From: Sasha Levin Date: Sat, 13 Jul 2024 16:34:05 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.1.99~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b8966c65bc9f9393b256714f2184039f1c087d2b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/arm-davinci-convert-comma-to-semicolon.patch b/queue-6.6/arm-davinci-convert-comma-to-semicolon.patch new file mode 100644 index 00000000000..75818e09361 --- /dev/null +++ b/queue-6.6/arm-davinci-convert-comma-to-semicolon.patch @@ -0,0 +1,36 @@ +From 2aab2a6cae3e4697bf2e972eb27d009aa1201038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 16:16:48 +0800 +Subject: ARM: davinci: Convert comma to semicolon + +From: Chen Ni + +[ Upstream commit acc3815db1a02d654fbc19726ceaadca0d7dd81c ] + +Replace a comma between expression statements by a semicolon. + +Fixes: efc1bb8a6fd5 ("davinci: add power management support") +Signed-off-by: Chen Ni +Acked-by: Bartosz Golaszewski +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-davinci/pm.c b/arch/arm/mach-davinci/pm.c +index 8aa39db095d76..2c5155bd376ba 100644 +--- a/arch/arm/mach-davinci/pm.c ++++ b/arch/arm/mach-davinci/pm.c +@@ -61,7 +61,7 @@ static void davinci_pm_suspend(void) + + /* Configure sleep count in deep sleep register */ + val = __raw_readl(pm_config.deepsleep_reg); +- val &= ~DEEPSLEEP_SLEEPCOUNT_MASK, ++ val &= ~DEEPSLEEP_SLEEPCOUNT_MASK; + val |= pm_config.sleepcount; + __raw_writel(val, pm_config.deepsleep_reg); + +-- +2.43.0 + diff --git a/queue-6.6/arm64-dts-qcom-sc8180x-fix-llcc-reg-property-again.patch b/queue-6.6/arm64-dts-qcom-sc8180x-fix-llcc-reg-property-again.patch new file mode 100644 index 00000000000..5ab09c9ce7c --- /dev/null +++ b/queue-6.6/arm64-dts-qcom-sc8180x-fix-llcc-reg-property-again.patch @@ -0,0 +1,54 @@ +From 9a2adefd1c51fee25ccf6a229a4a6fdf95d0e3b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 May 2024 10:44:11 -0700 +Subject: arm64: dts: qcom: sc8180x: Fix LLCC reg property again + +From: Bjorn Andersson + +[ Upstream commit 3df1627d8370a9c420b49743976b3eeba32afbbc ] + +Commit '74cf6675c35e ("arm64: dts: qcom: sc8180x: Fix LLCC reg +property")' transitioned the SC8180X LLCC node to describe each memory +region individually, but did not include all the regions. + +The result is that Linux fails to find the last regions, so extend the +definition to cover all the blocks. + +This also corrects the related DeviceTree validation error. + +Fixes: 74cf6675c35e ("arm64: dts: qcom: sc8180x: Fix LLCC reg property") +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240525-sc8180x-llcc-reg-fixup-v1-1-0c13d4ea94f2@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc8180x.dtsi b/arch/arm64/boot/dts/qcom/sc8180x.dtsi +index fbb9bf09078a0..dd207eb81360a 100644 +--- a/arch/arm64/boot/dts/qcom/sc8180x.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8180x.dtsi +@@ -2551,11 +2551,14 @@ + + system-cache-controller@9200000 { + compatible = "qcom,sc8180x-llcc"; +- reg = <0 0x09200000 0 0x50000>, <0 0x09280000 0 0x50000>, +- <0 0x09300000 0 0x50000>, <0 0x09380000 0 0x50000>, +- <0 0x09600000 0 0x50000>; ++ reg = <0 0x09200000 0 0x58000>, <0 0x09280000 0 0x58000>, ++ <0 0x09300000 0 0x58000>, <0 0x09380000 0 0x58000>, ++ <0 0x09400000 0 0x58000>, <0 0x09480000 0 0x58000>, ++ <0 0x09500000 0 0x58000>, <0 0x09580000 0 0x58000>, ++ <0 0x09600000 0 0x58000>; + reg-names = "llcc0_base", "llcc1_base", "llcc2_base", +- "llcc3_base", "llcc_broadcast_base"; ++ "llcc3_base", "llcc4_base", "llcc5_base", ++ "llcc6_base", "llcc7_base", "llcc_broadcast_base"; + interrupts = ; + }; + +-- +2.43.0 + diff --git a/queue-6.6/asoc-sof-intel-hda-fix-null-deref-on-system-suspend-.patch b/queue-6.6/asoc-sof-intel-hda-fix-null-deref-on-system-suspend-.patch new file mode 100644 index 00000000000..57b918415bb --- /dev/null +++ b/queue-6.6/asoc-sof-intel-hda-fix-null-deref-on-system-suspend-.patch @@ -0,0 +1,67 @@ +From 0a47be232b26985a23b64b51fbfc2403da4e2d84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 10:57:08 +0200 +Subject: ASoC: SOF: Intel: hda: fix null deref on system suspend entry + +From: Kai Vehmanen + +[ Upstream commit 9065693dcc13f287b9e4991f43aee70cf5538fdd ] + +When system enters suspend with an active stream, SOF core +calls hw_params_upon_resume(). On Intel platforms with HDA DMA used +to manage the link DMA, this leads to call chain of + + hda_dsp_set_hw_params_upon_resume() + -> hda_dsp_dais_suspend() + -> hda_dai_suspend() + -> hda_ipc4_post_trigger() + +A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, +which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() +is called with a NULL snd_pcm_substream pointer. + +Fixes: 2b009fa0823c ("ASoC: SOF: Intel: hda: Unify DAI drv ops for IPC3 and IPC4") +Link: https://github.com/thesofproject/linux/issues/5080 +Reviewed-by: Bard Liao +Signed-off-by: Kai Vehmanen +Signed-off-by: Pierre-Louis Bossart +Link: https://patch.msgid.link/20240704085708.371414-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda-dai.