From: Sasha Levin Date: Sat, 28 Oct 2023 02:53:49 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.1.61~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c302388bbaa855b276406ffb651039279f6c5e3d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch b/queue-6.1/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch new file mode 100644 index 00000000000..6e0b87cb1ff --- /dev/null +++ b/queue-6.1/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch @@ -0,0 +1,84 @@ +From f875620bf95ebde0b34a461e5d6766e117fd3ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 17:16:03 -0700 +Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ] + +Fix kernel-doc warnings reported by the kernel test robot: + +timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; ' +timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64' +timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k' +timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k' +timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k' +timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k' + +Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement") +Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/ +Cc: Arnd Bergmann +Cc: Vaibhav Hiremath +Cc: Felipe Balbi +Cc: Tony Lindgren +Cc: Xunlei Pang +Cc: John Stultz +Cc: Ingo Molnar +Cc: Aaro Koskinen +Cc: Janusz Krzysztofik +Cc: linux-omap@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Message-ID: <20231007001603.24972-1-rdunlap@infradead.org> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/timer32k.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c +index 410d17d1d4431..f618a6df29382 100644 +--- a/arch/arm/mach-omap1/timer32k.c ++++ b/arch/arm/mach-omap1/timer32k.c +@@ -176,17 +176,18 @@ static u64 notrace omap_32k_read_sched_clock(void) + return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0; + } + ++static struct timespec64 persistent_ts; ++static cycles_t cycles; ++static unsigned int persistent_mult, persistent_shift; ++ + /** + * omap_read_persistent_clock64 - Return time from a persistent clock. ++ * @ts: &struct timespec64 for the returned time + * + * Reads the time from a source which isn't disabled during PM, the + * 32k sync timer. Convert the cycles elapsed since last read into + * nsecs and adds to a monotonically increasing timespec64. + */ +-static struct timespec64 persistent_ts; +-static cycles_t cycles; +-static unsigned int persistent_mult, persistent_shift; +- + static void omap_read_persistent_clock64(struct timespec64 *ts) + { + unsigned long long nsecs; +@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts) + /** + * omap_init_clocksource_32k - setup and register counter 32k as a + * kernel clocksource +- * @pbase: base addr of counter_32k module +- * @size: size of counter_32k to map ++ * @vbase: base addr of counter_32k module + * +- * Returns 0 upon success or negative error code upon failure. ++ * Returns: %0 upon success or negative error code upon failure. + * + */ + static int __init omap_init_clocksource_32k(void __iomem *vbase) +-- +2.42.0 + diff --git a/queue-6.1/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch b/queue-6.1/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch new file mode 100644 index 00000000000..ac255d3f5ce --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch @@ -0,0 +1,51 @@ +From d780a9e16872a923cbe7c7288982b53719f8e08b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 12:47:26 +0100 +Subject: arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399 + +From: Christopher Obbard + +[ Upstream commit 3975e72b164dc8347a28dd0d5f11b346af534635 ] + +Commit 0efaf8078393 ("arm64: dts: rockchip: add i2s0-2ch-bus pins on +rk3399") introduced a pinctl for i2s0 in two-channel mode. Commit +91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399") +modified i2s0 to switch the corresponding pins off when idle. + +Although an idle pinctrl node was added for i2s0 in 8-channel mode, a +similar idle pinctrl node for i2s0 in 2-channel mode was not added. Add +it. + +Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399") +Signed-off-by: Christopher Obbard +Link: https://lore.kernel.org/r/20231013114737.494410-2-chris.obbard@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +index 5f3caf01badeb..d6e6147652f36 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +@@ -2406,6 +2406,16 @@ + <4 RK_PA0 1 &pcfg_pull_none>; + }; + ++ i2s0_2ch_bus_bclk_off: i2s0-2ch-bus-bclk-off { ++ rockchip,pins = ++ <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>, ++ <3 RK_PD1 1 &pcfg_pull_none>, ++ <3 RK_PD2 1 &pcfg_pull_none>, ++ <3 RK_PD3 1 &pcfg_pull_none>, ++ <3 RK_PD7 1 &pcfg_pull_none>, ++ <4 RK_PA0 1 &pcfg_pull_none>; ++ }; ++ + i2s0_8ch_bus: i2s0-8ch-bus { + rockchip,pins = + <3 RK_PD0 1 &pcfg_pull_none>, +-- +2.42.0 + diff --git a/queue-6.1/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch b/queue-6.1/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch new file mode 100644 index 00000000000..ae57bfbc83b --- /dev/null +++ b/queue-6.1/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch @@ -0,0 +1,103 @@ +From 6b6c11f8c82d1e1eef324a5638becdbafaed3da7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 10:15:56 +0300 +Subject: clk: ti: Fix missing omap4 mcbsp functional clock and aliases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tony Lindgren + +[ Upstream commit cc2d819dd7df94a72bde7b9b9331a6535084092d ] + +We are using a wrong mcbsp functional clock. The interconnect target module +driver provided clock for mcbsp is not same as the mcbsp functional clock +known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should +have been added before we dropped the legacy platform data. + +Additionally we are also missing the clock aliases for the clocks used by +the audio driver if reparenting is needed. This causes audio driver errors +like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas. +The mcbsp clock aliases too should have been added before we dropped the +legacy platform data. + +Let's add the clocks and aliases with a single patch to fix the issue. + +Fixes: 349355ce3a05 ("ARM: OMAP2+: Drop legacy platform data for omap4 mcbsp") +Reported-by: Andreas Kemnade +Reported-by: Péter Ujfalusi +Acked-by: Stephen Boyd +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4-l4-abe.dtsi | 6 ++++++ + arch/arm/boot/dts/omap4-l4.dtsi | 2 ++ + drivers/clk/ti/clk-44xx.c | 5 +++++ + 3 files changed, 13 insertions(+) + +diff --git a/arch/arm/boot/dts/omap4-l4-abe.dtsi b/arch/arm/boot/dts/omap4-l4-abe.dtsi +index 7ae8b620515c5..59f546a278f87 100644 +--- a/arch/arm/boot/dts/omap4-l4-abe.dtsi ++++ b/arch/arm/boot/dts/omap4-l4-abe.dtsi +@@ -109,6 +109,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49022000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP1_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -142,6 +144,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49024000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP2_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -175,6 +179,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49026000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP3_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +diff --git a/arch/arm/boot/dts/omap4-l4.dtsi b/arch/arm/boot/dts/omap4-l4.dtsi +index 46b8f9efd4131..3fcef3080eaec 100644 +--- a/arch/arm/boot/dts/omap4-l4.dtsi ++++ b/arch/arm/boot/dts/omap4-l4.dtsi +@@ -2043,6 +2043,8 @@ + compatible = "ti,omap4-mcbsp"; + reg = <0x0 0xff>; /* L4 Interconnect */ + reg-names = "mpu"; ++ clocks = <&l4_per_clkctrl OMAP4_MCBSP4_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +diff --git a/drivers/clk/ti/clk-44xx.c b/drivers/clk/ti/clk-44xx.c +index 868bc7af21b0b..9b2824ed785b9 100644 +--- a/drivers/clk/ti/clk-44xx.c ++++ b/drivers/clk/ti/clk-44xx.c +@@ -749,9 +749,14 @@ static struct ti_dt_clk omap44xx_clks[] = { + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), ++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"), ++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"), ++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"), + DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4-per-clkctrl:00c0:26"), ++ DT_CLK("48096000.mcbsp", "prcm_fck", "l4-per-clkctrl:00c0:26"), + DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3-init-clkctrl:00c0:8"), + DT_CLK(NULL, "otg_60m_gfclk", "l3-init-clkctrl:0040:24"), ++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"), + DT_CLK(NULL, "per_mcbsp4_gfclk", "l4-per-clkctrl:00c0:24"), + DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu-sys-clkctrl:0000:20"), + DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu-sys-clkctrl:0000:22"), +-- +2.42.0 + diff --git a/queue-6.1/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch b/queue-6.1/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch new file mode 100644 index 00000000000..1d8bea12bbb --- /dev/null +++ b/queue-6.1/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch @@ -0,0 +1,97 @@ +From fbef408135524b458ffaf9ae5282c559345cc207 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 10:15:56 +0300 +Subject: clk: ti: Fix missing omap5 mcbsp functional clock and aliases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tony Lindgren + +[ Upstream commit 0b9a4a67c60d3e15b39a69d480a50ce7eeff9bc1 ] + +We are using a wrong mcbsp functional clock. The interconnect target module +driver provided clock for mcbsp is not same as the mcbsp functional clock +known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should +have been added before we dropped the legacy platform data. + +Additionally we are also missing the clock aliases for the clocks used by +the audio driver if reparenting is needed. This causes audio driver errors +like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas. +The mcbsp clock aliases too should have been added before we dropped the +legacy platform data. + +Let's add the clocks and aliases with a single patch to fix the issue +similar to omap4. On omap5, there is no mcbsp4 instance on the l4_per +interconnect. + +Fixes: b1da0fa21bd1 ("ARM: OMAP2+: Drop legacy platform data for omap5 mcbsp") +Cc: H. Nikolaus Schaller +Reported-by: Andreas Kemnade +Reported-by: Péter Ujfalusi +Acked-by: Stephen Boyd +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap5-l4-abe.dtsi | 6 ++++++ + drivers/clk/ti/clk-54xx.c | 4 ++++ + 2 files changed, 10 insertions(+) + +diff --git a/arch/arm/boot/dts/omap5-l4-abe.dtsi b/arch/arm/boot/dts/omap5-l4-abe.dtsi +index a03bca5a35844..97b0c3b5f573f 100644 +--- a/arch/arm/boot/dts/omap5-l4-abe.dtsi ++++ b/arch/arm/boot/dts/omap5-l4-abe.dtsi +@@ -109,6 +109,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49022000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP1_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -142,6 +144,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49024000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP2_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -175,6 +179,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49026000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP3_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +diff --git a/drivers/clk/ti/clk-54xx.c b/drivers/clk/ti/clk-54xx.c +index b4aff76eb3735..74dfd5823f835 100644 +--- a/drivers/clk/ti/clk-54xx.c ++++ b/drivers/clk/ti/clk-54xx.c +@@ -565,15 +565,19 @@ static struct ti_dt_clk omap54xx_clks[] = { + DT_CLK(NULL, "gpio8_dbclk", "l4per-clkctrl:00f8:8"), + DT_CLK(NULL, "mcbsp1_gfclk", "abe-clkctrl:0028:24"), + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), ++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"), + DT_CLK(NULL, "mcbsp2_gfclk", "abe-clkctrl:0030:24"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), ++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"), + DT_CLK(NULL, "mcbsp3_gfclk", "abe-clkctrl:0038:24"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), ++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"), + DT_CLK(NULL, "mmc1_32khz_clk", "l3init-clkctrl:0008:8"), + DT_CLK(NULL, "mmc1_fclk", "l3init-clkctrl:0008:25"), + DT_CLK(NULL, "mmc1_fclk_mux", "l3init-clkctrl:0008:24"), + DT_CLK(NULL, "mmc2_fclk", "l3init-clkctrl:0010:25"), + DT_CLK(NULL, "mmc2_fclk_mux", "l3init-clkctrl:0010:24"), ++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"), + DT_CLK(NULL, "sata_ref_clk", "l3init-clkctrl:0068:8"), + DT_CLK(NULL, "timer10_gfclk_mux", "l4per-clkctrl:0008:24"), + DT_CLK(NULL, "timer11_gfclk_mux", "l4per-clkctrl:0010:24"), +-- +2.42.0 + diff --git a/queue-6.1/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch b/queue-6.1/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch new file mode 100644 index 00000000000..7f60d67e50e --- /dev/null +++ b/queue-6.1/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch @@ -0,0 +1,42 @@ +From 4b311ee426108d794065d2f1aa2677d6ef1e1cde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 10:42:07 +0800 +Subject: drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO + +From: Sui Jingfeng + +[ Upstream commit 4e6c38c38723a954b85aa9ee62603bb4a37acbb4 ] + +drm/logicvc driver is depend on REGMAP and REGMAP_MMIO, should select this +two kconfig option, otherwise the driver failed to compile on platform +without REGMAP_MMIO selected: + +ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/gpu/drm/logicvc/logicvc-drm.ko] undefined! +make[1]: *** [scripts/Makefile.modpost:136: Module.symvers] Error 1 +make: *** [Makefile:1978: modpost] Error 2 + +Signed-off-by: Sui Jingfeng +Acked-by: Paul Kocialkowski +Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller") +Link: https://patchwork.freedesktop.org/patch/msgid/20230608024207.581401-1-suijingfeng@loongson.cn +Signed-off-by: Paul Kocialkowski +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/logicvc/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/logicvc/Kconfig b/drivers/gpu/drm/logicvc/Kconfig +index fa7a883688094..1df22a852a23e 100644 +--- a/drivers/gpu/drm/logicvc/Kconfig ++++ b/drivers/gpu/drm/logicvc/Kconfig +@@ -5,5 +5,7 @@ config DRM_LOGICVC + select DRM_KMS_HELPER + select DRM_KMS_DMA_HELPER + select DRM_GEM_DMA_HELPER ++ select REGMAP ++ select REGMAP_MMIO + help + DRM display driver for the logiCVC programmable logic block from Xylon +-- +2.42.0 + diff --git a/queue-6.1/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch b/queue-6.1/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch new file mode 100644 index 00000000000..2624f8180b6 --- /dev/null +++ b/queue-6.1/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch @@ -0,0 +1,42 @@ +From 22f357de3b82f231c338f64ee364e2f1d6b32a3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Oct 2023 11:29:08 +0800 +Subject: firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() + +From: Hao Ge + +[ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ] + +dsp_chan->name and chan_name points to same block of memory, +because dev_err still needs to be used it,so we need free +it's memory after use to avoid use_after_free. + +Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()") +Signed-off-by: Hao Ge +Reviewed-by: Daniel Baluta +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/firmware/imx/imx-dsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c +index 1f410809d3ee4..0f656e4191d5c 100644 +--- a/drivers/firmware/imx/imx-dsp.c ++++ b/drivers/firmware/imx/imx-dsp.c +@@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc) + dsp_chan->idx = i % 2; + dsp_chan->ch = mbox_request_channel_byname(cl, chan_name); + if (IS_ERR(dsp_chan->ch)) { +- kfree(dsp_chan->name); + ret = PTR_ERR(dsp_chan->ch); + if (ret != -EPROBE_DEFER) + dev_err(dev, "Failed to request mbox chan %s ret %d\n", + chan_name, ret); ++ kfree(dsp_chan->name); + goto out; + } + +-- +2.42.0 + diff --git a/queue-6.1/gtp-fix-fragmentation-needed-check-with-gso.patch b/queue-6.1/gtp-fix-fragmentation-needed-check-with-gso.patch new file mode 100644 index 00000000000..065988decbc --- /dev/null +++ b/queue-6.1/gtp-fix-fragmentation-needed-check-with-gso.patch @@ -0,0 +1,38 @@ +From 43256676a69dab9f4b7382f12166975b6fa0c62a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Oct 2023 22:25:18 +0200 +Subject: gtp: fix fragmentation needed check with gso + +From: Pablo Neira Ayuso + +[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ] + +Call skb_gso_validate_network_len() to check if packet is over PMTU. + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index acb20ad4e37eb..477b4d4f860bd 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -871,8 +871,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev, + + skb_dst_update_pmtu_no_confirm(skb, mtu); + +- if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) && +- mtu < ntohs(iph->tot_len)) { ++ if (iph->frag_off & htons(IP_DF) && ++ ((!skb_is_gso(skb) && skb->len > mtu) || ++ (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) { + netdev_dbg(dev, "packet too big, fragmentation needed\n"); + icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(mtu)); +-- +2.42.0 + diff --git a/queue-6.1/gtp-uapi-fix-gtpa_max.patch b/queue-6.1/gtp-uapi-fix-gtpa_max.patch new file mode 100644 index 00000000000..9c0e479c4b5 --- /dev/null +++ b/queue-6.1/gtp-uapi-fix-gtpa_max.patch @@ -0,0 +1,34 @@ +From a036ddfca5cc43a4e1d31430a224c10d75c218b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Oct 2023 22:25:17 +0200 +Subject: gtp: uapi: fix GTPA_MAX + +From: Pablo Neira Ayuso + +[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ] + +Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2. + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/uapi/linux/gtp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h +index 2f61298a7b779..3dcdb9e33cba2 100644 +--- a/include/uapi/linux/gtp.h ++++ b/include/uapi/linux/gtp.h +@@ -33,6 +33,6 @@ enum gtp_attrs { + GTPA_PAD, + __GTPA_MAX, + }; +-#define GTPA_MAX (__GTPA_MAX + 1) ++#define GTPA_MAX (__GTPA_MAX - 1) + + #endif /* _UAPI_LINUX_GTP_H_ */ +-- +2.42.0 + diff --git a/queue-6.1/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch b/queue-6.1/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch new file mode 100644 index 00000000000..f8b934565e9 --- /dev/null +++ b/queue-6.1/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch @@ -0,0 +1,63 @@ +From f72239fc20635dd684c7907f93b670f4e8087039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 18:37:20 +0200 +Subject: i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value + +From: Ivan Vecera + +[ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ] + +Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new +PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with +existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag. + +Move the affected flag at the end of the flags and fix its value. + +Reproducer: +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off +[ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled) +netlink error: Operation not supported +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off + +The link-down-on-close flag cannot be modified after setting vf-vlan-pruning +because vf-vlan-pruning shares the same bit with total-port-shutdown flag +that prevents any modification of link-down-on-close flag. + +Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning") +Cc: Mateusz Palczewski +Cc: Simon Horman +Signed-off-by: Ivan Vecera +Reviewed-by: Jacob Keller +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index a81f918091ccf..7d4cc4eafd59e 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -580,7 +580,6 @@ struct i40e_pf { + #define I40E_FLAG_DISABLE_FW_LLDP BIT(24) + #define I40E_FLAG_RS_FEC BIT(25) + #define I40E_FLAG_BASE_R_FEC BIT(26) +-#define I40E_FLAG_VF_VLAN_PRUNING BIT(27) + /* TOTAL_PORT_SHUTDOWN + * Allows to physically disable the link on the NIC's port. + * If enabled, (after link down request from the OS) +@@ -603,6 +602,7 @@ struct i40e_pf { + * in abilities field of i40e_aq_set_phy_config structure + */ + #define I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED BIT(27) ++#define I40E_FLAG_VF_VLAN_PRUNING BIT(28) + + struct i40e_client_instance *cinst; + bool stat_offsets_loaded; +-- +2.42.0 + diff --git a/queue-6.1/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch b/queue-6.1/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch new file mode 100644 index 00000000000..ad9ed3fe68d --- /dev/null +++ b/queue-6.1/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch @@ -0,0 +1,38 @@ +From 8c165e61be0768084200645529bfb370a01d5129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 14:27:14 -0700 +Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR + +From: Ivan Vecera + +[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ] + +The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one. + +Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722") +Signed-off-by: Ivan Vecera +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Jacob Keller +Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 494775d65bf28..6d26ee8eefae9 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -2770,7 +2770,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget) + return budget; + } + +- if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR) ++ if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR) + q_vector->arm_wb_state = false; + + /* Exit the polling mode, but don't re-enable interrupts if stack might +-- +2.42.0 + diff --git a/queue-6.1/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch b/queue-6.1/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch new file mode 100644 index 00000000000..b450f43ce88 --- /dev/null +++ b/queue-6.1/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch @@ -0,0 +1,49 @@ +From 8d3bde1046f7d9748b1be8d9630f8ade0d6522c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 11:32:13 -0700 +Subject: iavf: in iavf_down, disable queues when removing the driver + +From: Michal Schmidt + +[ Upstream commit 53798666648af3aa0dd512c2380576627237a800 ] + +In iavf_down, we're skipping the scheduling of certain operations if +the driver is being removed. However, the IAVF_FLAG_AQ_DISABLE_QUEUES +request must not be skipped in this case, because iavf_close waits +for the transition to the __IAVF_DOWN state, which happens in +iavf_virtchnl_completion after the queues are released. + +Without this fix, "rmmod iavf" takes half a second per interface that's +up and prints the "Device resources not yet released" warning. + +Fixes: c8de44b577eb ("iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set") +Signed-off-by: Michal