @@ static int sco_connect(struct sock *sk) + else + type = SCO_LINK; + +- if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT && +- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) { +- err = -EOPNOTSUPP; +- goto unlock; ++ switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) { ++ case SCO_AIRMODE_TRANSP: ++ if (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)) { ++ err = -EOPNOTSUPP; ++ goto unlock; ++ } ++ break; + } + + hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst, +@@ -877,13 +880,6 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + if (err) + break; + +- /* Explicitly check for these values */ +- if (voice.setting != BT_VOICE_TRANSPARENT && +- voice.setting != BT_VOICE_CVSD_16BIT) { +- err = -EINVAL; +- break; +- } +- + sco_pi(sk)->setting = voice.setting; + hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, + BDADDR_BREDR); +@@ -891,9 +887,14 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, + err = -EBADFD; + break; + } +- if (enhanced_sync_conn_capable(hdev) && +- voice.setting == BT_VOICE_TRANSPARENT) +- sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT; ++ ++ switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) { ++ case SCO_AIRMODE_TRANSP: ++ if (enhanced_sync_conn_capable(hdev)) ++ sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT; ++ break; ++ } ++ + hci_dev_put(hdev); + break; + +-- +2.39.5 + diff --git a/queue-6.12/bnxt_en-fix-aggregation-id-mask-to-prevent-oops-on-5.patch b/queue-6.12/bnxt_en-fix-aggregation-id-mask-to-prevent-oops-on-5.patch new file mode 100644 index 00000000000..b3937ec4cfe --- /dev/null +++ b/queue-6.12/bnxt_en-fix-aggregation-id-mask-to-prevent-oops-on-5.patch @@ -0,0 +1,112 @@ +From f31d6d189118fddd9245a11f506ae0e6e15a594b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 17:54:48 -0800 +Subject: bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips + +From: Michael Chan + +[ Upstream commit 24c6843b7393ebc80962b59d7ae71af91bf0dcc1 ] + +The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of +the previous generation (5750X or P5). However, the aggregation ID +fields in the completion structures on P7 have been redefined from +16 bits to 12 bits. The freed up 4 bits are redefined for part of the +metadata such as the VLAN ID. The aggregation ID mask was not modified +when adding support for P7 chips. Including the extra 4 bits for the +aggregation ID can potentially cause the driver to store or fetch the +packet header of GRO/LRO packets in the wrong TPA buffer. It may hit +the BUG() condition in __skb_pull() because the SKB contains no valid +packet header: + +kernel BUG at include/linux/skbuff.h:2766! +Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI +CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7 +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022 +RIP: 0010:eth_type_trans+0xda/0x140 +Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48 +RSP: 0018:ff615003803fcc28 EFLAGS: 00010283 +RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040 +RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000 +RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001 +R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0 +R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000 +FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? die+0x33/0x90 + ? do_trap+0xd9/0x100 + ? eth_type_trans+0xda/0x140 + ? do_error_trap+0x65/0x80 + ? eth_type_trans+0xda/0x140 + ? exc_invalid_op+0x4e/0x70 + ? eth_type_trans+0xda/0x140 + ? asm_exc_invalid_op+0x16/0x20 + ? eth_type_trans+0xda/0x140 + bnxt_tpa_end+0x10b/0x6b0 [bnxt_en] + ? bnxt_tpa_start+0x195/0x320 [bnxt_en] + bnxt_rx_pkt+0x902/0xd90 [bnxt_en] + ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en] + ? kmem_cache_free+0x343/0x440 + ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en] + __bnxt_poll_work+0x193/0x370 [bnxt_en] + bnxt_poll_p5+0x9a/0x300 [bnxt_en] + ? try_to_wake_up+0x209/0x670 + __napi_poll+0x29/0x1b0 + +Fix it by redefining the aggregation ID mask for P5_PLUS chips to be +12 bits. This will work because the maximum aggregation ID is less +than 4096 on all P5_PLUS chips. + +Fixes: 13d2d3d381ee ("bnxt_en: Add new P7 hardware interface definitions") +Reviewed-by: Damodharam Ammepalli +Reviewed-by: Kalesh AP +Reviewed-by: Andy Gospodarek +Signed-off-by: Michael Chan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241209015448.1937766-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 1d97219369c5..9e05704d9445 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -381,7 +381,7 @@ struct rx_agg_cmp { + u32 rx_agg_cmp_opaque; + __le32 rx_agg_cmp_v; + #define RX_AGG_CMP_V (1 << 0) +- #define RX_AGG_CMP_AGG_ID (0xffff << 16) ++ #define RX_AGG_CMP_AGG_ID (0x0fff << 16) + #define RX_AGG_CMP_AGG_ID_SHIFT 16 + __le32 rx_agg_cmp_unused; + }; +@@ -419,7 +419,7 @@ struct rx_tpa_start_cmp { + #define RX_TPA_START_CMP_V3_RSS_HASH_TYPE_SHIFT 7 + #define RX_TPA_START_CMP_AGG_ID (0x7f << 25) + #define RX_TPA_START_CMP_AGG_ID_SHIFT 25 +- #define RX_TPA_START_CMP_AGG_ID_P5 (0xffff << 16) ++ #define RX_TPA_START_CMP_AGG_ID_P5 (0x0fff << 16) + #define RX_TPA_START_CMP_AGG_ID_SHIFT_P5 16 + #define RX_TPA_START_CMP_METADATA1 (0xf << 28) + #define RX_TPA_START_CMP_METADATA1_SHIFT 28 +@@ -543,7 +543,7 @@ struct rx_tpa_end_cmp { + #define RX_TPA_END_CMP_PAYLOAD_OFFSET_SHIFT 16 + #define RX_TPA_END_CMP_AGG_ID (0x7f << 25) + #define RX_TPA_END_CMP_AGG_ID_SHIFT 25 +- #define RX_TPA_END_CMP_AGG_ID_P5 (0xffff << 16) ++ #define RX_TPA_END_CMP_AGG_ID_P5 (0x0fff << 16) + #define RX_TPA_END_CMP_AGG_ID_SHIFT_P5 16 + + __le32 rx_tpa_end_cmp_tsdelta; +-- +2.39.5 + diff --git a/queue-6.12/bnxt_en-fix-gso-type-for-hw-gro-packets-on-5750x-chi.patch b/queue-6.12/bnxt_en-fix-gso-type-for-hw-gro-packets-on-5750x-chi.patch new file mode 100644 index 00000000000..6d76550b8d9 --- /dev/null +++ b/queue-6.12/bnxt_en-fix-gso-type-for-hw-gro-packets-on-5750x-chi.patch @@ -0,0 +1,92 @@ +From 395800cc25ce77ab841ff275170a661ef2326418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 13:59:17 -0800 +Subject: bnxt_en: Fix GSO type for HW GRO packets on 5750X chips + +From: Michael Chan + +[ Upstream commit de37faf41ac55619dd329229a9bd9698faeabc52 ] + +The existing code is using RSS profile to determine IPV4/IPV6 GSO type +on all chips older than 5760X. This won't work on 5750X chips that may +be using modified RSS profiles. This commit from 2018 has updated the +driver to not use RSS profile for HW GRO packets on newer chips: + +50f011b63d8c ("bnxt_en: Update RSS setup and GRO-HW logic according to the latest spec.") + +However, a recent commit to add support for the newest 5760X chip broke +the logic. If the GRO packet needs to be re-segmented by the stack, the +wrong GSO type will cause the packet to be dropped. + +Fix it to only use RSS profile to determine GSO type on the oldest +5730X/5740X chips which cannot use the new method and is safe to use the +RSS profiles. + +Also fix the L3/L4 hash type for RX packets by not using the RSS +profile for the same reason. Use the ITYPE field in the RX completion +to determine L3/L4 hash types correctly. + +Fixes: a7445d69809f ("bnxt_en: Add support for new RX and TPA_START completion types for P7") +Reviewed-by: Colin Winegarden +Reviewed-by: Somnath Kotur +Reviewed-by: Kalesh AP +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20241204215918.1692597-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 14 ++++++-------- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 +++ + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 3d9ee91e1f8b..dafc5a4039cd 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1518,7 +1518,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, + if (TPA_START_IS_IPV6(tpa_start1)) + tpa_info->gso_type = SKB_GSO_TCPV6; + /* RSS profiles 1 and 3 with extract code 0 for inner 4-tuple */ +- else if (cmp_type == CMP_TYPE_RX_L2_TPA_START_CMP && ++ else if (!BNXT_CHIP_P4_PLUS(bp) && + TPA_START_HASH_TYPE(tpa_start) == 3) + tpa_info->gso_type = SKB_GSO_TCPV6; + tpa_info->rss_hash = +@@ -2212,15 +2212,13 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + if (cmp_type == CMP_TYPE_RX_L2_V3_CMP) { + type = bnxt_rss_ext_op(bp, rxcmp); + } else { +- u32 hash_type = RX_CMP_HASH_TYPE(rxcmp); ++ u32 itypes = RX_CMP_ITYPES(rxcmp); + +- /* RSS profiles 1 and 3 with extract code 0 for inner +- * 4-tuple +- */ +- if (hash_type != 1 && hash_type != 3) +- type = PKT_HASH_TYPE_L3; +- else ++ if (itypes == RX_CMP_FLAGS_ITYPE_TCP || ++ itypes == RX_CMP_FLAGS_ITYPE_UDP) + type = PKT_HASH_TYPE_L4; ++ else ++ type = PKT_HASH_TYPE_L3; + } + skb_set_hash(skb, le32_to_cpu(rxcmp->rx_cmp_rss_hash), type); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 69231e85140b..1d97219369c5 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -267,6 +267,9 @@ struct rx_cmp { + (((le32_to_cpu((rxcmp)->rx_cmp_misc_v1) & RX_CMP_RSS_HASH_TYPE) >>\ + RX_CMP_RSS_HASH_TYPE_SHIFT) & RSS_PROFILE_ID_MASK) + ++#define RX_CMP_ITYPES(rxcmp) \ ++ (le32_to_cpu((rxcmp)->rx_cmp_len_flags_type) & RX_CMP_FLAGS_ITYPES_MASK) ++ + #define RX_CMP_V3_HASH_TYPE_LEGACY(rxcmp) \ + ((le32_to_cpu((rxcmp)->rx_cmp_misc_v1) & RX_CMP_V3_RSS_EXT_OP_LEGACY) >>\ + RX_CMP_V3_RSS_EXT_OP_LEGACY_SHIFT) +-- +2.39.5 + diff --git a/queue-6.12/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch b/queue-6.12/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch new file mode 100644 index 00000000000..ce1352f55e6 --- /dev/null +++ b/queue-6.12/bonding-fix-feature-propagation-of-netif_f_gso_encap.patch @@ -0,0 +1,101 @@ +From ecb7f8d43973d5d35f1e0c7a1ef90f94fbf6b779 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:43 +0100 +Subject: bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL + +From: Daniel Borkmann + +[ Upstream commit 77b11c8bf3a228d1c63464534c2dcc8d9c8bf7ff ] + +Drivers like mlx5 expose NIC's vlan_features such as +NETIF_F_GSO_UDP_TUNNEL & NETIF_F_GSO_UDP_TUNNEL_CSUM which are +later not propagated when the underlying devices are bonded and +a vlan device created on top of the bond. + +Right now, the more cumbersome workaround for this is to create +the vlan on top of the mlx5 and then enslave the vlan devices +to a bond. + +To fix this, add NETIF_F_GSO_ENCAP_ALL to BOND_VLAN_FEATURES +such that bond_compute_features() can probe and propagate the +vlan_features from the slave devices up to the vlan device. + +Given the following bond: + + # ethtool -i enp2s0f{0,1}np{0,1} + driver: mlx5_core + [...] + + # ethtool -k enp2s0f0np0 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: on + rx-udp-gro-forwarding: off + + # ethtool -k enp2s0f1np1 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: on + rx-udp-gro-forwarding: off + + # ethtool -k bond0 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +Before: + + # ethtool -k bond0.100 | grep udp + tx-udp_tnl-segmentation: off [requested on] + tx-udp_tnl-csum-segmentation: off [requested on] + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +After: + + # ethtool -k bond0.100 | grep udp + tx-udp_tnl-segmentation: on + tx-udp_tnl-csum-segmentation: on + tx-udp-segmentation: on + rx-udp_tunnel-port-offload: off [fixed] + rx-udp-gro-forwarding: off + +Various users have run into this reporting performance issues when +configuring Cilium in vxlan tunneling mode and having the combination +of bond & vlan for the core devices connecting the Kubernetes cluster +to the outside world. + +Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-3-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index dfad7b6f9f35..4d73abae503d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1534,6 +1534,7 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + + #define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ ++ NETIF_F_GSO_ENCAP_ALL | \ + NETIF_F_HIGHDMA | NETIF_F_LRO) + + #define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +-- +2.39.5 + diff --git a/queue-6.12/bonding-fix-initial-vlan-mpls-_feature-set-in-bond_c.patch b/queue-6.12/bonding-fix-initial-vlan-mpls-_feature-set-in-bond_c.patch new file mode 100644 index 00000000000..0af67bd909e --- /dev/null +++ b/queue-6.12/bonding-fix-initial-vlan-mpls-_feature-set-in-bond_c.patch @@ -0,0 +1,53 @@ +From bb11905813fc70a80e568e1195b3e672e22674a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:42 +0100 +Subject: bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features + +From: Daniel Borkmann + +[ Upstream commit d064ea7fe2a24938997b5e88e6b61cbb0a4bb906 ] + +If a bonding device has slave devices, then the current logic to derive +the feature set for the master bond device is limited in that flags which +are fully supported by the underlying slave devices cannot be propagated +up to vlan devices which sit on top of bond devices. Instead, these get +blindly masked out via current NETIF_F_ALL_FOR_ALL logic. + +vlan_features and mpls_features should reuse netdev_base_features() in +order derive the set in the same way as ndo_fix_features before iterating +through the slave devices to refine the feature set. + +Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing") +Fixes: 2e770b507ccd ("net: bonding: Inherit MPLS features from slave devices") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-2-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 166910693fd7..dfad7b6f9f35 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1562,8 +1562,9 @@ static void bond_compute_features(struct bonding *bond) + + if (!bond_has_slaves(bond)) + goto done; +- vlan_features &= NETIF_F_ALL_FOR_ALL; +- mpls_features &= NETIF_F_ALL_FOR_ALL; ++ ++ vlan_features = netdev_base_features(vlan_features); ++ mpls_features = netdev_base_features(mpls_features); + + bond_for_each_slave(bond, slave, iter) { + vlan_features = netdev_increment_features(vlan_features, +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-rmdir-failure-due-to-ongoing-i-o-on-deleted.patch b/queue-6.12/cifs-fix-rmdir-failure-due-to-ongoing-i-o-on-deleted.patch new file mode 100644 index 00000000000..84218dbc4ba --- /dev/null +++ b/queue-6.12/cifs-fix-rmdir-failure-due-to-ongoing-i-o-on-deleted.patch @@ -0,0 +1,70 @@ +From 5b830ec5229762b4d7ff782b009aff28ad97fc16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:06:32 +0000 +Subject: cifs: Fix rmdir failure due to ongoing I/O on deleted file + +From: David Howells + +[ Upstream commit bb57c81e97e0082abfb0406ed6f67c615c3d206c ] + +The cifs_io_request struct (a wrapper around netfs_io_request) holds open +the file on the server, even beyond the local Linux file being closed. +This can cause problems with Windows-based filesystems as the file's name +still exists after deletion until the file is closed, preventing the parent +directory from being removed and causing spurious test failures in xfstests +due to inability to remove a directory. The symptom looks something like +this in the test output: + + rm: cannot remove '/mnt/scratch/test/p0/d3': Directory not empty + rm: cannot remove '/mnt/scratch/test/p1/dc/dae': Directory not empty + +Fix this by waiting in unlink and rename for any outstanding I/O requests +to be completed on the target file before removing that file. + +Note that this doesn't prevent Linux from trying to start new requests +after deletion if it still has the file open locally - something that's +perfectly acceptable on a UNIX system. + +Note also that whilst I've marked this as fixing the commit to make cifs +use netfslib, I don't know that it won't occur before that. + +Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib") +Signed-off-by: David Howells +Acked-by: Paulo Alcantara (Red Hat) +cc: Jeff Layton +cc: linux-cifs@vger.kernel.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index b35fe1075503..fafc07e38663 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1925,6 +1925,7 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + goto unlink_out; + } + ++ netfs_wait_for_outstanding_io(inode); + cifs_close_deferred_file_under_dentry(tcon, full_path); + #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY + if (cap_unix(tcon->ses) && (CIFS_UNIX_POSIX_PATH_OPS_CAP & +@@ -2442,8 +2443,10 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + } + + cifs_close_deferred_file_under_dentry(tcon, from_name); +- if (d_inode(target_dentry) != NULL) ++ if (d_inode(target_dentry) != NULL) { ++ netfs_wait_for_outstanding_io(d_inode(target_dentry)); + cifs_close_deferred_file_under_dentry(tcon, to_name); ++ } + + rc = cifs_do_rename(xid, source_dentry, from_name, target_dentry, + to_name); +-- +2.39.5 + diff --git a/queue-6.12/cxgb4-use-port-number-to-set-mac-addr.patch b/queue-6.12/cxgb4-use-port-number-to-set-mac-addr.patch new file mode 100644 index 00000000000..e7dffab232f --- /dev/null +++ b/queue-6.12/cxgb4-use-port-number-to-set-mac-addr.patch @@ -0,0 +1,83 @@ +From 6413098cd5bded5be14c1f28311fd831f44a7293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:50:14 +0530 +Subject: cxgb4: use port number to set mac addr + +From: Anumula Murali Mohan Reddy + +[ Upstream commit 356983f569c1f5991661fc0050aa263792f50616 ] + +t4_set_vf_mac_acl() uses pf to set mac addr, but t4vf_get_vf_mac_acl() +uses port number to get mac addr, this leads to error when an attempt +to set MAC address on VF's of PF2 and PF3. +This patch fixes the issue by using port number to set mac address. + +Fixes: e0cdac65ba26 ("cxgb4vf: configure ports accessible by the VF") +Signed-off-by: Anumula Murali Mohan Reddy +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241206062014.49414-1-anumula@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 2 +- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 5 +++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +index bbf7641a0fc7..7e13cd69f68a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h +@@ -2077,7 +2077,7 @@ void t4_idma_monitor(struct adapter *adapter, + struct sge_idma_monitor_state *idma, + int hz, int ticks); + int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, +- unsigned int naddr, u8 *addr); ++ u8 start, unsigned int naddr, u8 *addr); + void t4_tp_pio_read(struct adapter *adap, u32 *buff, u32 nregs, + u32 start_index, bool sleep_ok); + void t4_tp_tm_pio_read(struct adapter *adap, u32 *buff, u32 nregs, +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 2418645c8823..fb3933fbb842 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -3246,7 +3246,7 @@ static int cxgb4_mgmt_set_vf_mac(struct net_device *dev, int vf, u8 *mac) + + dev_info(pi->adapter->pdev_dev, + "Setting MAC %pM on VF %d\n", mac, vf); +- ret = t4_set_vf_mac_acl(adap, vf + 1, 1, mac); ++ ret = t4_set_vf_mac_acl(adap, vf + 1, pi->lport, 1, mac); + if (!ret) + ether_addr_copy(adap->vfinfo[vf].vf_mac_addr, mac); + return ret; +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 76de55306c4d..175bf9b13058 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -10215,11 +10215,12 @@ int t4_load_cfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) + * t4_set_vf_mac_acl - Set MAC address for the specified VF + * @adapter: The adapter + * @vf: one of the VFs instantiated by the specified PF ++ * @start: The start port id associated with specified VF + * @naddr: the number of MAC addresses + * @addr: the MAC address(es) to be set to the specified VF + */ + int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, +- unsigned int naddr, u8 *addr) ++ u8 start, unsigned int naddr, u8 *addr) + { + struct fw_acl_mac_cmd cmd; + +@@ -10234,7 +10235,7 @@ int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf, + cmd.en_to_len16 = cpu_to_be32((unsigned int)FW_LEN16(cmd)); + cmd.nmac = naddr; + +- switch (adapter->pf) { ++ switch (start) { + case 3: + memcpy(cmd.macaddr3, addr, sizeof(cmd.macaddr3)); + break; +-- +2.39.5 + diff --git a/queue-6.12/documentation-networking-add-a-caveat-to-nexthop_com.patch b/queue-6.12/documentation-networking-add-a-caveat-to-nexthop_com.patch new file mode 100644 index 00000000000..2209427cf32 --- /dev/null +++ b/queue-6.12/documentation-networking-add-a-caveat-to-nexthop_com.patch @@ -0,0 +1,50 @@ +From 196deb085965fb01abbb928181eff567bcabba81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 12:05:31 +0100 +Subject: Documentation: networking: Add a caveat to nexthop_compat_mode sysctl + +From: Petr Machata + +[ Upstream commit bbe4b41259a3e255a16d795486d331c1670b4e75 ] + +net.ipv4.nexthop_compat_mode was added when nexthop objects were added to +provide the view of nexthop objects through the usual lens of the route +UAPI. As nexthop objects evolved, the information provided through this +lens became incomplete. For example, details of resilient nexthop groups +are obviously omitted. + +Now that 16-bit nexthop group weights are a thing, the 8-bit UAPI cannot +convey the >8-bit weight accurately. Instead of inventing workarounds for +an obsolete interface, just document the expectations of inaccuracy. + +Fixes: b72a6a7ab957 ("net: nexthop: Increase weight to u16") +Signed-off-by: Petr Machata +Reviewed-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/b575e32399ccacd09079b2a218255164535123bd.1733740749.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.rst | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst +index eacf8983e230..dcbb6f6caf6d 100644 +--- a/Documentation/networking/ip-sysctl.rst ++++ b/Documentation/networking/ip-sysctl.rst +@@ -2170,6 +2170,12 @@ nexthop_compat_mode - BOOLEAN + understands the new API, this sysctl can be disabled to achieve full + performance benefits of the new API by disabling the nexthop expansion + and extraneous notifications. ++ ++ Note that as a backward-compatible mode, dumping of modern features ++ might be incomplete or wrong. For example, resilient groups will not be ++ shown as such, but rather as just a list of next hops. Also weights that ++ do not fit into 8 bits will show incorrectly. ++ + Default: true (backward compat mode) + + fib_notify_on_flag_change - INTEGER +-- +2.39.5 + diff --git a/queue-6.12/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch b/queue-6.12/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch new file mode 100644 index 00000000000..60d6f3852b9 --- /dev/null +++ b/queue-6.12/documentation-pm-clarify-pm_runtime_resume_and_get-r.patch @@ -0,0 +1,42 @@ +From 3796fe96f7c390533571da99332754f0e4fef91f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 14:37:29 +0000 +Subject: Documentation: PM: Clarify pm_runtime_resume_and_get() return value + +From: Paul Barker + +[ Upstream commit ccb84dc8f4a02e7d30ffd388522996546b4d00e1 ] + +Update the documentation to match the behaviour of the code. + +pm_runtime_resume_and_get() always returns 0 on success, even if +__pm_runtime_resume() returns 1. + +Fixes: 2c412337cfe6 ("PM: runtime: Add documentation for pm_runtime_resume_and_get()") +Signed-off-by: Paul Barker +Link: https://patch.msgid.link/20241203143729.478-1-paul.barker.ct@bp.renesas.com +[ rjw: Subject and changelog edits, adjusted new comment formatting ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + Documentation/power/runtime_pm.rst | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Documentation/power/runtime_pm.rst b/Documentation/power/runtime_pm.rst +index 53d1996460ab..12f429359a82 100644 +--- a/Documentation/power/runtime_pm.rst ++++ b/Documentation/power/runtime_pm.rst +@@ -347,7 +347,9 @@ drivers/base/power/runtime.c and include/linux/pm_runtime.h: + + `int pm_runtime_resume_and_get(struct device *dev);` + - run pm_runtime_resume(dev) and if successful, increment the device's +- usage counter; return the result of pm_runtime_resume ++ usage counter; returns 0 on success (whether or not the device's ++ runtime PM status was already 'active') or the error code from ++ pm_runtime_resume() on failure. + + `int pm_request_idle(struct device *dev);` + - submit a request to execute the subsystem-level idle callback for the +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-fix-the-err_ptr-returned-on-failure-to-alloca.patch b/queue-6.12/drm-xe-fix-the-err_ptr-returned-on-failure-to-alloca.patch new file mode 100644 index 00000000000..b7fc19be248 --- /dev/null +++ b/queue-6.12/drm-xe-fix-the-err_ptr-returned-on-failure-to-alloca.patch @@ -0,0 +1,73 @@ +From 62695e172bf8557a25888a38fe770a70b08e6fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 22:20:58 +0100 +Subject: drm/xe: fix the ERR_PTR() returned on failure to allocate tiny pt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Todorovac + +[ Upstream commit ed69b28b3a5e39871ba5599992f80562d6ee59db ] + +Running coccinelle spatch gave the following warning: + +./drivers/gpu/drm/xe/tests/xe_migrate.c:226:5-11: inconsistent IS_ERR +and PTR_ERR on line 228. + +The code reports PTR_ERR(pt) when IS_ERR(tiny) is checked: + +→ 211 pt = xe_bo_create_pin_map(xe, tile, m->q->vm, XE_PAGE_SIZE, + 212 ttm_bo_type_kernel, + 213 XE_BO_FLAG_VRAM_IF_DGFX(tile) | + 214 XE_BO_FLAG_PINNED); + 215 if (IS_ERR(pt)) { + 216 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n", + 217 PTR_ERR(pt)); + 218 goto free_big; + 219 } + 220 + 221 tiny = xe_bo_create_pin_map(xe, tile, m->q->vm, +→ 222 2 * SZ_4K, + 223 ttm_bo_type_kernel, + 224 XE_BO_FLAG_VRAM_IF_DGFX(tile) | + 225 XE_BO_FLAG_PINNED); +→ 226 if (IS_ERR(tiny)) { +→ 227 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n", +→ 228 PTR_ERR(pt)); + 229 goto free_pt; + 230 } + +Now, the IS_ERR(tiny) and the corresponding PTR_ERR(pt) do not match. + +Returning PTR_ERR(tiny), as the last failed function call, seems logical. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Mirsad Todorovac +Link: https://patchwork.freedesktop.org/patch/msgid/20241121212057.1526634-2-mtodorovac69@gmail.