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c +index f3cefd8660812..19ec1a45737ea 100644 +--- a/sound/soc/sof/intel/hda-dai.c ++++ b/sound/soc/sof/intel/hda-dai.c +@@ -534,12 +534,6 @@ static int hda_dai_suspend(struct hdac_bus *bus) + sdai = swidget->private; + ops = sdai->platform_private; + +- ret = hda_link_dma_cleanup(hext_stream->link_substream, +- hext_stream, +- cpu_dai); +- if (ret < 0) +- return ret; +- + /* for consistency with TRIGGER_SUSPEND */ + if (ops->post_trigger) { + ret = ops->post_trigger(sdev, cpu_dai, +@@ -548,6 +542,12 @@ static int hda_dai_suspend(struct hdac_bus *bus) + if (ret < 0) + return ret; + } ++ ++ ret = hda_link_dma_cleanup(hext_stream->link_substream, ++ hext_stream, ++ cpu_dai); ++ if (ret < 0) ++ return ret; + } + } + +-- +2.43.0 + diff --git a/queue-6.6/firmware-cs_dsp-fix-overflow-checking-of-wmfw-header.patch b/queue-6.6/firmware-cs_dsp-fix-overflow-checking-of-wmfw-header.patch new file mode 100644 index 00000000000..c1e7c2d3d0f --- /dev/null +++ b/queue-6.6/firmware-cs_dsp-fix-overflow-checking-of-wmfw-header.patch @@ -0,0 +1,115 @@ +From 657cb18ba468f7740ce0bdfd2f5d0367e7d0bafa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:14:29 +0100 +Subject: firmware: cs_dsp: Fix overflow checking of wmfw header + +From: Richard Fitzgerald + +[ Upstream commit 3019b86bce16fbb5bc1964f3544d0ce7d0137278 ] + +Fix the checking that firmware file buffer is large enough for the +wmfw header, to prevent overrunning the buffer. + +The original code tested that the firmware data buffer contained +enough bytes for the sums of the size of the structs + + wmfw_header + wmfw_adsp1_sizes + wmfw_footer + +But wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and +Halo Core the equivalent struct is wmfw_adsp2_sizes, which is +4 bytes longer. So the length check didn't guarantee that there +are enough bytes in the firmware buffer for a header with +wmfw_adsp2_sizes. + +This patch splits the length check into three separate parts. Each +of the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked +separately before they are used. + +Signed-off-by: Richard Fitzgerald +Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") +Link: https://patch.msgid.link/20240627141432.93056-2-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 79d4254d1f9bc..f0c3c4011411d 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1267,6 +1267,10 @@ static unsigned int cs_dsp_adsp1_parse_sizes(struct cs_dsp *dsp, + const struct wmfw_adsp1_sizes *adsp1_sizes; + + adsp1_sizes = (void *)&firmware->data[pos]; ++ if (sizeof(*adsp1_sizes) > firmware->size - pos) { ++ cs_dsp_err(dsp, "%s: file truncated\n", file); ++ return 0; ++ } + + cs_dsp_dbg(dsp, "%s: %d DM, %d PM, %d ZM\n", file, + le32_to_cpu(adsp1_sizes->dm), le32_to_cpu(adsp1_sizes->pm), +@@ -1283,6 +1287,10 @@ static unsigned int cs_dsp_adsp2_parse_sizes(struct cs_dsp *dsp, + const struct wmfw_adsp2_sizes *adsp2_sizes; + + adsp2_sizes = (void *)&firmware->data[pos]; ++ if (sizeof(*adsp2_sizes) > firmware->size - pos) { ++ cs_dsp_err(dsp, "%s: file truncated\n", file); ++ return 0; ++ } + + cs_dsp_dbg(dsp, "%s: %d XM, %d YM %d PM, %d ZM\n", file, + le32_to_cpu(adsp2_sizes->xm), le32_to_cpu(adsp2_sizes->ym), +@@ -1322,7 +1330,6 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + struct regmap *regmap = dsp->regmap; + unsigned int pos = 0; + const struct wmfw_header *header; +- const struct wmfw_adsp1_sizes *adsp1_sizes; + const struct wmfw_footer *footer; + const struct wmfw_region *region; + const struct cs_dsp_region *mem; +@@ -1338,10 +1345,8 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + + ret = -EINVAL; + +- pos = sizeof(*header) + sizeof(*adsp1_sizes) + sizeof(*footer); +- if (pos >= firmware->size) { +- cs_dsp_err(dsp, "%s: file too short, %zu bytes\n", +- file, firmware->size); ++ if (sizeof(*header) >= firmware->size) { ++ ret = -EOVERFLOW; + goto out_fw; + } + +@@ -1369,13 +1374,16 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + + pos = sizeof(*header); + pos = dsp->ops->parse_sizes(dsp, file, pos, firmware); ++ if ((pos == 0) || (sizeof(*footer) > firmware->size - pos)) { ++ ret = -EOVERFLOW; ++ goto out_fw; ++ } + + footer = (void *)&firmware->data[pos]; + pos += sizeof(*footer); + + if (le32_to_cpu(header->len) != pos) { +- cs_dsp_err(dsp, "%s: unexpected header length %d\n", +- file, le32_to_cpu(header->len)); ++ ret = -EOVERFLOW; + goto out_fw; + } + +@@ -1501,6 +1509,9 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + cs_dsp_buf_free(&buf_list); + kfree(text); + ++ if (ret == -EOVERFLOW) ++ cs_dsp_err(dsp, "%s: file content overflows file data\n", file); ++ + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/firmware-cs_dsp-prevent-buffer-overrun-when-processi.patch b/queue-6.6/firmware-cs_dsp-prevent-buffer-overrun-when-processi.patch new file mode 100644 index 00000000000..597201aa57c --- /dev/null +++ b/queue-6.6/firmware-cs_dsp-prevent-buffer-overrun-when-processi.patch @@ -0,0 +1,265 @@ +From 434d604eb1a358b0f74f093d8eaac3265a632577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:14:32 +0100 +Subject: firmware: cs_dsp: Prevent buffer overrun when processing V2 alg + headers + +From: Richard Fitzgerald + +[ Upstream commit 2163aff6bebbb752edf73f79700f5e2095f3559e ] + +Check that all fields of a V2 algorithm header fit into the available +firmware data buffer. + +The wmfw V2 format introduced variable-length strings in the algorithm +block header. This means the overall header length is variable, and the +position of most fields varies depending on the length of the string +fields. Each field must be checked to ensure that it does not overflow +the firmware data buffer. + +As this ia bugfix patch, the fixes avoid making any significant change to +the existing code. This makes it easier to review and less likely to +introduce new bugs. + +Signed-off-by: Richard Fitzgerald +Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") +Link: https://patch.msgid.link/20240627141432.93056-5-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 144 ++++++++++++++++++++++++------- + 1 file changed, 113 insertions(+), 31 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 031fd3e4045ec..5eba9e913f7c3 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1053,9 +1053,16 @@ struct cs_dsp_coeff_parsed_coeff { + int len; + }; + +-static int cs_dsp_coeff_parse_string(int bytes, const u8 **pos, const u8 **str) ++static int cs_dsp_coeff_parse_string(int bytes, const u8 **pos, unsigned int avail, ++ const u8 **str) + { +- int length; ++ int length, total_field_len; ++ ++ /* String fields are at least one __le32 */ ++ if (sizeof(__le32) > avail) { ++ *pos = NULL; ++ return 0; ++ } + + switch (bytes) { + case 1: +@@ -1068,10 +1075,16 @@ static int cs_dsp_coeff_parse_string(int bytes, const u8 **pos, const u8 **str) + return 0; + } + ++ total_field_len = ((length + bytes) + 3) & ~0x03; ++ if ((unsigned int)total_field_len > avail) { ++ *pos = NULL; ++ return 0; ++ } ++ + if (str) + *str = *pos + bytes; + +- *pos += ((length + bytes) + 3) & ~0x03; ++ *pos += total_field_len; + + return length; + } +@@ -1096,51 +1109,100 @@ static int cs_dsp_coeff_parse_int(int bytes, const u8 **pos) + return val; + } + +-static inline void cs_dsp_coeff_parse_alg(struct cs_dsp *dsp, const u8 **data, +- struct cs_dsp_coeff_parsed_alg *blk) ++static int cs_dsp_coeff_parse_alg(struct cs_dsp *dsp, ++ const struct wmfw_region *region, ++ struct cs_dsp_coeff_parsed_alg *blk) + { + const struct wmfw_adsp_alg_data *raw; ++ unsigned int data_len = le32_to_cpu(region->len); ++ unsigned int pos; ++ const u8 *tmp; ++ ++ raw = (const struct wmfw_adsp_alg_data *)region->data; + + switch (dsp->fw_ver) { + case 0: + case 1: +- raw = (const struct wmfw_adsp_alg_data *)*data; +- *data = raw->data; ++ if (sizeof(*raw) > data_len) ++ return -EOVERFLOW; + + blk->id = le32_to_cpu(raw->id); + blk->name = raw->name; + blk->name_len = strlen(raw->name); + blk->ncoeff = le32_to_cpu(raw->ncoeff); ++ ++ pos = sizeof(*raw); + break; + default: +- blk->id = cs_dsp_coeff_parse_int(sizeof(raw->id), data); +- blk->name_len = cs_dsp_coeff_parse_string(sizeof(u8), data, ++ if (sizeof(raw->id) > data_len) ++ return -EOVERFLOW; ++ ++ tmp = region->data; ++ blk->id = cs_dsp_coeff_parse_int(sizeof(raw->id), &tmp); ++ pos = tmp - region->data; ++ ++ tmp = ®ion->data[pos]; ++ blk->name_len = cs_dsp_coeff_parse_string(sizeof(u8), &tmp, data_len - pos, + &blk->name); +- cs_dsp_coeff_parse_string(sizeof(u16), data, NULL); +- blk->ncoeff = cs_dsp_coeff_parse_int(sizeof(raw->ncoeff), data); ++ if (!tmp) ++ return -EOVERFLOW; ++ ++ pos = tmp - region->data; ++ cs_dsp_coeff_parse_string(sizeof(u16), &tmp, data_len - pos, NULL); ++ if (!tmp) ++ return -EOVERFLOW; ++ ++ pos = tmp - region->data; ++ if (sizeof(raw->ncoeff) > (data_len - pos)) ++ return -EOVERFLOW; ++ ++ blk->ncoeff = cs_dsp_coeff_parse_int(sizeof(raw->ncoeff), &tmp); ++ pos += sizeof(raw->ncoeff); + break; + } + ++ if ((int)blk->ncoeff < 0) ++ return -EOVERFLOW; ++ + cs_dsp_dbg(dsp, "Algorithm ID: %#x\n", blk->id); + cs_dsp_dbg(dsp, "Algorithm name: %.*s\n", blk->name_len, blk->name); + cs_dsp_dbg(dsp, "# of coefficient descriptors: %#x\n", blk->ncoeff); ++ ++ return pos; + } + +-static inline void cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, const u8 **data, +- struct cs_dsp_coeff_parsed_coeff *blk) ++static int cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, ++ const struct wmfw_region *region, ++ unsigned int pos, ++ struct cs_dsp_coeff_parsed_coeff *blk) + { + const struct wmfw_adsp_coeff_data *raw; ++ unsigned int data_len = le32_to_cpu(region->len); ++ unsigned int blk_len, blk_end_pos; + const u8 *tmp; +- int length; ++ ++ raw = (const struct wmfw_adsp_coeff_data *)®ion->data[pos]; ++ if (sizeof(raw->hdr) > (data_len - pos)) ++ return -EOVERFLOW; ++ ++ blk_len = le32_to_cpu(raw->hdr.size); ++ if (blk_len > S32_MAX) ++ return -EOVERFLOW; ++ ++ if (blk_len > (data_len - pos - sizeof(raw->hdr))) ++ return -EOVERFLOW; ++ ++ blk_end_pos = pos + sizeof(raw->hdr) + blk_len; ++ ++ blk->offset = le16_to_cpu(raw->hdr.offset); ++ blk->mem_type = le16_to_cpu(raw->hdr.type); + + switch (dsp->fw_ver) { + case 0: + case 1: +- raw = (const struct wmfw_adsp_coeff_data *)*data; +- *data = *data + sizeof(raw->hdr) + le32_to_cpu(raw->hdr.size); ++ if (sizeof(*raw) > (data_len - pos)) ++ return -EOVERFLOW; + +- blk->offset = le16_to_cpu(raw->hdr.offset); +- blk->mem_type = le16_to_cpu(raw->hdr.type); + blk->name = raw->name; + blk->name_len = strlen(raw->name); + blk->ctl_type = le16_to_cpu(raw->ctl_type); +@@ -1148,19 +1210,33 @@ static inline void cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, const u8 **data, + blk->len = le32_to_cpu(raw->len); + break; + default: +- tmp = *data; +- blk->offset = cs_dsp_coeff_parse_int(sizeof(raw->hdr.offset), &tmp); +- blk->mem_type = cs_dsp_coeff_parse_int(sizeof(raw->hdr.type), &tmp); +- length = cs_dsp_coeff_parse_int(sizeof(raw->hdr.size), &tmp); +- blk->name_len = cs_dsp_coeff_parse_string(sizeof(u8), &tmp, ++ pos += sizeof(raw->hdr); ++ tmp = ®ion->data[pos]; ++ blk->name_len = cs_dsp_coeff_parse_string(sizeof(u8), &tmp, data_len - pos, + &blk->name); +- cs_dsp_coeff_parse_string(sizeof(u8), &tmp, NULL); +- cs_dsp_coeff_parse_string(sizeof(u16), &tmp, NULL); ++ if (!tmp) ++ return -EOVERFLOW; ++ ++ pos = tmp - region->data; ++ cs_dsp_coeff_parse_string(sizeof(u8), &tmp, data_len - pos, NULL); ++ if (!tmp) ++ return -EOVERFLOW; ++ ++ pos = tmp - region->data; ++ cs_dsp_coeff_parse_string(sizeof(u16), &tmp, data_len - pos, NULL); ++ if (!tmp) ++ return -EOVERFLOW; ++ ++ pos = tmp - region->data; ++ if (sizeof(raw->ctl_type) + sizeof(raw->flags) + sizeof(raw->len) > ++ (data_len - pos)) ++ return -EOVERFLOW; ++ + blk->ctl_type = cs_dsp_coeff_parse_int(sizeof(raw->ctl_type), &tmp); ++ pos += sizeof(raw->ctl_type); + blk->flags = cs_dsp_coeff_parse_int(sizeof(raw->flags), &tmp); ++ pos += sizeof(raw->flags); + blk->len = cs_dsp_coeff_parse_int(sizeof(raw->len), &tmp); +- +- *data = *data + sizeof(raw->hdr) + length; + break; + } + +@@ -1170,6 +1246,8 @@ static inline void cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, const u8 **data, + cs_dsp_dbg(dsp, "\tCoefficient flags: %#x\n", blk->flags); + cs_dsp_dbg(dsp, "\tALSA control type: %#x\n", blk->ctl_type); + cs_dsp_dbg(dsp, "\tALSA control len: %#x\n", blk->len); ++ ++ return blk_end_pos; + } + + static int cs_dsp_check_coeff_flags(struct cs_dsp *dsp, +@@ -1193,12 +1271,16 @@ static int cs_dsp_parse_coeff(struct cs_dsp *dsp, + struct cs_dsp_alg_region alg_region = {}; + struct cs_dsp_coeff_parsed_alg alg_blk; + struct cs_dsp_coeff_parsed_coeff coeff_blk; +- const u8 *data = region->data; +- int i, ret; ++ int i, pos, ret; ++ ++ pos = cs_dsp_coeff_parse_alg(dsp, region, &alg_blk); ++ if (pos < 0) ++ return pos; + +- cs_dsp_coeff_parse_alg(dsp, &data, &alg_blk); + for (i = 0; i < alg_blk.ncoeff; i++) { +- cs_dsp_coeff_parse_coeff(dsp, &data, &coeff_blk); ++ pos = cs_dsp_coeff_parse_coeff(dsp, region, pos, &coeff_blk); ++ if (pos < 0) ++ return pos; + + switch (coeff_blk.ctl_type) { + case WMFW_CTL_TYPE_BYTES: +-- +2.43.0 + diff --git a/queue-6.6/firmware-cs_dsp-return-error-if-block-header-overflo.patch b/queue-6.6/firmware-cs_dsp-return-error-if-block-header-overflo.patch new file mode 100644 index 00000000000..28ac14a3fbf --- /dev/null +++ b/queue-6.6/firmware-cs_dsp-return-error-if-block-header-overflo.patch @@ -0,0 +1,65 @@ +From 777cdb6e68ad8c793e71749cab2fb4ee3f97e353 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:14:30 +0100 +Subject: firmware: cs_dsp: Return error if block header overflows file + +From: Richard Fitzgerald + +[ Upstream commit 959fe01e85b7241e3ec305d657febbe82da16a02 ] + +Return an error from cs_dsp_power_up() if a block header is longer +than the amount of data left in the file. + +The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop +while there was enough data left in the file for a valid region. This +protected against overrunning the end of the file data, but it didn't +abort the file processing with an error. + +Signed-off-by: Richard Fitzgerald +Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") +Link: https://patch.msgid.link/20240627141432.93056-3-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index f0c3c4011411d..28d24cf4456da 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1390,8 +1390,13 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + cs_dsp_dbg(dsp, "%s: timestamp %llu\n", file, + le64_to_cpu(footer->timestamp)); + +- while (pos < firmware->size && +- sizeof(*region) < firmware->size - pos) { ++ while (pos < firmware->size) { ++ /* Is there enough data for a complete block header? */ ++ if (sizeof(*region) > firmware->size - pos) { ++ ret = -EOVERFLOW; ++ goto out_fw; ++ } ++ + region = (void *)&(firmware->data[pos]); + region_name = "Unknown"; + reg = 0; +@@ -2079,8 +2084,13 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + pos = le32_to_cpu(hdr->len); + + blocks = 0; +- while (pos < firmware->size && +- sizeof(*blk) < firmware->size - pos) { ++ while (pos < firmware->size) { ++ /* Is there enough data for a complete block header? */ ++ if (sizeof(*blk) > firmware->size - pos) { ++ ret = -EOVERFLOW; ++ goto out_fw; ++ } ++ + blk = (void *)(&firmware->data[pos]); + + type = le16_to_cpu(blk->type); +-- +2.43.0 + diff --git a/queue-6.6/firmware-cs_dsp-use-strnlen-on-name-fields-in-v1-wmf.patch b/queue-6.6/firmware-cs_dsp-use-strnlen-on-name-fields-in-v1-wmf.patch new file mode 100644 index 00000000000..ab88fd004ee --- /dev/null +++ b/queue-6.6/firmware-cs_dsp-use-strnlen-on-name-fields-in-v1-wmf.patch @@ -0,0 +1,50 @@ +From b6b9660062b2feb82fcb26153cedb72a7a01d58c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 15:48:55 +0100 +Subject: firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files + +From: Richard Fitzgerald + +[ Upstream commit 680e126ec0400f6daecf0510c5bb97a55779ff03 ] + +Use strnlen() instead of strlen() on the algorithm and coefficient name +string arrays in V1 wmfw files. + +In V1 wmfw files the name is a NUL-terminated string in a fixed-size +array. cs_dsp should protect against overrunning the array if the NUL +terminator is missing. + +Signed-off-by: Richard Fitzgerald +Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") +Link: https://patch.msgid.link/20240708144855.385332-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 5eba9e913f7c3..bd1651e709365 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1128,7 +1128,7 @@ static int cs_dsp_coeff_parse_alg(struct cs_dsp *dsp, + + blk->id = le32_to_cpu(raw->id); + blk->name = raw->name; +- blk->name_len = strlen(raw->name); ++ blk->name_len = strnlen(raw->name, ARRAY_SIZE(raw->name)); + blk->ncoeff = le32_to_cpu(raw->ncoeff); + + pos = sizeof(*raw); +@@ -1204,7 +1204,7 @@ static int cs_dsp_coeff_parse_coeff(struct cs_dsp *dsp, + return -EOVERFLOW; + + blk->name = raw->name; +- blk->name_len = strlen(raw->name); ++ blk->name_len = strnlen(raw->name, ARRAY_SIZE(raw->name)); + blk->ctl_type = le16_to_cpu(raw->ctl_type); + blk->flags = le16_to_cpu(raw->flags); + blk->len = le32_to_cpu(raw->len); +-- +2.43.0 + diff --git a/queue-6.6/firmware-cs_dsp-validate-payload-length-before-proce.patch b/queue-6.6/firmware-cs_dsp-validate-payload-length-before-proce.patch new file mode 100644 index 00000000000..870f01acc0f --- /dev/null +++ b/queue-6.6/firmware-cs_dsp-validate-payload-length-before-proce.patch @@ -0,0 +1,104 @@ +From c443fdcf4b4ee9f4c0dea01cc98538c4f88dcdaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:14:31 +0100 +Subject: firmware: cs_dsp: Validate payload length before processing block + +From: Richard Fitzgerald + +[ Upstream commit 6598afa9320b6ab13041616950ca5f8f938c0cf1 ] + +Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() +to be done before the block is processed. + +The check that the length of a block payload does not exceed the number +of remaining bytes in the firwmware file buffer was being done near the +end of the loop iteration. However, some code before that check used the +length field without validating it. + +Signed-off-by: Richard Fitzgerald +Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") +Link: https://patch.msgid.link/20240627141432.93056-4-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 36 +++++++++++++------------------- + 1 file changed, 15 insertions(+), 21 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 28d24cf4456da..031fd3e4045ec 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1398,6 +1398,12 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + } + + region = (void *)&(firmware->data[pos]); ++ ++ if (le32_to_cpu(region->len) > firmware->size - pos - sizeof(*region)) { ++ ret = -EOVERFLOW; ++ goto out_fw; ++ } ++ + region_name = "Unknown"; + reg = 0; + text = NULL; +@@ -1454,16 +1460,6 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + regions, le32_to_cpu(region->len), offset, + region_name); + +- if (le32_to_cpu(region->len) > +- firmware->size - pos - sizeof(*region)) { +- cs_dsp_err(dsp, +- "%s.%d: %s region len %d bytes exceeds file length %zu\n", +- file, regions, region_name, +- le32_to_cpu(region->len), firmware->size); +- ret = -EINVAL; +- goto out_fw; +- } +- + if (text) { + memcpy(text, region->data, le32_to_cpu(region->len)); + cs_dsp_info(dsp, "%s: %s\n", file, text); +@@ -2093,6 +2089,11 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + + blk = (void *)(&firmware->data[pos]); + ++ if (le32_to_cpu(blk->len) > firmware->size - pos - sizeof(*blk)) { ++ ret = -EOVERFLOW; ++ goto out_fw; ++ } ++ + type = le16_to_cpu(blk->type); + offset = le16_to_cpu(blk->offset); + version = le32_to_cpu(blk->ver) >> 8; +@@ -2189,17 +2190,6 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + } + + if (reg) { +- if (le32_to_cpu(blk->len) > +- firmware->size - pos - sizeof(*blk)) { +- cs_dsp_err(dsp, +- "%s.