Schmidt +Reviewed-by: Wojciech Drewek +Tested-by: Rafal Romanowski +Tested-by: Jacob Keller +Signed-off-by: Jacob Keller +Link: https://lore.kernel.org/r/20231025183213.874283-1-jacob.e.keller@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 1ae90f8f9941f..326bb5fdf5f90 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1449,9 +1449,9 @@ void iavf_down(struct iavf_adapter *adapter) + adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER; + if (!list_empty(&adapter->adv_rss_list_head)) + adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG; +- adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES; + } + ++ adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES; + mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0); + } + +-- +2.42.0 + diff --git a/queue-6.1/iavf-initialize-waitqueues-before-starting-watchdog_.patch b/queue-6.1/iavf-initialize-waitqueues-before-starting-watchdog_.patch new file mode 100644 index 00000000000..9a44303967a --- /dev/null +++ b/queue-6.1/iavf-initialize-waitqueues-before-starting-watchdog_.patch @@ -0,0 +1,55 @@ +From 0d3ad15d7764402f040fe00b82d850bcf3bf69be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 09:13:46 +0200 +Subject: iavf: initialize waitqueues before starting watchdog_task + +From: Michal Schmidt + +[ Upstream commit 7db3111043885c146e795c199d39c3f9042d97c0 ] + +It is not safe to initialize the waitqueues after queueing the +watchdog_task. It will be using them. + +The chance of this causing a real problem is very small, because +there will be some sleeping before any of the waitqueues get used. +I got a crash only after inserting an artificial sleep in iavf_probe. + +Queue the watchdog_task as the last step in iavf_probe. Add a comment to +prevent repeating the mistake. + +Fixes: fe2647ab0c99 ("i40evf: prevent VF close returning before state transitions to DOWN") +Signed-off-by: Michal Schmidt +Reviewed-by: Paul Menzel +Reviewed-by: Przemek Kitszel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index a39f7f0d6ab0b..1ae90f8f9941f 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -5020,8 +5020,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + INIT_WORK(&adapter->finish_config, iavf_finish_config); + INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); +- queue_delayed_work(adapter->wq, &adapter->watchdog_task, +- msecs_to_jiffies(5 * (pdev->devfn & 0x07))); + + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); +@@ -5032,6 +5030,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating virtchannel events */ + init_waitqueue_head(&adapter->vc_waitqueue); + ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, ++ msecs_to_jiffies(5 * (pdev->devfn & 0x07))); ++ /* Initialization goes on in the work. Do not add more of it below. */ + return 0; + + err_ioremap: +-- +2.42.0 + diff --git a/queue-6.1/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch b/queue-6.1/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch new file mode 100644 index 00000000000..ca5a018b9f4 --- /dev/null +++ b/queue-6.1/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch @@ -0,0 +1,47 @@ +From 13e2356742e1458d87217b2c6f3bed3681715c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 13:40:35 -0700 +Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry + +From: Mateusz Palczewski + +[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ] + +Add check for return of igb_update_ethtool_nfc_entry so that in case +of any potential errors the memory alocated for input will be freed. + +Fixes: 0e71def25281 ("igb: add support of RX network flow classification") +Reviewed-by: Wojciech Drewek +Signed-off-by: Mateusz Palczewski +Tested-by: Arpana Arland (A Contingent worker at Intel) +Signed-off-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c +index 96fa1c420f910..ceff537d9d22d 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c ++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c +@@ -2978,11 +2978,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter, + if (err) + goto err_out_w_lock; + +- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx); ++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx); ++ if (err) ++ goto err_out_input_filter; + + spin_unlock(&adapter->nfc_lock); + return 0; + ++err_out_input_filter: ++ igb_erase_filter(adapter, input); + err_out_w_lock: + spin_unlock(&adapter->nfc_lock); + err_out: +-- +2.42.0 + diff --git a/queue-6.1/igc-fix-ambiguity-in-the-ethtool-advertising.patch b/queue-6.1/igc-fix-ambiguity-in-the-ethtool-advertising.patch new file mode 100644 index 00000000000..44240e87b8a --- /dev/null +++ b/queue-6.1/igc-fix-ambiguity-in-the-ethtool-advertising.patch @@ -0,0 +1,86 @@ +From a41638beee1d0b5c8b00b88081e09a28a02ecba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 13:36:41 -0700 +Subject: igc: Fix ambiguity in the ethtool advertising + +From: Sasha Neftin + +[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ] + +The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to +advertise 2500M speed support and TP (twisted pair) properly. Convert to +'ethtool_link_ksettings_test_link_mode' to advertise supported speed and +eliminate ambiguity. + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Suggested-by: Dima Ruinskiy +Suggested-by: Vitaly Lifshits +Signed-off-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Jacob Keller +Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------ + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index e23b95edb05ef..81897f7a90a91 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1817,7 +1817,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev, + struct igc_adapter *adapter = netdev_priv(netdev); + struct net_device *dev = adapter->netdev; + struct igc_hw *hw = &adapter->hw; +- u32 advertising; ++ u16 advertised = 0; + + /* When adapter in resetting mode, autoneg/speed/duplex + * cannot be changed +@@ -1842,18 +1842,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev, + while (test_and_set_bit(__IGC_RESETTING, &adapter->state)) + usleep_range(1000, 2000); + +- ethtool_convert_link_mode_to_legacy_u32(&advertising, +- cmd->link_modes.advertising); +- /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT. +- * We have to check this and convert it to ADVERTISE_2500_FULL +- * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly. +- */ +- if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full)) +- advertising |= ADVERTISE_2500_FULL; ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 2500baseT_Full)) ++ advertised |= ADVERTISE_2500_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 1000baseT_Full)) ++ advertised |= ADVERTISE_1000_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 100baseT_Full)) ++ advertised |= ADVERTISE_100_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 100baseT_Half)) ++ advertised |= ADVERTISE_100_HALF; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 10baseT_Full)) ++ advertised |= ADVERTISE_10_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 10baseT_Half)) ++ advertised |= ADVERTISE_10_HALF; + + if (cmd->base.autoneg == AUTONEG_ENABLE) { + hw->mac.autoneg = 1; +- hw->phy.autoneg_advertised = advertising; ++ hw->phy.autoneg_advertised = advertised; + if (adapter->fc_autoneg) + hw->fc.requested_mode = igc_fc_default; + } else { +-- +2.42.0 + diff --git a/queue-6.1/neighbour-fix-various-data-races.patch b/queue-6.1/neighbour-fix-various-data-races.patch new file mode 100644 index 00000000000..3047a66616a --- /dev/null +++ b/queue-6.1/neighbour-fix-various-data-races.patch @@ -0,0 +1,176 @@ +From 0e8f1c70114f828f57ece09c7bc4182bb4457943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 12:21:04 +0000 +Subject: neighbour: fix various data-races + +From: Eric Dumazet + +[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ] + +1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval + can be written from sysfs. + +2) tbl->last_flush is read locklessly from neigh_alloc() + +3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info() + +4) neightbl_fill_info() reads cpu stats that can be changed concurrently. + +Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 67 +++++++++++++++++++++++--------------------- + 1 file changed, 35 insertions(+), 32 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index b20c9768d9f3f..41daa47d03934 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -251,7 +251,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl) + + static int neigh_forced_gc(struct neigh_table *tbl) + { +- int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2; ++ int max_clean = atomic_read(&tbl->gc_entries) - ++ READ_ONCE(tbl->gc_thresh2); + unsigned long tref = jiffies - 5 * HZ; + struct neighbour *n, *tmp; + int shrunk = 0; +@@ -280,7 +281,7 @@ static int neigh_forced_gc(struct neigh_table *tbl) + } + } + +- tbl->last_flush = jiffies; ++ WRITE_ONCE(tbl->last_flush, jiffies); + + write_unlock_bh(&tbl->lock); + +@@ -464,17 +465,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, + { + struct neighbour *n = NULL; + unsigned long now = jiffies; +- int entries; ++ int entries, gc_thresh3; + + if (exempt_from_gc) + goto do_alloc; + + entries = atomic_inc_return(&tbl->gc_entries) - 1; +- if (entries >= tbl->gc_thresh3 || +- (entries >= tbl->gc_thresh2 && +- time_after(now, tbl->last_flush + 5 * HZ))) { +- if (!neigh_forced_gc(tbl) && +- entries >= tbl->gc_thresh3) { ++ gc_thresh3 = READ_ONCE(tbl->gc_thresh3); ++ if (entries >= gc_thresh3 || ++ (entries >= READ_ONCE(tbl->gc_thresh2) && ++ time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) { ++ if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) { + net_info_ratelimited("%s: neighbor table overflow!\n", + tbl->id); + NEIGH_CACHE_STAT_INC(tbl, table_fulls); +@@ -955,13 +956,14 @@ static void neigh_periodic_work(struct work_struct *work) + + if (time_after(jiffies, tbl->last_rand + 300 * HZ)) { + struct neigh_parms *p; +- tbl->last_rand = jiffies; ++ ++ WRITE_ONCE(tbl->last_rand, jiffies); + list_for_each_entry(p, &tbl->parms_list, list) + p->reachable_time = + neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME)); + } + +- if (atomic_read(&tbl->entries) < tbl->gc_thresh1) ++ if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1)) + goto out; + + for (i = 0 ; i < (1 << nht->hash_shift); i++) { +@@ -2157,15 +2159,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + ndtmsg->ndtm_pad2 = 0; + + if (nla_put_string(skb, NDTA_NAME, tbl->id) || +- nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) || +- nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) || +- nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) || +- nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3)) ++ nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval), ++ NDTA_PAD) || ++ nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) || ++ nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) || ++ nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3))) + goto nla_put_failure; + { + unsigned long now = jiffies; +- long flush_delta = now - tbl->last_flush; +- long rand_delta = now - tbl->last_rand; ++ long flush_delta = now - READ_ONCE(tbl->last_flush); ++ long rand_delta = now - READ_ONCE(tbl->last_rand); + struct neigh_hash_table *nht; + struct ndt_config ndc = { + .ndtc_key_len = tbl->key_len, +@@ -2173,7 +2176,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + .ndtc_entries = atomic_read(&tbl->entries), + .ndtc_last_flush = jiffies_to_msecs(flush_delta), + .ndtc_last_rand = jiffies_to_msecs(rand_delta), +- .ndtc_proxy_qlen = tbl->proxy_queue.qlen, ++ .ndtc_proxy_qlen = READ_ONCE(tbl->proxy_queue.qlen), + }; + + rcu_read_lock(); +@@ -2196,17 +2199,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + struct neigh_statistics *st; + + st = per_cpu_ptr(tbl->stats, cpu); +- ndst.ndts_allocs += st->allocs; +- ndst.ndts_destroys += st->destroys; +- ndst.ndts_hash_grows += st->hash_grows; +- ndst.ndts_res_failed += st->res_failed; +- ndst.ndts_lookups += st->lookups; +- ndst.ndts_hits += st->hits; +- ndst.ndts_rcv_probes_mcast += st->rcv_probes_mcast; +- ndst.ndts_rcv_probes_ucast += st->rcv_probes_ucast; +- ndst.ndts_periodic_gc_runs += st->periodic_gc_runs; +- ndst.ndts_forced_gc_runs += st->forced_gc_runs; +- ndst.ndts_table_fulls += st->table_fulls; ++ ndst.ndts_allocs += READ_ONCE(st->allocs); ++ ndst.ndts_destroys += READ_ONCE(st->destroys); ++ ndst.ndts_hash_grows += READ_ONCE(st->hash_grows); ++ ndst.ndts_res_failed += READ_ONCE(st->res_failed); ++ ndst.ndts_lookups += READ_ONCE(st->lookups); ++ ndst.ndts_hits += READ_ONCE(st->hits); ++ ndst.ndts_rcv_probes_mcast += READ_ONCE(st->rcv_probes_mcast); ++ ndst.ndts_rcv_probes_ucast += READ_ONCE(st->rcv_probes_ucast); ++ ndst.ndts_periodic_gc_runs += READ_ONCE(st->periodic_gc_runs); ++ ndst.ndts_forced_gc_runs += READ_ONCE(st->forced_gc_runs); ++ ndst.ndts_table_fulls += READ_ONCE(st->table_fulls); + } + + if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst, +@@ -2435,16 +2438,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, + goto errout_tbl_lock; + + if (tb[NDTA_THRESH1]) +- tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]); ++ WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1])); + + if (tb[NDTA_THRESH2]) +- tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]); ++ WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2])); + + if (tb[NDTA_THRESH3]) +- tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]); ++ WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3])); + + if (tb[NDTA_GC_INTERVAL]) +- tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]); ++ WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL])); + + err = 0; + +-- +2.42.0 + diff --git a/queue-6.1/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch b/queue-6.1/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch new file mode 100644 index 00000000000..b174d468fac --- /dev/null +++ b/queue-6.1/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch @@ -0,0 +1,38 @@ +From 826017a4ab72dddd30e6ec9f710c5b2028641983 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 09:20:53 +0300 +Subject: net: ethernet: adi: adin1110: Fix uninitialized variable + +From: Dell Jin + +[ Upstream commit 965f9b8c0c1b37fa2a0e3ef56e40d5666d4cbb5c ] + +The spi_transfer struct has to have all it's fields initialized to 0 in +this case, since not all of them are set before starting the transfer. +Otherwise, spi_sync_transfer() will sometimes return an error. + +Fixes: a526a3cc9c8d ("net: ethernet: adi: adin1110: Fix SPI transfers") +Signed-off-by: Dell Jin +Signed-off-by: Ciprian Regus +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index ed2863ed6a5bb..7474afc0e8e73 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -294,7 +294,7 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv) + { + struct adin1110_priv *priv = port_priv->priv; + u32 header_len = ADIN1110_RD_HEADER_LEN; +- struct spi_transfer t; ++ struct spi_transfer t = {0}; + u32 frame_size_no_fcs; + struct sk_buff *rxb; + u32 frame_size; +-- +2.42.0 + diff --git