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit cb57c75098c1c449a007ba301f9073f96febaaa9) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/tests/xe_migrate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/tests/xe_migrate.c b/drivers/gpu/drm/xe/tests/xe_migrate.c +index 1a192a2a941b..3bbdb362d6f0 100644 +--- a/drivers/gpu/drm/xe/tests/xe_migrate.c ++++ b/drivers/gpu/drm/xe/tests/xe_migrate.c +@@ -224,8 +224,8 @@ static void xe_migrate_sanity_test(struct xe_migrate *m, struct kunit *test) + XE_BO_FLAG_VRAM_IF_DGFX(tile) | + XE_BO_FLAG_PINNED); + if (IS_ERR(tiny)) { +- KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n", +- PTR_ERR(pt)); ++ KUNIT_FAIL(test, "Failed to allocate tiny fake pt: %li\n", ++ PTR_ERR(tiny)); + goto free_pt; + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-reg_sr-remove-register-pool.patch b/queue-6.12/drm-xe-reg_sr-remove-register-pool.patch new file mode 100644 index 00000000000..0a91922db87 --- /dev/null +++ b/queue-6.12/drm-xe-reg_sr-remove-register-pool.patch @@ -0,0 +1,127 @@ +From 6689bda24aaaed732c142158cb9e5d9446848805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 15:27:35 -0800 +Subject: drm/xe/reg_sr: Remove register pool +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas De Marchi + +[ Upstream commit d7b028656c29b22fcde1c6ee1df5b28fbba987b5 ] + +That pool implementation doesn't really work: if the krealloc happens to +move the memory and return another address, the entries in the xarray +become invalid, leading to use-after-free later: + + BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe] + Read of size 4 at addr ffff8881244b2590 by task modprobe/2753 + + Allocated by task 2753: + kasan_save_stack+0x39/0x70 + kasan_save_track+0x14/0x40 + kasan_save_alloc_info+0x37/0x60 + __kasan_kmalloc+0xc3/0xd0 + __kmalloc_node_track_caller_noprof+0x200/0x6d0 + krealloc_noprof+0x229/0x380 + +Simplify the code to fix the bug. A better pooling strategy may be added +back later if needed. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Reviewed-by: Matt Roper +Link: https://patchwork.freedesktop.org/patch/msgid/20241209232739.147417-2-lucas.demarchi@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_reg_sr.c | 31 ++++++---------------------- + drivers/gpu/drm/xe/xe_reg_sr_types.h | 6 ------ + 2 files changed, 6 insertions(+), 31 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_reg_sr.c b/drivers/gpu/drm/xe/xe_reg_sr.c +index 440ac572f6e5..52969c090965 100644 +--- a/drivers/gpu/drm/xe/xe_reg_sr.c ++++ b/drivers/gpu/drm/xe/xe_reg_sr.c +@@ -26,46 +26,27 @@ + #include "xe_reg_whitelist.h" + #include "xe_rtp_types.h" + +-#define XE_REG_SR_GROW_STEP_DEFAULT 16 +- + static void reg_sr_fini(struct drm_device *drm, void *arg) + { + struct xe_reg_sr *sr = arg; ++ struct xe_reg_sr_entry *entry; ++ unsigned long reg; ++ ++ xa_for_each(&sr->xa, reg, entry) ++ kfree(entry); + + xa_destroy(&sr->xa); +- kfree(sr->pool.arr); +- memset(&sr->pool, 0, sizeof(sr->pool)); + } + + int xe_reg_sr_init(struct xe_reg_sr *sr, const char *name, struct xe_device *xe) + { + xa_init(&sr->xa); +- memset(&sr->pool, 0, sizeof(sr->pool)); +- sr->pool.grow_step = XE_REG_SR_GROW_STEP_DEFAULT; + sr->name = name; + + return drmm_add_action_or_reset(&xe->drm, reg_sr_fini, sr); + } + EXPORT_SYMBOL_IF_KUNIT(xe_reg_sr_init); + +-static struct xe_reg_sr_entry *alloc_entry(struct xe_reg_sr *sr) +-{ +- if (sr->pool.used == sr->pool.allocated) { +- struct xe_reg_sr_entry *arr; +- +- arr = krealloc_array(sr->pool.arr, +- ALIGN(sr->pool.allocated + 1, sr->pool.grow_step), +- sizeof(*arr), GFP_KERNEL); +- if (!arr) +- return NULL; +- +- sr->pool.arr = arr; +- sr->pool.allocated += sr->pool.grow_step; +- } +- +- return &sr->pool.arr[sr->pool.used++]; +-} +- + static bool compatible_entries(const struct xe_reg_sr_entry *e1, + const struct xe_reg_sr_entry *e2) + { +@@ -111,7 +92,7 @@ int xe_reg_sr_add(struct xe_reg_sr *sr, + return 0; + } + +- pentry = alloc_entry(sr); ++ pentry = kmalloc(sizeof(*pentry), GFP_KERNEL); + if (!pentry) { + ret = -ENOMEM; + goto fail; +diff --git a/drivers/gpu/drm/xe/xe_reg_sr_types.h b/drivers/gpu/drm/xe/xe_reg_sr_types.h +index ad48a52b824a..ebe11f237fa2 100644 +--- a/drivers/gpu/drm/xe/xe_reg_sr_types.h ++++ b/drivers/gpu/drm/xe/xe_reg_sr_types.h +@@ -20,12 +20,6 @@ struct xe_reg_sr_entry { + }; + + struct xe_reg_sr { +- struct { +- struct xe_reg_sr_entry *arr; +- unsigned int used; +- unsigned int allocated; +- unsigned int grow_step; +- } pool; + struct xarray xa; + const char *name; + +-- +2.39.5 + diff --git a/queue-6.12/gpio-idio-16-actually-make-use-of-the-gpio_idio_16-s.patch b/queue-6.12/gpio-idio-16-actually-make-use-of-the-gpio_idio_16-s.patch new file mode 100644 index 00000000000..adbe730b770 --- /dev/null +++ b/queue-6.12/gpio-idio-16-actually-make-use-of-the-gpio_idio_16-s.patch @@ -0,0 +1,51 @@ +From 8845b746c447c715080e448d62aeed25f73fb205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:26:30 +0100 +Subject: gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 9ac4b58fcef0f9fc03fa6e126a5f53c1c71ada8a ] + +DEFAULT_SYMBOL_NAMESPACE must already be defined when +is included. So move the define above the include block. + +Fixes: b9b1fc1ae119 ("gpio: idio-16: Introduce the ACCES IDIO-16 GPIO library module") +Signed-off-by: Uwe Kleine-König +Acked-by: William Breathitt Gray +Link: https://lore.kernel.org/r/20241203172631.1647792-2-u.kleine-koenig@baylibre.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-idio-16.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-idio-16.c b/drivers/gpio/gpio-idio-16.c +index 2c9512589297..0103be977c66 100644 +--- a/drivers/gpio/gpio-idio-16.c ++++ b/drivers/gpio/gpio-idio-16.c +@@ -3,6 +3,9 @@ + * GPIO library for the ACCES IDIO-16 family + * Copyright (C) 2022 William Breathitt Gray + */ ++ ++#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16" ++ + #include + #include + #include +@@ -14,8 +17,6 @@ + + #include "gpio-idio-16.h" + +-#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16" +- + #define IDIO_16_DAT_BASE 0x0 + #define IDIO_16_OUT_BASE IDIO_16_DAT_BASE + #define IDIO_16_IN_BASE (IDIO_16_DAT_BASE + 1) +-- +2.39.5 + diff --git a/queue-6.12/kselftest-arm64-abi-fix-svcr-detection.patch b/queue-6.12/kselftest-arm64-abi-fix-svcr-detection.patch new file mode 100644 index 00000000000..ce8dddac870 --- /dev/null +++ b/queue-6.12/kselftest-arm64-abi-fix-svcr-detection.patch @@ -0,0 +1,130 @@ +From ca8b0c4640e5fac7c06164b0494493bf64c60c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 19:16:39 +0800 +Subject: kselftest/arm64: abi: fix SVCR detection + +From: Weizhao Ouyang + +[ Upstream commit ce03573a1917532da06057da9f8e74a2ee9e2ac9 ] + +When using svcr_in to check ZA and Streaming Mode, we should make sure +that the value in x2 is correct, otherwise it may trigger an Illegal +instruction if FEAT_SVE and !FEAT_SME. + +Fixes: 43e3f85523e4 ("kselftest/arm64: Add SME support to syscall ABI test") +Signed-off-by: Weizhao Ouyang +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20241211111639.12344-1-o451686892@gmail.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + .../selftests/arm64/abi/syscall-abi-asm.S | 32 +++++++++---------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +diff --git a/tools/testing/selftests/arm64/abi/syscall-abi-asm.S b/tools/testing/selftests/arm64/abi/syscall-abi-asm.S +index df3230fdac39..66ab2e0bae5f 100644 +--- a/tools/testing/selftests/arm64/abi/syscall-abi-asm.S ++++ b/tools/testing/selftests/arm64/abi/syscall-abi-asm.S +@@ -81,32 +81,31 @@ do_syscall: + stp x27, x28, [sp, #96] + + // Set SVCR if we're doing SME +- cbz x1, 1f ++ cbz x1, load_gpr + adrp x2, svcr_in + ldr x2, [x2, :lo12:svcr_in] + msr S3_3_C4_C2_2, x2 +-1: + + // Load ZA and ZT0 if enabled - uses x12 as scratch due to SME LDR +- tbz x2, #SVCR_ZA_SHIFT, 1f ++ tbz x2, #SVCR_ZA_SHIFT, load_gpr + mov w12, #0 + ldr x2, =za_in +-2: _ldr_za 12, 2 ++1: _ldr_za 12, 2 + add x2, x2, x1 + add x12, x12, #1 + cmp x1, x12 +- bne 2b ++ bne 1b + + // ZT0 + mrs x2, S3_0_C0_C4_5 // ID_AA64SMFR0_EL1 + ubfx x2, x2, #ID_AA64SMFR0_EL1_SMEver_SHIFT, \ + #ID_AA64SMFR0_EL1_SMEver_WIDTH +- cbz x2, 1f ++ cbz x2, load_gpr + adrp x2, zt_in + add x2, x2, :lo12:zt_in + _ldr_zt 2 +-1: + ++load_gpr: + // Load GPRs x8-x28, and save our SP/FP for later comparison + ldr x2, =gpr_in + add x2, x2, #64 +@@ -125,9 +124,9 @@ do_syscall: + str x30, [x2], #8 // LR + + // Load FPRs if we're not doing neither SVE nor streaming SVE +- cbnz x0, 1f ++ cbnz x0, check_sve_in + ldr x2, =svcr_in +- tbnz x2, #SVCR_SM_SHIFT, 1f ++ tbnz x2, #SVCR_SM_SHIFT, check_sve_in + + ldr x2, =fpr_in + ldp q0, q1, [x2] +@@ -148,8 +147,8 @@ do_syscall: + ldp q30, q31, [x2, #16 * 30] + + b 2f +-1: + ++check_sve_in: + // Load the SVE registers if we're doing SVE/SME + + ldr x2, =z_in +@@ -256,32 +255,31 @@ do_syscall: + stp q30, q31, [x2, #16 * 30] + + // Save SVCR if we're doing SME +- cbz x1, 1f ++ cbz x1, check_sve_out + mrs x2, S3_3_C4_C2_2 + adrp x3, svcr_out + str x2, [x3, :lo12:svcr_out] +-1: + + // Save ZA if it's enabled - uses x12 as scratch due to SME STR +- tbz x2, #SVCR_ZA_SHIFT, 1f ++ tbz x2, #SVCR_ZA_SHIFT, check_sve_out + mov w12, #0 + ldr x2, =za_out +-2: _str_za 12, 2 ++1: _str_za 12, 2 + add x2, x2, x1 + add x12, x12, #1 + cmp x1, x12 +- bne 2b ++ bne 1b + + // ZT0 + mrs x2, S3_0_C0_C4_5 // ID_AA64SMFR0_EL1 + ubfx x2, x2, #ID_AA64SMFR0_EL1_SMEver_SHIFT, \ + #ID_AA64SMFR0_EL1_SMEver_WIDTH +- cbz x2, 1f ++ cbz x2, check_sve_out + adrp x2, zt_out + add x2, x2, :lo12:zt_out + _str_zt 2 +-1: + ++check_sve_out: + // Save the SVE state if we have some + cbz x0, 1f + +-- +2.39.5 + diff --git a/queue-6.12/libperf-evlist-fix-cpu-argument-on-hybrid-platform.patch b/queue-6.12/libperf-evlist-fix-cpu-argument-on-hybrid-platform.patch new file mode 100644 index 00000000000..50bddad7ee2 --- /dev/null +++ b/queue-6.12/libperf-evlist-fix-cpu-argument-on-hybrid-platform.patch @@ -0,0 +1,93 @@ +From 40c52ebd18634bc2ff9e25c558ef7a8bfdbabc35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 16:04:48 +0000 +Subject: libperf: evlist: Fix --cpu argument on hybrid platform + +From: James Clark + +[ Upstream commit f7e36d02d771ee14acae1482091718460cffb321 ] + +Since the linked fixes: commit, specifying a CPU on hybrid platforms +results in an error because Perf tries to open an extended type event +on "any" CPU which isn't valid. Extended type events can only be opened +on CPUs that match the type. + +Before (working): + + $ perf record --cpu 1 -- true + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 2.385 MB perf.data (7 samples) ] + +After (not working): + + $ perf record -C 1 -- true + WARNING: A requested CPU in '1' is not supported by PMU 'cpu_atom' (CPUs 16-27) for event 'cycles:P' + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (cpu_atom/cycles:P/). + /bin/dmesg | grep -i perf may provide additional information. + +(Ignore the warning message, that's expected and not particularly +relevant to this issue). + +This is because perf_cpu_map__intersect() of the user specified CPU (1) +and one of the PMU's CPUs (16-27) correctly results in an empty (NULL) +CPU map. However for the purposes of opening an event, libperf converts +empty CPU maps into an any CPU (-1) which the kernel rejects. + +Fix it by deleting evsels with empty CPU maps in the specific case where +user requested CPU maps are evaluated. + +Fixes: 251aa040244a ("perf parse-events: Wildcard most "numeric" events") +Reviewed-by: Ian Rogers +Tested-by: Thomas Falcon +Signed-off-by: James Clark +Tested-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20241114160450.295844-2-james.clark@linaro.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/lib/perf/evlist.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c +index c6d67fc9e57e..83c43dc13313 100644 +--- a/tools/lib/perf/evlist.c ++++ b/tools/lib/perf/evlist.c +@@ -47,6 +47,20 @@ static void __perf_evlist__propagate_maps(struct perf_evlist *evlist, + */ + perf_cpu_map__put(evsel->cpus); + evsel->cpus = perf_cpu_map__intersect(evlist->user_requested_cpus, evsel->own_cpus); ++ ++ /* ++ * Empty cpu lists would eventually get opened as "any" so remove ++ * genuinely empty ones before they're opened in the wrong place. ++ */ ++ if (perf_cpu_map__is_empty(evsel->cpus)) { ++ struct perf_evsel *next = perf_evlist__next(evlist, evsel); ++ ++ perf_evlist__remove(evlist, evsel); ++ /* Keep idx contiguous */ ++ if (next) ++ list_for_each_entry_from(next, &evlist->entries, node) ++ next->idx--; ++ } + } else if (!evsel->own_cpus || evlist->has_user_cpus || + (!evsel->requires_cpu && perf_cpu_map__has_any_cpu(evlist->user_requested_cpus))) { + /* +@@ -80,11 +94,11 @@ static void __perf_evlist__propagate_maps(struct perf_evlist *evlist, + + static void perf_evlist__propagate_maps(struct perf_evlist *evlist) + { +- struct perf_evsel *evsel; ++ struct perf_evsel *evsel, *n; + + evlist->needs_map_propagation = true; + +- perf_evlist__for_each_evsel(evlist, evsel) ++ list_for_each_entry_safe(evsel, n, &evlist->entries, node) + __perf_evlist__propagate_maps(evlist, evsel); + } + +-- +2.39.5 + diff --git a/queue-6.12/module-convert-default-symbol-namespace-to-string-li.patch b/queue-6.12/module-convert-default-symbol-namespace-to-string-li.patch new file mode 100644 index 00000000000..bf10a561722 --- /dev/null +++ b/queue-6.12/module-convert-default-symbol-namespace-to-string-li.patch @@ -0,0 +1,305 @@ +From af461b6079e6df3b95b6b1f568d9680fcdcafa71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 19:21:07 +0900 +Subject: module: Convert default symbol namespace to string literal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masahiro Yamada + +[ Upstream commit ceb8bf2ceaa77fe222fe8fe32cb7789c9099ddf1 ] + +Commit cdd30ebb1b9f ("module: Convert symbol namespace to string +literal") only converted MODULE_IMPORT_NS() and EXPORT_SYMBOL_NS(), +leaving DEFAULT_SYMBOL_NAMESPACE as a macro expansion. + +This commit converts DEFAULT_SYMBOL_NAMESPACE in the same way to avoid +annoyance for the default namespace as well. + +Signed-off-by: Masahiro Yamada +Reviewed-by: Uwe Kleine-König +Signed-off-by: Linus Torvalds +Stable-dep-of: 9ac4b58fcef0 ("gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace") +Signed-off-by: Sasha Levin +--- + Documentation/core-api/symbol-namespaces.rst | 4 ++-- + .../translations/it_IT/core-api/symbol-namespaces.rst | 4 ++-- + .../translations/zh_CN/core-api/symbol-namespaces.rst | 4 ++-- + drivers/cdx/Makefile | 2 +- + drivers/crypto/intel/iaa/Makefile | 2 +- + drivers/crypto/intel/qat/qat_common/Makefile | 2 +- + drivers/dma/idxd/Makefile | 2 +- + drivers/gpio/gpio-idio-16.c | 2 +- + drivers/hwmon/nct6775-core.c | 2 +- + drivers/i2c/busses/i2c-designware-common.c | 2 +- + drivers/i2c/busses/i2c-designware-master.c | 2 +- + drivers/i2c/busses/i2c-designware-slave.c | 2 +- + drivers/pwm/core.c | 2 +- + drivers/pwm/pwm-dwc-core.c | 2 +- + drivers/pwm/pwm-lpss.c | 2 +- + drivers/tty/serial/sc16is7xx.c | 2 +- + drivers/usb/storage/Makefile | 2 +- + include/linux/export.h | 2 +- + 18 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst +index 12e4aecdae94..d1154eb43810 100644 +--- a/Documentation/core-api/symbol-namespaces.rst ++++ b/Documentation/core-api/symbol-namespaces.rst +@@ -68,7 +68,7 @@ is to define the default namespace in the ``Makefile`` of the subsystem. E.g. to + export all symbols defined in usb-common into the namespace USB_COMMON, add a + line like this to drivers/usb/common/Makefile:: + +- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON ++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"' + + That will affect all EXPORT_SYMBOL() and EXPORT_SYMBOL_GPL() statements. A + symbol exported with EXPORT_SYMBOL_NS() while this definition is present, will +@@ -79,7 +79,7 @@ A second option to define the default namespace is directly in the compilation + unit as preprocessor statement. The above example would then read:: + + #undef DEFAULT_SYMBOL_NAMESPACE +- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON ++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON" + + within the corresponding compilation unit before any EXPORT_SYMBOL macro is + used. +diff --git a/Documentation/translations/it_IT/core-api/symbol-namespaces.rst b/Documentation/translations/it_IT/core-api/symbol-namespaces.rst +index 17abc25ee4c1..6657f82c0101 100644 +--- a/Documentation/translations/it_IT/core-api/symbol-namespaces.rst ++++ b/Documentation/translations/it_IT/core-api/symbol-namespaces.rst +@@ -69,7 +69,7 @@ Per esempio per esportare tutti i simboli definiti in usb-common nello spazio + dei nomi USB_COMMON, si può aggiungere la seguente linea in + drivers/usb/common/Makefile:: + +- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON ++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"' + + Questo cambierà tutte le macro EXPORT_SYMBOL() ed EXPORT_SYMBOL_GPL(). Invece, + un simbolo esportato con EXPORT_SYMBOL_NS() non verrà cambiato e il simbolo +@@ -79,7 +79,7 @@ Una seconda possibilità è quella di definire il simbolo di preprocessore + direttamente nei file da compilare. L'esempio precedente diventerebbe:: + + #undef DEFAULT_SYMBOL_NAMESPACE +- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON ++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON" + + Questo va messo prima di un qualsiasi uso di EXPORT_SYMBOL. + +diff --git a/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst b/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst +index bb16f0611046..f3e73834f7d7 100644 +--- a/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst ++++ b/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst +@@ -66,7 +66,7 @@ + 子系统的 ``Makefile`` 中定义默认命名空间。例如,如果要将usb-common中定义的所有符号导 + 出到USB_COMMON命名空间,可以在drivers/usb/common/Makefile中添加这样一行:: + +- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON ++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"' + + 这将影响所有 EXPORT_SYMBOL() 和 EXPORT_SYMBOL_GPL() 语句。当这个定义存在时, + 用EXPORT_SYMBOL_NS()导出的符号仍然会被导出到作为命名空间参数传递的命名空间中, +@@ -76,7 +76,7 @@ + 成:: + + #undef DEFAULT_SYMBOL_NAMESPACE +- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON ++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON" + + 应置于相关编译单元中任何 EXPORT_SYMBOL 宏之前 + +diff --git a/drivers/cdx/Makefile b/drivers/cdx/Makefile +index 749a3295c2bd..3ca7068a3052 100644 +--- a/drivers/cdx/Makefile ++++ b/drivers/cdx/Makefile +@@ -5,7 +5,7 @@ + # Copyright (C) 2022-2023, Advanced Micro Devices, Inc. + # + +-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=CDX_BUS ++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"CDX_BUS"' + + obj-$(CONFIG_CDX_BUS) += cdx.o controller/ + +diff --git a/drivers/crypto/intel/iaa/Makefile b/drivers/crypto/intel/iaa/Makefile +index b64b208d2344..55bda7770fac 100644 +--- a/drivers/crypto/intel/iaa/Makefile ++++ b/drivers/crypto/intel/iaa/Makefile +@@ -3,7 +3,7 @@ + # Makefile for IAA crypto device drivers + # + +-ccflags-y += -I $(srctree)/drivers/dma/idxd -DDEFAULT_SYMBOL_NAMESPACE=IDXD ++ccflags-y += -I $(srctree)/drivers/dma/idxd -DDEFAULT_SYMBOL_NAMESPACE='"IDXD"' + + obj-$(CONFIG_CRYPTO_DEV_IAA_CRYPTO) := iaa_crypto.o + +diff --git a/drivers/crypto/intel/qat/qat_common/Makefile b/drivers/crypto/intel/qat/qat_common/Makefile +index eac73cbfdd38..7acf9c576149 100644 +--- a/drivers/crypto/intel/qat/qat_common/Makefile ++++ b/drivers/crypto/intel/qat/qat_common/Makefile +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_CRYPTO_DEV_QAT) += intel_qat.o +-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=CRYPTO_QAT ++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"CRYPTO_QAT"' + intel_qat-objs := adf_cfg.o \ + adf_isr.o \ + adf_ctl_drv.o \ +diff --git a/drivers/dma/idxd/Makefile b/drivers/dma/idxd/Makefile +index 2b4a0d406e1e..9ff9d7b87b64 100644 +--- a/drivers/dma/idxd/Makefile ++++ b/drivers/dma/idxd/Makefile +@@ -1,4 +1,4 @@ +-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=IDXD ++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"IDXD"' + + obj-$(CONFIG_INTEL_IDXD_BUS) += idxd_bus.o + idxd_bus-y := bus.o +diff --git a/drivers/gpio/gpio-idio-16.c b/drivers/gpio/gpio-idio-16.c +index 53b1eb876a12..2c9512589297 100644 +--- a/drivers/gpio/gpio-idio-16.c ++++ b/drivers/gpio/gpio-idio-16.c +@@ -14,7 +14,7 @@ + + #include "gpio-idio-16.h" + +-#define DEFAULT_SYMBOL_NAMESPACE GPIO_IDIO_16 ++#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16" + + #define IDIO_16_DAT_BASE 0x0 + #define IDIO_16_OUT_BASE IDIO_16_DAT_BASE +diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c +index ee04795b98aa..c243b51837d2 100644 +--- a/drivers/hwmon/nct6775-core.c ++++ b/drivers/hwmon/nct6775-core.c +@@ -57,7 +57,7 @@ + #include "nct6775.h" + + #undef DEFAULT_SYMBOL_NAMESPACE +-#define DEFAULT_SYMBOL_NAMESPACE HWMON_NCT6775 ++#define DEFAULT_SYMBOL_NAMESPACE "HWMON_NCT6775" + + #define USE_ALTERNATE + +diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c +index 9d88b4fa03e4..0e7771d21469 100644 +--- a/drivers/i2c/busses/i2c-designware-common.c ++++ b/drivers/i2c/busses/i2c-designware-common.c +@@ -29,7 +29,7 @@ + #include + #include + +-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW_COMMON ++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW_COMMON" + + #include "i2c-designware-core.h" + +diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c +index e8ac9a7bf0b3..e23f93b8974e 100644 +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -22,7 +22,7 @@ + #include + #include + +-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW ++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW" + + #include "i2c-designware-core.h" + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index 7035296aa24c..0a76e10f77a2 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -16,7 +16,7 @@ + #include + #include + +-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW ++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW" + + #include "i2c-designware-core.h" + +diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c +index 210368099a06..174939359ae3 100644 +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -6,7 +6,7 @@ + * Copyright (C) 2011-2012 Avionic Design GmbH + */ + +-#define DEFAULT_SYMBOL_NAMESPACE PWM ++#define DEFAULT_SYMBOL_NAMESPACE "PWM" + + #include + #include +diff --git a/drivers/pwm/pwm-dwc-core.c b/drivers/pwm/pwm-dwc-core.c +index c8425493b95d..6dabec93a3c6 100644 +--- a/drivers/pwm/pwm-dwc-core.c ++++ b/drivers/pwm/pwm-dwc-core.c +@@ -9,7 +9,7 @@ + * Author: Raymond Tan + */ + +-#define DEFAULT_SYMBOL_NAMESPACE dwc_pwm ++#define DEFAULT_SYMBOL_NAMESPACE "dwc_pwm" + + #include + #include +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 867e2bc8c601..3b99feb3bb49 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -19,7 +19,7 @@ + #include + #include + +-#define DEFAULT_SYMBOL_NAMESPACE PWM_LPSS ++#define DEFAULT_SYMBOL_NAMESPACE "PWM_LPSS" + + #include "pwm-lpss.h" + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index ad88a33a504f..6a0a1cce3a89 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -8,7 +8,7 @@ + */ + + #undef DEFAULT_SYMBOL_NAMESPACE +-#define DEFAULT_SYMBOL_NAMESPACE SERIAL_NXP_SC16IS7XX ++#define DEFAULT_SYMBOL_NAMESPACE "SERIAL_NXP_SC16IS7XX" + + #include + #include +diff --git a/drivers/usb/storage/Makefile b/drivers/usb/storage/Makefile +index 46635fa4a340..28db337f190b 100644 +--- a/drivers/usb/storage/Makefile ++++ b/drivers/usb/storage/Makefile +@@ -8,7 +8,7 @@ + + ccflags-y := -I $(srctree)/drivers/scsi + +-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_STORAGE ++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_STORAGE"' + + obj-$(CONFIG_USB_UAS) += uas.o + obj-$(CONFIG_USB_STORAGE) += usb-storage.o +diff --git a/include/linux/export.h b/include/linux/export.h +index 0bbd02fd351d..1e04dbc675c2 100644 +--- a/include/linux/export.h ++++ b/include/linux/export.h +@@ -60,7 +60,7 @@ + #endif + + #ifdef DEFAULT_SYMBOL_NAMESPACE +-#define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, __stringify(DEFAULT_SYMBOL_NAMESPACE)) ++#define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, DEFAULT_SYMBOL_NAMESPACE) + #else + #define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, "") + #endif +-- +2.39.5 + diff --git a/queue-6.12/net-defer-final-struct-net-free-in-netns-dismantle.patch b/queue-6.12/net-defer-final-struct-net-free-in-netns-dismantle.patch new file mode 100644 index 00000000000..88fea03f19f --- /dev/null +++ b/queue-6.12/net-defer-final-struct-net-free-in-netns-dismantle.patch @@ -0,0 +1,223 @@ +From 57158f19cdaf2b57f32ec1566dfeb6fd8c1f9f78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 12:54:55 +0000 +Subject: net: defer final 'struct net' free in netns dismantle + +From: Eric Dumazet + +[ Upstream commit 0f6ede9fbc747e2553612271bce108f7517e7a45 ] + +Ilya reported a slab-use-after-free in dst_destroy [1] + +Issue is in xfrm6_net_init() and xfrm4_net_init() : + +They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. + +But net structure might be freed before all the dst callbacks are +called. So when dst_destroy() calls later : + +if (dst->ops->destroy) + dst->ops->destroy(dst); + +dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. + +See a relevant issue fixed in : + +ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") + +A fix is to queue the 'struct net' to be freed after one +another cleanup_net() round (and existing rcu_barrier()) + +[1] + +BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) +Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 +Dec 03 05:46:18 kernel: +CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 +Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 +Call Trace: + +dump_stack_lvl (lib/dump_stack.c:124) +print_address_description.constprop.0 (mm/kasan/report.c:378) +? dst_destroy (net/core/dst.c:112) +print_report (mm/kasan/report.c:489) +? dst_destroy (net/core/dst.c:112) +? kasan_addr_to_slab (mm/kasan/common.c:37) +kasan_report (mm/kasan/report.c:603) +? dst_destroy (net/core/dst.c:112) +? rcu_do_batch (kernel/rcu/tree.c:2567) +dst_destroy (net/core/dst.c:112) +rcu_do_batch (kernel/rcu/tree.c:2567) +? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) +? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) +rcu_core (kernel/rcu/tree.c:2825) +handle_softirqs (kernel/softirq.c:554) +__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) +irq_exit_rcu (kernel/softirq.c:651) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) + + +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) +RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) +Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 +RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 +RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 +RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d +R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 +R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 +? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) +? cpuidle_idle_call (kernel/sched/idle.c:186) +default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) +cpuidle_idle_call (kernel/sched/idle.c:186) +? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) +? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) +? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) +? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) +do_idle (kernel/sched/idle.c:326) +cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) +? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) +? soft_restart_cpu (arch/x86/kernel/head_64.S:452) +common_startup_64 (arch/x86/kernel/head_64.S:414) + +Dec 03 05:46:18 kernel: +Allocated by task 12184: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) +__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) +kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) +copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) +create_new_namespaces (kernel/nsproxy.c:110) +unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) +ksys_unshare (kernel/fork.c:3313) +__x64_sys_unshare (kernel/fork.c:3382) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +Dec 03 05:46:18 kernel: +Freed by task 11: +kasan_save_stack (mm/kasan/common.c:48) +kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) +kasan_save_free_info (mm/kasan/generic.c:582) +__kasan_slab_free (mm/kasan/common.c:271) +kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681) +cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647) +process_one_work (kernel/workqueue.c:3229) +worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) +kthread (kernel/kthread.c:389) +ret_from_fork (arch/x86/kernel/process.c:147) +ret_from_fork_asm (arch/x86/entry/entry_64.S:257) +Dec 03 05:46:18 kernel: +Last potentially related work creation: +kasan_save_stack (mm/kasan/common.c:48) +__kasan_record_aux_stack (mm/kasan/generic.c:541) +insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) +__queue_work (kernel/workqueue.c:2340) +queue_work_on (kernel/workqueue.c:2391) +xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610) +xfrm_add_policy (net/xfrm/xfrm_user.c:2116) +xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) +netlink_rcv_skb (net/netlink/af_netlink.c:2536) +xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) +netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) +netlink_sendmsg (net/netlink/af_netlink.c:1886) +sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) +vfs_write (fs/read_write.c:590 fs/read_write.c:683) +ksys_write (fs/read_write.c:736) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +Dec 03 05:46:18 kernel: +Second to last potentially related work creation: +kasan_save_stack (mm/kasan/common.c:48) +__kasan_record_aux_stack (mm/kasan/generic.c:541) +insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) +__queue_work (kernel/workqueue.c:2340) +queue_work_on (kernel/workqueue.c:2391) +__xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513) +xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940) +xfrm_add_sa (net/xfrm/xfrm_user.c:912) +xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) +netlink_rcv_skb (net/netlink/af_netlink.c:2536) +xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) +netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) +netlink_sendmsg (net/netlink/af_netlink.c:1886) +sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) +vfs_write (fs/read_write.c:590 fs/read_write.c:683) +ksys_write (fs/read_write.c:736) +do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops") +Reported-by: Ilya Maximets +Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY_tO8WQg@mail.gmail.com/T/#m02c98c3009fe66382b73cfb4db9cf1df6fab3fbf +Signed-off-by: Eric Dumazet +Acked-by: Paolo Abeni +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/net_namespace.h | 1 + + net/core/net_namespace.c | 20 +++++++++++++++++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index e67b483cc8bb..9398c8f49953 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -80,6 +80,7 @@ struct net { + * or to unregister pernet ops + * (pernet_ops_rwsem write locked). + */ ++ struct llist_node defer_free_list; + struct llist_node cleanup_list; /* namespaces on death row */ + + #ifdef CONFIG_KEYS +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index e39479f1c9a4..70fea7c1a4b0 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -443,6 +443,21 @@ static struct net *net_alloc(void) + goto out; + } + ++static LLIST_HEAD(defer_free_list); ++ ++static void net_complete_free(void) ++{ ++ struct llist_node *kill_list; ++ struct net *net, *next; ++ ++ /* Get the list of namespaces to free from last round. */ ++ kill_list = llist_del_all(&defer_free_list); ++ ++ llist_for_each_entry_safe(net, next, kill_list, defer_free_list) ++ kmem_cache_free(net_cachep, net); ++ ++} ++ + static void net_free(struct net *net) + { + if (refcount_dec_and_test(&net->passive)) { +@@ -451,7 +466,8 @@ static void net_free(struct net *net) + /* There should not be any trackers left there. */ + ref_tracker_dir_exit(&net->notrefcnt_tracker); + +- kmem_cache_free(net_cachep, net); ++ /* Wait for an extra rcu_barrier() before final free. */ ++ llist_add(&net->defer_free_list, &defer_free_list); + } + } + +@@ -636,6 +652,8 @@ static void cleanup_net(struct work_struct *work) + */ + rcu_barrier(); + ++ net_complete_free(); ++ + /* Finally it is safe to free my network namespace structure */ + list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { + list_del_init(&net->exit_list); +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-felix-fix-stuck-cpu-injected-packets-with-sh.patch b/queue-6.12/net-dsa-felix-fix-stuck-cpu-injected-packets-with-sh.patch new file mode 100644 index 00000000000..c875cda5e19 --- /dev/null +++ b/queue-6.12/net-dsa-felix-fix-stuck-cpu-injected-packets-with-sh.patch @@ -0,0 +1,171 @@ +From 2bf73e69c7bd715b934f0e984e703da324b6967f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:26:40 +0200 +Subject: net: dsa: felix: fix stuck CPU-injected packets with short taprio + windows + +From: Vladimir Oltean + +[ Upstream commit acfcdb78d5d4cdb78e975210c8825b9a112463f6 ] + +With this port schedule: + +tc qdisc replace dev $send_if parent root handle 100 taprio \ + num_tc 8 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ + map 0 1 2 3 4 5 6 7 \ + base-time 0 cycle-time 10000 \ + sched-entry S 01 1250 \ + sched-entry S 02 1250 \ + sched-entry S 04 1250 \ + sched-entry S 08 1250 \ + sched-entry S 10 1250 \ + sched-entry S 20 1250 \ + sched-entry S 40 1250 \ + sched-entry S 80 1250 \ + flags 2 + +ptp4l would fail to take TX timestamps of Pdelay_Resp messages like this: + +increasing tx_timestamp_timeout may correct this issue, but it is likely caused by a driver bug +ptp4l[4134.168]: port 2: send peer delay response failed + +It turns out that the driver can't take their TX timestamps because it +can't transmit them in the first place. And there's nothing special +about the Pdelay_Resp packets - they're just regular 68 byte packets. +But with this taprio configuration, the switch would refuse to send even +the ETH_ZLEN minimum packet size. + +This should have definitely not been the case. When applying the taprio +config, the driver prints: + +mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS + +and thus, everything under 132 bytes - ETH_FCS_LEN should have been sent +without problems. Yet it's not. + +For the forwarding path, the configuration is fine, yet packets injected +from Linux get stuck with this schedule no matter what. + +The first hint that the static guard bands are the cause of the problem +is that reverting Michael Walle's commit 297c4de6f780 ("net: dsa: felix: +re-enable TAS guard band mode") made things work. It must be that the +guard bands are calculated incorrectly. + +I remembered that there is a magic constant in the driver, set to 33 ns +for no logical reason other than experimentation, which says "never let +the static guard bands get so large as to leave less than this amount of +remaining space in the time slot, because the queue system will refuse +to schedule packets otherwise, and they will get stuck". I had a hunch +that my previous experimentally-determined value was only good for +packets coming from the forwarding path, and that the CPU injection path +needed more. + +I came to the new value of 35 ns through binary search, after seeing +that with 544 ns (the bit time required to send the Pdelay_Resp packet +at gigabit) it works. Again, this is purely experimental, there's no +logic and the manual doesn't say anything. + +The new driver prints for this schedule look like this: + +mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS +mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS + +So yes, the maximum MTU is now even smaller by 1 byte than before. +This is maybe counter-intuitive, but makes more sense with a diagram of +one time slot. + +Before: + + Gate open Gate close + | | + v 1250 ns total time slot duration v + <----------------------------------------------------> + <----><----------------------------------------------> + 33 ns 1217 ns static guard band + useful + + Gate open Gate close + | | + v 1250 ns total time slot duration v + <----------------------------------------------------> + <-----><---------------------------------------------> + 35 ns 1215 ns static guard band + useful + +The static guard band implemented by this switch hardware directly +determines the maximum allowable MTU for that traffic class. The larger +it is, the earlier the switch will stop scheduling frames for +transmission, because otherwise they might overrun the gate close time +(and avoiding that is the entire purpose of Michael's patch). +So, we now have guard bands smaller by 2 ns, thus, in this particular +case, we lose a byte of the maximum MTU. + +Fixes: 11afdc6526de ("net: dsa: felix: tc-taprio intervals smaller than MTU should send at least one packet") +Signed-off-by: Vladimir Oltean +Reviewed-by: Michael Walle +Link: https://patch.msgid.link/20241210132640.3426788-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/felix_vsc9959.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/dsa/ocelot/felix_vsc9959.c b/drivers/net/dsa/ocelot/felix_vsc9959.c +index 0102a82e88cc..940f1b71226d 100644 +--- a/drivers/net/dsa/ocelot/felix_vsc9959.c ++++ b/drivers/net/dsa/ocelot/felix_vsc9959.c +@@ -24,7 +24,7 @@ + #define VSC9959_NUM_PORTS 6 + + #define VSC9959_TAS_GCL_ENTRY_MAX 63 +-#define VSC9959_TAS_MIN_GATE_LEN_NS 33 ++#define VSC9959_TAS_MIN_GATE_LEN_NS 35 + #define VSC9959_VCAP_POLICER_BASE 63 + #define VSC9959_VCAP_POLICER_MAX 383 + #define VSC9959_SWITCH_PCI_BAR 4 +@@ -1056,11 +1056,15 @@ static void vsc9959_mdio_bus_free(struct ocelot *ocelot) + mdiobus_free(felix->imdio); + } + +-/* The switch considers any frame (regardless of size) as eligible for +- * transmission if the traffic class gate is open for at least 33 ns. ++/* The switch considers any frame (regardless of size) as eligible ++ * for transmission if the traffic class gate is open for at least ++ * VSC9959_TAS_MIN_GATE_LEN_NS. ++ * + * Overruns are prevented by cropping an interval at the end of the gate time +- * slot for which egress scheduling is blocked, but we need to still keep 33 ns +- * available for one packet to be transmitted, otherwise the port tc will hang. ++ * slot for which egress scheduling is blocked, but we need to still keep ++ * VSC9959_TAS_MIN_GATE_LEN_NS available for one packet to be transmitted, ++ * otherwise the port tc will hang. ++ * + * This function returns the size of a gate interval that remains available for + * setting the guard band, after reserving the space for one egress frame. + */ +@@ -1303,7 +1307,8 @@ static void vsc9959_tas_guard_bands_update(struct ocelot *ocelot, int port) + * per-tc static guard band lengths, so it reduces the + * useful gate interval length. Therefore, be careful + * to calculate a guard band (and therefore max_sdu) +- * that still leaves 33 ns available in the time slot. ++ * that still leaves VSC9959_TAS_MIN_GATE_LEN_NS ++ * available in the time slot. + */ + max_sdu = div_u64(remaining_gate_len_ps, picos_per_byte); + /* A TC gate may be completely closed, which is a +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-microchip-ksz9896-register-regmap-alignment-.patch b/queue-6.12/net-dsa-microchip-ksz9896-register-regmap-alignment-.patch new file mode 100644 index 00000000000..50d9d34d616 --- /dev/null +++ b/queue-6.12/net-dsa-microchip-ksz9896-register-regmap-alignment-.patch @@ -0,0 +1,140 @@ +From 8a76012c4a11c91d5228f8f92b7419631a64e9d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 10:29:32 +0100 +Subject: net: dsa: microchip: KSZ9896 register regmap alignment to 32 bit + boundaries + +From: Jesse Van Gavere + +[ Upstream commit 5af53577c64fa84da032d490b701127fe8d1a6aa ] + +Commit 8d7ae22ae9f8 ("net: dsa: microchip: KSZ9477 register regmap +alignment to 32 bit boundaries") fixed an issue whereby regmap_reg_range +did not allow writes as 32 bit words to KSZ9477 PHY registers, this fix +for KSZ9896 is adapted from there as the same errata is present in +KSZ9896C as "Module 5: Certain PHY registers must be written as pairs +instead of singly" the explanation below is likewise taken from this +commit. + +The commit provided code +to apply "Module 6: Certain PHY registers must be written as pairs instead +of singly" errata for KSZ9477 as this chip for certain PHY registers +(0xN120 to 0xN13F, N=1,2,3,4,5) must be accessed as 32 bit words instead +of 16 or 8 bit access. +Otherwise, adjacent registers (no matter if reserved or not) are +overwritten with 0x0. + +Without this patch some registers (e.g. 0x113c or 0x1134) required for 32 +bit access are out of valid regmap ranges. + +As a result, following error is observed and KSZ9896 is not properly +configured: + +ksz-switch spi1.0: can't rmw 32bit reg 0x113c: -EIO +ksz-switch spi1.0: can't rmw 32bit reg 0x1134: -EIO +ksz-switch spi1.0 lan1 (uninitialized): failed to connect to PHY: -EIO +ksz-switch spi1.0 lan1 (uninitialized): error -5 setting up PHY for tree 0, switch 0, port 0 + +The solution is to modify regmap_reg_range to allow accesses with 4 bytes +boundaries. + +Fixes: 5c844d57aa78 ("net: dsa: microchip: fix writes to phy registers >= 0x10") +Signed-off-by: Jesse Van Gavere +Link: https://patch.msgid.link/20241211092932.26881-1-jesse.vangavere@scioteq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz_common.c | 42 +++++++++++--------------- + 1 file changed, 18 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 5290f5ad98f3..bf26cd0abf6d 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -1098,10 +1098,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x1030, 0x1030), + regmap_reg_range(0x1100, 0x1115), + regmap_reg_range(0x111a, 0x111f), +- regmap_reg_range(0x1122, 0x1127), +- regmap_reg_range(0x112a, 0x112b), +- regmap_reg_range(0x1136, 0x1139), +- regmap_reg_range(0x113e, 0x113f), ++ regmap_reg_range(0x1120, 0x112b), ++ regmap_reg_range(0x1134, 0x113b), ++ regmap_reg_range(0x113c, 0x113f), + regmap_reg_range(0x1400, 0x1401), + regmap_reg_range(0x1403, 0x1403), + regmap_reg_range(0x1410, 0x1417), +@@ -1128,10 +1127,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x2030, 0x2030), + regmap_reg_range(0x2100, 0x2115), + regmap_reg_range(0x211a, 0x211f), +- regmap_reg_range(0x2122, 0x2127), +- regmap_reg_range(0x212a, 0x212b), +- regmap_reg_range(0x2136, 0x2139), +- regmap_reg_range(0x213e, 0x213f), ++ regmap_reg_range(0x2120, 0x212b), ++ regmap_reg_range(0x2134, 0x213b), ++ regmap_reg_range(0x213c, 0x213f), + regmap_reg_range(0x2400, 0x2401), + regmap_reg_range(0x2403, 0x2403), + regmap_reg_range(0x2410, 0x2417), +@@ -1158,10 +1156,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x3030, 0x3030), + regmap_reg_range(0x3100, 0x3115), + regmap_reg_range(0x311a, 0x311f), +- regmap_reg_range(0x3122, 0x3127), +- regmap_reg_range(0x312a, 0x312b), +- regmap_reg_range(0x3136, 0x3139), +- regmap_reg_range(0x313e, 0x313f), ++ regmap_reg_range(0x3120, 0x312b), ++ regmap_reg_range(0x3134, 0x313b), ++ regmap_reg_range(0x313c, 0x313f), + regmap_reg_range(0x3400, 0x3401), + regmap_reg_range(0x3403, 0x3403), + regmap_reg_range(0x3410, 0x3417), +@@ -1188,10 +1185,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x4030, 0x4030), + regmap_reg_range(0x4100, 0x4115), + regmap_reg_range(0x411a, 0x411f), +- regmap_reg_range(0x4122, 0x4127), +- regmap_reg_range(0x412a, 0x412b), +- regmap_reg_range(0x4136, 0x4139), +- regmap_reg_range(0x413e, 0x413f), ++ regmap_reg_range(0x4120, 0x412b), ++ regmap_reg_range(0x4134, 0x413b), ++ regmap_reg_range(0x413c, 0x413f), + regmap_reg_range(0x4400, 0x4401), + regmap_reg_range(0x4403, 0x4403), + regmap_reg_range(0x4410, 0x4417), +@@ -1218,10 +1214,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x5030, 0x5030), + regmap_reg_range(0x5100, 0x5115), + regmap_reg_range(0x511a, 0x511f), +- regmap_reg_range(0x5122, 0x5127), +- regmap_reg_range(0x512a, 0x512b), +- regmap_reg_range(0x5136, 0x5139), +- regmap_reg_range(0x513e, 0x513f), ++ regmap_reg_range(0x5120, 0x512b), ++ regmap_reg_range(0x5134, 0x513b), ++ regmap_reg_range(0x513c, 0x513f), + regmap_reg_range(0x5400, 0x5401), + regmap_reg_range(0x5403, 0x5403), + regmap_reg_range(0x5410, 0x5417), +@@ -1248,10 +1243,9 @@ static const struct regmap_range ksz9896_valid_regs[] = { + regmap_reg_range(0x6030, 0x6030), + regmap_reg_range(0x6100, 0x6115), + regmap_reg_range(0x611a, 0x611f), +- regmap_reg_range(0x6122, 0x6127), +- regmap_reg_range(0x612a, 0x612b), +- regmap_reg_range(0x6136, 0x6139), +- regmap_reg_range(0x613e, 0x613f), ++ regmap_reg_range(0x6120, 0x612b), ++ regmap_reg_range(0x6134, 0x613b), ++ regmap_reg_range(0x613c, 0x613f), + regmap_reg_range(0x6300, 0x6301), + regmap_reg_range(0x6400, 0x6401), + regmap_reg_range(0x6403, 0x6403), +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-tag_ocelot_8021q-fix-broken-reception.patch b/queue-6.12/net-dsa-tag_ocelot_8021q-fix-broken-reception.patch new file mode 100644 index 00000000000..196751b0f9f --- /dev/null +++ b/queue-6.12/net-dsa-tag_ocelot_8021q-fix-broken-reception.patch @@ -0,0 +1,45 @@ +From 39b5875d28493f0b59b73588675c8f9a398d68d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 15:47:41 +0100 +Subject: net: dsa: tag_ocelot_8021q: fix broken reception + +From: Robert Hodaszi + +[ Upstream commit 36ff681d2283410742489ce77e7b01419eccf58c ] + +The blamed commit changed the dsa_8021q_rcv() calling convention to +accept pre-populated source_port and switch_id arguments. If those are +not available, as in the case of tag_ocelot_8021q, the arguments must be +pre-initialized with -1. + +Due to the bug of passing uninitialized arguments in tag_ocelot_8021q, +dsa_8021q_rcv() does not detect that it needs to populate the +source_port and switch_id, and this makes dsa_conduit_find_user() fail, +which leads to packet loss on reception. + +Fixes: dcfe7673787b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") +Signed-off-by: Robert Hodaszi +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20241211144741.1415758-1-robert.hodaszi@digi.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_ocelot_8021q.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/tag_ocelot_8021q.c b/net/dsa/tag_ocelot_8021q.c +index 8e8b1bef6af6..11ea8cfd6266 100644 +--- a/net/dsa/tag_ocelot_8021q.c ++++ b/net/dsa/tag_ocelot_8021q.c +@@ -79,7 +79,7 @@ static struct sk_buff *ocelot_xmit(struct sk_buff *skb, + static struct sk_buff *ocelot_rcv(struct sk_buff *skb, + struct net_device *netdev) + { +- int src_port, switch_id; ++ int src_port = -1, switch_id = -1; + + dsa_8021q_rcv(skb, &src_port, &switch_id, NULL, NULL); + +-- +2.39.5 + diff --git a/queue-6.12/net-lapb-increase-lapb_header_len.patch b/queue-6.12/net-lapb-increase-lapb_header_len.patch new file mode 100644 index 00000000000..86e01ef25ad --- /dev/null +++ b/queue-6.12/net-lapb-increase-lapb_header_len.patch @@ -0,0 +1,86 @@ +From 44ca27373f0bec8d7c7354b9d3859a860854a475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 14:10:31 +0000 +Subject: net: lapb: increase LAPB_HEADER_LEN + +From: Eric Dumazet + +[ Upstream commit a6d75ecee2bf828ac6a1b52724aba0a977e4eaf4 ] + +It is unclear if net/lapb code is supposed to be ready for 8021q. + +We can at least avoid crashes like the following : + +skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:206 ! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 + RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] + RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 +Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 +RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282 +RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 +RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60 +R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140 +R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016 +FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_push+0xe5/0x100 net/core/skbuff.c:2636 + nr_header+0x36/0x320 net/netrom/nr_dev.c:69 + dev_hard_header include/linux/netdevice.h:3148 [inline] + vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83 + dev_hard_header include/linux/netdevice.h:3148 [inline] + lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257 + lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447 + lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149 + lapb_establish_data_link+0x84/0xd0 + lapb_device_event+0x4e0/0x670 + notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 + __dev_notify_flags+0x207/0x400 + dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922 + devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188 + inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003 + sock_do_ioctl+0x158/0x460 net/socket.c:1227 + sock_ioctl+0x626/0x8e0 net/socket.c:1346 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+fb99d1b0c0f81d94a5e2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67506220.050a0220.17bd51.006c.