%d: %s region len %d bytes exceeds file length %zu\n", +- file, blocks, region_name, +- le32_to_cpu(blk->len), +- firmware->size); +- ret = -EINVAL; +- goto out_fw; +- } +- + buf = cs_dsp_buf_alloc(blk->data, + le32_to_cpu(blk->len), + &buf_list); +@@ -2239,6 +2229,10 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + regmap_async_complete(regmap); + cs_dsp_buf_free(&buf_list); + kfree(text); ++ ++ if (ret == -EOVERFLOW) ++ cs_dsp_err(dsp, "%s: file content overflows file data\n", file); ++ + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.6/i40e-fix-remove-needless-retries-of-nvm-update.patch b/queue-6.6/i40e-fix-remove-needless-retries-of-nvm-update.patch new file mode 100644 index 00000000000..5b68a06fa08 --- /dev/null +++ b/queue-6.6/i40e-fix-remove-needless-retries-of-nvm-update.patch @@ -0,0 +1,68 @@ +From bd4a1d0a8445ff8bdc4d82484e540af8abbf0ea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 15:44:54 -0700 +Subject: i40e: fix: remove needless retries of NVM update + +From: Aleksandr Loktionov + +[ Upstream commit 8b9b59e27aa88ba133fbac85def3f8be67f2d5a8 ] + +Remove wrong EIO to EGAIN conversion and pass all errors as is. + +After commit 230f3d53a547 ("i40e: remove i40e_status"), which should only +replace F/W specific error codes with Linux kernel generic, all EIO errors +suddenly started to be converted into EAGAIN which leads nvmupdate to retry +until it timeouts and sometimes fails after more than 20 minutes in the +middle of NVM update, so NVM becomes corrupted. + +The bug affects users only at the time when they try to update NVM, and +only F/W versions that generate errors while nvmupdate. For example, X710DA2 +with 0x8000ECB7 F/W is affected, but there are probably more... + +Command for reproduction is just NVM update: + ./nvmupdate64 + +In the log instead of: + i40e_nvmupd_exec_aq err I40E_ERR_ADMIN_QUEUE_ERROR aq_err I40E_AQ_RC_ENOMEM) +appears: + i40e_nvmupd_exec_aq err -EIO aq_err I40E_AQ_RC_ENOMEM + i40e: eeprom check failed (-5), Tx/Rx traffic disabled + +The problematic code did silently convert EIO into EAGAIN which forced +nvmupdate to ignore EAGAIN error and retry the same operation until timeout. +That's why NVM update takes 20+ minutes to finish with the fail in the end. + +Fixes: 230f3d53a547 ("i40e: remove i40e_status") +Co-developed-by: Kelvin Kang +Signed-off-by: Kelvin Kang +Reviewed-by: Arkadiusz Kubalewski +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20240710224455.188502-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_adminq.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq.h b/drivers/net/ethernet/intel/i40e/i40e_adminq.h +index 80125bea80a2a..290c23cec2fca 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_adminq.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq.h +@@ -116,10 +116,6 @@ static inline int i40e_aq_rc_to_posix(int aq_ret, int aq_rc) + -EFBIG, /* I40E_AQ_RC_EFBIG */ + }; + +- /* aq_rc is invalid if AQ timed out */ +- if (aq_ret == -EIO) +- return -EAGAIN; +- + if (!((u32)aq_rc < (sizeof(aq_to_posix) / sizeof((aq_to_posix)[0])))) + return -ERANGE; + +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-fix-a-issue-with-cpt_lf_alloc-mailbox.patch b/queue-6.6/octeontx2-af-fix-a-issue-with-cpt_lf_alloc-mailbox.patch new file mode 100644 index 00000000000..5e93720863c --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-a-issue-with-cpt_lf_alloc-mailbox.patch @@ -0,0 +1,37 @@ +From df30b3f7a27d4f907fd3187122aa88fdd980213a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 13:21:24 +0530 +Subject: octeontx2-af: fix a issue with cpt_lf_alloc mailbox + +From: Srujana Challa + +[ Upstream commit 845fe19139ab5a1ee303a3bee327e3191c3938af ] + +This patch fixes CPT_LF_ALLOC mailbox error due to +incompatible mailbox message format. Specifically, it +corrects the `blkaddr` field type from `int` to `u8`. + +Fixes: de2854c87c64 ("octeontx2-af: Mailbox changes for 98xx CPT block") +Signed-off-by: Srujana Challa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/mbox.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h +index 4c73575fba7be..e883c0929b1a9 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h +@@ -1661,7 +1661,7 @@ struct cpt_lf_alloc_req_msg { + u16 nix_pf_func; + u16 sso_pf_func; + u16 eng_grpmsk; +- int blkaddr; ++ u8 blkaddr; + u8 ctx_ilen_valid : 1; + u8 ctx_ilen : 7; + }; +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-fix-detection-of-ip-layer.patch b/queue-6.6/octeontx2-af-fix-detection-of-ip-layer.patch new file mode 100644 index 00000000000..104fd11de76 --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-detection-of-ip-layer.patch @@ -0,0 +1,52 @@ +From 7455734f91e0fdde8e931c48bfb3694ca917d91d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 13:21:25 +0530 +Subject: octeontx2-af: fix detection of IP layer + +From: Michal Mazur + +[ Upstream commit 404dc0fd6fb0bb942b18008c6f8c0320b80aca20 ] + +Checksum and length checks are not enabled for IPv4 header with +options and IPv6 with extension headers. +To fix this a change in enum npc_kpu_lc_ltype is required which will +allow adjustment of LTYPE_MASK to detect all types of IP headers. + +Fixes: 21e6699e5cd6 ("octeontx2-af: Add NPC KPU profile") +Signed-off-by: Michal Mazur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/npc.