a/queue-6.1/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch b/queue-6.1/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch new file mode 100644 index 00000000000..1a40b045659 --- /dev/null +++ b/queue-6.1/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch @@ -0,0 +1,47 @@ +From c5b7ae96ed920d89c5e818544a54176f669b1e2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 20:03:53 +0200 +Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in + adf7242_stats_show() + +From: Christophe JAILLET + +[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ] + +strncat() usage in adf7242_debugfs_init() is wrong. +The size given to strncat() is the maximum number of bytes that can be +written, excluding the trailing NULL. + +Here, the size that is passed, DNAME_INLINE_LEN, does not take into account +the size of "adf7242-" that is already in the array. + +In order to fix it, use snprintf() instead. + +Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 5cf218c674a5a..32d92bdabd234 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset) + + static void adf7242_debugfs_init(struct adf7242_local *lp) + { +- char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-"; ++ char debugfs_dir_name[DNAME_INLINE_LEN + 1]; + +- strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN); ++ snprintf(debugfs_dir_name, sizeof(debugfs_dir_name), ++ "adf7242-%s", dev_name(&lp->spi->dev)); + + lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL); + +-- +2.42.0 + diff --git a/queue-6.1/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch b/queue-6.1/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch new file mode 100644 index 00000000000..25873cc19b2 --- /dev/null +++ b/queue-6.1/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch @@ -0,0 +1,103 @@ +From b85a859a2339295d6e9afe0cd99350366794c7a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 02:03:44 +0900 +Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg + +From: Shigeru Yoshida + +[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ] + +syzbot reported the following uninit-value access issue [1]: + +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32 +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD +===================================================== +BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750 + usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207 + usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238 + usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589 + hub_port_connect drivers/usb/core/hub.c:5440 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5580 [inline] + port_event drivers/usb/core/hub.c:5740 [inline] + hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703 + worker_thread+0xf45/0x1490 kernel/workqueue.c:2784 + kthread+0x3e8/0x540 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Local variable buf.i225 created at: + smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline] + smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + +CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Workqueue: usb_hub_wq hub_event +===================================================== + +Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in +__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads +less bytes than requested (zero byte in the reproducer). In this case, +'buf' is not properly filled. + +This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads +less bytes than requested. + +sysbot reported similar uninit-value access issue [2]. The root cause is +the same as mentioned above, and this patch addresses it as well. + +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1] +Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2] +Signed-off-by: Shigeru Yoshida +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 17da42fe605c3..a530f20ee2575 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -95,7 +95,9 @@ static int __must_check smsc95xx_read_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (ret < 0) { ++ if (ret < 4) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + if (ret != -ENODEV) + netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", + index, ret); +-- +2.42.0 + diff --git a/queue-6.1/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch b/queue-6.1/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch new file mode 100644 index 00000000000..43911449046 --- /dev/null +++ b/queue-6.1/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch @@ -0,0 +1,37 @@ +From 05f480069e3c3ff81b7d3c4062c6c078c20bc433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:54 -0700 +Subject: r8152: Cancel hw_phy_work if we have an error in probe + +From: Douglas Anderson + +[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ] + +The error handling in rtl8152_probe() is missing a call to cancel the +hw_phy_work. Add it in to match what's in the cleanup code in +rtl8152_disconnect(). + +Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 3cc8e324c5c6c..fb9c1f3f6e5a4 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9826,6 +9826,7 @@ static int rtl8152_probe(struct usb_interface *intf, + + out1: + tasklet_kill(&tp->tx_tl); ++ cancel_delayed_work_sync(&tp->hw_phy_work); + if (tp->rtl_ops.unload) + tp->rtl_ops.unload(tp); + usb_set_intfdata(intf, NULL); +-- +2.42.0 + diff --git a/queue-6.1/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch b/queue-6.1/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch new file mode 100644 index 00000000000..89231ef950f --- /dev/null +++ b/queue-6.1/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch @@ -0,0 +1,77 @@ +From 36092c6c2055b8f0544eea0a6a2b9735cfe08f97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:52 -0700 +Subject: r8152: Increase USB control msg timeout to 5000ms as per spec + +From: Douglas Anderson + +[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ] + +According to the comment next to USB_CTRL_GET_TIMEOUT and +USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is +usually quite fast, the spec allows them to take up to 5 seconds. +Let's increase the timeout in the Realtek driver from 500ms to 5000ms +(using the #defines) to account for this. + +This is not just a theoretical change. The need for the longer timeout +was seen in testing. Specifically, if you drop a sc7180-trogdor based +Chromebook into the kdb debugger and then "go" again after sitting in +the debugger for a while, the next USB control message takes a long +time. Out of ~40 tests the slowest USB control message was 4.5 +seconds. + +While dropping into kdb is not exactly an end-user scenario, the above +is similar to what could happen due to an temporary interrupt storm, +what could happen if there was a host controller (HW or SW) issue, or +what could happen if the Realtek device got into a confused state and +needed time to recover. + +This change is fairly critical since the r8152 driver in Linux doesn't +expect register reads/writes (which are backed by USB control +messages) to fail. + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Suggested-by: Hayes Wang +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index fc1458f96e170..4c90f7053171c 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1211,7 +1211,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in, + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_GET_TIMEOUT); + if (ret < 0) + memset(data, 0xff, size); + else +@@ -1234,7 +1234,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out, + RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_SET_TIMEOUT); + + kfree(tmp); + +@@ -9549,7 +9549,8 @@ u8 rtl8152_get_version(struct usb_interface *intf) + + ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500); ++ PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), ++ USB_CTRL_GET_TIMEOUT); + if (ret > 0) + ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK; + +-- +2.42.0 + diff --git a/queue-6.1/r8152-release-firmware-if-we-have-an-error-in-probe.patch b/queue-6.1/r8152-release-firmware-if-we-have-an-error-in-probe.patch new file mode 100644 index 00000000000..90547847733 --- /dev/null +++ b/queue-6.1/r8152-release-firmware-if-we-have-an-error-in-probe.patch @@ -0,0 +1,37 @@ +From c6d2e07bd5d4fbee44dfb1d5a9a615d546e6cfae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:55 -0700 +Subject: r8152: Release firmware if we have an error in probe + +From: Douglas Anderson + +[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ] + +The error handling in rtl8152_probe() is missing a call to release +firmware. Add it in to match what's in the cleanup code in +rtl8152_disconnect(). + +Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index fb9c1f3f6e5a4..c34974f7dfd26 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9829,6 +9829,7 @@ static int rtl8152_probe(struct usb_interface *intf, + cancel_delayed_work_sync(&tp->hw_phy_work); + if (tp->rtl_ops.unload) + tp->rtl_ops.unload(tp); ++ rtl8152_release_firmware(tp); + usb_set_intfdata(intf, NULL); + out: + free_netdev(netdev); +-- +2.42.0 + diff --git a/queue-6.1/r8152-run-the-unload-routine-if-we-have-errors-durin.patch b/queue-6.1/r8152-run-the-unload-routine-if-we-have-errors-durin.patch new file mode 100644 index 00000000000..18e45c19fcd --- /dev/null +++ b/queue-6.1/r8152-run-the-unload-routine-if-we-have-errors-durin.patch @@ -0,0 +1,38 @@ +From fd8d5a896f2f016138b87c5d2a5228c082e390f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:53 -0700 +Subject: r8152: Run the unload routine if we have errors during probe + +From: Douglas Anderson + +[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ] + +The rtl8152_probe() function lacks a call to the chip-specific +unload() routine when it sees an error in probe. Add it in to match +the cleanup code in rtl8152_disconnect(). + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 4c90f7053171c..3cc8e324c5c6c 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -9826,6 +9826,8 @@ static int rtl8152_probe(struct usb_interface *intf, + + out1: + tasklet_kill(&tp->tx_tl); ++ if (tp->rtl_ops.unload) ++ tp->rtl_ops.unload(tp); + usb_set_intfdata(intf, NULL); + out: + free_netdev(netdev); +-- +2.42.0 + diff --git a/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch new file mode 100644 index 00000000000..6efc2671645 --- /dev/null +++ b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch @@ -0,0 +1,105 @@ +From 344cbd3142941572a9ebcc0648fa0038a0fa94e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:38 +0200 +Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading + desc->opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ] + +KCSAN reported the following data-race bug: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 + +race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x80003fff -> 0x3402805f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +drivers/net/ethernet/realtek/r8169_main.c: +========================================== + 4429 + → 4430 status = le32_to_cpu(desc->opts1); + 4431 if (status & DescOwn) + 4432 break; + 4433 + 4434 /* This barrier is needed to keep us from reading + 4435 * any other fields out of the Rx descriptor until + 4436 * we know the status of DescOwn + 4437 */ + 4438 dma_rmb(); + 4439 + 4440 if (unlikely(status & RxRES)) { + 4441 if (net_ratelimit()) + 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n", + +Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to +desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from +happening: + + 4429 + → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1)); + 4431 if (status & DescOwn) + 4432 break; + 4433 + +As the consequence of this fix, this KCSAN warning was eliminated. + +Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private") +Suggested-by: Marco Elver +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index f677f625a4939..80b6079b8a8e3 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4413,7 +4413,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, int budget + dma_addr_t addr; + u32 status; + +- status = le32_to_cpu(desc->opts1); ++ status = le32_to_cpu(READ_ONCE(desc->opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch new file mode 100644 index 00000000000..c3694d85b3e --- /dev/null +++ b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch @@ -0,0 +1,175 @@ +From 573bf9bc69c25f29f60837cb303f204ed064e2ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:34 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx() while reading + tp->cur_tx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169] + +write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29: +rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169 +dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560) +sch_direct_xmit (net/sched/sch_generic.c:342) +__dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306) +ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233) +__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293) +ip_finish_output (net/ipv4/ip_output.c:328) +ip_output (net/ipv4/ip_output.c:435) +ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486) +udp_send_skb (net/ipv4/udp.c:963) +udp_sendmsg (net/ipv4/udp.c:1246) +inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4)) +sock_sendmsg (net/socket.c:730 net/socket.c:753) +__sys_sendto (net/socket.c:2177) +__x64_sys_sendto (net/socket.c:2185) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) +asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x002f4815 -> 0x002f4816 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +The write side of drivers/net/ethernet/realtek/r8169_main.c is: +================== + 4251 /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */ + 4252 smp_wmb(); + 4253 + → 4254 WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1); + 4255 + 4256 stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp), + 4257 R8169_TX_STOP_THRS, + 4258 R8169_TX_START_THRS); + +The read side is the function rtl_tx(): + + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + → 4397 if (tp->cur_tx != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the +line 4363: + + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + +but the same solution is required for protecting the other access to tp->cur_tx: + + → 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + +The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397 +might have suffered read tearing under some compiler optimisations. + +The fix eliminated the KCSAN data-race report for this bug. + +It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363 +and line 4397. This test should certainly not be cached by the compiler in some register +for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line +4254 in the meantime. + +Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings") +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index a9a0dca0c0305..5288daaf59b5b 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4380,7 +4380,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + * If skb is NULL then we come here again once a tx irq is + * triggered after the last fragment is marked transmitted. + */ +- if (tp->cur_tx != dirty_tx && skb) ++ if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + rtl8169_doorbell(tp); + } + } +-- +2.42.0 + diff --git a/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-18717 b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-18717 new file mode 100644 index 00000000000..a7cc2f7ba61 --- /dev/null +++ b/queue-6.1/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-18717 @@ -0,0 +1,136 @@ +From 187d6e811b0da6a74a8c76d6a631b7d331313a6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:36 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading + TxDescArray[entry].opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 + +race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0xb0000042 -> 0x00000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +The read side is in + +drivers/net/ethernet/realtek/r8169_main.c +========================================= + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes +this KCSAN warning. + + 4366 + → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + 4368 if (status & DescOwn) + 4369 break; + 4370 + +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 5288daaf59b5b..f677f625a4939 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4343,7 +4343,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + unsigned int entry = dirty_tx % NUM_TX_DESC; + u32 status; + +- status = le32_to_cpu(tp->TxDescArray[entry].opts1); ++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 7bfdeeb6871..d2e1a1f79e7 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -27,3 +27,30 @@ nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch drm-dp_mst-fix-null-deref-in-get_mst_branch_device_by_guid_helper.patch +arm-omap-timer32k-fix-all-kernel-doc-warnings.patch +firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch +clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch +clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch +arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch +r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch +r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-18717 +r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch +iavf-initialize-waitqueues-before-starting-watchdog_.patch +i40e-fix-i40e_flag_vf_vlan_pruning-value.patch +treewide-spelling-fix-in-comment.patch +igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch +neighbour-fix-various-data-races.patch +igc-fix-ambiguity-in-the-ethtool-advertising.patch +net-ethernet-adi-adin1110-fix-uninitialized-variable.patch +net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch +net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch +r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch +r8152-run-the-unload-routine-if-we-have-errors-durin.patch +r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch +r8152-release-firmware-if-we-have-an-error-in-probe.patch +tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch +gtp-uapi-fix-gtpa_max.patch +gtp-fix-fragmentation-needed-check-with-gso.patch +i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch +drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch +iavf-in-iavf_down-disable-queues-when-removing-the-d.patch diff --git a/queue-6.1/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch b/queue-6.1/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch new file mode 100644 index 00000000000..17b424e372f --- /dev/null +++ b/queue-6.1/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch @@ -0,0 +1,96 @@ +From 423dbb654744d1619e6dc78efd623f5ddb53b74a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 08:19:47 +0800 +Subject: tcp: fix wrong RTO timeout when received SACK reneging + +From: Fred Chen + +[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ] + +This commit fix wrong RTO timeout when received SACK reneging. + +When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging() +will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future. + +But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when +CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer() +is moved after tcp_fastretrans_alert()(which do the SACK reneging check), +so the RTO timeout will be overwrited by tcp_set_xmit_timer() with +icsk_rto instead of 1/2*srtt. + +Here is a packetdrill script to check this bug: +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++0 bind(3, ..., ...) = 0 ++0 listen(3, 1) = 0 + +// simulate srtt to 100ms ++0 < S 0:0(0) win 32792 ++0 > S. 0:0(0) ack 1 ++.1 < . 1:1(0) ack 1 win 1024 + ++0 accept(3, ..., ...) = 4 + ++0 write(4, ..., 10000) = 10000 ++0 > P. 1:10001(10000) ack 1 + +// inject sack ++.1 < . 1:1(0) ack 1 win 257 ++0 > . 1:1001(1000) ack 1 + +// inject sack reneging ++.1 < . 1:1(0) ack 1001 win 257 + +// we expect rto fired in 1/2*srtt (50ms) ++.05 > . 1001:2001(1000) ack 1 + +This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when +tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid +being overwrited later. + +Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN") +Signed-off-by: Fred Chen +Reviewed-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 068221e742425..d63942202493d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2202,16 +2202,17 @@ void tcp_enter_loss(struct sock *sk) + * restore sanity to the SACK scoreboard. If the apparent reneging + * persists until this RTO then we'll clear the SACK scoreboard. + */ +-static bool tcp_check_sack_reneging(struct sock *sk, int flag) ++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag) + { +- if (flag & FLAG_SACK_RENEGING && +- flag & FLAG_SND_UNA_ADVANCED) { ++ if (*ack_flag & FLAG_SACK_RENEGING && ++ *ack_flag & FLAG_SND_UNA_ADVANCED) { + struct tcp_sock *tp = tcp_sk(sk); + unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4), + msecs_to_jiffies(10)); + + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, + delay, TCP_RTO_MAX); ++ *ack_flag &= ~FLAG_SET_XMIT_TIMER; + return true; + } + return false; +@@ -2981,7 +2982,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + tp->prior_ssthresh = 0; + + /* B. In all the states check for reneging SACKs. */ +- if (tcp_check_sack_reneging(sk, flag)) ++ if (tcp_check_sack_reneging(sk, ack_flag)) + return; + + /* C. Check consistency of the current state. */ +-- +2.42.0 + diff --git a/queue-6.1/treewide-spelling-fix-in-comment.patch b/queue-6.1/treewide-spelling-fix-in-comment.patch new file mode 100644 index 00000000000..44b991ea58a --- /dev/null +++ b/queue-6.1/treewide-spelling-fix-in-comment.patch @@ -0,0 +1,36 @@ +From e0e1918c728fa018dfad9bf59cf79baec1b2dbf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:31:56 +0800 +Subject: treewide: Spelling fix in comment + +From: Kunwu Chan + +[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ] + +reques -> request + +Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3") +Signed-off-by: Kunwu Chan +Reviewed-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c +index dc14a66583ff3..44488c153ea25 100644 +--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c ++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c +@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev, + key_index = wl->current_key; + + if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) { +- /* reques to change default key index */ ++ /* request to change default key index */ + pr_debug("%s: request to change default key to %d\n", + __func__, key_index); + wl->current_key = key_index; +-- +2.42.0 +