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241204141031.4030267-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/lapb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/lapb.h b/include/net/lapb.h +index 124ee122f2c8..6c07420644e4 100644 +--- a/include/net/lapb.h ++++ b/include/net/lapb.h +@@ -4,7 +4,7 @@ + #include + #include + +-#define LAPB_HEADER_LEN 20 /* LAPB over Ethernet + a bit more */ ++#define LAPB_HEADER_LEN MAX_HEADER /* LAPB over Ethernet + a bit more */ + + #define LAPB_ACK_PENDING_CONDITION 0x01 + #define LAPB_REJECT_CONDITION 0x02 +-- +2.39.5 + diff --git a/queue-6.12/net-mana-fix-irq_contexts-memory-leak-in-mana_gd_set.patch b/queue-6.12/net-mana-fix-irq_contexts-memory-leak-in-mana_gd_set.patch new file mode 100644 index 00000000000..24bcb2d9231 --- /dev/null +++ b/queue-6.12/net-mana-fix-irq_contexts-memory-leak-in-mana_gd_set.patch @@ -0,0 +1,53 @@ +From 1e2f200da3fcfa42aa841664c51dbbe233418464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 12:57:51 -0500 +Subject: net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs + +From: Maxim Levitsky + +[ Upstream commit 9a5beb6ca6305de5c5210efab0702ea79b62eb39 ] + +gc->irq_contexts is not freeded if one of the later operations +fail. + +Suggested-by: Michael Kelley +Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") +Signed-off-by: Maxim Levitsky +Reviewed-by: Michal Swiatkowski +Reviewed-by: Kalesh AP +Reviewed-by: Saurabh Sengar +Reviewed-by: Yury Norov +Link: https://patch.msgid.link/20241209175751.287738-3-mlevitsk@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index 42076c90ce87..0c2ba2fa88c4 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1315,7 +1315,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev) + GFP_KERNEL); + if (!gc->irq_contexts) { + err = -ENOMEM; +- goto free_irq_vector; ++ goto free_irq_array; + } + + for (i = 0; i < nvec; i++) { +@@ -1385,8 +1385,9 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev) + } + + kfree(gc->irq_contexts); +- kfree(irqs); + gc->irq_contexts = NULL; ++free_irq_array: ++ kfree(irqs); + free_irq_vector: + cpus_read_unlock(); + pci_free_irq_vectors(pdev); +-- +2.39.5 + diff --git a/queue-6.12/net-mana-fix-memory-leak-in-mana_gd_setup_irqs.patch b/queue-6.12/net-mana-fix-memory-leak-in-mana_gd_setup_irqs.patch new file mode 100644 index 00000000000..308b3f84aab --- /dev/null +++ b/queue-6.12/net-mana-fix-memory-leak-in-mana_gd_setup_irqs.patch @@ -0,0 +1,43 @@ +From dfc3b53125f0eb4c7ecb841aefbbf834888a658e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 12:57:50 -0500 +Subject: net: mana: Fix memory leak in mana_gd_setup_irqs + +From: Maxim Levitsky + +[ Upstream commit bb1e3eb57d2cc38951f9a9f1b8c298ced175798f ] + +Commit 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") +added memory allocation in mana_gd_setup_irqs of 'irqs' but the code +doesn't free this temporary array in the success path. + +This was caught by kmemleak. + +Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores") +Signed-off-by: Maxim Levitsky +Reviewed-by: Michal Swiatkowski +Reviewed-by: Kalesh AP +Reviewed-by: Saurabh Sengar +Reviewed-by: Yury Norov +Link: https://patch.msgid.link/20241209175751.287738-2-mlevitsk@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index ca4ed58f1206..42076c90ce87 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1372,6 +1372,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev) + gc->max_num_msix = nvec; + gc->num_msix_usable = nvec; + cpus_read_unlock(); ++ kfree(irqs); + return 0; + + free_irq: +-- +2.39.5 + diff --git a/queue-6.12/net-mlx5-dr-prevent-potential-error-pointer-derefere.patch b/queue-6.12/net-mlx5-dr-prevent-potential-error-pointer-derefere.patch new file mode 100644 index 00000000000..d244dbe8cc0 --- /dev/null +++ b/queue-6.12/net-mlx5-dr-prevent-potential-error-pointer-derefere.patch @@ -0,0 +1,43 @@ +From e693a60895d2580e8e35e7a638c2bc0acf68eb91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 15:06:41 +0300 +Subject: net/mlx5: DR, prevent potential error pointer dereference + +From: Dan Carpenter + +[ Upstream commit 11776cff0b563c8b8a4fa76cab620bfb633a8cb8 ] + +The dr_domain_add_vport_cap() function generally returns NULL on error +but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can +retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM +and if it's and -ENOMEM then the error pointer is propogated back and +eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). + +Fixes: 11a45def2e19 ("net/mlx5: DR, Add support for SF vports") +Signed-off-by: Dan Carpenter +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/07477254-e179-43e2-b1b3-3b9db4674195@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index 3d74109f8230..49f22cad92bf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -297,7 +297,9 @@ dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) + if (ret) { + mlx5dr_dbg(dmn, "Couldn't insert new vport into xarray (%d)\n", ret); + kvfree(vport_caps); +- return ERR_PTR(ret); ++ if (ret == -EBUSY) ++ return ERR_PTR(-EBUSY); ++ return NULL; + } + + return vport_caps; +-- +2.39.5 + diff --git a/queue-6.12/net-mscc-ocelot-be-resilient-to-loss-of-ptp-packets-.patch b/queue-6.12/net-mscc-ocelot-be-resilient-to-loss-of-ptp-packets-.patch new file mode 100644 index 00000000000..b4efd92a090 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-be-resilient-to-loss-of-ptp-packets-.patch @@ -0,0 +1,404 @@ +From 777d1ad1a1fc1afcf4e979b9c9555418dc1b6615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:55:18 +0200 +Subject: net: mscc: ocelot: be resilient to loss of PTP packets during + transmission + +From: Vladimir Oltean + +[ Upstream commit b454abfab52543c44b581afc807b9f97fc1e7a3a ] + +The Felix DSA driver presents unique challenges that make the simplistic +ocelot PTP TX timestamping procedure unreliable: any transmitted packet +may be lost in hardware before it ever leaves our local system. + +This may happen because there is congestion on the DSA conduit, the +switch CPU port or even user port (Qdiscs like taprio may delay packets +indefinitely by design). + +The technical problem is that the kernel, i.e. ocelot_port_add_txtstamp_skb(), +runs out of timestamp IDs eventually, because it never detects that +packets are lost, and keeps the IDs of the lost packets on hold +indefinitely. The manifestation of the issue once the entire timestamp +ID range becomes busy looks like this in dmesg: + +mscc_felix 0000:00:00.5: port 0 delivering skb without TX timestamp +mscc_felix 0000:00:00.5: port 1 delivering skb without TX timestamp + +At the surface level, we need a timeout timer so that the kernel knows a +timestamp ID is available again. But there is a deeper problem with the +implementation, which is the monotonically increasing ocelot_port->ts_id. +In the presence of packet loss, it will be impossible to detect that and +reuse one of the holes created in the range of free timestamp IDs. + +What we actually need is a bitmap of 63 timestamp IDs tracking which one +is available. That is able to use up holes caused by packet loss, but +also gives us a unique opportunity to not implement an actual timer_list +for the timeout timer (very complicated in terms of locking). + +We could only declare a timestamp ID stale on demand (lazily), aka when +there's no other timestamp ID available. There are pros and cons to this +approach: the implementation is much more simple than per-packet timers +would be, but most of the stale packets would be quasi-leaked - not +really leaked, but blocked in driver memory, since this algorithm sees +no reason to free them. + +An improved technique would be to check for stale timestamp IDs every +time we allocate a new one. Assuming a constant flux of PTP packets, +this avoids stale packets being blocked in memory, but of course, +packets lost at the end of the flux are still blocked until the flux +resumes (nobody left to kick them out). + +Since implementing per-packet timers is way too complicated, this should +be good enough. + +Testing procedure: + +Persistently block traffic class 5 and try to run PTP on it: +$ tc qdisc replace dev swp3 parent root taprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \ + base-time 0 sched-entry S 0xdf 100000 flags 0x2 +[ 126.948141] mscc_felix 0000:00:00.5: port 3 tc 5 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS +$ ptp4l -i swp3 -2 -P -m --socket_priority 5 --fault_reset_interval ASAP --logSyncInterval -3 +ptp4l[70.351]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE +ptp4l[70.354]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE +ptp4l[70.358]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE +[ 70.394583] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +ptp4l[70.406]: timed out while polling for tx timestamp +ptp4l[70.406]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[70.406]: port 1 (swp3): send peer delay response failed +ptp4l[70.407]: port 1 (swp3): clearing fault immediately +ptp4l[70.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 +[ 71.394858] mscc_felix 0000:00:00.5: port 3 timestamp id 1 +ptp4l[71.400]: timed out while polling for tx timestamp +ptp4l[71.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[71.401]: port 1 (swp3): send peer delay response failed +ptp4l[71.401]: port 1 (swp3): clearing fault immediately +[ 72.393616] mscc_felix 0000:00:00.5: port 3 timestamp id 2 +ptp4l[72.401]: timed out while polling for tx timestamp +ptp4l[72.402]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[72.402]: port 1 (swp3): send peer delay response failed +ptp4l[72.402]: port 1 (swp3): clearing fault immediately +ptp4l[72.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 +[ 73.395291] mscc_felix 0000:00:00.5: port 3 timestamp id 3 +ptp4l[73.400]: timed out while polling for tx timestamp +ptp4l[73.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[73.400]: port 1 (swp3): send peer delay response failed +ptp4l[73.400]: port 1 (swp3): clearing fault immediately +[ 74.394282] mscc_felix 0000:00:00.5: port 3 timestamp id 4 +ptp4l[74.400]: timed out while polling for tx timestamp +ptp4l[74.401]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[74.401]: port 1 (swp3): send peer delay response failed +ptp4l[74.401]: port 1 (swp3): clearing fault immediately +ptp4l[74.953]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 +[ 75.396830] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost +[ 75.405760] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +ptp4l[75.410]: timed out while polling for tx timestamp +ptp4l[75.411]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it +ptp4l[75.411]: port 1 (swp3): send peer delay response failed +ptp4l[75.411]: port 1 (swp3): clearing fault immediately +(...) + +Remove the blocking condition and see that the port recovers: +$ same tc command as above, but use "sched-entry S 0xff" instead +$ same ptp4l command as above +ptp4l[99.489]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE +ptp4l[99.490]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE +ptp4l[99.492]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE +[ 100.403768] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost +[ 100.412545] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 1 which seems lost +[ 100.421283] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 2 which seems lost +[ 100.430015] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 3 which seems lost +[ 100.438744] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 4 which seems lost +[ 100.447470] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 100.505919] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +ptp4l[100.963]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1 +[ 101.405077] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 101.507953] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 102.405405] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 102.509391] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 103.406003] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 103.510011] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 104.405601] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 104.510624] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +ptp4l[104.965]: selected best master clock d858d7.fffe.00ca6d +ptp4l[104.966]: port 1 (swp3): assuming the grand master role +ptp4l[104.967]: port 1 (swp3): LISTENING to GRAND_MASTER on RS_GRAND_MASTER +[ 105.106201] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.232420] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.359001] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.405500] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.485356] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.511220] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.610938] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +[ 105.737237] mscc_felix 0000:00:00.5: port 3 timestamp id 0 +(...) + +Notice that in this new usage pattern, a non-congested port should +basically use timestamp ID 0 all the time, progressing to higher numbers +only if there are unacknowledged timestamps in flight. Compare this to +the old usage, where the timestamp ID used to monotonically increase +modulo OCELOT_MAX_PTP_ID. + +In terms of implementation, this simplifies the bookkeeping of the +ocelot_port :: ts_id and ptp_skbs_in_flight. Since we need to traverse +the list of two-step timestampable skbs for each new packet anyway, the +information can already be computed and does not need to be stored. +Also, ocelot_port->tx_skbs is always accessed under the switch-wide +ocelot->ts_id_lock IRQ-unsafe spinlock, so we don't need the skb queue's +lock and can use the unlocked primitives safely. + +This problem was actually detected using the tc-taprio offload, and is +causing trouble in TSN scenarios, which Felix (NXP LS1028A / VSC9959) +supports but Ocelot (VSC7514) does not. Thus, I've selected the commit +to blame as the one adding initial timestamping support for the Felix +switch. + +Fixes: c0bcf537667c ("net: dsa: ocelot: add hardware timestamping support for Felix") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20241205145519.1236778-5-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_ptp.c | 134 +++++++++++++++---------- + include/linux/dsa/ocelot.h | 1 + + include/soc/mscc/ocelot.h | 2 - + 3 files changed, 80 insertions(+), 57 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c +index d732f99e6391..7eb01d1e1ecd 100644 +--- a/drivers/net/ethernet/mscc/ocelot_ptp.c ++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c +@@ -14,6 +14,8 @@ + #include + #include "ocelot.h" + ++#define OCELOT_PTP_TX_TSTAMP_TIMEOUT (5 * HZ) ++ + int ocelot_ptp_gettime64(struct ptp_clock_info *ptp, struct timespec64 *ts) + { + struct ocelot *ocelot = container_of(ptp, struct ocelot, ptp_info); +@@ -603,34 +605,88 @@ int ocelot_get_ts_info(struct ocelot *ocelot, int port, + } + EXPORT_SYMBOL(ocelot_get_ts_info); + +-static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port, ++static struct sk_buff *ocelot_port_dequeue_ptp_tx_skb(struct ocelot *ocelot, ++ int port, u8 ts_id, ++ u32 seqid) ++{ ++ struct ocelot_port *ocelot_port = ocelot->ports[port]; ++ struct sk_buff *skb, *skb_tmp, *skb_match = NULL; ++ struct ptp_header *hdr; ++ ++ spin_lock(&ocelot->ts_id_lock); ++ ++ skb_queue_walk_safe(&ocelot_port->tx_skbs, skb, skb_tmp) { ++ if (OCELOT_SKB_CB(skb)->ts_id != ts_id) ++ continue; ++ ++ /* Check that the timestamp ID is for the expected PTP ++ * sequenceId. We don't have to test ptp_parse_header() against ++ * NULL, because we've pre-validated the packet's ptp_class. ++ */ ++ hdr = ptp_parse_header(skb, OCELOT_SKB_CB(skb)->ptp_class); ++ if (seqid != ntohs(hdr->sequence_id)) ++ continue; ++ ++ __skb_unlink(skb, &ocelot_port->tx_skbs); ++ ocelot->ptp_skbs_in_flight--; ++ skb_match = skb; ++ break; ++ } ++ ++ spin_unlock(&ocelot->ts_id_lock); ++ ++ return skb_match; ++} ++ ++static int ocelot_port_queue_ptp_tx_skb(struct ocelot *ocelot, int port, + struct sk_buff *clone) + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; ++ DECLARE_BITMAP(ts_id_in_flight, OCELOT_MAX_PTP_ID); ++ struct sk_buff *skb, *skb_tmp; ++ unsigned long n; + + spin_lock(&ocelot->ts_id_lock); + +- if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID || +- ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) { ++ /* To get a better chance of acquiring a timestamp ID, first flush the ++ * stale packets still waiting in the TX timestamping queue. They are ++ * probably lost. ++ */ ++ skb_queue_walk_safe(&ocelot_port->tx_skbs, skb, skb_tmp) { ++ if (time_before(OCELOT_SKB_CB(skb)->ptp_tx_time + ++ OCELOT_PTP_TX_TSTAMP_TIMEOUT, jiffies)) { ++ dev_warn_ratelimited(ocelot->dev, ++ "port %d invalidating stale timestamp ID %u which seems lost\n", ++ port, OCELOT_SKB_CB(skb)->ts_id); ++ __skb_unlink(skb, &ocelot_port->tx_skbs); ++ kfree_skb(skb); ++ ocelot->ptp_skbs_in_flight--; ++ } else { ++ __set_bit(OCELOT_SKB_CB(skb)->ts_id, ts_id_in_flight); ++ } ++ } ++ ++ if (ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) { + spin_unlock(&ocelot->ts_id_lock); + return -EBUSY; + } + +- skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS; +- /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */ +- OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id; +- +- ocelot_port->ts_id++; +- if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID) +- ocelot_port->ts_id = 0; ++ n = find_first_zero_bit(ts_id_in_flight, OCELOT_MAX_PTP_ID); ++ if (n == OCELOT_MAX_PTP_ID) { ++ spin_unlock(&ocelot->ts_id_lock); ++ return -EBUSY; ++ } + +- ocelot_port->ptp_skbs_in_flight++; ++ /* Found an available timestamp ID, use it */ ++ OCELOT_SKB_CB(clone)->ts_id = n; ++ OCELOT_SKB_CB(clone)->ptp_tx_time = jiffies; + ocelot->ptp_skbs_in_flight++; +- +- skb_queue_tail(&ocelot_port->tx_skbs, clone); ++ __skb_queue_tail(&ocelot_port->tx_skbs, clone); + + spin_unlock(&ocelot->ts_id_lock); + ++ dev_dbg_ratelimited(ocelot->dev, "port %d timestamp id %lu\n", port, n); ++ + return 0; + } + +@@ -686,12 +742,14 @@ int ocelot_port_txtstamp_request(struct ocelot *ocelot, int port, + if (!(*clone)) + return -ENOMEM; + +- err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone); ++ /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */ ++ err = ocelot_port_queue_ptp_tx_skb(ocelot, port, *clone); + if (err) { + kfree_skb(*clone); + return err; + } + ++ skb_shinfo(*clone)->tx_flags |= SKBTX_IN_PROGRESS; + OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd; + OCELOT_SKB_CB(*clone)->ptp_class = ptp_class; + } +@@ -727,26 +785,14 @@ static void ocelot_get_hwtimestamp(struct ocelot *ocelot, + spin_unlock_irqrestore(&ocelot->ptp_clock_lock, flags); + } + +-static bool ocelot_validate_ptp_skb(struct sk_buff *clone, u16 seqid) +-{ +- struct ptp_header *hdr; +- +- hdr = ptp_parse_header(clone, OCELOT_SKB_CB(clone)->ptp_class); +- if (WARN_ON(!hdr)) +- return false; +- +- return seqid == ntohs(hdr->sequence_id); +-} +- + void ocelot_get_txtstamp(struct ocelot *ocelot) + { + int budget = OCELOT_PTP_QUEUE_SZ; + + while (budget--) { +- struct sk_buff *skb, *skb_tmp, *skb_match = NULL; + struct skb_shared_hwtstamps shhwtstamps; + u32 val, id, seqid, txport; +- struct ocelot_port *port; ++ struct sk_buff *skb_match; + struct timespec64 ts; + + val = ocelot_read(ocelot, SYS_PTP_STATUS); +@@ -762,36 +808,14 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val); + seqid = SYS_PTP_STATUS_PTP_MESS_SEQ_ID(val); + +- port = ocelot->ports[txport]; +- +- spin_lock(&ocelot->ts_id_lock); +- port->ptp_skbs_in_flight--; +- ocelot->ptp_skbs_in_flight--; +- spin_unlock(&ocelot->ts_id_lock); +- + /* Retrieve its associated skb */ +-try_again: +- spin_lock(&port->tx_skbs.lock); +- +- skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) { +- if (OCELOT_SKB_CB(skb)->ts_id != id) +- continue; +- __skb_unlink(skb, &port->tx_skbs); +- skb_match = skb; +- break; +- } +- +- spin_unlock(&port->tx_skbs.lock); +- +- if (WARN_ON(!skb_match)) ++ skb_match = ocelot_port_dequeue_ptp_tx_skb(ocelot, txport, id, ++ seqid); ++ if (!skb_match) { ++ dev_warn_ratelimited(ocelot->dev, ++ "port %d received TX timestamp (seqid %d, ts id %u) for packet previously declared stale\n", ++ txport, seqid, id); + goto next_ts; +- +- if (!ocelot_validate_ptp_skb(skb_match, seqid)) { +- dev_err_ratelimited(ocelot->dev, +- "port %d received stale TX timestamp for seqid %d, discarding\n", +- txport, seqid); +- kfree_skb(skb); +- goto try_again; + } + + /* Get the h/w timestamp */ +diff --git a/include/linux/dsa/ocelot.h b/include/linux/dsa/ocelot.h +index 6fbfbde68a37..620a3260fc08 100644 +--- a/include/linux/dsa/ocelot.h ++++ b/include/linux/dsa/ocelot.h +@@ -15,6 +15,7 @@ + struct ocelot_skb_cb { + struct sk_buff *clone; + unsigned int ptp_class; /* valid only for clones */ ++ unsigned long ptp_tx_time; /* valid only for clones */ + u32 tstamp_lo; + u8 ptp_cmd; + u8 ts_id; +diff --git a/include/soc/mscc/ocelot.h b/include/soc/mscc/ocelot.h +index 462c653e1017..2db9ae0575b6 100644 +--- a/include/soc/mscc/ocelot.h ++++ b/include/soc/mscc/ocelot.h +@@ -778,7 +778,6 @@ struct ocelot_port { + + phy_interface_t phy_mode; + +- unsigned int ptp_skbs_in_flight; + struct sk_buff_head tx_skbs; + + unsigned int trap_proto; +@@ -786,7 +785,6 @@ struct ocelot_port { + u16 mrp_ring_id; + + u8 ptp_cmd; +- u8 ts_id; + + u8 index; + +-- +2.39.5 + diff --git a/queue-6.12/net-mscc-ocelot-fix-memory-leak-on-ocelot_port_add_t.patch b/queue-6.12/net-mscc-ocelot-fix-memory-leak-on-ocelot_port_add_t.patch new file mode 100644 index 00000000000..d36c3e00bd8 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-fix-memory-leak-on-ocelot_port_add_t.patch @@ -0,0 +1,41 @@ +From 71d69f6a7dd80dbb34d126c9003ac29920072a37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:55:15 +0200 +Subject: net: mscc: ocelot: fix memory leak on ocelot_port_add_txtstamp_skb() + +From: Vladimir Oltean + +[ Upstream commit 4b01bec25bef62544228bce06db6a3afa5d3d6bb ] + +If ocelot_port_add_txtstamp_skb() fails, for example due to a full PTP +timestamp FIFO, we must undo the skb_clone_sk() call with kfree_skb(). +Otherwise, the reference to the skb clone is lost. + +Fixes: 52849bcf0029 ("net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20241205145519.1236778-2-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c +index e172638b0601..db00a51a7430 100644 +--- a/drivers/net/ethernet/mscc/ocelot_ptp.c ++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c +@@ -688,8 +688,10 @@ int ocelot_port_txtstamp_request(struct ocelot *ocelot, int port, + return -ENOMEM; + + err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone); +- if (err) ++ if (err) { ++ kfree_skb(*clone); + return err; ++ } + + OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd; + OCELOT_SKB_CB(*clone)->ptp_class = ptp_class; +-- +2.39.5 + diff --git a/queue-6.12/net-mscc-ocelot-improve-handling-of-tx-timestamp-for.patch b/queue-6.12/net-mscc-ocelot-improve-handling-of-tx-timestamp-for.patch new file mode 100644 index 00000000000..0d765c57e18 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-improve-handling-of-tx-timestamp-for.patch @@ -0,0 +1,54 @@ +From 858a5c7ab2b4cc2a294a5bb56d8f7705be411ef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:55:16 +0200 +Subject: net: mscc: ocelot: improve handling of TX timestamp for unknown skb + +From: Vladimir Oltean + +[ Upstream commit b6fba4b3f0becb794e274430f3a0839d8ba31262 ] + +This condition, theoretically impossible to trigger, is not really +handled well. By "continuing", we are skipping the write to SYS_PTP_NXT +which advances the timestamp FIFO to the next entry. So we are reading +the same FIFO entry all over again, printing stack traces and eventually +killing the kernel. + +No real problem has been observed here. This is part of a larger rework +of the timestamp IRQ procedure, with this logical change split out into +a patch of its own. We will need to "goto next_ts" for other conditions +as well. + +Fixes: 9fde506e0c53 ("net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20241205145519.1236778-3-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c +index db00a51a7430..95a5267bc9ce 100644 +--- a/drivers/net/ethernet/mscc/ocelot_ptp.c ++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c +@@ -786,7 +786,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + spin_unlock_irqrestore(&port->tx_skbs.lock, flags); + + if (WARN_ON(!skb_match)) +- continue; ++ goto next_ts; + + if (!ocelot_validate_ptp_skb(skb_match, seqid)) { + dev_err_ratelimited(ocelot->dev, +@@ -804,7 +804,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + shhwtstamps.hwtstamp = ktime_set(ts.tv_sec, ts.tv_nsec); + skb_complete_tx_timestamp(skb_match, &shhwtstamps); + +- /* Next ts */ ++next_ts: + ocelot_write(ocelot, SYS_PTP_NXT_PTP_NXT, SYS_PTP_NXT); + } + } +-- +2.39.5 + diff --git a/queue-6.12/net-mscc-ocelot-ocelot-ts_id_lock-and-ocelot_port-tx.patch b/queue-6.12/net-mscc-ocelot-ocelot-ts_id_lock-and-ocelot_port-tx.patch new file mode 100644 index 00000000000..bee7b142870 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-ocelot-ts_id_lock-and-ocelot_port-tx.patch @@ -0,0 +1,104 @@ +From a0a9b0156ad5caf44128d0fb9a4756a95944a6bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:55:17 +0200 +Subject: net: mscc: ocelot: ocelot->ts_id_lock and ocelot_port->tx_skbs.lock + are IRQ-safe + +From: Vladimir Oltean + +[ Upstream commit 0c53cdb95eb4a604062e326636971d96dd9b1b26 ] + +ocelot_get_txtstamp() is a threaded IRQ handler, requested explicitly as +such by both ocelot_ptp_rdy_irq_handler() and vsc9959_irq_handler(). + +As such, it runs with IRQs enabled, and not in hardirq context. Thus, +ocelot_port_add_txtstamp_skb() has no reason to turn off IRQs, it cannot +be preempted by ocelot_get_txtstamp(). For the same reason, +dev_kfree_skb_any_reason() will always evaluate as kfree_skb_reason() in +this calling context, so just simplify the dev_kfree_skb_any() call to +kfree_skb(). + +Also, ocelot_port_txtstamp_request() runs from NET_TX softirq context, +not with hardirqs enabled. Thus, ocelot_get_txtstamp() which shares the +ocelot_port->tx_skbs.lock lock with it, has no reason to disable hardirqs. + +This is part of a larger rework of the TX timestamping procedure. +A logical subportion of the rework has been split into a separate +change. + +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20241205145519.1236778-4-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: b454abfab525 ("net: mscc: ocelot: be resilient to loss of PTP packets during transmission") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_ptp.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c +index 95a5267bc9ce..d732f99e6391 100644 +--- a/drivers/net/ethernet/mscc/ocelot_ptp.c ++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c +@@ -607,13 +607,12 @@ static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port, + struct sk_buff *clone) + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; +- unsigned long flags; + +- spin_lock_irqsave(&ocelot->ts_id_lock, flags); ++ spin_lock(&ocelot->ts_id_lock); + + if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID || + ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) { +- spin_unlock_irqrestore(&ocelot->ts_id_lock, flags); ++ spin_unlock(&ocelot->ts_id_lock); + return -EBUSY; + } + +@@ -630,7 +629,7 @@ static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port, + + skb_queue_tail(&ocelot_port->tx_skbs, clone); + +- spin_unlock_irqrestore(&ocelot->ts_id_lock, flags); ++ spin_unlock(&ocelot->ts_id_lock); + + return 0; + } +@@ -749,7 +748,6 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + u32 val, id, seqid, txport; + struct ocelot_port *port; + struct timespec64 ts; +- unsigned long flags; + + val = ocelot_read(ocelot, SYS_PTP_STATUS); + +@@ -773,7 +771,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + + /* Retrieve its associated skb */ + try_again: +- spin_lock_irqsave(&port->tx_skbs.lock, flags); ++ spin_lock(&port->tx_skbs.lock); + + skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) { + if (OCELOT_SKB_CB(skb)->ts_id != id) +@@ -783,7 +781,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + break; + } + +- spin_unlock_irqrestore(&port->tx_skbs.lock, flags); ++ spin_unlock(&port->tx_skbs.lock); + + if (WARN_ON(!skb_match)) + goto next_ts; +@@ -792,7 +790,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + dev_err_ratelimited(ocelot->dev, + "port %d received stale TX timestamp for seqid %d, discarding\n", + txport, seqid); +- dev_kfree_skb_any(skb); ++ kfree_skb(skb); + goto try_again; + } + +-- +2.39.5 + diff --git a/queue-6.12/net-mscc-ocelot-perform-error-cleanup-in-ocelot_hwst.patch b/queue-6.12/net-mscc-ocelot-perform-error-cleanup-in-ocelot_hwst.patch new file mode 100644 index 00000000000..bb8d73e9e36 --- /dev/null +++ b/queue-6.12/net-mscc-ocelot-perform-error-cleanup-in-ocelot_hwst.patch @@ -0,0 +1,128 @@ +From 95ce36ca4e371d7f13f8615fbd9bb9f6e365f533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:55:19 +0200 +Subject: net: mscc: ocelot: perform error cleanup in ocelot_hwstamp_set() + +From: Vladimir Oltean + +[ Upstream commit 43a4166349a254446e7a3db65f721c6a30daccf3 ] + +An unsupported RX filter will leave the port with TX timestamping still +applied as per the new request, rather than the old setting. When +parsing the tx_type, don't apply it just yet, but delay that until after +we've parsed the rx_filter as well (and potentially returned -ERANGE for +that). + +Similarly, copy_to_user() may fail, which is a rare occurrence, but +should still be treated by unwinding what was done. + +Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20241205145519.1236778-6-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_ptp.c | 59 ++++++++++++++++++-------- + 1 file changed, 42 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c +index 7eb01d1e1ecd..808ce8e68d39 100644 +--- a/drivers/net/ethernet/mscc/ocelot_ptp.c ++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c +@@ -497,6 +497,28 @@ static int ocelot_traps_to_ptp_rx_filter(unsigned int proto) + return HWTSTAMP_FILTER_NONE; + } + ++static int ocelot_ptp_tx_type_to_cmd(int tx_type, int *ptp_cmd) ++{ ++ switch (tx_type) { ++ case HWTSTAMP_TX_ON: ++ *ptp_cmd = IFH_REW_OP_TWO_STEP_PTP; ++ break; ++ case HWTSTAMP_TX_ONESTEP_SYNC: ++ /* IFH_REW_OP_ONE_STEP_PTP updates the correctionField, ++ * what we need to update is the originTimestamp. ++ */ ++ *ptp_cmd = IFH_REW_OP_ORIGIN_PTP; ++ break; ++ case HWTSTAMP_TX_OFF: ++ *ptp_cmd = 0; ++ break; ++ default: ++ return -ERANGE; ++ } ++ ++ return 0; ++} ++ + int ocelot_hwstamp_get(struct ocelot *ocelot, int port, struct ifreq *ifr) + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; +@@ -523,30 +545,19 @@ EXPORT_SYMBOL(ocelot_hwstamp_get); + int ocelot_hwstamp_set(struct ocelot *ocelot, int port, struct ifreq *ifr) + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; ++ int ptp_cmd, old_ptp_cmd = ocelot_port->ptp_cmd; + bool l2 = false, l4 = false; + struct hwtstamp_config cfg; ++ bool old_l2, old_l4; + int err; + + if (copy_from_user(&cfg, ifr->ifr_data, sizeof(cfg))) + return -EFAULT; + + /* Tx type sanity check */ +- switch (cfg.tx_type) { +- case HWTSTAMP_TX_ON: +- ocelot_port->ptp_cmd = IFH_REW_OP_TWO_STEP_PTP; +- break; +- case HWTSTAMP_TX_ONESTEP_SYNC: +- /* IFH_REW_OP_ONE_STEP_PTP updates the correctional field, we +- * need to update the origin time. +- */ +- ocelot_port->ptp_cmd = IFH_REW_OP_ORIGIN_PTP; +- break; +- case HWTSTAMP_TX_OFF: +- ocelot_port->ptp_cmd = 0; +- break; +- default: +- return -ERANGE; +- } ++ err = ocelot_ptp_tx_type_to_cmd(cfg.tx_type, &ptp_cmd); ++ if (err) ++ return err; + + switch (cfg.rx_filter) { + case HWTSTAMP_FILTER_NONE: +@@ -571,13 +582,27 @@ int ocelot_hwstamp_set(struct ocelot *ocelot, int port, struct ifreq *ifr) + return -ERANGE; + } + ++ old_l2 = ocelot_port->trap_proto & OCELOT_PROTO_PTP_L2; ++ old_l4 = ocelot_port->trap_proto & OCELOT_PROTO_PTP_L4; ++ + err = ocelot_setup_ptp_traps(ocelot, port, l2, l4); + if (err) + return err; + ++ ocelot_port->ptp_cmd = ptp_cmd; ++ + cfg.rx_filter = ocelot_traps_to_ptp_rx_filter(ocelot_port->trap_proto); + +- return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0; ++ if (copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg))) { ++ err = -EFAULT; ++ goto out_restore_ptp_traps; ++ } ++ ++ return 0; ++out_restore_ptp_traps: ++ ocelot_setup_ptp_traps(ocelot, port, old_l2, old_l4); ++ ocelot_port->ptp_cmd = old_ptp_cmd; ++ return err; + } + EXPORT_SYMBOL(ocelot_hwstamp_set); + +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-avoid-use-after-put-for-a-device.patch b/queue-6.12/net-renesas-rswitch-avoid-use-after-put-for-a-device.patch new file mode 100644 index 00000000000..2944483e0c7 --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-avoid-use-after-put-for-a-device.patch @@ -0,0 +1,56 @@ +From 3825d2ac123f0444a8176bc3ac92a6756c12b7e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 14:50:04 +0500 +Subject: net: renesas: rswitch: avoid use-after-put for a device tree node + +From: Nikita Yushchenko + +[ Upstream commit 66b7e9f85b8459c823b11e9af69dbf4be5eb6be8 ] + +The device tree node saved in the rswitch_device structure is used at +several driver locations. So passing this node to of_node_put() after +the first use is wrong. + +Move of_node_put() for this node to exit paths. + +Fixes: b46f1e579329 ("net: renesas: rswitch: Simplify struct phy * handling") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Yoshihiro Shimoda +Link: https://patch.msgid.link/20241208095004.69468-5-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index af0bc95ad6ae..3b57abada200 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1891,7 +1891,6 @@ static int rswitch_device_alloc(struct rswitch_private *priv, unsigned int index + rdev->np_port = rswitch_get_port_node(rdev); + rdev->disabled = !rdev->np_port; + err = of_get_ethdev_address(rdev->np_port, ndev); +- of_node_put(rdev->np_port); + if (err) { + if (is_valid_ether_addr(rdev->etha->mac_addr)) + eth_hw_addr_set(ndev, rdev->etha->mac_addr); +@@ -1921,6 +1920,7 @@ static int rswitch_device_alloc(struct rswitch_private *priv, unsigned int index + + out_rxdmac: + out_get_params: ++ of_node_put(rdev->np_port); + netif_napi_del(&rdev->napi); + free_netdev(ndev); + +@@ -1934,6 +1934,7 @@ static void rswitch_device_free(struct rswitch_private *priv, unsigned int index + + rswitch_txdmac_free(ndev); + rswitch_rxdmac_free(ndev); ++ of_node_put(rdev->np_port); + netif_napi_del(&rdev->napi); + free_netdev(ndev); + } +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-fix-initial-mpic-register-settin.patch b/queue-6.12/net-renesas-rswitch-fix-initial-mpic-register-settin.patch new file mode 100644 index 00000000000..83ef83e18ac --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-fix-initial-mpic-register-settin.patch @@ -0,0 +1,104 @@ +From 782bac5e2c35cb9f77b76aa99748dc77bf4438fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 10:30:12 +0500 +Subject: net: renesas: rswitch: fix initial MPIC register setting + +From: Nikita Yushchenko + +[ Upstream commit fb9e6039c325cc205a368046dc03c56c87df2310 ] + +MPIC.PIS must be set per phy interface type. +MPIC.LSC must be set per speed. + +Do that strictly per datasheet, instead of hardcoding MPIC.PIS to GMII. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/20241211053012.368914-1-nikita.yoush@cogentembedded.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 27 ++++++++++++++++++++------ + drivers/net/ethernet/renesas/rswitch.h | 14 ++++++------- + 2 files changed, 28 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 9dffb7cf1254..09117110e3dd 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1116,25 +1116,40 @@ static int rswitch_etha_wait_link_verification(struct rswitch_etha *etha) + + static void rswitch_rmac_setting(struct rswitch_etha *etha, const u8 *mac) + { +- u32 val; ++ u32 pis, lsc; + + rswitch_etha_write_mac_address(etha, mac); + ++ switch (etha->phy_interface) { ++ case PHY_INTERFACE_MODE_SGMII: ++ pis = MPIC_PIS_GMII; ++ break; ++ case PHY_INTERFACE_MODE_USXGMII: ++ case PHY_INTERFACE_MODE_5GBASER: ++ pis = MPIC_PIS_XGMII; ++ break; ++ default: ++ pis = FIELD_GET(MPIC_PIS, ioread32(etha->addr + MPIC)); ++ break; ++ } ++ + switch (etha->speed) { + case 100: +- val = MPIC_LSC_100M; ++ lsc = MPIC_LSC_100M; + break; + case 1000: +- val = MPIC_LSC_1G; ++ lsc = MPIC_LSC_1G; + break; + case 2500: +- val = MPIC_LSC_2_5G; ++ lsc = MPIC_LSC_2_5G; + break; + default: +- return; ++ lsc = FIELD_GET(MPIC_LSC, ioread32(etha->addr + MPIC)); ++ break; + } + +- iowrite32(MPIC_PIS_GMII | val, etha->addr + MPIC); ++ rswitch_modify(etha->addr, MPIC, MPIC_PIS | MPIC_LSC, ++ FIELD_PREP(MPIC_PIS, pis) | FIELD_PREP(MPIC_LSC, lsc)); + } + + static void rswitch_etha_enable_mii(struct rswitch_etha *etha) +diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h +index 72e3ff596d31..e020800dcc57 100644 +--- a/drivers/net/ethernet/renesas/rswitch.h ++++ b/drivers/net/ethernet/renesas/rswitch.h +@@ -724,13 +724,13 @@ enum rswitch_etha_mode { + + #define EAVCC_VEM_SC_TAG (0x3 << 16) + +-#define MPIC_PIS_MII 0x00 +-#define MPIC_PIS_GMII 0x02 +-#define MPIC_PIS_XGMII 0x04 +-#define MPIC_LSC_SHIFT 3 +-#define MPIC_LSC_100M (1 << MPIC_LSC_SHIFT) +-#define MPIC_LSC_1G (2 << MPIC_LSC_SHIFT) +-#define MPIC_LSC_2_5G (3 << MPIC_LSC_SHIFT) ++#define MPIC_PIS GENMASK(2, 0) ++#define MPIC_PIS_GMII 2 ++#define MPIC_PIS_XGMII 4 ++#define MPIC_LSC GENMASK(5, 3) ++#define MPIC_LSC_100M 1 ++#define MPIC_LSC_1G 2 ++#define MPIC_LSC_2_5G 3 + + #define MDIO_READ_C45 0x03 + #define MDIO_WRITE_C45 0x01 +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch b/queue-6.12/net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch new file mode 100644 index 00000000000..88edd29b215 --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch @@ -0,0 +1,44 @@ +From 0b33b71437792773cfa7113e2b070274291e044e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 14:50:03 +0500 +Subject: net: renesas: rswitch: fix leaked pointer on error path + +From: Nikita Yushchenko + +[ Upstream commit bb617328bafa1023d8e9c25a25345a564c66c14f ] + +If error path is taken while filling descriptor for a frame, skb +pointer is left in the entry. Later, on the ring entry reuse, the +same entry could be used as a part of a multi-descriptor frame, +and skb for that new frame could be stored in a different entry. + +Then, the stale pointer will reach the completion routine, and passed +to the release operation. + +Fix that by clearing the saved skb pointer at the error path. + +Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Yoshihiro Shimoda +Link: https://patch.msgid.link/20241208095004.69468-4-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index c251becef6f8..af0bc95ad6ae 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1703,6 +1703,7 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd + return ret; + + err_unmap: ++ gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = NULL; + dma_unmap_single(ndev->dev.parent, dma_addr_orig, skb->len, DMA_TO_DEVICE); + + err_kfree: +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-fix-possible-early-skb-release.patch b/queue-6.12/net-renesas-rswitch-fix-possible-early-skb-release.patch new file mode 100644 index 00000000000..19203fdd642 --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-fix-possible-early-skb-release.patch @@ -0,0 +1,55 @@ +From 0a6888a799f11203e4f9b7a3c427dd682634b9cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 14:50:01 +0500 +Subject: net: renesas: rswitch: fix possible early skb release + +From: Nikita Yushchenko + +[ Upstream commit 5cb099902b6b6292b3a85ffa1bb844e0ba195945 ] + +When sending frame split into multiple descriptors, hardware processes +descriptors one by one, including writing back DT values. The first +descriptor could be already marked as completed when processing of +next descriptors for the same frame is still in progress. + +Although only the last descriptor is configured to generate interrupt, +completion of the first descriptor could be noticed by the driver when +handling interrupt for the previous frame. + +Currently, driver stores skb in the entry that corresponds to the first +descriptor. This results into skb could be unmapped and freed when +hardware did not complete the send yet. This opens a window for +corrupting the data being sent. + +Fix this by saving skb in the entry that corresponds to the last +descriptor used to send the frame. + +Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Yoshihiro Shimoda +Link: https://patch.msgid.link/20241208095004.69468-2-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index b80aa27a7214..32b32aa7e01f 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -1681,8 +1681,9 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd + if (dma_mapping_error(ndev->dev.parent, dma_addr_orig)) + goto err_kfree; + +- gq->skbs[gq->cur] = skb; +- gq->unmap_addrs[gq->cur] = dma_addr_orig; ++ /* Stored the skb at the last descriptor to avoid skb free before hardware completes send */ ++ gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = skb; ++ gq->unmap_addrs[(gq->cur + nr_desc - 1) % gq->ring_size] = dma_addr_orig; + + /* DT_FSTART should be set at last. So, this is reverse order. */ + for (i = nr_desc; i-- > 0; ) { +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-fix-race-window-between-tx-start.patch b/queue-6.12/net-renesas-rswitch-fix-race-window-between-tx-start.patch new file mode 100644 index 00000000000..42a88a7a21e --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-fix-race-window-between-tx-start.patch @@ -0,0 +1,84 @@ +From b82d0b0657f544dc16255b1743fad56014bf1979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 14:50:02 +0500 +Subject: net: renesas: rswitch: fix race window between tx start and complete + +From: Nikita Yushchenko + +[ Upstream commit 0c9547e6ccf40455b0574cf589be3b152a3edf5b ] + +If hardware is already transmitting, it can start handling the +descriptor being written to immediately after it observes updated DT +field, before the queue is kicked by a write to GWTRC. + +If the start_xmit() execution is preempted at unfortunate moment, this +transmission can complete, and interrupt handled, before gq->cur gets +updated. With the current implementation of completion, this will cause +the last entry not completed. + +Fix that by changing completion loop to check DT values directly, instead +of depending on gq->cur. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Yoshihiro Shimoda +Link: https://patch.msgid.link/20241208095004.69468-3-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 32b32aa7e01f..c251becef6f8 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -862,13 +862,10 @@ static void rswitch_tx_free(struct net_device *ndev) + struct rswitch_ext_desc *desc; + struct sk_buff *skb; + +- for (; rswitch_get_num_cur_queues(gq) > 0; +- gq->dirty = rswitch_next_queue_index(gq, false, 1)) { +- desc = &gq->tx_ring[gq->dirty]; +- if ((desc->desc.die_dt & DT_MASK) != DT_FEMPTY) +- break; +- ++ desc = &gq->tx_ring[gq->dirty]; ++ while ((desc->desc.die_dt & DT_MASK) == DT_FEMPTY) { + dma_rmb(); ++ + skb = gq->skbs[gq->dirty]; + if (skb) { + rdev->ndev->stats.tx_packets++; +@@ -879,7 +876,10 @@ static void rswitch_tx_free(struct net_device *ndev) + dev_kfree_skb_any(gq->skbs[gq->dirty]); + gq->skbs[gq->dirty] = NULL; + } ++ + desc->desc.die_dt = DT_EEMPTY; ++ gq->dirty = rswitch_next_queue_index(gq, false, 1); ++ desc = &gq->tx_ring[gq->dirty]; + } + } + +@@ -1685,6 +1685,8 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd + gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = skb; + gq->unmap_addrs[(gq->cur + nr_desc - 1) % gq->ring_size] = dma_addr_orig; + ++ dma_wmb(); ++ + /* DT_FSTART should be set at last. So, this is reverse order. */ + for (i = nr_desc; i-- > 0; ) { + desc = &gq->tx_ring[rswitch_next_queue_index(gq, true, i)]; +@@ -1695,8 +1697,6 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd + goto err_unmap; + } + +- wmb(); /* gq->cur must be incremented after die_dt was set */ +- + gq->cur = rswitch_next_queue_index(gq, true, nr_desc); + rswitch_modify(rdev->addr, GWTRC(gq->index), 0, BIT(gq->index % 32)); + +-- +2.39.5 + diff --git a/queue-6.12/net-renesas-rswitch-handle-stop-vs-interrupt-race.patch b/queue-6.12/net-renesas-rswitch-handle-stop-vs-interrupt-race.patch new file mode 100644 index 00000000000..4e95bdc1d99 --- /dev/null +++ b/queue-6.12/net-renesas-rswitch-handle-stop-vs-interrupt-race.patch @@ -0,0 +1,119 @@ +From 997269d0ebdf37fba665a178e3aec7b69ddc80a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 16:32:04 +0500 +Subject: net: renesas: rswitch: handle stop vs interrupt race + +From: Nikita Yushchenko + +[ Upstream commit 3dd002f20098b9569f8fd7f8703f364571e2e975 ] + +Currently the stop routine of rswitch driver does not immediately +prevent hardware from continuing to update descriptors and requesting +interrupts. + +It can happen that when rswitch_stop() executes the masking of +interrupts from the queues of the port being closed, napi poll for +that port is already scheduled or running on a different CPU. When +execution of this napi poll completes, it will unmask the interrupts. +And unmasked interrupt can fire after rswitch_stop() returns from +napi_disable() call. Then, the handler won't mask it, because +napi_schedule_prep() will return false, and interrupt storm will +happen. + +This can't be fixed by making rswitch_stop() call napi_disable() before +masking interrupts. In this case, the interrupt storm will happen if +interrupt fires between napi_disable() and masking. + +Fix this by checking for priv->opened_ports bit when unmasking +interrupts after napi poll. For that to be consistent, move +priv->opened_ports changes into spinlock-protected areas, and reorder +other operations in rswitch_open() and rswitch_stop() accordingly. + +Signed-off-by: Nikita Yushchenko +Reviewed-by: Yoshihiro Shimoda +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Link: https://patch.msgid.link/20241209113204.175015-1-nikita.yoush@cogentembedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 33 ++++++++++++++------------ + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 3b57abada200..9dffb7cf1254 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -908,8 +908,10 @@ static int rswitch_poll(struct napi_struct *napi, int budget) + + if (napi_complete_done(napi, budget - quota)) { + spin_lock_irqsave(&priv->lock, flags); +- rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true); +- rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true); ++ if (test_bit(rdev->port, priv->opened_ports)) { ++ rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true); ++ rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true); ++ } + spin_unlock_irqrestore(&priv->lock, flags); + } + +@@ -1538,20 +1540,20 @@ static int rswitch_open(struct net_device *ndev) + struct rswitch_device *rdev = netdev_priv(ndev); + unsigned long flags; + +- phy_start(ndev->phydev); ++ if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS)) ++ iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE); + + napi_enable(&rdev->napi); +- netif_start_queue(ndev); + + spin_lock_irqsave(&rdev->priv->lock, flags); ++ bitmap_set(rdev->priv->opened_ports, rdev->port, 1); + rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, true); + rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, true); + spin_unlock_irqrestore(&rdev->priv->lock, flags); + +- if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS)) +- iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE); ++ phy_start(ndev->phydev); + +- bitmap_set(rdev->priv->opened_ports, rdev->port, 1); ++ netif_start_queue(ndev); + + return 0; + }; +@@ -1563,7 +1565,16 @@ static int rswitch_stop(struct net_device *ndev) + unsigned long flags; + + netif_tx_stop_all_queues(ndev); ++ ++ phy_stop(ndev->phydev); ++ ++ spin_lock_irqsave(&rdev->priv->lock, flags); ++ rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false); ++ rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false); + bitmap_clear(rdev->priv->opened_ports, rdev->port, 1); ++ spin_unlock_irqrestore(&rdev->priv->lock, flags); ++ ++ napi_disable(&rdev->napi); + + if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS)) + iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDID); +@@ -1576,14 +1587,6 @@ static int rswitch_stop(struct net_device *ndev) + kfree(ts_info); + } + +- spin_lock_irqsave(&rdev->priv->lock, flags); +- rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false); +- rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false); +- spin_unlock_irqrestore(&rdev->priv->lock, flags); +- +- phy_stop(ndev->phydev); +- napi_disable(&rdev->napi); +- + return 0; + }; + +-- +2.39.5 + diff --git a/queue-6.12/net-sched-netem-account-for-backlog-updates-from-chi.patch b/queue-6.12/net-sched-netem-account-for-backlog-updates-from-chi.patch new file mode 100644 index 00000000000..140447a26f1 --- /dev/null +++ b/queue-6.12/net-sched-netem-account-for-backlog-updates-from-chi.patch @@ -0,0 +1,171 @@ +From 829f96282846f93f1f2d4f4a0f0b2c410b880d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 14:14:11 +0100 +Subject: net/sched: netem: account for backlog updates from child qdisc + +From: Martin Ottens + +[ Upstream commit f8d4bc455047cf3903cd6f85f49978987dbb3027 ] + +In general, 'qlen' of any classful qdisc should keep track of the +number of packets that the qdisc itself and all of its children holds. +In case of netem, 'qlen' only accounts for the packets in its internal +tfifo. When netem is used with a child qdisc, the child qdisc can use +'qdisc_tree_reduce_backlog' to inform its parent, netem, about created +or dropped SKBs. This function updates 'qlen' and the backlog statistics +of netem, but netem does not account for changes made by a child qdisc. +'qlen' then indicates the wrong number of packets in the tfifo. +If a child qdisc creates new SKBs during enqueue and informs its parent +about this, netem's 'qlen' value is increased. When netem dequeues the +newly created SKBs from the child, the 'qlen' in netem is not updated. +If 'qlen' reaches the configured sch->limit, the enqueue function stops +working, even though the tfifo is not full. + +Reproduce the bug: +Ensure that the sender machine has GSO enabled. Configure netem as root +qdisc and tbf as its child on the outgoing interface of the machine +as follows: +$ tc qdisc add dev root handle 1: netem delay 100ms limit 100 +$ tc qdisc add dev parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms + +Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 +client on the machine. Check the qdisc statistics: +$ tc -s qdisc show dev + +Statistics after 10s of iPerf3 TCP test before the fix (note that +netem's backlog > limit, netem stopped accepting packets): +qdisc netem 1: root refcnt 2 limit 1000 delay 100ms + Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) + backlog 4294528236b 1155p requeues 0 +qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms + Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) + backlog 0b 0p requeues 0 + +Statistics after the fix: +qdisc netem 1: root refcnt 2 limit 1000 delay 100ms + Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 +qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms + Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) + backlog 0b 0p requeues 0 + +tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. +The interface fully stops transferring packets and "locks". In this case, +the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at +its limit and no more packets are accepted. + +This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is +only decreased when a packet is returned by its dequeue function, and not +during enqueuing into the child qdisc. External updates to 'qlen' are thus +accounted for and only the behavior of the backlog statistics changes. As +in other qdiscs, 'qlen' then keeps track of how many packets are held in +netem and all of its children. As before, sch->limit remains as the +maximum number of packets in the tfifo. The same applies to netem's +backlog statistics. + +Fixes: 50612537e9ab ("netem: fix classful handling") +Signed-off-by: Martin Ottens +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20241210131412.1837202-1-martin.ottens@fau.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 39382ee1e331..3b519adc0125 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -78,6 +78,8 @@ struct netem_sched_data { + struct sk_buff *t_head; + struct sk_buff *t_tail; + ++ u32 t_len; ++ + /* optional qdisc for classful handling (NULL at netem init) */ + struct Qdisc *qdisc; + +@@ -382,6 +384,7 @@ static void tfifo_reset(struct Qdisc *sch) + rtnl_kfree_skbs(q->t_head, q->t_tail); + q->t_head = NULL; + q->t_tail = NULL; ++ q->t_len = 0; + } + + static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) +@@ -411,6 +414,7 @@ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) + rb_link_node(&nskb->rbnode, parent, p); + rb_insert_color(&nskb->rbnode, &q->t_root); + } ++ q->t_len++; + sch->q.qlen++; + } + +@@ -517,7 +521,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch, + 1<q.qlen >= sch->limit)) { ++ if (unlikely(q->t_len >= sch->limit)) { + /* re-link segs, so that qdisc_drop_all() frees them all */ + skb->next = segs; + qdisc_drop_all(skb, sch, to_free); +@@ -701,8 +705,8 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + tfifo_dequeue: + skb = __qdisc_dequeue_head(&sch->q); + if (skb) { +- qdisc_qstats_backlog_dec(sch, skb); + deliver: ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + return skb; + } +@@ -718,8 +722,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + + if (time_to_send <= now && q->slot.slot_next <= now) { + netem_erase_head(q, skb); +- sch->q.qlen--; +- qdisc_qstats_backlog_dec(sch, skb); ++ q->t_len--; + skb->next = NULL; + skb->prev = NULL; + /* skb->dev shares skb->rbnode area, +@@ -746,16 +749,21 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + if (net_xmit_drop_count(err)) + qdisc_qstats_drop(sch); + qdisc_tree_reduce_backlog(sch, 1, pkt_len); ++ sch->qstats.backlog -= pkt_len; ++ sch->q.qlen--; + } + goto tfifo_dequeue; + } ++ sch->q.qlen--; + goto deliver; + } + + if (q->qdisc) { + skb = q->qdisc->ops->dequeue(q->qdisc); +- if (skb) ++ if (skb) { ++ sch->q.qlen--; + goto deliver; ++ } + } + + qdisc_watchdog_schedule_ns(&q->watchdog, +@@ -765,8 +773,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) + + if (q->qdisc) { + skb = q->qdisc->ops->dequeue(q->qdisc); +- if (skb) ++ if (skb) { ++ sch->q.qlen--; + goto deliver; ++ } + } + return NULL; + } +-- +2.39.5 + diff --git a/queue-6.12/net-sparx5-fix-fdma-performance-issue.patch b/queue-6.12/net-sparx5-fix-fdma-performance-issue.patch new file mode 100644 index 00000000000..2ebfab4ddb3 --- /dev/null +++ b/queue-6.12/net-sparx5-fix-fdma-performance-issue.patch @@ -0,0 +1,63 @@ +From a88ee71e3f41551e49fe44d175c37615293dc490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 14:54:26 +0100 +Subject: net: sparx5: fix FDMA performance issue + +From: Daniel Machon + +[ Upstream commit f004f2e535e2b66ccbf5ac35f8eaadeac70ad7b7 ] + +The FDMA handler is responsible for scheduling a NAPI poll, which will +eventually fetch RX packets from the FDMA queue. Currently, the FDMA +handler is run in a threaded context. For some reason, this kills +performance. Admittedly, I did not do a thorough investigation to see +exactly what causes the issue, however, I noticed that in the other +driver utilizing the same FDMA engine, we run the FDMA handler in hard +IRQ context. + +Fix this performance issue, by running the FDMA handler in hard IRQ +context, not deferring any work to a thread. + +Prior to this change, the RX UDP performance was: + +Interval Transfer Bitrate Jitter +0.00-10.20 sec 44.6 MBytes 36.7 Mbits/sec 0.027 ms + +After this change, the rx UDP performance is: + +Interval Transfer Bitrate Jitter +0.00-9.12 sec 1.01 GBytes 953 Mbits/sec 0.020 ms + +Fixes: 10615907e9b5 ("net: sparx5: switchdev: adding frame DMA functionality") +Signed-off-by: Daniel Machon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +index b64c814eac11..0c4c75b3682f 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c +@@ -693,12 +693,11 @@ static int sparx5_start(struct sparx5 *sparx5) + err = -ENXIO; + if (sparx5->fdma_irq >= 0) { + if (GCB_CHIP_ID_REV_ID_GET(sparx5->chip_id) > 0) +- err = devm_request_threaded_irq(sparx5->dev, +- sparx5->fdma_irq, +- NULL, +- sparx5_fdma_handler, +- IRQF_ONESHOT, +- "sparx5-fdma", sparx5); ++ err = devm_request_irq(sparx5->dev, ++ sparx5->fdma_irq, ++ sparx5_fdma_handler, ++ 0, ++ "sparx5-fdma", sparx5); + if (!err) + err = sparx5_fdma_start(sparx5); + if (err) +-- +2.39.5 + diff --git a/queue-6.12/net-sparx5-fix-the-maximum-frame-length-register.patch b/queue-6.12/net-sparx5-fix-the-maximum-frame-length-register.patch new file mode 100644 index 00000000000..b7c9dc14266 --- /dev/null +++ b/queue-6.12/net-sparx5-fix-the-maximum-frame-length-register.patch @@ -0,0 +1,39 @@ +From e1d420e1e9087d38b869d5ad221f5fbbd96f97da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 14:54:28 +0100 +Subject: net: sparx5: fix the maximum frame length register + +From: Daniel Machon + +[ Upstream commit ddd7ba006078a2bef5971b2dc5f8383d47f96207 ] + +On port initialization, we configure the maximum frame length accepted +by the receive module associated with the port. This value is currently +written to the MAX_LEN field of the DEV10G_MAC_ENA_CFG register, when in +fact, it should be written to the DEV10G_MAC_MAXLEN_CFG register. Fix +this. + +Fixes: 946e7fd5053a ("net: sparx5: add port module support") +Signed-off-by: Daniel Machon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +index 062e486c002c..672508efce5c 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c +@@ -1119,7 +1119,7 @@ int sparx5_port_init(struct sparx5 *sparx5, + spx5_inst_rmw(DEV10G_MAC_MAXLEN_CFG_MAX_LEN_SET(ETH_MAXLEN), + DEV10G_MAC_MAXLEN_CFG_MAX_LEN, + devinst, +- DEV10G_MAC_ENA_CFG(0)); ++ DEV10G_MAC_MAXLEN_CFG(0)); + + /* Handle Signal Detect in 10G PCS */ + spx5_inst_wr(PCS10G_BR_PCS_SD_CFG_SD_POL_SET(sd_pol) | +-- +2.39.5 + diff --git a/queue-6.12/net-team-bonding-add-netdev_base_features-helper.patch b/queue-6.12/net-team-bonding-add-netdev_base_features-helper.patch new file mode 100644 index 00000000000..b61080296d9 --- /dev/null +++ b/queue-6.12/net-team-bonding-add-netdev_base_features-helper.patch @@ -0,0 +1,80 @@ +From db226a143ff53b7d6b03560b4428a245233f2038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:41 +0100 +Subject: net, team, bonding: Add netdev_base_features helper + +From: Daniel Borkmann + +[ Upstream commit d2516c3a53705f783bb6868df0f4a2b977898a71 ] + +Both bonding and team driver have logic to derive the base feature +flags before iterating over their slave devices to refine the set +via netdev_increment_features(). + +Add a small helper netdev_base_features() so this can be reused +instead of having it open-coded multiple times. + +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Hangbin Liu +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20241210141245.327886-1-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Stable-dep-of: d064ea7fe2a2 ("bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 4 +--- + drivers/net/team/team_core.c | 3 +-- + include/linux/netdev_features.h | 7 +++++++ + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 15e0f14d0d49..166910693fd7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1520,9 +1520,7 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + struct slave *slave; + + mask = features; +- +- features &= ~NETIF_F_ONE_FOR_ALL; +- features |= NETIF_F_ALL_FOR_ALL; ++ features = netdev_base_features(features); + + bond_for_each_slave(bond, slave, iter) { + features = netdev_increment_features(features, +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index 18191d5a8bd4..481c8df8842f 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -2012,8 +2012,7 @@ static netdev_features_t team_fix_features(struct net_device *dev, + netdev_features_t mask; + + mask = features; +- features &= ~NETIF_F_ONE_FOR_ALL; +- features |= NETIF_F_ALL_FOR_ALL; ++ features = netdev_base_features(features); + + rcu_read_lock(); + list_for_each_entry_rcu(port, &team->port_list, list) { +diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h +index 66e7d26b70a4..11be70a7929f 100644 +--- a/include/linux/netdev_features.h ++++ b/include/linux/netdev_features.h +@@ -253,4 +253,11 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start) + NETIF_F_GSO_UDP_TUNNEL | \ + NETIF_F_GSO_UDP_TUNNEL_CSUM) + ++static inline netdev_features_t netdev_base_features(netdev_features_t features) ++{ ++ features &= ~NETIF_F_ONE_FOR_ALL; ++ features |= NETIF_F_ALL_FOR_ALL; ++ return features; ++} ++ + #endif /* _LINUX_NETDEV_FEATURES_H */ +-- +2.39.5 + diff --git a/queue-6.12/netfilter-idletimer-fix-for-possible-abba-deadlock.patch b/queue-6.12/netfilter-idletimer-fix-for-possible-abba-deadlock.patch new file mode 100644 index 00000000000..f30243ab9ad --- /dev/null +++ b/queue-6.12/netfilter-idletimer-fix-for-possible-abba-deadlock.patch @@ -0,0 +1,130 @@ +From b2d4378ab3706bf06c9c358fb54c445afda1e378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:32:29 +0100 +Subject: netfilter: IDLETIMER: Fix for possible ABBA deadlock + +From: Phil Sutter + +[ Upstream commit f36b01994d68ffc253c8296e2228dfe6e6431c03 ] + +Deletion of the last rule referencing a given idletimer may happen at +the same time as a read of its file in sysfs: + +| ====================================================== +| WARNING: possible circular locking dependency detected +| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted +| ------------------------------------------------------ +| iptables/3303 is trying to acquire lock: +| ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 +| +| but task is already holding lock: +| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] +| +| which lock already depends on the new lock. + +A simple reproducer is: + +| #!/bin/bash +| +| while true; do +| iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" +| iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" +| done & +| while true; do +| cat /sys/class/xt_idletimer/timers/testme >/dev/null +| done + +Avoid this by freeing list_mutex right after deleting the element from +the list, then continuing with the teardown. + +Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 52 +++++++++++++++++++----------------- + 1 file changed, 28 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index f8b25b6f5da7..9869ef3c2ab3 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -409,21 +409,23 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par) + + mutex_lock(&list_mutex); + +- if (--info->timer->refcnt == 0) { +- pr_debug("deleting timer %s\n", info->label); +- +- list_del(&info->timer->entry); +- timer_shutdown_sync(&info->timer->timer); +- cancel_work_sync(&info->timer->work); +- sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr); +- kfree(info->timer->attr.attr.name); +- kfree(info->timer); +- } else { ++ if (--info->timer->refcnt > 0) { + pr_debug("decreased refcnt of timer %s to %u\n", + info->label, info->timer->refcnt); ++ mutex_unlock(&list_mutex); ++ return; + } + ++ pr_debug("deleting timer %s\n", info->label); ++ ++ list_del(&info->timer->entry); + mutex_unlock(&list_mutex); ++ ++ timer_shutdown_sync(&info->timer->timer); ++ cancel_work_sync(&info->timer->work); ++ sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr); ++ kfree(info->timer->attr.attr.name); ++ kfree(info->timer); + } + + static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par) +@@ -434,25 +436,27 @@ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par) + + mutex_lock(&list_mutex); + +- if (--info->timer->refcnt == 0) { +- pr_debug("deleting timer %s\n", info->label); +- +- list_del(&info->timer->entry); +- if (info->timer->timer_type & XT_IDLETIMER_ALARM) { +- alarm_cancel(&info->timer->alarm); +- } else { +- timer_shutdown_sync(&info->timer->timer); +- } +- cancel_work_sync(&info->timer->work); +- sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr); +- kfree(info->timer->attr.attr.name); +- kfree(info->timer); +- } else { ++ if (--info->timer->refcnt > 0) { + pr_debug("decreased refcnt of timer %s to %u\n", + info->label, info->timer->refcnt); ++ mutex_unlock(&list_mutex); ++ return; + } + ++ pr_debug("deleting timer %s\n", info->label); ++ ++ list_del(&info->timer->entry); + mutex_unlock(&list_mutex); ++ ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ alarm_cancel(&info->timer->alarm); ++ } else { ++ timer_shutdown_sync(&info->timer->timer); ++ } ++ cancel_work_sync(&info->timer->work); ++ sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr); ++ kfree(info->timer->attr.attr.name); ++ kfree(info->timer); + } + + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_tables-do-not-defer-rule-destruction-vi.patch b/queue-6.12/netfilter-nf_tables-do-not-defer-rule-destruction-vi.patch new file mode 100644 index 00000000000..9f2ca662397 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-do-not-defer-rule-destruction-vi.patch @@ -0,0 +1,167 @@ +From 0c839d5b145459d98b016ca1da6d3b06979ee532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 12:14:48 +0100 +Subject: netfilter: nf_tables: do not defer rule destruction via call_rcu + +From: Florian Westphal + +[ Upstream commit b04df3da1b5c6f6dc7cdccc37941740c078c4043 ] + +nf_tables_chain_destroy can sleep, it can't be used from call_rcu +callbacks. + +Moreover, nf_tables_rule_release() is only safe for error unwinding, +while transaction mutex is held and the to-be-desroyed rule was not +exposed to either dataplane or dumps, as it deactives+frees without +the required synchronize_rcu() in-between. + +nft_rule_expr_deactivate() callbacks will change ->use counters +of other chains/sets, see e.g. nft_lookup .deactivate callback, these +must be serialized via transaction mutex. + +Also add a few lockdep asserts to make this more explicit. + +Calling synchronize_rcu() isn't ideal, but fixing this without is hard +and way more intrusive. As-is, we can get: + +WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x.. +Workqueue: events nf_tables_trans_destroy_work +RIP: 0010:nft_set_destroy+0x3fe/0x5c0 +Call Trace: + + nf_tables_trans_destroy_work+0x6b7/0xad0 + process_one_work+0x64a/0xce0 + worker_thread+0x613/0x10d0 + +In case the synchronize_rcu becomes an issue, we can explore alternatives. + +One way would be to allocate nft_trans_rule objects + one nft_trans_chain +object, deactivate the rules + the chain and then defer the freeing to the +nft destroy workqueue. We'd still need to keep the synchronize_rcu path as +a fallback to handle -ENOMEM corner cases though. + +Reported-by: syzbot+b26935466701e56cfdc2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67478d92.050a0220.253251.0062.GAE@google.com/T/ +Fixes: c03d278fdf35 ("netfilter: nf_tables: wait for rcu grace period on net_device removal") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 4 ---- + net/netfilter/nf_tables_api.c | 32 +++++++++++++++---------------- + 2 files changed, 15 insertions(+), 21 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 066a3ea33b12..91ae20cb7648 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1103,7 +1103,6 @@ struct nft_rule_blob { + * @name: name of the chain + * @udlen: user data length + * @udata: user data in the chain +- * @rcu_head: rcu head for deferred release + * @blob_next: rule blob pointer to the next in the chain + */ + struct nft_chain { +@@ -1121,7 +1120,6 @@ struct nft_chain { + char *name; + u16 udlen; + u8 *udata; +- struct rcu_head rcu_head; + + /* Only used during control plane commit phase: */ + struct nft_rule_blob *blob_next; +@@ -1265,7 +1263,6 @@ static inline void nft_use_inc_restore(u32 *use) + * @sets: sets in the table + * @objects: stateful objects in the table + * @flowtables: flow tables in the table +- * @net: netnamespace this table belongs to + * @hgenerator: handle generator state + * @handle: table handle + * @use: number of chain references to this table +@@ -1285,7 +1282,6 @@ struct nft_table { + struct list_head sets; + struct list_head objects; + struct list_head flowtables; +- possible_net_t net; + u64 hgenerator; + u64 handle; + u32 use; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 4a137afaf0b8..0c5ff4afc370 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1495,7 +1495,6 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, + INIT_LIST_HEAD(&table->sets); + INIT_LIST_HEAD(&table->objects); + INIT_LIST_HEAD(&table->flowtables); +- write_pnet(&table->net, net); + table->family = family; + table->flags = flags; + table->handle = ++nft_net->table_handle; +@@ -3884,8 +3883,11 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) + kfree(rule); + } + ++/* can only be used if rule is no longer visible to dumps */ + static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) + { ++ lockdep_commit_lock_is_held(ctx->net); ++ + nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); + } +@@ -5650,6 +5652,8 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase) + { ++ lockdep_commit_lock_is_held(ctx->net); ++ + switch (phase) { + case NFT_TRANS_PREPARE_ERROR: + nft_set_trans_unbind(ctx, set); +@@ -11456,19 +11460,6 @@ static void __nft_release_basechain_now(struct nft_ctx *ctx) + nf_tables_chain_destroy(ctx->chain); + } + +-static void nft_release_basechain_rcu(struct rcu_head *head) +-{ +- struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head); +- struct nft_ctx ctx = { +- .family = chain->table->family, +- .chain = chain, +- .net = read_pnet(&chain->table->net), +- }; +- +- __nft_release_basechain_now(&ctx); +- put_net(ctx.net); +-} +- + int __nft_release_basechain(struct nft_ctx *ctx) + { + struct nft_rule *rule; +@@ -11483,11 +11474,18 @@ int __nft_release_basechain(struct nft_ctx *ctx) + nft_chain_del(ctx->chain); + nft_use_dec(&ctx->table->use); + +- if (maybe_get_net(ctx->net)) +- call_rcu(&ctx->chain->rcu_head, nft_release_basechain_rcu); +- else ++ if (!maybe_get_net(ctx->net)) { + __nft_release_basechain_now(ctx); ++ return 0; ++ } ++ ++ /* wait for ruleset dumps to complete. Owning chain is no longer in ++ * lists, so new dumps can't find any of these rules anymore. ++ */ ++ synchronize_rcu(); + ++ __nft_release_basechain_now(ctx); ++ put_net(ctx->net); + return 0; + } + EXPORT_SYMBOL_GPL(__nft_release_basechain); +-- +2.39.5 + diff --git a/queue-6.12/perf-machine-initialize-machine-env-to-address-a-seg.patch b/queue-6.12/perf-machine-initialize-machine-env-to-address-a-seg.patch new file mode 100644 index 00000000000..8d7de1f59d2 --- /dev/null +++ b/queue-6.12/perf-machine-initialize-machine-env-to-address-a-seg.patch @@ -0,0 +1,111 @@ +From 1f106e3c9f292394a5b51b596ef4fbd8d10f74c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 11:47:25 -0300 +Subject: perf machine: Initialize machine->env to address a segfault + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 88a6e2f67cc94f751a74409ab4c21e5fc8ea6757 ] + +Its used from trace__run(), for the 'perf trace' live mode, i.e. its +strace-like, non-perf.data file processing mode, the most common one. + +The trace__run() function will set trace->host using machine__new_host() +that is supposed to give a machine instance representing the running +machine, and since we'll use perf_env__arch_strerrno() to get the right +errno -> string table, we need to use machine->env, so initialize it in +machine__new_host(). + +Before the patch: + + (gdb) run trace --errno-summary -a sleep 1 + + Summary of events: + + gvfs-afc-volume (3187), 2 events, 0.0% + + syscall calls errors total min avg max stddev + (msec) (msec) (msec) (msec) (%) + --------------- -------- ------ -------- --------- --------- --------- ------ + pselect6 1 0 0.000 0.000 0.000 0.000 0.00% + + GUsbEventThread (3519), 2 events, 0.0% + + syscall calls errors total min avg max stddev + (msec) (msec) (msec) (msec) (%) + --------------- -------- ------ -------- --------- --------- --------- ------ + poll 1 0 0.000 0.000 0.000 0.000 0.00% + + Program received signal SIGSEGV, Segmentation fault. + 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478 + 478 if (env->arch_strerrno == NULL) + (gdb) bt + #0 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478 + #1 0x00000000004b75d2 in thread__dump_stats (ttrace=0x14f58f0, trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4673 + #2 0x00000000004b78bf in trace__fprintf_thread (fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>, thread=0x10fa0b0, trace=0x7fffffffa5b0) at builtin-trace.c:4708 + #3 0x00000000004b7ad9 in trace__fprintf_thread_summary (trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4747 + #4 0x00000000004b656e in trace__run (trace=0x7fffffffa5b0, argc=2, argv=0x7fffffffde60) at builtin-trace.c:4456 + #5 0x00000000004ba43e in cmd_trace (argc=2, argv=0x7fffffffde60) at builtin-trace.c:5487 + #6 0x00000000004c0414 in run_builtin (p=0xec3068 , argc=5, argv=0x7fffffffde60) at perf.c:351 + #7 0x00000000004c06bb in handle_internal_command (argc=5, argv=0x7fffffffde60) at perf.c:404 + #8 0x00000000004c0814 in run_argv (argcp=0x7fffffffdc4c, argv=0x7fffffffdc40) at perf.c:448 + #9 0x00000000004c0b5d in main (argc=5, argv=0x7fffffffde60) at perf.c:560 + (gdb) + +After: + + root@number:~# perf trace -a --errno-summary sleep 1 + + pw-data-loop (2685), 1410 events, 16.0% + + syscall calls errors total min avg max stddev + (msec) (msec) (msec) (msec) (%) + --------------- -------- ------ -------- --------- --------- --------- ------ + epoll_wait 188 0 983.428 0.000 5.231 15.595 8.68% + ioctl 94 0 0.811 0.004 0.009 0.016 2.82% + read 188 0 0.322 0.001 0.002 0.006 5.15% + write 141 0 0.280 0.001 0.002 0.018 8.39% + timerfd_settime 94 0 0.138 0.001 0.001 0.007 6.47% + + gnome-control-c (179406), 1848 events, 20.9% + + syscall calls errors total min avg max stddev + (msec) (msec) (msec) (msec) (%) + --------------- -------- ------ -------- --------- --------- --------- ------ + poll 222 0 959.577 0.000 4.322 21.414 11.40% + recvmsg 150 0 0.539 0.001 0.004 0.013 5.12% + write 300 0 0.442 0.001 0.001 0.007 3.29% + read 150 0 0.183 0.001 0.001 0.009 5.53% + getpid 102 0 0.101 0.000 0.001 0.008 7.82% + + root@number:~# + +Fixes: 54373b5d53c1f6aa ("perf env: Introduce perf_env__arch_strerrno()") +Reported-by: Veronika Molnarova +Signed-off-by: Arnaldo Carvalho de Melo +Acked-by: Veronika Molnarova +Acked-by: Michael Petlan +Tested-by: Michael Petlan +Link: https://lore.kernel.org/r/Z0XffUgNSv_9OjOi@x1 +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/machine.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index 4f0ac998b0cc..27d5345d2b30 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -134,6 +134,8 @@ struct machine *machine__new_host(void) + + if (machine__create_kernel_maps(machine) < 0) + goto out_delete; ++ ++ machine->env = &perf_env; + } + + return machine; +-- +2.39.5 + diff --git a/queue-6.12/perf-tools-fix-build-id-event-recording.patch b/queue-6.12/perf-tools-fix-build-id-event-recording.patch new file mode 100644 index 00000000000..91bcd8faf55 --- /dev/null +++ b/queue-6.12/perf-tools-fix-build-id-event-recording.patch @@ -0,0 +1,55 @@ +From 9aa58caa1c895fb1b9337019c5d238fb79a14de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 19:13:31 -0800 +Subject: perf tools: Fix build-id event recording + +From: Namhyung Kim + +[ Upstream commit 23c44f6c83257923b179461694edcf62749bedd5 ] + +The build-id events written at the end of the record session are broken +due to unexpected data. The write_buildid() writes the fixed length +event first and then variable length filename. + +But a recent change made it write more data in the padding area +accidentally. So readers of the event see zero-filled data for the +next entry and treat it incorrectly. This resulted in wrong kernel +symbols because the kernel DSO loaded a random vmlinux image in the +path as it didn't have a valid build-id. + +Fixes: ae39ba16554e ("perf inject: Fix build ID injection") +Reported-by: Linus Torvalds +Tested-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/Z0aRFFW9xMh3mqKB@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/build-id.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c +index 8982f68e7230..e763e8d99a43 100644 +--- a/tools/perf/util/build-id.c ++++ b/tools/perf/util/build-id.c +@@ -277,7 +277,7 @@ static int write_buildid(const char *name, size_t name_len, struct build_id *bid + struct perf_record_header_build_id b; + size_t len; + +- len = sizeof(b) + name_len + 1; ++ len = name_len + 1; + len = PERF_ALIGN(len, sizeof(u64)); + + memset(&b, 0, sizeof(b)); +@@ -286,7 +286,7 @@ static int write_buildid(const char *name, size_t name_len, struct build_id *bid + misc |= PERF_RECORD_MISC_BUILD_ID_SIZE; + b.pid = pid; + b.header.misc = misc; +- b.header.size = len; ++ b.header.size = sizeof(b) + len; + + err = do_write(fd, &b, sizeof(b)); + if (err < 0) +-- +2.39.5 + diff --git a/queue-6.12/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch b/queue-6.12/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch new file mode 100644 index 00000000000..ebe0f4e79e0 --- /dev/null +++ b/queue-6.12/ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch @@ -0,0 +1,63 @@ +From 939e70e54ccc258ea67a6c84f787ce6eb0ef83e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:09:55 +0100 +Subject: ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from + kvm_arch_ptp_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 5e7aa97c7acf171275ac02a8bb018c31b8918d13 ] + +The caller, ptp_kvm_init(), emits a warning if kvm_arch_ptp_init() exits +with any error which is not EOPNOTSUPP: + + "fail to initialize ptp_kvm" + +Replace ENODEV with EOPNOTSUPP to avoid this spurious warning, +aligning with the ARM implementation. + +Fixes: a86ed2cfa13c ("ptp: Don't print an error if ptp_kvm is not supported") +Signed-off-by: Thomas Weißschuh +Link: https://patch.msgid.link/20241203-kvm_ptp-eopnotsuppp-v2-1-d1d060f27aa6@weissschuh.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_kvm_x86.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c +index 617c8d6706d3..6cea4fe39bcf 100644 +--- a/drivers/ptp/ptp_kvm_x86.c ++++ b/drivers/ptp/ptp_kvm_x86.c +@@ -26,7 +26,7 @@ int kvm_arch_ptp_init(void) + long ret; + + if (!kvm_para_available()) +- return -ENODEV; ++ return -EOPNOTSUPP; + + if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { + p = alloc_page(GFP_KERNEL | __GFP_ZERO); +@@ -46,14 +46,14 @@ int kvm_arch_ptp_init(void) + + clock_pair_gpa = slow_virt_to_phys(clock_pair); + if (!pvclock_get_pvti_cpu0_va()) { +- ret = -ENODEV; ++ ret = -EOPNOTSUPP; + goto err; + } + + ret = kvm_hypercall2(KVM_HC_CLOCK_PAIRING, clock_pair_gpa, + KVM_CLOCK_PAIRING_WALLCLOCK); + if (ret == -KVM_ENOSYS) { +- ret = -ENODEV; ++ ret = -EOPNOTSUPP; + goto err; + } + +-- +2.39.5 + diff --git a/queue-6.12/qca_spi-fix-clock-speed-for-multiple-qca7000.patch b/queue-6.12/qca_spi-fix-clock-speed-for-multiple-qca7000.patch new file mode 100644 index 00000000000..337cbc25d60 --- /dev/null +++ b/queue-6.12/qca_spi-fix-clock-speed-for-multiple-qca7000.patch @@ -0,0 +1,98 @@ +From 4fa3d117f9781fe37d7e6316ee5f914d4e049f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:46:42 +0100 +Subject: qca_spi: Fix clock speed for multiple QCA7000 + +From: Stefan Wahren + +[ Upstream commit 4dba406fac06b009873fe7a28231b9b7e4288b09 ] + +Storing the maximum clock speed in module parameter qcaspi_clkspeed +has the unintended side effect that the first probed instance +defines the value for all other instances. Fix this issue by storing +it in max_speed_hz of the relevant SPI device. + +This fix keeps the priority of the speed parameter (module parameter, +device tree property, driver default). Btw this uses the opportunity +to get the rid of the unused member clkspeed. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20241206184643.123399-2-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 24 ++++++++++-------------- + drivers/net/ethernet/qualcomm/qca_spi.h | 1 - + 2 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 8f7ce6b51a1c..a73426a8c429 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -812,7 +812,6 @@ qcaspi_netdev_init(struct net_device *dev) + + dev->mtu = QCAFRM_MAX_MTU; + dev->type = ARPHRD_ETHER; +- qca->clkspeed = qcaspi_clkspeed; + qca->burst_len = qcaspi_burst_len; + qca->spi_thread = NULL; + qca->buffer_size = (QCAFRM_MAX_MTU + VLAN_ETH_HLEN + QCAFRM_HEADER_LEN + +@@ -903,17 +902,15 @@ qca_spi_probe(struct spi_device *spi) + legacy_mode = of_property_read_bool(spi->dev.of_node, + "qca,legacy-mode"); + +- if (qcaspi_clkspeed == 0) { +- if (spi->max_speed_hz) +- qcaspi_clkspeed = spi->max_speed_hz; +- else +- qcaspi_clkspeed = QCASPI_CLK_SPEED; +- } ++ if (qcaspi_clkspeed) ++ spi->max_speed_hz = qcaspi_clkspeed; ++ else if (!spi->max_speed_hz) ++ spi->max_speed_hz = QCASPI_CLK_SPEED; + +- if ((qcaspi_clkspeed < QCASPI_CLK_SPEED_MIN) || +- (qcaspi_clkspeed > QCASPI_CLK_SPEED_MAX)) { +- dev_err(&spi->dev, "Invalid clkspeed: %d\n", +- qcaspi_clkspeed); ++ if (spi->max_speed_hz < QCASPI_CLK_SPEED_MIN || ++ spi->max_speed_hz > QCASPI_CLK_SPEED_MAX) { ++ dev_err(&spi->dev, "Invalid clkspeed: %u\n", ++ spi->max_speed_hz); + return -EINVAL; + } + +@@ -938,14 +935,13 @@ qca_spi_probe(struct spi_device *spi) + return -EINVAL; + } + +- dev_info(&spi->dev, "ver=%s, clkspeed=%d, burst_len=%d, pluggable=%d\n", ++ dev_info(&spi->dev, "ver=%s, clkspeed=%u, burst_len=%d, pluggable=%d\n", + QCASPI_DRV_VERSION, +- qcaspi_clkspeed, ++ spi->max_speed_hz, + qcaspi_burst_len, + qcaspi_pluggable); + + spi->mode = SPI_MODE_3; +- spi->max_speed_hz = qcaspi_clkspeed; + if (spi_setup(spi) < 0) { + dev_err(&spi->dev, "Unable to setup SPI device\n"); + return -EFAULT; +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h +index 8f4808695e82..0831cefc58b8 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.h ++++ b/drivers/net/ethernet/qualcomm/qca_spi.h +@@ -89,7 +89,6 @@ struct qcaspi { + #endif + + /* user configurable options */ +- u32 clkspeed; + u8 legacy_mode; + u16 burst_len; + }; +-- +2.39.5 + diff --git a/queue-6.12/qca_spi-make-driver-probing-reliable.patch b/queue-6.12/qca_spi-make-driver-probing-reliable.patch new file mode 100644 index 00000000000..17803366d64 --- /dev/null +++ b/queue-6.12/qca_spi-make-driver-probing-reliable.patch @@ -0,0 +1,40 @@ +From 61a9870dee8cf0be6b5a30d71a9be35ae4ab6cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:46:43 +0100 +Subject: qca_spi: Make driver probing reliable + +From: Stefan Wahren + +[ Upstream commit becc6399ce3b724cffe9ccb7ef0bff440bb1b62b ] + +The module parameter qcaspi_pluggable controls if QCA7000 signature +should be checked at driver probe (current default) or not. Unfortunately +this could fail in case the chip is temporary in reset, which isn't under +total control by the Linux host. So disable this check per default +in order to avoid unexpected probe failures. + +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20241206184643.123399-3-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index a73426a8c429..6b4b40c6e1fe 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -53,7 +53,7 @@ MODULE_PARM_DESC(qcaspi_burst_len, "Number of data bytes per burst. Use 1-5000." + + #define QCASPI_PLUGGABLE_MIN 0 + #define QCASPI_PLUGGABLE_MAX 1 +-static int qcaspi_pluggable = QCASPI_PLUGGABLE_MIN; ++static int qcaspi_pluggable = QCASPI_PLUGGABLE_MAX; + module_param(qcaspi_pluggable, int, 0); + MODULE_PARM_DESC(qcaspi_pluggable, "Pluggable SPI connection (yes/no)."); + +-- +2.39.5 + diff --git a/queue-6.12/regulator-axp20x-axp717-set-ramp_delay.patch b/queue-6.12/regulator-axp20x-axp717-set-ramp_delay.patch new file mode 100644 index 00000000000..b4d58f02e03 --- /dev/null +++ b/queue-6.12/regulator-axp20x-axp717-set-ramp_delay.patch @@ -0,0 +1,125 @@ +From 87e8c809c47a12c4e90e2a65bc2fddc1f83e8aae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2024 13:43:08 +0100 +Subject: regulator: axp20x: AXP717: set ramp_delay + +From: Philippe Simons + +[ Upstream commit f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74 ] + +AXP717 datasheet says that regulator ramp delay is 15.625 us/step, +which is 10mV in our case. + +Add a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to +expand to AXP_DESC_RANGES_DELAY with ramp_delay = 0 + +For DCDC4, steps is 100mv + +Add a AXP_DESC_DELAY macro and update AXP_DESC macro to +expand to AXP_DESC_DELAY with ramp_delay = 0 + +This patch fix crashes when using CPU DVFS. + +Signed-off-by: Philippe Simons +Tested-by: Hironori KIKUCHI +Tested-by: Chris Morgan +Reviewed-by: Chen-Yu Tsai +Fixes: d2ac3df75c3a ("regulator: axp20x: add support for the AXP717") +Link: https://patch.msgid.link/20241208124308.5630-1-simons.philippe@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/axp20x-regulator.c | 36 ++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index a8e91d9d028b..945d2917b91b 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -371,8 +371,8 @@ + .ops = &axp20x_ops, \ + } + +-#define AXP_DESC(_family, _id, _match, _supply, _min, _max, _step, _vreg, \ +- _vmask, _ereg, _emask) \ ++#define AXP_DESC_DELAY(_family, _id, _match, _supply, _min, _max, _step, _vreg, \ ++ _vmask, _ereg, _emask, _ramp_delay) \ + [_family##_##_id] = { \ + .name = (_match), \ + .supply_name = (_supply), \ +@@ -388,9 +388,15 @@ + .vsel_mask = (_vmask), \ + .enable_reg = (_ereg), \ + .enable_mask = (_emask), \ ++ .ramp_delay = (_ramp_delay), \ + .ops = &axp20x_ops, \ + } + ++#define AXP_DESC(_family, _id, _match, _supply, _min, _max, _step, _vreg, \ ++ _vmask, _ereg, _emask) \ ++ AXP_DESC_DELAY(_family, _id, _match, _supply, _min, _max, _step, _vreg, \ ++ _vmask, _ereg, _emask, 0) ++ + #define AXP_DESC_SW(_family, _id, _match, _supply, _ereg, _emask) \ + [_family##_##_id] = { \ + .name = (_match), \ +@@ -419,8 +425,8 @@ + .ops = &axp20x_ops_fixed \ + } + +-#define AXP_DESC_RANGES(_family, _id, _match, _supply, _ranges, _n_voltages, \ +- _vreg, _vmask, _ereg, _emask) \ ++#define AXP_DESC_RANGES_DELAY(_family, _id, _match, _supply, _ranges, _n_voltages, \ ++ _vreg, _vmask, _ereg, _emask, _ramp_delay) \ + [_family##_##_id] = { \ + .name = (_match), \ + .supply_name = (_supply), \ +@@ -436,9 +442,15 @@ + .enable_mask = (_emask), \ + .linear_ranges = (_ranges), \ + .n_linear_ranges = ARRAY_SIZE(_ranges), \ ++ .ramp_delay = (_ramp_delay), \ + .ops = &axp20x_ops_range, \ + } + ++#define AXP_DESC_RANGES(_family, _id, _match, _supply, _ranges, _n_voltages, \ ++ _vreg, _vmask, _ereg, _emask) \ ++ AXP_DESC_RANGES_DELAY(_family, _id, _match, _supply, _ranges, \ ++ _n_voltages, _vreg, _vmask, _ereg, _emask, 0) ++ + static const int axp209_dcdc2_ldo3_slew_rates[] = { + 1600, + 800, +@@ -781,21 +793,21 @@ static const struct linear_range axp717_dcdc3_ranges[] = { + }; + + static const struct regulator_desc axp717_regulators[] = { +- AXP_DESC_RANGES(AXP717, DCDC1, "dcdc1", "vin1", ++ AXP_DESC_RANGES_DELAY(AXP717, DCDC1, "dcdc1", "vin1", + axp717_dcdc1_ranges, AXP717_DCDC1_NUM_VOLTAGES, + AXP717_DCDC1_CONTROL, AXP717_DCDC_V_OUT_MASK, +- AXP717_DCDC_OUTPUT_CONTROL, BIT(0)), +- AXP_DESC_RANGES(AXP717, DCDC2, "dcdc2", "vin2", ++ AXP717_DCDC_OUTPUT_CONTROL, BIT(0), 640), ++ AXP_DESC_RANGES_DELAY(AXP717, DCDC2, "dcdc2", "vin2", + axp717_dcdc2_ranges, AXP717_DCDC2_NUM_VOLTAGES, + AXP717_DCDC2_CONTROL, AXP717_DCDC_V_OUT_MASK, +- AXP717_DCDC_OUTPUT_CONTROL, BIT(1)), +- AXP_DESC_RANGES(AXP717, DCDC3, "dcdc3", "vin3", ++ AXP717_DCDC_OUTPUT_CONTROL, BIT(1), 640), ++ AXP_DESC_RANGES_DELAY(AXP717, DCDC3, "dcdc3", "vin3", + axp717_dcdc3_ranges, AXP717_DCDC3_NUM_VOLTAGES, + AXP717_DCDC3_CONTROL, AXP717_DCDC_V_OUT_MASK, +- AXP717_DCDC_OUTPUT_CONTROL, BIT(2)), +- AXP_DESC(AXP717, DCDC4, "dcdc4", "vin4", 1000, 3700, 100, ++ AXP717_DCDC_OUTPUT_CONTROL, BIT(2), 640), ++ AXP_DESC_DELAY(AXP717, DCDC4, "dcdc4", "vin4", 1000, 3700, 100, + AXP717_DCDC4_CONTROL, AXP717_DCDC_V_OUT_MASK, +- AXP717_DCDC_OUTPUT_CONTROL, BIT(3)), ++ AXP717_DCDC_OUTPUT_CONTROL, BIT(3), 6400), + AXP_DESC(AXP717, ALDO1, "aldo1", "aldoin", 500, 3500, 100, + AXP717_ALDO1_CONTROL, AXP717_LDO_V_OUT_MASK, + AXP717_LDO0_OUTPUT_CONTROL, BIT(0)), +-- +2.39.5 + diff --git a/queue-6.12/selftests-mlxsw-sharedbuffer-ensure-no-extra-packets.patch b/queue-6.12/selftests-mlxsw-sharedbuffer-ensure-no-extra-packets.patch new file mode 100644 index 00000000000..0103066debb --- /dev/null +++ b/queue-6.12/selftests-mlxsw-sharedbuffer-ensure-no-extra-packets.patch @@ -0,0 +1,140 @@ +From ee0c5dbddc7cb1abd074a4959e4b433c0f4fb0e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 17:36:01 +0100 +Subject: selftests: mlxsw: sharedbuffer: Ensure no extra packets are counted + +From: Danielle Ratson + +[ Upstream commit 5f2c7ab15fd806043db1a7d54b5ec36be0bd93b1 ] + +The test assumes that the packet it is sending is the only packet being +passed to the device. + +However, it is not the case and so other packets are filling the buffers +as well. Therefore, the test sometimes fails because it is reading a +maximum occupancy that is larger than expected. + +Add egress filters on $h1 and $h2 that will guarantee the above. + +Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") +Signed-off-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/64c28bc9b1cc1d78c4a73feda7cedbe9526ccf8b.1733414773.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../drivers/net/mlxsw/sharedbuffer.sh | 40 +++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +index 21bebc5726f6..c068e6c2a580 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +@@ -22,20 +22,34 @@ SB_ITC=0 + h1_create() + { + simple_if_init $h1 192.0.1.1/24 ++ tc qdisc add dev $h1 clsact ++ ++ # Add egress filter on $h1 that will guarantee that the packet sent, ++ # will be the only packet being passed to the device. ++ tc filter add dev $h1 egress pref 2 handle 102 matchall action drop + } + + h1_destroy() + { ++ tc filter del dev $h1 egress pref 2 handle 102 matchall action drop ++ tc qdisc del dev $h1 clsact + simple_if_fini $h1 192.0.1.1/24 + } + + h2_create() + { + simple_if_init $h2 192.0.1.2/24 ++ tc qdisc add dev $h2 clsact ++ ++ # Add egress filter on $h2 that will guarantee that the packet sent, ++ # will be the only packet being passed to the device. ++ tc filter add dev $h2 egress pref 1 handle 101 matchall action drop + } + + h2_destroy() + { ++ tc filter del dev $h2 egress pref 1 handle 101 matchall action drop ++ tc qdisc del dev $h2 clsact + simple_if_fini $h2 192.0.1.2/24 + } + +@@ -101,6 +115,11 @@ port_pool_test() + local exp_max_occ=$(devlink_cell_size_get) + local max_occ + ++ tc filter add dev $h1 egress protocol ip pref 1 handle 101 flower \ ++ src_mac $h1mac dst_mac $h2mac \ ++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \ ++ action pass ++ + devlink sb occupancy clearmax $DEVLINK_DEV + + $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \ +@@ -117,6 +136,11 @@ port_pool_test() + max_occ=$(sb_occ_pool_check $cpu_dl_port $SB_POOL_EGR_CPU $exp_max_occ) + check_err $? "Expected ePool($SB_POOL_EGR_CPU) max occupancy to be $exp_max_occ, but got $max_occ" + log_test "CPU port's egress pool" ++ ++ tc filter del dev $h1 egress protocol ip pref 1 handle 101 flower \ ++ src_mac $h1mac dst_mac $h2mac \ ++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \ ++ action pass + } + + port_tc_ip_test() +@@ -124,6 +148,11 @@ port_tc_ip_test() + local exp_max_occ=$(devlink_cell_size_get) + local max_occ + ++ tc filter add dev $h1 egress protocol ip pref 1 handle 101 flower \ ++ src_mac $h1mac dst_mac $h2mac \ ++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \ ++ action pass ++ + devlink sb occupancy clearmax $DEVLINK_DEV + + $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \ +@@ -140,6 +169,11 @@ port_tc_ip_test() + max_occ=$(sb_occ_etc_check $cpu_dl_port $SB_ITC_CPU_IP $exp_max_occ) + check_err $? "Expected egress TC($SB_ITC_CPU_IP) max occupancy to be $exp_max_occ, but got $max_occ" + log_test "CPU port's egress TC - IP packet" ++ ++ tc filter del dev $h1 egress protocol ip pref 1 handle 101 flower \ ++ src_mac $h1mac dst_mac $h2mac \ ++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \ ++ action pass + } + + port_tc_arp_test() +@@ -147,6 +181,9 @@ port_tc_arp_test() + local exp_max_occ=$(devlink_cell_size_get) + local max_occ + ++ tc filter add dev $h1 egress protocol arp pref 1 handle 101 flower \ ++ src_mac $h1mac action pass ++ + devlink sb occupancy clearmax $DEVLINK_DEV + + $MZ $h1 -c 1 -p 10 -a $h1mac -A 192.0.1.1 -t arp -q +@@ -162,6 +199,9 @@ port_tc_arp_test() + max_occ=$(sb_occ_etc_check $cpu_dl_port $SB_ITC_CPU_ARP $exp_max_occ) + check_err $? "Expected egress TC($SB_ITC_IP2ME) max occupancy to be $exp_max_occ, but got $max_occ" + log_test "CPU port's egress TC - ARP packet" ++ ++ tc filter del dev $h1 egress protocol arp pref 1 handle 101 flower \ ++ src_mac $h1mac action pass + } + + setup_prepare() +-- +2.39.5 + diff --git a/queue-6.12/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch b/queue-6.12/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch new file mode 100644 index 00000000000..1e7c5195dfa --- /dev/null +++ b/queue-6.12/selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch @@ -0,0 +1,58 @@ +From 49081c6f8f26a9e56762596dcbb8b62055065cdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 17:36:00 +0100 +Subject: selftests: mlxsw: sharedbuffer: Remove duplicate test cases + +From: Danielle Ratson + +[ Upstream commit 6c46ad4d1bb2e8ec2265296e53765190f6e32f33 ] + +On both port_tc_ip_test() and port_tc_arp_test(), the max occupancy is +checked on $h2 twice, when only the error message is different and does not +match the check itself. + +Remove the two duplicated test cases from the test. + +Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") +Signed-off-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/d9eb26f6fc16a06a30b5c2c16ad80caf502bc561.1733414773.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/drivers/net/mlxsw/sharedbuffer.sh | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +index a7b3d6cf3185..21bebc5726f6 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +@@ -131,11 +131,6 @@ port_tc_ip_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) +- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress TC - IP packet" +- + RET=0 + max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) + check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +@@ -158,11 +153,6 @@ port_tc_arp_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) +- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress TC - ARP packet" +- + RET=0 + max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ) + check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ" +-- +2.39.5 + diff --git a/queue-6.12/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch b/queue-6.12/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch new file mode 100644 index 00000000000..2c00f20e5b1 --- /dev/null +++ b/queue-6.12/selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch @@ -0,0 +1,48 @@ +From 1bc4ba59d6f376b39cdde1394791d20b55bd9b04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 17:35:59 +0100 +Subject: selftests: mlxsw: sharedbuffer: Remove h1 ingress test case + +From: Danielle Ratson + +[ Upstream commit cf3515c556907b4da290967a2a6cbbd9ee0ee723 ] + +The test is sending only one packet generated with mausezahn from $h1 to +$h2. However, for some reason, it is testing for non-zero maximum occupancy +in both the ingress pool of $h1 and $h2. The former only passes when $h2 +happens to send a packet. + +Avoid intermittent failures by removing unintentional test case +regarding the ingress pool of $h1. + +Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test") +Signed-off-by: Danielle Ratson +Reviewed-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/5b7344608d5e06f38209e48d8af8c92fa11b6742.1733414773.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +index 0c47faff9274..a7b3d6cf3185 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh +@@ -108,11 +108,6 @@ port_pool_test() + + devlink sb occupancy snapshot $DEVLINK_DEV + +- RET=0 +- max_occ=$(sb_occ_pool_check $dl_port1 $SB_POOL_ING $exp_max_occ) +- check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ" +- log_test "physical port's($h1) ingress pool" +- + RET=0 + max_occ=$(sb_occ_pool_check $dl_port2 $SB_POOL_ING $exp_max_occ) + check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ" +-- +2.39.5 + diff --git a/queue-6.12/selftests-netfilter-stabilize-rpath.sh.patch b/queue-6.12/selftests-netfilter-stabilize-rpath.sh.patch new file mode 100644 index 00000000000..b8fcf6fc513 --- /dev/null +++ b/queue-6.12/selftests-netfilter-stabilize-rpath.sh.patch @@ -0,0 +1,78 @@ +From a39cd06039339c64ea9c8bfd41d241be8f34fedc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 15:08:40 +0100 +Subject: selftests: netfilter: Stabilize rpath.sh + +From: Phil Sutter + +[ Upstream commit d92906fd1b940681b4509f7bb8ae737789fb4695 ] + +On some systems, neighbor discoveries from ns1 for fec0:42::1 (i.e., the +martian trap address) would happen at the wrong time and cause +false-negative test result. + +Problem analysis also discovered that IPv6 martian ping test was broken +in that sent neighbor discoveries, not echo requests were inadvertently +trapped + +Avoid the race condition by introducing the neighbors to each other +upfront. Also pin down the firewall rules to matching on echo requests +only. + +Fixes: efb056e5f1f0 ("netfilter: ip6t_rpfilter: Fix regression with VRF interfaces") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/netfilter/rpath.sh | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/netfilter/rpath.sh b/tools/testing/selftests/net/netfilter/rpath.sh +index 4485fd7675ed..86ec4e68594d 100755 +--- a/tools/testing/selftests/net/netfilter/rpath.sh ++++ b/tools/testing/selftests/net/netfilter/rpath.sh +@@ -61,9 +61,20 @@ ip -net "$ns2" a a 192.168.42.1/24 dev d0 + ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad + ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad + ++# avoid neighbor lookups and enable martian IPv6 pings ++ns2_hwaddr=$(ip -net "$ns2" link show dev v0 | \ ++ sed -n 's, *link/ether \([^ ]*\) .*,\1,p') ++ns1_hwaddr=$(ip -net "$ns1" link show dev v0 | \ ++ sed -n 's, *link/ether \([^ ]*\) .*,\1,p') ++ip -net "$ns1" neigh add fec0:42::1 lladdr "$ns2_hwaddr" nud permanent dev v0 ++ip -net "$ns1" neigh add fec0:23::1 lladdr "$ns2_hwaddr" nud permanent dev v0 ++ip -net "$ns2" neigh add fec0:42::2 lladdr "$ns1_hwaddr" nud permanent dev d0 ++ip -net "$ns2" neigh add fec0:23::2 lladdr "$ns1_hwaddr" nud permanent dev v0 ++ + # firewall matches to test + [ -n "$iptables" ] && { + common='-t raw -A PREROUTING -s 192.168.0.0/16' ++ common+=' -p icmp --icmp-type echo-request' + if ! ip netns exec "$ns2" "$iptables" $common -m rpfilter;then + echo "Cannot add rpfilter rule" + exit $ksft_skip +@@ -72,6 +83,7 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad + } + [ -n "$ip6tables" ] && { + common='-t raw -A PREROUTING -s fec0::/16' ++ common+=' -p icmpv6 --icmpv6-type echo-request' + if ! ip netns exec "$ns2" "$ip6tables" $common -m rpfilter;then + echo "Cannot add rpfilter rule" + exit $ksft_skip +@@ -82,8 +94,10 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad + table inet t { + chain c { + type filter hook prerouting priority raw; +- ip saddr 192.168.0.0/16 fib saddr . iif oif exists counter +- ip6 saddr fec0::/16 fib saddr . iif oif exists counter ++ ip saddr 192.168.0.0/16 icmp type echo-request \ ++ fib saddr . iif oif exists counter ++ ip6 saddr fec0::/16 icmpv6 type echo-request \ ++ fib saddr . iif oif exists counter + } + } + EOF +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series index 80dbf8463b2..c63fbf53506 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -79,3 +79,86 @@ bpf-perf-fix-invalid-prog_array-access-in-perf_event_detach_bpf_prog.patch bpf-sockmap-fix-race-between-element-replace-and-close.patch bpf-sockmap-fix-update-element-with-same.patch bpf-augment-raw_tp-arguments-with-ptr_maybe_null.patch +perf-tools-fix-build-id-event-recording.patch +wifi-nl80211-fix-nl80211_attr_mlo_link_id-off-by-one.patch +wifi-mac80211-init-cnt-before-accessing-elem-in-ieee.patch +wifi-mac80211-fix-a-queue-stall-in-certain-cases-of-.patch +wifi-mac80211-fix-station-nss-capability-initializat.patch +perf-machine-initialize-machine-env-to-address-a-seg.patch +acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch +amdgpu-uvd-get-ring-reference-from-rq-scheduler.patch +batman-adv-do-not-send-uninitialized-tt-changes.patch +batman-adv-remove-uninitialized-data-in-full-table-t.patch +batman-adv-do-not-let-tt-changes-list-grows-indefini.patch +tipc-fix-null-deref-in-cleanup_bearer.patch +net-mlx5-dr-prevent-potential-error-pointer-derefere.patch +wifi-cfg80211-sme-init-n_channels-before-channels-ac.patch +selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch +selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch +selftests-mlxsw-sharedbuffer-ensure-no-extra-packets.patch +ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch +bnxt_en-fix-gso-type-for-hw-gro-packets-on-5750x-chi.patch +net-lapb-increase-lapb_header_len.patch +net-defer-final-struct-net-free-in-netns-dismantle.patch +net-mscc-ocelot-fix-memory-leak-on-ocelot_port_add_t.patch +net-mscc-ocelot-improve-handling-of-tx-timestamp-for.patch +net-mscc-ocelot-ocelot-ts_id_lock-and-ocelot_port-tx.patch +net-mscc-ocelot-be-resilient-to-loss-of-ptp-packets-.patch +net-mscc-ocelot-perform-error-cleanup-in-ocelot_hwst.patch +regulator-axp20x-axp717-set-ramp_delay.patch +spi-aspeed-fix-an-error-handling-path-in-aspeed_spi_.patch +net-sparx5-fix-fdma-performance-issue.patch +net-sparx5-fix-the-maximum-frame-length-register.patch +acpi-resource-fix-memory-resource-type-union-access.patch +cxgb4-use-port-number-to-set-mac-addr.patch +qca_spi-fix-clock-speed-for-multiple-qca7000.patch +qca_spi-make-driver-probing-reliable.patch +module-convert-default-symbol-namespace-to-string-li.patch +gpio-idio-16-actually-make-use-of-the-gpio_idio_16-s.patch +alsa-control-avoid-warn-for-symlink-errors.patch +asoc-amd-yc-fix-the-wrong-return-value.patch +documentation-pm-clarify-pm_runtime_resume_and_get-r.patch +block-get-wp_offset-by-bdev_offset_from_zone_start.patch +bnxt_en-fix-aggregation-id-mask-to-prevent-oops-on-5.patch +documentation-networking-add-a-caveat-to-nexthop_com.patch +cifs-fix-rmdir-failure-due-to-ongoing-i-o-on-deleted.patch +net-renesas-rswitch-fix-possible-early-skb-release.patch +net-renesas-rswitch-fix-race-window-between-tx-start.patch +net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch +net-renesas-rswitch-avoid-use-after-put-for-a-device.patch +net-renesas-rswitch-handle-stop-vs-interrupt-race.patch +asoc-tas2781-fix-calibration-issue-in-stress-test.patch +bluetooth-improve-setsockopt-handling-of-malformed-u.patch +libperf-evlist-fix-cpu-argument-on-hybrid-platform.patch +asoc-fsl_xcvr-change-iface_pcm-to-iface_mixer.patch +asoc-fsl_spdif-change-iface_pcm-to-iface_mixer.patch +selftests-netfilter-stabilize-rpath.sh.patch +netfilter-idletimer-fix-for-possible-abba-deadlock.patch +netfilter-nf_tables-do-not-defer-rule-destruction-vi.patch +net-mana-fix-memory-leak-in-mana_gd_setup_irqs.patch +net-mana-fix-irq_contexts-memory-leak-in-mana_gd_set.patch +net-dsa-felix-fix-stuck-cpu-injected-packets-with-sh.patch +net-sched-netem-account-for-backlog-updates-from-chi.patch +net-team-bonding-add-netdev_base_features-helper.patch +bonding-fix-initial-vlan-mpls-_feature-set-in-bond_c.patch +bonding-fix-feature-propagation-of-netif_f_gso_encap.patch +team-fix-initial-vlan_feature-set-in-__team_compute_.patch +team-fix-feature-propagation-of-netif_f_gso_encap_al.patch +asoc-intel-sof_sdw-add-space-for-a-terminator-into-d.patch +acpica-events-evxfregn-don-t-release-the-contextmute.patch +bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch +bluetooth-iso-always-release-hdev-at-the-end-of-iso_.patch +bluetooth-iso-fix-recursive-locking-warning.patch +bluetooth-sco-add-support-for-16-bits-transparent-vo.patch +bluetooth-iso-fix-circular-lock-in-iso_listen_bis.patch +bluetooth-iso-fix-circular-lock-in-iso_conn_big_sync.patch +bluetooth-btmtk-avoid-uaf-in-btmtk_process_coredump.patch +net-renesas-rswitch-fix-initial-mpic-register-settin.patch +net-dsa-microchip-ksz9896-register-regmap-alignment-.patch +net-dsa-tag_ocelot_8021q-fix-broken-reception.patch +drm-xe-fix-the-err_ptr-returned-on-failure-to-alloca.patch +drm-xe-reg_sr-remove-register-pool.patch +blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch +kselftest-arm64-abi-fix-svcr-detection.patch +blk-mq-move-cpuhp-callback-registering-out-of-q-sysf.patch +block-fix-potential-deadlock-while-freezing-queue-an.patch diff --git a/queue-6.12/spi-aspeed-fix-an-error-handling-path-in-aspeed_spi_.patch b/queue-6.12/spi-aspeed-fix-an-error-handling-path-in-aspeed_spi_.patch new file mode 100644 index 00000000000..60097f164dd --- /dev/null +++ b/queue-6.12/spi-aspeed-fix-an-error-handling-path-in-aspeed_spi_.patch @@ -0,0 +1,64 @@ +From 3e236c09ca2c7303be7538941369fc980c32c4ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 22:30:29 +0100 +Subject: spi: aspeed: Fix an error handling path in + aspeed_spi_[read|write]_user() + +From: Christophe JAILLET + +[ Upstream commit c84dda3751e945a67d71cbe3af4474aad24a5794 ] + +A aspeed_spi_start_user() is not balanced by a corresponding +aspeed_spi_stop_user(). +Add the missing call. + +Fixes: e3228ed92893 ("spi: spi-mem: Convert Aspeed SMC driver to spi-mem") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/4052aa2f9a9ea342fa6af83fa991b55ce5d5819e.1732051814.