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/npc.h b/drivers/net/ethernet/marvell/octeontx2/af/npc.h +index c92c3f4631d54..2c028a81bbc51 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/npc.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/npc.h +@@ -63,8 +63,13 @@ enum npc_kpu_lb_ltype { + NPC_LT_LB_CUSTOM1 = 0xF, + }; + ++/* Don't modify ltypes up to IP6_EXT, otherwise length and checksum of IP ++ * headers may not be checked correctly. IPv4 ltypes and IPv6 ltypes must ++ * differ only at bit 0 so mask 0xE can be used to detect extended headers. ++ */ + enum npc_kpu_lc_ltype { +- NPC_LT_LC_IP = 1, ++ NPC_LT_LC_PTP = 1, ++ NPC_LT_LC_IP, + NPC_LT_LC_IP_OPT, + NPC_LT_LC_IP6, + NPC_LT_LC_IP6_EXT, +@@ -72,7 +77,6 @@ enum npc_kpu_lc_ltype { + NPC_LT_LC_RARP, + NPC_LT_LC_MPLS, + NPC_LT_LC_NSH, +- NPC_LT_LC_PTP, + NPC_LT_LC_FCOE, + NPC_LT_LC_NGIO, + NPC_LT_LC_CUSTOM0 = 0xE, +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch b/queue-6.6/octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch new file mode 100644 index 00000000000..bd811f32426 --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch @@ -0,0 +1,57 @@ +From 58759399682423f9c97551415a71ac4007f6c5d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 13:21:27 +0530 +Subject: octeontx2-af: fix issue with IPv4 match for RSS + +From: Satheesh Paul + +[ Upstream commit 60795bbf047654c9f8ae88d34483233a56033578 ] + +While performing RSS based on IPv4, packets with +IPv4 options are not being considered. Adding changes +to match both plain IPv4 and IPv4 with option header. + +Fixes: 41a7aa7b800d ("octeontx2-af: NIX Rx flowkey configuration for RSS") +Signed-off-by: Satheesh Paul +Reviewed-by: Kalesh AP +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index e7ef07f1f0bb9..a07e5c8786c4b 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -3519,6 +3519,8 @@ static int get_flowkey_alg_idx(struct nix_hw *nix_hw, u32 flow_cfg) + + /* Mask to match ipv6(NPC_LT_LC_IP6) and ipv6 ext(NPC_LT_LC_IP6_EXT) */ + #define NPC_LT_LC_IP6_MATCH_MSK ((~(NPC_LT_LC_IP6 ^ NPC_LT_LC_IP6_EXT)) & 0xf) ++/* Mask to match both ipv4(NPC_LT_LC_IP) and ipv4 ext(NPC_LT_LC_IP_OPT) */ ++#define NPC_LT_LC_IP_MATCH_MSK ((~(NPC_LT_LC_IP ^ NPC_LT_LC_IP_OPT)) & 0xf) + + static int set_flowkey_fields(struct nix_rx_flowkey_alg *alg, u32 flow_cfg) + { +@@ -3589,7 +3591,7 @@ static int set_flowkey_fields(struct nix_rx_flowkey_alg *alg, u32 flow_cfg) + field->hdr_offset = 9; /* offset */ + field->bytesm1 = 0; /* 1 byte */ + field->ltype_match = NPC_LT_LC_IP; +- field->ltype_mask = 0xF; ++ field->ltype_mask = NPC_LT_LC_IP_MATCH_MSK; + break; + case NIX_FLOW_KEY_TYPE_IPV4: + case NIX_FLOW_KEY_TYPE_INNR_IPV4: +@@ -3616,8 +3618,7 @@ static int set_flowkey_fields(struct nix_rx_flowkey_alg *alg, u32 flow_cfg) + field->bytesm1 = 3; /* DIP, 4 bytes */ + } + } +- +- field->ltype_mask = 0xF; /* Match only IPv4 */ ++ field->ltype_mask = NPC_LT_LC_IP_MATCH_MSK; + keyoff_marker = false; + break; + case NIX_FLOW_KEY_TYPE_IPV6: +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch b/queue-6.6/octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch new file mode 100644 index 00000000000..5e80444cad6 --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch @@ -0,0 +1,50 @@ +From aec81c7c8d788a734c3350eaa83e85ef9ab44b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 13:21:26 +0530 +Subject: octeontx2-af: fix issue with IPv6 ext match for RSS + +From: Kiran Kumar K + +[ Upstream commit e23ac1095b9eb8ac48f98c398d81d6ba062c9b5d ] + +While performing RSS based on IPv6, extension ltype +is not being considered. This will be problem for +fragmented packets or packets with extension header. +Adding changes to match IPv6 ext header along with IPv6 +ltype. + +Fixes: 41a7aa7b800d ("octeontx2-af: NIX Rx flowkey configuration for RSS") +Signed-off-by: Kiran Kumar K +Reviewed-by: Kalesh AP +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index f6f6d7c04e8bf..e7ef07f1f0bb9 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -3517,6 +3517,9 @@ static int get_flowkey_alg_idx(struct nix_hw *nix_hw, u32 flow_cfg) + return -ERANGE; + } + ++/* Mask to match ipv6(NPC_LT_LC_IP6) and ipv6 ext(NPC_LT_LC_IP6_EXT) */ ++#define NPC_LT_LC_IP6_MATCH_MSK ((~(NPC_LT_LC_IP6 ^ NPC_LT_LC_IP6_EXT)) & 0xf) ++ + static int set_flowkey_fields(struct nix_rx_flowkey_alg *alg, u32 flow_cfg) + { + int idx, nr_field, key_off, field_marker, keyoff_marker; +@@ -3643,7 +3646,7 @@ static int set_flowkey_fields(struct nix_rx_flowkey_alg *alg, u32 flow_cfg) + field->bytesm1 = 15; /* DIP,16 bytes */ + } + } +- field->ltype_mask = 0xF; /* Match only IPv6 */ ++ field->ltype_mask = NPC_LT_LC_IP6_MATCH_MSK; + break; + case NIX_FLOW_KEY_TYPE_TCP: + case NIX_FLOW_KEY_TYPE_UDP: +-- +2.43.0 + diff --git a/queue-6.6/octeontx2-af-replace-cpt-slot-with-lf-id-on-reg-writ.patch b/queue-6.6/octeontx2-af-replace-cpt-slot-with-lf-id-on-reg-writ.patch new file mode 100644 index 00000000000..caaa5fdfc10 --- /dev/null +++ b/queue-6.6/octeontx2-af-replace-cpt-slot-with-lf-id-on-reg-writ.patch @@ -0,0 +1,71 @@ +From 9cf47272b8f08475de85adeb7a9e38bde399ca3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 13:21:23 +0530 +Subject: octeontx2-af: replace cpt slot with lf id on reg write + +From: Nithin Dabilpuram + +[ Upstream commit bc35e28af7890085dcbe5cc32373647dfb4d9af9 ] + +Replace slot id with global CPT lf id on reg read/write as +CPTPF/VF driver would send slot number instead of global +lf id in the reg offset. And also update the mailbox response +with the global lf's register offset. + +Fixes: ae454086e3c2 ("octeontx2-af: add mailbox interface for CPT") +Signed-off-by: Nithin Dabilpuram +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 +++++++++++++------ + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c +index f047185f38e0f..3e09d22858147 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c +@@ -696,7 +696,8 @@ int rvu_mbox_handler_cpt_rd_wr_register(struct rvu *rvu, + struct cpt_rd_wr_reg_msg *req, + struct cpt_rd_wr_reg_msg *rsp) + { +- int blkaddr; ++ u64 offset = req->reg_offset; ++ int blkaddr, lf; + + blkaddr = validate_and_get_cpt_blkaddr(req->blkaddr); + if (blkaddr < 0) +@@ -707,17 +708,25 @@ int rvu_mbox_handler_cpt_rd_wr_register(struct rvu *rvu, + !is_cpt_vf(rvu, req->hdr.pcifunc)) + return CPT_AF_ERR_ACCESS_DENIED; + +- rsp->reg_offset = req->reg_offset; +- rsp->ret_val = req->ret_val; +- rsp->is_write = req->is_write; +- + if (!is_valid_offset(rvu, req)) + return CPT_AF_ERR_ACCESS_DENIED; + ++ /* Translate local LF used by VFs to global CPT LF */ ++ lf = rvu_get_lf(rvu, &rvu->hw->block[blkaddr], req->hdr.pcifunc, ++ (offset & 0xFFF) >> 3); ++ ++ /* Translate local LF's offset to global CPT LF's offset */ ++ offset &= 0xFF000; ++ offset += lf << 3; ++ ++ rsp->reg_offset = offset; ++ rsp->ret_val = req->ret_val; ++ rsp->is_write = req->is_write; ++ + if (req->is_write) +- rvu_write64(rvu, blkaddr, req->reg_offset, req->val); ++ rvu_write64(rvu, blkaddr, offset, req->val); + else +- rsp->val = rvu_read64(rvu, blkaddr, req->reg_offset); ++ rsp->val = rvu_read64(rvu, blkaddr, offset); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch new file mode 100644 index 00000000000..3eae4e88bdc --- /dev/null +++ b/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch @@ -0,0 +1,47 @@ +From 498c077e53fb9da9f58d701a6f5e8c1670afaa22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 16:30:01 +0200 +Subject: s390: Mark psw in __load_psw_mask() as __unitialized + +From: Sven Schnelle + +[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ] + +Without __unitialized, the following code is generated when +INIT_STACK_ALL_ZERO is enabled: + +86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15) +8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15) +92: c0 10 00 00 00 08 larl %r1, 0xa2 +98: e3 10 f0 a8 00 24 stg %r1, 168(%r15) +9e: b2 b2 f0 a0 lpswe 160(%r15) + +The xc is not adding any security because psw is fully initialized +with the following instructions. Add __unitialized to the psw +definitiation to avoid the superfluous clearing of psw. + +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h +index dc17896a001a9..e7338ed540d8f 100644 +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -308,8 +308,8 @@ static inline void __load_psw(psw_t psw) + */ + static __always_inline void __load_psw_mask(unsigned long mask) + { ++ psw_t psw __uninitialized; + unsigned long addr; +- psw_t psw; + + psw.mask = mask; + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index bd88a2a59d4..6e79659ec45 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -33,3 +33,18 @@ ethtool-netlink-do-not-return-sqi-value-if-link-is-d.patch udp-set-sock_rcu_free-earlier-in-udp_lib_get_port.patch net-sched-fix-uaf-when-resolving-a-clash.patch net-sunrpc-remap-eperm-in-case-of-connection-failure.patch +s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch +arm64-dts-qcom-sc8180x-fix-llcc-reg-property-again.patch +firmware-cs_dsp-fix-overflow-checking-of-wmfw-header.patch +firmware-cs_dsp-return-error-if-block-header-overflo.patch +firmware-cs_dsp-validate-payload-length-before-proce.patch +firmware-cs_dsp-prevent-buffer-overrun-when-processi.patch +asoc-sof-intel-hda-fix-null-deref-on-system-suspend-.patch +firmware-cs_dsp-use-strnlen-on-name-fields-in-v1-wmf.patch +arm-davinci-convert-comma-to-semicolon.patch +i40e-fix-remove-needless-retries-of-nvm-update.patch +octeontx2-af-replace-cpt-slot-with-lf-id-on-reg-writ.patch +octeontx2-af-fix-a-issue-with-cpt_lf_alloc-mailbox.patch +octeontx2-af-fix-detection-of-ip-layer.patch +octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch +octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch