From: Sasha Levin
Date: Mon, 22 May 2023 11:45:33 +0000 (-0400)
Subject: Fixes for 5.15
X-Git-Tag: v6.3.4~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee770ffe74e21487b45059827cb1ae0d74ce670b;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.15
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.15/af_key-reject-optional-tunnel-beet-mode-templates-in.patch b/queue-5.15/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
new file mode 100644
index 00000000000..cf236343e5e
--- /dev/null
+++ b/queue-5.15/af_key-reject-optional-tunnel-beet-mode-templates-in.patch
@@ -0,0 +1,71 @@ +From 50054c39e45f5c300a72f0218e6e08fa937c2a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 11:00:06 +0200 +Subject: af_key: Reject optional tunnel/BEET mode templates in outbound + policies + +From: Tobias Brunner + +[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ] + +xfrm_state_find() uses `encap_family` of the current template with +the passed local and remote addresses to find a matching state. +If an optional tunnel or BEET mode template is skipped in a mixed-family +scenario, there could be a mismatch causing an out-of-bounds read as +the addresses were not replaced to match the family of the next template. + +While there are theoretical use cases for optional templates in outbound +policies, the only practical one is to skip IPComp states in inbound +policies if uncompressed packets are received that are handled by an +implicitly created IPIP state instead. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tobias Brunner +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 1d6ae1df3886b..d34fed1a484a7 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net) + } + + static int +-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) ++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol, ++ struct sadb_x_ipsecrequest *rq) + { + struct net *net = xp_net(xp); + struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr; +@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq) + if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0) + return -EINVAL; + t->mode = mode; +- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) ++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) { ++ if 
((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) && ++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND) ++ return -EINVAL; + t->optional = 1; +- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { ++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) { + t->reqid = rq->sadb_x_ipsecrequest_reqid; + if (t->reqid > IPSEC_MANUAL_REQID_MAX) + t->reqid = 0; +@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) + rq->sadb_x_ipsecrequest_len < sizeof(*rq)) + return -EINVAL; + +- if ((err = parse_ipsecrequest(xp, rq)) < 0) ++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0) + return err; + len -= rq->sadb_x_ipsecrequest_len; + rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len); +-- +2.39.2 + diff --git a/queue-5.15/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch b/queue-5.15/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch new file mode 100644 index 00000000000..70b77703b0b --- /dev/null +++ b/queue-5.15/alsa-firewire-digi00x-prevent-potential-use-after-fr.patch 
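Review bot: The new `return -EINVAL` branch in parse_ipsecrequest() has no comment tying it to the out-of-bounds read described in the commit message, so a later cleanup could relax it without realising it is a memory-safety guard. I would add above the inner `if` something like `/* an optional tunnel/BEET template can be skipped, leaving addresses of the wrong family for the next template's state lookup */`. The check also covers only policies installed through PF_KEY; whether the xfrm netlink policy interface applies the same restriction is not visible in this patch and should be confirmed before treating this as the complete fix. parse_ipsecrequest() continues outside the hunk.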
@@ -0,0 +1,41 @@ +From b6d30c1cef8a50d86b1da948e417ee3fe83fb226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 12:07:11 +0300 +Subject: ALSA: firewire-digi00x: prevent potential use after free + +From: Dan Carpenter + +[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ] + +This code was supposed to return an error code if init_stream() +failed, but it instead freed dg00x->rx_stream and returned success. +This potentially leads to a use after free. + +Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/digi00x/digi00x-stream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c +index a15f55b0dce37..295163bb8abb6 100644 +--- a/sound/firewire/digi00x/digi00x-stream.c ++++ b/sound/firewire/digi00x/digi00x-stream.c +@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) + return err; + + err = init_stream(dg00x, &dg00x->tx_stream); +- if (err < 0) ++ if (err < 0) { + destroy_stream(dg00x, &dg00x->rx_stream); ++ return err; ++ } + + err = amdtp_domain_init(&dg00x->domain); + if (err < 0) { +-- +2.39.2 + diff --git a/queue-5.15/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch b/queue-5.15/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch new file mode 100644 index 00000000000..4c1f7ba4a04 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch 
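Review bot: The tx_stream failure path in snd_dg00x_stream_init_duplex() now spells out destroy-then-return inline, the same open-coded shape in which the missing `return err;` went unnoticed. A shared unwind label (for example `goto err_destroy_rx;`) would keep each failure branch to one line and make a fall-through into amdtp_domain_init() with an already destroyed rx_stream harder to reintroduce. The amdtp_domain_init() error block runs past the end of the hunk, so its cleanup could not be checked here.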
@@ -0,0 +1,39 @@ +From f0e34036417488091d2122cccf4838cbc513dffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 12:32:21 -0500 +Subject: ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 + +From: Ryan C. Underwood + +[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ] + +The Pavilion 15 line has B&O top speakers similar to the x360 and +applying the same profile produces good sound. Without this, the +sound would be tinny and underpowered without either applying +model=alc295-hp-x360 or booting another OS first. + +Signed-off-by: Ryan Underwood +Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15") +Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 86d07d06bd0cd..5d1ab9170361a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9008,7 +9008,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC), + SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC), +- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), ++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC), + SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360), + SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), +-- +2.39.2 + diff --git a/queue-5.15/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch b/queue-5.15/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch new file mode 100644 index 00000000000..d5e0958845c --- /dev/null 
+++ b/queue-5.15/asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch 
@@ -0,0 +1,70 @@ +From cc519e572470e45211c69f6979a8ba1d81ef27d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:16:36 +0800 +Subject: ASoC: fsl_micfil: Fix error handler with pm_runtime_enable + +From: Shengjiu Wang + +[ Upstream commit 17955aba7877a4494d8093ae5498e19469b01d57 ] + +There is error message when defer probe happens: + +fsl-micfil-dai 30ca0000.micfil: Unbalanced pm_runtime_enable! + +Fix the error handler with pm_runtime_enable and add +fsl_micfil_remove() for pm_runtime_disable. + +Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.") +Signed-off-by: Shengjiu Wang +--- + sound/soc/fsl/fsl_micfil.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c +index 38d4d1b7cfe39..acc820da46ebf 100644 +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -763,7 +763,7 @@ static int fsl_micfil_probe(struct platform_device *pdev) + ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); + if (ret) { + dev_err(&pdev->dev, "failed to pcm register\n"); +- return ret; ++ goto err_pm_disable; + } + + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_micfil_component, +@@ -771,9 +771,20 @@ static int fsl_micfil_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, "failed to register component %s\n", + fsl_micfil_component.name); ++ goto err_pm_disable; + } + + return ret; ++ ++err_pm_disable: ++ pm_runtime_disable(&pdev->dev); ++ ++ return ret; ++} ++ ++static void fsl_micfil_remove(struct platform_device *pdev) ++{ ++ pm_runtime_disable(&pdev->dev); + } + + static int __maybe_unused fsl_micfil_runtime_suspend(struct device *dev) +@@ -834,6 +845,7 @@ static const struct dev_pm_ops fsl_micfil_pm_ops = { + + static struct platform_driver fsl_micfil_driver = { + .probe = fsl_micfil_probe, ++ .remove_new = fsl_micfil_remove, + .driver = { + .name = "fsl-micfil-dai", + .pm = &fsl_micfil_pm_ops, +-- 
+2.39.2 + diff --git a/queue-5.15/bridge-always-declare-tunnel-functions.patch b/queue-5.15/bridge-always-declare-tunnel-functions.patch new file mode 100644 index 00000000000..538c83b0ef8 --- /dev/null +++ b/queue-5.15/bridge-always-declare-tunnel-functions.patch 
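Review bot: `.remove_new` in fsl_micfil_driver is a concern for this queue: as far as I know that platform_driver callback was introduced in a kernel release considerably newer than 5.15, so the backport would fail to build unless the member exists in the target tree. If it is absent, use the int-returning callback instead: `static int fsl_micfil_remove(struct platform_device *pdev)`, ending in `return 0;`, wired up as `.remove = fsl_micfil_remove,`. The embedded patch also lacks the `Signed-off-by: Sasha Levin` trailer that the other queued patches on this page carry, which suggests it reached the queue by a different route and deserves a build test on 5.15.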
@@ -0,0 +1,61 @@ +From 8a02d7f06ffe77f45aec4085db9f21bf4c39d1f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:45:35 +0200 +Subject: bridge: always declare tunnel functions + +From: Arnd Bergmann + +[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ] + +When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still +defined but have no prototype or caller. This causes a W=1 warning for +the missing prototypes: + +net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes] +net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes] + +The functions are already contitional on CONFIG_BRIDGE_VLAN_FILTERING, +and I coulnd't easily figure out the right set of #ifdefs, so just +move the declarations out of the #ifdef to avoid the warning, +at a small cost in code size over a more elaborate fix. + +Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping") +Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del") +Signed-off-by: Arnd Bergmann +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_private_tunnel.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h +index 2b053289f0166..efb096025151a 100644 +--- a/net/bridge/br_private_tunnel.h ++++ b/net/bridge/br_private_tunnel.h +@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br, + int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg); + int br_fill_vlan_tunnel_info(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); ++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, ++ const struct net_bridge_vlan *v_last); ++int 
br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, ++ u16 vid, u32 tun_id, bool *changed); + + #ifdef CONFIG_BRIDGE_VLAN_FILTERING + /* br_vlan_tunnel.c */ +@@ -43,10 +47,6 @@ void br_handle_ingress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan_group *vg); + int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan *vlan); +-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr, +- const struct net_bridge_vlan *v_last); +-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd, +- u16 vid, u32 tun_id, bool *changed); + #else + static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg) + { +-- +2.39.2 + diff --git a/queue-5.15/cassini-fix-a-memory-leak-in-the-error-handling-path.patch b/queue-5.15/cassini-fix-a-memory-leak-in-the-error-handling-path.patch new file mode 100644 index 00000000000..bc631266c68 --- /dev/null +++ b/queue-5.15/cassini-fix-a-memory-leak-in-the-error-handling-path.patch 
@@ -0,0 +1,42 @@ +From f22f96461cf8fc6fb896d90af1c896fe3df1af42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:09:11 +0200 +Subject: cassini: Fix a memory leak in the error handling path of + cas_init_one() + +From: Christophe JAILLET + +[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ] + +cas_saturn_firmware_init() allocates some memory using vmalloc(). This +memory is freed in the .remove() function but not it the error handling +path of the probe. + +Add the missing vfree() to avoid a memory leak, should an error occur. + +Fixes: fcaa40669cd7 ("cassini: use request_firmware") +Signed-off-by: Christophe JAILLET +Reviewed-by: Pavan Chebbi +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/cassini.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c +index 6472425539e15..21e4df8466c91 100644 +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -5123,6 +5123,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + cas_shutdown(cp); + mutex_unlock(&cp->pm_mutex); + ++ vfree(cp->fw_data); ++ + pci_iounmap(pdev, cp->regs); + + +-- +2.39.2 + diff --git a/queue-5.15/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch b/queue-5.15/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch new file mode 100644 index 00000000000..7de0f641c56 --- /dev/null +++ b/queue-5.15/cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch 
@@ -0,0 +1,159 @@ +From 0227c1d3caf976c6c75ba6672c5937e4cae1f38f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 06:25:44 +0000 +Subject: cpupower: Make TSC read per CPU for Mperf monitor + +From: Wyes Karny + +[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ] + +System-wide TSC read could cause a drift in C0 percentage calculation. +Because if first TSC is read and then one by one mperf is read for all +cpus, this introduces drift between mperf reading of later CPUs and TSC +reading. To lower this drift read TSC per CPU and also just after mperf +read. This technique improves C0 percentage calculation in Mperf monitor. + +Before fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00 + +After fix: (System 100% busy) + + | Mperf || RAPL || Idle_Stats + PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2 + 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 1| 99.99| 0.01| 
2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00 + 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00 + +Cc: Thomas Renninger +Cc: Shuah Khan +Cc: Dominik Brodowski + +Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features") +Signed-off-by: Wyes Karny +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++---------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index e7d48cb563c0e..ae6af354a81db 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -70,8 +70,8 @@ static int max_freq_mode; + */ + static unsigned long max_frequency; + +-static unsigned long long tsc_at_measure_start; +-static unsigned long long tsc_at_measure_end; ++static unsigned long long *tsc_at_measure_start; ++static unsigned long long *tsc_at_measure_end; + static unsigned long long *mperf_previous_count; + static unsigned long long *aperf_previous_count; + static unsigned long long *mperf_current_count; +@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + aperf_diff = 
aperf_current_count[cpu] - aperf_previous_count[cpu]; + + if (max_freq_mode == MAX_FREQ_TSC_REF) { +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + *percent = 100.0 * mperf_diff / tsc_diff; + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); +@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ +- tsc_diff = tsc_at_measure_end - tsc_at_measure_start; ++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; + time_diff = timespec_diff_us(time_start, time_end); + max_frequency = tsc_diff / time_diff; + } +@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + static int mperf_start(void) + { + int cpu; +- unsigned long long dbg; + + clock_gettime(CLOCK_REALTIME, &time_start); +- mperf_get_tsc(&tsc_at_measure_start); + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { ++ mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); ++ } + +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start); + return 0; + } + + static int mperf_stop(void) + { +- unsigned long long dbg; + int cpu; + +- for (cpu = 0; cpu < cpu_count; cpu++) ++ for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ } + +- mperf_get_tsc(&tsc_at_measure_end); + clock_gettime(CLOCK_REALTIME, &time_end); +- +- mperf_get_tsc(&dbg); +- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end); +- + return 0; + } + +@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long)); + mperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + aperf_current_count = calloc(cpu_count, 
sizeof(unsigned long long)); +- ++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); ++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -364,6 +359,8 @@ void mperf_unregister(void) + free(aperf_previous_count); + free(mperf_current_count); + free(aperf_current_count); ++ free(tsc_at_measure_start); ++ free(tsc_at_measure_end); + free(is_valid); + } + +-- +2.39.2 + diff --git a/queue-5.15/drm-exynos-fix-g2d_open-close-helper-function-defini.patch b/queue-5.15/drm-exynos-fix-g2d_open-close-helper-function-defini.patch new file mode 100644 index 00000000000..b47e98fec27 --- /dev/null +++ b/queue-5.15/drm-exynos-fix-g2d_open-close-helper-function-defini.patch 
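Review bot: The two new `calloc()` results in mperf_register() are never checked, yet mperf_start() and mperf_stop() now write `tsc_at_measure_start[cpu]` and `tsc_at_measure_end[cpu]` unconditionally, so an allocation failure becomes a NULL-pointer write on the first measurement. The neighbouring counter arrays shown as context are unchecked as well, so this is existing style, but the patch extends it to two more buffers. A guard such as `if (!tsc_at_measure_start || !tsc_at_measure_end) return NULL;` before `mperf_monitor.name_len` is assigned would fail registration cleanly. Whether callers accept a NULL monitor, and who then frees the earlier arrays, is outside the hunk and needs checking.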
@@ -0,0 +1,48 @@ +From 36646e8f795ef681fe5c392610a28e087048d8d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 23:04:11 +0200 +Subject: drm/exynos: fix g2d_open/close helper function definitions + +From: Arnd Bergmann + +[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ] + +The empty stub functions are defined as global functions, which +causes a warning because of missing prototypes: + +drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open' +drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close' + +Mark them as 'static inline' to avoid the warning and to make +them behave as intended. + +Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API") +Signed-off-by: Arnd Bergmann +Reviewed-by: Andi Shyti +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +index 74ea3c26deadc..1a5ae781b56c6 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h +@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data, + return -ENODEV; + } + +-int g2d_open(struct drm_device *drm_dev, struct drm_file *file) ++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file) + { + return 0; + } + +-void g2d_close(struct drm_device *drm_dev, struct drm_file *file) ++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file) + { } + #endif +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-dp-unregister-audio-driver-during-unbind.patch b/queue-5.15/drm-msm-dp-unregister-audio-driver-during-unbind.patch new file mode 100644 index 00000000000..d1d4a4dfd25 --- /dev/null +++ b/queue-5.15/drm-msm-dp-unregister-audio-driver-during-unbind.patch 
@@ -0,0 +1,81 @@ +From 06a8522ce4121dbf06b90e520ba8d8c8969cf04a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 15:56:57 +0100 +Subject: drm/msm/dp: unregister audio driver during unbind + +From: Srinivas Kandagatla + +[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ] + +while binding the code always registers a audio driver, however there +is no corresponding unregistration done in unbind. This leads to multiple +redundant audio platform devices if dp_display_bind and dp_display_unbind +happens multiple times during startup. On X13s platform this resulted in +6 to 9 audio codec device instead of just 3 codec devices for 3 dp ports. + +Fix this by unregistering codecs on unbind. + +Signed-off-by: Srinivas Kandagatla +Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/533324/ +Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++ + drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++ + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c +index d7e4a39a904e2..0eaaaa94563a3 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.c ++++ b/drivers/gpu/drm/msm/dp/dp_audio.c +@@ -577,6 +577,18 @@ static struct hdmi_codec_pdata codec_data = { + .i2s = 1, + }; + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio) ++{ ++ struct dp_audio_private *audio_priv; ++ ++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio); ++ ++ if (audio_priv->audio_pdev) { ++ platform_device_unregister(audio_priv->audio_pdev); ++ audio_priv->audio_pdev = NULL; ++ } ++} ++ + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio) + { +diff --git 
a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h +index 84e5f4a5d26ba..4ab78880af829 100644 +--- a/drivers/gpu/drm/msm/dp/dp_audio.h ++++ b/drivers/gpu/drm/msm/dp/dp_audio.h +@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev, + int dp_register_audio_driver(struct device *dev, + struct dp_audio *dp_audio); + ++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio); ++ + /** + * dp_audio_put() + * +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 15e38ad7aefb4..38d37345c216b 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -267,6 +267,7 @@ static void dp_display_unbind(struct device *dev, struct device *master, + kthread_stop(dp->ev_tsk); + + dp_power_client_deinit(dp->power); ++ dp_unregister_audio_driver(dev, dp->audio); + dp_aux_unregister(dp->aux); + priv->dp = NULL; + } +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-dpu-add-intf_5-interrupts.patch b/queue-5.15/drm-msm-dpu-add-intf_5-interrupts.patch new file mode 100644 index 00000000000..341956b7f9f --- /dev/null +++ b/queue-5.15/drm-msm-dpu-add-intf_5-interrupts.patch 
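Review bot: dp_unregister_audio_driver() applies `container_of()` to `dp_audio` without checking it, and dp_display_unbind() passes `dp->audio` straight in. If unbind can run while `dp->audio` is NULL or an error pointer (not visible here, for instance after a partly failed bind), `audio_priv` is a bogus address and the `audio_priv->audio_pdev` read is an invalid access; `if (IS_ERR_OR_NULL(dp_audio)) return;` at the top of the function would close that. The `dev` parameter is unused in the new function. dp_display_unbind() starts outside the hunk.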
@@ -0,0 +1,62 @@ +From cac42285a326b3ad3fdc1da3e8d7b2d022b532cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Feb 2022 20:33:52 -0800 +Subject: drm/msm/dpu: Add INTF_5 interrupts + +From: Bjorn Andersson + +[ Upstream commit 148e852f290fe8be9fa69953bee2f958befd65d4 ] + +SC8180x has the eDP controller wired up to INTF_5, so add the interrupt +register block for this interface to the list. + +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220215043353.1256754-1-bjorn.andersson@linaro.org +Signed-off-by: Dmitry Baryshkov +Stable-dep-of: e9d9ce5462fe ("drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 6 ++++++ + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index 2e816f232e859..996011e356f7b 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -20,6 +20,7 @@ + #define MDP_INTF_2_OFF 0x6B000 + #define MDP_INTF_3_OFF 0x6B800 + #define MDP_INTF_4_OFF 0x6C000 ++#define MDP_INTF_5_OFF 0x6C800 + #define MDP_AD4_0_OFF 0x7C000 + #define MDP_AD4_1_OFF 0x7D000 + #define MDP_AD4_INTR_EN_OFF 0x41c +@@ -87,6 +88,11 @@ static const struct dpu_intr_reg dpu_intr_set[] = { + MDP_INTF_4_OFF+INTF_INTR_EN, + MDP_INTF_4_OFF+INTF_INTR_STATUS + }, ++ { ++ MDP_INTF_5_OFF+INTF_INTR_CLEAR, ++ MDP_INTF_5_OFF+INTF_INTR_EN, ++ MDP_INTF_5_OFF+INTF_INTR_STATUS ++ }, + { + MDP_AD4_0_OFF + MDP_AD4_INTR_CLEAR_OFF, + MDP_AD4_0_OFF + MDP_AD4_INTR_EN_OFF, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h +index ac83c1159815f..d90dac77c26fe 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h ++++ 
b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h +@@ -22,6 +22,7 @@ enum dpu_hw_intr_reg { + MDP_INTF2_INTR, + MDP_INTF3_INTR, + MDP_INTF4_INTR, ++ MDP_INTF5_INTR, + MDP_AD4_0_INTR, + MDP_AD4_1_INTR, + MDP_INTF0_7xxx_INTR, +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch b/queue-5.15/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch new file mode 100644 index 00000000000..12b36dd897a --- /dev/null +++ b/queue-5.15/drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch 
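Review bot: The new INTF_5 entry in dpu_intr_set[] is positional, so it is correct only because MDP_INTF5_INTR was inserted at the matching position in enum dpu_hw_intr_reg. If the table is indexed by that enum (the lookup is outside the hunk), a designated initializer such as `[MDP_INTF5_INTR] = {` would turn a future ordering mismatch into something visible at review time instead of accesses to the wrong interrupt registers. A short comment on the entry, e.g. `/* INTF_5: eDP controller on SC8180x */`, would record why it exists.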
@@ -0,0 +1,67 @@ +From e0e9b072620462dff03e423f53d30f7740c1dece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:37:17 +0200 +Subject: drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header + +From: Marijn Suijten + +[ Upstream commit e9d9ce5462fecdeefec87953de71df4d025cbc72 ] + +These offsets do not fall under the MDP TOP block and do not fit the +comment right above. Move them to dpu_hw_interrupts.c next to the +repsective MDP_INTF_x_OFF interrupt block offsets. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534203/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-3-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h | 3 --- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +index 996011e356f7b..ac0c221f8aa19 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +@@ -12,7 +12,7 @@ + + /** + * Register offsets in MDSS register file for the interrupt registers +- * w.r.t. to the MDP base ++ * w.r.t. 
the MDP base + */ + #define MDP_SSPP_TOP0_OFF 0x0 + #define MDP_INTF_0_OFF 0x6A000 +@@ -21,6 +21,9 @@ + #define MDP_INTF_3_OFF 0x6B800 + #define MDP_INTF_4_OFF 0x6C000 + #define MDP_INTF_5_OFF 0x6C800 ++#define INTF_INTR_EN 0x1c0 ++#define INTF_INTR_STATUS 0x1c4 ++#define INTF_INTR_CLEAR 0x1c8 + #define MDP_AD4_0_OFF 0x7C000 + #define MDP_AD4_1_OFF 0x7D000 + #define MDP_AD4_INTR_EN_OFF 0x41c +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +index c8156ed4b7fb8..93081e82c6d74 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h +@@ -20,9 +20,6 @@ + #define HIST_INTR_EN 0x01c + #define HIST_INTR_STATUS 0x020 + #define HIST_INTR_CLEAR 0x024 +-#define INTF_INTR_EN 0x1C0 +-#define INTF_INTR_STATUS 0x1C4 +-#define INTF_INTR_CLEAR 0x1C8 + #define SPLIT_DISPLAY_EN 0x2F4 + #define SPLIT_DISPLAY_UPPER_PIPE_CTRL 0x2F8 + #define DSPP_IGC_COLOR0_RAM_LUTN 0x300 +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch b/queue-5.15/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch new file mode 100644 index 00000000000..a4e463aaee5 --- /dev/null +++ b/queue-5.15/drm-msm-dpu-remove-duplicate-register-defines-from-i.patch 
@@ -0,0 +1,45 @@ +From 4631390d04a8c3bff6c29be1fb1ce1608f26523f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 00:37:22 +0200 +Subject: drm/msm/dpu: Remove duplicate register defines from INTF + +From: Marijn Suijten + +[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ] + +The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT +registers are already defined higher up, in the right place when sorted +numerically. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534231/ +Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +index 284f5610dc35b..916e2a4756c09 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c +@@ -53,11 +53,6 @@ + #define INTF_TPG_RGB_MAPPING 0x11C + #define INTF_PROG_FETCH_START 0x170 + #define INTF_PROG_ROT_START 0x174 +- +-#define INTF_FRAME_LINE_COUNT_EN 0x0A8 +-#define INTF_FRAME_COUNT 0x0AC +-#define INTF_LINE_COUNT 0x0B0 +- + #define INTF_MUX 0x25C + + static const struct dpu_intf_cfg *_intf_offset(enum dpu_intf intf, +-- +2.39.2 + diff --git a/queue-5.15/dt-bindings-display-msm-dsi-controller-main-document.patch b/queue-5.15/dt-bindings-display-msm-dsi-controller-main-document.patch new file mode 100644 index 00000000000..8a963cb5726 --- /dev/null +++ b/queue-5.15/dt-bindings-display-msm-dsi-controller-main-document.patch 
@@ -0,0 +1,52 @@ +From 60f2836565a22369741930c3c79a69e98e5bc61a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 20:21:32 +0800 +Subject: dt-bindings: display/msm: dsi-controller-main: Document qcom, + master-dsi and qcom, sync-dual-dsi + +From: Jianhua Lu + +[ Upstream commit ca29699a57ecee6084a4056f5bfd6f11dd359a71 ] + +This fixes warning: + sm8250-xiaomi-elish-csot.dtb: dsi@ae94000: Unevaluated properties are not allowed ('qcom,master-dsi', 'qcom,sync-dual-dsi' were unexpected) + +Reviewed-by: Dmitry Baryshkov +Acked-by: Rob Herring +Signed-off-by: Jianhua Lu +Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings") +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/534306/ +Link: https://lore.kernel.org/r/20230427122132.24840-1-lujianhua000@gmail.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + .../bindings/display/msm/dsi-controller-main.yaml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +index 283a12cd3e144..4b2cd556483c0 100644 +--- a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml ++++ b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml +@@ -64,6 +64,18 @@ properties: + Indicates if the DSI controller is driving a panel which needs + 2 DSI links. + ++ qcom,master-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller is the master DSI controller when ++ qcom,dual-dsi-mode enabled. ++ ++ qcom,sync-dual-dsi: ++ type: boolean ++ description: | ++ Indicates if the DSI controller needs to sync the other DSI controller ++ with MIPI DCS commands when qcom,dual-dsi-mode enabled. ++ + assigned-clocks: + minItems: 2 + maxItems: 2 +-- +2.39.2 + 
diff --git a/queue-5.15/erspan-get-the-proto-with-the-md-version-for-collect.patch b/queue-5.15/erspan-get-the-proto-with-the-md-version-for-collect.patch new file mode 100644 index 00000000000..c14c1d7491b --- /dev/null +++ b/queue-5.15/erspan-get-the-proto-with-the-md-version-for-collect.patch 
@@ -0,0 +1,81 @@ +From 5db7a13a7f4a16ee347ee7a74c19341dcb09f596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:22:11 -0400 +Subject: erspan: get the proto with the md version for collect_md + +From: Xin Long + +[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ] + +In commit 20704bd1633d ("erspan: build the header with the right proto +according to erspan_ver"), it gets the proto with t->parms.erspan_ver, +but t->parms.erspan_ver is not used by collect_md branch, and instead +it should get the proto with md->version for collect_md. + +Thanks to Kevin for pointing this out. + +Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver") +Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support") +Reported-by: Kevin Traynor +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index a91f93ec7d2b4..0b041ab79ad90 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1015,12 +1015,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + ntohl(tun_id), + ntohl(md->u.index), truncate, + false); ++ proto = htons(ETH_P_ERSPAN); + } else if (md->version == 2) { + erspan_build_header_v2(skb, + ntohl(tun_id), + md->u.md2.dir, + get_hwid(&md->u.md2), + truncate, false); ++ proto = htons(ETH_P_ERSPAN2); + } else { + goto tx_err; + } +@@ -1043,24 +1045,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + break; + } + +- if (t->parms.erspan_ver == 1) ++ if (t->parms.erspan_ver == 1) { + erspan_build_header(skb, ntohl(t->parms.o_key), + t->parms.index, + truncate, false); +- else if (t->parms.erspan_ver == 2) ++ proto = htons(ETH_P_ERSPAN); ++ } else if (t->parms.erspan_ver == 2) { + erspan_build_header_v2(skb, ntohl(t->parms.o_key), + t->parms.dir, + 
t->parms.hwid, + truncate, false); +- else ++ proto = htons(ETH_P_ERSPAN2); ++ } else { + goto tx_err; ++ } + + fl6.daddr = t->parms.raddr; + } + + /* Push GRE header. */ +- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN) +- : htons(ETH_P_ERSPAN2); + gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno))); + + /* TooBig packet may have updated dst->dev's mtu */ +-- +2.39.2 + diff --git a/queue-5.15/igb-fix-bit_shift-to-be-in-1.8-range.patch b/queue-5.15/igb-fix-bit_shift-to-be-in-1.8-range.patch new file mode 100644 index 00000000000..d25b476ddb9 --- /dev/null +++ b/queue-5.15/igb-fix-bit_shift-to-be-in-1.8-range.patch 
@@ -0,0 +1,50 @@ +From 8f2504bb8d8d6e51a021e1f9607d3f397b9631fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:41:46 -0700 +Subject: igb: fix bit_shift to be in [1..8] range + +From: Aleksandr Loktionov + +[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ] + +In igb_hash_mc_addr() the expression: + "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]" +shift by more than 7 bits always yields zero, so hash becomes not so different. +Add initialization with bit_shift = 1 and add a loop condition to ensure +bit_shift will be always in [1..8] range. + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Aleksandr Loktionov +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c +index 1277c5c7d0996..7be0c7ce9394b 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_mac.c ++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c +@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value) + static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + { + u32 hash_value, hash_mask; +- u8 bit_shift = 0; ++ u8 bit_shift = 1; + + /* Register count multiplied by bits per register */ + hash_mask = (hw->mac.mta_reg_count * 32) - 1; +@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr) + /* For a mc_filter_type of 0, bit_shift is the number of left-shifts + * where 0xFF would still fall within the hash mask. + */ +- while (hash_mask >> bit_shift != 0xFF) ++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4) + bit_shift++; + + /* The portion of the address that is used for the hash table +-- +2.39.2 + 
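Review bot: The new loop bound `bit_shift < 4` in igb_hash_mc_addr() is an unexplained constant, and it does not obviously match the [1..8] range the commit message promises, since with the initial value 1 the loop alone leaves bit_shift in 1..4. Presumably the mc_filter_type handling further down, outside this hunk, accounts for the rest, but the visible comment does not say so. I would extend the comment above the loop, e.g. `/* Cap at 4 so bit_shift plus the filter-type offset below stays <= 8 and "8 - bit_shift" cannot go negative. */`, and confirm the cap against the code that follows. Because hash_mask is derived from hw->mac.mta_reg_count, the cap is also what ends the loop when the mask never shifts down to 0xFF, which is worth stating in the same comment.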
diff --git a/queue-5.15/media-netup_unidvb-fix-use-after-free-at-del_timer.patch b/queue-5.15/media-netup_unidvb-fix-use-after-free-at-del_timer.patch new file mode 100644 index 00000000000..76eb6464025 --- /dev/null +++ b/queue-5.15/media-netup_unidvb-fix-use-after-free-at-del_timer.patch 
@@ -0,0 +1,49 @@ +From 9e81ac6c74ca54c3cd0151f20592b045952051ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 12:55:14 +0000 +Subject: media: netup_unidvb: fix use-after-free at del_timer() + +From: Duoming Zhou + +[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ] + +When Universal DVB card is detaching, netup_unidvb_dma_fini() +uses del_timer() to stop dma->timeout timer. But when timer +handler netup_unidvb_dma_timeout() is running, del_timer() +could not stop it. As a result, the use-after-free bug could +happen. The process is shown below: + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +netup_unidvb_finidev() | (wait a time) + netup_unidvb_dma_fini() | netup_unidvb_dma_timeout() + del_timer(&dma->timeout); | + | ndev->pci_dev->dev //USE + +Fix by changing del_timer() to del_timer_sync(). + +Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn +Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 77bae14685513..a71814e2772d1 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num) + netup_unidvb_dma_enable(dma, 0); + msleep(50); + cancel_work_sync(&dma->work); +- del_timer(&dma->timeout); ++ del_timer_sync(&dma->timeout); + } + + static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev) +-- +2.39.2 + 
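Review bot: In netup_unidvb_dma_fini() the timer is still stopped after `cancel_work_sync(&dma->work)`, so the teardown is complete only if nothing can queue that work again once cancel_work_sync() has returned. If the timeout handler, or an interrupt that is still enabled, can schedule dma->work (neither is visible in this hunk), a work item may be pending when the function returns and the freed device state could still be touched. I would either verify that against both handlers and record it in a comment, e.g. `/* the timeout handler never queues dma->work, so cancelling the work first is safe */`, or stop the timer before cancelling the work. del_timer_sync() also must not be called while holding a lock the handler takes, which is worth confirming for the callers of this function.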
diff --git a/queue-5.15/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch b/queue-5.15/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch new file mode 100644 index 00000000000..44c303ef3e8 --- /dev/null +++ b/queue-5.15/net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch @@ -0,0 +1,37 @@ +From 250762bb7d02017e7f5d0e3d5427bd352b48f49e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:07:27 -0700 +Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() + +From: Florian Fainelli + +[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ] + +The call to phy_stop() races with the later call to phy_disconnect(), +resulting in concurrent phy_suspend() calls being run from different +CPUs. The final call to phy_disconnect() ensures that the PHY is +stopped and suspended, too. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 92cd2916e8015..35bf840716d57 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3416,7 +3416,6 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + +- phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +-- +2.39.2 + diff --git a/queue-5.15/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch b/queue-5.15/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch new file mode 100644 index 00000000000..670d049349f --- /dev/null +++ b/queue-5.15/net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch 
@@ -0,0 +1,71 @@ +From 44076550c89cc8762df383223ff0fc0d5e0cea9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 19:56:07 -0700 +Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close + +From: Florian Fainelli + +[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ] + +Removing the phy_stop() from bcmgenet_netif_stop() ended up causing +warnings from the PHY library that phy_start() is called from the +RUNNING state since we are no longer stopping the PHY state machine +during bcmgenet_suspend(). + +Restore the call to phy_stop() but make it conditional on being called +from the close or suspend path. + +Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine") +Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()") +Signed-off-by: Florian Fainelli +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 35bf840716d57..9d4f406408c9d 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3401,7 +3401,7 @@ static int bcmgenet_open(struct net_device *dev) + return ret; + } + +-static void bcmgenet_netif_stop(struct net_device *dev) ++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + +@@ -3416,6 +3416,8 @@ static void bcmgenet_netif_stop(struct net_device *dev) + /* Disable MAC transmit. 
TX DMA disabled must be done before this */ + umac_enable_set(priv, CMD_TX_EN, false); + ++ if (stop_phy) ++ phy_stop(dev->phydev); + bcmgenet_disable_rx_napi(priv); + bcmgenet_intr_disable(priv); + +@@ -3441,7 +3443,7 @@ static int bcmgenet_close(struct net_device *dev) + + netif_dbg(priv, ifdown, dev, "bcmgenet_close\n"); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, false); + + /* Really kill the PHY state machine and disconnect from it */ + phy_disconnect(dev->phydev); +@@ -4241,7 +4243,7 @@ static int bcmgenet_suspend(struct device *d) + + netif_device_detach(dev); + +- bcmgenet_netif_stop(dev); ++ bcmgenet_netif_stop(dev, true); + + if (!device_may_wakeup(d)) + phy_suspend(dev->phydev); +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch b/queue-5.15/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch new file mode 100644 index 00000000000..d4e72ee1ba8 --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch 
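Review bot: The bare `false` and `true` arguments at the two bcmgenet_netif_stop() call sites do not say what they control, and the new `stop_phy` parameter carries no comment explaining why close and suspend differ. From the hunk, bcmgenet_close() skips phy_stop() because phy_disconnect() follows directly, while bcmgenet_suspend() has to stop the state machine itself; that reasoning exists only in the two commit messages. I would add a comment above the conditional, e.g. `/* close: phy_disconnect() stops the PHY; suspend: stop the state machine here */`, so the race that led to the earlier removal is not reintroduced by someone passing `true` from the close path. The body of bcmgenet_netif_stop() continues outside the hunk.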
@@ -0,0 +1,37 @@ +From 3d87495fda982bfcf94420a077e3a6309ae57237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 09:38:54 +0200 +Subject: net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset + +From: Marco Migliore + +[ Upstream commit 1323e0c6e1d7e103d59384c3ac50f72b17a6936c ] + +According to datasheet, the command opcode must be specified +into bits [14:12] of the Extended Port Control register (EPC). + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family") +Signed-off-by: Marco Migliore +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/port.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h +index 03382b66f8003..3e68d534eaca5 100644 +--- a/drivers/net/dsa/mv88e6xxx/port.h ++++ b/drivers/net/dsa/mv88e6xxx/port.h +@@ -267,7 +267,7 @@ + /* Offset 0x10: Extended Port Control Command */ + #define MV88E6393X_PORT_EPC_CMD 0x10 + #define MV88E6393X_PORT_EPC_CMD_BUSY 0x8000 +-#define MV88E6393X_PORT_EPC_CMD_WRITE 0x0300 ++#define MV88E6393X_PORT_EPC_CMD_WRITE 0x3000 + #define MV88E6393X_PORT_EPC_INDEX_PORT_ETYPE 0x02 + + /* Offset 0x11: Extended Port Control Data */ +-- +2.39.2 + diff --git a/queue-5.15/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch b/queue-5.15/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch new file mode 100644 index 00000000000..48129c38625 --- /dev/null +++ b/queue-5.15/net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch 
@@ -0,0 +1,67 @@ +From 2e9788457577d2f79bf39a308b400114cf8913e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 22:00:20 +0200 +Subject: net: fec: Better handle pm_runtime_get() failing in .remove() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ] + +In the (unlikely) event that pm_runtime_get() (disguised as +pm_runtime_resume_and_get()) fails, the remove callback returned an +error early. The problem with this is that the driver core ignores the +error value and continues removing the device. This results in a +resource leak. Worse the devm allocated resources are freed and so if a +callback of the driver is called later the register mapping is already +gone which probably results in a crash. + +Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index afb30d679a473..c0c96de7a9de4 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -4054,9 +4054,11 @@ fec_drv_remove(struct platform_device *pdev) + struct device_node *np = pdev->dev.of_node; + int ret; + +- ret = pm_runtime_resume_and_get(&pdev->dev); ++ ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, ++ "Failed to resume device in remove callback (%pe)\n", ++ ERR_PTR(ret)); + + cancel_work_sync(&fep->tx_timeout_work); + fec_ptp_stop(pdev); +@@ -4069,8 +4071,13 @@ fec_drv_remove(struct platform_device *pdev) + 
of_phy_deregister_fixed_link(np); + of_node_put(fep->phy_node); + +- clk_disable_unprepare(fep->clk_ahb); +- clk_disable_unprepare(fep->clk_ipg); ++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip ++ * disabling them again. ++ */ ++ if (ret >= 0) { ++ clk_disable_unprepare(fep->clk_ahb); ++ clk_disable_unprepare(fep->clk_ipg); ++ } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +-- +2.39.2 + diff --git a/queue-5.15/net-hns3-fix-output-information-incomplete-for-dumpi.patch b/queue-5.15/net-hns3-fix-output-information-incomplete-for-dumpi.patch new file mode 100644 index 00000000000..78497cc94d7 --- /dev/null +++ b/queue-5.15/net-hns3-fix-output-information-incomplete-for-dumpi.patch 
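Review bot: After a failed pm_runtime_get_sync() in fec_drv_remove() only the two clk_disable_unprepare() calls are skipped; cancel_work_sync(), fec_ptp_stop() and the teardown steps between the two hunks still run with the device not resumed. If any of those steps reads or writes controller registers (their bodies are outside this diff), they would do so with the clocks off, which may stall the access instead of failing cleanly. I would either guard the register-touching steps with the same `if (ret >= 0)` test or add a comment stating that they are safe without clocks. The unconditional pm_runtime_put_noidle() is right because pm_runtime_get_sync() raises the usage count even when it fails, and a one-line comment saying so, e.g. `/* get_sync() bumps the usage count even on failure */`, would keep it from being "fixed" later.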
@@ -0,0 +1,54 @@ +From 1585635038536e608e73fc3d2dd14b5d4f51a2a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:11 +0800 +Subject: net: hns3: fix output information incomplete for dumping tx queue + info with debugfs + +From: Jie Wang + +[ Upstream commit 89f6bfb071182f05d7188c255b0e7251c3806f16 ] + +In function hns3_dump_tx_queue_info, The print buffer is not enough when +the tx BD number is configured to 32760. As a result several BD +information wouldn't be displayed. + +So fix it by increasing the tx queue print buffer length. + +Fixes: 630a6738da82 ("net: hns3: adjust string spaces of some parameters of tx bd info in debugfs") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 15ce1a33649ee..3158c08a3aa9c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -123,7 +123,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = { + .name = "tx_bd_queue", + .cmd = HNAE3_DBG_CMD_TX_BD, + .dentry = HNS3_DBG_DENTRY_TX_BD, +- .buf_len = HNS3_DBG_READ_LEN_4MB, ++ .buf_len = HNS3_DBG_READ_LEN_5MB, + .init = hns3_dbg_bd_file_init, + }, + { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +index 814f7491ca08d..fb0c907cec852 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h +@@ -8,6 +8,7 @@ + #define HNS3_DBG_READ_LEN_128KB 0x20000 + #define HNS3_DBG_READ_LEN_1MB 0x100000 + #define HNS3_DBG_READ_LEN_4MB 0x400000 ++#define HNS3_DBG_READ_LEN_5MB 0x500000 + #define HNS3_DBG_WRITE_LEN 1024 
+ + #define HNS3_DBG_DATA_STR_LEN 32 +-- +2.39.2 + diff --git a/queue-5.15/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch b/queue-5.15/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch new file mode 100644 index 00000000000..2f2f384c0a9 --- /dev/null +++ b/queue-5.15/net-hns3-fix-reset-delay-time-to-avoid-configuration.patch @@ -0,0 +1,44 @@ +From 6e25f202c64d3b9ee36e2d392dab89ee4ed0fd2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:13 +0800 +Subject: net: hns3: fix reset delay time to avoid configuration timeout + +From: Jie Wang + +[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ] + +Currently the hns3 vf function reset delays 5000ms before vf rebuild +process. In product applications, this delay is too long for application +configurations and causes configuration timeout. + +According to the tests, 500ms delay is enough for reset process except PF +FLR. So this patch modifies delay to 500ms in these scenarios. + +Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer") +Signed-off-by: Jie Wang +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 3c1ff33132213..bc140e3620d6c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -1885,7 +1885,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev) + * might happen in case reset assertion was made by PF. Yes, this also + * means we might end up waiting bit more even for VF reset. + */ +- msleep(5000); ++ if (hdev->reset_type == HNAE3_VF_FULL_RESET) ++ msleep(5000); ++ else ++ msleep(500); + + return 0; + } +-- +2.39.2 + 
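Review bot: The comment above the new `if` in hclgevf_reset_wait() still says the VF "might end up waiting bit more even for VF reset", which no longer describes the code now that only HNAE3_VF_FULL_RESET keeps the 5000 ms wait. The commit message says 500 ms is enough "except PF FLR", but the code tests HNAE3_VF_FULL_RESET, and how that reset type corresponds to a PF FLR is not visible in this hunk. I would update the comment to state that mapping, e.g. `/* only a full VF reset (triggered by PF FLR) needs the long wait; 500 ms is enough otherwise */` once confirmed, and replace the two literals passed to msleep() with named constants.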
diff --git a/queue-5.15/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch b/queue-5.15/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch new file mode 100644 index 00000000000..1888b29c32a --- /dev/null +++ b/queue-5.15/net-hns3-fix-sending-pfc-frames-after-reset-issue.patch 
@@ -0,0 +1,91 @@ +From b8d03d63014dc8e7e16850ab17458fc69b609f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:00:12 +0800 +Subject: net: hns3: fix sending pfc frames after reset issue + +From: Jijie Shao + +[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ] + +To prevent the system from abnormally sending PFC frames after an +abnormal reset. The hns3 driver notifies the firmware to disable pfc +before reset. + +Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset") +Signed-off-by: Jijie Shao +Signed-off-by: Hao Lan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------ + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++-- + .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index f4d58fcdba272..bfdc021f4a190 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -8134,12 +8134,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle) + /* If it is not PF reset or FLR, the firmware will disable the MAC, + * so it only need to stop phy here. 
+ */ +- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && +- hdev->reset_type != HNAE3_FUNC_RESET && +- hdev->reset_type != HNAE3_FLR_RESET) { +- hclge_mac_stop_phy(hdev); +- hclge_update_link_status(hdev); +- return; ++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) { ++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, ++ HCLGE_PFC_DISABLE); ++ if (hdev->reset_type != HNAE3_FUNC_RESET && ++ hdev->reset_type != HNAE3_FLR_RESET) { ++ hclge_mac_stop_phy(hdev); ++ hclge_update_link_status(hdev); ++ return; ++ } + } + + hclge_reset_tqp(handle); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index afc47c9b5ec46..97a6864f60ef4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -171,8 +171,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) + return hclge_cmd_send(&hdev->hw, &desc, 1); + } + +-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, +- u8 pfc_bitmap) ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap) + { + struct hclge_desc desc; + struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index 5df18cc3ee556..2c5256d7f9962 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -155,6 +155,9 @@ struct hclge_bp_to_qs_map_cmd { + u32 rsvd1; + }; + ++#define HCLGE_PFC_DISABLE 0 ++#define HCLGE_PFC_TX_RX_DISABLE 0 ++ + struct hclge_pfc_en_cmd { + u8 tx_rx_en_bitmap; + u8 pri_en_bitmap; +@@ -226,6 +229,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc); + void hclge_tm_pfc_info_update(struct hclge_dev *hdev); + int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + int 
hclge_tm_init_hw(struct hclge_dev *hdev, bool init); ++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap, ++ u8 pfc_bitmap); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); + void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-- +2.39.2 + diff --git a/queue-5.15/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch b/queue-5.15/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch new file mode 100644 index 00000000000..b49efa84d0e --- /dev/null +++ b/queue-5.15/net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch 
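Review bot: The return value of hclge_pfc_pause_en_cfg() is discarded at the new call in hclge_ae_stop(), although the function returns int and, judging by the descriptor it builds in hclge_tm.c, sends a firmware command that can fail. If it fails, PFC stays enabled across the reset, which is the condition this commit sets out to prevent, and nothing is logged. I would capture the result and report it, e.g. `ret = hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, HCLGE_PFC_DISABLE);` followed by `if (ret) dev_warn(&hdev->pdev->dev, "failed to disable pfc before reset, ret = %d\n", ret);`. The existing comment ("If it is not PF reset or FLR, ...") now sits above the outer test and should move down to the inner `if` it actually describes.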
@@ -0,0 +1,101 @@ +From 682a88dc5a294bcc6e5a2d1b69eedea867fe38a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 20:54:40 +0800 +Subject: net: nsh: Use correct mac_offset to unwind gso skb in + nsh_gso_segment() + +From: Dong Chenchen + +[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] + +As the call trace shows, skb_panic was caused by wrong skb->mac_header +in nsh_gso_segment(): + +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 +RIP: 0010:skb_panic+0xda/0xe0 +call Trace: + skb_push+0x91/0xa0 + nsh_gso_segment+0x4f3/0x570 + skb_mac_gso_segment+0x19e/0x270 + __skb_gso_segment+0x1e8/0x3c0 + validate_xmit_skb+0x452/0x890 + validate_xmit_skb_list+0x99/0xd0 + sch_direct_xmit+0x294/0x7c0 + __dev_queue_xmit+0x16f0/0x1d70 + packet_xmit+0x185/0x210 + packet_snd+0xc15/0x1170 + packet_sendmsg+0x7b/0xa0 + sock_sendmsg+0x14f/0x160 + +The root cause is: +nsh_gso_segment() use skb->network_header - nhoff to reset mac_header +in skb_gso_error_unwind() if inner-layer protocol gso fails. +However, skb->network_header may be reset by inner-layer protocol +gso function e.g. mpls_gso_segment. skb->mac_header reset by the +inaccurate network_header will be larger than skb headroom. + +nsh_gso_segment + nhoff = skb->network_header - skb->mac_header; + __skb_pull(skb,nsh_len) + skb_mac_gso_segment + mpls_gso_segment + skb_reset_network_header(skb);//skb->network_header+=nsh_len + return -EINVAL; + skb_gso_error_unwind + skb_push(skb, nsh_len); + skb->mac_header = skb->network_header - nhoff; + // skb->mac_header > skb->headroom, cause skb_push panic + +Use correct mac_offset to restore mac_header and get rid of nhoff. + +Fixes: c411ed854584 ("nsh: add GSO support") +Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Dong Chenchen +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/nsh/nsh.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c +index e9ca007718b7e..0f23e5e8e03eb 100644 +--- a/net/nsh/nsh.c ++++ b/net/nsh/nsh.c +@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + netdev_features_t features) + { + struct sk_buff *segs = ERR_PTR(-EINVAL); ++ u16 mac_offset = skb->mac_header; + unsigned int nsh_len, mac_len; + __be16 proto; +- int nhoff; + + skb_reset_network_header(skb); + +- nhoff = skb->network_header - skb->mac_header; + mac_len = skb->mac_len; + + if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) +@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, + segs = skb_mac_gso_segment(skb, features); + if (IS_ERR_OR_NULL(segs)) { + skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, +- skb->network_header - nhoff, +- mac_len); ++ mac_offset, mac_len); + goto out; + } + + for (skb = segs; skb; skb = skb->next) { + skb->protocol = htons(ETH_P_NSH); + __skb_push(skb, nsh_len); +- skb_set_mac_header(skb, -nhoff); ++ skb->mac_header = mac_offset; + skb->network_header = skb->mac_header + mac_len; + skb->mac_len = mac_len; + } +-- +2.39.2 + diff --git a/queue-5.15/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch b/queue-5.15/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch new file mode 100644 index 00000000000..7c262916e2c --- /dev/null +++ b/queue-5.15/net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch 
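Review bot: In the segment loop of nsh_gso_segment() the new `skb->mac_header = mac_offset;` copies a head-relative offset captured from the original skb into every segment returned by skb_mac_gso_segment(), where the old code computed the value relative to each segment's own data pointer. That is valid only if every segment keeps the same headroom layout as the original, which nothing in the hunk shows. For the error path the saved offset is clearly right, because skb_gso_error_unwind() operates on the same skb. I would add a comment at the loop stating the assumption, e.g. `/* segments keep the original headroom, so the saved offset is still valid - confirm against skb_segment() */`, since a wrong mac_header here ends in the same skb_push() panic the commit message shows.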
@@ -0,0 +1,77 @@ +From d9679744b5bfe0ed7ab0bc514d739d0e9dd08cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:21:39 +0530 +Subject: net: phy: dp83867: add w/a for packet errors seen with short cables + +From: Grygorii Strashko + +[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ] + +Introduce the W/A for packet errors seen with short cables (<1m) between +two DP83867 PHYs. + +The W/A recommended by DM requires FFE Equalizer Configuration tuning by +writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard +and soft resets as follows: + +write_reg(0x001F, 0x8000); //hard reset +write_reg(DSP_FFE_CFG, 0x0E81); +write_reg(0x001F, 0x4000); //soft reset + +Since DP83867 PHY DM says "Changing this register to 0x0E81, will not +affect Long Cable performance.", enable the W/A by default. + +Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy") +Signed-off-by: Grygorii Strashko +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index 783e30451e30d..6230dd5e29902 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -41,6 +41,7 @@ + #define DP83867_STRAP_STS1 0x006E + #define DP83867_STRAP_STS2 0x006f + #define DP83867_RGMIIDCTL 0x0086 ++#define DP83867_DSP_FFE_CFG 0x012c + #define DP83867_RXFCFG 0x0134 + #define DP83867_RXFPMD1 0x0136 + #define DP83867_RXFPMD2 0x0137 +@@ -841,8 +842,27 @@ static int dp83867_phy_reset(struct phy_device *phydev) + + usleep_range(10, 20); + +- return phy_modify(phydev, MII_DP83867_PHYCTRL, ++ err = phy_modify(phydev, MII_DP83867_PHYCTRL, + DP83867_PHYCR_FORCE_LINK_GOOD, 0); ++ if (err < 0) ++ return err; ++ ++ /* Configure the DSP Feedforward Equalizer Configuration register to ++ * improve short cable (< 1 meter) performance. This will not affect ++ * long cable performance. ++ */ ++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG, ++ 0x0e81); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); ++ if (err < 0) ++ return err; ++ ++ usleep_range(10, 20); ++ ++ return 0; + } + + static void dp83867_link_change_notify(struct phy_device *phydev) +-- +2.39.2 + diff --git a/queue-5.15/netfilter-nf_tables-fix-nft_trans-type-confusion.patch b/queue-5.15/netfilter-nf_tables-fix-nft_trans-type-confusion.patch new file mode 100644 index 00000000000..602357af0f9 --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-fix-nft_trans-type-confusion.patch 
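Review bot: The value written to DP83867_DSP_FFE_CFG in dp83867_phy_reset() is the bare literal `0x0e81`, and the order of operations in the code is not obviously the one the commit message prescribes. The message gives hard reset, register write, soft reset; the hunk shows the write after the phy_modify() on MII_DP83867_PHYCTRL and before the DP83867_SW_RESTART write, with the earlier reset steps outside the hunk. I would give the value a name next to the new register define and extend the comment to say the write has to sit between the two resets, e.g. `/* must follow the hard reset above and precede the SW restart below */`, so a later reordering of this function does not silently drop the workaround.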
@@ -0,0 +1,43 @@
+From df0156ca3ed88a65be2839207b53996f90fb6c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 14:15:15 +0200
+Subject: netfilter: nf_tables: fix nft_trans type confusion
+
+From: Florian Westphal
+
+[ Upstream commit e3c361b8acd636f5fe80c02849ca175201edf10c ]
+
+nft_trans_FOO objects all share a common nft_trans base structure, but
+trailing fields depend on the real object size. Access is only safe after
+trans->msg_type check.
+
+Check for rule type first. Found by code inspection.
+
+Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 091df8a7cb1e7..f20244a91d781 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3595,12 +3595,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+ struct nft_trans *trans;
+
+ list_for_each_entry(trans, &nft_net->commit_list, list) {
+- struct nft_rule *rule = nft_trans_rule(trans);
+-
+ if (trans->msg_type == NFT_MSG_NEWRULE &&
+ trans->ctx.chain == chain &&
+ id == nft_trans_rule_id(trans))
+- return rule;
++ return nft_trans_rule(trans);
+ }
+ return ERR_PTR(-ENOENT);
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch b/queue-5.15/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
new file mode 100644
index 00000000000..f071172d35e
--- /dev/null
+++ b/queue-5.15/netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
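Review bot: The condition in `nft_rule_lookup_byid()` is now safe only because `trans->msg_type == NFT_MSG_NEWRULE` is evaluated before `nft_trans_rule_id(trans)`, and nothing in the code says that the operand order matters. A one-line comment above the `if`, such as `/* msg_type must be checked first: the rule accessors are only valid for NFT_MSG_NEWRULE transactions */`, would keep a later reordering of the `&&` operands from reintroducing the type confusion the commit message describes. The start of the function lies outside the hunk.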
@@ -0,0 +1,88 @@
+From 96395bef357ae1ab6010728e561e0d752ae0e1ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 22:39:30 +0200
+Subject: netfilter: nft_set_rbtree: fix null deref on element insertion
+
+From: Florian Westphal
+
+[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ]
+
+There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
+
+general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ nft_add_set_elem+0x14b0/0x2990
+ nf_tables_newsetelem+0x528/0xb30
+
+Furthermore, there is a possible use-after-free while iterating,
+'node' can be free'd so we need to cache the next value to use.
+
+Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_rbtree.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 19ea4d3c35535..2f114aa10f1a7 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -221,7 +221,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ {
+ struct nft_set *set = (struct nft_set *)__set;
+ struct rb_node *prev = rb_prev(&rbe->node);
+- struct nft_rbtree_elem *rbe_prev;
++ struct nft_rbtree_elem *rbe_prev = NULL;
+ struct nft_set_gc_batch *gcb;
+
+ gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
+@@ -229,17 +229,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ return -ENOMEM;
+
+ /* search for expired end interval coming before this element. */
+- do {
++ while (prev) {
+ rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+ if (nft_rbtree_interval_end(rbe_prev))
+ break;
+
+ prev = rb_prev(prev);
+- } while (prev != NULL);
++ }
++
++ if (rbe_prev) {
++ rb_erase(&rbe_prev->node, &priv->root);
++ atomic_dec(&set->nelems);
++ }
+
+- rb_erase(&rbe_prev->node, &priv->root);
+ rb_erase(&rbe->node, &priv->root);
+- atomic_sub(2, &set->nelems);
++ atomic_dec(&set->nelems);
+
+ nft_set_gc_batch_add(gcb, rbe);
+ nft_set_gc_batch_complete(gcb);
+@@ -268,7 +272,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ struct nft_set_ext **ext)
+ {
+ struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
+- struct rb_node *node, *parent, **p, *first = NULL;
++ struct rb_node *node, *next, *parent, **p, *first = NULL;
+ struct nft_rbtree *priv = nft_set_priv(set);
+ u8 genmask = nft_genmask_next(net);
+ int d, err;
+@@ -307,7 +311,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ * Values stored in the tree are in reversed order, starting from
+ * highest to lowest value.
+ */
+- for (node = first; node != NULL; node = rb_next(node)) {
++ for (node = first; node != NULL; node = next) {
++ next = rb_next(node);
++
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+
+ if (!nft_set_elem_active(&rbe->ext, genmask))
+--
+2.39.2
+
diff --git a/queue-5.15/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch b/queue-5.15/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch
new file mode 100644
index 00000000000..a1016775a59
--- /dev/null
+++ b/queue-5.15/revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch
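Review bot: In the second nft_set_rbtree.c hunk, `if (rbe_prev)` cannot tell "an end interval was found" from "the walk ran out of predecessors": once the `while (prev)` loop has run at least once, `rbe_prev` keeps pointing at the last node visited even when `nft_rbtree_interval_end()` never matched. In that case the block would `rb_erase()` an element that is not an end interval and decrement `set->nelems` for it. Guarding on the loop cursor instead, `if (prev) {`, erases only when the loop left through `break`, since `prev` is non-NULL exactly then. nft_rbtree_gc_elem() starts and ends outside the hunk, so its callers may already exclude this case; that is worth confirming.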
@@ -0,0 +1,125 @@
+From cbf4b6f4dfa35b245eef32cf66c79a35b647d408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Apr 2023 09:46:18 +0200
+Subject: Revert "Fix XFRM-I support for nested ESP tunnels"
+
+From: Martin Willi
+
+[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ]
+
+This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.
+
+The reverted commit clears the secpath on packets received via xfrm interfaces
+to support nested IPsec tunnels. This breaks Netfilter policy matching using
+xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
+Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.
+
+Fix this regression by reverting the commit until we have a better approach
+for nested IPsec tunnels.
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
+Signed-off-by: Martin Willi
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_interface.c | 54 +++------------------------------------
+ net/xfrm/xfrm_policy.c | 3 ---
+ 2 files changed, 4 insertions(+), 53 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index 694eec6ca147e..1e8b26eecb3f8 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -207,52 +207,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->mark = 0;
+ }
+
+-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type, unsigned short family)
+-{
+- struct sec_path *sp;
+-
+- sp = skb_sec_path(skb);
+- if (sp && (sp->len || sp->olen) &&
+- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+- goto discard;
+-
+- XFRM_SPI_SKB_CB(skb)->family = family;
+- if (family == AF_INET) {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+- } else {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+- }
+-
+- return xfrm_input(skb, nexthdr, spi, encap_type);
+-discard:
+- kfree_skb(skb);
+- return 0;
+-}
+-
+-static int xfrmi4_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
+-}
+-
+-static int xfrmi6_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
+- 0, 0, AF_INET6);
+-}
+-
+-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
+-}
+-
+-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
+-}
+-
+ static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
+ {
+ const struct xfrm_mode *inner_mode;
+@@ -820,8 +774,8 @@ static struct pernet_operations xfrmi_net_ops = {
+ };
+
+ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
+- .handler = xfrmi6_rcv,
+- .input_handler = xfrmi6_input,
++ .handler = xfrm6_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+ .priority = 10,
+@@ -871,8 +825,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ #endif
+
+ static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
+- .handler = xfrmi4_rcv,
+- .input_handler = xfrmi4_input,
++ .handler = xfrm4_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+ .priority = 10,
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 37eeda0f123cd..c15ef8003caa9 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3663,9 +3663,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ goto reject;
+ }
+
+- if (if_id)
+- secpath_reset(skb);
+-
+ xfrm_pols_put(pols, npols);
+ return 1;
+ }
+--
+2.39.2
+
diff --git a/queue-5.15/s390-cio-include-subchannels-without-devices-also-fo.patch b/queue-5.15/s390-cio-include-subchannels-without-devices-also-fo.patch
new file mode 100644
index 00000000000..e8ded2d3561
--- /dev/null
+++ b/queue-5.15/s390-cio-include-subchannels-without-devices-also-fo.patch
@@ -0,0 +1,44 @@
+From 0ee472f9dd77728142a0cae241b828756c825bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 May 2023 11:12:42 +0200
+Subject: s390/cio: include subchannels without devices also for evaluation
+
+From: Vineeth Vijayan
+
+[ Upstream commit b1b0d5aec1cf9f9a900a14964f869c68688d923e ]
+
+Currently when the new channel-path is enabled, we do evaluation only
+on the subchannels with a device connected on it. This is because,
+in the past, if the device in the subchannel is not working or not
+available, we used to unregister the subchannels. But, from the 'commit
+2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")'
+we allow subchannels with or without an active device connected
+on it. So, when we do the io_subchannel_verify, make sure that,
+we are evaluating the subchannels without any device too.
+
+Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
+Reported-by: Boris Fiuczynski
+Signed-off-by: Vineeth Vijayan
+Reviewed-by: Peter Oberparleiter
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/cio/device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index 61cde02b23fec..b21fa57d1a46b 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1116,6 +1116,8 @@ static void io_subchannel_verify(struct subchannel *sch)
+ cdev = sch_get_cdev(sch);
+ if (cdev)
+ dev_fsm_event(cdev, DEV_EVENT_VERIFY);
++ else
++ css_schedule_eval(sch->schid);
+ }
+
+ static void io_subchannel_terminate_path(struct subchannel *sch, u8 mask)
+--
+2.39.2
+
diff --git a/queue-5.15/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch b/queue-5.15/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch
new file mode 100644
index 00000000000..5576f8beb80
--- /dev/null
+++ b/queue-5.15/scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch
@@ -0,0 +1,65 @@
+From 958775351ba84f81081ff2c2e6a6b3359f4b521a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 10:20:41 -0700
+Subject: scsi: storvsc: Don't pass unused PFNs to Hyper-V host
+
+From: Michael Kelley
+
+[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ]
+
+In a SCSI request, storvsc pre-allocates space for up to
+MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If
+the size of the I/O request requires more PFNs, a separate memory area of
+exactly the correct size is dynamically allocated.
+
+But when the pre-allocated area is used, current code always passes
+MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While
+this doesn't break anything because the additional PFNs are always zero,
+more bytes than necessary are copied into the VMBus channel ring buffer.
+This takes CPU cycles and wastes space in the ring buffer. For a typical 4
+Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are
+copied.
+
+Fix this by setting the payload_sz based on the actual number of PFNs
+required, not the size of the pre-allocated space.
+
+Reported-by: John Starks
+Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K")
+Signed-off-by: Michael Kelley
+Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/storvsc_drv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 83a3d9f085d84..c9b1500c2ab87 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1843,7 +1843,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
+- payload_sz = sizeof(cmd_request->mpb);
++ payload_sz = 0;
+
+ if (sg_count) {
+ unsigned int hvpgoff, hvpfns_to_add;
+@@ -1851,10 +1851,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+ unsigned int hvpg_count = HVPFN_UP(offset_in_hvpg + length);
+ u64 hvpfn;
+
+- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
++ payload_sz = (hvpg_count * sizeof(u64) +
++ sizeof(struct vmbus_packet_mpb_array));
+
+- payload_sz = (hvpg_count * sizeof(u64) +
+- sizeof(struct vmbus_packet_mpb_array));
++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
+ payload = kzalloc(payload_sz, GFP_ATOMIC);
+ if (!payload)
+ return SCSI_MLQUEUE_DEVICE_BUSY;
+--
+2.39.2
+
diff --git a/queue-5.15/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch b/queue-5.15/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch
new file mode 100644
index 00000000000..d2aa902f50a
--- /dev/null
+++ b/queue-5.15/selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch
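Review bot: After the second storvsc_drv.c hunk, `payload_sz` is computed from `hvpg_count` on both paths, so when `hvpg_count <= MAX_PAGE_BUFFER_COUNT` the length later handed to the VMBus send path is no longer tied to `sizeof(cmd_request->mpb)`, the buffer `payload` still points at. The arithmetic presumably stays within that buffer, but its declaration is not in the hunk. A compile-time check next to the computation, e.g. `BUILD_BUG_ON(sizeof(struct vmbus_packet_mpb_array) + MAX_PAGE_BUFFER_COUNT * sizeof(u64) > sizeof(cmd_request->mpb));`, would state the bound explicitly, so that a later layout change cannot silently make the guest copy bytes from beyond the request into the ring buffer shared with the host. storvsc_queuecommand() continues past the hunk.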
@@ -0,0 +1,56 @@
+From 9322046705d95eaaad031626d783659370352f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 13:16:37 +0200
+Subject: selftests: seg6: disable DAD on IPv6 router cfg for
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer
+
+[ Upstream commit 21a933c79a33add3612808f3be4ad65dd4dc026b ]
+
+The srv6_end_dt4_l3vpn_test instantiates a virtual network consisting of
+several routers (rt-1, rt-2) and hosts.
+When the IPv6 addresses of rt-{1,2} routers are configured, the Deduplicate
+Address Detection (DAD) kicks in when enabled in the Linux distros running
+the selftests. DAD is used to check whether an IPv6 address is already
+assigned in a network. Such a mechanism consists of sending an ICMPv6 Echo
+Request and waiting for a reply.
+As the DAD process could take too long to complete, it may cause the
+failing of some tests carried out by the srv6_end_dt4_l3vpn_test script.
+
+To make the srv6_end_dt4_l3vpn_test more robust, we disable DAD on routers
+since we configure the virtual network manually and do not need any address
+deduplication mechanism at all.
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Signed-off-by: Andrea Mayer
+Reviewed-by: David Ahern
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 1003119773e5d..37f08d582d2fe 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -232,10 +232,14 @@ setup_rt_networking()
+ local nsname=rt-${rt}
+
+ ip netns add ${nsname}
++
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0
++
+ ip link set veth-rt-${rt} netns ${nsname}
+ ip -netns ${nsname} link set veth-rt-${rt} name veth0
+
+- ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0
++ ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad
+ ip -netns ${nsname} link set veth0 up
+ ip -netns ${nsname} link set lo up
+
+--
+2.39.2
+
diff --git a/queue-5.15/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch b/queue-5.15/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch
new file mode 100644
index 00000000000..948ef258dfa
--- /dev/null
+++ b/queue-5.15/selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch
@@ -0,0 +1,63 @@
+From e3eac71692c056f2b2059063c55b5c9091d58d2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 13:16:38 +0200
+Subject: selftets: seg6: disable rp_filter by default in
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer
+
+[ Upstream commit f97b8401e0deb46ad1e4245c21f651f64f55aaa6 ]
+
+On some distributions, the rp_filter is automatically set (=1) by
+default on a netdev basis (also on VRFs).
+In an SRv6 End.DT4 behavior, decapsulated IPv4 packets are routed using
+the table associated with the VRF bound to that tunnel. During lookup
+operations, the rp_filter can lead to packet loss when activated on the
+VRF.
+Therefore, we chose to make this selftest more robust by explicitly
+disabling the rp_filter during tests (as it is automatically set by some
+Linux distributions).
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Reported-by: Hangbin Liu
+Signed-off-by: Andrea Mayer
+Tested-by: Hangbin Liu
+Reviewed-by: David Ahern
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ .../testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 37f08d582d2fe..f962823628119 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -258,6 +258,12 @@ setup_hs()
+
+ # set the networking for the host
+ ip netns add ${hsname}
++
++ # disable the rp_filter otherwise the kernel gets confused about how
++ # to route decap ipv4 packets.
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.default.rp_filter=0
++
+ ip -netns ${hsname} link add veth0 type veth peer name ${rtveth}
+ ip -netns ${hsname} link set ${rtveth} netns ${rtname}
+ ip -netns ${hsname} addr add ${IPv4_HS_NETWORK}.${hs}/24 dev veth0
+@@ -276,11 +282,6 @@ setup_hs()
+
+ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.proxy_arp=1
+
+- # disable the rp_filter otherwise the kernel gets confused about how
+- # to route decap ipv4 packets.
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.rp_filter=0
+-
+ ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode"
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.15/serial-8250_bcm7271-balance-clk_enable-calls.patch b/queue-5.15/serial-8250_bcm7271-balance-clk_enable-calls.patch
new file mode 100644
index 00000000000..b82c7129d72
--- /dev/null
+++ b/queue-5.15/serial-8250_bcm7271-balance-clk_enable-calls.patch
@@ -0,0 +1,58 @@
+From b04f425156c0f812c1a64d2ff62555edab45a8d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Apr 2023 11:19:15 -0700
+Subject: serial: 8250_bcm7271: balance clk_enable calls
+
+From: Doug Berger
+
+[ Upstream commit 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d ]
+
+The sw_baud clock must be disabled when the device driver is not
+connected to the device. This now occurs when probe fails and
+upon remove.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230427181916.2983697-2-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 87ff28a3a94c5..513ed24cba5ce 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1036,7 +1036,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ if (clk_rate == 0) {
+ dev_err(dev, "clock-frequency or clk not defined\n");
+ ret = -EINVAL;
+- goto release_dma;
++ goto err_clk_disable;
+ }
+
+ dev_dbg(dev, "DMA is %senabled\n", priv->dma_enabled ? "" : "not ");
+@@ -1123,6 +1123,8 @@ static int brcmuart_probe(struct platform_device *pdev)
+ serial8250_unregister_port(priv->line);
+ err:
+ brcmuart_free_bufs(dev, priv);
++err_clk_disable:
++ clk_disable_unprepare(baud_mux_clk);
+ release_dma:
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+@@ -1137,6 +1139,7 @@ static int brcmuart_remove(struct platform_device *pdev)
+ hrtimer_cancel(&priv->hrt);
+ serial8250_unregister_port(priv->line);
+ brcmuart_free_bufs(&pdev->dev, priv);
++ clk_disable_unprepare(priv->baud_mux_clk);
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+ return 0;
+--
+2.39.2
+
diff --git a/queue-5.15/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch b/queue-5.15/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch
new file mode 100644
index 00000000000..55a48c6c7b0
--- /dev/null
+++ b/queue-5.15/serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch
@@ -0,0 +1,43 @@
+From 6c6666d9c1677818afd5a7a8e8005a3ecbd9549c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Apr 2023 11:19:16 -0700
+Subject: serial: 8250_bcm7271: fix leak in `brcmuart_probe`
+
+From: Doug Berger
+
+[ Upstream commit f264f2f6f4788dc031cef60a0cf2881902736709 ]
+
+Smatch reports:
+drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:
+'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032.
+
+The issue is fixed by using a managed clock.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230427181916.2983697-3-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 513ed24cba5ce..f95047160b4d2 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1016,7 +1016,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ of_property_read_u32(np, "clock-frequency", &clk_rate);
+
+ /* See if a Baud clock has been specified */
+- baud_mux_clk = of_clk_get_by_name(np, "sw_baud");
++ baud_mux_clk = devm_clk_get(dev, "sw_baud");
+ if (IS_ERR(baud_mux_clk)) {
+ if (PTR_ERR(baud_mux_clk) == -EPROBE_DEFER) {
+ ret = -EPROBE_DEFER;
+--
+2.39.2
+
diff --git a/queue-5.15/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch b/queue-5.15/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
new file mode 100644
index 00000000000..0670d8d240c
--- /dev/null
+++ b/queue-5.15/serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
@@ -0,0 +1,51 @@
+From e4ead7250a0ad78fe03e012b5353615456839501 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Apr 2023 11:16:36 +0800
+Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
+
+From: Ke Zhang
+
+[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]
+
+Smatch reports:
+
+drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
+'port->membase' from of_iomap() not released on lines: 631.
+
+In arc_serial_probe(), if uart_add_one_port() fails,
+port->membase is not released, which would cause a resource leak.
+
+To fix this, I replace of_iomap with devm_platform_ioremap_resource.
+
+Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
+Signed-off-by: Ke Zhang
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/arc_uart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
+index 596217d10d5c7..4d0e992f78445 100644
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -607,10 +607,11 @@ static int arc_serial_probe(struct platform_device *pdev)
+ }
+ uart->baud = val;
+
+- port->membase = of_iomap(np, 0);
+- if (!port->membase)
++ port->membase = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(port->membase)) {
+ /* No point of dev_err since UART itself is hosed here */
+- return -ENXIO;
++ return PTR_ERR(port->membase);
++ }
+
+ port->irq = irq_of_parse_and_map(np, 0);
+
+--
+2.39.2
+
diff --git a/queue-5.15/series b/queue-5.15/series
index fb05735ac9a..5ff6b679abe 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -104,3 +104,57 @@ parisc-replace-regular-spinlock-with-spin_trylock-on.patch
 platform-x86-hp-wmi-support-touchpad-on-off.patch
 platform-x86-move-existing-hp-drivers-to-a-new-hp-su.patch
 platform-x86-hp-wmi-add-micmute-to-hp_wmi_keymap-str.patch
+xfrm-don-t-check-the-default-policy-if-the-policy-al.patch
+revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch
+drm-msm-dp-unregister-audio-driver-during-unbind.patch
+drm-msm-dpu-add-intf_5-interrupts.patch
+drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch
+drm-msm-dpu-remove-duplicate-register-defines-from-i.patch
+dt-bindings-display-msm-dsi-controller-main-document.patch
+asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch
+cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
+af_key-reject-optional-tunnel-beet-mode-templates-in.patch
+selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch
+selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch
+net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
+net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch
+alsa-firewire-digi00x-prevent-potential-use-after-fr.patch
+alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch
+vsock-avoid-to-close-connected-socket-after-the-time.patch
+tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch
+serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
+serial-8250_bcm7271-balance-clk_enable-calls.patch
+serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch
+erspan-get-the-proto-with-the-md-version-for-collect.patch
+net-hns3-fix-output-information-incomplete-for-dumpi.patch
+net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
+net-hns3-fix-reset-delay-time-to-avoid-configuration.patch
+media-netup_unidvb-fix-use-after-free-at-del_timer.patch
+sunrpc-double-free-xprt_ctxt-while-still-in-use.patch
+tracing-introduce-helpers-to-safely-handle-dynamic-s.patch
+sunrpc-clean-up-svc_deferred_class-trace-events.patch
+sunrpc-remove-dead-code-in-svc_tcp_release_rqst.patch
+sunrpc-remove-svc_rqst-rq_xprt_hlen.patch
+sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch
+sunrpc-fix-trace_svc_register-call-site.patch
+drm-exynos-fix-g2d_open-close-helper-function-defini.patch
+net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
+virtio-net-maintain-reverse-cleanup-order.patch
+virtio_net-fix-error-unwinding-of-xdp-initialization.patch
+tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch
+tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch
+tipc-check-the-bearer-min-mtu-properly-when-setting-.patch
+s390-cio-include-subchannels-without-devices-also-fo.patch
+net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
+net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
+wifi-mac80211-fix-min-center-freq-offset-tracing.patch
+wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch
+wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
+scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch
+cassini-fix-a-memory-leak-in-the-error-handling-path.patch
+net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch
+igb-fix-bit_shift-to-be-in-1.8-range.patch
+vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+netfilter-nf_tables-fix-nft_trans-type-confusion.patch
+netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
+bridge-always-declare-tunnel-functions.patch
diff --git a/queue-5.15/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch b/queue-5.15/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch
new file mode 100644
index 00000000000..1c71023331b
--- /dev/null
+++ b/queue-5.15/sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch
@@ -0,0 +1,267 @@ +From 0c425df52d98dc9d0c9cc3bc868496657e35f403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 09:42:47 +1000 +Subject: SUNRPC: always free ctxt when freeing deferred request + +From: NeilBrown + +[ Upstream commit 948f072ada23e0a504c5e4d7d71d4c83bd0785ec ] + +Since the ->xprt_ctxt pointer was added to svc_deferred_req, it has not +been sufficient to use kfree() to free a deferred request. We may need +to free the ctxt as well. + +As freeing the ctxt is all that ->xpo_release_rqst() does, we repurpose +it to explicit do that even when the ctxt is not stored in an rqst. +So we now have ->xpo_release_ctxt() which is given an xprt and a ctxt, +which may have been taken either from an rqst or from a dreq. The +caller is now responsible for clearing that pointer after the call to +->xpo_release_ctxt. + +We also clear dr->xprt_ctxt when the ctxt is moved into a new rqst when +revisiting a deferred request. This ensures there is only one pointer +to the ctxt, so the risk of double freeing in future is reduced. The +new code in svc_xprt_release which releases both the ctxt and any +rq_deferred depends on this. 
+ +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/svc_rdma.h | 2 +- + include/linux/sunrpc/svc_xprt.h | 2 +- + net/sunrpc/svc_xprt.c | 23 +++++++++++++----- + net/sunrpc/svcsock.c | 30 +++++++++++++----------- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 ++++----- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 2 +- + 6 files changed, 41 insertions(+), 29 deletions(-) + +diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h +index 24aa159d29a7f..fbc4bd423b355 100644 +--- a/include/linux/sunrpc/svc_rdma.h ++++ b/include/linux/sunrpc/svc_rdma.h +@@ -176,7 +176,7 @@ extern struct svc_rdma_recv_ctxt * + extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + struct svc_rdma_recv_ctxt *ctxt); + extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma); +-extern void svc_rdma_release_rqst(struct svc_rqst *rqstp); ++extern void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *ctxt); + extern int svc_rdma_recvfrom(struct svc_rqst *); + + /* svc_rdma_rw.c */ +diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h +index 571f605bc91ef..154eee6bc6a01 100644 +--- a/include/linux/sunrpc/svc_xprt.h ++++ b/include/linux/sunrpc/svc_xprt.h +@@ -23,7 +23,7 @@ struct svc_xprt_ops { + int (*xpo_sendto)(struct svc_rqst *); + int (*xpo_result_payload)(struct svc_rqst *, unsigned int, + unsigned int); +- void (*xpo_release_rqst)(struct svc_rqst *); ++ void (*xpo_release_ctxt)(struct svc_xprt *xprt, void *ctxt); + void (*xpo_detach)(struct svc_xprt *); + void (*xpo_free)(struct svc_xprt *); + void (*xpo_secure_port)(struct svc_rqst *rqstp); +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 5da8e87979f15..5ff8f902f14d2 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -530,13 +530,23 @@ void svc_reserve(struct svc_rqst 
*rqstp, int space) + } + EXPORT_SYMBOL_GPL(svc_reserve); + ++static void free_deferred(struct svc_xprt *xprt, struct svc_deferred_req *dr) ++{ ++ if (!dr) ++ return; ++ ++ xprt->xpt_ops->xpo_release_ctxt(xprt, dr->xprt_ctxt); ++ kfree(dr); ++} ++ + static void svc_xprt_release(struct svc_rqst *rqstp) + { + struct svc_xprt *xprt = rqstp->rq_xprt; + +- xprt->xpt_ops->xpo_release_rqst(rqstp); ++ xprt->xpt_ops->xpo_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + +- kfree(rqstp->rq_deferred); ++ free_deferred(xprt, rqstp->rq_deferred); + rqstp->rq_deferred = NULL; + + pagevec_release(&rqstp->rq_pvec); +@@ -1054,7 +1064,7 @@ static void svc_delete_xprt(struct svc_xprt *xprt) + spin_unlock_bh(&serv->sv_lock); + + while ((dr = svc_deferred_dequeue(xprt)) != NULL) +- kfree(dr); ++ free_deferred(xprt, dr); + + call_xpt_users(xprt); + svc_xprt_put(xprt); +@@ -1166,8 +1176,8 @@ static void svc_revisit(struct cache_deferred_req *dreq, int too_many) + if (too_many || test_bit(XPT_DEAD, &xprt->xpt_flags)) { + spin_unlock(&xprt->xpt_lock); + trace_svc_defer_drop(dr); ++ free_deferred(xprt, dr); + svc_xprt_put(xprt); +- kfree(dr); + return; + } + dr->xprt = NULL; +@@ -1212,14 +1222,13 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->addrlen = rqstp->rq_addrlen; + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; +- dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } +- WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); +@@ -1253,6 +1262,8 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp) + rqstp->rq_daddr = dr->daddr; + rqstp->rq_respages = rqstp->rq_pages; + rqstp->rq_xprt_ctxt = 
dr->xprt_ctxt; ++ ++ dr->xprt_ctxt = NULL; + svc_xprt_received(rqstp->rq_xprt); + return dr->argslen << 2; + } +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 9a0a27d1199f5..6fc7a8c523696 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -111,27 +111,27 @@ static void svc_reclassify_socket(struct socket *sock) + #endif + + /** +- * svc_tcp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_tcp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_tcp_release_rqst(struct svc_rqst *rqstp) ++static void svc_tcp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { + } + + /** +- * svc_udp_release_rqst - Release transport-related resources +- * @rqstp: request structure with resources to be released ++ * svc_udp_release_ctxt - Release transport-related resources ++ * @xprt: the transport which owned the context ++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + */ +-static void svc_udp_release_rqst(struct svc_rqst *rqstp) ++static void svc_udp_release_ctxt(struct svc_xprt *xprt, void *ctxt) + { +- struct sk_buff *skb = rqstp->rq_xprt_ctxt; ++ struct sk_buff *skb = ctxt; + +- if (skb) { +- rqstp->rq_xprt_ctxt = NULL; ++ if (skb) + consume_skb(skb); +- } + } + + union svc_pktinfo_u { +@@ -559,7 +559,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_udp_release_rqst(rqstp); ++ svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + svc_set_cmsg_data(rqstp, cmh); + +@@ -628,7 +629,7 @@ static const struct svc_xprt_ops svc_udp_ops = { + .xpo_recvfrom = svc_udp_recvfrom, + .xpo_sendto = svc_udp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_udp_release_rqst, ++ .xpo_release_ctxt = svc_udp_release_ctxt, + 
.xpo_detach = svc_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_udp_has_wspace, +@@ -1156,7 +1157,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp) + unsigned int sent; + int err; + +- svc_tcp_release_rqst(rqstp); ++ svc_tcp_release_ctxt(xprt, rqstp->rq_xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + + atomic_inc(&svsk->sk_sendqlen); + mutex_lock(&xprt->xpt_mutex); +@@ -1201,7 +1203,7 @@ static const struct svc_xprt_ops svc_tcp_ops = { + .xpo_recvfrom = svc_tcp_recvfrom, + .xpo_sendto = svc_tcp_sendto, + .xpo_result_payload = svc_sock_result_payload, +- .xpo_release_rqst = svc_tcp_release_rqst, ++ .xpo_release_ctxt = svc_tcp_release_ctxt, + .xpo_detach = svc_tcp_sock_detach, + .xpo_free = svc_sock_free, + .xpo_has_wspace = svc_tcp_has_wspace, +diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +index f760342861694..3ad4291148a68 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -239,21 +239,20 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma, + } + + /** +- * svc_rdma_release_rqst - Release transport-specific per-rqst resources +- * @rqstp: svc_rqst being released ++ * svc_rdma_release_ctxt - Release transport-specific per-rqst resources ++ * @xprt: the transport which owned the context ++ * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt + * + * Ensure that the recv_ctxt is released whether or not a Reply + * was sent. For example, the client could close the connection, + * or svc_process could drop an RPC, before the Reply is sent. 
+ */ +-void svc_rdma_release_rqst(struct svc_rqst *rqstp) ++void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt) + { +- struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt; +- struct svc_xprt *xprt = rqstp->rq_xprt; ++ struct svc_rdma_recv_ctxt *ctxt = vctxt; + struct svcxprt_rdma *rdma = + container_of(xprt, struct svcxprt_rdma, sc_xprt); + +- rqstp->rq_xprt_ctxt = NULL; + if (ctxt) + svc_rdma_recv_ctxt_put(rdma, ctxt); + } +diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c +index 94b20fb471356..f776f0cb471f0 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -81,7 +81,7 @@ static const struct svc_xprt_ops svc_rdma_ops = { + .xpo_recvfrom = svc_rdma_recvfrom, + .xpo_sendto = svc_rdma_sendto, + .xpo_result_payload = svc_rdma_result_payload, +- .xpo_release_rqst = svc_rdma_release_rqst, ++ .xpo_release_ctxt = svc_rdma_release_ctxt, + .xpo_detach = svc_rdma_detach, + .xpo_free = svc_rdma_free, + .xpo_has_wspace = svc_rdma_has_wspace, +-- +2.39.2 + diff --git a/queue-5.15/sunrpc-clean-up-svc_deferred_class-trace-events.patch b/queue-5.15/sunrpc-clean-up-svc_deferred_class-trace-events.patch new file mode 100644 index 00000000000..8b186e27715 --- /dev/null +++ b/queue-5.15/sunrpc-clean-up-svc_deferred_class-trace-events.patch 
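Review bot: The kernel-doc on the renamed callbacks does not state the ownership rule this patch introduces, and the summary line of `svc_rdma_release_ctxt` still reads "per-rqst resources" although the context may now come from a deferred request. The commit message says the caller must clear its pointer after `->xpo_release_ctxt()`, and the new call sites in `svc_xprt_release()`, `svc_udp_sendto()` and `svc_tcp_sendto()` do so, but nothing on the callbacks or in `struct svc_xprt_ops` records it. I would add `* The caller must clear its own pointer to @ctxt after this call.` to each kernel-doc block. A short comment above `free_deferred()` should also say that it dereferences `xprt->xpt_ops` and so, presumably, has to run before `svc_xprt_put()`, as the reordering in `svc_revisit()` suggests. Several of the touched functions continue outside their hunks.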
@@ -0,0 +1,52 @@ +From 1bb0f5e96cc2ca6752e93d2a2b5b870d972108c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 15:50:12 -0400 +Subject: SUNRPC: Clean up svc_deferred_class trace events + +From: Chuck Lever + +[ Upstream commit 45cb7955c180a2a34d291e68938250c4f9bd294f ] + +Replace the temporary fix from commit 4d5004451ab2 ("SUNRPC: Fix the +svc_deferred_event trace class") with the use of __sockaddr and +friends, which is the preferred solution (but only available in 5.18 +and newer). + +Signed-off-by: Chuck Lever +Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request") +Signed-off-by: Sasha Levin +--- + include/trace/events/sunrpc.h | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index 2a598fb45bf4f..d49426c0444c9 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -1923,19 +1923,18 @@ DECLARE_EVENT_CLASS(svc_deferred_event, + TP_STRUCT__entry( + __field(const void *, dr) + __field(u32, xid) +- __array(__u8, addr, INET6_ADDRSTRLEN + 10) ++ __sockaddr(addr, dr->addrlen) + ), + + TP_fast_assign( + __entry->dr = dr; + __entry->xid = be32_to_cpu(*(__be32 *)(dr->args + + (dr->xprt_hlen>>2))); +- snprintf(__entry->addr, sizeof(__entry->addr) - 1, +- "%pISpc", (struct sockaddr *)&dr->addr); ++ __assign_sockaddr(addr, &dr->addr, dr->addrlen); + ), + +- TP_printk("addr=%s dr=%p xid=0x%08x", __entry->addr, __entry->dr, +- __entry->xid) ++ TP_printk("addr=%pISpc dr=%p xid=0x%08x", __get_sockaddr(addr), ++ __entry->dr, __entry->xid) + ); + + #define DEFINE_SVC_DEFERRED_EVENT(name) \ +-- +2.39.2 + diff --git a/queue-5.15/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch b/queue-5.15/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch new file mode 100644 index 00000000000..c61306b9985 --- /dev/null +++ b/queue-5.15/sunrpc-double-free-xprt_ctxt-while-still-in-use.patch 
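Review bot: Both `__sockaddr(addr, dr->addrlen)` and `__assign_sockaddr(addr, &dr->addr, dr->addrlen)` take the record size and the copy length from `dr->addrlen`, where the removed `snprintf()` wrote into a fixed-size array. That is only safe if `dr->addrlen` never exceeds the size of `dr->addr`, which this hunk does not show; elsewhere on this page `svc_defer()` copies it from `rqstp->rq_addrlen`. Once the bound is confirmed in the 5.15 tree, a one-line comment in `TP_fast_assign` such as `/* dr->addrlen never exceeds sizeof(dr->addr) */` would record the assumption.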
@@ -0,0 +1,58 @@ +From b7db5bf3edfa6279b5fe0cce9216769885a55807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 09:41:49 +1000 +Subject: SUNRPC: double free xprt_ctxt while still in use + +From: NeilBrown + +[ Upstream commit eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 ] + +When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out +of the svc_rqst into the svc_deferred_req. +When the deferred request is revisited, the pointer is copied into +the new svc_rqst - and also remains in the svc_deferred_req. + +In the (rare?) case that the request is deferred a second time, the old +svc_deferred_req is reused - it still has all the correct content. +However in that case the rq_xprt_ctxt pointer is NOT cleared so that +when xpo_release_xprt is called, the ctxt is freed (UDP) or possible +added to a free list (RDMA). +When the deferred request is revisited for a second time, it will +reference this ctxt which may be invalid, and the free the object a +second time which is likely to oops. + +So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that +the value is now stored in the svc_deferred_req. 
+ +Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports") +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc_xprt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 935bba065636c..139ef1951a0e8 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1214,13 +1214,14 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->argslen = rqstp->rq_arg.len >> 2; + dr->xprt_hlen = rqstp->rq_xprt_hlen; + dr->xprt_ctxt = rqstp->rq_xprt_ctxt; +- rqstp->rq_xprt_ctxt = NULL; + + /* back up head to the start of the buffer and copy */ + skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len; + memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip, + dr->argslen << 2); + } ++ WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt); ++ rqstp->rq_xprt_ctxt = NULL; + trace_svc_defer(rqstp); + svc_xprt_get(rqstp->rq_xprt); + dr->xprt = rqstp->rq_xprt; +-- +2.39.2 + diff --git a/queue-5.15/sunrpc-fix-trace_svc_register-call-site.patch b/queue-5.15/sunrpc-fix-trace_svc_register-call-site.patch new file mode 100644 index 00000000000..29990651318 --- /dev/null +++ b/queue-5.15/sunrpc-fix-trace_svc_register-call-site.patch 
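Review bot: `WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt)` only reports a mismatch; the next line still clears `rqstp->rq_xprt_ctxt`, so on a mismatch the request's context is dropped without being released and `dr->xprt_ctxt` keeps whatever it held. On systems running with `panic_on_warn` the assertion also turns into a crash. The later patch in this queue, "SUNRPC: always free ctxt when freeing deferred request", replaces the assertion with `dr->xprt_ctxt = rqstp->rq_xprt_ctxt;`, so the two should be applied together rather than this one alone. The body of `svc_defer()` continues outside the hunk.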
@@ -0,0 +1,35 @@ +From cfcf213987f433809dee73bb371fd799edccb83c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:51:48 -0400 +Subject: SUNRPC: Fix trace_svc_register() call site + +From: Chuck Lever + +[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ] + +The trace event recorded incorrect values for the registered family, +protocol, and port because the arguments are in the wrong order. + +Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c +index 74a1c9116a785..36a3ad9336d6f 100644 +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1024,7 +1024,7 @@ static int __svc_register(struct net *net, const char *progname, + #endif + } + +- trace_svc_register(progname, version, protocol, port, family, error); ++ trace_svc_register(progname, version, family, protocol, port, error); + return error; + } + +-- +2.39.2 + diff --git a/queue-5.15/sunrpc-remove-dead-code-in-svc_tcp_release_rqst.patch b/queue-5.15/sunrpc-remove-dead-code-in-svc_tcp_release_rqst.patch new file mode 100644 index 00000000000..32e4199ae53 --- /dev/null +++ b/queue-5.15/sunrpc-remove-dead-code-in-svc_tcp_release_rqst.patch 
@@ -0,0 +1,41 @@ +From 8378669d037be02618244b1052f221a02063b502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Apr 2022 12:25:55 -0400 +Subject: SUNRPC: Remove dead code in svc_tcp_release_rqst() + +From: Chuck Lever + +[ Upstream commit 4af8b42e5629b97bdde287d5d6c250535d324676 ] + +Clean up: svc_tcp_sendto() always sets rq_xprt_ctxt to NULL. + +Signed-off-by: Chuck Lever +Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request") +Signed-off-by: Sasha Levin +--- + net/sunrpc/svcsock.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 6ea3d87e11475..a28a6820852b2 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -117,15 +117,6 @@ static void svc_reclassify_socket(struct socket *sock) + */ + static void svc_tcp_release_rqst(struct svc_rqst *rqstp) + { +- struct sk_buff *skb = rqstp->rq_xprt_ctxt; +- +- if (skb) { +- struct svc_sock *svsk = +- container_of(rqstp->rq_xprt, struct svc_sock, sk_xprt); +- +- rqstp->rq_xprt_ctxt = NULL; +- skb_free_datagram_locked(svsk->sk_sk, skb); +- } + } + + /** +-- +2.39.2 + diff --git a/queue-5.15/sunrpc-remove-svc_rqst-rq_xprt_hlen.patch b/queue-5.15/sunrpc-remove-svc_rqst-rq_xprt_hlen.patch new file mode 100644 index 00000000000..bdccd13d5ba --- /dev/null +++ b/queue-5.15/sunrpc-remove-svc_rqst-rq_xprt_hlen.patch 
@@ -0,0 +1,123 @@ +From 0f6d9837cc34aeb7ca14f3e6a05ecdf4e6041481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 14:38:59 -0400 +Subject: SUNRPC: Remove svc_rqst::rq_xprt_hlen + +From: Chuck Lever + +[ Upstream commit 983084b2672c593959e3148d6a17c8b920797dde ] + +Clean up: This field is now always set to zero. + +Signed-off-by: Chuck Lever +Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request") +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/svc.h | 2 -- + include/trace/events/sunrpc.h | 3 +-- + net/sunrpc/svc_xprt.c | 10 ++++------ + net/sunrpc/svcsock.c | 2 -- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 1 - + 5 files changed, 5 insertions(+), 13 deletions(-) + +diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h +index 045f34add206f..664a54e330af3 100644 +--- a/include/linux/sunrpc/svc.h ++++ b/include/linux/sunrpc/svc.h +@@ -246,7 +246,6 @@ struct svc_rqst { + void * rq_xprt_ctxt; /* transport specific context ptr */ + struct svc_deferred_req*rq_deferred; /* deferred request we are replaying */ + +- size_t rq_xprt_hlen; /* xprt header len */ + struct xdr_buf rq_arg; + struct xdr_stream rq_arg_stream; + struct xdr_stream rq_res_stream; +@@ -386,7 +385,6 @@ struct svc_deferred_req { + size_t daddrlen; + void *xprt_ctxt; + struct cache_deferred_req handle; +- size_t xprt_hlen; + int argslen; + __be32 args[]; + }; +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index d49426c0444c9..f09bbb6c918e2 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -1928,8 +1928,7 @@ DECLARE_EVENT_CLASS(svc_deferred_event, + + TP_fast_assign( + __entry->dr = dr; +- __entry->xid = be32_to_cpu(*(__be32 *)(dr->args + +- (dr->xprt_hlen>>2))); ++ __entry->xid = be32_to_cpu(*(__be32 *)dr->args); + __assign_sockaddr(addr, &dr->addr, dr->addrlen); + ), + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index 139ef1951a0e8..5da8e87979f15 100644 
+--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1212,7 +1212,6 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req) + dr->addrlen = rqstp->rq_addrlen; + dr->daddr = rqstp->rq_daddr; + dr->argslen = rqstp->rq_arg.len >> 2; +- dr->xprt_hlen = rqstp->rq_xprt_hlen; + dr->xprt_ctxt = rqstp->rq_xprt_ctxt; + + /* back up head to the start of the buffer and copy */ +@@ -1241,22 +1240,21 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp) + trace_svc_defer_recv(dr); + + /* setup iov_base past transport header */ +- rqstp->rq_arg.head[0].iov_base = dr->args + (dr->xprt_hlen>>2); ++ rqstp->rq_arg.head[0].iov_base = dr->args; + /* The iov_len does not include the transport header bytes */ +- rqstp->rq_arg.head[0].iov_len = (dr->argslen<<2) - dr->xprt_hlen; ++ rqstp->rq_arg.head[0].iov_len = dr->argslen << 2; + rqstp->rq_arg.page_len = 0; + /* The rq_arg.len includes the transport header bytes */ +- rqstp->rq_arg.len = dr->argslen<<2; ++ rqstp->rq_arg.len = dr->argslen << 2; + rqstp->rq_prot = dr->prot; + memcpy(&rqstp->rq_addr, &dr->addr, dr->addrlen); + rqstp->rq_addrlen = dr->addrlen; + /* Save off transport header len in case we get deferred again */ +- rqstp->rq_xprt_hlen = dr->xprt_hlen; + rqstp->rq_daddr = dr->daddr; + rqstp->rq_respages = rqstp->rq_pages; + rqstp->rq_xprt_ctxt = dr->xprt_ctxt; + svc_xprt_received(rqstp->rq_xprt); +- return (dr->argslen<<2) - dr->xprt_hlen; ++ return dr->argslen << 2; + } + + +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index a28a6820852b2..9a0a27d1199f5 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -250,8 +250,6 @@ static ssize_t svc_tcp_read_msg(struct svc_rqst *rqstp, size_t buflen, + ssize_t len; + size_t t; + +- rqstp->rq_xprt_hlen = 0; +- + clear_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); + + for (i = 0, t = 0; t < buflen; i++, t += PAGE_SIZE) { +diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +index 
387a5da09dafb..f760342861694 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -826,7 +826,6 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp) + goto out_err; + if (ret == 0) + goto out_drop; +- rqstp->rq_xprt_hlen = 0; + + if (svc_rdma_is_reverse_direction_reply(xprt, ctxt)) + goto out_backchannel; +-- +2.39.2 + diff --git a/queue-5.15/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch b/queue-5.15/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch new file mode 100644 index 00000000000..ea980ae8803 --- /dev/null +++ b/queue-5.15/tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch 
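Review bot: Three comments in `svc_deferred_recv()` still describe a transport header that no longer exists after this change: `/* setup iov_base past transport header */`, `/* The iov_len does not include the transport header bytes */` and `/* Save off transport header len in case we get deferred again */`. The last of these now sits directly above the unrelated assignment to `rq_daddr`. I would drop the third and reword the first two, for example `/* head[0] covers the whole saved argument buffer */`. The start of `svc_deferred_recv()` is outside the hunk.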
@@ -0,0 +1,62 @@ +From 2a96170d8877cbcac816bec199ead6e25700a730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:47:49 +0000 +Subject: tcp: fix possible sk_priority leak in tcp_v4_send_reset() + +From: Eric Dumazet + +[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ] + +When tcp_v4_send_reset() is called with @sk == NULL, +we do not change ctl_sk->sk_priority, which could have been +set from a prior invocation. + +Change tcp_v4_send_reset() to set sk_priority and sk_mark +fields before calling ip_send_unicast_reply(). + +This means tcp_v4_send_reset() and tcp_v4_send_ack() +no longer have to clear ctl_sk->sk_mark after +their call to ip_send_unicast_reply(). + +Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state") +Signed-off-by: Eric Dumazet +Cc: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 63472c9b39ae4..db05ab4287e30 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -820,6 +820,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ } else { ++ ctl_sk->sk_mark = 0; ++ ctl_sk->sk_priority = 0; + } + ip_send_unicast_reply(ctl_sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, +@@ -827,7 +830,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -926,7 +928,6 @@ static void tcp_v4_send_ack(const struct sock *sk, + &arg, arg.iov[0].iov_len, + transmit_time); + +- ctl_sk->sk_mark = 0; + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); + local_bh_enable(); +-- 
+2.39.2 + diff --git a/queue-5.15/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch b/queue-5.15/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch new file mode 100644 index 00000000000..a0b5fdfadd9 --- /dev/null +++ b/queue-5.15/tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch 
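Review bot: The new `else` branch in `tcp_v4_send_reset()` carries no comment saying why the control socket is reset when `sk` is NULL; `/* ctl_sk is reused across replies: clear values left by an earlier call */` would record the reason given in the commit message. The `tcp_v4_send_ack()` hunk removes `ctl_sk->sk_mark = 0;`, but the lines that set `sk_mark` and `sk_priority` before `ip_send_unicast_reply()` are outside the hunk. It is worth confirming in the 5.15 tree that both fields are assigned unconditionally there, since otherwise a value from one reply could carry over to a reply for an unrelated connection.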
@@ -0,0 +1,105 @@ +From c0529661f5aad6196e90479c09c5912b756f510a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:27 -0400 +Subject: tipc: add tipc_bearer_min_mtu to calculate min mtu + +From: Xin Long + +[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ] + +As different media may requires different min mtu, and even the +same media with different net family requires different min mtu, +add tipc_bearer_min_mtu() to calculate min mtu accordingly. + +This API will be used to check the new mtu when doing the link +mtu negotiation in the next patch. + +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation") +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 13 +++++++++++++ + net/tipc/bearer.h | 3 +++ + net/tipc/udp_media.c | 5 +++-- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index b0ad61b4b1013..897fc8fc08a0b 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -541,6 +541,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id) + return mtu; + } + ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id) ++{ ++ int mtu = TIPC_MIN_BEARER_MTU; ++ struct tipc_bearer *b; ++ ++ rcu_read_lock(); ++ b = bearer_get(net, bearer_id); ++ if (b) ++ mtu += b->encap_hlen; ++ rcu_read_unlock(); ++ return mtu; ++} ++ + /* tipc_bearer_xmit_skb - sends buffer to destination over bearer + */ + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, +diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h +index 57c6a1a719e24..483f90958857e 100644 +--- a/net/tipc/bearer.h ++++ b/net/tipc/bearer.h +@@ -146,6 +146,7 @@ struct tipc_media { + * @identity: array index of this bearer within TIPC bearer array + * @disc: ptr to link setup request + * @net_plane: network plane ('A' through 'H') currently associated with bearer ++ * @encap_hlen: encap headers length + * 
@up: bearer up flag (bit 0) + * @refcnt: tipc_bearer reference counter + * +@@ -170,6 +171,7 @@ struct tipc_bearer { + u32 identity; + struct tipc_discoverer *disc; + char net_plane; ++ u16 encap_hlen; + unsigned long up; + refcount_t refcnt; + }; +@@ -232,6 +234,7 @@ int tipc_bearer_setup(void); + void tipc_bearer_cleanup(void); + void tipc_bearer_stop(struct net *net); + int tipc_bearer_mtu(struct net *net, u32 bearer_id); ++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id); + bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id); + void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id, + struct sk_buff *skb, +diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c +index c2bb818704c8f..0a85244fd6188 100644 +--- a/net/tipc/udp_media.c ++++ b/net/tipc/udp_media.c +@@ -738,8 +738,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + udp_conf.local_ip.s_addr = local.ipv4.s_addr; + udp_conf.use_udp_checksums = false; + ub->ifindex = dev->ifindex; +- if (tipc_mtu_bad(dev, sizeof(struct iphdr) + +- sizeof(struct udphdr))) { ++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr); ++ if (tipc_mtu_bad(dev, b->encap_hlen)) { + err = -EINVAL; + goto err; + } +@@ -760,6 +760,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, + else + udp_conf.local_ip6 = local.ipv6; + ub->ifindex = dev->ifindex; ++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr); + b->mtu = 1280; + #endif + } else { +-- +2.39.2 + diff --git a/queue-5.15/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch b/queue-5.15/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch new file mode 100644 index 00000000000..b6354015797 --- /dev/null +++ b/queue-5.15/tipc-check-the-bearer-min-mtu-properly-when-setting-.patch 
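Review bot: `tipc_bearer_min_mtu()` is added without a header comment, and its result depends on `encap_hlen`, which this patch sets only in `tipc_udp_enable()`. A short header would make the fallback explicit: it returns `TIPC_MIN_BEARER_MTU` plus the bearer's encapsulation header length, and plain `TIPC_MIN_BEARER_MTU` when `bearer_get()` finds no bearer. For other media the field presumably stays zero from allocation, which is not visible here. The body of `tipc_udp_enable()` continues outside its hunks.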
@@ -0,0 +1,45 @@ +From 746ac57889fdfeb5322f04b7320a855a6d3a2b91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:29 -0400 +Subject: tipc: check the bearer min mtu properly when setting it by netlink + +From: Xin Long + +[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ] + +Checking the bearer min mtu with tipc_udp_mtu_bad() only works for +IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the +min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU +for min mtu, which works for both IPv4 and IPv6 UDP bearer. + +Note that tipc_udp_mtu_bad() is still used to check media min mtu +in __tipc_nl_media_set(), as m->mtu currently is only used by the +IPv4 UDP bearer as its default mtu value. + +Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 897fc8fc08a0b..1048607a1528a 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -1151,8 +1151,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + #ifdef CONFIG_TIPC_MEDIA_UDP +- if (tipc_udp_mtu_bad(nla_get_u32 +- (props[TIPC_NLA_PROP_MTU]))) { ++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) < ++ b->encap_hlen + TIPC_MIN_BEARER_MTU) { + NL_SET_ERR_MSG(info->extack, + "MTU value is out-of-range"); + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.15/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch b/queue-5.15/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch new file mode 100644 index 00000000000..aacaa3e150d --- /dev/null +++ b/queue-5.15/tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch 
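Review bot: The lower bound is written out here as `b->encap_hlen + TIPC_MIN_BEARER_MTU`, repeating the sum that `tipc_bearer_min_mtu()` computes in the earlier patch of this queue, so the two definitions can drift apart. A small static helper that takes the bearer pointer and is used by both would keep a single definition of the minimum. Only a minimum is checked in the visible lines; whether an upper bound is applied elsewhere in `__tipc_nl_bearer_set()` cannot be told from this hunk, which starts and ends inside that function.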
@@ -0,0 +1,92 @@ +From 8b69368f9f627d32c4f67927451439540958e383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 15:52:28 -0400 +Subject: tipc: do not update mtu if msg_max is too small in mtu negotiation + +From: Xin Long + +[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ] + +When doing link mtu negotiation, a malicious peer may send Activate msg +with a very small mtu, e.g. 4 in Shuang's testing, without checking for +the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then +n->links[bearer_id].mtu is set to 4294967228, which is a overflow of +'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss(). + +With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning: + + tipc: Too large msg, purging xmit list 1 5 0 40 4! + tipc: Too large msg, purging xmit list 1 15 0 60 4! + +And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in +named_distribute(), and when purging it in tipc_link_xmit(), a crash +was even caused: + + general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19 + RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0 + Call Trace: + + skb_release_data+0xf9/0x1d0 + kfree_skb_reason+0x40/0x100 + tipc_link_xmit+0x57a/0x740 [tipc] + tipc_node_xmit+0x16c/0x5c0 [tipc] + tipc_named_node_up+0x27f/0x2c0 [tipc] + tipc_node_write_unlock+0x149/0x170 [tipc] + tipc_rcv+0x608/0x740 [tipc] + tipc_udp_recv+0xdc/0x1f0 [tipc] + udp_queue_rcv_one_skb+0x33e/0x620 + udp_unicast_rcv_skb.isra.72+0x75/0x90 + __udp4_lib_rcv+0x56d/0xc20 + ip_protocol_deliver_rcu+0x100/0x2d0 + +This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(), +and not updating mtu if it is too small. + +Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index 8fdd3b23bd123..655a2e1b6dfe4 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -2199,7 +2199,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + struct tipc_msg *hdr = buf_msg(skb); + struct tipc_gap_ack_blks *ga = NULL; + bool reply = msg_probe(hdr), retransmitted = false; +- u32 dlen = msg_data_sz(hdr), glen = 0; ++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max; + u16 peers_snd_nxt = msg_next_sent(hdr); + u16 peers_tol = msg_link_tolerance(hdr); + u16 peers_prio = msg_linkprio(hdr); +@@ -2238,6 +2238,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + switch (mtyp) { + case RESET_MSG: + case ACTIVATE_MSG: ++ msg_max = msg_max_pkt(hdr); ++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id)) ++ break; + /* Complete own link name with peer's interface name */ + if_name = strrchr(l->name, ':') + 1; + if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME) +@@ -2282,8 +2285,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + l->peer_session = msg_session(hdr); + l->in_session = true; + l->peer_bearer_id = msg_bearer_id(hdr); +- if (l->mtu > msg_max_pkt(hdr)) +- l->mtu = msg_max_pkt(hdr); ++ if (l->mtu > msg_max) ++ l->mtu = msg_max; + break; + + case STATE_MSG: +-- +2.39.2 + diff --git a/queue-5.15/tracing-introduce-helpers-to-safely-handle-dynamic-s.patch b/queue-5.15/tracing-introduce-helpers-to-safely-handle-dynamic-s.patch new file mode 100644 index 00000000000..693519e8559 --- /dev/null +++ b/queue-5.15/tracing-introduce-helpers-to-safely-handle-dynamic-s.patch 
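Review bot: The new check in the `RESET_MSG`/`ACTIVATE_MSG` case drops an undersized `msg_max` with a bare `break`, so a peer that keeps sending such messages leaves no trace for an operator. A rate-limited log line before the `break`, for example `pr_warn_ratelimited("peer max_pkt %u below bearer minimum on link %s\n", msg_max, l->name);`, would make the rejected negotiation visible without allowing log flooding. The comparison is between the `u32` `msg_max` and the `int` returned by `tipc_bearer_min_mtu()`, which is fine as long as that return value stays positive. `tipc_link_proto_rcv()` begins and ends outside the hunks.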
@@ -0,0 +1,222 @@ +From f9ed6fa8878a6c183cc95b72e2123d2ee4eb90da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jan 2022 12:43:55 -0500 +Subject: tracing: Introduce helpers to safely handle dynamic-sized sockaddrs + +From: Chuck Lever + +[ Upstream commit d07c9ad622474616e94572e59e725c2c4a494fb4 ] + +Enable a struct sockaddr to be stored in a trace record as a +dynamically-sized field. The common cases are AF_INET and AF_INET6 +which are different sizes, and are vastly smaller than a struct +sockaddr_storage. + +These are safer because, when used properly, the size of the +sockaddr destination field in each trace record is now guaranteed +to be the same as the source address that is being copied into it. + +Link: https://lore.kernel.org/all/164182978641.8391.8277203495236105391.stgit@bazille.1015granger.net/ +Signed-off-by: Chuck Lever +Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request") +Signed-off-by: Sasha Levin +--- + include/trace/bpf_probe.h | 6 ++++ + include/trace/perf.h | 6 ++++ + include/trace/trace_events.h | 55 ++++++++++++++++++++++++++++++++++-- + 3 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/include/trace/bpf_probe.h b/include/trace/bpf_probe.h +index 04939b2d2f192..26ec024c3d58a 100644 +--- a/include/trace/bpf_probe.h ++++ b/include/trace/bpf_probe.h +@@ -21,6 +21,9 @@ + #undef __get_bitmask + #define __get_bitmask(field) (char *)__get_dynamic_array(field) + ++#undef __get_sockaddr ++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field)) ++ + #undef __get_rel_dynamic_array + #define __get_rel_dynamic_array(field) \ + ((void *)(&__entry->__rel_loc_##field) + \ +@@ -37,6 +40,9 @@ + #undef __get_rel_bitmask + #define __get_rel_bitmask(field) (char *)__get_rel_dynamic_array(field) + ++#undef __get_rel_sockaddr ++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field)) ++ + #undef __perf_count + #define __perf_count(c) (c) + +diff --git 
a/include/trace/perf.h b/include/trace/perf.h +index 5d48c46a30083..5800d13146c3d 100644 +--- a/include/trace/perf.h ++++ b/include/trace/perf.h +@@ -21,6 +21,9 @@ + #undef __get_bitmask + #define __get_bitmask(field) (char *)__get_dynamic_array(field) + ++#undef __get_sockaddr ++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field)) ++ + #undef __get_rel_dynamic_array + #define __get_rel_dynamic_array(field) \ + ((void *)__entry + \ +@@ -38,6 +41,9 @@ + #undef __get_rel_bitmask + #define __get_rel_bitmask(field) (char *)__get_rel_dynamic_array(field) + ++#undef __get_rel_sockaddr ++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field)) ++ + #undef __perf_count + #define __perf_count(c) (__count = (c)) + +diff --git a/include/trace/trace_events.h b/include/trace/trace_events.h +index 7f0b91dfb532d..e6b19ab357815 100644 +--- a/include/trace/trace_events.h ++++ b/include/trace/trace_events.h +@@ -108,6 +108,9 @@ TRACE_MAKE_SYSTEM_STR(); + #undef __bitmask + #define __bitmask(item, nr_bits) __dynamic_array(char, item, -1) + ++#undef __sockaddr ++#define __sockaddr(field, len) __dynamic_array(u8, field, len) ++ + #undef __rel_dynamic_array + #define __rel_dynamic_array(type, item, len) u32 __rel_loc_##item; + +@@ -120,6 +123,9 @@ TRACE_MAKE_SYSTEM_STR(); + #undef __rel_bitmask + #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(char, item, -1) + ++#undef __rel_sockaddr ++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len) ++ + #undef TP_STRUCT__entry + #define TP_STRUCT__entry(args...) 
args + +@@ -212,11 +218,14 @@ TRACE_MAKE_SYSTEM_STR(); + #undef __string + #define __string(item, src) __dynamic_array(char, item, -1) + ++#undef __string_len ++#define __string_len(item, src, len) __dynamic_array(char, item, -1) ++ + #undef __bitmask + #define __bitmask(item, nr_bits) __dynamic_array(unsigned long, item, -1) + +-#undef __string_len +-#define __string_len(item, src, len) __dynamic_array(char, item, -1) ++#undef __sockaddr ++#define __sockaddr(field, len) __dynamic_array(u8, field, len) + + #undef __rel_dynamic_array + #define __rel_dynamic_array(type, item, len) u32 item; +@@ -230,6 +239,9 @@ TRACE_MAKE_SYSTEM_STR(); + #undef __rel_bitmask + #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, -1) + ++#undef __rel_sockaddr ++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len) ++ + #undef DECLARE_EVENT_CLASS + #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \ + struct trace_event_data_offsets_##call { \ +@@ -349,6 +361,12 @@ TRACE_MAKE_SYSTEM_STR(); + trace_print_bitmask_seq(p, __bitmask, __bitmask_size); \ + }) + ++#undef __get_sockaddr ++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field)) ++ ++#undef __get_rel_sockaddr ++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field)) ++ + #undef __print_flags + #define __print_flags(flag, delim, flag_array...) 
\ + ({ \ +@@ -520,6 +538,9 @@ static struct trace_event_functions trace_event_type_funcs_##call = { \ + #undef __bitmask + #define __bitmask(item, nr_bits) __dynamic_array(unsigned long, item, -1) + ++#undef __sockaddr ++#define __sockaddr(field, len) __dynamic_array(u8, field, len) ++ + #undef __rel_dynamic_array + #define __rel_dynamic_array(_type, _item, _len) { \ + .type = "__rel_loc " #_type "[]", .name = #_item, \ +@@ -535,6 +556,9 @@ static struct trace_event_functions trace_event_type_funcs_##call = { \ + #undef __rel_bitmask + #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, -1) + ++#undef __rel_sockaddr ++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len) ++ + #undef DECLARE_EVENT_CLASS + #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, func, print) \ + static struct trace_event_fields trace_event_fields_##call[] = { \ +@@ -626,6 +650,12 @@ static struct trace_event_fields trace_event_fields_##call[] = { \ + #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, \ + __bitmask_size_in_longs(nr_bits)) + ++#undef __sockaddr ++#define __sockaddr(field, len) __dynamic_array(u8, field, len) ++ ++#undef __rel_sockaddr ++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len) ++ + #undef DECLARE_EVENT_CLASS + #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \ + static inline notrace int trace_event_get_offsets_##call( \ +@@ -790,6 +820,15 @@ static inline notrace int trace_event_get_offsets_##call( \ + #define __assign_bitmask(dst, src, nr_bits) \ + memcpy(__get_bitmask(dst), (src), __bitmask_size_in_bytes(nr_bits)) + ++#undef __sockaddr ++#define __sockaddr(field, len) __dynamic_array(u8, field, len) ++ ++#undef __get_sockaddr ++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field)) ++ ++#define __assign_sockaddr(dest, src, len) \ ++ memcpy(__get_dynamic_array(dest), src, len) ++ + #undef __rel_dynamic_array + #define 
__rel_dynamic_array(type, item, len) \ + __entry->__rel_loc_##item = __data_offsets.item; +@@ -821,6 +860,16 @@ static inline notrace int trace_event_get_offsets_##call( \ + #define __assign_rel_bitmask(dst, src, nr_bits) \ + memcpy(__get_rel_bitmask(dst), (src), __bitmask_size_in_bytes(nr_bits)) + ++#undef __rel_sockaddr ++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len) ++ ++#undef __get_rel_sockaddr ++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field)) ++ ++#define __assign_rel_sockaddr(dest, src, len) \ ++ memcpy(__get_rel_dynamic_array(dest), src, len) ++ ++ + #undef TP_fast_assign + #define TP_fast_assign(args...) args + +@@ -885,10 +934,12 @@ static inline void ftrace_test_probe_##call(void) \ + #undef __get_dynamic_array_len + #undef __get_str + #undef __get_bitmask ++#undef __get_sockaddr + #undef __get_rel_dynamic_array + #undef __get_rel_dynamic_array_len + #undef __get_rel_str + #undef __get_rel_bitmask ++#undef __get_rel_sockaddr + #undef __print_array + #undef __print_hex_dump + +-- +2.39.2 + diff --git a/queue-5.15/virtio-net-maintain-reverse-cleanup-order.patch b/queue-5.15/virtio-net-maintain-reverse-cleanup-order.patch new file mode 100644 index 00000000000..f9b280bce7d --- /dev/null +++ b/queue-5.15/virtio-net-maintain-reverse-cleanup-order.patch 
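Review bot: `__assign_sockaddr(dest, src, len)` and `__assign_rel_sockaddr()` in include/trace/trace_events.h copy `len` bytes taken from the call site, while the destination was sized by the separate `len` given to `__sockaddr(field, len)`. Nothing ties the two together, so a tracepoint that passes different expressions can write past its slot in the trace record. The commit message's "when used properly" caveat belongs in the header itself, e.g. `/* len must be the same expression that was passed to __sockaddr() for this field */` above both assign macros. The arguments are also expanded unparenthesised, and `__assign_sockaddr` is defined without the preceding `#undef` that `__sockaddr` and `__get_sockaddr` get in the same hunk. `memcpy(__get_dynamic_array(dest), (src), (len))` would match the neighbouring `__assign_bitmask`.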
@@ -0,0 +1,40 @@ +From f3413cb1f7f02373df675f5b49d34ad269d059b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 15:37:38 +0200 +Subject: virtio-net: Maintain reverse cleanup order + +From: Parav Pandit + +[ Upstream commit 27369c9c2b722617063d6b80c758ab153f1d95d4 ] + +To easily audit the code, better to keep the device stop() +sequence to be mirror of the device open() sequence. + +Acked-by: Michael S. Tsirkin +Reviewed-by: Jiri Pirko +Signed-off-by: Parav Pandit +Signed-off-by: David S. Miller +Stable-dep-of: 5306623a9826 ("virtio_net: Fix error unwinding of XDP initialization") +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 9f2d691908b42..cdd28a11f5191 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1999,9 +1999,9 @@ static int virtnet_close(struct net_device *dev) + cancel_delayed_work_sync(&vi->refill); + + for (i = 0; i < vi->max_queue_pairs; i++) { ++ virtnet_napi_tx_disable(&vi->sq[i].napi); + napi_disable(&vi->rq[i].napi); + xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- virtnet_napi_tx_disable(&vi->sq[i].napi); + } + + return 0; +-- +2.39.2 + diff --git a/queue-5.15/virtio_net-fix-error-unwinding-of-xdp-initialization.patch b/queue-5.15/virtio_net-fix-error-unwinding-of-xdp-initialization.patch new file mode 100644 index 00000000000..c42ad9b8c6a --- /dev/null +++ b/queue-5.15/virtio_net-fix-error-unwinding-of-xdp-initialization.patch 
@@ -0,0 +1,126 @@ +From 1ceb6ef84868e38afc467808eae62a0f94feb781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:18:12 -0400 +Subject: virtio_net: Fix error unwinding of XDP initialization + +From: Feng Liu + +[ Upstream commit 5306623a9826aa7d63b32c6a3803c798a765474d ] + +When initializing XDP in virtnet_open(), some rq xdp initialization +may hit an error causing net device open failed. However, previous +rqs have already initialized XDP and enabled NAPI, which is not the +expected behavior. Need to roll back the previous rq initialization +to avoid leaks in error unwinding of init code. + +Also extract helper functions of disable and enable queue pairs. +Use newly introduced disable helper function in error unwinding and +virtnet_close. Use enable helper function in virtnet_open. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Signed-off-by: Feng Liu +Reviewed-by: Jiri Pirko +Reviewed-by: William Tu +Acked-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Xuan Zhuo +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 61 +++++++++++++++++++++++++++++----------- + 1 file changed, 44 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index cdd28a11f5191..0351f86494f16 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1604,6 +1604,38 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + return received; + } + ++static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ virtnet_napi_tx_disable(&vi->sq[qp_index].napi); ++ napi_disable(&vi->rq[qp_index].napi); ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++} ++ ++static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index) ++{ ++ struct net_device *dev = vi->dev; ++ int err; ++ ++ err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index, ++ vi->rq[qp_index].napi.napi_id); ++ if (err < 0) ++ return err; ++ ++ err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq, ++ MEM_TYPE_PAGE_SHARED, NULL); ++ if (err < 0) ++ goto err_xdp_reg_mem_model; ++ ++ virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi); ++ virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi); ++ ++ return 0; ++ ++err_xdp_reg_mem_model: ++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq); ++ return err; ++} ++ + static int virtnet_open(struct net_device *dev) + { + struct virtnet_info *vi = netdev_priv(dev); +@@ -1617,22 +1649,20 @@ static int virtnet_open(struct net_device *dev) + if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL)) + schedule_delayed_work(&vi->refill, 0); + +- err = xdp_rxq_info_reg(&vi->rq[i].xdp_rxq, dev, i, vi->rq[i].napi.napi_id); ++ err = virtnet_enable_queue_pair(vi, i); + if (err < 0) +- return err; +- +- err = xdp_rxq_info_reg_mem_model(&vi->rq[i].xdp_rxq, +- MEM_TYPE_PAGE_SHARED, NULL); +- if (err < 0) { +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- return err; +- } +- +- virtnet_napi_enable(vi->rq[i].vq, 
&vi->rq[i].napi); +- virtnet_napi_tx_enable(vi, vi->sq[i].vq, &vi->sq[i].napi); ++ goto err_enable_qp; + } + + return 0; ++ ++err_enable_qp: ++ disable_delayed_refill(vi); ++ cancel_delayed_work_sync(&vi->refill); ++ ++ for (i--; i >= 0; i--) ++ virtnet_disable_queue_pair(vi, i); ++ return err; + } + + static int virtnet_poll_tx(struct napi_struct *napi, int budget) +@@ -1998,11 +2028,8 @@ static int virtnet_close(struct net_device *dev) + /* Make sure refill_work doesn't re-enable napi! */ + cancel_delayed_work_sync(&vi->refill); + +- for (i = 0; i < vi->max_queue_pairs; i++) { +- virtnet_napi_tx_disable(&vi->sq[i].napi); +- napi_disable(&vi->rq[i].napi); +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); +- } ++ for (i = 0; i < vi->max_queue_pairs; i++) ++ virtnet_disable_queue_pair(vi, i); + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.15/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch b/queue-5.15/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch new file mode 100644 index 00000000000..a624d4abeac --- /dev/null +++ b/queue-5.15/vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch 
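Review bot: The `err_enable_qp` unwind in virtnet_open() depends on two unstated invariants. `i` must still hold the index of the pair that failed, and virtnet_enable_queue_pair() must already have undone its own partial work for that pair, which is why the loop starts at `i--`. A comment on the label, e.g. `/* pairs [0, i) are fully enabled; pair i was unwound by virtnet_enable_queue_pair() */`, would keep a later edit from double-unregistering or leaking an xdp_rxq. In virtnet_enable_queue_pair() the local `dev` is used once and could be replaced by `vi->dev` directly. virtnet_open() and virtnet_close() begin outside the hunks shown.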
@@ -0,0 +1,93 @@ +From b8372aca1d7cdace021b185998d85afa5f3dde93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 14:23:42 +0000 +Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() + +From: Eric Dumazet + +[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ] + +syzbot triggered the following splat [1], sending an empty message +through pppoe_sendmsg(). + +When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header() +does not push extra bytes for the VLAN header, because vlan is offloaded. + +Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto +before testing (vlan->flags & VLAN_FLAG_REORDER_HDR). + +We need to swap the two conditions. + +[1] +BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111 +__netdev_start_xmit include/linux/netdevice.h:4883 [inline] +netdev_start_xmit include/linux/netdevice.h:4897 [inline] +xmit_one net/core/dev.c:3580 [inline] +dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596 +__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246 +dev_queue_xmit include/linux/netdevice.h:3053 [inline] +pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774 +slab_alloc_node mm/slub.c:3452 [inline] +kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497 +kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520 
+__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606 +alloc_skb include/linux/skbuff.h:1277 [inline] +sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583 +pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 +___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 +__sys_sendmmsg+0x411/0xa50 net/socket.c:2641 +__do_sys_sendmmsg net/socket.c:2670 [inline] +__se_sys_sendmmsg net/socket.c:2667 [inline] +__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index b6d456c7952ed..3d0f0d0a323b5 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb, + * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING + * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs... + */ +- if (veth->h_vlan_proto != vlan->vlan_proto || +- vlan->flags & VLAN_FLAG_REORDER_HDR) { ++ if (vlan->flags & VLAN_FLAG_REORDER_HDR || ++ veth->h_vlan_proto != vlan->vlan_proto) { + u16 vlan_tci; + vlan_tci = vlan->vlan_id; + vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority); +-- +2.39.2 + 
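Review bot: The operand order in the rewritten condition in vlan_dev_hard_start_xmit() is now what prevents the uninitialised read of `veth->h_vlan_proto`, but nothing in the code says so, and a later tidy-up could swap the operands back. I would add a comment above the `if`, e.g. `/* Test REORDER_HDR first: with it set no VLAN header was pushed, so veth->h_vlan_proto may be uninitialised */`. Parenthesising the flag test as `if ((vlan->flags & VLAN_FLAG_REORDER_HDR) ||` would also make the short-circuit obvious. The function body continues outside the hunk.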
diff --git a/queue-5.15/vsock-avoid-to-close-connected-socket-after-the-time.patch b/queue-5.15/vsock-avoid-to-close-connected-socket-after-the-time.patch
new file mode 100644
index 00000000000..49799f949f0
--- /dev/null
+++ b/queue-5.15/vsock-avoid-to-close-connected-socket-after-the-time.patch
@@ -0,0 +1,54 @@ +From d18e48b4e6fd2e050553a0fe0f3ea3246f5b94aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 19:34:30 +0800 +Subject: vsock: avoid to close connected socket after the timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhuang Shengen + +[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ] + +When client and server establish a connection through vsock, +the client send a request to the server to initiate the connection, +then start a timer to wait for the server's response. When the server's +RESPONSE message arrives, the timer also times out and exits. The +server's RESPONSE message is processed first, and the connection is +established. However, the client's timer also times out, the original +processing logic of the client is to directly set the state of this vsock +to CLOSE and return ETIMEDOUT. It will not notify the server when the port +is released, causing the server port remain. +when client's vsock_connect timeout,it should check sk state is +ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection +is established, the client should not set the sk state to CLOSE + +Note: I encountered this issue on kernel-4.18, which can be fixed by +this patch. Then I checked the latest code in the community +and found similar issue. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Zhuang Shengen +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index dc36a46ce0e75..9a65a2f195853 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1415,7 +1415,7 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + vsock_transport_cancel_pkt(vsk); + vsock_remove_connected(vsk); + goto out_wait; +- } else if (timeout == 0) { ++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { + err = -ETIMEDOUT; + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; +-- +2.39.2 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch b/queue-5.15/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch new file mode 100644 index 00000000000..2bf3d7f2535 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch 
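Review bot: The new `else if` in vsock_connect() encodes a race (the response arriving as the timer expires) that is explained only in the commit message, so the extra `sk->sk_state` test looks arbitrary when reading the code. A comment above the branch, e.g. `/* The response may have been processed just as the timer expired; only time out if the socket is not connected */`, would preserve the reasoning. The inner parentheses are redundant in kernel style: `} else if (sk->sk_state != TCP_ESTABLISHED && timeout == 0) {`. What happens when the state is TCP_ESTABLISHED and `timeout` is 0 depends on the loop around this branch, which is outside the hunk.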
@@ -0,0 +1,60 @@ +From 3b9eb119a696238ce4d688321bfa7e93735ced06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:53 +0300 +Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels + +From: Johannes Berg + +[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ] + +If the firmware sends us a corrupted MCC response with +n_channels much larger than the command response can be, +we might copy far too much (uninitialized) memory and +even crash if the n_channels is large enough to make it +run out of the one page allocated for the FW response. + +Fix that by checking the lengths. Doing a < comparison +would be sufficient, but the firmware should be doing +it correctly, so check more strictly. + +Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +index da705fcaf0fcc..8a9732b5b9652 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL); +@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2, + struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void 
*)pkt->data; + + n_channels = __le32_to_cpu(mcc_resp_v3->n_channels); ++ if (iwl_rx_packet_payload_len(pkt) != ++ struct_size(mcc_resp_v3, channels, n_channels)) { ++ resp_cp = ERR_PTR(-EINVAL); ++ goto exit; ++ } + resp_len = sizeof(struct iwl_mcc_update_resp) + + n_channels * sizeof(__le32); + resp_cp = kzalloc(resp_len, GFP_KERNEL); +-- +2.39.2 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch b/queue-5.15/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch new file mode 100644 index 00000000000..075339742b3 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch 
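Review bot: Both new length checks in iwl_mvm_update_mcc() reject a malformed firmware response with `-EINVAL` but log nothing, so a corrupted or misbehaving firmware response is indistinguishable from any other failed MCC update. An error line before each `goto exit`, e.g. `IWL_ERR(mvm, "MCC response length does not match n_channels\n");`, would give something to alert on. In the first branch `resp_len` is still computed by hand right after the check. Assuming `channels` is the trailing `__le32` array, `resp_len = struct_size(mcc_resp, channels, n_channels);` would reuse the validated expression. The function starts and ends outside the hunks.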
@@ -0,0 +1,44 @@ +From 47acb7693fb09cf7fa48728b0588ba3fae339000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 12:15:46 +0300 +Subject: wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock + +From: Johannes Berg + +[ Upstream commit c2d8b7f257b2398f2d866205365895e038beca12 ] + +Lockdep points out that we can deadlock here by calling +cancel_delayed_work_sync() because that might be already +running and gotten interrupted by the NAPI soft-IRQ. +Even just calling something that can sleep is wrong in +this context though. + +Luckily, it doesn't even really matter since the things +we need to do are idempotent, so just drop the _sync(). + +Fixes: e5d153ec54f0 ("iwlwifi: mvm: fix CSA AP side") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230514120631.b1813c823b4d.I9d20cc06d24fa40b6774d3dd95ea5e2bf8dd015b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index efccdd3f33773..49c28c96fdf28 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -1907,7 +1907,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi, + RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL); + /* Unblock BCAST / MCAST station */ + iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, false); +- cancel_delayed_work_sync(&mvm->cs_tx_unblock_dwork); ++ cancel_delayed_work(&mvm->cs_tx_unblock_dwork); + } + } + +-- +2.39.2 + diff --git a/queue-5.15/wifi-mac80211-fix-min-center-freq-offset-tracing.patch b/queue-5.15/wifi-mac80211-fix-min-center-freq-offset-tracing.patch new file mode 100644 index 00000000000..e53c2d89112 --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-min-center-freq-offset-tracing.patch 
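Review bot: Dropping `_sync` in iwl_mvm_rx_mpdu_mq() means `cs_tx_unblock_dwork` may still be running, or run once more, after this call returns. The reason that is acceptable lives only in the commit message. A comment on the call, e.g. `/* not _sync: this runs in NAPI soft-IRQ context and must not sleep; the work is idempotent */`, would stop someone from restoring the synchronous variant. The surrounding function is outside the hunk.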
@@ -0,0 +1,39 @@ +From 1e73b823af439b242706d02393d9d4424138dc62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:01 +0300 +Subject: wifi: mac80211: fix min center freq offset tracing + +From: Johannes Berg + +[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ] + +We need to set the correct trace variable, otherwise we're +overwriting something else instead and the right one that +we print later is not initialized. + +Fixes: b6011960f392 ("mac80211: handle channel frequency offset") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h +index 9e8381bef7ed8..8a9b62f6e9236 100644 +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -67,7 +67,7 @@ + __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \ + __entry->min_chan_width = (c)->width; \ + __entry->min_center_freq1 = (c)->center_freq1; \ +- __entry->freq1_offset = (c)->freq1_offset; \ ++ __entry->min_freq1_offset = (c)->freq1_offset; \ + __entry->min_center_freq2 = (c)->center_freq2; + #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz" + #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \ +-- +2.39.2 + diff --git a/queue-5.15/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch b/queue-5.15/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch new file mode 100644 index 00000000000..f591ddd9d78 --- /dev/null +++ b/queue-5.15/xfrm-don-t-check-the-default-policy-if-the-policy-al.patch 
@@ -0,0 +1,49 @@ +From 520d80e7d916248142c4389011e8b59d6a46b213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 15:12:16 +0200 +Subject: xfrm: don't check the default policy if the policy allows the packet + +From: Sabrina Dubroca + +[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ] + +The current code doesn't let a simple "allow" policy counteract a +default policy blocking all incoming packets: + + ip x p setdefault in block + ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow + +At this stage, we have an allow policy (with or without transforms) +for this packet. It doesn't matter what the default policy says, since +the policy we looked up lets the packet through. The case of a +blocking policy is already handled separately, so we can remove this +check. + +Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 0540e9f72b2fe..37eeda0f123cd 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3636,12 +3636,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + } + xfrm_nr = ti; + +- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK && +- !xfrm_nr) { +- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); +- goto reject; +- } +- + if (npols > 1) { + xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); + tpp = stp; +-- +2.39.2 +