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-aspeed-smc.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-aspeed-smc.c b/drivers/spi/spi-aspeed-smc.c +index bbd417c55e7f..b0e3f307b283 100644 +--- a/drivers/spi/spi-aspeed-smc.c ++++ b/drivers/spi/spi-aspeed-smc.c +@@ -239,7 +239,7 @@ static ssize_t aspeed_spi_read_user(struct aspeed_spi_chip *chip, + + ret = aspeed_spi_send_cmd_addr(chip, op->addr.nbytes, offset, op->cmd.opcode); + if (ret < 0) +- return ret; ++ goto stop_user; + + if (op->dummy.buswidth && op->dummy.nbytes) { + for (i = 0; i < op->dummy.nbytes / op->dummy.buswidth; i++) +@@ -249,8 +249,9 @@ static ssize_t aspeed_spi_read_user(struct aspeed_spi_chip *chip, + aspeed_spi_set_io_mode(chip, io_mode); + + aspeed_spi_read_from_ahb(buf, chip->ahb_base, len); ++stop_user: + aspeed_spi_stop_user(chip); +- return 0; ++ return ret; + } + + static ssize_t aspeed_spi_write_user(struct aspeed_spi_chip *chip, +@@ -261,10 +262,11 @@ static ssize_t aspeed_spi_write_user(struct aspeed_spi_chip *chip, + aspeed_spi_start_user(chip); + ret = aspeed_spi_send_cmd_addr(chip, op->addr.nbytes, op->addr.val, op->cmd.opcode); + if (ret < 0) +- return ret; ++ goto stop_user; + aspeed_spi_write_to_ahb(chip->ahb_base, op->data.buf.out, op->data.nbytes); ++stop_user: + aspeed_spi_stop_user(chip); +- return 0; ++ return ret; + } + + /* support for 1-1-1, 1-1-2 or 1-1-4 */ +-- +2.39.5 + diff --git a/queue-6.12/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch b/queue-6.12/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch new file mode 100644 index 00000000000..d9d20f154fa --- /dev/null +++ b/queue-6.12/team-fix-feature-propagation-of-netif_f_gso_encap_al.patch @@ -0,0 +1,44 @@ +From 82659e8e02bca3a55997563baa7270e0cd4757d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:45 +0100 +Subject: team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL + +From: Daniel Borkmann + +[ Upstream commit 98712844589e06d9aa305b5077169942139fd75c ] + +Similar to bonding driver, add NETIF_F_GSO_ENCAP_ALL to TEAM_VLAN_FEATURES +in order to support slave devices which propagate NETIF_F_GSO_UDP_TUNNEL & +NETIF_F_GSO_UDP_TUNNEL_CSUM as vlan_features. + +Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-5-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index ddd9ae7085c7..6ace5a74cddb 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -983,7 +983,8 @@ static void team_port_disable(struct team *team, + + #define TEAM_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_HIGHDMA | NETIF_F_LRO) ++ NETIF_F_HIGHDMA | NETIF_F_LRO | \ ++ NETIF_F_GSO_ENCAP_ALL) + + #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE) +-- +2.39.5 + diff --git a/queue-6.12/team-fix-initial-vlan_feature-set-in-__team_compute_.patch b/queue-6.12/team-fix-initial-vlan_feature-set-in-__team_compute_.patch new file mode 100644 index 00000000000..05bb68f6bf6 --- /dev/null +++ b/queue-6.12/team-fix-initial-vlan_feature-set-in-__team_compute_.patch @@ -0,0 +1,52 @@ +From 5c5bc715a6a390a39686b4533ba8f1fed332a3e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:12:44 +0100 +Subject: team: Fix initial vlan_feature set in __team_compute_features + +From: Daniel Borkmann + +[ Upstream commit 396699ac2cb1bc4e3485abb48a1e3e41956de0cd ] + +Similarly as with bonding, fix the calculation of vlan_features to reuse +netdev_base_features() in order derive the set in the same way as +ndo_fix_features before iterating through the slave devices to refine the +feature set. + +Fixes: 3625920b62c3 ("teaming: fix vlan_features computing") +Signed-off-by: Daniel Borkmann +Cc: Nikolay Aleksandrov +Cc: Ido Schimmel +Cc: Jiri Pirko +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20241210141245.327886-4-daniel@iogearbox.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index 481c8df8842f..ddd9ae7085c7 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -991,13 +991,14 @@ static void team_port_disable(struct team *team, + static void __team_compute_features(struct team *team) + { + struct team_port *port; +- netdev_features_t vlan_features = TEAM_VLAN_FEATURES & +- NETIF_F_ALL_FOR_ALL; ++ netdev_features_t vlan_features = TEAM_VLAN_FEATURES; + netdev_features_t enc_features = TEAM_ENC_FEATURES; + unsigned short max_hard_header_len = ETH_HLEN; + unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | + IFF_XMIT_DST_RELEASE_PERM; + ++ vlan_features = netdev_base_features(vlan_features); ++ + rcu_read_lock(); + list_for_each_entry_rcu(port, &team->port_list, list) { + vlan_features = netdev_increment_features(vlan_features, +-- +2.39.5 + diff --git a/queue-6.12/tipc-fix-null-deref-in-cleanup_bearer.patch b/queue-6.12/tipc-fix-null-deref-in-cleanup_bearer.patch new file mode 100644 index 00000000000..aa5d8f261a2 --- /dev/null +++ b/queue-6.12/tipc-fix-null-deref-in-cleanup_bearer.patch @@ -0,0 +1,82 @@ +From 5c5eb189b538abca622f1a5139c88b31bc562244 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 17:05:48 +0000 +Subject: tipc: fix NULL deref in cleanup_bearer() + +From: Eric Dumazet + +[ Upstream commit b04d86fff66b15c07505d226431f808c15b1703c ] + +syzbot found [1] that after blamed commit, ub->ubsock->sk +was NULL when attempting the atomic_dec() : + +atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); + +Fix this by caching the tipc_net pointer. + +[1] + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Workqueue: events cleanup_bearer + RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline] + RIP: 0010:sock_net include/net/sock.h:655 [inline] + RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820 +Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b +RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206 +RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00 +RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900 +RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20 +R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980 +R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918 +FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 6a2fa13312e5 ("tipc: Fix use-after-free of kernel socket in cleanup_bearer().") +Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67508b5f.050a0220.17bd51.0070.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20241204170548.4152658-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/udp_media.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index b7e25e7e9933..108a4cc2e001 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -807,6 +807,7 @@ static void cleanup_bearer(struct work_struct *work) + { + struct udp_bearer *ub = container_of(work, struct udp_bearer, work); + struct udp_replicast *rcast, *tmp; ++ struct tipc_net *tn; + + list_for_each_entry_safe(rcast, tmp, &ub->rcast.list, list) { + dst_cache_destroy(&rcast->dst_cache); +@@ -814,10 +815,14 @@ static void cleanup_bearer(struct work_struct *work) + kfree_rcu(rcast, rcu); + } + ++ tn = tipc_net(sock_net(ub->ubsock->sk)); ++ + dst_cache_destroy(&ub->rcast.dst_cache); + udp_tunnel_sock_release(ub->ubsock); ++ ++ /* Note: could use a call_rcu() to avoid another synchronize_net() */ + synchronize_net(); +- atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); ++ atomic_dec(&tn->wq_count); + kfree(ub); + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-cfg80211-sme-init-n_channels-before-channels-ac.patch b/queue-6.12/wifi-cfg80211-sme-init-n_channels-before-channels-ac.patch new file mode 100644 index 00000000000..bd2d42e5fa1 --- /dev/null +++ b/queue-6.12/wifi-cfg80211-sme-init-n_channels-before-channels-ac.patch @@ -0,0 +1,38 @@ +From e2a2117eea15e73bec7e1cc7216718cd9197110f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 23:20:49 +0800 +Subject: wifi: cfg80211: sme: init n_channels before channels[] access + +From: Haoyu Li + +[ Upstream commit f1d3334d604cc32db63f6e2b3283011e02294e54 ] + +With the __counted_by annocation in cfg80211_scan_request struct, +the "n_channels" struct member must be set before accessing the +"channels" array. Failing to do so will trigger a runtime warning +when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. + +Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") +Signed-off-by: Haoyu Li +Link: https://patch.msgid.link/20241203152049.348806-1-lihaoyu499@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 431da30817a6..268171600087 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -83,6 +83,7 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev) + if (!request) + return -ENOMEM; + ++ request->n_channels = n_channels; + if (wdev->conn->params.channel) { + enum nl80211_band band = wdev->conn->params.channel->band; + struct ieee80211_supported_band *sband = +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-fix-a-queue-stall-in-certain-cases-of-.patch b/queue-6.12/wifi-mac80211-fix-a-queue-stall-in-certain-cases-of-.patch new file mode 100644 index 00000000000..810aee9edff --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-a-queue-stall-in-certain-cases-of-.patch @@ -0,0 +1,259 @@ +From 84745557fd47a5882c1b7ea9f8e3a4153643b1bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:35:40 +0200 +Subject: wifi: mac80211: fix a queue stall in certain cases of CSA + +From: Emmanuel Grumbach + +[ Upstream commit 11ac0d7c3b5ba58232fb7dacb54371cbe75ec183 ] + +If we got an unprotected action frame with CSA and then we heard the +beacon with the CSA IE, we'll block the queues with the CSA reason +twice. Since this reason is refcounted, we won't wake up the queues +since we wake them up only once and the ref count will never reach 0. +This led to blocked queues that prevented any activity (even +disconnection wouldn't reset the queue state and the only way to recover +would be to reload the kernel module. + +Fix this by not refcounting the CSA reason. +It becomes now pointless to maintain the csa_blocked_queues state. +Remove it. + +Signed-off-by: Emmanuel Grumbach +Fixes: 414e090bc41d ("wifi: mac80211: restrict public action ECSA frame handling") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447 +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20241119173108.5ea90828c2cc.I4f89e58572fb71ae48e47a81e74595cac410fbac@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 2 +- + include/net/mac80211.h | 4 +- + net/mac80211/cfg.c | 3 +- + net/mac80211/ieee80211_i.h | 49 +++++++++++++++---- + net/mac80211/iface.c | 12 ++--- + net/mac80211/mlme.c | 2 - + net/mac80211/util.c | 23 ++------- + 7 files changed, 50 insertions(+), 45 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c +index a7a10e716e65..e96ddaeeeeff 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c +@@ -1967,7 +1967,7 @@ void iwl_mvm_channel_switch_error_notif(struct iwl_mvm *mvm, + if (csa_err_mask & (CS_ERR_COUNT_ERROR | + CS_ERR_LONG_DELAY_AFTER_CS | + CS_ERR_TX_BLOCK_TIMER_EXPIRED)) +- ieee80211_channel_switch_disconnect(vif, true); ++ ieee80211_channel_switch_disconnect(vif); + rcu_read_unlock(); + } + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 333e0fae6796..5b712582f9a9 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -6770,14 +6770,12 @@ void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success, + /** + * ieee80211_channel_switch_disconnect - disconnect due to channel switch error + * @vif: &struct ieee80211_vif pointer from the add_interface callback. +- * @block_tx: if %true, do not send deauth frame. + * + * Instruct mac80211 to disconnect due to a channel switch error. The channel + * switch can request to block the tx and so, we need to make sure we do not send + * a deauth frame in this case. + */ +-void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif, +- bool block_tx); ++void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif); + + /** + * ieee80211_request_smps - request SM PS transition +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 242b718b1cd9..16d47123a73c 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -3674,13 +3674,12 @@ void ieee80211_csa_finish(struct ieee80211_vif *vif, unsigned int link_id) + } + EXPORT_SYMBOL(ieee80211_csa_finish); + +-void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif, bool block_tx) ++void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif) + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct ieee80211_local *local = sdata->local; + +- sdata->csa_blocked_queues = block_tx; + sdata_info(sdata, "channel switch failed, disconnecting\n"); + wiphy_work_queue(local->hw.wiphy, &ifmgd->csa_connection_drop_work); + } +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 3d3c9139ff5e..7a0242e937d3 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1106,8 +1106,6 @@ struct ieee80211_sub_if_data { + + unsigned long state; + +- bool csa_blocked_queues; +- + char name[IFNAMSIZ]; + + struct ieee80211_fragment_cache frags; +@@ -2411,17 +2409,13 @@ void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata); + void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata, + struct ieee80211_hdr *hdr, bool ack, u16 tx_time); +- ++unsigned int ++ieee80211_get_vif_queues(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata); + void ieee80211_wake_queues_by_reason(struct ieee80211_hw *hw, + unsigned long queues, + enum queue_stop_reason reason, + bool refcounted); +-void ieee80211_stop_vif_queues(struct ieee80211_local *local, +- struct ieee80211_sub_if_data *sdata, +- enum queue_stop_reason reason); +-void ieee80211_wake_vif_queues(struct ieee80211_local *local, +- struct ieee80211_sub_if_data *sdata, +- enum queue_stop_reason reason); + void ieee80211_stop_queues_by_reason(struct ieee80211_hw *hw, + unsigned long queues, + enum queue_stop_reason reason, +@@ -2432,6 +2426,43 @@ void ieee80211_wake_queue_by_reason(struct ieee80211_hw *hw, int queue, + void ieee80211_stop_queue_by_reason(struct ieee80211_hw *hw, int queue, + enum queue_stop_reason reason, + bool refcounted); ++static inline void ++ieee80211_stop_vif_queues(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ enum queue_stop_reason reason) ++{ ++ ieee80211_stop_queues_by_reason(&local->hw, ++ ieee80211_get_vif_queues(local, sdata), ++ reason, true); ++} ++ ++static inline void ++ieee80211_wake_vif_queues(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ enum queue_stop_reason reason) ++{ ++ ieee80211_wake_queues_by_reason(&local->hw, ++ ieee80211_get_vif_queues(local, sdata), ++ reason, true); ++} ++static inline void ++ieee80211_stop_vif_queues_norefcount(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ enum queue_stop_reason reason) ++{ ++ ieee80211_stop_queues_by_reason(&local->hw, ++ ieee80211_get_vif_queues(local, sdata), ++ reason, false); ++} ++static inline void ++ieee80211_wake_vif_queues_norefcount(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ enum queue_stop_reason reason) ++{ ++ ieee80211_wake_queues_by_reason(&local->hw, ++ ieee80211_get_vif_queues(local, sdata), ++ reason, false); ++} + void ieee80211_add_pending_skb(struct ieee80211_local *local, + struct sk_buff *skb); + void ieee80211_add_pending_skbs(struct ieee80211_local *local, +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 6ef0990d3d29..af9055252e6d 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -2364,18 +2364,14 @@ void ieee80211_vif_block_queues_csa(struct ieee80211_sub_if_data *sdata) + if (ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA)) + return; + +- ieee80211_stop_vif_queues(local, sdata, +- IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_queues = true; ++ ieee80211_stop_vif_queues_norefcount(local, sdata, ++ IEEE80211_QUEUE_STOP_REASON_CSA); + } + + void ieee80211_vif_unblock_queues_csa(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_local *local = sdata->local; + +- if (sdata->csa_blocked_queues) { +- ieee80211_wake_vif_queues(local, sdata, +- IEEE80211_QUEUE_STOP_REASON_CSA); +- sdata->csa_blocked_queues = false; +- } ++ ieee80211_wake_vif_queues_norefcount(local, sdata, ++ IEEE80211_QUEUE_STOP_REASON_CSA); + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 0303972c23e4..111066928b96 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2636,8 +2636,6 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link, + */ + link->conf->csa_active = true; + link->u.mgd.csa.blocked_tx = csa_ie.mode; +- sdata->csa_blocked_queues = +- csa_ie.mode && !ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA); + + wiphy_work_queue(sdata->local->hw.wiphy, + &ifmgd->csa_connection_drop_work); +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index f94faa86ba8a..b4814e97cf74 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -657,7 +657,7 @@ void ieee80211_wake_queues(struct ieee80211_hw *hw) + } + EXPORT_SYMBOL(ieee80211_wake_queues); + +-static unsigned int ++unsigned int + ieee80211_get_vif_queues(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata) + { +@@ -669,7 +669,8 @@ ieee80211_get_vif_queues(struct ieee80211_local *local, + queues = 0; + + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) +- queues |= BIT(sdata->vif.hw_queue[ac]); ++ if (sdata->vif.hw_queue[ac] != IEEE80211_INVAL_HW_QUEUE) ++ queues |= BIT(sdata->vif.hw_queue[ac]); + if (sdata->vif.cab_queue != IEEE80211_INVAL_HW_QUEUE) + queues |= BIT(sdata->vif.cab_queue); + } else { +@@ -724,24 +725,6 @@ void ieee80211_flush_queues(struct ieee80211_local *local, + __ieee80211_flush_queues(local, sdata, 0, drop); + } + +-void ieee80211_stop_vif_queues(struct ieee80211_local *local, +- struct ieee80211_sub_if_data *sdata, +- enum queue_stop_reason reason) +-{ +- ieee80211_stop_queues_by_reason(&local->hw, +- ieee80211_get_vif_queues(local, sdata), +- reason, true); +-} +- +-void ieee80211_wake_vif_queues(struct ieee80211_local *local, +- struct ieee80211_sub_if_data *sdata, +- enum queue_stop_reason reason) +-{ +- ieee80211_wake_queues_by_reason(&local->hw, +- ieee80211_get_vif_queues(local, sdata), +- reason, true); +-} +- + static void __iterate_interfaces(struct ieee80211_local *local, + u32 iter_flags, + void (*iterator)(void *data, u8 *mac, +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-fix-station-nss-capability-initializat.patch b/queue-6.12/wifi-mac80211-fix-station-nss-capability-initializat.patch new file mode 100644 index 00000000000..3236e7dec72 --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-station-nss-capability-initializat.patch @@ -0,0 +1,47 @@ +From 2e287a6489bd4368229ec60d5baa757e9482d415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 16:07:22 +0800 +Subject: wifi: mac80211: fix station NSS capability initialization order + +From: Benjamin Lin + +[ Upstream commit 819e0f1e58e0ba3800cd9eb96b2a39e44e49df97 ] + +Station's spatial streaming capability should be initialized before +handling VHT OMN, because the handling requires the capability information. + +Fixes: a8bca3e9371d ("wifi: mac80211: track capability/opmode NSS separately") +Signed-off-by: Benjamin Lin +Link: https://patch.msgid.link/20241118080722.9603-1-benjamin-jw.lin@mediatek.com +[rewrite subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 16d47123a73c..1b1bf044378d 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1911,6 +1911,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + params->eht_capa_len, + link_sta); + ++ ieee80211_sta_init_nss(link_sta); ++ + if (params->opmode_notif_used) { + /* returned value is only needed for rc update, but the + * rc isn't initialized here yet, so ignore it +@@ -1920,8 +1922,6 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + sband->band); + } + +- ieee80211_sta_init_nss(link_sta); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-init-cnt-before-accessing-elem-in-ieee.patch b/queue-6.12/wifi-mac80211-init-cnt-before-accessing-elem-in-ieee.patch new file mode 100644 index 00000000000..4b64313c339 --- /dev/null +++ b/queue-6.12/wifi-mac80211-init-cnt-before-accessing-elem-in-ieee.patch @@ -0,0 +1,46 @@ +From 5a46e36b4c4155488e3e8f91c2d846605330775a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Nov 2024 01:25:00 +0800 +Subject: wifi: mac80211: init cnt before accessing elem in + ieee80211_copy_mbssid_beacon + +From: Haoyu Li + +[ Upstream commit 496db69fd860570145f7c266b31f3af85fca5b00 ] + +With the new __counted_by annocation in cfg80211_mbssid_elems, +the "cnt" struct member must be set before accessing the "elem" +array. Failing to do so will trigger a runtime warning when enabling +CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. + +Fixes: c14679d7005a ("wifi: cfg80211: Annotate struct cfg80211_mbssid_elems with __counted_by") +Signed-off-by: Haoyu Li +Link: https://patch.msgid.link/20241123172500.311853-1-lihaoyu499@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 6dfc61a9acd4..242b718b1cd9 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1061,13 +1061,13 @@ ieee80211_copy_mbssid_beacon(u8 *pos, struct cfg80211_mbssid_elems *dst, + { + int i, offset = 0; + ++ dst->cnt = src->cnt; + for (i = 0; i < src->cnt; i++) { + memcpy(pos + offset, src->elem[i].data, src->elem[i].len); + dst->elem[i].len = src->elem[i].len; + dst->elem[i].data = pos + offset; + offset += dst->elem[i].len; + } +- dst->cnt = src->cnt; + + return offset; + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-nl80211-fix-nl80211_attr_mlo_link_id-off-by-one.patch b/queue-6.12/wifi-nl80211-fix-nl80211_attr_mlo_link_id-off-by-one.patch new file mode 100644 index 00000000000..0a4227cd7e7 --- /dev/null +++ b/queue-6.12/wifi-nl80211-fix-nl80211_attr_mlo_link_id-off-by-one.patch @@ -0,0 +1,77 @@ +From 502a8bf3c3a42d00f139debaed3c811da0d99433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Dec 2024 01:05:26 +0800 +Subject: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one + +From: Lin Ma + +[ Upstream commit 2e3dbf938656986cce73ac4083500d0bcfbffe24 ] + +Since the netlink attribute range validation provides inclusive +checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be +IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one. + +One crash stack for demonstration: +================================================================== +BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 +Read of size 6 at addr 001102080000000c by task fuzzer.386/9508 + +CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 + print_report+0xe0/0x750 mm/kasan/report.c:398 + kasan_report+0x139/0x170 mm/kasan/report.c:495 + kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 + memcpy+0x25/0x60 mm/kasan/shadow.c:65 + ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 + rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] + nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 + genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 + genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] + genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 + netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 + netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] + netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 + netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 + sock_sendmsg_nosec net/socket.c:716 [inline] + __sock_sendmsg net/socket.c:728 [inline] + ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 + ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 + __sys_sendmsg net/socket.c:2582 [inline] + __do_sys_sendmsg net/socket.c:2591 [inline] + __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Update the policy to ensure correct validation. + +Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") +Signed-off-by: Lin Ma +Suggested-by: Cengiz Can +Link: https://patch.msgid.link/20241130170526.96698-1-linma@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 9b1b9dc5a7eb..1e78f575fb56 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -814,7 +814,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_MLO_LINKS] = + NLA_POLICY_NESTED_ARRAY(nl80211_policy), + [NL80211_ATTR_MLO_LINK_ID] = +- NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS), ++ NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1), + [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN), + [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG }, + [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT }, +-- +2.39.5 +