From: Sasha Levin Date: Sat, 7 Oct 2023 12:15:37 +0000 (-0400) Subject: Fixes for 6.5 X-Git-Tag: v4.14.327~53^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea6aa0d3f0b57c5b52373fbd85bda45fef148eae;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.5 Signed-off-by: Sasha Levin
---
diff --git a/queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch b/queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch
new file mode 100644
index 00000000000..9e2cc707ff2
--- /dev/null
+++ b/queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch
@@ -0,0 +1,35 @@
+From 1e23a7ea663071fefb1a1606ac7cc17eb593db5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Aug 2023 16:13:13 +0800
+Subject: Bluetooth: Delete unused hci_req_prepare_suspend() declaration
+
+From: Yao Xiao
+
+[ Upstream commit cbaabbcdcbd355f0a1ccc09a925575c51c270750 ]
+
+hci_req_prepare_suspend() has been deprecated in favor of
+hci_suspend_sync().
+
+Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
+Signed-off-by: Yao Xiao
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_request.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
+index b9c5a98238374..0be75cf0efed8 100644
+--- a/net/bluetooth/hci_request.h
++++ b/net/bluetooth/hci_request.h
+@@ -71,7 +71,5 @@ struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode, u32 plen,
+ void hci_req_add_le_scan_disable(struct hci_request *req, bool rpa_le_conn);
+ void hci_req_add_le_passive_scan(struct hci_request *req);
+
+-void hci_req_prepare_suspend(struct hci_dev *hdev, enum suspended_state next);
+-
+ void hci_request_setup(struct hci_dev *hdev);
+ void hci_request_cancel_all(struct hci_dev *hdev);
+--
+2.40.1
+
diff --git a/queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch b/queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch
new file mode 100644
index 00000000000..3455955afe9
--- /dev/null
+++ b/queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch
@@ -0,0 +1,64 @@ +From 04ccb12162d600467a8b7797bc70620b75f20357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 14:11:51 +0000 +Subject: Bluetooth: Fix hci_link_tx_to RCU lock usage + +From: Ying Hsu + +[ Upstream commit c7eaf80bfb0c8cef852cce9501b95dd5a6bddcb9 ] + +Syzbot found a bug "BUG: sleeping function called from invalid context +at kernel/locking/mutex.c:580". It is because hci_link_tx_to holds an +RCU read lock and calls hci_disconnect which would hold a mutex lock +since the commit a13f316e90fd ("Bluetooth: hci_conn: Consolidate code +for aborting connections"). Here's an example call trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xfc/0x174 lib/dump_stack.c:106 + ___might_sleep+0x4a9/0x4d3 kernel/sched/core.c:9663 + __mutex_lock_common kernel/locking/mutex.c:576 [inline] + __mutex_lock+0xc7/0x6e7 kernel/locking/mutex.c:732 + hci_cmd_sync_queue+0x3a/0x287 net/bluetooth/hci_sync.c:388 + hci_abort_conn+0x2cd/0x2e4 net/bluetooth/hci_conn.c:1812 + hci_disconnect+0x207/0x237 net/bluetooth/hci_conn.c:244 + hci_link_tx_to net/bluetooth/hci_core.c:3254 [inline] + __check_timeout net/bluetooth/hci_core.c:3419 [inline] + __check_timeout+0x310/0x361 net/bluetooth/hci_core.c:3399 + hci_sched_le net/bluetooth/hci_core.c:3602 [inline] + hci_tx_work+0xe8f/0x12d0 net/bluetooth/hci_core.c:3652 + process_one_work+0x75c/0xba1 kernel/workqueue.c:2310 + worker_thread+0x5b2/0x73a kernel/workqueue.c:2457 + kthread+0x2f7/0x30b kernel/kthread.c:319 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 + +This patch releases RCU read lock before calling hci_disconnect and +reacquires it afterward to fix the bug. 
+ +Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections") +Signed-off-by: Ying Hsu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 29ae9b254a34e..e57d7c25511f4 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3418,7 +3418,12 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type) + if (c->type == type && c->sent) { + bt_dev_err(hdev, "killing stalled connection %pMR", + &c->dst); ++ /* hci_disconnect might sleep, so, we have to release ++ * the RCU read lock before calling it. ++ */ ++ rcu_read_unlock(); + hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM); ++ rcu_read_lock(); + } + } + +-- +2.40.1 + diff --git a/queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch b/queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch new file mode 100644 index 00000000000..638eb4b9b36 --- /dev/null +++ b/queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch 
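Review bot: Releasing the RCU read lock around `hci_disconnect()` leaves `c` unprotected for the duration of the call, so the walk that resumes after `rcu_read_lock()` may step from an entry that was unlinked or freed in the meantime. The loop header is outside this hunk, but if it is an RCU list traversal, continuing from `c` after re-locking is not safe on its own; stopping after the first disconnect or restarting the walk from the list head would avoid relying on a stale cursor. At minimum the added comment should name what keeps `c` and its successor valid across the unlocked window, for example a lock held by the caller, if one exists.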
@@ -0,0 +1,57 @@ +From f0f41cc96e1d7b73784d28b0e2a563a0d2b6efea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 13:05:45 -0700 +Subject: Bluetooth: ISO: Fix handling of listen for unicast + +From: Luiz Augusto von Dentz + +[ Upstream commit e0275ea52169412b8faccb4e2f4fed8a057844c6 ] + +iso_listen_cis shall only return -EADDRINUSE if the listening socket has +the destination set to BDADDR_ANY otherwise if the destination is set to +a specific address it is for broadcast which shall be ignored. + +Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 9b6a7eb2015f0..42f7b257bdfbc 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -499,7 +499,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) + } + + /* -------- Socket interface ---------- */ +-static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *ba) ++static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst) + { + struct sock *sk; + +@@ -507,7 +507,10 @@ static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *ba) + if (sk->sk_state != BT_LISTEN) + continue; + +- if (!bacmp(&iso_pi(sk)->src, ba)) ++ if (bacmp(&iso_pi(sk)->dst, dst)) ++ continue; ++ ++ if (!bacmp(&iso_pi(sk)->src, src)) + return sk; + } + +@@ -965,7 +968,7 @@ static int iso_listen_cis(struct sock *sk) + + write_lock(&iso_sk_list.lock); + +- if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src)) ++ if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst)) + err = -EADDRINUSE; + + write_unlock(&iso_sk_list.lock); +-- +2.40.1 + diff --git a/queue-6.5/bpf-fix-tr-dereferencing.patch b/queue-6.5/bpf-fix-tr-dereferencing.patch new file mode 100644 index 00000000000..9dd0bd55548 --- /dev/null 
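Review bot: `__iso_get_sock_listen_by_addr()` now matches on equality of both addresses, whereas the commit text states the rule as "destination set to BDADDR_ANY"; that only holds because `iso_listen_cis()` passes its own `dst`, which is presumably BDADDR_ANY for a unicast listener. A short comment above the helper would keep the assumption visible, e.g. `/* Find a listening socket matching src and dst; caller holds iso_sk_list.lock. Unicast listeners are expected to pass dst == BDADDR_ANY. */`. Both function bodies extend outside the hunks shown.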
+++ b/queue-6.5/bpf-fix-tr-dereferencing.patch @@ -0,0 +1,42 @@ +From 287ee069cc0173eae5148a3e854999db7e1d2569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Sep 2023 23:38:46 +0800 +Subject: bpf: Fix tr dereferencing + +From: Leon Hwang + +[ Upstream commit b724a6418f1f853bcb39c8923bf14a50c7bdbd07 ] + +Fix 'tr' dereferencing bug when CONFIG_BPF_JIT is turned off. + +When CONFIG_BPF_JIT is turned off, 'bpf_trampoline_get()' returns NULL, +which is same as the cases when CONFIG_BPF_JIT is turned on. + +Closes: https://lore.kernel.org/r/202309131936.5Nc8eUD0-lkp@intel.com/ +Fixes: f7b12b6fea00 ("bpf: verifier: refactor check_attach_btf_id()") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Leon Hwang +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230917153846.88732-1-hffilwlqm@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 477d91b926b35..6ba9d3ed8f0b0 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -1294,7 +1294,7 @@ static inline int bpf_trampoline_unlink_prog(struct bpf_tramp_link *link, + static inline struct bpf_trampoline *bpf_trampoline_get(u64 key, + struct bpf_attach_target_info *tgt_info) + { +- return ERR_PTR(-EOPNOTSUPP); ++ return NULL; + } + static inline void bpf_trampoline_put(struct bpf_trampoline *tr) {} + #define DEFINE_BPF_DISPATCHER(name) +-- +2.40.1 + diff --git a/queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch b/queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch new file mode 100644 index 00000000000..e6db2d625f3 --- /dev/null +++ b/queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch 
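Review bot: The `!CONFIG_BPF_JIT` stub of `bpf_trampoline_get()` now reports failure as NULL, and nothing at the definition says so; a caller that tests the result with `IS_ERR()` would take NULL for success and dereference it. A one-line comment on the stub would pin the contract: `/* Returns NULL on failure, like the CONFIG_BPF_JIT=y version; test with !tr, not IS_ERR(). */`. The callers are not part of this hunk, so whether any of them still use `IS_ERR()` has to be checked in the tree this is queued for.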
@@ -0,0 +1,59 @@ +From 4c7577da359b1848b7ebe21ad1273bcbb999b140 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 20:52:59 -0700 +Subject: bpf, sockmap: Do not inc copied_seq when PEEK flag set + +From: John Fastabend + +[ Upstream commit da9e915eaf5dadb1963b7738cdfa42ed55212445 ] + +When data is peek'd off the receive queue we shouldn't considered it +copied from tcp_sock side. When we increment copied_seq this will confuse +tcp_data_ready() because copied_seq can be arbitrarily increased. From +application side it results in poll() operations not waking up when +expected. + +Notice tcp stack without BPF recvmsg programs also does not increment +copied_seq. + +We broke this when we moved copied_seq into recvmsg to only update when +actual copy was happening. But, it wasn't working correctly either before +because the tcp_data_ready() tried to use the copied_seq value to see +if data was read by user yet. See fixes tags. + +Fixes: e5c6de5fa0258 ("bpf, sockmap: Incorrectly handling copied_seq") +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230926035300.135096-3-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 81f0dff69e0b6..3272682030015 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -222,6 +222,7 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + int *addr_len) + { + struct tcp_sock *tcp = tcp_sk(sk); ++ int peek = flags & MSG_PEEK; + u32 seq = tcp->copied_seq; + struct sk_psock *psock; + int copied = 0; +@@ -311,7 +312,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + copied = -EAGAIN; + } + out: +- WRITE_ONCE(tcp->copied_seq, seq); ++ if (!peek) ++ WRITE_ONCE(tcp->copied_seq, seq); + tcp_rcv_space_adjust(sk); + if (copied > 0) + 
__tcp_cleanup_rbuf(sk, copied); +-- +2.40.1 + diff --git a/queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch b/queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch new file mode 100644 index 00000000000..62d8f26eaea --- /dev/null +++ b/queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch 
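Review bot: `int peek = flags & MSG_PEEK;` keeps a flag test in an `int` although it is only used as a truth value at `if (!peek)`; `bool peek = flags & MSG_PEEK;` states the intent. The reason for skipping the write lives only in the commit message, so a comment at the check such as `/* MSG_PEEK must not advance copied_seq, or tcp_data_ready() stops waking pollers */` would help the next reader. `tcp_rcv_space_adjust(sk)` and `__tcp_cleanup_rbuf(sk, copied)` still run on the peek path; that looks intended since `copied_seq` is unchanged, but the rest of the function is outside the hunks shown.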
@@ -0,0 +1,102 @@ +From 3ff49e8f1f554ca6b851b0395aeb50f176a97827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 12:20:55 +0200 +Subject: bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets + +From: Jakub Sitnicki + +[ Upstream commit b80e31baa43614e086a9d29dc1151932b1bd7fc5 ] + +With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages +sent from one TCP socket (s1) to actually egress from another TCP +socket (s2): + +tcp_bpf_sendmsg(s1) // = sk_prot->sendmsg + tcp_bpf_send_verdict(s1) // __SK_REDIRECT case + tcp_bpf_sendmsg_redir(s2) + tcp_bpf_push_locked(s2) + tcp_bpf_push(s2) + tcp_rate_check_app_limited(s2) // expects tcp_sock + tcp_sendmsg_locked(s2) // ditto + +There is a hard-coded assumption in the call-chain, that the egress +socket (s2) is a TCP socket. + +However in commit 122e6c79efe1 ("sock_map: Update sock type checks for +UDP") we have enabled redirects to non-TCP sockets. This was done for the +sake of BPF sk_skb programs. There was no indention to support sk_msg +send-to-egress use case. + +As a result, attempts to send-to-egress through a non-TCP socket lead to a +crash due to invalid downcast from sock to tcp_sock: + + BUG: kernel NULL pointer dereference, address: 000000000000002f + ... + Call Trace: + + ? show_regs+0x60/0x70 + ? __die+0x1f/0x70 + ? page_fault_oops+0x80/0x160 + ? do_user_addr_fault+0x2d7/0x800 + ? rcu_is_watching+0x11/0x50 + ? exc_page_fault+0x70/0x1c0 + ? asm_exc_page_fault+0x27/0x30 + ? tcp_tso_segs+0x14/0xa0 + tcp_write_xmit+0x67/0xce0 + __tcp_push_pending_frames+0x32/0xf0 + tcp_push+0x107/0x140 + tcp_sendmsg_locked+0x99f/0xbb0 + tcp_bpf_push+0x19d/0x3a0 + tcp_bpf_sendmsg_redir+0x55/0xd0 + tcp_bpf_send_verdict+0x407/0x550 + tcp_bpf_sendmsg+0x1a1/0x390 + inet_sendmsg+0x6a/0x70 + sock_sendmsg+0x9d/0xc0 + ? sockfd_lookup_light+0x12/0x80 + __sys_sendto+0x10e/0x160 + ? syscall_enter_from_user_mode+0x20/0x60 + ? __this_cpu_preempt_check+0x13/0x20 + ? 
lockdep_hardirqs_on+0x82/0x110 + __x64_sys_sendto+0x1f/0x30 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg +program to prevent the crash. When attempted, user will receive an EACCES +error from send/sendto/sendmsg() syscall. + +Fixes: 122e6c79efe1 ("sock_map: Update sock type checks for UDP") +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20230920102055.42662-1-jakub@cloudflare.com +Signed-off-by: Sasha Levin +--- + net/core/sock_map.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 8f07fea39d9ea..3fc4086a414ea 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -668,6 +668,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg, + sk = __sock_map_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +@@ -1267,6 +1269,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg, + sk = __sock_hash_lookup_elem(map, key); + if (unlikely(!sk || !sock_map_redirect_allowed(sk))) + return SK_DROP; ++ if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk)) ++ return SK_DROP; + + msg->flags = flags; + msg->sk_redir = sk; +-- +2.40.1 + diff --git a/queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch b/queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch new file mode 100644 index 00000000000..6c1fd9613ea --- /dev/null +++ b/queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch 
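Review bot: The egress check is added verbatim in both `bpf_msg_redirect_map` and `bpf_msg_redirect_hash` with no comment, so the reason for it exists only in the commit message. Because it guards a type assumption whose violation crashes the kernel, it deserves a line at the check: `/* sk_msg egress redirect ends in tcp_sendmsg_locked(), which requires a tcp_sock */`. Moving the test into one small static function called from both sites would also keep the two paths from drifting apart. Both function bodies continue outside the hunks.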
@@ -0,0 +1,99 @@ +From cda142636621f4423ca14781c98976b4c1bd508c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 20:52:58 -0700 +Subject: bpf: tcp_read_skb needs to pop skb regardless of seq + +From: John Fastabend + +[ Upstream commit 9b7177b1df64b8d7f85700027c324aadd6aded00 ] + +Before fix e5c6de5fa0258 tcp_read_skb() would increment the tp->copied-seq +value. This (as described in the commit) would cause an error for apps +because once that is incremented the application might believe there is no +data to be read. Then some apps would stall or abort believing no data is +available. + +However, the fix is incomplete because it introduces another issue in +the skb dequeue. The loop does tcp_recv_skb() in a while loop to consume +as many skbs as possible. The problem is the call is ... + + tcp_recv_skb(sk, seq, &offset) + +... where 'seq' is: + + u32 seq = tp->copied_seq; + +Now we can hit a case where we've yet incremented copied_seq from BPF side, +but then tcp_recv_skb() fails this test ... + + if (offset < skb->len || (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)) + +... so that instead of returning the skb we call tcp_eat_recv_skb() which +frees the skb. This is because the routine believes the SKB has been collapsed +per comment: + + /* This looks weird, but this can happen if TCP collapsing + * splitted a fat GRO packet, while we released socket lock + * in skb_splice_bits() + */ + +This can't happen here we've unlinked the full SKB and orphaned it. Anyways +it would confuse any BPF programs if the data were suddenly moved underneath +it. + +To fix this situation do simpler operation and just skb_peek() the data +of the queue followed by the unlink. It shouldn't need to check this +condition and tcp_read_skb() reads entire skbs so there is no need to +handle the 'offset!=0' case as we would see in tcp_read_sock(). 
+ +Fixes: e5c6de5fa0258 ("bpf, sockmap: Incorrectly handling copied_seq") +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230926035300.135096-2-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 75f24b931a185..9cfc07d1e4252 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1618,16 +1618,13 @@ EXPORT_SYMBOL(tcp_read_sock); + + int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) + { +- struct tcp_sock *tp = tcp_sk(sk); +- u32 seq = tp->copied_seq; + struct sk_buff *skb; + int copied = 0; +- u32 offset; + + if (sk->sk_state == TCP_LISTEN) + return -ENOTCONN; + +- while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) { ++ while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) { + u8 tcp_flags; + int used; + +@@ -1640,13 +1637,10 @@ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) + copied = used; + break; + } +- seq += used; + copied += used; + +- if (tcp_flags & TCPHDR_FIN) { +- ++seq; ++ if (tcp_flags & TCPHDR_FIN) + break; +- } + } + return copied; + } +-- +2.40.1 + diff --git a/queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch b/queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch new file mode 100644 index 00000000000..1cffd97401e --- /dev/null +++ b/queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch 
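Review bot: With `seq` gone, the `while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)` loop makes progress only if the skb is unlinked in the part of the body that this hunk does not show; any path there that left the skb queued would have `skb_peek()` return the same skb again. A comment at the loop would record both the invariant and the division of work, e.g. `/* Each iteration unlinks one whole skb from the head of the queue; copied_seq is not touched here. */`. The function no longer reads `tp->copied_seq` at all, which is worth stating in the comment above `tcp_read_skb()` if one exists outside this hunk.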
@@ -0,0 +1,55 @@ +From 842ebdaf6c091003bc4d28bf7e8eaf432f98aab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 14:01:10 -0700 +Subject: bpf: unconditionally reset backtrack_state masks on global func exit + +From: Andrii Nakryiko + +[ Upstream commit 81335f90e8a88b81932df011105c46e708744f44 ] + +In mark_chain_precision() logic, when we reach the entry to a global +func, it is expected that R1-R5 might be still requested to be marked +precise. This would correspond to some integer input arguments being +tracked as precise. This is all expected and handled as a special case. + +What's not expected is that we'll leave backtrack_state structure with +some register bits set. This is because for subsequent precision +propagations backtrack_state is reused without clearing masks, as all +code paths are carefully written in a way to leave empty backtrack_state +with zeroed out masks, for speed. + +The fix is trivial, we always clear register bit in the register mask, and +then, optionally, set reg->precise if register is SCALAR_VALUE type. 
+ +Reported-by: Chris Mason +Fixes: be2ef8161572 ("bpf: allow precision tracking for programs with subprogs") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20230918210110.2241458-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 9cdba4ce23d2b..93fd32f2957b7 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4039,11 +4039,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno) + bitmap_from_u64(mask, bt_reg_mask(bt)); + for_each_set_bit(i, mask, 32) { + reg = &st->frame[0]->regs[i]; +- if (reg->type != SCALAR_VALUE) { +- bt_clear_reg(bt, i); +- continue; +- } +- reg->precise = true; ++ bt_clear_reg(bt, i); ++ if (reg->type == SCALAR_VALUE) ++ reg->precise = true; + } + return 0; + } +-- +2.40.1 + diff --git a/queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch b/queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch new file mode 100644 index 00000000000..306f4f5dde0 --- /dev/null +++ b/queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch 
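Review bot: The now unconditional `bt_clear_reg(bt, i)` carries no comment, and the invariant it restores is described only in the commit message: `backtrack_state` is reused without clearing, so every exit must leave its masks empty. Suggest adding `/* always clear the bit: bt is reused and must leave here with empty masks */` above the call. The enclosing function starts before the hunk, so any other exit paths that must keep the same invariant are not visible here.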
@@ -0,0 +1,78 @@ +From 830189ade0c0f19685f4e49032ee357d8940e308 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 17:25:02 +0300 +Subject: drivers/net: process the result of hdlc_open() and add call of + hdlc_close() in uhdlc_close() + +From: Alexandra Diupina + +[ Upstream commit a59addacf899b1b21a7b7449a1c52c98704c2472 ] + +Process the result of hdlc_open() and call uhdlc_close() +in case of an error. It is necessary to pass the error +code up the control flow, similar to a possible +error in request_irq(). +Also add a hdlc_close() call to the uhdlc_close() +because the comment to hdlc_close() says it must be called +by the hardware driver when the HDLC device is being closed + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC") +Signed-off-by: Alexandra Diupina +Reviewed-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/fsl_ucc_hdlc.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c +index 47c2ad7a3e429..fd50bb313b924 100644 +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -34,6 +34,8 @@ + #define TDM_PPPOHT_SLIC_MAXIN + #define RX_BD_ERRORS (R_CD_S | R_OV_S | R_CR_S | R_AB_S | R_NO_S | R_LG_S) + ++static int uhdlc_close(struct net_device *dev); ++ + static struct ucc_tdm_info utdm_primary_info = { + .uf_info = { + .tsa = 0, +@@ -708,6 +710,7 @@ static int uhdlc_open(struct net_device *dev) + hdlc_device *hdlc = dev_to_hdlc(dev); + struct ucc_hdlc_private *priv = hdlc->priv; + struct ucc_tdm *utdm = priv->utdm; ++ int rc = 0; + + if (priv->hdlc_busy != 1) { + if (request_irq(priv->ut_info->uf_info.irq, +@@ -731,10 +734,13 @@ static int uhdlc_open(struct net_device *dev) + napi_enable(&priv->napi); + netdev_reset_queue(dev); + netif_start_queue(dev); +- hdlc_open(dev); ++ ++ rc 
= hdlc_open(dev); ++ if (rc) ++ uhdlc_close(dev); + } + +- return 0; ++ return rc; + } + + static void uhdlc_memclean(struct ucc_hdlc_private *priv) +@@ -824,6 +830,8 @@ static int uhdlc_close(struct net_device *dev) + netdev_reset_queue(dev); + priv->hdlc_busy = 0; + ++ hdlc_close(dev); ++ + return 0; + } + +-- +2.40.1 + diff --git a/queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch b/queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch new file mode 100644 index 00000000000..e89cd0a4b5f --- /dev/null +++ b/queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch @@ -0,0 +1,39 @@ +From dc70e568297472a081ac7b1348245573dc266029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 16:27:28 +0800 +Subject: erofs: allow empty device tags in flatdev mode + +From: Jingbo Xu + +[ Upstream commit f939aeea7ab7d96cd321e7ac107f5a070836b66f ] + +Device tags aren't actually required in flatdev mode, thus fix mount +failure due to empty device tags in flatdev mode. + +Signed-off-by: Jingbo Xu +Fixes: 8b465fecc35a ("erofs: support flattened block device for multi-blob images") +Reviewed-by: Jia Zhu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20230915082728.56588-1-jefflexu@linux.alibaba.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 566f68ddfa36e..31a103399412e 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -238,7 +238,7 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb, + return PTR_ERR(ptr); + dis = ptr + erofs_blkoff(sb, *pos); + +- if (!dif->path) { ++ if (!sbi->devs->flatdev && !dif->path) { + if (!dis->tag[0]) { + erofs_err(sb, "empty device tag @ pos %llu", *pos); + return -EINVAL; +-- +2.40.1 + 
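Review bot: When `hdlc_open()` fails, the new error path calls `uhdlc_close(dev)`, and this same patch makes `uhdlc_close()` call `hdlc_close(dev)`, so `hdlc_close()` now runs on a device whose `hdlc_open()` did not succeed. Whether `hdlc_close()` tolerates that state (for instance when no protocol is attached) is not visible here and should be confirmed before relying on it. If it does not, the failure path should undo only what `uhdlc_open()` itself set up and leave `hdlc_close()` to the normal close path. Both functions extend beyond the hunks shown.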
diff --git a/queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch b/queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch
new file mode 100644
index 00000000000..e786ea317f1
--- /dev/null
+++ b/queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch
@@ -0,0 +1,45 @@
+From 4d87268a09d337221869ce6bcc2fecdc6f57fd81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Sep 2023 13:05:42 +0800
+Subject: erofs: fix memory leak of LZMA global compressed deduplication
+
+From: Gao Xiang
+
+[ Upstream commit 75a5221630fe5aa3fedba7a06be618db0f79ba1e ]
+
+When stressing microLZMA EROFS images with the new global compressed
+deduplication feature enabled (`-Ededupe`), I found some short-lived
+temporary pages weren't properly released, which could slowly cause
+unexpected OOMs hours later.
+
+Let's fix it now (LZ4 and DEFLATE don't have this issue.)
+
+Fixes: 5c2a64252c5d ("erofs: introduce partial-referenced pclusters")
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20230907050542.97152-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/decompressor_lzma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/erofs/decompressor_lzma.c b/fs/erofs/decompressor_lzma.c
+index 73091fbe3ea45..dee10d22ada96 100644
+--- a/fs/erofs/decompressor_lzma.c
++++ b/fs/erofs/decompressor_lzma.c
+@@ -217,9 +217,12 @@ int z_erofs_lzma_decompress(struct z_erofs_decompress_req *rq,
+ strm->buf.out_size = min_t(u32, outlen,
+ PAGE_SIZE - pageofs);
+ outlen -= strm->buf.out_size;
+- if (!rq->out[no] && rq->fillgaps) /* deduped */
++ if (!rq->out[no] && rq->fillgaps) { /* deduped */
+ rq->out[no] = erofs_allocpage(pagepool,
+ GFP_KERNEL | __GFP_NOFAIL);
++ set_page_private(rq->out[no],
++ Z_EROFS_SHORTLIVED_PAGE);
++ }
+ if (rq->out[no])
+ strm->buf.out = kmap(rq->out[no]) + pageofs;
+ pageofs = 0;
+--
+2.40.1
+
diff --git a/queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch b/queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch
new file mode 100644
index 00000000000..1e7f015e739
--- /dev/null
+++ b/queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch
@@ -0,0 +1,100 @@ +From 32462b23634b844a10f671d676ba9b991bba7f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 10:15:48 +0530 +Subject: ethtool: plca: fix plca enable data type while parsing the value + +From: Parthiban Veerasooran + +[ Upstream commit 8957261cd8149ed9d0738c01c0320bcbff989407 ] + +The ETHTOOL_A_PLCA_ENABLED data type is u8. But while parsing the +value from the attribute, nla_get_u32() is used in the plca_update_sint() +function instead of nla_get_u8(). So plca_cfg.enabled variable is updated +with some garbage value instead of 0 or 1 and always enables plca even +though plca is disabled through ethtool application. This bug has been +fixed by parsing the values based on the attributes type in the policy. + +Fixes: 8580e16c28f3 ("net/ethtool: add netlink interface for the PLCA RS") +Signed-off-by: Parthiban Veerasooran +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230908044548.5878-1-Parthiban.Veerasooran@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/plca.c | 45 +++++++++++++++++++++++++++++---------------- + 1 file changed, 29 insertions(+), 16 deletions(-) + +diff --git a/net/ethtool/plca.c b/net/ethtool/plca.c +index 5a8cab4df0c9c..a9334937ace26 100644 +--- a/net/ethtool/plca.c ++++ b/net/ethtool/plca.c +@@ -21,16 +21,6 @@ struct plca_reply_data { + #define PLCA_REPDATA(__reply_base) \ + container_of(__reply_base, struct plca_reply_data, base) + +-static void plca_update_sint(int *dst, const struct nlattr *attr, +- bool *mod) +-{ +- if (!attr) +- return; +- +- *dst = nla_get_u32(attr); +- *mod = true; +-} +- + // PLCA get configuration message ------------------------------------------- // + + const struct nla_policy ethnl_plca_get_cfg_policy[] = { +@@ -38,6 +28,29 @@ const struct nla_policy ethnl_plca_get_cfg_policy[] = { + NLA_POLICY_NESTED(ethnl_header_policy), + }; + ++static void plca_update_sint(int *dst, struct nlattr **tb, u32 attrid, ++ bool *mod) ++{ ++ 
const struct nlattr *attr = tb[attrid]; ++ ++ if (!attr || ++ WARN_ON_ONCE(attrid >= ARRAY_SIZE(ethnl_plca_set_cfg_policy))) ++ return; ++ ++ switch (ethnl_plca_set_cfg_policy[attrid].type) { ++ case NLA_U8: ++ *dst = nla_get_u8(attr); ++ break; ++ case NLA_U32: ++ *dst = nla_get_u32(attr); ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ } ++ ++ *mod = true; ++} ++ + static int plca_get_cfg_prepare_data(const struct ethnl_req_info *req_base, + struct ethnl_reply_data *reply_base, + struct genl_info *info) +@@ -144,13 +157,13 @@ ethnl_set_plca(struct ethnl_req_info *req_info, struct genl_info *info) + return -EOPNOTSUPP; + + memset(&plca_cfg, 0xff, sizeof(plca_cfg)); +- plca_update_sint(&plca_cfg.enabled, tb[ETHTOOL_A_PLCA_ENABLED], &mod); +- plca_update_sint(&plca_cfg.node_id, tb[ETHTOOL_A_PLCA_NODE_ID], &mod); +- plca_update_sint(&plca_cfg.node_cnt, tb[ETHTOOL_A_PLCA_NODE_CNT], &mod); +- plca_update_sint(&plca_cfg.to_tmr, tb[ETHTOOL_A_PLCA_TO_TMR], &mod); +- plca_update_sint(&plca_cfg.burst_cnt, tb[ETHTOOL_A_PLCA_BURST_CNT], ++ plca_update_sint(&plca_cfg.enabled, tb, ETHTOOL_A_PLCA_ENABLED, &mod); ++ plca_update_sint(&plca_cfg.node_id, tb, ETHTOOL_A_PLCA_NODE_ID, &mod); ++ plca_update_sint(&plca_cfg.node_cnt, tb, ETHTOOL_A_PLCA_NODE_CNT, &mod); ++ plca_update_sint(&plca_cfg.to_tmr, tb, ETHTOOL_A_PLCA_TO_TMR, &mod); ++ plca_update_sint(&plca_cfg.burst_cnt, tb, ETHTOOL_A_PLCA_BURST_CNT, + &mod); +- plca_update_sint(&plca_cfg.burst_tmr, tb[ETHTOOL_A_PLCA_BURST_TMR], ++ plca_update_sint(&plca_cfg.burst_tmr, tb, ETHTOOL_A_PLCA_BURST_TMR, + &mod); + if (!mod) + return 0; +-- +2.40.1 + diff --git a/queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch b/queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch new file mode 100644 index 00000000000..2b4e2e3732a --- /dev/null +++ b/queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch 
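Review bot: In the new `plca_update_sint()`, the `default:` branch warns and then falls through to `*mod = true`, so an attribute with an unexpected policy type marks the configuration as modified although `*dst` was never written. Returning from that branch fixes it: `default: WARN_ON_ONCE(1); return;`. Separately, `tb[attrid]` is read before the `attrid >= ARRAY_SIZE(ethnl_plca_set_cfg_policy)` test, so that bound does not cover the `tb` access. Every call site in this hunk passes a constant, which makes this harmless today, but doing the range check before indexing `tb` would make the guard mean what it says.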
@@ -0,0 +1,55 @@ +From 7b677f94166a61b92b96db00baaa3018b7cd1b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 08:53:32 -0700 +Subject: HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit + +From: Srinivas Pandruvada + +[ Upstream commit 8f02139ad9a7e6e5c05712f8c1501eebed8eacfd ] + +The EHL (Elkhart Lake) based platforms provide a OOB (Out of band) +service, which allows to wakup device when the system is in S5 (Soft-Off +state). This OOB service can be enabled/disabled from BIOS settings. When +enabled, the ISH device gets PME wake capability. To enable PME wakeup, +driver also needs to enable ACPI GPE bit. + +On resume, BIOS will clear the wakeup bit. So driver need to re-enable it +in resume function to keep the next wakeup capability. But this BIOS +clearing of wakeup bit doesn't decrement internal OS GPE reference count, +so this reenabling on every resume will cause reference count to overflow. + +So first disable and reenable ACPI GPE bit using acpi_disable_gpe(). + +Fixes: 2e23a70edabe ("HID: intel-ish-hid: ipc: finish power flow for EHL OOB") +Reported-by: Kai-Heng Feng +Closes: https://lore.kernel.org/lkml/CAAd53p4=oLYiH2YbVSmrPNj1zpMcfp=Wxbasb5vhMXOWCArLCg@mail.gmail.com/T/ +Tested-by: Kai-Heng Feng +Signed-off-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +index 55cb25038e632..710fda5f19e1c 100644 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -133,6 +133,14 @@ static int enable_gpe(struct device *dev) + } + wakeup = &adev->wakeup; + ++ /* ++ * Call acpi_disable_gpe(), so that reference count ++ * gpe_event_info->runtime_count doesn't overflow. ++ * When gpe_event_info->runtime_count = 0, the call ++ * to acpi_disable_gpe() simply return. 
++ */ ++ acpi_disable_gpe(wakeup->gpe_device, wakeup->gpe_number); ++ + acpi_sts = acpi_enable_gpe(wakeup->gpe_device, wakeup->gpe_number); + if (ACPI_FAILURE(acpi_sts)) { + dev_err(dev, "enable ose_gpe failed\n"); +-- +2.40.1 + diff --git a/queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch b/queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch new file mode 100644 index 00000000000..3d8c7696d39 --- /dev/null +++ b/queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch 
@@ -0,0 +1,46 @@
+From 956fcfe749d60f7dec4b9938963a20ac8b902931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Sep 2023 17:05:17 -0700
+Subject: HID: nvidia-shield: add LEDS_CLASS dependency
+
+From: Randy Dunlap
+
+[ Upstream commit 058574879853260a22bbec1f94221dfc5149d85c ]
+
+The hid-nvidia-shield driver uses functions that are built
+only when LEDS_CLASS is set, so make the driver depend on that
+symbol to prevent build errors.
+
+riscv32-linux-ld: drivers/hid/hid-nvidia-shield.o: in function `.L11':
+hid-nvidia-shield.c:(.text+0x192): undefined reference to `led_classdev_unregister'
+riscv32-linux-ld: drivers/hid/hid-nvidia-shield.o: in function `.L113':
+hid-nvidia-shield.c:(.text+0xfa4): undefined reference to `led_classdev_register_ext'
+
+Fixes: 09308562d4af ("HID: nvidia-shield: Initial driver implementation with Thunderstrike support")
+Signed-off-by: Randy Dunlap
+Cc: Rahul Rameshbabu
+Cc: Jiri Kosina
+Cc: Benjamin Tissoires
+Cc: linux-input@vger.kernel.org
+Reviewed-by: Rahul Rameshbabu
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
+index e11c1c8036769..dc456c86e9569 100644
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -792,6 +792,7 @@ config HID_NVIDIA_SHIELD
+ tristate "NVIDIA SHIELD devices"
+ depends on USB_HID
+ depends on BT_HIDP
++ depends on LEDS_CLASS
+ help
+ Support for NVIDIA SHIELD accessories.
+
+--
+2.40.1
+
diff --git a/queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch b/queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch
new file mode 100644
index 00000000000..77f67a377ea
--- /dev/null
+++ b/queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch
@@ -0,0 +1,52 @@
+From e60a7575252c9d9d5ad3c16590cfd51c4a1d3d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Sep 2023 04:54:30 -0700
+Subject: HID: nvidia-shield: Fix a missing led_classdev_unregister() in the
+ probe error handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit b07b6b27a50e3a740c9aa6260ee4bb3ab29515ab ]
+
+The commit in Fixes updated the error handling path of
+thunderstrike_create() and the remove function but not the error handling
+path of shield_probe(), should an error occur after a successful
+thunderstrike_create() call.
+
+Add the missing call. Make sure it is safe to call in the probe error
+handling path by preventing the led_classdev from attempting to set the LED
+brightness to the off state on unregister.
+
+Fixes: f88af60e74a5 ("HID: nvidia-shield: Support LED functionality for Thunderstrike")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Rahul Rameshbabu
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-nvidia-shield.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-nvidia-shield.c b/drivers/hid/hid-nvidia-shield.c
+index 9c44974135079..1ce9e42f57c71 100644
+--- a/drivers/hid/hid-nvidia-shield.c
++++ b/drivers/hid/hid-nvidia-shield.c
+@@ -482,7 +482,7 @@ static inline int thunderstrike_led_create(struct thunderstrike *ts)
+
+ led->name = "thunderstrike:blue:led";
+ led->max_brightness = 1;
+- led->flags = LED_CORE_SUSPENDRESUME;
++ led->flags = LED_CORE_SUSPENDRESUME | LED_RETAIN_AT_SHUTDOWN;
+ led->brightness_get = &thunderstrike_led_get_brightness;
+ led->brightness_set = &thunderstrike_led_set_brightness;
+
+@@ -694,6 +694,7 @@ static int shield_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ err_haptics:
+ if (ts->haptics_dev)
+ input_unregister_device(ts->haptics_dev);
++ led_classdev_unregister(&ts->led_dev);
+ return ret;
+ }
+
+--
+2.40.1
+
diff --git a/queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch b/queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch
new file mode 100644
index 00000000000..c3ed63c3abc
--- /dev/null
+++ b/queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch
@@ -0,0 +1,37 @@
+From ec0975974061df7ddd17f572e8b4b74920703872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Sep 2023 18:04:00 +0200
+Subject: HID: sony: Fix a potential memory leak in sony_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit e1cd4004cde7c9b694bbdd8def0e02288ee58c74 ]
+
+If an error occurs after a successful usb_alloc_urb() call, usb_free_urb()
+should be called.
+
+Fixes: fb1a79a6b6e1 ("HID: sony: fix freeze when inserting ghlive ps3/wii dongles")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-sony.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index dd942061fd775..a02046a78b2da 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -2155,6 +2155,9 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ return ret;
+
+ err:
++ if (sc->ghl_urb)
++ usb_free_urb(sc->ghl_urb);
++
+ hid_hw_stop(hdev);
+ return ret;
+ }
+--
+2.40.1
+
diff --git a/queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch b/queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch
new file mode 100644
index 00000000000..687e742ad60
--- /dev/null
+++ b/queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch
@@ -0,0 +1,37 @@
+From 28de6516fff7f7a7c4a8a58f9512636dd78c600e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Oct 2023 21:10:41 +0200
+Subject: HID: sony: remove duplicate NULL check before calling usb_free_urb()
+
+From: Jiri Kosina
+
+[ Upstream commit b328dd02e19cb9d3b35de4322f5363516a20ac8c ]
+
+usb_free_urb() does the NULL check itself, so there is no need to duplicate
+it prior to calling.
+
+Reported-by: kernel test robot
+Fixes: e1cd4004cde7c9 ("HID: sony: Fix a potential memory leak in sony_probe()")
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-sony.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index a02046a78b2da..ebc0aa4e4345f 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -2155,8 +2155,7 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ return ret;
+
+ err:
+- if (sc->ghl_urb)
+- usb_free_urb(sc->ghl_urb);
++ usb_free_urb(sc->ghl_urb);
+
+ hid_hw_stop(hdev);
+ return ret;
+--
+2.40.1
+
diff --git a/queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch b/queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch
new file mode 100644
index 00000000000..25f971041f4
--- /dev/null
+++ b/queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch
@@ -0,0 +1,72 @@ +From 7320c7dc9f31011a7e4e679e46899f2b19e6c52e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 16:42:51 -0500 +Subject: ibmveth: Remove condition to recompute TCP header checksum. + +From: David Wilder + +[ Upstream commit 51e7a66666e0ca9642c59464ef8359f0ac604d41 ] + +In some OVS environments the TCP pseudo header checksum may need to be +recomputed. Currently this is only done when the interface instance is +configured for "Trunk Mode". We found the issue also occurs in some +Kubernetes environments, these environments do not use "Trunk Mode", +therefor the condition is removed. + +Performance tests with this change show only a fractional decrease in +throughput (< 0.2%). + +Fixes: 7525de2516fb ("ibmveth: Set CHECKSUM_PARTIAL if NULL TCP CSUM.") +Signed-off-by: David Wilder +Reviewed-by: Nick Child +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 832a2ae019509..a8d79ee350f8d 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1303,24 +1303,23 @@ static void ibmveth_rx_csum_helper(struct sk_buff *skb, + * the user space for finding a flow. During this process, OVS computes + * checksum on the first packet when CHECKSUM_PARTIAL flag is set. + * +- * So, re-compute TCP pseudo header checksum when configured for +- * trunk mode. ++ * So, re-compute TCP pseudo header checksum. 
+ */ ++ + if (iph_proto == IPPROTO_TCP) { + struct tcphdr *tcph = (struct tcphdr *)(skb->data + iphlen); ++ + if (tcph->check == 0x0000) { + /* Recompute TCP pseudo header checksum */ +- if (adapter->is_active_trunk) { +- tcphdrlen = skb->len - iphlen; +- if (skb_proto == ETH_P_IP) +- tcph->check = +- ~csum_tcpudp_magic(iph->saddr, +- iph->daddr, tcphdrlen, iph_proto, 0); +- else if (skb_proto == ETH_P_IPV6) +- tcph->check = +- ~csum_ipv6_magic(&iph6->saddr, +- &iph6->daddr, tcphdrlen, iph_proto, 0); +- } ++ tcphdrlen = skb->len - iphlen; ++ if (skb_proto == ETH_P_IP) ++ tcph->check = ++ ~csum_tcpudp_magic(iph->saddr, ++ iph->daddr, tcphdrlen, iph_proto, 0); ++ else if (skb_proto == ETH_P_IPV6) ++ tcph->check = ++ ~csum_ipv6_magic(&iph6->saddr, ++ &iph6->daddr, tcphdrlen, iph_proto, 0); + /* Setup SKB fields for checksum offload */ + skb_partial_csum_set(skb, iphlen, + offsetof(struct tcphdr, check)); +-- +2.40.1 + diff --git a/queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch b/queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch new file mode 100644 index 00000000000..606cec49529 --- /dev/null +++ b/queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch 
@@ -0,0 +1,71 @@ +From 5fdadee1fd217f53059d0e58c3f332839556c7ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 13:54:38 +0200 +Subject: ice: always add legacy 32byte RXDID in supported_rxdids + +From: Michal Schmidt + +[ Upstream commit c070e51db5e2a98d3aef7c324b15209ba47f3dca ] + +When the PF and VF drivers both support flexible rx descriptors and have +negotiated the VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC capability, the VF driver +queries the PF for the list of supported descriptor formats +(VIRTCHNL_OP_GET_SUPPORTED_RXDIDS). The PF driver is supposed to set the +supported_rxdids bits that correspond to the descriptor formats the +firmware implements. The legacy 32-byte rx desc format is always +supported, even though it is not expressed in GLFLXP_RXDID_FLAGS. + +The ice driver does not advertise the legacy 32-byte rx desc support, +which leads to this failure to bring up the VF using the Intel +out-of-tree iavf driver: + iavf 0000:41:01.0: PF does not list support for default Rx descriptor format + ... + iavf 0000:41:01.0: PF returned error -5 (VIRTCHNL_STATUS_ERR_PARAM) to our request 6 + +The in-tree iavf driver does not expose this bug, because it does not +yet implement VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC. + +The ice driver must always set the ICE_RXDID_LEGACY_1 bit in +supported_rxdids. The Intel out-of-tree ice driver and the ice driver in +DPDK both do this. + +I copied this piece of the code and the comment text from the Intel +out-of-tree driver. 
+ +Fixes: e753df8fbca5 ("ice: Add support Flex RXD") +Signed-off-by: Michal Schmidt +Reviewed-by: Przemek Kitszel +Link: https://lore.kernel.org/r/20230920115439.61172-1-mschmidt@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +index dcf628b1fccd9..33ac6c4a8928f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +@@ -2615,12 +2615,14 @@ static int ice_vc_query_rxdid(struct ice_vf *vf) + goto err; + } + +- /* Read flexiflag registers to determine whether the +- * corresponding RXDID is configured and supported or not. +- * Since Legacy 16byte descriptor format is not supported, +- * start from Legacy 32byte descriptor. ++ /* RXDIDs supported by DDP package can be read from the register ++ * to get the supported RXDID bitmap. But the legacy 32byte RXDID ++ * is not listed in DDP package, add it in the bitmap manually. ++ * Legacy 16byte descriptor is not supported. + */ +- for (i = ICE_RXDID_LEGACY_1; i < ICE_FLEX_DESC_RXDID_MAX_NUM; i++) { ++ rxdid->supported_rxdids |= BIT(ICE_RXDID_LEGACY_1); ++ ++ for (i = ICE_RXDID_FLEX_NIC; i < ICE_FLEX_DESC_RXDID_MAX_NUM; i++) { + regval = rd32(hw, GLFLXP_RXDID_FLAGS(i, 0)); + if ((regval >> GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_S) + & GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_M) +-- +2.40.1 + diff --git a/queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch b/queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch new file mode 100644 index 00000000000..878c530853c --- /dev/null +++ b/queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch 
@@ -0,0 +1,50 @@
+From 85ffeb6003aecd1b0aeb92763506ca6e25b04bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Sep 2023 06:45:05 +0000
+Subject: ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
+
+From: Oleksandr Tymoshenko
+
+[ Upstream commit be210c6d3597faf330cb9af33b9f1591d7b2a983 ]
+
+The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509
+and IMA_BLACKLIST_KEYRING unavailable because the latter
+two depend on the former. Since IMA_TRUSTED_KEYRING was
+deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it
+as a dependency for the two Kconfigs affected by the
+deprecation.
+
+Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig")
+Signed-off-by: Oleksandr Tymoshenko
+Reviewed-by: Nayna Jain
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/ima/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
+index c17660bf5f347..e6df7c930397c 100644
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -268,7 +268,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+ config IMA_BLACKLIST_KEYRING
+ bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
+ depends on SYSTEM_TRUSTED_KEYRING
+- depends on IMA_TRUSTED_KEYRING
++ depends on INTEGRITY_TRUSTED_KEYRING
+ default n
+ help
+ This option creates an IMA blacklist keyring, which contains all
+@@ -278,7 +278,7 @@ config IMA_BLACKLIST_KEYRING
+
+ config IMA_LOAD_X509
+ bool "Load X509 certificate onto the '.ima' trusted keyring"
+- depends on IMA_TRUSTED_KEYRING
++ depends on INTEGRITY_TRUSTED_KEYRING
+ default n
+ help
+ File signature verification is based on the public keys
+--
+2.40.1
+
diff --git a/queue-6.5/ima-rework-config_ima-dependency-block.patch b/queue-6.5/ima-rework-config_ima-dependency-block.patch
new file mode 100644
index 00000000000..efc2cf6902c
--- /dev/null
+++ b/queue-6.5/ima-rework-config_ima-dependency-block.patch 
@@ -0,0 +1,141 @@ +From e87be7ffdab2acb92d2f5041d753f3d3c0714305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 09:22:14 +0200 +Subject: ima: rework CONFIG_IMA dependency block + +From: Arnd Bergmann + +[ Upstream commit 91e326563ee34509c35267808a4b1b3ea3db62a8 ] + +Changing the direct dependencies of IMA_BLACKLIST_KEYRING and +IMA_LOAD_X509 caused them to no longer depend on IMA, but a +a configuration without IMA results in link failures: + +arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys': +iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509' + +aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify': +digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring' + +Adding explicit dependencies on IMA would fix this, but a more reliable +way to do this is to enclose the entire Kconfig file in an 'if IMA' block. +This also allows removing the existing direct dependencies. + +Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig") +Signed-off-by: Arnd Bergmann +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/Kconfig | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig +index e6df7c930397c..6ef7bde551263 100644 +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -29,9 +29,11 @@ config IMA + to learn more about IMA. + If unsure, say N. + ++if IMA ++ + config IMA_KEXEC + bool "Enable carrying the IMA measurement list across a soft boot" +- depends on IMA && TCG_TPM && HAVE_IMA_KEXEC ++ depends on TCG_TPM && HAVE_IMA_KEXEC + default n + help + TPM PCRs are only reset on a hard reboot. 
In order to validate +@@ -43,7 +45,6 @@ config IMA_KEXEC + + config IMA_MEASURE_PCR_IDX + int +- depends on IMA + range 8 14 + default 10 + help +@@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX + + config IMA_LSM_RULES + bool +- depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) ++ depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) + default y + help + Disabling this option will disregard LSM based policy rules. +@@ -61,7 +62,6 @@ config IMA_LSM_RULES + choice + prompt "Default template" + default IMA_NG_TEMPLATE +- depends on IMA + help + Select the default IMA measurement template. + +@@ -80,14 +80,12 @@ endchoice + + config IMA_DEFAULT_TEMPLATE + string +- depends on IMA + default "ima-ng" if IMA_NG_TEMPLATE + default "ima-sig" if IMA_SIG_TEMPLATE + + choice + prompt "Default integrity hash algorithm" + default IMA_DEFAULT_HASH_SHA1 +- depends on IMA + help + Select the default hash algorithm used for the measurement + list, integrity appraisal and audit log. The compiled default +@@ -117,7 +115,6 @@ endchoice + + config IMA_DEFAULT_HASH + string +- depends on IMA + default "sha1" if IMA_DEFAULT_HASH_SHA1 + default "sha256" if IMA_DEFAULT_HASH_SHA256 + default "sha512" if IMA_DEFAULT_HASH_SHA512 +@@ -126,7 +123,6 @@ config IMA_DEFAULT_HASH + + config IMA_WRITE_POLICY + bool "Enable multiple writes to the IMA policy" +- depends on IMA + default n + help + IMA policy can now be updated multiple times. The new rules get +@@ -137,7 +133,6 @@ config IMA_WRITE_POLICY + + config IMA_READ_POLICY + bool "Enable reading back the current IMA policy" +- depends on IMA + default y if IMA_WRITE_POLICY + default n if !IMA_WRITE_POLICY + help +@@ -147,7 +142,6 @@ config IMA_READ_POLICY + + config IMA_APPRAISE + bool "Appraise integrity measurements" +- depends on IMA + default n + help + This option enables local measurement integrity appraisal. 
+@@ -303,7 +297,6 @@ config IMA_APPRAISE_SIGNED_INIT + + config IMA_MEASURE_ASYMMETRIC_KEYS + bool +- depends on IMA + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y + default y + +@@ -322,7 +315,8 @@ config IMA_SECURE_AND_OR_TRUSTED_BOOT + + config IMA_DISABLE_HTABLE + bool "Disable htable to allow measurement of duplicate records" +- depends on IMA + default n + help + This option disables htable to allow measurement of duplicate records. ++ ++endif +-- +2.40.1 + diff --git a/queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch b/queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch new file mode 100644 index 00000000000..d7ee23902b6 --- /dev/null +++ b/queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch 
@@ -0,0 +1,68 @@ +From f132e3618f90770d9d2bc1fee1bfb1d764ba6231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Aug 2023 16:14:43 +0800 +Subject: iommu/mediatek: Fix share pgtable for iova over 4GB + +From: Yong Wu + +[ Upstream commit b07eba71a512eb196cbcc29765c29c8c29b11b59 ] + +In mt8192/mt8186, there is only one MM IOMMU that supports 16GB iova +space, which is shared by display, vcodec and camera. These two SoC use +one pgtable and have not the flag SHARE_PGTABLE, we should also keep +share pgtable for this case. + +In mtk_iommu_domain_finalise, MM IOMMU always share pgtable, thus remove +the flag SHARE_PGTABLE checking. Infra IOMMU always uses independent +pgtable. + +Fixes: cf69ef46dbd9 ("iommu/mediatek: Fix two IOMMU share pagetable issue") +Reported-by: Laura Nao +Closes: https://lore.kernel.org/linux-iommu/20230818154156.314742-1-laura.nao@collabora.com/ +Signed-off-by: Yong Wu +Reviewed-by: AngeloGioacchino Del Regno +Tested-by: Laura Nao +Link: https://lore.kernel.org/r/20230819081443.8333-1-yong.wu@mediatek.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index c2764891a779c..ef27f9f1e17ef 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -258,7 +258,7 @@ struct mtk_iommu_data { + struct device *smicomm_dev; + + struct mtk_iommu_bank_data *bank; +- struct mtk_iommu_domain *share_dom; /* For 2 HWs share pgtable */ ++ struct mtk_iommu_domain *share_dom; + + struct regmap *pericfg; + struct mutex mutex; /* Protect m4u_group/m4u_dom above */ +@@ -625,8 +625,8 @@ static int mtk_iommu_domain_finalise(struct mtk_iommu_domain *dom, + struct mtk_iommu_domain *share_dom = data->share_dom; + const struct mtk_iommu_iova_region *region; + +- /* Always use share domain in sharing pgtable case */ +- if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE) 
&& share_dom) {
++ /* Share pgtable when 2 MM IOMMU share the pgtable or one IOMMU use multiple iova ranges */
++ if (share_dom) {
+ dom->iop = share_dom->iop;
+ dom->cfg = share_dom->cfg;
+ dom->domain.pgsize_bitmap = share_dom->cfg.pgsize_bitmap;
+@@ -659,8 +659,7 @@ static int mtk_iommu_domain_finalise(struct mtk_iommu_domain *dom,
+ /* Update our support page sizes bitmap */
+ dom->domain.pgsize_bitmap = dom->cfg.pgsize_bitmap;
+
+- if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE))
+- data->share_dom = dom;
++ data->share_dom = dom;
+
+ update_iova_region:
+ /* Update the iova region for this domain */
+--
+2.40.1
+
diff --git a/queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch b/queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch
new file mode 100644
index 00000000000..02789ad2b2f
--- /dev/null
+++ b/queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch
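Review bot: With both `SHARE_PGTABLE` tests removed in `mtk_iommu_domain_finalise()`, every domain finalised against the same `mtk_iommu_data` after the first one reuses `share_dom->iop` and `share_dom->cfg`, yet the patch also deletes the only comment on the `share_dom` member. Domains on that IOMMU then share one set of translations, so there is no address-space separation between the masters behind it, and the field should say so, for example `struct mtk_iommu_domain *share_dom; /* first finalised domain; later domains on this IOMMU reuse its pgtable */`. The commit message states that the infra IOMMU keeps an independent page table, but nothing in the visible lines shows how that is guaranteed, so it is worth confirming that path never sees a non-NULL `share_dom`. The function body continues outside both inner hunks.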
@@ -0,0 +1,81 @@ +From 5f468c0bf640fe03f2837d39c4612a5ce341c440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 11:41:19 +0100 +Subject: ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() + +From: David Howells + +[ Upstream commit 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 ] + +Including the transhdrlen in length is a problem when the packet is +partially filled (e.g. something like send(MSG_MORE) happened previously) +when appending to an IPv4 or IPv6 packet as we don't want to repeat the +transport header or account for it twice. This can happen under some +circumstances, such as splicing into an L2TP socket. + +The symptom observed is a warning in __ip6_append_data(): + + WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800 + +that occurs when MSG_SPLICE_PAGES is used to append more data to an already +partially occupied skbuff. The warning occurs when 'copy' is larger than +the amount of data in the message iterator. This is because the requested +length includes the transport header length when it shouldn't. This can be +triggered by, for example: + + sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP); + bind(sfd, ...); // ::1 + connect(sfd, ...); // ::1 port 7 + send(sfd, buffer, 4100, MSG_MORE); + sendfile(sfd, dfd, NULL, 1024); + +Fix this by only adding transhdrlen into the length if the write queue is +empty in l2tp_ip6_sendmsg(), analogously to how UDP does things. + +l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds +the UDP packet itself. + +Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") +Reported-by: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/0000000000001c12b30605378ce8@google.com/ +Suggested-by: Willem de Bruijn +Signed-off-by: David Howells +cc: Eric Dumazet +cc: Willem de Bruijn +cc: "David S. 
Miller"
+cc: David Ahern
+cc: Paolo Abeni
+cc: Jakub Kicinski
+cc: netdev@vger.kernel.org
+cc: bpf@vger.kernel.org
+cc: syzkaller-bugs@googlegroups.com
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/l2tp/l2tp_ip6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index ed8ebb6f59097..11f3d375cec00 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -507,7 +507,6 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ */
+ if (len > INT_MAX - transhdrlen)
+ return -EMSGSIZE;
+- ulen = len + transhdrlen;
+
+ /* Mirror BSD error message compatibility */
+ if (msg->msg_flags & MSG_OOB)
+@@ -628,6 +627,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+
+ back_from_confirm:
+ lock_sock(sk);
++ ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
+ err = ip6_append_data(sk, ip_generic_getfrag, msg,
+ ulen, transhdrlen, &ipc6,
+ &fl6, (struct rt6_info *)dst,
+--
+2.40.1
+
diff --git a/queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch b/queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch
new file mode 100644
index 00000000000..d67f37f6328
--- /dev/null
+++ b/queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch
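Review bot: The added line `ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;` in `l2tp_ip6_sendmsg()` does not compute what the commit message describes, because `+` binds tighter than `?:` and the expression parses as `(len + skb_queue_empty(...)) ? transhdrlen : 0`. For any non-zero `len` this makes `ulen` equal to `transhdrlen` instead of the payload length plus an optional header, so the length handed to `ip6_append_data()` no longer reflects the message size. The conditional needs its own parentheses: `ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0);`. The function body continues outside both inner hunks.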
@@ -0,0 +1,57 @@
+From d64f94ce00894804582d4d35d57e8ea40ee50d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Sep 2023 14:27:30 -0400
+Subject: ipv4: Set offload_failed flag in fibmatch results
+
+From: Benjamin Poirier
+
+[ Upstream commit 0add5c597f3253a9c6108a0a81d57f44ab0d9d30 ]
+
+Due to a small omission, the offload_failed flag is missing from ipv4
+fibmatch results. Make sure it is set correctly.
+
+The issue can be witnessed using the following commands:
+echo "1 1" > /sys/bus/netdevsim/new_device
+ip link add dummy1 up type dummy
+ip route add 192.0.2.0/24 dev dummy1
+echo 1 > /sys/kernel/debug/netdevsim/netdevsim1/fib/fail_route_offload
+ip route add 198.51.100.0/24 dev dummy1
+ip route
+ # 192.168.15.0/24 has rt_trap
+ # 198.51.100.0/24 has rt_offload_failed
+ip route get 192.168.15.1 fibmatch
+ # Result has rt_trap
+ip route get 198.51.100.1 fibmatch
+ # Result differs from the route shown by `ip route`, it is missing
+ # rt_offload_failed
+ip link del dev dummy1
+echo 1 > /sys/bus/netdevsim/del_device
+
+Fixes: 36c5100e859d ("IPv4: Add "offload failed" indication to routes")
+Signed-off-by: Benjamin Poirier
+Reviewed-by: Ido Schimmel
+Reviewed-by: Simon Horman
+Reviewed-by: David Ahern
+Link: https://lore.kernel.org/r/20230926182730.231208-1-bpoirier@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 0a53ca6ebb0d5..14fbc5cd157ef 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3417,6 +3417,8 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ fa->fa_type == fri.type) {
+ fri.offload = READ_ONCE(fa->offload);
+ fri.trap = READ_ONCE(fa->trap);
++ fri.offload_failed =
++ READ_ONCE(fa->offload_failed);
+ break;
+ }
+ }
+--
+2.40.1
+
diff --git a/queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch b/queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch
new file mode 100644
index 00000000000..3550b157ab7
--- /dev/null
+++ b/queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch
@@ -0,0 +1,72 @@ +From 6007df17475c7a1cd4c6f8a7e0397a6ce8824387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 23:04:58 +0200 +Subject: ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling + +From: Ilya Maximets + +[ Upstream commit 9593c7cb6cf670ef724d17f7f9affd7a8d2ad0c5 ] + +Commit b0e214d21203 ("netfilter: keep conntrack reference until +IPsecv6 policy checks are done") is a direct copy of the old +commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until +IPsec policy checks are done") but for IPv6. However, it also +copies a bug that this old commit had. That is: when the third +packet of 3WHS connection establishment contains payload, it is +added into socket receive queue without the XFRM check and the +drop of connection tracking context. + +That leads to nf_conntrack module being impossible to unload as +it waits for all the conntrack references to be dropped while +the packet release is deferred in per-cpu cache indefinitely, if +not consumed by the application. + +The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a +missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM +check and correctly dropping the conntrack context. However, the +issue was introduced to IPv6 code afterwards. Fixing it the +same way for IPv6 now. 
+ +Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done") +Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/ +Signed-off-by: Ilya Maximets +Acked-by: Florian Westphal +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230922210530.2045146-1-i.maximets@ovn.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/tcp_ipv6.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 3a88545a265d6..44b6949d72b22 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1640,9 +1640,12 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) + struct sock *nsk; + + sk = req->rsk_listener; +- drop_reason = tcp_inbound_md5_hash(sk, skb, +- &hdr->saddr, &hdr->daddr, +- AF_INET6, dif, sdif); ++ if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) ++ drop_reason = SKB_DROP_REASON_XFRM_POLICY; ++ else ++ drop_reason = tcp_inbound_md5_hash(sk, skb, ++ &hdr->saddr, &hdr->daddr, ++ AF_INET6, dif, sdif); + if (drop_reason) { + sk_drops_add(sk, skb); + reqsk_put(req); +@@ -1689,6 +1692,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) + } + goto discard_and_relse; + } ++ nf_reset_ct(skb); + if (nsk == sk) { + reqsk_put(req); + tcp_v6_restore_cb(skb); +-- +2.40.1 + diff --git a/queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch b/queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch new file mode 100644 index 00000000000..703be8294f0 --- /dev/null +++ b/queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch 
@@ -0,0 +1,167 @@ +From 85495b7fd253f6785c7bcaed46c8b3fefe68b9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 16:29:57 +0300 +Subject: iwlwifi: mvm: handle PS changes in vif_cfg_changed + +From: Gregory Greenman + +[ Upstream commit 2d4caa1dbe915654d0e8845758d9c96e721377a8 ] + +Handling of BSS_CHANGED_PS was missing in vif_cfg_changed +callback. Fix it. + +Fixes: 22c588343529 ("wifi: iwlwifi: mvm: replace bss_info_changed() with vif_cfg/link_info_changed()") +Reported-by: Sultan Alsawaf +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230905162939.5ef0c8230de6.Ieed265014988c50ec68fbff6d33821e4215f987f@changeid +[note: patch looks bigger than it is due to reindentation] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 121 +++++++++--------- + 1 file changed, 63 insertions(+), 58 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +index 8b6c641772ee6..b719843e94576 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +@@ -731,73 +731,78 @@ static void iwl_mvm_mld_vif_cfg_changed_station(struct iwl_mvm *mvm, + + mvmvif->associated = vif->cfg.assoc; + +- if (!(changes & BSS_CHANGED_ASSOC)) +- return; +- +- if (vif->cfg.assoc) { +- /* clear statistics to get clean beacon counter */ +- iwl_mvm_request_statistics(mvm, true); +- iwl_mvm_sf_update(mvm, vif, false); +- iwl_mvm_power_vif_assoc(mvm, vif); +- +- for_each_mvm_vif_valid_link(mvmvif, i) { +- memset(&mvmvif->link[i]->beacon_stats, 0, +- sizeof(mvmvif->link[i]->beacon_stats)); ++ if (changes & BSS_CHANGED_ASSOC) { ++ if (vif->cfg.assoc) { ++ /* clear statistics to get clean beacon counter */ ++ iwl_mvm_request_statistics(mvm, true); ++ iwl_mvm_sf_update(mvm, vif, false); ++ iwl_mvm_power_vif_assoc(mvm, vif); ++ ++ for_each_mvm_vif_valid_link(mvmvif, i) 
{ ++ memset(&mvmvif->link[i]->beacon_stats, 0, ++ sizeof(mvmvif->link[i]->beacon_stats)); ++ ++ if (vif->p2p) { ++ iwl_mvm_update_smps(mvm, vif, ++ IWL_MVM_SMPS_REQ_PROT, ++ IEEE80211_SMPS_DYNAMIC, i); ++ } ++ ++ rcu_read_lock(); ++ link_conf = rcu_dereference(vif->link_conf[i]); ++ if (link_conf && !link_conf->dtim_period) ++ protect = true; ++ rcu_read_unlock(); ++ } + +- if (vif->p2p) { +- iwl_mvm_update_smps(mvm, vif, +- IWL_MVM_SMPS_REQ_PROT, +- IEEE80211_SMPS_DYNAMIC, i); ++ if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) && ++ protect) { ++ /* If we're not restarting and still haven't ++ * heard a beacon (dtim period unknown) then ++ * make sure we still have enough minimum time ++ * remaining in the time event, since the auth ++ * might actually have taken quite a while ++ * (especially for SAE) and so the remaining ++ * time could be small without us having heard ++ * a beacon yet. ++ */ ++ iwl_mvm_protect_assoc(mvm, vif, 0); + } + +- rcu_read_lock(); +- link_conf = rcu_dereference(vif->link_conf[i]); +- if (link_conf && !link_conf->dtim_period) +- protect = true; +- rcu_read_unlock(); +- } ++ iwl_mvm_sf_update(mvm, vif, false); ++ ++ /* FIXME: need to decide about misbehaving AP handling */ ++ iwl_mvm_power_vif_assoc(mvm, vif); ++ } else if (iwl_mvm_mld_vif_have_valid_ap_sta(mvmvif)) { ++ iwl_mvm_mei_host_disassociated(mvm); + +- if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) && +- protect) { +- /* If we're not restarting and still haven't +- * heard a beacon (dtim period unknown) then +- * make sure we still have enough minimum time +- * remaining in the time event, since the auth +- * might actually have taken quite a while +- * (especially for SAE) and so the remaining +- * time could be small without us having heard +- * a beacon yet. ++ /* If update fails - SF might be running in associated ++ * mode while disassociated - which is forbidden. 
+ */ +- iwl_mvm_protect_assoc(mvm, vif, 0); ++ ret = iwl_mvm_sf_update(mvm, vif, false); ++ WARN_ONCE(ret && ++ !test_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, ++ &mvm->status), ++ "Failed to update SF upon disassociation\n"); ++ ++ /* If we get an assert during the connection (after the ++ * station has been added, but before the vif is set ++ * to associated), mac80211 will re-add the station and ++ * then configure the vif. Since the vif is not ++ * associated, we would remove the station here and ++ * this would fail the recovery. ++ */ ++ iwl_mvm_mld_vif_delete_all_stas(mvm, vif); + } + +- iwl_mvm_sf_update(mvm, vif, false); +- +- /* FIXME: need to decide about misbehaving AP handling */ +- iwl_mvm_power_vif_assoc(mvm, vif); +- } else if (iwl_mvm_mld_vif_have_valid_ap_sta(mvmvif)) { +- iwl_mvm_mei_host_disassociated(mvm); +- +- /* If update fails - SF might be running in associated +- * mode while disassociated - which is forbidden. +- */ +- ret = iwl_mvm_sf_update(mvm, vif, false); +- WARN_ONCE(ret && +- !test_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, +- &mvm->status), +- "Failed to update SF upon disassociation\n"); +- +- /* If we get an assert during the connection (after the +- * station has been added, but before the vif is set +- * to associated), mac80211 will re-add the station and +- * then configure the vif. Since the vif is not +- * associated, we would remove the station here and +- * this would fail the recovery. +- */ +- iwl_mvm_mld_vif_delete_all_stas(mvm, vif); ++ iwl_mvm_bss_info_changed_station_assoc(mvm, vif, changes); + } + +- iwl_mvm_bss_info_changed_station_assoc(mvm, vif, changes); ++ if (changes & BSS_CHANGED_PS) { ++ ret = iwl_mvm_power_update_mac(mvm); ++ if (ret) ++ IWL_ERR(mvm, "failed to update power mode\n"); ++ } + } + + static void +-- +2.40.1 + 
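Review bot: The new `BSS_CHANGED_PS` branch at the end of iwl_mvm_mld_vif_cfg_changed_station() logs `failed to update power mode` without the error code held in `ret`, so the cause of a failure is lost in the log; `IWL_ERR(mvm, "failed to update power mode: %d\n", ret);` would keep it. A one-line comment above the branch saying that power-save changes can arrive without `BSS_CHANGED_ASSOC` would also explain why the early `return` was replaced by a block. The function starts before the hunk.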
diff --git a/queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch b/queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch
new file mode 100644
index 00000000000..07cc3ac58eb
--- /dev/null
+++ b/queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch
@@ -0,0 +1,48 @@
+From 39148dc360da5fb62495261d2df585a6b065975d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Sep 2023 16:07:24 +0200
+Subject: leds: Drop BUG_ON check for LED_COLOR_ID_MULTI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+[ Upstream commit 9dc1664fab2246bc2c3e9bf2cf21518a857f9b5b ]
+
+Commit c3f853184bed ("leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that
+is always false") fixed a no-op BUG_ON. This turned out to cause a
+regression, since some in-tree device-tree files already use
+LED_COLOR_ID_MULTI.
+
+Drop the BUG_ON altogether.
+
+Fixes: c3f853184bed ("leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false")
+Reported-by: Da Xue
+Closes: https://lore.kernel.org/linux-leds/ZQLelWcNjjp2xndY@duo.ucw.cz/T/
+Signed-off-by: Marek Behún
+Link: https://lore.kernel.org/r/20230918140724.18634-1-kabel@kernel.org
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/leds/led-core.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c
+index 04f9ea675f2ce..214ed81eb0e92 100644
+--- a/drivers/leds/led-core.c
++++ b/drivers/leds/led-core.c
+@@ -479,10 +479,6 @@ int led_compose_name(struct device *dev, struct led_init_data *init_data,
+
+ led_parse_fwnode_props(dev, fwnode, &props);
+
+- /* We want to label LEDs that can produce full range of colors
+- * as RGB, not multicolor */
+- BUG_ON(props.color == LED_COLOR_ID_MULTI);
+-
+ if (props.label) {
+ /*
+ * If init_data.devicename is NULL, then it indicates that
+--
+2.40.1
+
diff --git a/queue-6.5/modpost-add-missing-else-to-the-of-check.patch b/queue-6.5/modpost-add-missing-else-to-the-of-check.patch
new file mode 100644
index 00000000000..7d7e228a65a
--- /dev/null
+++ b/queue-6.5/modpost-add-missing-else-to-the-of-check.patch
@@ -0,0 +1,54 @@
+From 2508a9f6e011d510de5cd7dd6766d438a1021ae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Sep 2023 17:28:07 -0300
+Subject: modpost: add missing else to the "of" check
+
+From: Mauricio Faria de Oliveira
+
+[ Upstream commit cbc3d00cf88fda95dbcafee3b38655b7a8f2650a ]
+
+Without this 'else' statement, an "usb" name goes into two handlers:
+the first/previous 'if' statement _AND_ the for-loop over 'devtable',
+but the latter is useless as it has no 'usb' device_id entry anyway.
+
+Tested with allmodconfig before/after patch; no changes to *.mod.c:
+
+ git checkout v6.6-rc3
+ make -j$(nproc) allmodconfig
+ make -j$(nproc) olddefconfig
+
+ make -j$(nproc)
+ find . -name '*.mod.c' | cpio -pd /tmp/before
+
+ # apply patch
+
+ make -j$(nproc)
+ find . -name '*.mod.c' | cpio -pd /tmp/after
+
+ diff -r /tmp/before/ /tmp/after/
+ # no difference
+
+Fixes: acbef7b76629 ("modpost: fix module autoloading for OF devices with generic compatible property")
+Signed-off-by: Mauricio Faria de Oliveira
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/mod/file2alias.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
+index 38120f932b0dc..7056751c29b1f 100644
+--- a/scripts/mod/file2alias.c
++++ b/scripts/mod/file2alias.c
+@@ -1604,7 +1604,7 @@ void handle_moddevtable(struct module *mod, struct elf_info *info,
+ /* First handle the "special" cases */
+ if (sym_is(name, namelen, "usb"))
+ do_usb_table(symval, sym->st_size, mod);
+- if (sym_is(name, namelen, "of"))
++ else if (sym_is(name, namelen, "of"))
+ do_of_table(symval, sym->st_size, mod);
+ else if (sym_is(name, namelen, "pnp"))
+ do_pnp_device_entry(symval, sym->st_size, mod);
+--
+2.40.1
+
diff --git a/queue-6.5/neighbour-fix-data-races-around-n-output.patch b/queue-6.5/neighbour-fix-data-races-around-n-output.patch
new file mode 100644
index 00000000000..da157b5201d
--- /dev/null
+++ b/queue-6.5/neighbour-fix-data-races-around-n-output.patch 
@@ -0,0 +1,103 @@ +From 8e403d780d52f7f5bac907500040845019c40e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 09:27:13 +0000 +Subject: neighbour: fix data-races around n->output + +From: Eric Dumazet + +[ Upstream commit 5baa0433a15eadd729625004c37463acb982eca7 ] + +n->output field can be read locklessly, while a writer +might change the pointer concurrently. + +Add missing annotations to prevent load-store tearing. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/neighbour.h | 2 +- + net/bridge/br_netfilter_hooks.c | 2 +- + net/core/neighbour.c | 10 +++++----- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index f6a8ecc6b1fa7..ccc4a0f8b4ad8 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -541,7 +541,7 @@ static inline int neigh_output(struct neighbour *n, struct sk_buff *skb, + READ_ONCE(hh->hh_len)) + return neigh_hh_output(hh, skb); + +- return n->output(n, skb); ++ return READ_ONCE(n->output)(n, skb); + } + + static inline struct neighbour * +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 1a801fab9543e..0be889905c2b6 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -294,7 +294,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_ + /* tell br_dev_xmit to continue with forwarding */ + nf_bridge->bridged_dnat = 1; + /* FIXME Need to refragment */ +- ret = neigh->output(neigh, skb); ++ ret = READ_ONCE(neigh->output)(neigh, skb); + } + neigh_release(neigh); + return ret; +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index b57d3ea3ccc9e..f16ec0e8a0348 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -410,7 +410,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct 
net_device *dev, + */ + __skb_queue_purge(&n->arp_queue); + n->arp_queue_len_bytes = 0; +- n->output = neigh_blackhole; ++ WRITE_ONCE(n->output, neigh_blackhole); + if (n->nud_state & NUD_VALID) + n->nud_state = NUD_NOARP; + else +@@ -920,7 +920,7 @@ static void neigh_suspect(struct neighbour *neigh) + { + neigh_dbg(2, "neigh %p is suspected\n", neigh); + +- neigh->output = neigh->ops->output; ++ WRITE_ONCE(neigh->output, neigh->ops->output); + } + + /* Neighbour state is OK; +@@ -932,7 +932,7 @@ static void neigh_connect(struct neighbour *neigh) + { + neigh_dbg(2, "neigh %p is connected\n", neigh); + +- neigh->output = neigh->ops->connected_output; ++ WRITE_ONCE(neigh->output, neigh->ops->connected_output); + } + + static void neigh_periodic_work(struct work_struct *work) +@@ -1449,7 +1449,7 @@ static int __neigh_update(struct neighbour *neigh, const u8 *lladdr, + if (n2) + n1 = n2; + } +- n1->output(n1, skb); ++ READ_ONCE(n1->output)(n1, skb); + if (n2) + neigh_release(n2); + rcu_read_unlock(); +@@ -3155,7 +3155,7 @@ int neigh_xmit(int index, struct net_device *dev, + rcu_read_unlock(); + goto out_kfree_skb; + } +- err = neigh->output(neigh, skb); ++ err = READ_ONCE(neigh->output)(neigh, skb); + rcu_read_unlock(); + } + else if (index == NEIGH_LINK_TABLE) { +-- +2.40.1 + diff --git a/queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch b/queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch new file mode 100644 index 00000000000..32c8e9c1475 --- /dev/null +++ b/queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch 
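Review bot: None of the converted stores in net/core/neighbour.c (`neigh_flush_dev()`, `neigh_suspect()`, `neigh_connect()`) says why a plain assignment is no longer acceptable, so a later `n->output = ...` would quietly reintroduce the race this patch annotates. A one-line comment at one of the writers, for example `/* ->output is read locklessly, see neigh_output(); keep WRITE_ONCE() paired with READ_ONCE() */`, or on the field in struct neighbour (not part of this patch), would record the rule. The annotations address tearing of the pointer only; whether any reader also needs ordering against other neighbour fields cannot be judged from these hunks.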
@@ -0,0 +1,175 @@ +From edbf941ba00ed430e32f0dec029fde0f84e52542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 09:47:41 -0300 +Subject: net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent + +From: Fabio Estevam + +[ Upstream commit 6ccf50d4d4741e064ba35511a95402c63bbe21a8 ] + +Since commit 23d775f12dcd ("net: dsa: mv88e6xxx: Wait for EEPROM done +before HW reset") the following error is seen on a imx8mn board with +a 88E6320 switch: + +mv88e6085 30be0000.ethernet-1:00: Timeout waiting for EEPROM done + +This board does not have an EEPROM attached to the switch though. + +This problem is well explained by Andrew Lunn: + +"If there is an EEPROM, and the EEPROM contains a lot of data, it could +be that when we perform a hardware reset towards the end of probe, it +interrupts an I2C bus transaction, leaving the I2C bus in a bad state, +and future reads of the EEPROM do not work. + +The work around for this was to poll the EEInt status and wait for it +to go true before performing the hardware reset. + +However, we have discovered that for some boards which do not have an +EEPROM, EEInt never indicates complete. As a result, +mv88e6xxx_g1_wait_eeprom_done() spins for a second and then prints a +warning. + +We probably need a different solution than calling +mv88e6xxx_g1_wait_eeprom_done(). The datasheet for 6352 documents the +EEPROM Command register: + +bit 15 is: + + EEPROM Unit Busy. This bit must be set to a one to start an EEPROM + operation (see EEOp below). Only one EEPROM operation can be + executing at one time so this bit must be zero before setting it to + a one. When the requested EEPROM operation completes this bit will + automatically be cleared to a zero. The transition of this bit from + a one to a zero can be used to generate an interrupt (the EEInt in + Global 1, offset 0x00). + +and more interesting is bit 11: + + Register Loader Running. 
This bit is set to one whenever the + register loader is busy executing instructions contained in the + EEPROM." + +Change to using mv88e6xxx_g2_eeprom_wait() to fix the timeout error +when the EEPROM chip is not present. + +Fixes: 23d775f12dcd ("net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset") +Suggested-by: Andrew Lunn +Signed-off-by: Fabio Estevam +Reviewed-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 6 ++++-- + drivers/net/dsa/mv88e6xxx/global1.c | 31 ----------------------------- + drivers/net/dsa/mv88e6xxx/global1.h | 1 - + drivers/net/dsa/mv88e6xxx/global2.c | 2 +- + drivers/net/dsa/mv88e6xxx/global2.h | 1 + + 5 files changed, 6 insertions(+), 35 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 7af2f08a62f14..0d4b236d1e344 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3040,14 +3040,16 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip) + * from the wrong location resulting in the switch booting + * to wrong mode and inoperable. 
+ */ +- mv88e6xxx_g1_wait_eeprom_done(chip); ++ if (chip->info->ops->get_eeprom) ++ mv88e6xxx_g2_eeprom_wait(chip); + + gpiod_set_value_cansleep(gpiod, 1); + usleep_range(10000, 20000); + gpiod_set_value_cansleep(gpiod, 0); + usleep_range(10000, 20000); + +- mv88e6xxx_g1_wait_eeprom_done(chip); ++ if (chip->info->ops->get_eeprom) ++ mv88e6xxx_g2_eeprom_wait(chip); + } + } + +diff --git a/drivers/net/dsa/mv88e6xxx/global1.c b/drivers/net/dsa/mv88e6xxx/global1.c +index 2fa55a6435910..174c773b38c2b 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.c ++++ b/drivers/net/dsa/mv88e6xxx/global1.c +@@ -75,37 +75,6 @@ static int mv88e6xxx_g1_wait_init_ready(struct mv88e6xxx_chip *chip) + return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_STS, bit, 1); + } + +-void mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip) +-{ +- const unsigned long timeout = jiffies + 1 * HZ; +- u16 val; +- int err; +- +- /* Wait up to 1 second for the switch to finish reading the +- * EEPROM. +- */ +- while (time_before(jiffies, timeout)) { +- err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_STS, &val); +- if (err) { +- dev_err(chip->dev, "Error reading status"); +- return; +- } +- +- /* If the switch is still resetting, it may not +- * respond on the bus, and so MDIO read returns +- * 0xffff. Differentiate between that, and waiting for +- * the EEPROM to be done by bit 0 being set. 
+- */ +- if (val != 0xffff && +- val & BIT(MV88E6XXX_G1_STS_IRQ_EEPROM_DONE)) +- return; +- +- usleep_range(1000, 2000); +- } +- +- dev_err(chip->dev, "Timeout waiting for EEPROM done"); +-} +- + /* Offset 0x01: Switch MAC Address Register Bytes 0 & 1 + * Offset 0x02: Switch MAC Address Register Bytes 2 & 3 + * Offset 0x03: Switch MAC Address Register Bytes 4 & 5 +diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h +index c99ddd117fe6e..1095261f5b490 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1.h ++++ b/drivers/net/dsa/mv88e6xxx/global1.h +@@ -282,7 +282,6 @@ int mv88e6xxx_g1_set_switch_mac(struct mv88e6xxx_chip *chip, u8 *addr); + int mv88e6185_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6352_g1_reset(struct mv88e6xxx_chip *chip); + int mv88e6250_g1_reset(struct mv88e6xxx_chip *chip); +-void mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip); + + int mv88e6185_g1_ppu_enable(struct mv88e6xxx_chip *chip); + int mv88e6185_g1_ppu_disable(struct mv88e6xxx_chip *chip); +diff --git a/drivers/net/dsa/mv88e6xxx/global2.c b/drivers/net/dsa/mv88e6xxx/global2.c +index 937a01f2ba75e..b2b5f6ba438f4 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.c ++++ b/drivers/net/dsa/mv88e6xxx/global2.c +@@ -340,7 +340,7 @@ int mv88e6xxx_g2_pot_clear(struct mv88e6xxx_chip *chip) + * Offset 0x15: EEPROM Addr (for 8-bit data access) + */ + +-static int mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip) ++int mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip) + { + int bit = __bf_shf(MV88E6XXX_G2_EEPROM_CMD_BUSY); + int err; +diff --git a/drivers/net/dsa/mv88e6xxx/global2.h b/drivers/net/dsa/mv88e6xxx/global2.h +index 7e091965582b7..d9434f7cae538 100644 +--- a/drivers/net/dsa/mv88e6xxx/global2.h ++++ b/drivers/net/dsa/mv88e6xxx/global2.h +@@ -365,6 +365,7 @@ int mv88e6xxx_g2_trunk_clear(struct mv88e6xxx_chip *chip); + + int mv88e6xxx_g2_device_mapping_write(struct mv88e6xxx_chip *chip, int target, + int port); ++int 
mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip); + + extern const struct mv88e6xxx_irq_ops mv88e6097_watchdog_ops; + extern const struct mv88e6xxx_irq_ops mv88e6250_watchdog_ops; +-- +2.40.1 + diff --git a/queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch b/queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch new file mode 100644 index 00000000000..d19c6287c98 --- /dev/null +++ b/queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch @@ -0,0 +1,37 @@ +From a9178178d6e4738ac04f234d5e5a9fbbd1dcccfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 17:04:43 +0300 +Subject: net: ethernet: ti: am65-cpsw: Fix error code in + am65_cpsw_nuss_init_tx_chns() + +From: Dan Carpenter + +[ Upstream commit 37d4f55567982e445f86dc0ff4ecfa72921abfe8 ] + +This accidentally returns success, but it should return a negative error +code. + +Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Roger Quadros +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index bebcfd5e6b579..a3d952f67ae32 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1749,6 +1749,7 @@ static int am65_cpsw_nuss_init_tx_chns(struct am65_cpsw_common *common) + if (tx_chn->irq <= 0) { + dev_err(dev, "Failed to get tx dma irq %d\n", + tx_chn->irq); ++ ret = tx_chn->irq ?: -ENXIO; + goto err; + } + +-- +2.40.1 + diff --git a/queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch b/queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch new file mode 100644 index 00000000000..c1f0b7a8fa6 --- /dev/null +++ b/queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch 
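Review bot: Both new call sites in mv88e6xxx_hardware_reset() discard the return value of `mv88e6xxx_g2_eeprom_wait()`, which this patch exports as returning `int`, whereas the removed `mv88e6xxx_g1_wait_eeprom_done()` logged read errors and the timeout itself. Unless the g2 helper reports failures on its own (not visible here), a failed wait before the reset pulse now goes unnoticed; with a local `int err`, `err = mv88e6xxx_g2_eeprom_wait(chip);` followed by `if (err) dev_warn(chip->dev, "EEPROM wait failed: %d\n", err);` would keep the diagnostic. The helper polls `MV88E6XXX_G2_EEPROM_CMD_BUSY`, while the datasheet text quoted in the commit message singles out bit 11 (Register Loader Running), so it is worth confirming that the busy bit also covers the register loader. A short comment that `chip->info->ops->get_eeprom` serves as the sign that an EEPROM may be fitted would help as well.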
@@ -0,0 +1,48 @@
+From f7cd927ad339682f164a442f89bc8cb97909817d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Sep 2023 08:46:26 +0000
+Subject: net: fix possible store tearing in neigh_periodic_work()
+
+From: Eric Dumazet
+
+[ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ]
+
+While looking at a related syzbot report involving neigh_periodic_work(),
+I found that I forgot to add an annotation when deleting an
+RCU protected item from a list.
+
+Readers use rcu_deference(*np), we need to use either
+rcu_assign_pointer() or WRITE_ONCE() on writer side
+to prevent store tearing.
+
+I use rcu_assign_pointer() to have lockdep support,
+this was the choice made in neigh_flush_dev().
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/neighbour.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index ddd0f32de20ef..b57d3ea3ccc9e 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -988,7 +988,9 @@ static void neigh_periodic_work(struct work_struct *work)
+ (state == NUD_FAILED ||
+ !time_in_range_open(jiffies, n->used,
+ n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
+- *np = n->next;
++ rcu_assign_pointer(*np,
++ rcu_dereference_protected(n->next,
++ lockdep_is_held(&tbl->lock)));
+ neigh_mark_dead(n);
+ write_unlock(&n->lock);
+ neigh_cleanup_and_release(n);
+--
+2.40.1
+
diff --git a/queue-6.5/net-lan743x-also-select-phylib.patch b/queue-6.5/net-lan743x-also-select-phylib.patch
new file mode 100644
index 00000000000..6172e9bff18
--- /dev/null
+++ b/queue-6.5/net-lan743x-also-select-phylib.patch
@@ -0,0 +1,47 @@
+From 013f547e2c2a458780af361fab6789d3fc9229ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Oct 2023 12:35:44 -0700
+Subject: net: lan743x: also select PHYLIB
+
+From: Randy Dunlap
+
+[ Upstream commit 566aeed6871ac2189b5bfe03e1a5b3b7be5eca38 ]
+
+Since FIXED_PHY depends on PHYLIB, PHYLIB needs to be set to avoid
+a kconfig warning:
+
+WARNING: unmet direct dependencies detected for FIXED_PHY
+ Depends on [n]: NETDEVICES [=y] && PHYLIB [=n]
+ Selected by [y]:
+ - LAN743X [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MICROCHIP [=y] && PCI [=y] && PTP_1588_CLOCK_OPTIONAL [=y]
+
+Fixes: 73c4d1b307ae ("net: lan743x: select FIXED_PHY")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Closes: lore.kernel.org/r/202309261802.JPbRHwti-lkp@intel.com
+Cc: Bryan Whitehead
+Cc: UNGLinuxDriver@microchip.com
+Reviewed-by: Simon Horman
+Tested-by: Simon Horman # build-tested
+Link: https://lore.kernel.org/r/20231002193544.14529-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microchip/Kconfig b/drivers/net/ethernet/microchip/Kconfig
+index 329e374b9539c..43ba71e82260c 100644
+--- a/drivers/net/ethernet/microchip/Kconfig
++++ b/drivers/net/ethernet/microchip/Kconfig
+@@ -46,6 +46,7 @@ config LAN743X
+ tristate "LAN743x support"
+ depends on PCI
+ depends on PTP_1588_CLOCK_OPTIONAL
++ select PHYLIB
+ select FIXED_PHY
+ select CRC16
+ select CRC32
+--
+2.40.1
+
diff --git a/queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch b/queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch
new file mode 100644
index 00000000000..5fe81aa6ef0
--- /dev/null
+++ b/queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch
@@ -0,0 +1,337 @@ +From c526375c7a53adfe601c626b9c8c41c6b9711620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 13:42:27 -0700 +Subject: net: mana: Fix oversized sge0 for GSO packets + +From: Haiyang Zhang + +[ Upstream commit a43e8e9ffa0d1de058964edf1a0622cbb7e27cfe ] + +Handle the case when GSO SKB linear length is too large. + +MANA NIC requires GSO packets to put only the header part to SGE0, +otherwise the TX queue may stop at the HW level. + +So, use 2 SGEs for the skb linear part which contains more than the +packet header. + +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Haiyang Zhang +Reviewed-by: Simon Horman +Reviewed-by: Shradha Gupta +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 191 +++++++++++++----- + include/net/mana/mana.h | 5 +- + 2 files changed, 138 insertions(+), 58 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index 9f9bd3571da16..6d23a815ddeb6 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -89,63 +89,137 @@ static unsigned int mana_checksum_info(struct sk_buff *skb) + return 0; + } + ++static void mana_add_sge(struct mana_tx_package *tp, struct mana_skb_head *ash, ++ int sg_i, dma_addr_t da, int sge_len, u32 gpa_mkey) ++{ ++ ash->dma_handle[sg_i] = da; ++ ash->size[sg_i] = sge_len; ++ ++ tp->wqe_req.sgl[sg_i].address = da; ++ tp->wqe_req.sgl[sg_i].mem_key = gpa_mkey; ++ tp->wqe_req.sgl[sg_i].size = sge_len; ++} ++ + static int mana_map_skb(struct sk_buff *skb, struct mana_port_context *apc, +- struct mana_tx_package *tp) ++ struct mana_tx_package *tp, int gso_hs) + { + struct mana_skb_head *ash = (struct mana_skb_head *)skb->head; ++ int hsg = 1; /* num of SGEs of linear part */ + struct gdma_dev *gd = apc->ac->gdma_dev; ++ int skb_hlen = 
skb_headlen(skb); ++ int sge0_len, sge1_len = 0; + struct gdma_context *gc; + struct device *dev; + skb_frag_t *frag; + dma_addr_t da; ++ int sg_i; + int i; + + gc = gd->gdma_context; + dev = gc->dev; +- da = dma_map_single(dev, skb->data, skb_headlen(skb), DMA_TO_DEVICE); + ++ if (gso_hs && gso_hs < skb_hlen) { ++ sge0_len = gso_hs; ++ sge1_len = skb_hlen - gso_hs; ++ } else { ++ sge0_len = skb_hlen; ++ } ++ ++ da = dma_map_single(dev, skb->data, sge0_len, DMA_TO_DEVICE); + if (dma_mapping_error(dev, da)) + return -ENOMEM; + +- ash->dma_handle[0] = da; +- ash->size[0] = skb_headlen(skb); ++ mana_add_sge(tp, ash, 0, da, sge0_len, gd->gpa_mkey); + +- tp->wqe_req.sgl[0].address = ash->dma_handle[0]; +- tp->wqe_req.sgl[0].mem_key = gd->gpa_mkey; +- tp->wqe_req.sgl[0].size = ash->size[0]; ++ if (sge1_len) { ++ sg_i = 1; ++ da = dma_map_single(dev, skb->data + sge0_len, sge1_len, ++ DMA_TO_DEVICE); ++ if (dma_mapping_error(dev, da)) ++ goto frag_err; ++ ++ mana_add_sge(tp, ash, sg_i, da, sge1_len, gd->gpa_mkey); ++ hsg = 2; ++ } + + for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { ++ sg_i = hsg + i; ++ + frag = &skb_shinfo(skb)->frags[i]; + da = skb_frag_dma_map(dev, frag, 0, skb_frag_size(frag), + DMA_TO_DEVICE); +- + if (dma_mapping_error(dev, da)) + goto frag_err; + +- ash->dma_handle[i + 1] = da; +- ash->size[i + 1] = skb_frag_size(frag); +- +- tp->wqe_req.sgl[i + 1].address = ash->dma_handle[i + 1]; +- tp->wqe_req.sgl[i + 1].mem_key = gd->gpa_mkey; +- tp->wqe_req.sgl[i + 1].size = ash->size[i + 1]; ++ mana_add_sge(tp, ash, sg_i, da, skb_frag_size(frag), ++ gd->gpa_mkey); + } + + return 0; + + frag_err: +- for (i = i - 1; i >= 0; i--) +- dma_unmap_page(dev, ash->dma_handle[i + 1], ash->size[i + 1], ++ for (i = sg_i - 1; i >= hsg; i--) ++ dma_unmap_page(dev, ash->dma_handle[i], ash->size[i], + DMA_TO_DEVICE); + +- dma_unmap_single(dev, ash->dma_handle[0], ash->size[0], DMA_TO_DEVICE); ++ for (i = hsg - 1; i >= 0; i--) ++ dma_unmap_single(dev, ash->dma_handle[i], 
ash->size[i], ++ DMA_TO_DEVICE); + + return -ENOMEM; + } + ++/* Handle the case when GSO SKB linear length is too large. ++ * MANA NIC requires GSO packets to put only the packet header to SGE0. ++ * So, we need 2 SGEs for the skb linear part which contains more than the ++ * header. ++ * Return a positive value for the number of SGEs, or a negative value ++ * for an error. ++ */ ++static int mana_fix_skb_head(struct net_device *ndev, struct sk_buff *skb, ++ int gso_hs) ++{ ++ int num_sge = 1 + skb_shinfo(skb)->nr_frags; ++ int skb_hlen = skb_headlen(skb); ++ ++ if (gso_hs < skb_hlen) { ++ num_sge++; ++ } else if (gso_hs > skb_hlen) { ++ if (net_ratelimit()) ++ netdev_err(ndev, ++ "TX nonlinear head: hs:%d, skb_hlen:%d\n", ++ gso_hs, skb_hlen); ++ ++ return -EINVAL; ++ } ++ ++ return num_sge; ++} ++ ++/* Get the GSO packet's header size */ ++static int mana_get_gso_hs(struct sk_buff *skb) ++{ ++ int gso_hs; ++ ++ if (skb->encapsulation) { ++ gso_hs = skb_inner_tcp_all_headers(skb); ++ } else { ++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) { ++ gso_hs = skb_transport_offset(skb) + ++ sizeof(struct udphdr); ++ } else { ++ gso_hs = skb_tcp_all_headers(skb); ++ } ++ } ++ ++ return gso_hs; ++} ++ + netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + { + enum mana_tx_pkt_format pkt_fmt = MANA_SHORT_PKT_FMT; + struct mana_port_context *apc = netdev_priv(ndev); ++ int gso_hs = 0; /* zero for non-GSO pkts */ + u16 txq_idx = skb_get_queue_mapping(skb); + struct gdma_dev *gd = apc->ac->gdma_dev; + bool ipv4 = false, ipv6 = false; +@@ -157,7 +231,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + struct mana_txq *txq; + struct mana_cq *cq; + int err, len; +- u16 ihs; + + if (unlikely(!apc->port_is_up)) + goto tx_drop; +@@ -207,19 +280,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + pkg.wqe_req.client_data_unit = 0; + + pkg.wqe_req.num_sge = 1 + skb_shinfo(skb)->nr_frags; +- 
WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES); +- +- if (pkg.wqe_req.num_sge <= ARRAY_SIZE(pkg.sgl_array)) { +- pkg.wqe_req.sgl = pkg.sgl_array; +- } else { +- pkg.sgl_ptr = kmalloc_array(pkg.wqe_req.num_sge, +- sizeof(struct gdma_sge), +- GFP_ATOMIC); +- if (!pkg.sgl_ptr) +- goto tx_drop_count; +- +- pkg.wqe_req.sgl = pkg.sgl_ptr; +- } + + if (skb->protocol == htons(ETH_P_IP)) + ipv4 = true; +@@ -227,6 +287,26 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + ipv6 = true; + + if (skb_is_gso(skb)) { ++ int num_sge; ++ ++ gso_hs = mana_get_gso_hs(skb); ++ ++ num_sge = mana_fix_skb_head(ndev, skb, gso_hs); ++ if (num_sge > 0) ++ pkg.wqe_req.num_sge = num_sge; ++ else ++ goto tx_drop_count; ++ ++ u64_stats_update_begin(&tx_stats->syncp); ++ if (skb->encapsulation) { ++ tx_stats->tso_inner_packets++; ++ tx_stats->tso_inner_bytes += skb->len - gso_hs; ++ } else { ++ tx_stats->tso_packets++; ++ tx_stats->tso_bytes += skb->len - gso_hs; ++ } ++ u64_stats_update_end(&tx_stats->syncp); ++ + pkg.tx_oob.s_oob.is_outer_ipv4 = ipv4; + pkg.tx_oob.s_oob.is_outer_ipv6 = ipv6; + +@@ -250,26 +330,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + &ipv6_hdr(skb)->daddr, 0, + IPPROTO_TCP, 0); + } +- +- if (skb->encapsulation) { +- ihs = skb_inner_tcp_all_headers(skb); +- u64_stats_update_begin(&tx_stats->syncp); +- tx_stats->tso_inner_packets++; +- tx_stats->tso_inner_bytes += skb->len - ihs; +- u64_stats_update_end(&tx_stats->syncp); +- } else { +- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) { +- ihs = skb_transport_offset(skb) + sizeof(struct udphdr); +- } else { +- ihs = skb_tcp_all_headers(skb); +- } +- +- u64_stats_update_begin(&tx_stats->syncp); +- tx_stats->tso_packets++; +- tx_stats->tso_bytes += skb->len - ihs; +- u64_stats_update_end(&tx_stats->syncp); +- } +- + } else if (skb->ip_summed == CHECKSUM_PARTIAL) { + csum_type = mana_checksum_info(skb); + +@@ -292,11 +352,25 @@ netdev_tx_t 
mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + } else { + /* Can't do offload of this type of checksum */ + if (skb_checksum_help(skb)) +- goto free_sgl_ptr; ++ goto tx_drop_count; + } + } + +- if (mana_map_skb(skb, apc, &pkg)) { ++ WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES); ++ ++ if (pkg.wqe_req.num_sge <= ARRAY_SIZE(pkg.sgl_array)) { ++ pkg.wqe_req.sgl = pkg.sgl_array; ++ } else { ++ pkg.sgl_ptr = kmalloc_array(pkg.wqe_req.num_sge, ++ sizeof(struct gdma_sge), ++ GFP_ATOMIC); ++ if (!pkg.sgl_ptr) ++ goto tx_drop_count; ++ ++ pkg.wqe_req.sgl = pkg.sgl_ptr; ++ } ++ ++ if (mana_map_skb(skb, apc, &pkg, gso_hs)) { + u64_stats_update_begin(&tx_stats->syncp); + tx_stats->mana_map_err++; + u64_stats_update_end(&tx_stats->syncp); +@@ -1254,11 +1328,16 @@ static void mana_unmap_skb(struct sk_buff *skb, struct mana_port_context *apc) + struct mana_skb_head *ash = (struct mana_skb_head *)skb->head; + struct gdma_context *gc = apc->ac->gdma_dev->gdma_context; + struct device *dev = gc->dev; +- int i; ++ int hsg, i; ++ ++ /* Number of SGEs of linear part */ ++ hsg = (skb_is_gso(skb) && skb_headlen(skb) > ash->size[0]) ? 
2 : 1; + +- dma_unmap_single(dev, ash->dma_handle[0], ash->size[0], DMA_TO_DEVICE); ++ for (i = 0; i < hsg; i++) ++ dma_unmap_single(dev, ash->dma_handle[i], ash->size[i], ++ DMA_TO_DEVICE); + +- for (i = 1; i < skb_shinfo(skb)->nr_frags + 1; i++) ++ for (i = hsg; i < skb_shinfo(skb)->nr_frags + hsg; i++) + dma_unmap_page(dev, ash->dma_handle[i], ash->size[i], + DMA_TO_DEVICE); + } +diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h +index 024ad8ddb27e5..571cc011b0ec5 100644 +--- a/include/net/mana/mana.h ++++ b/include/net/mana/mana.h +@@ -101,9 +101,10 @@ struct mana_txq { + + /* skb data and frags dma mappings */ + struct mana_skb_head { +- dma_addr_t dma_handle[MAX_SKB_FRAGS + 1]; ++ /* GSO pkts may have 2 SGEs for the linear part*/ ++ dma_addr_t dma_handle[MAX_SKB_FRAGS + 2]; + +- u32 size[MAX_SKB_FRAGS + 1]; ++ u32 size[MAX_SKB_FRAGS + 2]; + }; + + #define MANA_HEADROOM sizeof(struct mana_skb_head) +-- +2.40.1 + diff --git a/queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch b/queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch new file mode 100644 index 00000000000..6aa7b83d2f6 --- /dev/null +++ b/queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch 
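Review bot: In mana_start_xmit() the GSO path can now raise `pkg.wqe_req.num_sge` by one, yet the limit is still enforced only by `WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES)`, which warns and then goes on to build and post the request. If an skb with the maximum number of frags and a split linear part can exceed that limit (the value of `MAX_TX_WQE_SGL_ENTRIES` is not visible here), the packet should be dropped or linearized instead, e.g. `if (WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES)) goto tx_drop_count;`. Separately, mana_unmap_skb() re-derives the number of linear SGEs from `skb_headlen(skb) > ash->size[0]` instead of using what mana_map_skb() recorded; storing that count in struct mana_skb_head would keep the map and unmap sides from drifting apart.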
@@ -0,0 +1,40 @@ +From 1c510795b8723aefc25ee0a9cc4e6710ea5cb67d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 13:42:26 -0700 +Subject: net: mana: Fix the tso_bytes calculation + +From: Haiyang Zhang + +[ Upstream commit 7a54de92657455210d0ca71d4176b553952c871a ] + +sizeof(struct hop_jumbo_hdr) is not part of tso_bytes, so remove +the subtraction from header size. + +Cc: stable@vger.kernel.org +Fixes: bd7fc6e1957c ("net: mana: Add new MANA VF performance counters for easier troubleshooting") +Signed-off-by: Haiyang Zhang +Reviewed-by: Simon Horman +Reviewed-by: Shradha Gupta +Signed-off-by: Paolo Abeni +Stable-dep-of: a43e8e9ffa0d ("net: mana: Fix oversized sge0 for GSO packets") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index c2ad0921e893c..9f9bd3571da16 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -262,8 +262,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev) + ihs = skb_transport_offset(skb) + sizeof(struct udphdr); + } else { + ihs = skb_tcp_all_headers(skb); +- if (ipv6_has_hopopt_jumbo(skb)) +- ihs -= sizeof(struct hop_jumbo_hdr); + } + + u64_stats_update_begin(&tx_stats->syncp); +-- +2.40.1 + diff --git a/queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch b/queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch new file mode 100644 index 00000000000..7ea58199eaf --- /dev/null +++ b/queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch 
@@ -0,0 +1,41 @@
+From 9c79802cee011b056cdfd1966d23274c16116252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Sep 2023 19:58:53 -0400
+Subject: net: nfc: llcp: Add lock when modifying device list
+
+From: Jeremy Cline
+
+[ Upstream commit dfc7f7a988dad34c3bf4c053124fb26aa6c5f916 ]
+
+The device list needs its associated lock held when modifying it, or the
+list could become corrupted, as syzbot discovered.
+
+Reported-and-tested-by: syzbot+c1d0a03d305972dbbe14@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c1d0a03d305972dbbe14
+Signed-off-by: Jeremy Cline
+Reviewed-by: Simon Horman
+Fixes: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local")
+Link: https://lore.kernel.org/r/20230908235853.1319596-1-jeremy@jcline.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/nfc/llcp_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index f60e424e06076..6705bb895e239 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -1636,7 +1636,9 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
+ timer_setup(&local->sdreq_timer, nfc_llcp_sdreq_timer, 0);
+ INIT_WORK(&local->sdreq_timeout_work, nfc_llcp_sdreq_timeout_work);
+
++ spin_lock(&llcp_devices_lock);
++ list_add(&local->list, &llcp_devices);
++ spin_unlock(&llcp_devices_lock);
+
+ return 0;
+ }
+--
+2.40.1
+
diff --git a/queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch b/queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch
new file mode 100644
index 00000000000..a3443c89501
--- /dev/null
+++ b/queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch
@@ -0,0 +1,124 @@ +From 7b688849a9099feb40f6555c22ba0a90534f694d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 10:49:36 +0900 +Subject: net: renesas: rswitch: Add spin lock protection for irq {un}mask + +From: Yoshihiro Shimoda + +[ Upstream commit c4f922e86c8e0f7c5fe94e0547e9835fc9711f08 ] + +Add spin lock protection for irq {un}mask registers' control. + +After napi_complete_done() and this protection were applied, +a lot of redundant interrupts no longer occur. + +For example: when "iperf3 -c -R" on R-Car S4-8 Spider + Before the patches are applied: about 800,000 times happened + After the patches were applied: about 100,000 times happened + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Stable-dep-of: a0c55bba0d0d ("rswitch: Fix PHY station management clock setting") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 12 ++++++++++++ + drivers/net/ethernet/renesas/rswitch.h | 2 ++ + 2 files changed, 14 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 449ed1f5624c9..215854812f80a 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -799,6 +799,7 @@ static int rswitch_poll(struct napi_struct *napi, int budget) + struct net_device *ndev = napi->dev; + struct rswitch_private *priv; + struct rswitch_device *rdev; ++ unsigned long flags; + int quota = budget; + + rdev = netdev_priv(ndev); +@@ -817,8 +818,10 @@ static int rswitch_poll(struct napi_struct *napi, int budget) + netif_wake_subqueue(ndev, 0); + + if (napi_complete_done(napi, budget - quota)) { ++ spin_lock_irqsave(&priv->lock, flags); + rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true); + rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true); ++ spin_unlock_irqrestore(&priv->lock, flags); + } + + out: +@@ 
-835,8 +838,10 @@ static void rswitch_queue_interrupt(struct net_device *ndev) + struct rswitch_device *rdev = netdev_priv(ndev); + + if (napi_schedule_prep(&rdev->napi)) { ++ spin_lock(&rdev->priv->lock); + rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false); + rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false); ++ spin_unlock(&rdev->priv->lock); + __napi_schedule(&rdev->napi); + } + } +@@ -1430,14 +1435,17 @@ static void rswitch_ether_port_deinit_all(struct rswitch_private *priv) + static int rswitch_open(struct net_device *ndev) + { + struct rswitch_device *rdev = netdev_priv(ndev); ++ unsigned long flags; + + phy_start(ndev->phydev); + + napi_enable(&rdev->napi); + netif_start_queue(ndev); + ++ spin_lock_irqsave(&rdev->priv->lock, flags); + rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, true); + rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, true); ++ spin_unlock_irqrestore(&rdev->priv->lock, flags); + + if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS)) + iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE); +@@ -1451,6 +1459,7 @@ static int rswitch_stop(struct net_device *ndev) + { + struct rswitch_device *rdev = netdev_priv(ndev); + struct rswitch_gwca_ts_info *ts_info, *ts_info2; ++ unsigned long flags; + + netif_tx_stop_all_queues(ndev); + bitmap_clear(rdev->priv->opened_ports, rdev->port, 1); +@@ -1466,8 +1475,10 @@ static int rswitch_stop(struct net_device *ndev) + kfree(ts_info); + } + ++ spin_lock_irqsave(&rdev->priv->lock, flags); + rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false); + rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false); ++ spin_unlock_irqrestore(&rdev->priv->lock, flags); + + phy_stop(ndev->phydev); + napi_disable(&rdev->napi); +@@ -1869,6 +1880,7 @@ static int renesas_eth_sw_probe(struct platform_device *pdev) + priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; ++ spin_lock_init(&priv->lock); + + 
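Review bot: rswitch_queue_interrupt() takes `priv->lock` with plain `spin_lock()` while rswitch_poll(), rswitch_open() and rswitch_stop() use `spin_lock_irqsave()`, and nothing in the hunk says why the weaker variant is safe here. It is only correct if this function is reached solely from the hard-IRQ handler with interrupts already disabled; in any other context an interrupt arriving while the lock is held could deadlock on the same lock. A comment such as `/* hard-IRQ context only: IRQs are already off, plain spin_lock() suffices */` would record the assumption. The caller is outside the hunk, so this needs confirming against it.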
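Review bot: In rswitch_stop() the data interrupts are masked under the new lock before `napi_disable()` runs, so a poll that is still in flight can reach the `napi_complete_done()` branch in rswitch_poll() and unmask them again after this point. The lock serialises the two register updates but does not order them, which could leave interrupts enabled on a stopped port. If that window is real, doing the masking after `napi_disable(&rdev->napi);` closes it. The rest of rswitch_stop() is outside the hunk, so check it before reordering.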
priv->ptp_priv = rcar_gen4_ptp_alloc(pdev); + if (!priv->ptp_priv) +diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h +index bb9ed971a97ca..9740398067140 100644 +--- a/drivers/net/ethernet/renesas/rswitch.h ++++ b/drivers/net/ethernet/renesas/rswitch.h +@@ -1011,6 +1011,8 @@ struct rswitch_private { + struct rswitch_etha etha[RSWITCH_NUM_PORTS]; + struct rswitch_mfwd mfwd; + ++ spinlock_t lock; /* lock interrupt registers' control */ ++ + bool gwca_halt; + }; + +-- +2.40.1 + diff --git a/queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch b/queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch new file mode 100644 index 00000000000..ec448e11f6e --- /dev/null +++ b/queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch 
@@ -0,0 +1,68 @@ +From 6ec6f765ee8090edcedaffe73adda7ba3fbd4835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 13:57:49 -0400 +Subject: net: stmmac: dwmac-stm32: fix resume on STM32 MCU + +From: Ben Wolsieffer + +[ Upstream commit 6f195d6b0da3b689922ba9e302af2f49592fa9fc ] + +The STM32MP1 keeps clk_rx enabled during suspend, and therefore the +driver does not enable the clock in stm32_dwmac_init() if the device was +suspended. The problem is that this same code runs on STM32 MCUs, which +do disable clk_rx during suspend, causing the clock to never be +re-enabled on resume. + +This patch adds a variant flag to indicate that clk_rx remains enabled +during suspend, and uses this to decide whether to enable the clock in +stm32_dwmac_init() if the device was suspended. + +This approach fixes this specific bug with limited opportunity for +unintended side-effects, but I have a follow up patch that will refactor +the clock configuration and hopefully make it less error prone. 
+ +Fixes: 6528e02cc9ff ("net: ethernet: stmmac: add adaptation for stm32mp157c.") +Signed-off-by: Ben Wolsieffer +Reviewed-by: Jacob Keller +Link: https://lore.kernel.org/r/20230927175749.1419774-1-ben.wolsieffer@hefring.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c +index bdb4de59a6727..28c8ca5fba6c5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c +@@ -105,6 +105,7 @@ struct stm32_ops { + int (*parse_data)(struct stm32_dwmac *dwmac, + struct device *dev); + u32 syscfg_eth_mask; ++ bool clk_rx_enable_in_suspend; + }; + + static int stm32_dwmac_init(struct plat_stmmacenet_data *plat_dat) +@@ -122,7 +123,8 @@ static int stm32_dwmac_init(struct plat_stmmacenet_data *plat_dat) + if (ret) + return ret; + +- if (!dwmac->dev->power.is_suspended) { ++ if (!dwmac->ops->clk_rx_enable_in_suspend || ++ !dwmac->dev->power.is_suspended) { + ret = clk_prepare_enable(dwmac->clk_rx); + if (ret) { + clk_disable_unprepare(dwmac->clk_tx); +@@ -514,7 +516,8 @@ static struct stm32_ops stm32mp1_dwmac_data = { + .suspend = stm32mp1_suspend, + .resume = stm32mp1_resume, + .parse_data = stm32mp1_parse_data, +- .syscfg_eth_mask = SYSCFG_MP1_ETH_MASK ++ .syscfg_eth_mask = SYSCFG_MP1_ETH_MASK, ++ .clk_rx_enable_in_suspend = true + }; + + static const struct of_device_id stm32_dwmac_match[] = { +-- +2.40.1 + diff --git a/queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch b/queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch new file mode 100644 index 00000000000..31115e5ad10 --- /dev/null +++ b/queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch 
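Review bot: The new `clk_rx_enable_in_suspend` member of `struct stm32_ops` has no comment, and its name can be read as "enable clk_rx during suspend" rather than "clk_rx is left running across suspend". stm32_dwmac_init() skips `clk_prepare_enable(dwmac->clk_rx)` only when both this flag and `power.is_suspended` are set, so a variant that sets the flag wrongly would resume with the RX clock off. I would document it at the declaration: `bool clk_rx_enable_in_suspend; /* clk_rx stays enabled while suspended; init must not enable it again on resume */`.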
@@ -0,0 +1,84 @@ +From 67a3a9fb61001205c011a380e072262133e21d52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 14:24:43 +0800 +Subject: net: stmmac: platform: fix the incorrect parameter + +From: Clark Wang + +[ Upstream commit 6b09edc1b31762af58d3d95754354ca6a92d39c0 ] + +The second parameter of stmmac_pltfr_init() needs the pointer of +"struct plat_stmmacenet_data". So, correct the parameter typo when calling the +function. + +Otherwise, it may cause this alignment exception when doing suspend/resume. +[ 49.067201] CPU1 is up +[ 49.135258] Internal error: SP/PC alignment exception: 000000008a000000 [#1] PREEMPT SMP +[ 49.143346] Modules linked in: soc_imx9 crct10dif_ce polyval_ce nvmem_imx_ocotp_fsb_s400 polyval_generic layerscape_edac_mod snd_soc_fsl_asoc_card snd_soc_imx_audmux snd_soc_imx_card snd_soc_wm8962 el_enclave snd_soc_fsl_micfil rtc_pcf2127 rtc_pcf2131 flexcan can_dev snd_soc_fsl_xcvr snd_soc_fsl_sai imx8_media_dev(C) snd_soc_fsl_utils fuse +[ 49.173393] CPU: 0 PID: 565 Comm: sh Tainted: G C 6.5.0-rc4-next-20230804-05047-g5781a6249dae #677 +[ 49.183721] Hardware name: NXP i.MX93 11X11 EVK board (DT) +[ 49.189190] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 49.196140] pc : 0x80800052 +[ 49.198931] lr : stmmac_pltfr_resume+0x34/0x50 +[ 49.203368] sp : ffff800082f8bab0 +[ 49.206670] x29: ffff800082f8bab0 x28: ffff0000047d0ec0 x27: ffff80008186c170 +[ 49.213794] x26: 0000000b5e4ff1ba x25: ffff800081e5fa74 x24: 0000000000000010 +[ 49.220918] x23: ffff800081fe0000 x22: 0000000000000000 x21: 0000000000000000 +[ 49.228042] x20: ffff0000001b4010 x19: ffff0000001b4010 x18: 0000000000000006 +[ 49.235166] x17: ffff7ffffe007000 x16: ffff800080000000 x15: 0000000000000000 +[ 49.242290] x14: 00000000000000fc x13: 0000000000000000 x12: 0000000000000000 +[ 49.249414] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff800082f8b8c0 +[ 49.256538] x8 : 0000000000000008 x7 : 0000000000000001 x6 : 000000005f54a200 +[ 49.263662] 
x5 : 0000000001000000 x4 : ffff800081b93680 x3 : ffff800081519be0 +[ 49.270786] x2 : 0000000080800052 x1 : 0000000000000000 x0 : ffff0000001b4000 +[ 49.277911] Call trace: +[ 49.280346] 0x80800052 +[ 49.282781] platform_pm_resume+0x2c/0x68 +[ 49.286785] dpm_run_callback.constprop.0+0x74/0x134 +[ 49.291742] device_resume+0x88/0x194 +[ 49.295391] dpm_resume+0x10c/0x230 +[ 49.298866] dpm_resume_end+0x18/0x30 +[ 49.302515] suspend_devices_and_enter+0x2b8/0x624 +[ 49.307299] pm_suspend+0x1fc/0x348 +[ 49.310774] state_store+0x80/0x104 +[ 49.314258] kobj_attr_store+0x18/0x2c +[ 49.318002] sysfs_kf_write+0x44/0x54 +[ 49.321659] kernfs_fop_write_iter+0x120/0x1ec +[ 49.326088] vfs_write+0x1bc/0x300 +[ 49.329485] ksys_write+0x70/0x104 +[ 49.332874] __arm64_sys_write+0x1c/0x28 +[ 49.336783] invoke_syscall+0x48/0x114 +[ 49.340527] el0_svc_common.constprop.0+0xc4/0xe4 +[ 49.345224] do_el0_svc+0x38/0x98 +[ 49.348526] el0_svc+0x2c/0x84 +[ 49.351568] el0t_64_sync_handler+0x100/0x12c +[ 49.355910] el0t_64_sync+0x190/0x194 +[ 49.359567] Code: ???????? ???????? ???????? ???????? (????????) +[ 49.365644] ---[ end trace 0000000000000000 ]--- + +Fixes: 97117eb51ec8 ("net: stmmac: platform: provide stmmac_pltfr_init()") +Signed-off-by: Clark Wang +Reviewed-by: Jacob Keller +Reviewed-by: Serge Semin +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index 231152ee5a323..5a3bd30d6c220 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -901,7 +901,7 @@ static int __maybe_unused stmmac_pltfr_resume(struct device *dev) + struct platform_device *pdev = to_platform_device(dev); + int ret; + +- ret = stmmac_pltfr_init(pdev, priv->plat->bsp_priv); ++ ret = stmmac_pltfr_init(pdev, priv->plat); + if (ret) + return ret; + +-- +2.40.1 + diff --git a/queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch b/queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch new file mode 100644 index 00000000000..ac1de457813 --- /dev/null +++ b/queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch 
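Review bot: The corrected call `stmmac_pltfr_init(pdev, priv->plat)` replaces an argument of the wrong kind that compiled without complaint, which suggests `bsp_priv` is an untyped pointer that converts silently to the expected `struct plat_stmmacenet_data *`. With the wrong object passed, the callee presumably read its init callback from unrelated memory, which would match the `pc : 0x80800052` in the quoted trace. Other callers of stmmac_pltfr_init() are outside this hunk and deserve the same check. A comment at the call, `/* takes the plat data itself, not plat->bsp_priv */`, would keep the distinction visible to the next reader.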
@@ -0,0 +1,99 @@ +From 4f9a7b3e7459acd40fc2180ff74cfc5dc55464f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Sep 2023 02:35:49 +0900 +Subject: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg + +From: Shigeru Yoshida + +[ Upstream commit e9c65989920f7c28775ec4e0c11b483910fb67b8 ] + +syzbot reported the following uninit-value access issue: + +===================================================== +BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] +BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 +CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] + smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 + usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 + usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374 + really_probe+0xf20/0x20b0 drivers/base/dd.c:529 + driver_probe_device+0x293/0x390 drivers/base/dd.c:701 + __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 + bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 + __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 + bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 + device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 + usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032 + usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241 + usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272 + really_probe+0xf20/0x20b0 drivers/base/dd.c:529 + driver_probe_device+0x293/0x390 drivers/base/dd.c:701 
+ __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 + bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 + __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 + bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 + device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 + usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 + hub_port_connect drivers/usb/core/hub.c:5208 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5348 [inline] + port_event drivers/usb/core/hub.c:5494 [inline] + hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 + process_one_work+0x1688/0x2140 kernel/workqueue.c:2269 + worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415 + kthread+0x551/0x590 kernel/kthread.c:292 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 + +Local variable ----buf.i87@smsc75xx_bind created at: + __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] + smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] + smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 + __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] + smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] + smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 + +This issue is caused because usbnet_read_cmd() reads less bytes than requested +(zero byte in the reproducer). In this case, 'buf' is not properly filled. + +This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads +less bytes than requested. 
+ +Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") +Reported-and-tested-by: syzbot+6966546b78d050bb0b5d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6966546b78d050bb0b5d +Signed-off-by: Shigeru Yoshida +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230923173549.3284502-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 5d6454fedb3f1..78ad2da3ee29b 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -90,7 +90,9 @@ static int __must_check __smsc75xx_read_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (unlikely(ret < 0)) { ++ if (unlikely(ret < 4)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", + index, ret); + return ret; +-- +2.40.1 + diff --git a/queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch b/queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch new file mode 100644 index 00000000000..f7f1843714b --- /dev/null +++ b/queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch 
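Review bot: The short-read check `ret < 4` repeats the literal length passed in `fn(..., &buf, 4)` instead of deriving both from the buffer, so a later change to one of them can bring back the partially filled `buf` that KMSAN reported. I would write `if (unlikely(ret < (int)sizeof(buf))) {` and pass `sizeof(buf)` as the length argument. The cast matters, because comparing a negative `ret` with an unsigned `sizeof` would make error returns look like full reads. The declaration of `buf` and the rest of __smsc75xx_read_reg() are outside the hunk.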
@@ -0,0 +1,175 @@ +From 2885afbe0879d711716fd7b49d15e5efe49516e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 13:17:53 -0400 +Subject: netfilter: handle the connecting collision properly in + nf_conntrack_proto_sctp + +From: Xin Long + +[ Upstream commit 8e56b063c86569e51eed1c5681ce6361fa97fc7a ] + +In Scenario A and B below, as the delayed INIT_ACK always changes the peer +vtag, SCTP ct with the incorrect vtag may cause packet loss. + +Scenario A: INIT_ACK is delayed until the peer receives its own INIT_ACK + + 192.168.1.2 > 192.168.1.1: [INIT] [init tag: 1328086772] + 192.168.1.1 > 192.168.1.2: [INIT] [init tag: 1414468151] + 192.168.1.2 > 192.168.1.1: [INIT ACK] [init tag: 1328086772] + 192.168.1.1 > 192.168.1.2: [INIT ACK] [init tag: 1650211246] * + 192.168.1.2 > 192.168.1.1: [COOKIE ECHO] + 192.168.1.1 > 192.168.1.2: [COOKIE ECHO] + 192.168.1.2 > 192.168.1.1: [COOKIE ACK] + +Scenario B: INIT_ACK is delayed until the peer completes its own handshake + + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408] + 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885] + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408] + 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO] + 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK] + 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] * + +This patch fixes it as below: + +In SCTP_CID_INIT processing: +- clear ct->proto.sctp.init[!dir] if ct->proto.sctp.init[dir] && + ct->proto.sctp.init[!dir]. (Scenario E) +- set ct->proto.sctp.init[dir]. + +In SCTP_CID_INIT_ACK processing: +- drop it if !ct->proto.sctp.init[!dir] && ct->proto.sctp.vtag[!dir] && + ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario B, Scenario C) +- drop it if ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] && + ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario A) + +In SCTP_CID_COOKIE_ACK processing: +- clear ct->proto.sctp.init[dir] and ct->proto.sctp.init[!dir]. 
+ (Scenario D) + +Also, it's important to allow the ct state to move forward with cookie_echo +and cookie_ack from the opposite dir for the collision scenarios. + +There are also other Scenarios where it should allow the packet through, +addressed by the processing above: + +Scenario C: new CT is created by INIT_ACK. + +Scenario D: start INIT on the existing ESTABLISHED ct. + +Scenario E: start INIT after the old collision on the existing ESTABLISHED +ct. + + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408] + 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885] + (both side are stopped, then start new connection again in hours) + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 242308742] + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Signed-off-by: Xin Long +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/linux/netfilter/nf_conntrack_sctp.h | 1 + + net/netfilter/nf_conntrack_proto_sctp.c | 43 ++++++++++++++++----- + 2 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h +index 625f491b95de8..fb31312825ae5 100644 +--- a/include/linux/netfilter/nf_conntrack_sctp.h ++++ b/include/linux/netfilter/nf_conntrack_sctp.h +@@ -9,6 +9,7 @@ struct ip_ct_sctp { + enum sctp_conntrack state; + + __be32 vtag[IP_CT_DIR_MAX]; ++ u8 init[IP_CT_DIR_MAX]; + u8 last_dir; + u8 flags; + }; +diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c +index b6bcc8f2f46b7..c6bd533983c1f 100644 +--- a/net/netfilter/nf_conntrack_proto_sctp.c ++++ b/net/netfilter/nf_conntrack_proto_sctp.c +@@ -112,7 +112,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { + /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA}, + /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/ + /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, 
sSR, sSA, sCL},/* 5.2.4 - Big TODO */ +-/* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */ ++/* cookie_ack */ {sCL, sCL, sCW, sES, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */ + /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL}, + /* heartbeat */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, + /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, +@@ -126,7 +126,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = { + /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV}, + /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV}, + /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV}, +-/* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */ ++/* cookie_echo */ {sIV, sCL, sCE, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */ + /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV}, + /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV}, + /* heartbeat */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS}, +@@ -412,6 +412,9 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, + /* (D) vtag must be same as init_vtag as found in INIT_ACK */ + if (sh->vtag != ct->proto.sctp.vtag[dir]) + goto out_unlock; ++ } else if (sch->type == SCTP_CID_COOKIE_ACK) { ++ ct->proto.sctp.init[dir] = 0; ++ ct->proto.sctp.init[!dir] = 0; + } else if (sch->type == SCTP_CID_HEARTBEAT) { + if (ct->proto.sctp.vtag[dir] == 0) { + pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir); +@@ -461,16 +464,18 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, + } + + /* If it is an INIT or an INIT ACK note down the vtag */ +- if (sch->type == SCTP_CID_INIT || +- sch->type == SCTP_CID_INIT_ACK) { +- struct sctp_inithdr _inithdr, *ih; ++ if (sch->type == SCTP_CID_INIT) { ++ struct sctp_inithdr _ih, *ih; + +- ih = skb_header_pointer(skb, offset + sizeof(_sch), +- sizeof(_inithdr), &_inithdr); +- if (ih == NULL) ++ 
ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih); ++ if (!ih) + goto out_unlock; +- pr_debug("Setting vtag %x for dir %d\n", +- ih->init_tag, !dir); ++ ++ if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir]) ++ ct->proto.sctp.init[!dir] = 0; ++ ct->proto.sctp.init[dir] = 1; ++ ++ pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir); + ct->proto.sctp.vtag[!dir] = ih->init_tag; + + /* don't renew timeout on init retransmit so +@@ -481,6 +486,24 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct, + old_state == SCTP_CONNTRACK_CLOSED && + nf_ct_is_confirmed(ct)) + ignore = true; ++ } else if (sch->type == SCTP_CID_INIT_ACK) { ++ struct sctp_inithdr _ih, *ih; ++ __be32 vtag; ++ ++ ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih); ++ if (!ih) ++ goto out_unlock; ++ ++ vtag = ct->proto.sctp.vtag[!dir]; ++ if (!ct->proto.sctp.init[!dir] && vtag && vtag != ih->init_tag) ++ goto out_unlock; ++ /* collision */ ++ if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] && ++ vtag != ih->init_tag) ++ goto out_unlock; ++ ++ pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir); ++ ct->proto.sctp.vtag[!dir] = ih->init_tag; + } + + ct->proto.sctp.state = new_state; +-- +2.40.1 + diff --git a/queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch b/queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch new file mode 100644 index 00000000000..a3cdb7904b5 --- /dev/null +++ b/queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch 
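Review bot: The two `goto out_unlock` drops in the new SCTP_CID_INIT_ACK branch are explained only in the commit message; in the code the first has no comment and the second says just `/* collision */`. These conditions decide which INIT_ACK may overwrite `ct->proto.sctp.vtag[!dir]`, so I would spell them out, e.g. `/* no INIT recorded from the other side and a different tag is already tracked: drop the delayed INIT_ACK (scenario B) */` and `/* both sides sent INIT: accept only the tag already tracked (scenario A) */`. The new `u8 init[IP_CT_DIR_MAX];` in struct ip_ct_sctp would likewise benefit from `/* INIT seen in this direction; reset on COOKIE_ACK */`. nf_conntrack_sctp_packet() begins and ends outside these hunks.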
@@ -0,0 +1,130 @@ +From e92efdb697e0863657ef4a665a3fa62af7651a13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 03:53:50 +0200 +Subject: netfilter: nf_tables: Deduplicate nft_register_obj audit logs + +From: Phil Sutter + +[ Upstream commit 0d880dc6f032e0b541520e9926f398a77d3d433c ] + +When adding/updating an object, the transaction handler emits suitable +audit log entries already, the one in nft_obj_notify() is redundant. To +fix that (and retain the audit logging from objects' 'update' callback), +Introduce an "audit log free" variant for internal use. + +Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table") +Signed-off-by: Phil Sutter +Reviewed-by: Richard Guy Briggs +Acked-by: Paul Moore (Audit) +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 44 ++++++++++++------- + .../testing/selftests/netfilter/nft_audit.sh | 20 +++++++++ + 2 files changed, 48 insertions(+), 16 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 976a9b763b9bb..be5869366c7d3 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7868,24 +7868,14 @@ static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, + return nft_delobj(&ctx, obj); + } + +-void nft_obj_notify(struct net *net, const struct nft_table *table, +- struct nft_object *obj, u32 portid, u32 seq, int event, +- u16 flags, int family, int report, gfp_t gfp) ++static void ++__nft_obj_notify(struct net *net, const struct nft_table *table, ++ struct nft_object *obj, u32 portid, u32 seq, int event, ++ u16 flags, int family, int report, gfp_t gfp) + { + struct nftables_pernet *nft_net = nft_pernet(net); + struct sk_buff *skb; + int err; +- char *buf = kasprintf(gfp, "%s:%u", +- table->name, nft_net->base_seq); +- +- audit_log_nfcfg(buf, +- family, +- obj->handle, +- event == NFT_MSG_NEWOBJ ? 
+- AUDIT_NFT_OP_OBJ_REGISTER : +- AUDIT_NFT_OP_OBJ_UNREGISTER, +- gfp); +- kfree(buf); + + if (!report && + !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) +@@ -7908,13 +7898,35 @@ void nft_obj_notify(struct net *net, const struct nft_table *table, + err: + nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); + } ++ ++void nft_obj_notify(struct net *net, const struct nft_table *table, ++ struct nft_object *obj, u32 portid, u32 seq, int event, ++ u16 flags, int family, int report, gfp_t gfp) ++{ ++ struct nftables_pernet *nft_net = nft_pernet(net); ++ char *buf = kasprintf(gfp, "%s:%u", ++ table->name, nft_net->base_seq); ++ ++ audit_log_nfcfg(buf, ++ family, ++ obj->handle, ++ event == NFT_MSG_NEWOBJ ? ++ AUDIT_NFT_OP_OBJ_REGISTER : ++ AUDIT_NFT_OP_OBJ_UNREGISTER, ++ gfp); ++ kfree(buf); ++ ++ __nft_obj_notify(net, table, obj, portid, seq, event, ++ flags, family, report, gfp); ++} + EXPORT_SYMBOL_GPL(nft_obj_notify); + + static void nf_tables_obj_notify(const struct nft_ctx *ctx, + struct nft_object *obj, int event) + { +- nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, +- ctx->flags, ctx->family, ctx->report, GFP_KERNEL); ++ __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ++ ctx->seq, event, ctx->flags, ctx->family, ++ ctx->report, GFP_KERNEL); + } + + /* +diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh +index 0b3255e7b3538..bb34329e02a7f 100755 +--- a/tools/testing/selftests/netfilter/nft_audit.sh ++++ b/tools/testing/selftests/netfilter/nft_audit.sh +@@ -85,6 +85,26 @@ do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \ + do_test "nft add element t1 s3 $setelem" \ + "table=t1 family=2 entries=3 op=nft_register_setelem" + ++# adding counters ++ ++do_test 'nft add counter t1 c1' \ ++'table=t1 family=2 entries=1 op=nft_register_obj' ++ ++do_test 'nft add counter t2 c1; add counter t2 c2' \ ++'table=t2 family=2 entries=2 op=nft_register_obj' ++ ++# 
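Review bot: `__nft_obj_notify()` has no comment saying that it deliberately emits no audit record, so whether an object change is audited now depends on each caller picking the right variant. nf_tables_obj_notify() relies on the transaction handler, which is outside this hunk, to log instead; a future caller that picks the wrong function would either lose the record or duplicate it. I would add above the static function `/* Netlink notification only, no audit record: for callers already audited by the transaction handler */`. Separately, the `kasprintf()` result in nft_obj_notify() is passed to `audit_log_nfcfg()` unchecked, as it was before the move, so it is worth confirming that a NULL name is handled there.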
adding/updating quotas ++ ++do_test 'nft add quota t1 q1 { 10 bytes }' \ ++'table=t1 family=2 entries=1 op=nft_register_obj' ++ ++do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \ ++'table=t2 family=2 entries=2 op=nft_register_obj' ++ ++# changing the quota value triggers obj update path ++do_test 'nft add quota t1 q1 { 20 bytes }' \ ++'table=t1 family=2 entries=1 op=nft_register_obj' ++ + # resetting rules + + do_test 'nft reset rules t1 c2' \ +-- +2.40.1 + diff --git a/queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch b/queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch new file mode 100644 index 00000000000..9f74b068cdc --- /dev/null +++ b/queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch 
@@ -0,0 +1,181 @@ +From d4ec00c5c8d784fcec2d94b2d317002042146893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 15:12:44 +0200 +Subject: netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure + +From: Florian Westphal + +[ Upstream commit 087388278e0f301f4c61ddffb1911d3a180f84b8 ] + +nft_rbtree_gc_elem() walks back and removes the end interval element that +comes before the expired element. + +There is a small chance that we've cached this element as 'rbe_ge'. +If this happens, we hold and test a pointer that has been queued for +freeing. + +It also causes spurious insertion failures: + +$ cat test-testcases-sets-0044interval_overlap_0.1/testout.log +Error: Could not process rule: File exists +add element t s { 0 - 2 } + ^^^^^^ +Failed to insert 0 - 2 given: +table ip t { + set s { + type inet_service + flags interval,timeout + timeout 2s + gc-interval 2s + } +} + +The set (rbtree) is empty. The 'failure' doesn't happen on next attempt. + +Reason is that when we try to insert, the tree may hold an expired +element that collides with the range we're adding. +While we do evict/erase this element, we can trip over this check: + +if (rbe_ge && nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new)) + return -ENOTEMPTY; + +rbe_ge was erased by the synchronous gc, we should not have done this +check. Next attempt won't find it, so retry results in successful +insertion. + +Restart in-kernel to avoid such spurious errors. + +Such restart are rare, unless userspace intentionally adds very large +numbers of elements with very short timeouts while setting a huge +gc interval. + +Even in this case, this cannot loop forever, on each retry an existing +element has been removed. + +As the caller is holding the transaction mutex, its impossible +for a second entity to add more expiring elements to the tree. + +After this it also becomes feasible to remove the async gc worker +and perform all garbage collection from the commit path. 
+ +Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_rbtree.c | 46 +++++++++++++++++++++------------- + 1 file changed, 29 insertions(+), 17 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 487572dcd6144..2660ceab3759d 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -233,10 +233,9 @@ static void nft_rbtree_gc_remove(struct net *net, struct nft_set *set, + rb_erase(&rbe->node, &priv->root); + } + +-static int nft_rbtree_gc_elem(const struct nft_set *__set, +- struct nft_rbtree *priv, +- struct nft_rbtree_elem *rbe, +- u8 genmask) ++static const struct nft_rbtree_elem * ++nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv, ++ struct nft_rbtree_elem *rbe, u8 genmask) + { + struct nft_set *set = (struct nft_set *)__set; + struct rb_node *prev = rb_prev(&rbe->node); +@@ -246,7 +245,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + + gc = nft_trans_gc_alloc(set, 0, GFP_ATOMIC); + if (!gc) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + /* search for end interval coming before this element. 
+ * end intervals don't carry a timeout extension, they +@@ -261,6 +260,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + prev = rb_prev(prev); + } + ++ rbe_prev = NULL; + if (prev) { + rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); + nft_rbtree_gc_remove(net, set, priv, rbe_prev); +@@ -272,7 +272,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + */ + gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC); + if (WARN_ON_ONCE(!gc)) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + nft_trans_gc_elem_add(gc, rbe_prev); + } +@@ -280,13 +280,13 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set, + nft_rbtree_gc_remove(net, set, priv, rbe); + gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC); + if (WARN_ON_ONCE(!gc)) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + nft_trans_gc_elem_add(gc, rbe); + + nft_trans_gc_queue_sync_done(gc); + +- return 0; ++ return rbe_prev; + } + + static bool nft_rbtree_update_first(const struct nft_set *set, +@@ -314,7 +314,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_rbtree *priv = nft_set_priv(set); + u8 cur_genmask = nft_genmask_cur(net); + u8 genmask = nft_genmask_next(net); +- int d, err; ++ int d; + + /* Descend the tree to search for an existing element greater than the + * key value to insert that is greater than the new element. 
This is the +@@ -363,9 +363,14 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, + */ + if (nft_set_elem_expired(&rbe->ext) && + nft_set_elem_active(&rbe->ext, cur_genmask)) { +- err = nft_rbtree_gc_elem(set, priv, rbe, genmask); +- if (err < 0) +- return err; ++ const struct nft_rbtree_elem *removed_end; ++ ++ removed_end = nft_rbtree_gc_elem(set, priv, rbe, genmask); ++ if (IS_ERR(removed_end)) ++ return PTR_ERR(removed_end); ++ ++ if (removed_end == rbe_le || removed_end == rbe_ge) ++ return -EAGAIN; + + continue; + } +@@ -486,11 +491,18 @@ static int nft_rbtree_insert(const struct net *net, const struct nft_set *set, + struct nft_rbtree_elem *rbe = elem->priv; + int err; + +- write_lock_bh(&priv->lock); +- write_seqcount_begin(&priv->count); +- err = __nft_rbtree_insert(net, set, rbe, ext); +- write_seqcount_end(&priv->count); +- write_unlock_bh(&priv->lock); ++ do { ++ if (fatal_signal_pending(current)) ++ return -EINTR; ++ ++ cond_resched(); ++ ++ write_lock_bh(&priv->lock); ++ write_seqcount_begin(&priv->count); ++ err = __nft_rbtree_insert(net, set, rbe, ext); ++ write_seqcount_end(&priv->count); ++ write_unlock_bh(&priv->lock); ++ } while (err == -EAGAIN); + + return err; + } +-- +2.40.1 + diff --git a/queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch b/queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch new file mode 100644 index 00000000000..dcc494d038c --- /dev/null +++ b/queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch 
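Review bot: In `__nft_rbtree_insert()` the added test `removed_end == rbe_le || removed_end == rbe_ge` also matches when `nft_rbtree_gc_elem()` returns NULL, which the added `rbe_prev = NULL;` makes possible whenever no end interval was removed, and the cached pointer is still NULL. The initialisation of `rbe_le`/`rbe_ge` is outside the hunk, so this is inferred; if they start as NULL, guard the comparison with `if (removed_end && (removed_end == rbe_le || removed_end == rbe_ge))`. The retry loop still terminates because each pass removes an expired element, so the cost is an extra lock round-trip rather than a wrong result. A comment above `nft_rbtree_gc_elem()` should also say that the returned element is already queued for freeing and may only be compared, never dereferenced.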
@@ -0,0 +1,65 @@
+From 3fc45d8d26a3862f01940745edfed47e2b2064e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Sep 2023 10:42:10 +0200
+Subject: netfilter: nft_payload: rebuild vlan header on h_proto access
+
+From: Florian Westphal
+
+[ Upstream commit af84f9e447a65b4b9f79e7e5d69e19039b431c56 ]
+
+nft can perform merging of adjacent payload requests.
+This means that:
+
+ether saddr 00:11 ... ether type 8021ad ...
+
+is a single payload expression, for 8 bytes, starting at the
+ethernet source offset.
+
+Check that offset+length is fully within the source/destination mac
+addersses.
+
+This bug prevents 'ether type' from matching the correct h_proto in case
+vlan tag got stripped.
+
+Fixes: de6843be3082 ("netfilter: nft_payload: rebuild vlan header when needed")
+Reported-by: David Ward
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_payload.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 8cb8009899479..120f6d395b98b 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -154,6 +154,17 @@ int nft_payload_inner_offset(const struct nft_pktinfo *pkt)
+ return pkt->inneroff;
+ }
+
++static bool nft_payload_need_vlan_copy(const struct nft_payload *priv)
++{
++ unsigned int len = priv->offset + priv->len;
++
++ /* data past ether src/dst requested, copy needed */
++ if (len > offsetof(struct ethhdr, h_proto))
++ return true;
++
++ return false;
++}
++
+ void nft_payload_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+@@ -172,7 +183,7 @@ void nft_payload_eval(const struct nft_expr *expr,
+ goto err;
+
+ if (skb_vlan_tag_present(skb) &&
+- priv->offset >= offsetof(struct ethhdr, h_proto)) {
++ nft_payload_need_vlan_copy(priv)) {
+ if (!nft_payload_copy_vlan(dest, skb,
+ priv->offset, priv->len))
+ goto err;
+--
+2.40.1
+
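Review bot: `nft_payload_need_vlan_copy()` stores `priv->offset + priv->len` in a local called `len`, although the value is the end offset of the request and not a length, which reads oddly next to `priv->len`. The if/return true/return false sequence can be a single expression, `return priv->offset + priv->len > offsetof(struct ethhdr, h_proto);`. The comment would be clearer if it named the boundary, for example `/* request reaches h_proto or beyond: the stripped vlan tag must be rebuilt */`.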
diff --git a/queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch b/queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch new file mode 100644 index 00000000000..9a0a3283612 --- /dev/null +++ b/queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch 
@@ -0,0 +1,100 @@ +From d0f5ab9be620d7ed96f12992a849156a1c4b03ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 18:34:55 +0000 +Subject: netlink: annotate data-races around sk->sk_err + +From: Eric Dumazet + +[ Upstream commit d0f95894fda7d4f895b29c1097f92d7fee278cb2 ] + +syzbot caught another data-race in netlink when +setting sk->sk_err. + +Annotate all of them for good measure. + +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +write to 0xffff8881613bb220 of 4 bytes by task 28147 on cpu 0: +netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994 +sock_recvmsg_nosec net/socket.c:1027 [inline] +sock_recvmsg net/socket.c:1049 [inline] +__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229 +__do_sys_recvfrom net/socket.c:2247 [inline] +__se_sys_recvfrom net/socket.c:2243 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +write to 0xffff8881613bb220 of 4 bytes by task 28146 on cpu 1: +netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994 +sock_recvmsg_nosec net/socket.c:1027 [inline] +sock_recvmsg net/socket.c:1049 [inline] +__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229 +__do_sys_recvfrom net/socket.c:2247 [inline] +__se_sys_recvfrom net/socket.c:2243 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00000000 -> 0x00000016 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 28146 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-00055-g9ed22ae6be81 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Simon Horman +Link: 
https://lore.kernel.org/r/20231003183455.3410550-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 20082171f24a3..9c6bc47bc7f7b 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -352,7 +352,7 @@ static void netlink_overrun(struct sock *sk) + if (!nlk_test_bit(RECV_NO_ENOBUFS, sk)) { + if (!test_and_set_bit(NETLINK_S_CONGESTED, + &nlk_sk(sk)->state)) { +- sk->sk_err = ENOBUFS; ++ WRITE_ONCE(sk->sk_err, ENOBUFS); + sk_error_report(sk); + } + } +@@ -1577,7 +1577,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + goto out; + } + +- sk->sk_err = p->code; ++ WRITE_ONCE(sk->sk_err, p->code); + sk_error_report(sk); + out: + return ret; +@@ -1966,7 +1966,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { + ret = netlink_dump(sk); + if (ret) { +- sk->sk_err = -ret; ++ WRITE_ONCE(sk->sk_err, -ret); + sk_error_report(sk); + } + } +@@ -2485,7 +2485,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, + err_bad_put: + nlmsg_free(skb); + err_skb: +- NETLINK_CB(in_skb).sk->sk_err = ENOBUFS; ++ WRITE_ONCE(NETLINK_CB(in_skb).sk->sk_err, ENOBUFS); + sk_error_report(NETLINK_CB(in_skb).sk); + } + EXPORT_SYMBOL(netlink_ack); +-- +2.40.1 + diff --git a/queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch b/queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch new file mode 100644 index 00000000000..15268a6d918 --- /dev/null +++ b/queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch 
@@ -0,0 +1,43 @@
+From ef631955e9a44e020f70d4cc675fe462da7d5920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Sep 2023 19:05:50 -0400
+Subject: NFSv4: Fix a nfs4_state_manager() race
+
+From: Trond Myklebust
+
+[ Upstream commit ed1cc05aa1f7fe8197d300e914afc28ab9818f89 ]
+
+If the NFS4CLNT_RUN_MANAGER flag got set just before we cleared
+NFS4CLNT_MANAGER_RUNNING, then we might have won the race against
+nfs4_schedule_state_manager(), and are responsible for handling the
+recovery situation.
+
+Fixes: aeabb3c96186 ("NFSv4: Fix a NFSv4 state manager deadlock")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4state.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 597ae4535fe33..9a5d911a7edc7 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -2714,6 +2714,13 @@ static void nfs4_state_manager(struct nfs_client *clp)
+ nfs4_end_drain_session(clp);
+ nfs4_clear_state_manager_bit(clp);
+
++ if (test_bit(NFS4CLNT_RUN_MANAGER, &clp->cl_state) &&
++ !test_and_set_bit(NFS4CLNT_MANAGER_RUNNING,
++ &clp->cl_state)) {
++ memflags = memalloc_nofs_save();
++ continue;
++ }
++
+ if (!test_and_set_bit(NFS4CLNT_RECALL_RUNNING, &clp->cl_state)) {
+ if (test_and_clear_bit(NFS4CLNT_DELEGRETURN, &clp->cl_state)) {
+ nfs_client_return_marked_delegations(clp);
+--
+2.40.1
+
diff --git a/queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch b/queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch
new file mode 100644
index 00000000000..50c867e1662
--- /dev/null
+++ b/queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch
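Review bot: The block added to `nfs4_state_manager()` re-enters the loop with `memflags = memalloc_nofs_save(); continue;` but has no comment, and the reason the allocation scope must be saved again is only visible outside the hunk (presumably it was restored before `nfs4_clear_state_manager_bit()`). A short comment would keep the save/restore pairing from being broken later, e.g. `/* RUN_MANAGER was set while MANAGER_RUNNING was being cleared: we own recovery again, re-enter the NOFS scope and loop */`. The function body starts and ends outside the hunk, so whether every later exit restores `memflags` cannot be checked from here.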
@@ -0,0 +1,47 @@
+From b2025886886287e85fb8138dd4802b3bf4216902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Oct 2023 03:36:43 +0100
+Subject: ovl: fetch inode once in ovl_dentry_revalidate_common()
+
+From: Al Viro
+
+[ Upstream commit c54719c92aa3129f330cce81b88cf34f1627f756 ]
+
+d_inode_rcu() is right - we might be in rcu pathwalk;
+however, OVL_E() hides plain d_inode() on the same dentry...
+
+Fixes: a6ff2bc0be17 ("ovl: use OVL_E() and OVL_E_FLAGS() accessors")
+Signed-off-by: Al Viro
+Signed-off-by: Amir Goldstein
+Signed-off-by: Sasha Levin
+---
+ fs/overlayfs/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 8e9c1cf83df24..1090c68e5b051 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -101,8 +101,8 @@ static int ovl_revalidate_real(struct dentry *d, unsigned int flags, bool weak)
+ static int ovl_dentry_revalidate_common(struct dentry *dentry,
+ unsigned int flags, bool weak)
+ {
+- struct ovl_entry *oe = OVL_E(dentry);
+- struct ovl_path *lowerstack = ovl_lowerstack(oe);
++ struct ovl_entry *oe;
++ struct ovl_path *lowerstack;
+ struct inode *inode = d_inode_rcu(dentry);
+ struct dentry *upper;
+ unsigned int i;
+@@ -112,6 +112,8 @@ static int ovl_dentry_revalidate_common(struct dentry *dentry,
+ if (!inode)
+ return -ECHILD;
+
++ oe = OVL_I_E(inode);
++ lowerstack = ovl_lowerstack(oe);
+ upper = ovl_i_dentry_upper(inode);
+ if (upper)
+ ret = ovl_revalidate_real(upper, flags, weak);
+--
+2.40.1
+
diff --git a/queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch b/queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch
new file mode 100644
index 00000000000..3fae023dc94
--- /dev/null
+++ b/queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch
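Review bot: Nothing in `ovl_dentry_revalidate_common()` records why `oe` is now derived from the inode after the `!inode` check, so a later cleanup could fold it back into an `OVL_E(dentry)` initialiser and bring back the second, unchecked inode fetch during RCU walk. Add a comment at the assignment, e.g. `/* RCU walk: use the inode fetched once above; OVL_E(dentry) would re-read d_inode() */`. The function continues past the end of the hunk.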
@@ -0,0 +1,43 @@
+From 2ff67718b0d8054df84f1e24dc72cc8fb7ee1b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Oct 2023 03:36:13 +0100
+Subject: ovl: move freeing ovl_entry past rcu delay
+
+From: Al Viro
+
+[ Upstream commit d9e8319a6e3538b430f692b5625a76ffa0758adc ]
+
+... into ->free_inode(), that is.
+
+Fixes: 0af950f57fef "ovl: move ovl_entry into ovl_inode"
+Signed-off-by: Al Viro
+Signed-off-by: Amir Goldstein
+Signed-off-by: Sasha Levin
+---
+ fs/overlayfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index cc8977498c483..8e9c1cf83df24 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -164,6 +164,7 @@ static void ovl_free_inode(struct inode *inode)
+ struct ovl_inode *oi = OVL_I(inode);
+
+ kfree(oi->redirect);
++ kfree(oi->oe);
+ mutex_destroy(&oi->lock);
+ kmem_cache_free(ovl_inode_cachep, oi);
+ }
+@@ -173,7 +174,7 @@ static void ovl_destroy_inode(struct inode *inode)
+ struct ovl_inode *oi = OVL_I(inode);
+
+ dput(oi->__upperdentry);
+- ovl_free_entry(oi->oe);
++ ovl_stack_put(ovl_lowerstack(oi->oe), ovl_numlower(oi->oe));
+ if (S_ISDIR(inode->i_mode))
+ ovl_dir_cache_free(inode);
+ else
+--
+2.40.1
+
diff --git a/queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch b/queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch
new file mode 100644
index 00000000000..711ec51b3d5
--- /dev/null
+++ b/queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch
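Review bot: `ovl_destroy_inode()` now drops the lower-stack references with `ovl_stack_put()` while `oi->oe` stays allocated until `ovl_free_inode()`, so in between the entry still holds dentry pointers whose references are gone. Readers in RCU pathwalk that reach `oe` in that window presumably rely on the dentries themselves being freed only after a grace period; that is not visible in the hunk and should be stated where the free happens, e.g. `/* oe is freed here, after the RCU delay, because rcu pathwalk may still read it */` above `kfree(oi->oe);`. It is also worth confirming that `ovl_lowerstack()` and `ovl_numlower()` accept a NULL `oi->oe` for inodes destroyed before an entry was attached, since their definitions are outside the hunk.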
@@ -0,0 +1,90 @@ +From 940b795b4972d82ef36f4afe28c62a29742484a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 19:36:04 +0530 +Subject: perf/x86/amd/core: Fix overflow reset on hotplug + +From: Sandipan Das + +[ Upstream commit 23d2626b841c2adccdeb477665313c02dff02dc3 ] + +Kernels older than v5.19 do not support PerfMonV2 and the PMI handler +does not clear the overflow bits of the PerfCntrGlobalStatus register. +Because of this, loading a recent kernel using kexec from an older +kernel can result in inconsistent register states on Zen 4 systems. + +The PMI handler of the new kernel gets confused and shows a warning when +an overflow occurs because some of the overflow bits are set even if the +corresponding counters are inactive. These are remnants from overflows +that were handled by the older kernel. + +During CPU hotplug, the PerfCntrGlobalCtl and PerfCntrGlobalStatus +registers should always be cleared for PerfMonV2-capable processors. +However, a condition used for NB event constaints applicable only to +older processors currently prevents this from happening. Move the reset +sequence to an appropriate place and also clear the LBR Freeze bit. + +Fixes: 21d59e3e2c40 ("perf/x86/amd/core: Detect PerfMonV2 support") +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/882a87511af40792ba69bb0e9026f19a2e71e8a3.1694696888.git.sandipan.das@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index abadd5f234254..ed626bfa1eedb 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -534,8 +534,12 @@ static void amd_pmu_cpu_reset(int cpu) + /* Clear enable bits i.e. PerfCntrGlobalCtl.PerfCntrEn */ + wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_CTL, 0); + +- /* Clear overflow bits i.e. 
PerfCntrGLobalStatus.PerfCntrOvfl */ +- wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR, amd_pmu_global_cntr_mask); ++ /* ++ * Clear freeze and overflow bits i.e. PerfCntrGLobalStatus.LbrFreeze ++ * and PerfCntrGLobalStatus.PerfCntrOvfl ++ */ ++ wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR, ++ GLOBAL_STATUS_LBRS_FROZEN | amd_pmu_global_cntr_mask); + } + + static int amd_pmu_cpu_prepare(int cpu) +@@ -570,6 +574,7 @@ static void amd_pmu_cpu_starting(int cpu) + int i, nb_id; + + cpuc->perf_ctr_virt_mask = AMD64_EVENTSEL_HOSTONLY; ++ amd_pmu_cpu_reset(cpu); + + if (!x86_pmu.amd_nb_constraints) + return; +@@ -591,8 +596,6 @@ static void amd_pmu_cpu_starting(int cpu) + + cpuc->amd_nb->nb_id = nb_id; + cpuc->amd_nb->refcnt++; +- +- amd_pmu_cpu_reset(cpu); + } + + static void amd_pmu_cpu_dead(int cpu) +@@ -601,6 +604,7 @@ static void amd_pmu_cpu_dead(int cpu) + + kfree(cpuhw->lbr_sel); + cpuhw->lbr_sel = NULL; ++ amd_pmu_cpu_reset(cpu); + + if (!x86_pmu.amd_nb_constraints) + return; +@@ -613,8 +617,6 @@ static void amd_pmu_cpu_dead(int cpu) + + cpuhw->amd_nb = NULL; + } +- +- amd_pmu_cpu_reset(cpu); + } + + static inline void amd_pmu_set_global_ctl(u64 ctl) +-- +2.40.1 + diff --git a/queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch b/queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch new file mode 100644 index 00000000000..fc2ad9e2b48 --- /dev/null +++ b/queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch 
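Review bot: `amd_pmu_cpu_reset()` writes the MSRs with plain `wrmsrl()`, which acts on the CPU executing the call, yet the last hunk makes `amd_pmu_cpu_dead(cpu)` call it unconditionally. If the dead callback runs on a control CPU rather than on `cpu` (the hotplug ordering is outside the hunk), this clears PerfCntrGlobalCtl and the status bits of a live CPU and can stop its active counters. Because `amd_pmu_cpu_starting()` now resets unconditionally on bring-up, the simplest fix is to drop the `amd_pmu_cpu_reset(cpu);` line from `amd_pmu_cpu_dead()`.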
@@ -0,0 +1,87 @@ +From 280bb8b77f2ec5665b5a5837312c2e1bf808462a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Sep 2023 19:58:40 +0530 +Subject: perf/x86/amd: Do not WARN() on every IRQ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Breno Leitao + +[ Upstream commit 599522d9d2e19d6240e4312577f1c5f3ffca22f6 ] + +Zen 4 systems running buggy microcode can hit a WARN_ON() in the PMI +handler, as shown below, several times while perf runs. A simple +`perf top` run is enough to render the system unusable: + + WARNING: CPU: 18 PID: 20608 at arch/x86/events/amd/core.c:944 amd_pmu_v2_handle_irq+0x1be/0x2b0 + +This happens because the Performance Counter Global Status Register +(PerfCntGlobalStatus) has one or more bits set which are considered +reserved according to the "AMD64 Architecture Programmer’s Manual, +Volume 2: System Programming, 24593": + + https://www.amd.com/system/files/TechDocs/24593.pdf + +To make this less intrusive, warn just once if any reserved bit is set +and prompt the user to update the microcode. Also sanitize the value to +what the code is handling, so that the overflow events continue to be +handled for the number of counters that are known to be sane. + +Going forward, the following microcode patch levels are recommended +for Zen 4 processors in order to avoid such issues with reserved bits: + + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e + Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 + +Commit f2eb058afc57 ("linux-firmware: Update AMD cpu microcode") from +the linux-firmware tree has binaries that meet the minimum required +patch levels. 
+ + [ sandipan: - add message to prompt users to update microcode + - rework commit message and call out required microcode levels ] + +Fixes: 7685665c390d ("perf/x86/amd/core: Add PerfMonV2 overflow handling") +Reported-by: Jirka Hladky +Signed-off-by: Breno Leitao +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/all/3540f985652f41041e54ee82aa53e7dbd55739ae.1694696888.git.sandipan.das@amd.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index ed626bfa1eedb..e24976593a298 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -886,7 +886,7 @@ static int amd_pmu_v2_handle_irq(struct pt_regs *regs) + struct hw_perf_event *hwc; + struct perf_event *event; + int handled = 0, idx; +- u64 status, mask; ++ u64 reserved, status, mask; + bool pmu_enabled; + + /* +@@ -911,6 +911,14 @@ static int amd_pmu_v2_handle_irq(struct pt_regs *regs) + status &= ~GLOBAL_STATUS_LBRS_FROZEN; + } + ++ reserved = status & ~amd_pmu_global_cntr_mask; ++ if (reserved) ++ pr_warn_once("Reserved PerfCntrGlobalStatus bits are set (0x%llx), please consider updating microcode\n", ++ reserved); ++ ++ /* Clear any reserved bits set by buggy microcode */ ++ status &= amd_pmu_global_cntr_mask; ++ + for (idx = 0; idx < x86_pmu.num_counters; idx++) { + if (!test_bit(idx, cpuc->active_mask)) + continue; +-- +2.40.1 + diff --git a/queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch b/queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch new file mode 100644 index 00000000000..ce55f3466de --- /dev/null +++ b/queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch 
@@ -0,0 +1,37 @@
+From 4be405806c8f2c51e56bd16e73059d8f3121b3d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Sep 2023 17:40:44 +0800
+Subject: ptp: ocp: Fix error handling in ptp_ocp_device_init
+
+From: Dinghao Liu
+
+[ Upstream commit caa0578c1d487d39e4bb947a1b4965417053b409 ]
+
+When device_add() fails, ptp_ocp_dev_release() will be called
+after put_device(). Therefore, it seems that the
+ptp_ocp_dev_release() before put_device() is redundant.
+
+Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.")
+Signed-off-by: Dinghao Liu
+Reviewed-by: Vadim Feodrenko
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/ptp/ptp_ocp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
+index 20a974ced8d6c..a7a6947ab4bc5 100644
+--- a/drivers/ptp/ptp_ocp.c
++++ b/drivers/ptp/ptp_ocp.c
+@@ -3998,7 +3998,6 @@ ptp_ocp_device_init(struct ptp_ocp *bp, struct pci_dev *pdev)
+ return 0;
+
+ out:
+- ptp_ocp_dev_release(&bp->dev);
+ put_device(&bp->dev);
+ return err;
+ }
+--
+2.40.1
+
diff --git a/queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch b/queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch
new file mode 100644
index 00000000000..f8b8c6cda2d
--- /dev/null
+++ b/queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch
@@ -0,0 +1,50 @@ +From 59fb72cd3df498ceaa4808f8a09dedee85183d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 16:37:11 +0100 +Subject: regmap: rbtree: Fix wrong register marked as in-cache when creating + new node + +From: Richard Fitzgerald + +[ Upstream commit 7a795ac8d49e2433e1b97caf5e99129daf8e1b08 ] + +When regcache_rbtree_write() creates a new rbtree_node it was passing the +wrong bit number to regcache_rbtree_set_register(). The bit number is the +offset __in number of registers__, but in the case of creating a new block +regcache_rbtree_write() was not dividing by the address stride to get the +number of registers. + +Fix this by dividing by map->reg_stride. +Compare with regcache_rbtree_read() where the bit is checked. + +This bug meant that the wrong register was marked as present. The register +that was written to the cache could not be read from the cache because it +was not marked as cached. But a nearby register could be marked as having +a cached value even if it was never written to the cache. 
+ +Signed-off-by: Richard Fitzgerald +Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node") +Link: https://lore.kernel.org/r/20230922153711.28103-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-rbtree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c +index 06788965aa293..31d7bc682910c 100644 +--- a/drivers/base/regmap/regcache-rbtree.c ++++ b/drivers/base/regmap/regcache-rbtree.c +@@ -453,7 +453,8 @@ static int regcache_rbtree_write(struct regmap *map, unsigned int reg, + if (!rbnode) + return -ENOMEM; + regcache_rbtree_set_register(map, rbnode, +- reg - rbnode->base_reg, value); ++ (reg - rbnode->base_reg) / map->reg_stride, ++ value); + regcache_rbtree_insert(map, &rbtree_ctx->root, rbnode); + rbtree_ctx->cached_rbnode = rbnode; + } +-- +2.40.1 + diff --git a/queue-6.5/regulator-core-regulator_register-set-device-class-e.patch b/queue-6.5/regulator-core-regulator_register-set-device-class-e.patch new file mode 100644 index 00000000000..59b9aa41577 --- /dev/null +++ b/queue-6.5/regulator-core-regulator_register-set-device-class-e.patch 
@@ -0,0 +1,60 @@ +From e2fe0d487077bbd04f4f57ca1752f74ca792eabb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 00:50:26 +0200 +Subject: regulator/core: regulator_register: set device->class earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit 8adb4e647a83cb5928c05dae95b010224aea0705 ] + +When fixing a memory leak in commit d3c731564e09 ("regulator: plug +of_node leak in regulator_register()'s error path") it moved the +device_initialize() call earlier, but did not move the `dev->class` +initialization. The bug was spotted and fixed by reverting part of +the commit (in commit 5f4b204b6b81 "regulator: core: fix kobject +release warning and memory leak in regulator_register()") but +introducing a different bug: now early error paths use `kfree(dev)` +instead of `put_device()` for an already initialized `struct device`. + +Move the missing assignments to just after `device_initialize()`. 
+ +Fixes: d3c731564e09 ("regulator: plug of_node leak in regulator_register()'s error path") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/b5b19cb458c40c9d02f3d5a7bd1ba7d97ba17279.1695077303.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index d8e1caaf207e1..2820badc7a126 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5542,6 +5542,8 @@ regulator_register(struct device *dev, + goto rinse; + } + device_initialize(&rdev->dev); ++ dev_set_drvdata(&rdev->dev, rdev); ++ rdev->dev.class = ®ulator_class; + spin_lock_init(&rdev->err_lock); + + /* +@@ -5603,11 +5605,9 @@ regulator_register(struct device *dev, + rdev->supply_name = regulator_desc->supply_name; + + /* register with sysfs */ +- rdev->dev.class = ®ulator_class; + rdev->dev.parent = config->dev; + dev_set_name(&rdev->dev, "regulator.%lu", + (unsigned long) atomic_inc_return(®ulator_no)); +- dev_set_drvdata(&rdev->dev, rdev); + + /* set regulator constraints */ + if (init_data) +-- +2.40.1 + diff --git a/queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch b/queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch new file mode 100644 index 00000000000..28627dde24f --- /dev/null +++ b/queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch 
@@ -0,0 +1,81 @@ +From 88d4a115224c4652bab35a741fcdbf7f2fd6ef92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 16:53:34 +0800 +Subject: regulator: mt6358: split ops for buck and linear range LDO regulators + +From: Chen-Yu Tsai + +[ Upstream commit 7e37c851374eca2d1f6128de03195c9f7b4baaf2 ] + +The buck and linear range LDO (VSRAM_*) regulators share one set of ops. +This set includes support for get/set mode. However this only makes +sense for buck regulators, not LDOs. The callbacks were not checking +whether the register offset and/or mask for mode setting was valid or +not. This ends up making the kernel report "normal" mode operation for +the LDOs. + +Create a new set of ops without the get/set mode callbacks for the +linear range LDO regulators. + +Fixes: f67ff1bd58f0 ("regulator: mt6358: Add support for MT6358 regulator") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20230920085336.136238-1-wenst@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/mt6358-regulator.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/mt6358-regulator.c b/drivers/regulator/mt6358-regulator.c +index b9cda2210c330..65fbd95f1dbb0 100644 +--- a/drivers/regulator/mt6358-regulator.c ++++ b/drivers/regulator/mt6358-regulator.c +@@ -43,7 +43,7 @@ struct mt6358_regulator_info { + .desc = { \ + .name = #vreg, \ + .of_match = of_match_ptr(match), \ +- .ops = &mt6358_volt_range_ops, \ ++ .ops = &mt6358_buck_ops, \ + .type = REGULATOR_VOLTAGE, \ + .id = MT6358_ID_##vreg, \ + .owner = THIS_MODULE, \ +@@ -139,7 +139,7 @@ struct mt6358_regulator_info { + .desc = { \ + .name = #vreg, \ + .of_match = of_match_ptr(match), \ +- .ops = &mt6358_volt_range_ops, \ ++ .ops = &mt6358_buck_ops, \ + .type = REGULATOR_VOLTAGE, \ + .id = MT6366_ID_##vreg, \ + .owner = THIS_MODULE, \ +@@ -450,7 +450,7 @@ static unsigned int mt6358_regulator_get_mode(struct regulator_dev 
*rdev) + } + } + +-static const struct regulator_ops mt6358_volt_range_ops = { ++static const struct regulator_ops mt6358_buck_ops = { + .list_voltage = regulator_list_voltage_linear, + .map_voltage = regulator_map_voltage_linear, + .set_voltage_sel = regulator_set_voltage_sel_regmap, +@@ -464,6 +464,18 @@ static const struct regulator_ops mt6358_volt_range_ops = { + .get_mode = mt6358_regulator_get_mode, + }; + ++static const struct regulator_ops mt6358_volt_range_ops = { ++ .list_voltage = regulator_list_voltage_linear, ++ .map_voltage = regulator_map_voltage_linear, ++ .set_voltage_sel = regulator_set_voltage_sel_regmap, ++ .get_voltage_sel = mt6358_get_buck_voltage_sel, ++ .set_voltage_time_sel = regulator_set_voltage_time_sel, ++ .enable = regulator_enable_regmap, ++ .disable = regulator_disable_regmap, ++ .is_enabled = regulator_is_enabled_regmap, ++ .get_status = mt6358_get_status, ++}; ++ + static const struct regulator_ops mt6358_volt_table_ops = { + .list_voltage = regulator_list_voltage_table, + .map_voltage = regulator_map_voltage_iterate, +-- +2.40.1 + diff --git a/queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch b/queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch new file mode 100644 index 00000000000..f2856a3e605 --- /dev/null +++ b/queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch 
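Review bot: The new LDO-only `mt6358_volt_range_ops` keeps `.get_voltage_sel = mt6358_get_buck_voltage_sel`, so a table created to drop buck-only callbacks still calls a helper named for bucks. If that helper is valid for the VSRAM_* LDOs, a comment above the struct should say so, e.g. `/* linear range LDOs (VSRAM_*): buck ops without get/set mode */`. The new table repeats the buck table's visible initializers with nothing tying the two together, so a callback later added to one can silently miss the other. The description also says the mode callbacks never validated the mode register offset or mask; this patch avoids calling them for LDOs rather than adding that check, and the callbacks themselves are outside the hunks.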
@@ -0,0 +1,100 @@ +From c94aac90f1da5a289170b178085e2e33f0ec1259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 21:30:54 +0900 +Subject: rswitch: Fix PHY station management clock setting + +From: Yoshihiro Shimoda + +[ Upstream commit a0c55bba0d0d0b5591083f65f830940d8ae63f31 ] + +Fix the MPIC.PSMCS value following the programming example in the +section 6.4.2 Management Data Clock (MDC) Setting, Ethernet MAC IP, +S4 Hardware User Manual Rev.1.00. + +The value is calculated by + MPIC.PSMCS = clk[MHz] / (MDC frequency[MHz] * 2) - 1 +with the input clock frequency from clk_get_rate() and MDC frequency +of 2.5MHz. Otherwise, this driver cannot communicate PHYs on the R-Car +S4 Starter Kit board. + +Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"") +Reported-by: Tam Nguyen +Signed-off-by: Yoshihiro Shimoda +Tested-by: Kuninori Morimoto +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230926123054.3976752-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/rswitch.c | 13 ++++++++++++- + drivers/net/ethernet/renesas/rswitch.h | 2 ++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c +index 215854812f80a..660cbfe344d2c 100644 +--- a/drivers/net/ethernet/renesas/rswitch.c ++++ b/drivers/net/ethernet/renesas/rswitch.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2022 Renesas Electronics Corporation + */ + ++#include + #include + #include + #include +@@ -1049,7 +1050,7 @@ static void rswitch_rmac_setting(struct rswitch_etha *etha, const u8 *mac) + static void rswitch_etha_enable_mii(struct rswitch_etha *etha) + { + rswitch_modify(etha->addr, MPIC, MPIC_PSMCS_MASK | MPIC_PSMHT_MASK, +- MPIC_PSMCS(0x05) | MPIC_PSMHT(0x06)); ++ MPIC_PSMCS(etha->psmcs) | MPIC_PSMHT(0x06)); + rswitch_modify(etha->addr, MPSM, 0, MPSM_MFF_C45); + } + +@@ -1681,6 +1682,12 @@ 
static void rswitch_etha_init(struct rswitch_private *priv, int index) + etha->index = index; + etha->addr = priv->addr + RSWITCH_ETHA_OFFSET + index * RSWITCH_ETHA_SIZE; + etha->coma_addr = priv->addr; ++ ++ /* MPIC.PSMCS = (clk [MHz] / (MDC frequency [MHz] * 2) - 1. ++ * Calculating PSMCS value as MDC frequency = 2.5MHz. So, multiply ++ * both the numerator and the denominator by 10. ++ */ ++ etha->psmcs = clk_get_rate(priv->clk) / 100000 / (25 * 2) - 1; + } + + static int rswitch_device_alloc(struct rswitch_private *priv, int index) +@@ -1882,6 +1889,10 @@ static int renesas_eth_sw_probe(struct platform_device *pdev) + return -ENOMEM; + spin_lock_init(&priv->lock); + ++ priv->clk = devm_clk_get(&pdev->dev, NULL); ++ if (IS_ERR(priv->clk)) ++ return PTR_ERR(priv->clk); ++ + priv->ptp_priv = rcar_gen4_ptp_alloc(pdev); + if (!priv->ptp_priv) + return -ENOMEM; +diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h +index 9740398067140..13a401cebd8b7 100644 +--- a/drivers/net/ethernet/renesas/rswitch.h ++++ b/drivers/net/ethernet/renesas/rswitch.h +@@ -915,6 +915,7 @@ struct rswitch_etha { + bool external_phy; + struct mii_bus *mii; + phy_interface_t phy_interface; ++ u32 psmcs; + u8 mac_addr[MAX_ADDR_LEN]; + int link; + int speed; +@@ -1012,6 +1013,7 @@ struct rswitch_private { + struct rswitch_mfwd mfwd; + + spinlock_t lock; /* lock interrupt registers' control */ ++ struct clk *clk; + + bool gwca_halt; + }; +-- +2.40.1 + diff --git a/queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch b/queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch new file mode 100644 index 00000000000..0dc25f37638 --- /dev/null +++ b/queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch 
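Review bot: The PSMCS computation added to rswitch_etha_init() wraps when `clk_get_rate(priv->clk)` returns 0 or anything below 5 MHz. The divisions yield 0, the `- 1` underflows, and the result is stored in the new `u32 psmcs` and later handed to `MPIC_PSMCS()`. The probe hunk checks `IS_ERR(priv->clk)` but never the rate, and rswitch_etha_init() returns void, so the guard belongs in renesas_eth_sw_probe(), e.g. `if (clk_get_rate(priv->clk) < 5000000) return -EINVAL;`. A rate high enough to exceed the PSMCS field is the other boundary; the mask width is not visible here, so that is worth checking too. The added comment also has an unbalanced parenthesis in `(clk [MHz] / (MDC frequency [MHz] * 2) - 1.`; both functions continue outside the hunks.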
@@ -0,0 +1,56 @@
+From 81aef2098c153817879f21e1b8972c47a931d81c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Sep 2023 15:02:32 +0200
+Subject: rtla/timerlat: Do not stop user-space if a cpu is offline
+
+From: Daniel Bristot de Oliveira
+
+[ Upstream commit e8c44d3b713b96cda055a23b21e8c4f931dd159f ]
+
+If no CPU list is passed, timerlat in user-space will dispatch
+one thread per sysconf(_SC_NPROCESSORS_CONF). However, not all
+CPU might be available, for instance, if HT is disabled.
+
+Currently, rtla timerlat is stopping the session if an user-space
+thread cannot set affinity to a CPU, or if a running user-space
+thread is killed. However, this is too restrictive.
+
+So, reduce the error to a debug message, and rtla timerlat run as
+long as there is at least one user-space thread alive.
+
+Link: https://lore.kernel.org/lkml/59cf2c882900ab7de91c6ee33b382ac7fa6b4ed0.1694781909.git.bristot@kernel.org
+
+Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support")
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Sasha Levin
+---
+ tools/tracing/rtla/src/timerlat_u.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tracing/rtla/src/timerlat_u.c b/tools/tracing/rtla/src/timerlat_u.c
+index 05e310696dd5c..01dbf9a6b5a51 100644
+--- a/tools/tracing/rtla/src/timerlat_u.c
++++ b/tools/tracing/rtla/src/timerlat_u.c
+@@ -45,7 +45,7 @@ static int timerlat_u_main(int cpu, struct timerlat_u_params *params)
+
+ retval = sched_setaffinity(gettid(), sizeof(set), &set);
+ if (retval == -1) {
+- err_msg("Error setting user thread affinity\n");
++ debug_msg("Error setting user thread affinity %d, is the CPU online?\n", cpu);
+ exit(1);
+ }
+
+@@ -193,7 +193,9 @@ void *timerlat_u_dispatcher(void *data)
+ procs_count--;
+ }
+ }
+- break;
++
++ if (!procs_count)
++ break;
+ }
+
+ sleep(1);
+--
+2.40.1
+
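Review bot: The new `debug_msg()` in timerlat_u_main() guesses at one cause ("is the CPU online?") although `sched_setaffinity()` can fail for other reasons. With the message demoted from `err_msg()`, a permission or cpuset failure is now silent unless debug output is enabled. Reporting the actual error would keep the offline case quiet and the others diagnosable, e.g. `debug_msg("Error setting user thread affinity %d: %s\n", cpu, strerror(errno));`, assuming `errno` and `strerror()` are available in this file. In timerlat_u_dispatcher() the added `if (!procs_count)` now decides when the session ends; a comment such as `/* keep running while at least one user thread is alive */` would make that explicit. Both functions continue outside the hunks.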
diff --git a/queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch b/queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch
new file mode 100644
index 00000000000..d2c93edad24
--- /dev/null
+++ b/queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch
@@ -0,0 +1,63 @@ +From b01d61f4a9644f359e4bf2412dfed8d511fa9c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:52:12 +0200 +Subject: rtla/timerlat_aa: Fix negative IRQ delay + +From: Daniel Bristot de Oliveira + +[ Upstream commit 6c73daf26420b97fb8b4a620e4ffee5c1f9d44d1 ] + +When estimating the IRQ timer delay, we are dealing with two different +clock sources: the external clock source that timerlat uses as a reference +and the clock used by the tracer. There are also two moments: the time +reading the clock and the timer in which the event is placed in the +buffer (the trace event timestamp). + +If the processor is slow or there is some hardware noise, the difference +between the timestamp and the external clock, read can be longer than the +IRQ handler delay, resulting in a negative time. + +If so, set IRQ to start delay as 0. In the end, it is less near-zero and relevant +then the noise. + +Link: https://lore.kernel.org/lkml/a066fb667c7136d86dcddb3c7ccd72587db3e7c7.1691162043.git.bristot@kernel.org + +Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core") +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/src/timerlat_aa.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c +index dec5b4c4511e1..baf1efda0581d 100644 +--- a/tools/tracing/rtla/src/timerlat_aa.c ++++ b/tools/tracing/rtla/src/timerlat_aa.c +@@ -338,7 +338,23 @@ static int timerlat_aa_irq_handler(struct trace_seq *s, struct tep_record *recor + taa_data->timer_irq_start_time = start; + taa_data->timer_irq_duration = duration; + +- taa_data->timer_irq_start_delay = taa_data->timer_irq_start_time - expected_start; ++ /* ++ * We are dealing with two different clock sources: the ++ * external clock source that timerlat uses as a reference ++ * and the clock used by the tracer. 
There are also two ++ * moments: the time reading the clock and the timer in ++ * which the event is placed in the buffer (the trace ++ * event timestamp). If the processor is slow or there ++ * is some hardware noise, the difference between the ++ * timestamp and the external clock read can be longer ++ * than the IRQ handler delay, resulting in a negative ++ * time. If so, set IRQ start delay as 0. In the end, ++ * it is less relevant than the noise. ++ */ ++ if (expected_start < taa_data->timer_irq_start_time) ++ taa_data->timer_irq_start_delay = taa_data->timer_irq_start_time - expected_start; ++ else ++ taa_data->timer_irq_start_delay = 0; + + /* + * not exit from idle. +-- +2.40.1 + diff --git a/queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch b/queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch new file mode 100644 index 00000000000..c760607a655 --- /dev/null +++ b/queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch 
@@ -0,0 +1,76 @@ +From 32d1d6c52b443906f6261c8a6b262b32ed82201d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:52:13 +0200 +Subject: rtla/timerlat_aa: Fix previous IRQ delay for IRQs that happens after + thread sample + +From: Daniel Bristot de Oliveira + +[ Upstream commit 301deca09b254965661d3e971f1a60ac2ce41f5f ] + +timerlat auto-analysis takes note of all IRQs, before or after the +execution of the timerlat thread. + +Because we cannot go backward in the trace (we will fix it when +moving to trace-cmd lib?), timerlat aa take note of the last IRQ +execution in the waiting for the IRQ state, and then print it +if it is executed after the expected timer IRQ starting time. + +After the thread sample, the timerlat starts recording the next IRQs as +"previous" irq for the next occurrence. + +However, if an IRQ happens after the thread measurement but before the +tracing stops, it is classified as a previous IRQ. That is not +wrong, as it can be "previous" for the subsequent activation. What is +wrong is considering it as a potential source for the last activation. + +Ignore the IRQ interference that happens after the IRQ starting time for +now. A future improvement for timerlat can be either keeping a list of +previous IRQ execution or using the trace-cmd library. Still, it requires +further investigation - it is a new feature. 
+ +Link: https://lore.kernel.org/lkml/a44a3f5c801dcc697bacf7325b65d4a5b0460537.1691162043.git.bristot@kernel.org + +Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core") +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/src/timerlat_aa.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c +index baf1efda0581d..7093fd5333beb 100644 +--- a/tools/tracing/rtla/src/timerlat_aa.c ++++ b/tools/tracing/rtla/src/timerlat_aa.c +@@ -545,7 +545,7 @@ static int timerlat_aa_kworker_start_handler(struct trace_seq *s, struct tep_rec + static void timerlat_thread_analysis(struct timerlat_aa_data *taa_data, int cpu, + int irq_thresh, int thread_thresh) + { +- unsigned long long exp_irq_ts; ++ long long exp_irq_ts; + int total; + int irq; + +@@ -562,12 +562,15 @@ static void timerlat_thread_analysis(struct timerlat_aa_data *taa_data, int cpu, + + /* + * Expected IRQ arrival time using the trace clock as the base. ++ * ++ * TODO: Add a list of previous IRQ, and then run the list backwards. + */ + exp_irq_ts = taa_data->timer_irq_start_time - taa_data->timer_irq_start_delay; +- +- if (exp_irq_ts < taa_data->prev_irq_timstamp + taa_data->prev_irq_duration) +- printf(" Previous IRQ interference: \t\t up to %9.2f us\n", +- ns_to_usf(taa_data->prev_irq_duration)); ++ if (exp_irq_ts < taa_data->prev_irq_timstamp + taa_data->prev_irq_duration) { ++ if (taa_data->prev_irq_timstamp < taa_data->timer_irq_start_time) ++ printf(" Previous IRQ interference: \t\t up to %9.2f us\n", ++ ns_to_usf(taa_data->prev_irq_duration)); ++ } + + /* + * The delay that the IRQ suffered before starting. +-- +2.40.1 + diff --git a/queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch b/queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch new file mode 100644 index 00000000000..8e9da1fc5e1 --- /dev/null 
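Review bot: Changing `exp_irq_ts` to `long long` in timerlat_thread_analysis() only helps if the right-hand side of `exp_irq_ts < taa_data->prev_irq_timstamp + taa_data->prev_irq_duration` is signed. If those fields are `unsigned long long` (their declarations are outside the hunk), the usual arithmetic conversions turn `exp_irq_ts` back into an unsigned value and a negative result compares as a very large number. Either keep the variable unsigned or make the comparison signed on both sides, e.g. `exp_irq_ts < (long long)(taa_data->prev_irq_timstamp + taa_data->prev_irq_duration)`. The two nested `if`s added below could also be one condition joined with `&&`, which would drop the extra braces.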
+++ b/queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch
@@ -0,0 +1,39 @@
+From 5d7381c35db50b78101bcd6d65e7b517d11c11ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Aug 2023 17:52:11 +0200
+Subject: rtla/timerlat_aa: Zero thread sum after every sample analysis
+
+From: Daniel Bristot de Oliveira
+
+[ Upstream commit 02d89917ef68acbe65c7cc2323f1db4429879878 ]
+
+The thread thread_thread_sum accounts for thread interference
+during a single activation. It was not being zeroed, so it was
+accumulating thread interference over all activations.
+
+It was not that visible when timerlat was the highest priority.
+
+Link: https://lore.kernel.org/lkml/97bff55b0141f2d01b47d9450a5672fde147b89a.1691162043.git.bristot@kernel.org
+
+Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core")
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Sasha Levin
+---
+ tools/tracing/rtla/src/timerlat_aa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c
+index e0ffe69c271c6..dec5b4c4511e1 100644
+--- a/tools/tracing/rtla/src/timerlat_aa.c
++++ b/tools/tracing/rtla/src/timerlat_aa.c
+@@ -159,6 +159,7 @@ static int timerlat_aa_irq_latency(struct timerlat_aa_data *taa_data,
+ taa_data->thread_nmi_sum = 0;
+ taa_data->thread_irq_sum = 0;
+ taa_data->thread_softirq_sum = 0;
++ taa_data->thread_thread_sum = 0;
+ taa_data->thread_blocking_duration = 0;
+ taa_data->timer_irq_start_time = 0;
+ taa_data->timer_irq_duration = 0;
+--
+2.40.1
+
diff --git a/queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch b/queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch
new file mode 100644
index 00000000000..60c3015e448
--- /dev/null
+++ b/queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch
@@ -0,0 +1,55 @@
+From d10a17429162accce0e9031e2af6bdbcc074f4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Sep 2023 23:02:57 -0700
+Subject: s390/bpf: Let arch_prepare_bpf_trampoline return program size
+
+From: Song Liu
+
+[ Upstream commit cf094baa3e0f19f1f80ceaf205c80402b024386c ]
+
+arch_prepare_bpf_trampoline() for s390 currently returns 0 on success. This
+is not a problem for regular trampoline. However, struct_ops relies on the
+return value to advance "image" pointer:
+
+bpf_struct_ops_map_update_elem() {
+ ...
+ for_each_member(i, t, member) {
+ ...
+ err = bpf_struct_ops_prepare_trampoline();
+ ...
+ image += err;
+ }
+}
+
+When arch_prepare_bpf_trampoline returns 0 on success, all members of the
+struct_ops will point to the same trampoline (the last one).
+
+Fix this by returning the program size in arch_prepare_bpf_trampoline (on
+success). This is the same behavior as other architectures.
+
+Signed-off-by: Song Liu
+Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
+Reviewed-by: Ilya Leoshkevich
+Link: https://lore.kernel.org/r/20230919060258.3237176-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index de2fb12120d2e..2861e3360affc 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -2513,7 +2513,7 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image,
+ return -E2BIG;
+ }
+
+- return ret;
++ return tjit.common.prg;
+ }
+
+ bool bpf_jit_supports_subprog_tailcalls(void)
+--
+2.40.1
+
diff --git a/queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch b/queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch
new file mode 100644
index 00000000000..9bf3a6f2019
--- /dev/null
+++ b/queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch 
@@ -0,0 +1,98 @@ +From 9a81d8467f34e2301d9db646b92605a571850cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 15:58:48 -0700 +Subject: scsi: target: core: Fix deadlock due to recursive locking + +From: Junxiao Bi + +[ Upstream commit a154f5f643c6ecddd44847217a7a3845b4350003 ] + +The following call trace shows a deadlock issue due to recursive locking of +mutex "device_mutex". First lock acquire is in target_for_each_device() and +second in target_free_device(). + + PID: 148266 TASK: ffff8be21ffb5d00 CPU: 10 COMMAND: "iscsi_ttx" + #0 [ffffa2bfc9ec3b18] __schedule at ffffffffa8060e7f + #1 [ffffa2bfc9ec3ba0] schedule at ffffffffa8061224 + #2 [ffffa2bfc9ec3bb8] schedule_preempt_disabled at ffffffffa80615ee + #3 [ffffa2bfc9ec3bc8] __mutex_lock at ffffffffa8062fd7 + #4 [ffffa2bfc9ec3c40] __mutex_lock_slowpath at ffffffffa80631d3 + #5 [ffffa2bfc9ec3c50] mutex_lock at ffffffffa806320c + #6 [ffffa2bfc9ec3c68] target_free_device at ffffffffc0935998 [target_core_mod] + #7 [ffffa2bfc9ec3c90] target_core_dev_release at ffffffffc092f975 [target_core_mod] + #8 [ffffa2bfc9ec3ca0] config_item_put at ffffffffa79d250f + #9 [ffffa2bfc9ec3cd0] config_item_put at ffffffffa79d2583 + #10 [ffffa2bfc9ec3ce0] target_devices_idr_iter at ffffffffc0933f3a [target_core_mod] + #11 [ffffa2bfc9ec3d00] idr_for_each at ffffffffa803f6fc + #12 [ffffa2bfc9ec3d60] target_for_each_device at ffffffffc0935670 [target_core_mod] + #13 [ffffa2bfc9ec3d98] transport_deregister_session at ffffffffc0946408 [target_core_mod] + #14 [ffffa2bfc9ec3dc8] iscsit_close_session at ffffffffc09a44a6 [iscsi_target_mod] + #15 [ffffa2bfc9ec3df0] iscsit_close_connection at ffffffffc09a4a88 [iscsi_target_mod] + #16 [ffffa2bfc9ec3df8] finish_task_switch at ffffffffa76e5d07 + #17 [ffffa2bfc9ec3e78] iscsit_take_action_for_connection_exit at ffffffffc0991c23 [iscsi_target_mod] + #18 [ffffa2bfc9ec3ea0] iscsi_target_tx_thread at ffffffffc09a403b [iscsi_target_mod] + #19 [ffffa2bfc9ec3f08] kthread at 
ffffffffa76d8080 + #20 [ffffa2bfc9ec3f50] ret_from_fork at ffffffffa8200364 + +Fixes: 36d4cb460bcb ("scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion") +Signed-off-by: Junxiao Bi +Link: https://lore.kernel.org/r/20230918225848.66463-1-junxiao.bi@oracle.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index b7ac60f4a2194..b6523d4b9259e 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -843,7 +843,6 @@ sector_t target_to_linux_sector(struct se_device *dev, sector_t lb) + EXPORT_SYMBOL(target_to_linux_sector); + + struct devices_idr_iter { +- struct config_item *prev_item; + int (*fn)(struct se_device *dev, void *data); + void *data; + }; +@@ -853,11 +852,9 @@ static int target_devices_idr_iter(int id, void *p, void *data) + { + struct devices_idr_iter *iter = data; + struct se_device *dev = p; ++ struct config_item *item; + int ret; + +- config_item_put(iter->prev_item); +- iter->prev_item = NULL; +- + /* + * We add the device early to the idr, so it can be used + * by backend modules during configuration. 
We do not want +@@ -867,12 +864,13 @@ static int target_devices_idr_iter(int id, void *p, void *data) + if (!target_dev_configured(dev)) + return 0; + +- iter->prev_item = config_item_get_unless_zero(&dev->dev_group.cg_item); +- if (!iter->prev_item) ++ item = config_item_get_unless_zero(&dev->dev_group.cg_item); ++ if (!item) + return 0; + mutex_unlock(&device_mutex); + + ret = iter->fn(dev, iter->data); ++ config_item_put(item); + + mutex_lock(&device_mutex); + return ret; +@@ -895,7 +893,6 @@ int target_for_each_device(int (*fn)(struct se_device *dev, void *data), + mutex_lock(&device_mutex); + ret = idr_for_each(&devices_idr, target_devices_idr_iter, &iter); + mutex_unlock(&device_mutex); +- config_item_put(iter.prev_item); + return ret; + } + +-- +2.40.1 + diff --git a/queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch b/queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch new file mode 100644 index 00000000000..9c781adacd0 --- /dev/null +++ b/queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch 
@@ -0,0 +1,48 @@
+From 3d5d6b49a77252d940be8c704124cac669b03259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 1 Oct 2023 11:04:20 -0400
+Subject: sctp: update hb timer immediately after users change hb_interval
+
+From: Xin Long
+
+[ Upstream commit 1f4e803cd9c9166eb8b6c8b0b8e4124f7499fc07 ]
+
+Currently, when hb_interval is changed by users, it won't take effect
+until the next expiry of hb timer. As the default value is 30s, users
+have to wait up to 30s to wait its hb_interval update to work.
+
+This becomes pretty bad in containers where a much smaller value is
+usually set on hb_interval. This patch improves it by resetting the
+hb timer immediately once the value of hb_interval is updated by users.
+
+Note that we don't address the already existing 'problem' when sending
+a heartbeat 'on demand' if one hb has just been sent(from the timer)
+mentioned in:
+
+ https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg590224.html
+
+Signed-off-by: Xin Long
+Reviewed-by: Simon Horman
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/75465785f8ee5df2fb3acdca9b8fafdc18984098.1696172660.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sctp/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 7cf207706eb66..652af155966f1 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -2450,6 +2450,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
+ if (trans) {
+ trans->hbinterval =
+ msecs_to_jiffies(params->spp_hbinterval);
++ sctp_transport_reset_hb_timer(trans);
+ } else if (asoc) {
+ asoc->hbinterval =
+ msecs_to_jiffies(params->spp_hbinterval);
+--
+2.40.1
+
diff --git a/queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch b/queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch
new file mode 100644
index 00000000000..be79f73d57e
--- /dev/null
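Review bot: `sctp_transport_reset_hb_timer(trans);` is added only to the `if (trans)` branch, while the `else if (asoc)` branch right below still just stores `asoc->hbinterval`. Whether an association-wide change re-arms the timers of its existing transports therefore depends on the caller invoking this function once per transport, which is outside the hunk; if it does not, the delay the description talks about remains for that case. The interval comes from `params->spp_hbinterval`, set by the socket owner, and the hunk shows no lower bound before the timer is re-armed. A comment saying where the value is bounded would help a reader judge how often heartbeats can be made to fire. sctp_apply_peer_addr_params() starts and ends outside the hunk.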
+++ b/queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch 
@@ -0,0 +1,67 @@ +From 802b42dc972b9e5863e008ec85d27ad1cef2c2c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Oct 2023 10:58:45 -0400 +Subject: sctp: update transport state when processing a dupcook packet + +From: Xin Long + +[ Upstream commit 2222a78075f0c19ca18db53fd6623afb4aff602d ] + +During the 4-way handshake, the transport's state is set to ACTIVE in +sctp_process_init() when processing INIT_ACK chunk on client or +COOKIE_ECHO chunk on server. + +In the collision scenario below: + + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408] + 192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885] + 192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408] + 192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO] + 192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK] + 192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] + +when processing COOKIE_ECHO on 192.168.1.2, as it's in COOKIE_WAIT state, +sctp_sf_do_dupcook_b() is called by sctp_sf_do_5_2_4_dupcook() where it +creates a new association and sets its transport to ACTIVE then updates +to the old association in sctp_assoc_update(). + +However, in sctp_assoc_update(), it will skip the transport update if it +finds a transport with the same ipaddr already existing in the old asoc, +and this causes the old asoc's transport state not to move to ACTIVE +after the handshake. + +This means if DATA retransmission happens at this moment, it won't be able +to enter PF state because of the check 'transport->state == SCTP_ACTIVE' +in sctp_do_8_2_transport_strike(). + +This patch fixes it by updating the transport in sctp_assoc_update() with +sctp_assoc_add_peer() where it updates the transport state if there is +already a transport with the same ipaddr exists in the old asoc. 
+ +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/fd17356abe49713ded425250cc1ae51e9f5846c6.1696172325.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/associola.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 796529167e8d2..c45c192b78787 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1159,8 +1159,7 @@ int sctp_assoc_update(struct sctp_association *asoc, + /* Add any peer addresses from the new association. */ + list_for_each_entry(trans, &new->peer.transport_addr_list, + transports) +- if (!sctp_assoc_lookup_paddr(asoc, &trans->ipaddr) && +- !sctp_assoc_add_peer(asoc, &trans->ipaddr, ++ if (!sctp_assoc_add_peer(asoc, &trans->ipaddr, + GFP_ATOMIC, trans->state)) + return -ENOMEM; + +-- +2.40.1 + diff --git a/queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch b/queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch new file mode 100644 index 00000000000..efd1da9d9bd --- /dev/null +++ b/queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch 
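Review bot: The comment kept above the loop in sctp_assoc_update(), `/* Add any peer addresses from the new association. */`, no longer describes what the loop does. With the `sctp_assoc_lookup_paddr()` test removed, every address is passed to `sctp_assoc_add_peer()`, which per the description also updates the state of a transport that already exists. I would reword it to `/* Add peer addresses from the new association; for known ones sctp_assoc_add_peer() updates the transport state. */`. Existing transports now take `trans->state` from the new association, and the description only discusses the move to ACTIVE, so it is worth confirming that no other state set on the old transport can be overwritten unintentionally. The multi-line `if` under `list_for_each_entry` would also read more safely with braces.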
@@ -0,0 +1,171 @@ +From cf5f02195f6e42bacb90500438a0e59049edf421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 03:53:49 +0200 +Subject: selftests: netfilter: Extend nft_audit.sh + +From: Phil Sutter + +[ Upstream commit 203bb9d39866d3c5a8135433ce3742fe4f9d5741 ] + +Add tests for sets and elements and deletion of all kinds. Also +reorder rule reset tests: By moving the bulk rule add command up, the +two 'reset rules' tests become identical. + +While at it, fix for a failing bulk rule add test's error status getting +lost due to its use in a pipe. Avoid this by using a temporary file. + +Headings in diff output for failing tests contain no useful data, strip +them. + +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Stable-dep-of: 0d880dc6f032 ("netfilter: nf_tables: Deduplicate nft_register_obj audit logs") +Signed-off-by: Sasha Levin +--- + .../testing/selftests/netfilter/nft_audit.sh | 97 ++++++++++++++++--- + 1 file changed, 81 insertions(+), 16 deletions(-) + +diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh +index 83c271b1c7352..0b3255e7b3538 100755 +--- a/tools/testing/selftests/netfilter/nft_audit.sh ++++ b/tools/testing/selftests/netfilter/nft_audit.sh +@@ -12,10 +12,11 @@ nft --version >/dev/null 2>&1 || { + } + + logfile=$(mktemp) ++rulefile=$(mktemp) + echo "logging into $logfile" + ./audit_logread >"$logfile" & + logread_pid=$! +-trap 'kill $logread_pid; rm -f $logfile' EXIT ++trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT + exec 3<"$logfile" + + do_test() { # (cmd, log) +@@ -26,12 +27,14 @@ do_test() { # (cmd, log) + res=$(diff -a -u <(echo "$2") - <&3) + [ $? 
-eq 0 ] && { echo "OK"; return; } + echo "FAIL" +- echo "$res" +- ((RC++)) ++ grep -v '^\(---\|+++\|@@\)' <<< "$res" ++ ((RC--)) + } + + nft flush ruleset + ++# adding tables, chains and rules ++ + for table in t1 t2; do + do_test "nft add table $table" \ + "table=$table family=2 entries=1 op=nft_register_table" +@@ -62,6 +65,28 @@ for table in t1 t2; do + "table=$table family=2 entries=6 op=nft_register_rule" + done + ++for ((i = 0; i < 500; i++)); do ++ echo "add rule t2 c3 counter accept comment \"rule $i\"" ++done >$rulefile ++do_test "nft -f $rulefile" \ ++'table=t2 family=2 entries=500 op=nft_register_rule' ++ ++# adding sets and elements ++ ++settype='type inet_service; counter' ++setelem='{ 22, 80, 443 }' ++setblock="{ $settype; elements = $setelem; }" ++do_test "nft add set t1 s $setblock" \ ++"table=t1 family=2 entries=4 op=nft_register_set" ++ ++do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \ ++"table=t1 family=2 entries=5 op=nft_register_set" ++ ++do_test "nft add element t1 s3 $setelem" \ ++"table=t1 family=2 entries=3 op=nft_register_setelem" ++ ++# resetting rules ++ + do_test 'nft reset rules t1 c2' \ + 'table=t1 family=2 entries=3 op=nft_reset_rule' + +@@ -70,19 +95,6 @@ do_test 'nft reset rules table t1' \ + table=t1 family=2 entries=3 op=nft_reset_rule + table=t1 family=2 entries=3 op=nft_reset_rule' + +-do_test 'nft reset rules' \ +-'table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t1 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule +-table=t2 family=2 entries=3 op=nft_reset_rule' +- +-for ((i = 0; i < 500; i++)); do +- echo "add rule t2 c3 counter accept comment \"rule $i\"" +-done | do_test 'nft -f -' \ +-'table=t2 family=2 entries=500 op=nft_register_rule' +- + do_test 'nft reset rules t2 c3' \ + 'table=t2 family=2 entries=189 op=nft_reset_rule + table=t2 family=2 entries=188 
op=nft_reset_rule +@@ -105,4 +117,57 @@ table=t2 family=2 entries=180 op=nft_reset_rule + table=t2 family=2 entries=188 op=nft_reset_rule + table=t2 family=2 entries=135 op=nft_reset_rule' + ++# resetting sets and elements ++ ++elem=(22 ,80 ,443) ++relem="" ++for i in {1..3}; do ++ relem+="${elem[((i - 1))]}" ++ do_test "nft reset element t1 s { $relem }" \ ++ "table=t1 family=2 entries=$i op=nft_reset_setelem" ++done ++ ++do_test 'nft reset set t1 s' \ ++'table=t1 family=2 entries=3 op=nft_reset_setelem' ++ ++# deleting rules ++ ++readarray -t handles < <(nft -a list chain t1 c1 | \ ++ sed -n 's/.*counter.* handle \(.*\)$/\1/p') ++ ++do_test "nft delete rule t1 c1 handle ${handles[0]}" \ ++'table=t1 family=2 entries=1 op=nft_unregister_rule' ++ ++cmd='delete rule t1 c1 handle' ++do_test "nft $cmd ${handles[1]}; $cmd ${handles[2]}" \ ++'table=t1 family=2 entries=2 op=nft_unregister_rule' ++ ++do_test 'nft flush chain t1 c2' \ ++'table=t1 family=2 entries=3 op=nft_unregister_rule' ++ ++do_test 'nft flush table t2' \ ++'table=t2 family=2 entries=509 op=nft_unregister_rule' ++ ++# deleting chains ++ ++do_test 'nft delete chain t2 c2' \ ++'table=t2 family=2 entries=1 op=nft_unregister_chain' ++ ++# deleting sets and elements ++ ++do_test 'nft delete element t1 s { 22 }' \ ++'table=t1 family=2 entries=1 op=nft_unregister_setelem' ++ ++do_test 'nft delete element t1 s { 80, 443 }' \ ++'table=t1 family=2 entries=2 op=nft_unregister_setelem' ++ ++do_test 'nft flush set t1 s2' \ ++'table=t1 family=2 entries=3 op=nft_unregister_setelem' ++ ++do_test 'nft delete set t1 s2' \ ++'table=t1 family=2 entries=1 op=nft_unregister_set' ++ ++do_test 'nft delete set t1 s3' \ ++'table=t1 family=2 entries=1 op=nft_unregister_set' ++ + exit $RC +-- +2.40.1 + diff --git a/queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch b/queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch new file mode 100644 index 00000000000..7d7d181e0d0 --- /dev/null 
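Review bot: The failure counter in do_test() changes from `((RC++))` to `((RC--))` with no comment, while the script still ends with `exit $RC`. Failures therefore surface as a wrapped exit status (a single failure would exit 255) rather than as a count. If the intent is to keep the status from ever colliding with `SKIP_RC=4`, that deserves a comment next to the decrement, e.g. `# count down so the exit status cannot equal $SKIP_RC`. If not, a plain `RC=1` would be easier to read.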
+++ b/queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch 
@@ -0,0 +1,352 @@ +From d5a6feb2dd3a4e9b16f199dcd41dd410313b3299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 15:51:37 +0200 +Subject: selftests: netfilter: Test nf_tables audit logging + +From: Phil Sutter + +[ Upstream commit e8dbde59ca3fe925d0105bfb380e8429928b16dd ] + +Compare NETFILTER_CFG type audit logs emitted from kernel upon ruleset +modifications against expected output. + +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Stable-dep-of: 0d880dc6f032 ("netfilter: nf_tables: Deduplicate nft_register_obj audit logs") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/.gitignore | 1 + + tools/testing/selftests/netfilter/Makefile | 4 +- + .../selftests/netfilter/audit_logread.c | 165 ++++++++++++++++++ + tools/testing/selftests/netfilter/config | 1 + + .../testing/selftests/netfilter/nft_audit.sh | 108 ++++++++++++ + 5 files changed, 277 insertions(+), 2 deletions(-) + create mode 100644 tools/testing/selftests/netfilter/audit_logread.c + create mode 100755 tools/testing/selftests/netfilter/nft_audit.sh + +diff --git a/tools/testing/selftests/netfilter/.gitignore b/tools/testing/selftests/netfilter/.gitignore +index 4cb887b574138..4b2928e1c19d8 100644 +--- a/tools/testing/selftests/netfilter/.gitignore ++++ b/tools/testing/selftests/netfilter/.gitignore +@@ -1,3 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0-only + nf-queue + connect_close ++audit_logread +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +index 3686bfa6c58d7..321db8850da00 100644 +--- a/tools/testing/selftests/netfilter/Makefile ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -6,13 +6,13 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \ + nft_concat_range.sh nft_conntrack_helper.sh \ + nft_queue.sh nft_meta.sh nf_nat_edemux.sh \ + ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \ +- conntrack_vrf.sh nft_synproxy.sh rpath.sh ++ conntrack_vrf.sh 
nft_synproxy.sh rpath.sh nft_audit.sh + + HOSTPKG_CONFIG := pkg-config + + CFLAGS += $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null) + LDLIBS += $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl) + +-TEST_GEN_FILES = nf-queue connect_close ++TEST_GEN_FILES = nf-queue connect_close audit_logread + + include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/audit_logread.c b/tools/testing/selftests/netfilter/audit_logread.c +new file mode 100644 +index 0000000000000..a0a880fc2d9de +--- /dev/null ++++ b/tools/testing/selftests/netfilter/audit_logread.c +@@ -0,0 +1,165 @@ ++// SPDX-License-Identifier: GPL-2.0 ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int fd; ++ ++#define MAX_AUDIT_MESSAGE_LENGTH 8970 ++struct audit_message { ++ struct nlmsghdr nlh; ++ union { ++ struct audit_status s; ++ char data[MAX_AUDIT_MESSAGE_LENGTH]; ++ } u; ++}; ++ ++int audit_recv(int fd, struct audit_message *rep) ++{ ++ struct sockaddr_nl addr; ++ socklen_t addrlen = sizeof(addr); ++ int ret; ++ ++ do { ++ ret = recvfrom(fd, rep, sizeof(*rep), 0, ++ (struct sockaddr *)&addr, &addrlen); ++ } while (ret < 0 && errno == EINTR); ++ ++ if (ret < 0 || ++ addrlen != sizeof(addr) || ++ addr.nl_pid != 0 || ++ rep->nlh.nlmsg_type == NLMSG_ERROR) /* short-cut for now */ ++ return -1; ++ ++ return ret; ++} ++ ++int audit_send(int fd, uint16_t type, uint32_t key, uint32_t val) ++{ ++ static int seq = 0; ++ struct audit_message msg = { ++ .nlh = { ++ .nlmsg_len = NLMSG_SPACE(sizeof(msg.u.s)), ++ .nlmsg_type = type, ++ .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, ++ .nlmsg_seq = ++seq, ++ }, ++ .u.s = { ++ .mask = key, ++ .enabled = key == AUDIT_STATUS_ENABLED ? val : 0, ++ .pid = key == AUDIT_STATUS_PID ? 
val : 0, ++ } ++ }; ++ struct sockaddr_nl addr = { ++ .nl_family = AF_NETLINK, ++ }; ++ int ret; ++ ++ do { ++ ret = sendto(fd, &msg, msg.nlh.nlmsg_len, 0, ++ (struct sockaddr *)&addr, sizeof(addr)); ++ } while (ret < 0 && errno == EINTR); ++ ++ if (ret != (int)msg.nlh.nlmsg_len) ++ return -1; ++ return 0; ++} ++ ++int audit_set(int fd, uint32_t key, uint32_t val) ++{ ++ struct audit_message rep = { 0 }; ++ int ret; ++ ++ ret = audit_send(fd, AUDIT_SET, key, val); ++ if (ret) ++ return ret; ++ ++ ret = audit_recv(fd, &rep); ++ if (ret < 0) ++ return ret; ++ return 0; ++} ++ ++int readlog(int fd) ++{ ++ struct audit_message rep = { 0 }; ++ int ret = audit_recv(fd, &rep); ++ const char *sep = ""; ++ char *k, *v; ++ ++ if (ret < 0) ++ return ret; ++ ++ if (rep.nlh.nlmsg_type != AUDIT_NETFILTER_CFG) ++ return 0; ++ ++ /* skip the initial "audit(...): " part */ ++ strtok(rep.u.data, " "); ++ ++ while ((k = strtok(NULL, "="))) { ++ v = strtok(NULL, " "); ++ ++ /* these vary and/or are uninteresting, ignore */ ++ if (!strcmp(k, "pid") || ++ !strcmp(k, "comm") || ++ !strcmp(k, "subj")) ++ continue; ++ ++ /* strip the varying sequence number */ ++ if (!strcmp(k, "table")) ++ *strchrnul(v, ':') = '\0'; ++ ++ printf("%s%s=%s", sep, k, v); ++ sep = " "; ++ } ++ if (*sep) { ++ printf("\n"); ++ fflush(stdout); ++ } ++ return 0; ++} ++ ++void cleanup(int sig) ++{ ++ audit_set(fd, AUDIT_STATUS_ENABLED, 0); ++ close(fd); ++ if (sig) ++ exit(0); ++} ++ ++int main(int argc, char **argv) ++{ ++ struct sigaction act = { ++ .sa_handler = cleanup, ++ }; ++ ++ fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT); ++ if (fd < 0) { ++ perror("Can't open netlink socket"); ++ return -1; ++ } ++ ++ if (sigaction(SIGTERM, &act, NULL) < 0 || ++ sigaction(SIGINT, &act, NULL) < 0) { ++ perror("Can't set signal handler"); ++ close(fd); ++ return -1; ++ } ++ ++ audit_set(fd, AUDIT_STATUS_ENABLED, 1); ++ audit_set(fd, AUDIT_STATUS_PID, getpid()); ++ ++ while (1) ++ readlog(fd); ++} +diff --git 
a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config +index 4faf2ce021d90..7c42b1b2c69b4 100644 +--- a/tools/testing/selftests/netfilter/config ++++ b/tools/testing/selftests/netfilter/config +@@ -6,3 +6,4 @@ CONFIG_NFT_REDIR=m + CONFIG_NFT_MASQ=m + CONFIG_NFT_FLOW_OFFLOAD=m + CONFIG_NF_CT_NETLINK=m ++CONFIG_AUDIT=y +diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh +new file mode 100755 +index 0000000000000..83c271b1c7352 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/nft_audit.sh +@@ -0,0 +1,108 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Check that audit logs generated for nft commands are as expected. ++ ++SKIP_RC=4 ++RC=0 ++ ++nft --version >/dev/null 2>&1 || { ++ echo "SKIP: missing nft tool" ++ exit $SKIP_RC ++} ++ ++logfile=$(mktemp) ++echo "logging into $logfile" ++./audit_logread >"$logfile" & ++logread_pid=$! ++trap 'kill $logread_pid; rm -f $logfile' EXIT ++exec 3<"$logfile" ++ ++do_test() { # (cmd, log) ++ echo -n "testing for cmd: $1 ... " ++ cat <&3 >/dev/null ++ $1 >/dev/null || exit 1 ++ sleep 0.1 ++ res=$(diff -a -u <(echo "$2") - <&3) ++ [ $? 
-eq 0 ] && { echo "OK"; return; } ++ echo "FAIL" ++ echo "$res" ++ ((RC++)) ++} ++ ++nft flush ruleset ++ ++for table in t1 t2; do ++ do_test "nft add table $table" \ ++ "table=$table family=2 entries=1 op=nft_register_table" ++ ++ do_test "nft add chain $table c1" \ ++ "table=$table family=2 entries=1 op=nft_register_chain" ++ ++ do_test "nft add chain $table c2; add chain $table c3" \ ++ "table=$table family=2 entries=2 op=nft_register_chain" ++ ++ cmd="add rule $table c1 counter" ++ ++ do_test "nft $cmd" \ ++ "table=$table family=2 entries=1 op=nft_register_rule" ++ ++ do_test "nft $cmd; $cmd" \ ++ "table=$table family=2 entries=2 op=nft_register_rule" ++ ++ cmd="" ++ sep="" ++ for chain in c2 c3; do ++ for i in {1..3}; do ++ cmd+="$sep add rule $table $chain counter" ++ sep=";" ++ done ++ done ++ do_test "nft $cmd" \ ++ "table=$table family=2 entries=6 op=nft_register_rule" ++done ++ ++do_test 'nft reset rules t1 c2' \ ++'table=t1 family=2 entries=3 op=nft_reset_rule' ++ ++do_test 'nft reset rules table t1' \ ++'table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule' ++ ++do_test 'nft reset rules' \ ++'table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 op=nft_reset_rule' ++ ++for ((i = 0; i < 500; i++)); do ++ echo "add rule t2 c3 counter accept comment \"rule $i\"" ++done | do_test 'nft -f -' \ ++'table=t2 family=2 entries=500 op=nft_register_rule' ++ ++do_test 'nft reset rules t2 c3' \ ++'table=t2 family=2 entries=189 op=nft_reset_rule ++table=t2 family=2 entries=188 op=nft_reset_rule ++table=t2 family=2 entries=126 op=nft_reset_rule' ++ ++do_test 'nft reset rules t2' \ ++'table=t2 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 
op=nft_reset_rule ++table=t2 family=2 entries=186 op=nft_reset_rule ++table=t2 family=2 entries=188 op=nft_reset_rule ++table=t2 family=2 entries=129 op=nft_reset_rule' ++ ++do_test 'nft reset rules' \ ++'table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule ++table=t1 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=3 op=nft_reset_rule ++table=t2 family=2 entries=180 op=nft_reset_rule ++table=t2 family=2 entries=188 op=nft_reset_rule ++table=t2 family=2 entries=135 op=nft_reset_rule' ++ ++exit $RC +-- +2.40.1 + diff --git a/queue-6.5/series b/queue-6.5/series index 5ac9950abdf..71dc571ba2e 100644 --- a/queue-6.5/series +++ b/queue-6.5/series 
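Review bot: cleanup() in audit_logread.c always ends with `audit_set(fd, AUDIT_STATUS_ENABLED, 0)`, and main() sets the flag to 1 without reading it first, so a host that had auditing enabled before the run is left with it disabled afterwards. nft_audit.sh likewise runs `nft flush ruleset` directly, with no network namespace visible in the script, so whatever ruleset was loaded in the invoking namespace is dropped. I would have main() query the current status with an `AUDIT_GET` request and have cleanup() restore that saved value instead of a literal 0. Until then a header comment in nft_audit.sh such as `# NOTE: flushes the nft ruleset and leaves kernel auditing disabled; run only on a disposable test system` would at least document the side effects.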
@@ -23,3 +23,84 @@ net-release-reference-to-inet6_dev-pointer.patch iommu-arm-smmu-v3-avoid-constructing-invalid-range-c.patch maple_tree-reduce-resets-during-store-setup.patch maple_tree-add-mas_underflow-and-mas_overflow-states.patch +hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch +wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch +ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch +erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch +wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch +iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch +wifi-iwlwifi-dbg_ini-fix-structure-packing.patch +wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch +wifi-cfg80211-fix-cqm_config-access-race.patch +rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch +rtla-timerlat_aa-fix-negative-irq-delay.patch +rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch +wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch +wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch +wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch +hid-nvidia-shield-add-leds_class-dependency.patch +erofs-allow-empty-device-tags-in-flatdev-mode.patch +s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch +leds-drop-bug_on-check-for-led_color_id_multi.patch +bpf-fix-tr-dereferencing.patch +bpf-unconditionally-reset-backtrack_state-masks-on-g.patch +regulator-mt6358-split-ops-for-buck-and-linear-range.patch +bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch +bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch +bluetooth-iso-fix-handling-of-listen-for-unicast.patch +drivers-net-process-the-result-of-hdlc_open-and-add-.patch +wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch +perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch +rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch +regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch +wifi-mac80211-fix-potential-key-use-after-free.patch 
+perf-x86-amd-do-not-warn-on-every-irq.patch +iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch +wifi-mac80211-create-resources-for-disabled-links.patch +regulator-core-regulator_register-set-device-class-e.patch +ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch +wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch +scsi-target-core-fix-deadlock-due-to-recursive-locki.patch +ima-rework-config_ima-dependency-block.patch +nfsv4-fix-a-nfs4_state_manager-race.patch +ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch +bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch +bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch +bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch +modpost-add-missing-else-to-the-of-check.patch +net-stmmac-platform-fix-the-incorrect-parameter.patch +net-fix-possible-store-tearing-in-neigh_periodic_wor.patch +neighbour-fix-data-races-around-n-output.patch +ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch +ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch +net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch +ovl-move-freeing-ovl_entry-past-rcu-delay.patch +ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch +ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch +net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch +ethtool-plca-fix-plca-enable-data-type-while-parsing.patch +net-nfc-llcp-add-lock-when-modifying-device-list.patch +net-renesas-rswitch-add-spin-lock-protection-for-irq.patch +rswitch-fix-phy-station-management-clock-setting.patch +net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch +ibmveth-remove-condition-to-recompute-tcp-header-che.patch +netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch +netfilter-handle-the-connecting-collision-properly-i.patch +selftests-netfilter-test-nf_tables-audit-logging.patch +selftests-netfilter-extend-nft_audit.sh.patch +netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch 
+netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch +ipv4-set-offload_failed-flag-in-fibmatch-results.patch +net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch +tipc-fix-a-potential-deadlock-on-tx-lock.patch +tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch +tcp-fix-delayed-acks-for-mss-boundary-condition.patch +sctp-update-transport-state-when-processing-a-dupcoo.patch +sctp-update-hb-timer-immediately-after-users-change-.patch +netlink-annotate-data-races-around-sk-sk_err.patch +net-mana-fix-the-tso_bytes-calculation.patch +net-mana-fix-oversized-sge0-for-gso-packets.patch +hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch +hid-sony-remove-duplicate-null-check-before-calling-.patch +hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch +net-lan743x-also-select-phylib.patch diff --git a/queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch b/queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch new file mode 100644 index 00000000000..b8e349b246f --- /dev/null +++ b/queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch 
@@ -0,0 +1,99 @@ +From 348fdd1ffce9ea3cfe08dd230aa6cc3c006b5f0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Oct 2023 11:12:39 -0400 +Subject: tcp: fix delayed ACKs for MSS boundary condition + +From: Neal Cardwell + +[ Upstream commit 4720852ed9afb1c5ab84e96135cb5b73d5afde6f ] + +This commit fixes poor delayed ACK behavior that can cause poor TCP +latency in a particular boundary condition: when an application makes +a TCP socket write that is an exact multiple of the MSS size. + +The problem is that there is painful boundary discontinuity in the +current delayed ACK behavior. With the current delayed ACK behavior, +we have: + +(1) If an app reads data when > 1*MSS is unacknowledged, then + tcp_cleanup_rbuf() ACKs immediately because of: + + tp->rcv_nxt - tp->rcv_wup > icsk->icsk_ack.rcv_mss || + +(2) If an app reads all received data, and the packets were < 1*MSS, + and either (a) the app is not ping-pong or (b) we received two + packets < 1*MSS, then tcp_cleanup_rbuf() ACKs immediately beecause + of: + + ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED2) || + ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED) && + !inet_csk_in_pingpong_mode(sk))) && + +(3) *However*: if an app reads exactly 1*MSS of data, + tcp_cleanup_rbuf() does not send an immediate ACK. This is true + even if the app is not ping-pong and the 1*MSS of data had the PSH + bit set, suggesting the sending application completed an + application write. + +Thus if the app is not ping-pong, we have this painful case where +>1*MSS gets an immediate ACK, and <1*MSS gets an immediate ACK, but a +write whose last skb is an exact multiple of 1*MSS can get a 40ms +delayed ACK. This means that any app that transfers data in one +direction and takes care to align write size or packet size with MSS +can suffer this problem. 
With receive zero copy making 4KB MSS values +more common, it is becoming more common to have application writes +naturally align with MSS, and more applications are likely to +encounter this delayed ACK problem. + +The fix in this commit is to refine the delayed ACK heuristics with a +simple check: immediately ACK a received 1*MSS skb with PSH bit set if +the app reads all data. Why? If an skb has a len of exactly 1*MSS and +has the PSH bit set then it is likely the end of an application +write. So more data may not be arriving soon, and yet the data sender +may be waiting for an ACK if cwnd-bound or using TX zero copy. Thus we +set ICSK_ACK_PUSHED in this case so that tcp_cleanup_rbuf() will send +an ACK immediately if the app reads all of the data and is not +ping-pong. Note that this logic is also executed for the case where +len > MSS, but in that case this logic does not matter (and does not +hurt) because tcp_cleanup_rbuf() will always ACK immediately if the +app reads data and there is more than an MSS of unACKed data. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Neal Cardwell +Reviewed-by: Yuchung Cheng +Reviewed-by: Eric Dumazet +Cc: Xin Guo +Link: https://lore.kernel.org/r/20231001151239.1866845-2-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 48c2b96b08435..a5781f86ac375 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -243,6 +243,19 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb) + if (unlikely(len > icsk->icsk_ack.rcv_mss + + MAX_TCP_OPTION_SPACE)) + tcp_gro_dev_warn(sk, skb, len); ++ /* If the skb has a len of exactly 1*MSS and has the PSH bit ++ * set then it is likely the end of an application write. 
So ++ * more data may not be arriving soon, and yet the data sender ++ * may be waiting for an ACK if cwnd-bound or using TX zero ++ * copy. So we set ICSK_ACK_PUSHED here so that ++ * tcp_cleanup_rbuf() will send an ACK immediately if the app ++ * reads all of the data and is not ping-pong. If len > MSS ++ * then this logic does not matter (and does not hurt) because ++ * tcp_cleanup_rbuf() will always ACK immediately if the app ++ * reads data and there is more than an MSS of unACKed data. ++ */ ++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_PSH) ++ icsk->icsk_ack.pending |= ICSK_ACK_PUSHED; + } else { + /* Otherwise, we make more careful check taking into account, + * that SACKs block is variable. +-- +2.40.1 + diff --git a/queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch b/queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch new file mode 100644 index 00000000000..f370835c8ec --- /dev/null +++ b/queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch 
@@ -0,0 +1,102 @@ +From 6ca414058761864b36130171a57bd1dbddc60e38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Oct 2023 11:12:38 -0400 +Subject: tcp: fix quick-ack counting to count actual ACKs of new data + +From: Neal Cardwell + +[ Upstream commit 059217c18be6757b95bfd77ba53fb50b48b8a816 ] + +This commit fixes quick-ack counting so that it only considers that a +quick-ack has been provided if we are sending an ACK that newly +acknowledges data. + +The code was erroneously using the number of data segments in outgoing +skbs when deciding how many quick-ack credits to remove. This logic +does not make sense, and could cause poor performance in +request-response workloads, like RPC traffic, where requests or +responses can be multi-segment skbs. + +When a TCP connection decides to send N quick-acks, that is to +accelerate the cwnd growth of the congestion control module +controlling the remote endpoint of the TCP connection. That quick-ack +decision is purely about the incoming data and outgoing ACKs. It has +nothing to do with the outgoing data or the size of outgoing data. + +And in particular, an ACK only serves the intended purpose of allowing +the remote congestion control to grow the congestion window quickly if +the ACK is ACKing or SACKing new data. + +The fix is simple: only count packets as serving the goal of the +quickack mechanism if they are ACKing/SACKing new data. We can tell +whether this is the case by checking inet_csk_ack_scheduled(), since +we schedule an ACK exactly when we are ACKing/SACKing new data. 
+ +Fixes: fc6415bcb0f5 ("[TCP]: Fix quick-ack decrementing with TSO.") +Signed-off-by: Neal Cardwell +Reviewed-by: Yuchung Cheng +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231001151239.1866845-1-ncardwell.sw@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 ++++-- + net/ipv4/tcp_output.c | 7 +++---- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 10fc5c5928f71..b1b1e01c69839 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -350,12 +350,14 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos, + struct sk_buff *tcp_stream_alloc_skb(struct sock *sk, gfp_t gfp, + bool force_schedule); + +-static inline void tcp_dec_quickack_mode(struct sock *sk, +- const unsigned int pkts) ++static inline void tcp_dec_quickack_mode(struct sock *sk) + { + struct inet_connection_sock *icsk = inet_csk(sk); + + if (icsk->icsk_ack.quick) { ++ /* How many ACKs S/ACKing new data have we sent? */ ++ const unsigned int pkts = inet_csk_ack_scheduled(sk) ? 1 : 0; ++ + if (pkts >= icsk->icsk_ack.quick) { + icsk->icsk_ack.quick = 0; + /* Leaving quickack mode we deflate ATO. */ +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 9f9ca68c47026..37fd9537423f1 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -177,8 +177,7 @@ static void tcp_event_data_sent(struct tcp_sock *tp, + } + + /* Account for an ACK we sent. 
*/ +-static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts, +- u32 rcv_nxt) ++static inline void tcp_event_ack_sent(struct sock *sk, u32 rcv_nxt) + { + struct tcp_sock *tp = tcp_sk(sk); + +@@ -192,7 +191,7 @@ static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts, + + if (unlikely(rcv_nxt != tp->rcv_nxt)) + return; /* Special ACK sent by DCTCP to reflect ECN */ +- tcp_dec_quickack_mode(sk, pkts); ++ tcp_dec_quickack_mode(sk); + inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK); + } + +@@ -1372,7 +1371,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, + sk, skb); + + if (likely(tcb->tcp_flags & TCPHDR_ACK)) +- tcp_event_ack_sent(sk, tcp_skb_pcount(skb), rcv_nxt); ++ tcp_event_ack_sent(sk, rcv_nxt); + + if (skb->len != tcp_header_size) { + tcp_event_data_sent(tp, sk); +-- +2.40.1 + diff --git a/queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch b/queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch new file mode 100644 index 00000000000..e1a2aaff2f5 --- /dev/null +++ b/queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch 
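Review bot: tcp_dec_quickack_mode() now derives `pkts` from `inet_csk_ack_scheduled(sk)`, so its result depends on being called before the scheduled-ACK state is cleared. In tcp_event_ack_sent() it sits directly ahead of `inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK)`, which I believe resets that state (not visible in this hunk). Nothing in either function records the ordering requirement, and a later reorder would silently turn every decrement into 0. I would add a comment at the call site such as `/* must precede inet_csk_clear_xmit_timer(): tcp_dec_quickack_mode() reads the ACK-scheduled flag */`. Both functions continue outside their hunks.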
@@ -0,0 +1,70 @@ +From 19521237f120a5a168bdb01514f35b44ac1af8d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 18:14:14 +0000 +Subject: tipc: fix a potential deadlock on &tx->lock + +From: Chengfeng Ye + +[ Upstream commit 08e50cf071847323414df0835109b6f3560d44f5 ] + +It seems that tipc_crypto_key_revoke() could be be invoked by +wokequeue tipc_crypto_work_rx() under process context and +timer/rx callback under softirq context, thus the lock acquisition +on &tx->lock seems better use spin_lock_bh() to prevent possible +deadlock. + +This flaw was found by an experimental static analysis tool I am +developing for irq-related deadlock. + +tipc_crypto_work_rx() +--> tipc_crypto_key_distr() +--> tipc_bcast_xmit() +--> tipc_bcbase_xmit() +--> tipc_bearer_bc_xmit() +--> tipc_crypto_xmit() +--> tipc_ehdr_build() +--> tipc_crypto_key_revoke() +--> spin_lock(&tx->lock) + + --> tipc_disc_timeout() + --> tipc_bearer_xmit_skb() + --> tipc_crypto_xmit() + --> tipc_ehdr_build() + --> tipc_crypto_key_revoke() + --> spin_lock(&tx->lock) + +Signed-off-by: Chengfeng Ye +Reviewed-by: Jacob Keller +Acked-by: Jon Maloy +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Link: https://lore.kernel.org/r/20230927181414.59928-1-dg573847474@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 302fd749c4249..43c3f1c971b8f 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1441,14 +1441,14 @@ static int tipc_crypto_key_revoke(struct net *net, u8 tx_key) + struct tipc_crypto *tx = tipc_net(net)->crypto_tx; + struct tipc_key key; + +- spin_lock(&tx->lock); ++ spin_lock_bh(&tx->lock); + key = tx->key; + WARN_ON(!key.active || tx_key != key.active); + + /* Free the active key */ + tipc_crypto_key_set_state(tx, key.passive, 0, key.pending); + tipc_crypto_key_detach(tx->aead[key.active], 
&tx->lock); +- spin_unlock(&tx->lock); ++ spin_unlock_bh(&tx->lock); + + pr_warn("%s: key is revoked\n", tx->name); + return -EKEYREVOKED; +-- +2.40.1 + diff --git a/queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch b/queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch new file mode 100644 index 00000000000..cc953b635e6 --- /dev/null +++ b/queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch @@ -0,0 +1,45 @@ +From 2ee91cb640cc1b4e27e13646960f773a668368b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Apr 2023 19:10:41 +0800 +Subject: ubi: Refuse attaching if mtd's erasesize is 0 + +From: Zhihao Cheng + +[ Upstream commit 017c73a34a661a861712f7cc1393a123e5b2208c ] + +There exists mtd devices with zero erasesize, which will trigger a +divide-by-zero exception while attaching ubi device. +Fix it by refusing attaching if mtd's erasesize is 0. + +Fixes: 801c135ce73d ("UBI: Unsorted Block Images") +Reported-by: Yu Hao +Link: https://lore.kernel.org/lkml/977347543.226888.1682011999468.JavaMail.zimbra@nod.at/T/ +Signed-off-by: Zhihao Cheng +Reviewed-by: Miquel Raynal +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/build.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 8b91a55ec0d28..8ee51e49fced5 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -894,6 +894,13 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, + return -EINVAL; + } + ++ /* UBI cannot work on flashes with zero erasesize. */ ++ if (!mtd->erasesize) { ++ pr_err("ubi: refuse attaching mtd%d - zero erasesize flash is not supported\n", ++ mtd->index); ++ return -EINVAL; ++ } ++ + if (ubi_num == UBI_DEV_NUM_AUTO) { + /* Search for an empty slot in the @ubi_devices array */ + for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++) +-- +2.40.1 + 
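Review bot: The switch to `spin_lock_bh(&tx->lock)` in tipc_crypto_key_revoke() carries no comment explaining why bottom halves must be disabled here, so the reasoning lives only in the commit message. Per that message the function is reached both from the tipc_crypto_work_rx() work item and from timer/rx softirq paths. A one-line comment above the lock, e.g. `/* reached from process context and from softirq (timer/rx): keep BHs off while holding tx->lock */`, would keep a later cleanup from reverting it to plain spin_lock(). Other acquisitions of tx->lock are not visible in this hunk, so whether they already use the _bh variants should be confirmed.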
diff --git a/queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch b/queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch new file mode 100644 index 00000000000..2da3bf20acc --- /dev/null +++ b/queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch @@ -0,0 +1,35 @@ +From 1bb05f20077877f639fafa5480086d51eb52a346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 09:36:57 +0200 +Subject: wifi: cfg80211: add missing kernel-doc for cqm_rssi_work + +From: Johannes Berg + +[ Upstream commit d1383077c225ceb87ac7a3b56b2c505193f77ed7 ] + +As reported by Stephen, I neglected to add the kernel-doc +for the new struct member. Fix that. + +Reported-by: Stephen Rothwell +Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 0debc3c9364e8..641c6edc9b81d 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -5942,6 +5942,7 @@ void wiphy_delayed_work_cancel(struct wiphy *wiphy, + * @event_lock: (private) lock for event list + * @owner_nlportid: (private) owner socket port ID + * @nl_owner_dead: (private) owner socket went away ++ * @cqm_rssi_work: (private) CQM RSSI reporting work + * @cqm_config: (private) nl80211 RSSI monitor state + * @pmsr_list: (private) peer measurement requests + * @pmsr_lock: (private) peer measurements requests/results lock +-- +2.40.1 + diff --git a/queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch b/queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch new file mode 100644 index 00000000000..b77e474f20e --- /dev/null +++ b/queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch 
@@ -0,0 +1,330 @@ +From 67e1c9eec9797ffc64df9c7aadfc554dd7a99fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 15:38:04 +0200 +Subject: wifi: cfg80211: fix cqm_config access race + +From: Johannes Berg + +[ Upstream commit 37c20b2effe987b806c8de6d12978e4ffeff026f ] + +Max Schulze reports crashes with brcmfmac. The reason seems +to be a race between userspace removing the CQM config and +the driver calling cfg80211_cqm_rssi_notify(), where if the +data is freed while cfg80211_cqm_rssi_notify() runs it will +crash since it assumes wdev->cqm_config is set. This can't +be fixed with a simple non-NULL check since there's nothing +we can do for locking easily, so use RCU instead to protect +the pointer, but that requires pulling the updates out into +an asynchronous worker so they can sleep and call back into +the driver. + +Since we need to change the free anyway, also change it to +go back to the old settings if changing the settings fails. + +Reported-and-tested-by: Max Schulze +Closes: https://lore.kernel.org/r/ac96309a-8d8d-4435-36e6-6d152eb31876@online.de +Fixes: 4a4b8169501b ("cfg80211: Accept multiple RSSI thresholds for CQM") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 3 +- + net/wireless/core.c | 14 +++---- + net/wireless/core.h | 7 +++- + net/wireless/nl80211.c | 93 +++++++++++++++++++++++++++--------------- + 4 files changed, 75 insertions(+), 42 deletions(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 3f03f9b375e56..0debc3c9364e8 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -6014,7 +6014,8 @@ struct wireless_dev { + } wext; + #endif + +- struct cfg80211_cqm_config *cqm_config; ++ struct wiphy_work cqm_rssi_work; ++ struct cfg80211_cqm_config __rcu *cqm_config; + + struct list_head pmsr_list; + spinlock_t pmsr_lock; +diff --git a/net/wireless/core.c b/net/wireless/core.c +index 25bc2e50a0615..64e8616171104 100644 +--- a/net/wireless/core.c 
++++ b/net/wireless/core.c +@@ -1181,16 +1181,11 @@ void wiphy_rfkill_set_hw_state_reason(struct wiphy *wiphy, bool blocked, + } + EXPORT_SYMBOL(wiphy_rfkill_set_hw_state_reason); + +-void cfg80211_cqm_config_free(struct wireless_dev *wdev) +-{ +- kfree(wdev->cqm_config); +- wdev->cqm_config = NULL; +-} +- + static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, + bool unregister_netdev) + { + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); ++ struct cfg80211_cqm_config *cqm_config; + unsigned int link_id; + + ASSERT_RTNL(); +@@ -1227,7 +1222,10 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, + kfree_sensitive(wdev->wext.keys); + wdev->wext.keys = NULL; + #endif +- cfg80211_cqm_config_free(wdev); ++ wiphy_work_cancel(wdev->wiphy, &wdev->cqm_rssi_work); ++ /* deleted from the list, so can't be found from nl80211 any more */ ++ cqm_config = rcu_access_pointer(wdev->cqm_config); ++ kfree_rcu(cqm_config, rcu_head); + + /* + * Ensure that all events have been processed and +@@ -1379,6 +1377,8 @@ void cfg80211_init_wdev(struct wireless_dev *wdev) + wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; + #endif + ++ wiphy_work_init(&wdev->cqm_rssi_work, cfg80211_cqm_rssi_notify_work); ++ + if (wdev->wiphy->flags & WIPHY_FLAG_PS_ON_BY_DEFAULT) + wdev->ps = true; + else +diff --git a/net/wireless/core.h b/net/wireless/core.h +index 8a807b609ef73..86f209abc06ab 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -295,12 +295,17 @@ struct cfg80211_beacon_registration { + }; + + struct cfg80211_cqm_config { ++ struct rcu_head rcu_head; + u32 rssi_hyst; + s32 last_rssi_event_value; ++ enum nl80211_cqm_rssi_threshold_event last_rssi_event_type; + int n_rssi_thresholds; + s32 rssi_thresholds[]; + }; + ++void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, ++ struct wiphy_work *work); ++ + void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev); + + /* free object */ +@@ -566,8 +571,6 @@ 
cfg80211_bss_update(struct cfg80211_registered_device *rdev, + #define CFG80211_DEV_WARN_ON(cond) ({bool __r = (cond); __r; }) + #endif + +-void cfg80211_cqm_config_free(struct wireless_dev *wdev); +- + void cfg80211_release_pmsr(struct wireless_dev *wdev, u32 portid); + void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev); + void cfg80211_pmsr_free_wk(struct work_struct *work); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 4dcbc40d07c85..705d1cf048309 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12797,7 +12797,8 @@ static int nl80211_set_cqm_txe(struct genl_info *info, + } + + static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, +- struct net_device *dev) ++ struct net_device *dev, ++ struct cfg80211_cqm_config *cqm_config) + { + struct wireless_dev *wdev = dev->ieee80211_ptr; + s32 last, low, high; +@@ -12806,7 +12807,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + int err; + + /* RSSI reporting disabled? */ +- if (!wdev->cqm_config) ++ if (!cqm_config) + return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0); + + /* +@@ -12815,7 +12816,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + * connection is established and enough beacons received to calculate + * the average. 
+ */ +- if (!wdev->cqm_config->last_rssi_event_value && ++ if (!cqm_config->last_rssi_event_value && + wdev->links[0].client.current_bss && + rdev->ops->get_station) { + struct station_info sinfo = {}; +@@ -12829,30 +12830,30 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + + cfg80211_sinfo_release_content(&sinfo); + if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG)) +- wdev->cqm_config->last_rssi_event_value = ++ cqm_config->last_rssi_event_value = + (s8) sinfo.rx_beacon_signal_avg; + } + +- last = wdev->cqm_config->last_rssi_event_value; +- hyst = wdev->cqm_config->rssi_hyst; +- n = wdev->cqm_config->n_rssi_thresholds; ++ last = cqm_config->last_rssi_event_value; ++ hyst = cqm_config->rssi_hyst; ++ n = cqm_config->n_rssi_thresholds; + + for (i = 0; i < n; i++) { + i = array_index_nospec(i, n); +- if (last < wdev->cqm_config->rssi_thresholds[i]) ++ if (last < cqm_config->rssi_thresholds[i]) + break; + } + + low_index = i - 1; + if (low_index >= 0) { + low_index = array_index_nospec(low_index, n); +- low = wdev->cqm_config->rssi_thresholds[low_index] - hyst; ++ low = cqm_config->rssi_thresholds[low_index] - hyst; + } else { + low = S32_MIN; + } + if (i < n) { + i = array_index_nospec(i, n); +- high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1; ++ high = cqm_config->rssi_thresholds[i] + hyst - 1; + } else { + high = S32_MAX; + } +@@ -12865,6 +12866,7 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, + u32 hysteresis) + { + struct cfg80211_registered_device *rdev = info->user_ptr[0]; ++ struct cfg80211_cqm_config *cqm_config = NULL, *old; + struct net_device *dev = info->user_ptr[1]; + struct wireless_dev *wdev = dev->ieee80211_ptr; + int i, err; +@@ -12882,10 +12884,6 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, + wdev->iftype != NL80211_IFTYPE_P2P_CLIENT) + return -EOPNOTSUPP; + +- wdev_lock(wdev); +- cfg80211_cqm_config_free(wdev); +- wdev_unlock(wdev); +- + if (n_thresholds <= 1 && 
rdev->ops->set_cqm_rssi_config) { + if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */ + return rdev_set_cqm_rssi_config(rdev, dev, 0, 0); +@@ -12902,9 +12900,10 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, + n_thresholds = 0; + + wdev_lock(wdev); +- if (n_thresholds) { +- struct cfg80211_cqm_config *cqm_config; ++ old = rcu_dereference_protected(wdev->cqm_config, ++ lockdep_is_held(&wdev->mtx)); + ++ if (n_thresholds) { + cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds, + n_thresholds), + GFP_KERNEL); +@@ -12919,11 +12918,18 @@ static int nl80211_set_cqm_rssi(struct genl_info *info, + flex_array_size(cqm_config, rssi_thresholds, + n_thresholds)); + +- wdev->cqm_config = cqm_config; ++ rcu_assign_pointer(wdev->cqm_config, cqm_config); ++ } else { ++ RCU_INIT_POINTER(wdev->cqm_config, NULL); + } + +- err = cfg80211_cqm_rssi_update(rdev, dev); +- ++ err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config); ++ if (err) { ++ rcu_assign_pointer(wdev->cqm_config, old); ++ kfree_rcu(cqm_config, rcu_head); ++ } else { ++ kfree_rcu(old, rcu_head); ++ } + unlock: + wdev_unlock(wdev); + +@@ -19074,9 +19080,8 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev, + enum nl80211_cqm_rssi_threshold_event rssi_event, + s32 rssi_level, gfp_t gfp) + { +- struct sk_buff *msg; + struct wireless_dev *wdev = dev->ieee80211_ptr; +- struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); ++ struct cfg80211_cqm_config *cqm_config; + + trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level); + +@@ -19084,18 +19089,41 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev, + rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH)) + return; + +- if (wdev->cqm_config) { +- wdev->cqm_config->last_rssi_event_value = rssi_level; ++ rcu_read_lock(); ++ cqm_config = rcu_dereference(wdev->cqm_config); ++ if (cqm_config) { ++ cqm_config->last_rssi_event_value = rssi_level; ++ cqm_config->last_rssi_event_type = rssi_event; ++ 
wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work); ++ } ++ rcu_read_unlock(); ++} ++EXPORT_SYMBOL(cfg80211_cqm_rssi_notify); ++ ++void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work) ++{ ++ struct wireless_dev *wdev = container_of(work, struct wireless_dev, ++ cqm_rssi_work); ++ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); ++ enum nl80211_cqm_rssi_threshold_event rssi_event; ++ struct cfg80211_cqm_config *cqm_config; ++ struct sk_buff *msg; ++ s32 rssi_level; + +- cfg80211_cqm_rssi_update(rdev, dev); ++ wdev_lock(wdev); ++ cqm_config = rcu_dereference_protected(wdev->cqm_config, ++ lockdep_is_held(&wdev->mtx)); ++ if (!wdev->cqm_config) ++ goto unlock; + +- if (rssi_level == 0) +- rssi_level = wdev->cqm_config->last_rssi_event_value; +- } ++ cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config); + +- msg = cfg80211_prepare_cqm(dev, NULL, gfp); ++ rssi_level = cqm_config->last_rssi_event_value; ++ rssi_event = cqm_config->last_rssi_event_type; ++ ++ msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL); + if (!msg) +- return; ++ goto unlock; + + if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT, + rssi_event)) +@@ -19105,14 +19133,15 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev, + rssi_level)) + goto nla_put_failure; + +- cfg80211_send_cqm(msg, gfp); ++ cfg80211_send_cqm(msg, GFP_KERNEL); + +- return; ++ goto unlock; + + nla_put_failure: + nlmsg_free(msg); ++ unlock: ++ wdev_unlock(wdev); + } +-EXPORT_SYMBOL(cfg80211_cqm_rssi_notify); + + void cfg80211_cqm_txe_notify(struct net_device *dev, + const u8 *peer, u32 num_packets, +-- +2.40.1 + diff --git a/queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch b/queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch new file mode 100644 index 00000000000..a92ee36955a --- /dev/null +++ b/queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch 
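Review bot: In cfg80211_cqm_rssi_notify_work() the NULL test reads the `__rcu` pointer directly, `if (!wdev->cqm_config)`, although the statement above it has just fetched the pointer with rcu_dereference_protected(); it should test the local that the rest of the function dereferences, `if (!cqm_config) goto unlock;`. A second point in the same file: cfg80211_cqm_rssi_notify() now queues the worker only when `cqm_config` is non-NULL and the netlink event is built only in the worker, whereas the removed code sent the event even without a config. The early `rdev->ops->set_cqm_rssi_config` branch in nl80211_set_cqm_rssi() (its tail is outside the hunk) installs no config as far as visible here, so drivers on that path would appear to stop delivering CQM RSSI events. cfg80211_cqm_rssi_notify() also stores `last_rssi_event_value` and `last_rssi_event_type` while holding only rcu_read_lock(), so the worker can pick up a value and a type that come from two different notifications.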
@@ -0,0 +1,111 @@ +From c731bd687aec7d83e3e31e528192a1a3b1d470bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Aug 2023 03:00:55 -0400 +Subject: wifi: cfg80211/mac80211: hold link BSSes when assoc fails for MLO + connection + +From: Wen Gong + +[ Upstream commit 234249d88b091d006b82f8d570343aae5f383736 ] + +When connect to MLO AP with more than one link, and the assoc response of +AP is not success, then cfg80211_unhold_bss() is not called for all the +links' cfg80211_bss except the primary link which means the link used by +the latest successful association request. Thus the hold value of the +cfg80211_bss is not reset to 0 after the assoc fail, and then the +__cfg80211_unlink_bss() will not be called for the cfg80211_bss by +__cfg80211_bss_expire(). + +Then the AP always looks exist even the AP is shutdown or reconfigured +to another type, then it will lead error while connecting it again. + +The detail info are as below. + +When connect with muti-links AP, cfg80211_hold_bss() is called by +cfg80211_mlme_assoc() for each cfg80211_bss of all the links. When +assoc response from AP is not success(such as status_code==1), the +ieee80211_link_data of non-primary link(sdata->link[link_id]) is NULL +because ieee80211_assoc_success()->ieee80211_vif_update_links() is +not called for the links. + +Then struct cfg80211_rx_assoc_resp resp in cfg80211_rx_assoc_resp() and +struct cfg80211_connect_resp_params cr in __cfg80211_connect_result() +will only have the data of the primary link, and finally function +cfg80211_connect_result_release_bsses() only call cfg80211_unhold_bss() +for the primary link. Then cfg80211_bss of the other links will never free +because its hold is always > 0 now. + +Hence assign value for the bss and status from assoc_data since it is +valid for this case. 
Also assign value of addr from assoc_data when the +link is NULL because the addrs of assoc_data and link both represent the +local link addr and they are same value for success connection. + +Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") +Signed-off-by: Wen Gong +Link: https://lore.kernel.org/r/20230825070055.28164-1-quic_wgong@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 2 +- + net/mac80211/mlme.c | 11 ++++++----- + net/wireless/mlme.c | 3 ++- + 3 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index d6fa7c8767ad3..3f03f9b375e56 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -7232,7 +7232,7 @@ struct cfg80211_rx_assoc_resp { + int uapsd_queues; + const u8 *ap_mld_addr; + struct { +- const u8 *addr; ++ u8 addr[ETH_ALEN] __aligned(2); + struct cfg80211_bss *bss; + u16 status; + } links[IEEE80211_MLD_MAX_NUM_LINKS]; +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index f93eb38ae0b8d..46d46cfab6c84 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5429,17 +5429,18 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata, + for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) { + struct ieee80211_link_data *link; + +- link = sdata_dereference(sdata->link[link_id], sdata); +- if (!link) +- continue; +- + if (!assoc_data->link[link_id].bss) + continue; + + resp.links[link_id].bss = assoc_data->link[link_id].bss; +- resp.links[link_id].addr = link->conf->addr; ++ ether_addr_copy(resp.links[link_id].addr, ++ assoc_data->link[link_id].addr); + resp.links[link_id].status = assoc_data->link[link_id].status; + ++ link = sdata_dereference(sdata->link[link_id], sdata); ++ if (!link) ++ continue; ++ + /* get uapsd queues configuration - same for all links */ + resp.uapsd_queues = 0; + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) 
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c +index 775cac4d61006..3e2c398abddcc 100644 +--- a/net/wireless/mlme.c ++++ b/net/wireless/mlme.c +@@ -52,7 +52,8 @@ void cfg80211_rx_assoc_resp(struct net_device *dev, + cr.links[link_id].bssid = data->links[link_id].bss->bssid; + cr.links[link_id].addr = data->links[link_id].addr; + /* need to have local link addresses for MLO connections */ +- WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); ++ WARN_ON(cr.ap_mld_addr && ++ !is_valid_ether_addr(cr.links[link_id].addr)); + + BUG_ON(!cr.links[link_id].bss->channel); + +-- +2.40.1 + diff --git a/queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch b/queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch new file mode 100644 index 00000000000..be73fbe1cf0 --- /dev/null +++ b/queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch 
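Review bot: With `links[].addr` turned from `const u8 *` into an embedded `u8 addr[ETH_ALEN]`, the unchanged assignment `cr.links[link_id].addr = data->links[link_id].addr;` in cfg80211_rx_assoc_resp() can no longer yield NULL, also for a link whose address was never filled in. The WARN_ON was adapted to `is_valid_ether_addr()`, but any consumer of `cr.links[].addr` outside this hunk that still tests the pointer for NULL would now see an all-zero address as present; those call sites should be checked. If the old contract is to be kept, the assignment can be written as `cr.links[link_id].addr = is_valid_ether_addr(data->links[link_id].addr) ? data->links[link_id].addr : NULL;`. The kernel-doc of struct cfg80211_rx_assoc_resp is not in the hunk and probably needs a line saying that the address is now a copy rather than a borrowed pointer.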
@@ -0,0 +1,50 @@ +From e5532839702e162f02320431a2719c8adc2b7507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 11:03:34 +0200 +Subject: wifi: iwlwifi: dbg_ini: fix structure packing + +From: Arnd Bergmann + +[ Upstream commit 424c82e8ad56756bb98b08268ffcf68d12d183eb ] + +The iwl_fw_ini_error_dump_range structure has conflicting alignment +requirements for the inner union and the outer struct: + +In file included from drivers/net/wireless/intel/iwlwifi/fw/dbg.c:9: +drivers/net/wireless/intel/iwlwifi/fw/error-dump.h:312:2: error: field within 'struct iwl_fw_ini_error_dump_range' is less aligned than 'union iwl_fw_ini_error_dump_range::(anonymous at drivers/net/wireless/intel/iwlwifi/fw/error-dump.h:312:2)' and is usually due to 'struct iwl_fw_ini_error_dump_range' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access] + union { + +As the original intention was apparently to make the entire structure +unaligned, mark the innermost members the same way so the union +becomes packed as well. 
+ +Fixes: 973193554cae6 ("iwlwifi: dbg_ini: dump headers cleanup") +Signed-off-by: Arnd Bergmann +Acked-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230616090343.2454061-1-arnd@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/error-dump.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h b/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h +index f5e08988dc7bf..06d6f7f664308 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h +@@ -310,9 +310,9 @@ struct iwl_fw_ini_fifo_hdr { + struct iwl_fw_ini_error_dump_range { + __le32 range_data_size; + union { +- __le32 internal_base_addr; +- __le64 dram_base_addr; +- __le32 page_num; ++ __le32 internal_base_addr __packed; ++ __le64 dram_base_addr __packed; ++ __le32 page_num __packed; + struct iwl_fw_ini_fifo_hdr fifo_hdr; + struct iwl_cmd_header fw_pkt_hdr; + }; +-- +2.40.1 + diff --git a/queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch b/queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch new file mode 100644 index 00000000000..9a58efc563d --- /dev/null +++ b/queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch 
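Review bot: Only the three scalar members of the anonymous union in struct iwl_fw_ini_error_dump_range receive `__packed`, while `fifo_hdr` and `fw_pkt_hdr` are left as they are, and the union takes the alignment of its most strictly aligned member. The definitions of struct iwl_fw_ini_fifo_hdr and struct iwl_cmd_header are outside this hunk, so it should be confirmed that both are themselves packed; otherwise the union keeps a larger alignment and the warning, and the unaligned access behind it, remains. A short comment would also help the next reader: `/* scalar members are __packed so the union has alignment 1 inside this packed struct */`.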
@@ -0,0 +1,63 @@ +From 55e40e92b1955de22c8f17ff560ae74db85c5edf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 22:24:59 +0200 +Subject: wifi: iwlwifi: mvm: Fix a memory corruption issue + +From: Christophe JAILLET + +[ Upstream commit 8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d ] + +A few lines above, space is kzalloc()'ed for: + sizeof(struct iwl_nvm_data) + + sizeof(struct ieee80211_channel) + + sizeof(struct ieee80211_rate) + +'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. + +At the end of this structure, there is the 'channels' flex array. +Each element is of type 'struct ieee80211_channel'. +So only 1 element is allocated in this array. + +When doing: + mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; +We point at the first element of the 'channels' flex array. +So this is fine. + +However, when doing: + mvm->nvm_data->bands[0].bitrates = + (void *)((u8 *)mvm->nvm_data->channels + 1); +because of the "(u8 *)" cast, we add only 1 to the address of the beginning +of the flex array. + +It is likely that we want point at the 'struct ieee80211_rate' allocated +just after. + +Remove the spurious casting so that the pointer arithmetic works as +expected. 
+ +Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver") +Signed-off-by: Christophe JAILLET +Acked-by: Gregory Greenman +Link: https://lore.kernel.org/r/23f0ec986ef1529055f4f93dcb3940a6cf8d9a94.1690143750.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +index 1f5db65a088d3..1d5ee4330f29f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -802,7 +802,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm) + mvm->nvm_data->bands[0].n_channels = 1; + mvm->nvm_data->bands[0].n_bitrates = 1; + mvm->nvm_data->bands[0].bitrates = +- (void *)((u8 *)mvm->nvm_data->channels + 1); ++ (void *)(mvm->nvm_data->channels + 1); + mvm->nvm_data->bands[0].bitrates->hw_value = 10; + } + +-- +2.40.1 + diff --git a/queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch b/queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch new file mode 100644 index 00000000000..fc489c51f3a --- /dev/null +++ b/queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch 
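Review bot: The corrected `bitrates` assignment in iwl_run_init_mvm_ucode() still depends on an allocation size that is summed by hand outside this hunk, and nothing at the assignment says so. The commit message states that the buffer holds exactly one ieee80211_channel followed by one ieee80211_rate; I would record that next to the pointer arithmetic, for example `/* the single ieee80211_rate sits directly after the one ieee80211_channel allocated above */`, so that a change to `n_channels` or to the allocation does not silently move `bitrates` out of bounds again. Casting to the real type, `(struct ieee80211_rate *)(mvm->nvm_data->channels + 1)`, instead of `(void *)` would also make the intent readable. The function starts before the hunk and continues after it.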
@@ -0,0 +1,43 @@
+From 9b27bf133ea934ba1c396ecf2bc4984a2c0357ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Sep 2023 16:55:50 +0300
+Subject: wifi: iwlwifi: mvm: Fix incorrect usage of scan API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilan Peer
+
+[ Upstream commit 22061bfc57fe08c77141dc876b4af75603c4d61d ]
+
+The support for using link ID in the scan request API was only
+added in version 16. However, the code wrongly enabled this
+API usage also for older versions. Fix it.
+
+Reported-by: Antoine Beaupré
+Fixes: e98b23d0d7b8 ("wifi: iwlwifi: mvm: Add support for SCAN API version 16")
+Signed-off-by: Ilan Peer
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230926165546.086e635fbbe6.Ia660f35ca0b1079f2c2ea92fd8d14d8101a89d03@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index c1d9ce7534688..3cbe2c0b8d6bc 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -2342,7 +2342,7 @@ iwl_mvm_scan_umac_fill_general_p_v12(struct iwl_mvm *mvm,
+ if (gen_flags & IWL_UMAC_SCAN_GEN_FLAGS_V2_FRAGMENTED_LMAC2)
+ gp->num_of_fragments[SCAN_HB_LMAC_IDX] = IWL_SCAN_NUM_OF_FRAGS;
+
+- if (version < 12) {
++ if (version < 16) {
+ gp->scan_start_mac_or_link_id = scan_vif->id;
+ } else {
+ struct iwl_mvm_vif_link_info *link_info;
+--
+2.40.1
+
diff --git a/queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch b/queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch
new file mode 100644
index 00000000000..b0cd278beb1
--- /dev/null
+++ b/queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch
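Review bot: The cut-off in `if (version < 16)` is a bare number inside a function whose name ends in `_v12` (iwl_mvm_scan_umac_fill_general_p_v12), which invites exactly the mix-up this commit corrects. A one-line comment at the test would pin the meaning of the field to the API version: `/* scan_start_mac_or_link_id carries a link ID only from scan API version 16 on; older firmware expects the MAC id */`. The else branch that fills in the link ID continues outside the hunk, so it cannot be checked here whether it tolerates a missing link_info.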
@@ -0,0 +1,51 @@
+From 4757359f5cdfa9b8b82241ca3df972686b9ff6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Sep 2023 17:30:29 +0200
+Subject: wifi: mac80211: Create resources for disabled links
+
+From: Benjamin Berg
+
+[ Upstream commit aaba3cd33fc9593a858beeee419c0e6671ee9551 ]
+
+When associating to an MLD AP, links may be disabled. Create all
+resources associated with a disabled link so that we can later enable it
+without having to create these resources on the fly.
+
+Fixes: 6d543b34dbcf ("wifi: mac80211: Support disabled links during association")
+Signed-off-by: Benjamin Berg
+Link: https://lore.kernel.org/r/20230925173028.f9afdb26f6c7.I4e6e199aaefc1bf017362d64f3869645fa6830b5@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mlme.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 46d46cfab6c84..24b2833e0e475 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5107,9 +5107,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+ continue;
+
+ valid_links |= BIT(link_id);
+- if (assoc_data->link[link_id].disabled) {
++ if (assoc_data->link[link_id].disabled)
+ dormant_links |= BIT(link_id);
+- } else if (link_id != assoc_data->assoc_link_id) {
++
++ if (link_id != assoc_data->assoc_link_id) {
+ err = ieee80211_sta_allocate_link(sta, link_id);
+ if (err)
+ goto out_err;
+@@ -5124,7 +5125,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_link_data *link;
+ struct link_sta_info *link_sta;
+
+- if (!cbss || assoc_data->link[link_id].disabled)
++ if (!cbss)
+ continue;
+
+ link = sdata_dereference(sdata->link[link_id], sdata);
+--
+2.40.1
+
diff --git a/queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch b/queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch
new file mode 100644
index 00000000000..2fd5e00f3e8
--- /dev/null
+++ b/queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch
@@ -0,0 +1,80 @@ +From 44df07e1d70d75d8a883cc63c99d0255123fbd21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Sep 2023 07:01:34 +0200 +Subject: wifi: mac80211: fix mesh id corruption on 32 bit systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Fietkau + +[ Upstream commit 6e48ebffc2db5419b3a51cfc509bde442252b356 ] + +Since the changed field size was increased to u64, mesh_bss_info_changed +pulls invalid bits from the first 3 bytes of the mesh id, clears them, and +passes them on to ieee80211_link_info_change_notify, because +ifmsh->mbss_changed was not updated to match its size. +Fix this by turning into ifmsh->mbss_changed into an unsigned long array with +64 bit size. + +Fixes: 15ddba5f4311 ("wifi: mac80211: consistently use u64 for BSS changes") +Reported-by: Thomas Hühn +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230913050134.53536-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 +- + net/mac80211/mesh.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 91633a0b723e0..f8cd94ba55ccc 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -676,7 +676,7 @@ struct ieee80211_if_mesh { + struct timer_list mesh_path_root_timer; + + unsigned long wrkq_flags; +- unsigned long mbss_changed; ++ unsigned long mbss_changed[64 / BITS_PER_LONG]; + + bool userspace_handles_dfs; + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index af8c5fc2db149..e31c312c124a1 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1175,7 +1175,7 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata, + + /* if we race with running work, worst case this work becomes a noop */ + for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE) +- set_bit(bit, &ifmsh->mbss_changed); ++ 
set_bit(bit, ifmsh->mbss_changed); + set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags); + wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work); + } +@@ -1257,7 +1257,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) + + /* clear any mesh work (for next join) we may have accrued */ + ifmsh->wrkq_flags = 0; +- ifmsh->mbss_changed = 0; ++ memset(ifmsh->mbss_changed, 0, sizeof(ifmsh->mbss_changed)); + + local->fif_other_bss--; + atomic_dec(&local->iff_allmultis); +@@ -1724,9 +1724,9 @@ static void mesh_bss_info_changed(struct ieee80211_sub_if_data *sdata) + u32 bit; + u64 changed = 0; + +- for_each_set_bit(bit, &ifmsh->mbss_changed, ++ for_each_set_bit(bit, ifmsh->mbss_changed, + sizeof(changed) * BITS_PER_BYTE) { +- clear_bit(bit, &ifmsh->mbss_changed); ++ clear_bit(bit, ifmsh->mbss_changed); + changed |= BIT(bit); + } + +-- +2.40.1 + diff --git a/queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch new file mode 100644 index 00000000000..d75d718923f --- /dev/null +++ b/queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch 
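Review bot: In mesh_bss_info_changed() the unchanged line `changed |= BIT(bit);` still builds the mask with an unsigned long macro although `bit` now walks all 64 bits of `mbss_changed`; on a 32-bit build a bit number of 32 or more shifts past the width of the type, so this should be `changed |= BIT_ULL(bit);`. The same width problem may remain in ieee80211_mbss_info_change_notify(), which iterates `&bits` over `sizeof(changed) * BITS_PER_BYTE` bits. The declaration of `bits` is outside the hunk, but if it is a single unsigned long the loop reads past it on 32-bit and the upper half of `changed` is dropped; `unsigned long bits[] = { BITMAP_FROM_U64(changed) };` with `for_each_set_bit(bit, bits, ...)` would cover both. The array size `64 / BITS_PER_LONG` in ieee80211_i.h could be declared with `DECLARE_BITMAP(mbss_changed, 64);` so the bit count is stated once.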
@@ -0,0 +1,58 @@
+From 3d26f447a9c83157eda209ebed59efbbe46615f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Sep 2023 08:34:15 +0200
+Subject: wifi: mac80211: fix potential key use-after-free
+
+From: Johannes Berg
+
+[ Upstream commit 31db78a4923ef5e2008f2eed321811ca79e7f71b ]
+
+When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
+but returns 0 due to KRACK protection (identical key reinstall),
+ieee80211_gtk_rekey_add() will still return a pointer into the
+key, in a potential use-after-free. This normally doesn't happen
+since it's only called by iwlwifi in case of WoWLAN rekey offload
+which has its own KRACK protection, but still better to fix, do
+that by returning an error code and converting that to success on
+the cfg80211 boundary only, leaving the error for bad callers of
+ieee80211_gtk_rekey_add().
+
+Reported-by: Dan Carpenter
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 3 +++
+ net/mac80211/key.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 45e7a5d9c7d94..e883c41a2163b 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -566,6 +566,9 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+ }
+
+ err = ieee80211_key_link(key, link, sta);
++ /* KRACK protection, shouldn't happen but just silently accept key */
++ if (err == -EALREADY)
++ err = 0;
+
+ out_unlock:
+ mutex_unlock(&local->sta_mtx);
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 21cf5a2089101..f719abe33a328 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -905,7 +905,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ */
+ if (ieee80211_key_identical(sdata, old_key, key)) {
+ ieee80211_key_free_unused(key);
+- ret = 0;
++ ret = -EALREADY;
+ goto out;
+ }
+
+--
+2.40.1
+
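Review bot: ieee80211_key_link() now reports the identical-key case as -EALREADY directly after `ieee80211_key_free_unused(key)`, but nothing at that site tells a caller that the key it passed in has already been released. Since the whole point of the change is to stop callers from touching that pointer, I would state the contract where the value is set, `/* key was freed above; -EALREADY tells the caller it must not be used */`, and repeat it in the function's header comment, which is outside this hunk. Only ieee80211_add_key() is adapted here; every other caller of ieee80211_key_link() needs checking that it neither uses `key` after this return nor treats -EALREADY as a failure that triggers its own cleanup of the same key. The comment added in ieee80211_add_key() could name the condition rather than say "shouldn't happen", for example `/* identical key reinstall (KRACK protection): report success to cfg80211 */`.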
diff --git a/queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch b/queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch
new file mode 100644
index 00000000000..5b09150bbd8
--- /dev/null
+++ b/queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch
@@ -0,0 +1,359 @@ +From 1adf727722140647de6d1ad1b86061e00c7ea946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 15:16:11 +0200 +Subject: wifi: mt76: fix lock dependency problem for wed_lock + +From: Lorenzo Bianconi + +[ Upstream commit 195273147e520844c1aae9fbf85cb6eb0bc0fdd7 ] + +Fix the following kernel depency lock holding wed_lock with BH disabled. + +[ 40.579696] mt798x-wmac 18000000.wifi: attaching wed device 0 version 2 +[ 40.604648] platform 15010000.wed: MTK WED WO Firmware Version: DEV_000000, Build Time: 20221208202138 +[ 40.613972] platform 15010000.wed: MTK WED WO Chip ID 00 Region 3 +[ 40.943617] +[ 40.945118] ======================================================== +[ 40.951457] WARNING: possible irq lock inversion dependency detected +[ 40.957797] 5.15.127 #0 Not tainted +[ 40.961276] -------------------------------------------------------- +[ 40.967614] insmod/2329 just changed the state of lock: +[ 40.972827] ffffff8004003b08 (&dev->wed_lock){+.+.}-{2:2}, at: mt76_get_rxwi+0x1c/0xac [mt76] +[ 40.981387] but this lock was taken by another, SOFTIRQ-safe lock in the past: +[ 40.988592] (&q->lock){+.-.}-{2:2} +[ 40.988602] +[ 40.988602] +[ 40.988602] and interrupts could create inverse lock ordering between them. 
+[ 40.988602] +[ 41.003445] +[ 41.003445] other info that might help us debug this: +[ 41.009957] Possible interrupt unsafe locking scenario: +[ 41.009957] +[ 41.016729] CPU0 CPU1 +[ 41.021245] ---- ---- +[ 41.025761] lock(&dev->wed_lock); +[ 41.029241] local_irq_disable(); +[ 41.035145] lock(&q->lock); +[ 41.040620] lock(&dev->wed_lock); +[ 41.046616] +[ 41.049223] lock(&q->lock); +[ 41.052356] +[ 41.052356] *** DEADLOCK *** +[ 41.052356] +[ 41.058260] 1 lock held by insmod/2329: +[ 41.062085] #0: ffffff80003b9988 (&dev->mutex){....}-{3:3}, at: __driver_attach+0x88/0x190 +[ 41.070442] +[ 41.070442] the shortest dependencies between 2nd lock and 1st lock: +[ 41.078257] -> (&q->lock){+.-.}-{2:2} { +[ 41.082177] HARDIRQ-ON-W at: +[ 41.085396] lock_acquire+0xfc/0x2c0 +[ 41.090787] _raw_spin_lock_bh+0x84/0xa0 +[ 41.096525] mt76_dma_cleanup+0x24c/0x650 [mt76] +[ 41.102977] mt76_dma_cleanup+0x614/0x650 [mt76] +[ 41.109428] mt7915_eeprom_get_power_delta+0x1168/0x2464 [mt7915e] +[ 41.117435] mt7915_eeprom_init+0x40/0x340 [mt7915e] +[ 41.124222] cleanup_module+0x94/0xb28 [mt7915e] +[ 41.130662] platform_probe+0x64/0xbc +[ 41.136139] really_probe.part.0+0x98/0x2f4 +[ 41.142134] __driver_probe_device+0x94/0x16c +[ 41.148303] driver_probe_device+0x40/0x120 +[ 41.154299] __driver_attach+0x94/0x190 +[ 41.159947] bus_for_each_dev+0x5c/0x94 +[ 41.165594] driver_attach+0x20/0x30 +[ 41.170983] bus_add_driver+0x104/0x1f4 +[ 41.176631] driver_register+0x74/0x120 +[ 41.182280] __platform_driver_register+0x24/0x30 +[ 41.188797] 0xffffffc000cb1074 +[ 41.193754] do_one_initcall+0x70/0x2cc +[ 41.199403] do_init_module+0x44/0x240 +[ 41.204968] load_module+0x1f5c/0x2874 +[ 41.210532] __do_sys_init_module+0x1d8/0x2ac +[ 41.216702] __arm64_sys_init_module+0x18/0x20 +[ 41.222958] invoke_syscall.constprop.0+0x4c/0xe0 +[ 41.229474] do_el0_svc+0x50/0xf0 +[ 41.234602] el0_svc+0x4c/0xcc +[ 41.239471] el0t_64_sync_handler+0xe0/0x110 +[ 41.245556] el0t_64_sync+0x15c/0x160 +[ 41.251029] IN-SOFTIRQ-W 
at: +[ 41.254249] lock_acquire+0xfc/0x2c0 +[ 41.259638] _raw_spin_lock_bh+0x84/0xa0 +[ 41.265372] mt76_queue_tx_complete+0x34/0x70 [mt76] +[ 41.272170] mt76_free_pending_rxwi+0x36c/0x5d0 [mt76] +[ 41.279140] mt76_free_pending_rxwi+0x5c0/0x5d0 [mt76] +[ 41.286111] mt7915_eeprom_get_power_delta+0x620/0x2464 [mt7915e] +[ 41.294026] __napi_poll.constprop.0+0x5c/0x230 +[ 41.300372] net_rx_action+0xe4/0x294 +[ 41.305847] _stext+0x154/0x4cc +[ 41.310801] do_softirq+0xa4/0xbc +[ 41.315930] __local_bh_enable_ip+0x168/0x174 +[ 41.322097] napi_threaded_poll+0xbc/0x140 +[ 41.328007] kthread+0x13c/0x150 +[ 41.333049] ret_from_fork+0x10/0x20 +[ 41.338437] INITIAL USE at: +[ 41.341568] lock_acquire+0xfc/0x2c0 +[ 41.346869] _raw_spin_lock_bh+0x84/0xa0 +[ 41.352519] mt76_dma_cleanup+0x24c/0x650 [mt76] +[ 41.358882] mt76_dma_cleanup+0x614/0x650 [mt76] +[ 41.365245] mt7915_eeprom_get_power_delta+0x1168/0x2464 [mt7915e] +[ 41.373160] mt7915_eeprom_init+0x40/0x340 [mt7915e] +[ 41.379860] cleanup_module+0x94/0xb28 [mt7915e] +[ 41.386213] platform_probe+0x64/0xbc +[ 41.391602] really_probe.part.0+0x98/0x2f4 +[ 41.397511] __driver_probe_device+0x94/0x16c +[ 41.403594] driver_probe_device+0x40/0x120 +[ 41.409502] __driver_attach+0x94/0x190 +[ 41.415063] bus_for_each_dev+0x5c/0x94 +[ 41.420625] driver_attach+0x20/0x30 +[ 41.425926] bus_add_driver+0x104/0x1f4 +[ 41.431487] driver_register+0x74/0x120 +[ 41.437049] __platform_driver_register+0x24/0x30 +[ 41.443479] 0xffffffc000cb1074 +[ 41.448346] do_one_initcall+0x70/0x2cc +[ 41.453907] do_init_module+0x44/0x240 +[ 41.459383] load_module+0x1f5c/0x2874 +[ 41.464860] __do_sys_init_module+0x1d8/0x2ac +[ 41.470944] __arm64_sys_init_module+0x18/0x20 +[ 41.477113] invoke_syscall.constprop.0+0x4c/0xe0 +[ 41.483542] do_el0_svc+0x50/0xf0 +[ 41.488582] el0_svc+0x4c/0xcc +[ 41.493364] el0t_64_sync_handler+0xe0/0x110 +[ 41.499361] el0t_64_sync+0x15c/0x160 +[ 41.504748] } +[ 41.506489] ... 
key at: [] __this_module+0x3e0/0xffffffffffffa840 [mt76] +[ 41.515371] ... acquired at: +[ 41.518413] _raw_spin_lock+0x60/0x74 +[ 41.522240] mt76_get_rxwi+0x1c/0xac [mt76] +[ 41.526608] mt76_dma_cleanup+0x3e0/0x650 [mt76] +[ 41.531410] mt76_dma_cleanup+0x614/0x650 [mt76] +[ 41.536211] mt7915_dma_init+0x408/0x7b0 [mt7915e] +[ 41.541177] mt7915_register_device+0x310/0x620 [mt7915e] +[ 41.546749] mt7915_mmio_probe+0xcec/0x1d44 [mt7915e] +[ 41.551973] platform_probe+0x64/0xbc +[ 41.555802] really_probe.part.0+0x98/0x2f4 +[ 41.560149] __driver_probe_device+0x94/0x16c +[ 41.564670] driver_probe_device+0x40/0x120 +[ 41.569017] __driver_attach+0x94/0x190 +[ 41.573019] bus_for_each_dev+0x5c/0x94 +[ 41.577018] driver_attach+0x20/0x30 +[ 41.580758] bus_add_driver+0x104/0x1f4 +[ 41.584758] driver_register+0x74/0x120 +[ 41.588759] __platform_driver_register+0x24/0x30 +[ 41.593628] init_module+0x74/0x1000 [mt7915e] +[ 41.598248] do_one_initcall+0x70/0x2cc +[ 41.602248] do_init_module+0x44/0x240 +[ 41.606162] load_module+0x1f5c/0x2874 +[ 41.610078] __do_sys_init_module+0x1d8/0x2ac +[ 41.614600] __arm64_sys_init_module+0x18/0x20 +[ 41.619209] invoke_syscall.constprop.0+0x4c/0xe0 +[ 41.624076] do_el0_svc+0x50/0xf0 +[ 41.627555] el0_svc+0x4c/0xcc +[ 41.630776] el0t_64_sync_handler+0xe0/0x110 +[ 41.635211] el0t_64_sync+0x15c/0x160 +[ 41.639037] +[ 41.640517] -> (&dev->wed_lock){+.+.}-{2:2} { +[ 41.644872] HARDIRQ-ON-W at: +[ 41.648003] lock_acquire+0xfc/0x2c0 +[ 41.653219] _raw_spin_lock+0x60/0x74 +[ 41.658520] mt76_free_pending_rxwi+0xc0/0x5d0 [mt76] +[ 41.665232] mt76_dma_cleanup+0x1dc/0x650 [mt76] +[ 41.671508] mt7915_eeprom_get_power_delta+0x1830/0x2464 [mt7915e] +[ 41.679336] mt7915_unregister_device+0x5b4/0x910 [mt7915e] +[ 41.686555] mt7915_eeprom_get_target_power+0xb8/0x230 [mt7915e] +[ 41.694209] mt7986_wmac_enable+0xc30/0xcd0 [mt7915e] +[ 41.700909] platform_remove+0x4c/0x64 +[ 41.706298] __device_release_driver+0x194/0x240 +[ 41.712554] driver_detach+0xc0/0x100 +[ 
41.717857] bus_remove_driver+0x54/0xac +[ 41.723418] driver_unregister+0x2c/0x54 +[ 41.728980] platform_driver_unregister+0x10/0x20 +[ 41.735323] mt7915_ops+0x244/0xffffffffffffed58 [mt7915e] +[ 41.742457] __arm64_sys_delete_module+0x170/0x23c +[ 41.748887] invoke_syscall.constprop.0+0x4c/0xe0 +[ 41.755229] do_el0_svc+0x50/0xf0 +[ 41.760183] el0_svc+0x4c/0xcc +[ 41.764878] el0t_64_sync_handler+0xe0/0x110 +[ 41.770788] el0t_64_sync+0x15c/0x160 +[ 41.776088] SOFTIRQ-ON-W at: +[ 41.779220] lock_acquire+0xfc/0x2c0 +[ 41.784435] _raw_spin_lock+0x60/0x74 +[ 41.789737] mt76_get_rxwi+0x1c/0xac [mt76] +[ 41.795580] mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e] +[ 41.802540] mtk_wed_start+0x970/0xaa0 +[ 41.807929] mt7915_dma_start+0x26c/0x630 [mt7915e] +[ 41.814455] mt7915_dma_start+0x5a4/0x630 [mt7915e] +[ 41.820981] mt7915_dma_init+0x45c/0x7b0 [mt7915e] +[ 41.827420] mt7915_register_device+0x310/0x620 [mt7915e] +[ 41.834467] mt7915_mmio_probe+0xcec/0x1d44 [mt7915e] +[ 41.841167] platform_probe+0x64/0xbc +[ 41.846469] really_probe.part.0+0x98/0x2f4 +[ 41.852291] __driver_probe_device+0x94/0x16c +[ 41.858286] driver_probe_device+0x40/0x120 +[ 41.864107] __driver_attach+0x94/0x190 +[ 41.869582] bus_for_each_dev+0x5c/0x94 +[ 41.875056] driver_attach+0x20/0x30 +[ 41.880270] bus_add_driver+0x104/0x1f4 +[ 41.885745] driver_register+0x74/0x120 +[ 41.891221] __platform_driver_register+0x24/0x30 +[ 41.897564] init_module+0x74/0x1000 [mt7915e] +[ 41.903657] do_one_initcall+0x70/0x2cc +[ 41.909130] do_init_module+0x44/0x240 +[ 41.914520] load_module+0x1f5c/0x2874 +[ 41.919909] __do_sys_init_module+0x1d8/0x2ac +[ 41.925905] __arm64_sys_init_module+0x18/0x20 +[ 41.931989] invoke_syscall.constprop.0+0x4c/0xe0 +[ 41.938331] do_el0_svc+0x50/0xf0 +[ 41.943285] el0_svc+0x4c/0xcc +[ 41.947981] el0t_64_sync_handler+0xe0/0x110 +[ 41.953892] el0t_64_sync+0x15c/0x160 +[ 41.959192] INITIAL USE at: +[ 41.962238] lock_acquire+0xfc/0x2c0 +[ 41.967365] _raw_spin_lock+0x60/0x74 +[ 41.972580] 
mt76_free_pending_rxwi+0xc0/0x5d0 [mt76] +[ 41.979206] mt76_dma_cleanup+0x1dc/0x650 [mt76] +[ 41.985395] mt7915_eeprom_get_power_delta+0x1830/0x2464 [mt7915e] +[ 41.993137] mt7915_unregister_device+0x5b4/0x910 [mt7915e] +[ 42.000270] mt7915_eeprom_get_target_power+0xb8/0x230 [mt7915e] +[ 42.007837] mt7986_wmac_enable+0xc30/0xcd0 [mt7915e] +[ 42.014450] platform_remove+0x4c/0x64 +[ 42.019753] __device_release_driver+0x194/0x240 +[ 42.025922] driver_detach+0xc0/0x100 +[ 42.031137] bus_remove_driver+0x54/0xac +[ 42.036612] driver_unregister+0x2c/0x54 +[ 42.042087] platform_driver_unregister+0x10/0x20 +[ 42.048344] mt7915_ops+0x244/0xffffffffffffed58 [mt7915e] +[ 42.055391] __arm64_sys_delete_module+0x170/0x23c +[ 42.061735] invoke_syscall.constprop.0+0x4c/0xe0 +[ 42.067990] do_el0_svc+0x50/0xf0 +[ 42.072857] el0_svc+0x4c/0xcc +[ 42.077466] el0t_64_sync_handler+0xe0/0x110 +[ 42.083289] el0t_64_sync+0x15c/0x160 +[ 42.088503] } +[ 42.090157] ... key at: [] __this_module+0x450/0xffffffffffffa840 [mt76] +[ 42.098951] ... 
acquired at: +[ 42.101907] __lock_acquire+0x718/0x1df0 +[ 42.105994] lock_acquire+0xfc/0x2c0 +[ 42.109734] _raw_spin_lock+0x60/0x74 +[ 42.113561] mt76_get_rxwi+0x1c/0xac [mt76] +[ 42.117929] mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e] +[ 42.123415] mtk_wed_start+0x970/0xaa0 +[ 42.127328] mt7915_dma_start+0x26c/0x630 [mt7915e] +[ 42.132379] mt7915_dma_start+0x5a4/0x630 [mt7915e] +[ 42.137430] mt7915_dma_init+0x45c/0x7b0 [mt7915e] +[ 42.142395] mt7915_register_device+0x310/0x620 [mt7915e] +[ 42.147967] mt7915_mmio_probe+0xcec/0x1d44 [mt7915e] +[ 42.153192] platform_probe+0x64/0xbc +[ 42.157019] really_probe.part.0+0x98/0x2f4 +[ 42.161367] __driver_probe_device+0x94/0x16c +[ 42.165887] driver_probe_device+0x40/0x120 +[ 42.170234] __driver_attach+0x94/0x190 +[ 42.174235] bus_for_each_dev+0x5c/0x94 +[ 42.178235] driver_attach+0x20/0x30 +[ 42.181974] bus_add_driver+0x104/0x1f4 +[ 42.185974] driver_register+0x74/0x120 +[ 42.189974] __platform_driver_register+0x24/0x30 +[ 42.194842] init_module+0x74/0x1000 [mt7915e] +[ 42.199460] do_one_initcall+0x70/0x2cc +[ 42.203460] do_init_module+0x44/0x240 +[ 42.207376] load_module+0x1f5c/0x2874 +[ 42.211290] __do_sys_init_module+0x1d8/0x2ac +[ 42.215813] __arm64_sys_init_module+0x18/0x20 +[ 42.220421] invoke_syscall.constprop.0+0x4c/0xe0 +[ 42.225288] do_el0_svc+0x50/0xf0 +[ 42.228768] el0_svc+0x4c/0xcc +[ 42.231989] el0t_64_sync_handler+0xe0/0x110 +[ 42.236424] el0t_64_sync+0x15c/0x160 +[ 42.240249] +[ 42.241730] +[ 42.241730] stack backtrace: +[ 42.246074] CPU: 1 PID: 2329 Comm: insmod Not tainted 5.15.127 #0 +[ 42.252157] Hardware name: GainStrong Oolite-MT7981B V1 Dev Board (NAND boot) (DT) +[ 42.259712] Call trace: +[ 42.262147] dump_backtrace+0x0/0x174 +[ 42.265802] show_stack+0x14/0x20 +[ 42.269108] dump_stack_lvl+0x84/0xac +[ 42.272761] dump_stack+0x14/0x2c +[ 42.276066] print_irq_inversion_bug.part.0+0x1b0/0x1c4 +[ 42.281285] mark_lock+0x8b8/0x8bc +[ 42.284678] __lock_acquire+0x718/0x1df0 +[ 42.288592] 
lock_acquire+0xfc/0x2c0 +[ 42.292158] _raw_spin_lock+0x60/0x74 +[ 42.295811] mt76_get_rxwi+0x1c/0xac [mt76] +[ 42.300008] mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e] +[ 42.305320] mtk_wed_start+0x970/0xaa0 +[ 42.309059] mt7915_dma_start+0x26c/0x630 [mt7915e] +[ 42.313937] mt7915_dma_start+0x5a4/0x630 [mt7915e] +[ 42.318815] mt7915_dma_init+0x45c/0x7b0 [mt7915e] +[ 42.323606] mt7915_register_device+0x310/0x620 [mt7915e] +[ 42.329005] mt7915_mmio_probe+0xcec/0x1d44 [mt7915e] +[ 42.334056] platform_probe+0x64/0xbc +[ 42.337711] really_probe.part.0+0x98/0x2f4 +[ 42.341885] __driver_probe_device+0x94/0x16c +[ 42.346232] driver_probe_device+0x40/0x120 +[ 42.350407] __driver_attach+0x94/0x190 +[ 42.354234] bus_for_each_dev+0x5c/0x94 +[ 42.358061] driver_attach+0x20/0x30 +[ 42.361627] bus_add_driver+0x104/0x1f4 +[ 42.365454] driver_register+0x74/0x120 +[ 42.369282] __platform_driver_register+0x24/0x30 +[ 42.373977] init_module+0x74/0x1000 [mt7915e] +[ 42.378423] do_one_initcall+0x70/0x2cc +[ 42.382249] do_init_module+0x44/0x240 +[ 42.385990] load_module+0x1f5c/0x2874 +[ 42.389733] __do_sys_init_module+0x1d8/0x2ac +[ 42.394082] __arm64_sys_init_module+0x18/0x20 +[ 42.398518] invoke_syscall.constprop.0+0x4c/0xe0 +[ 42.403211] do_el0_svc+0x50/0xf0 +[ 42.406517] el0_svc+0x4c/0xcc +[ 42.409565] el0t_64_sync_handler+0xe0/0x110 +[ 42.413827] el0t_64_sync+0x15c/0x160 +[ 42.674858] mt798x-wmac 18000000.wifi: HW/SW Version: 0x8a108a10, Build Time: 20221208201745a +[ 42.674858] +[ 42.692078] mt798x-wmac 18000000.wifi: WM Firmware Version: ____000000, Build Time: 20221208201806 +[ 42.735606] mt798x-wmac 18000000.wifi: WA Firmware Version: DEV_000000, Build Time: 20221208202048 + +Tested-by: Daniel Golle +Fixes: 2666bece0905 ("wifi: mt76: introduce rxwi and rx token utility routines") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/ee80be41c2a8d8749d83c6950a272a5e77aadd45.1693228333.git.lorenzo@kernel.org 
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
+index 465190ebaf1c4..f539913aadf86 100644
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -93,13 +93,13 @@ __mt76_get_rxwi(struct mt76_dev *dev)
+ {
+ struct mt76_txwi_cache *t = NULL;
+
+- spin_lock(&dev->wed_lock);
++ spin_lock_bh(&dev->wed_lock);
+ if (!list_empty(&dev->rxwi_cache)) {
+ t = list_first_entry(&dev->rxwi_cache, struct mt76_txwi_cache,
+ list);
+ list_del(&t->list);
+ }
+- spin_unlock(&dev->wed_lock);
++ spin_unlock_bh(&dev->wed_lock);
+
+ return t;
+ }
+@@ -145,9 +145,9 @@ mt76_put_rxwi(struct mt76_dev *dev, struct mt76_txwi_cache *t)
+ if (!t)
+ return;
+
+- spin_lock(&dev->wed_lock);
++ spin_lock_bh(&dev->wed_lock);
+ list_add(&t->list, &dev->rxwi_cache);
+- spin_unlock(&dev->wed_lock);
++ spin_unlock_bh(&dev->wed_lock);
+ }
+ EXPORT_SYMBOL_GPL(mt76_put_rxwi);
+
+--
+2.40.1
+
diff --git a/queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch b/queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch
new file mode 100644
index 00000000000..dc146a5840d
--- /dev/null
+++ b/queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch
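Review bot: Nothing at the two converted lock sites in __mt76_get_rxwi() and mt76_put_rxwi() records why wed_lock needs the _bh variant, so a later cleanup could quietly revert it. According to the lockdep report in the description, wed_lock is acquired while q->lock is held and q->lock is also taken in softirq context. A one-line comment such as `/* wed_lock nests under q->lock, which is taken from softirq: keep BHs disabled */` above the first spin_lock_bh() would keep that reasoning next to the code. The report also lists mt76_free_pending_rxwi() among the wed_lock users; its body is outside this hunk, so whether it takes the lock directly or only through __mt76_get_rxwi() should be confirmed.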
@@ -0,0 +1,78 @@
+From 90a2307ff4b6a70debe8838eeef0558dd4dc1223 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Sep 2023 21:47:47 +0200
+Subject: wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
+
+From: Felix Fietkau
+
+[ Upstream commit 684e45e120b82deccaf8b85633905304a3bbf56d ]
+
+On MT76x0, LNA gain should be applied for both external and internal LNA.
+On MT76x2, LNA gain should be treated as 0 for external LNA.
+Move the LNA type based logic to mt76x2 in order to fix mt76x0.
+
+Fixes: 2daa67588f34 ("mt76x0: unify lna_gain parsing")
+Reported-by: Shiji Yang
+Signed-off-by: Felix Fietkau
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230919194747.31647-1-nbd@nbd.name
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c | 7 -------
+ drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 13 +++++++++++--
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c b/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
+index 0acabba2d1a50..5d402cf2951cb 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
+@@ -131,15 +131,8 @@ u8 mt76x02_get_lna_gain(struct mt76x02_dev *dev,
+ s8 *lna_2g, s8 *lna_5g,
+ struct ieee80211_channel *chan)
+ {
+- u16 val;
+ u8 lna;
+
+- val = mt76x02_eeprom_get(dev, MT_EE_NIC_CONF_1);
+- if (val & MT_EE_NIC_CONF_1_LNA_EXT_2G)
+- *lna_2g = 0;
+- if (val & MT_EE_NIC_CONF_1_LNA_EXT_5G)
+- memset(lna_5g, 0, sizeof(s8) * 3);
+-
+ if (chan->band == NL80211_BAND_2GHZ)
+ lna = *lna_2g;
+ else if (chan->hw_value <= 64)
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
+index d5809408d1d37..8c01855885ce3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
+@@ -256,7 +256,8 @@ void mt76x2_read_rx_gain(struct mt76x02_dev *dev)
+ struct ieee80211_channel *chan = dev->mphy.chandef.chan;
+ int channel = chan->hw_value;
+ s8 lna_5g[3], lna_2g;
+- u8 lna;
++ bool use_lna;
++ u8 lna = 0;
+ u16 val;
+
+ if (chan->band == NL80211_BAND_2GHZ)
+@@ -275,7 +276,15 @@ void mt76x2_read_rx_gain(struct mt76x02_dev *dev)
+ dev->cal.rx.mcu_gain |= (lna_5g[1] & 0xff) << 16;
+ dev->cal.rx.mcu_gain |= (lna_5g[2] & 0xff) << 24;
+
+- lna = mt76x02_get_lna_gain(dev, &lna_2g, lna_5g, chan);
++ val = mt76x02_eeprom_get(dev, MT_EE_NIC_CONF_1);
++ if (chan->band == NL80211_BAND_2GHZ)
++ use_lna = !(val & MT_EE_NIC_CONF_1_LNA_EXT_2G);
++ else
++ use_lna = !(val & MT_EE_NIC_CONF_1_LNA_EXT_5G);
++
++ if (use_lna)
++ lna = mt76x02_get_lna_gain(dev, &lna_2g, lna_5g, chan);
++
+ dev->cal.rx.lna_gain = mt76x02_sign_extend(lna, 8);
+ }
+ EXPORT_SYMBOL_GPL(mt76x2_read_rx_gain);
+--
+2.40.1
+
diff --git a/queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch b/queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch
new file mode 100644
index 00000000000..6f4aab51873
--- /dev/null
+++ b/queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch
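Review bot: The new branch in mt76x2_read_rx_gain() carries no comment saying that, on MT76x2, an external LNA means the gain is deliberately left at 0; the rule is now expressed only through `u8 lna = 0;` and the `use_lna` test. Suggest `/* MT76x2: EEPROM LNA gain only applies to the internal LNA; keep 0 for an external one */` above the `val = mt76x02_eeprom_get(dev, MT_EE_NIC_CONF_1);` line. In mt76x02_get_lna_gain() the removed lines were the only visible writes through `lna_2g` and `lna_5g`, so those parameters could probably become `const s8 *`. The rest of that function lies outside the hunk and should be checked before changing the prototype.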
@@ -0,0 +1,61 @@
+From 635905492a3f4175102741569f544c2f81691316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Sep 2023 18:41:12 +0800
+Subject: wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
+
+From: Pin-yen Lin
+
+[ Upstream commit aef7a0300047e7b4707ea0411dc9597cba108fc8 ]
+
+Only skip the code path trying to access the rfc1042 headers when the
+buffer is too small, so the driver can still process packets without
+rfc1042 headers.
+
+Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets")
+Signed-off-by: Pin-yen Lin
+Acked-by: Brian Norris
+Reviewed-by: Matthew Wang
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230908104308.1546501-1-treapking@chromium.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/sta_rx.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
+index 65420ad674167..257737137cd70 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
+@@ -86,7 +86,8 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
+ rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length);
+ rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off;
+
+- if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) {
++ if (sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) +
++ rx_pkt_off > skb->len) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "wrong rx packet offset: len=%d, rx_pkt_off=%d\n",
+ skb->len, rx_pkt_off);
+@@ -95,12 +96,13 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
+ return -1;
+ }
+
+- if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
+- sizeof(bridge_tunnel_header))) ||
+- (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
+- sizeof(rfc1042_header)) &&
+- ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
+- ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX)) {
++ if (sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len &&
++ ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
++ sizeof(bridge_tunnel_header))) ||
++ (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
++ sizeof(rfc1042_header)) &&
++ ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
++ ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX))) {
+ /*
+ * Replace the 803 header and rfc1042 header (llc/snap) with an
+ * EthernetII header, keep the src/dst and snap_type
+--
+2.40.1
+
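Review bot: The bounds test that protects the rfc1042 reads is now the first operand of a seven-line condition in mwifiex_process_rx_packet(), where a later edit can drop or reorder it and bring back the out-of-bounds read that the Fixes: commit addressed. I would hoist it into a named local, `bool has_llc_snap = sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len;`, with a comment that the memcmp() and snap_type accesses are only valid when it is true, and then test `if (has_llc_snap && (...))`. The first check mixes `sizeof(rx_pkt_hdr->eth803_hdr)` with `sizeof(rfc1042_header)`, the comparison constant rather than the struct field, so a short comment stating the minimum frame size it enforces would help the next reader. rx_pkt_len is read at the top of the hunk but not compared with skb->len in the visible lines; the function continues outside the hunk, so confirm it is bounded before use.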