From 26a15f03d2edb027ee9bef1b05aa49c1f09edb57 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 13 Sep 2023 21:14:23 -0400 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ..._unix-fix-data-race-around-sk-sk_err.patch | 42 ++ ...x-data-race-around-unix_tot_inflight.patch | 84 +++ ...fix-data-races-around-sk-sk_shutdown.patch | 96 +++ ...data-races-around-user-unix_inflight.patch | 105 +++ ...acklight-drop-output-gpio-direction-.patch | 42 ++ ...s-in-struct-ceph_mds_request_args_ex.patch | 70 ++ ...p-unused-helper-intel_vgpu_reset_gtt.patch | 74 +++ .../gfs2-low-memory-forced-flush-fixes.patch | 89 +++ ...s2-switch-to-wait_event-in-gfs2_logd.patch | 57 ++ queue-5.15/gve-fix-frag_list-chaining.patch | 58 ++ ...x-param-name-in-idr_alloc_cyclic-doc.patch | 35 + ...in-to-allow-set-rx-tx-value-between-.patch | 44 ++ ...ble-virtualization-features-on-82580.patch | 40 ++ ...vf_min-to-allow-set-rx-tx-value-betw.patch | 44 ++ ...in-to-allow-set-rx-tx-value-between-.patch | 44 ++ ...ypad-always-expect-proper-irq-number.patch | 128 ++++ ...ypad-fix-interrupt-enable-disbalance.patch | 52 ++ queue-5.15/ip_tunnels-use-dev_stats_inc.patch | 128 ++++ ...notate-data-races-around-fi-fib_dead.patch | 136 ++++ ...ignore-dst-hint-for-multipath-routes.patch | 71 ++ ...not-run-depmod-for-make-modules_sign.patch | 41 ++ .../kcm-destroy-mutex-in-kcm_exit_net.patch | 37 ++ ...kconfig-fix-possible-buffer-overflow.patch | 38 ++ ...complete-tc-cbs-offload-support-on-s.patch | 136 ++++ ...fix-bandwidth-discrepancy-between-tc.patch | 136 ++++ ...fix-enospc-when-replacing-the-same-t.patch | 81 +++ ...b-avoid-warn-splat-in-flow-dissector.patch | 77 +++ ...e-order-conversion-issue-in-hclge_db.patch | 70 ++ ...ugfs-concurrency-issue-between-kfree.patch | 62 ++ ...alid-mutex-between-tc-qdisc-and-dcb-.patch | 153 +++++ ...-port-information-display-when-sfp-i.patch | 39 ++ ...-hns3-remove-gso-partial-feature-bit.patch | 39 ++ ...f-avoid-integer-underflow-in-ipv6_cr.patch | 40 ++ ...orrect-bit-assignments-for-phy_devic.patch | 54 ++ ...read-sk-sk_family-once-in-sk_mc_loop.patch | 87 +++ ...-fq_pie-avoid-stalls-in-fq_pie_timer.patch | 115 ++++ 
...sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch | 242 +++++++ ...tfilter-nfnetlink_osf-avoid-oob-read.patch | 59 ++ ...es-exthdr-fix-4-byte-stack-oob-write.patch | 96 +++ ...-truncation-of-smq-in-cn10k-nix-aq-e.patch | 81 +++ ...f-don-t-enclose-non-debug-code-with-.patch | 114 ++++ ...ass-an-err_ptr-directly-to-perf_sess.patch | 85 +++ ...race-really-free-the-evsel-priv-area.patch | 100 +++ ...free-to-reduce-chances-of-use-after-.patch | 59 ++ ...ts-drop-some-of-the-json-events-for-.patch | 137 ++++ ...ts-update-the-json-events-descriptio.patch | 618 ++++++++++++++++++ ...nvert-to-platform-remove-callback-re.patch | 66 ++ ...x-resource-freeing-in-error-path-and.patch | 90 +++ ...-harmonize-resource-allocation-order.patch | 124 ++++ ...32xx-remove-handling-of-pwm-channels.patch | 88 +++ ...-t-leak-memory-if-dev_set_name-fails.patch | 37 ++ ...-data-races-around-sk-sk_wmem_queued.patch | 152 +++++ queue-5.15/series | 57 ++ ...u-buffer-size-passed-to-dma_declare_.patch | 121 ++++ ...smit-return-status-for-dropped-packe.patch | 54 ++ ...id_wdt-add-module_alias-to-allow-aut.patch | 40 ++ ...necessary-check-on-extended-cpuid-le.patch | 45 ++ ...-use-after-free-error-during-socket-.patch | 58 ++ 58 files changed, 5167 insertions(+) create mode 100644 queue-5.15/af_unix-fix-data-race-around-sk-sk_err.patch create mode 100644 queue-5.15/af_unix-fix-data-race-around-unix_tot_inflight.patch create mode 100644 queue-5.15/af_unix-fix-data-races-around-sk-sk_shutdown.patch create mode 100644 queue-5.15/af_unix-fix-data-races-around-user-unix_inflight.patch create mode 100644 queue-5.15/backlight-gpio_backlight-drop-output-gpio-direction-.patch create mode 100644 queue-5.15/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch create mode 100644 queue-5.15/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch create mode 100644 queue-5.15/gfs2-low-memory-forced-flush-fixes.patch create mode 100644 queue-5.15/gfs2-switch-to-wait_event-in-gfs2_logd.patch create mode 100644 
queue-5.15/gve-fix-frag_list-chaining.patch create mode 100644 queue-5.15/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch create mode 100644 queue-5.15/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch create mode 100644 queue-5.15/igb-disable-virtualization-features-on-82580.patch create mode 100644 queue-5.15/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch create mode 100644 queue-5.15/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch create mode 100644 queue-5.15/input-tca6416-keypad-always-expect-proper-irq-number.patch create mode 100644 queue-5.15/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch create mode 100644 queue-5.15/ip_tunnels-use-dev_stats_inc.patch create mode 100644 queue-5.15/ipv4-annotate-data-races-around-fi-fib_dead.patch create mode 100644 queue-5.15/ipv4-ignore-dst-hint-for-multipath-routes.patch create mode 100644 queue-5.15/kbuild-do-not-run-depmod-for-make-modules_sign.patch create mode 100644 queue-5.15/kcm-destroy-mutex-in-kcm_exit_net.patch create mode 100644 queue-5.15/kconfig-fix-possible-buffer-overflow.patch create mode 100644 queue-5.15/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch create mode 100644 queue-5.15/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch create mode 100644 queue-5.15/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch create mode 100644 queue-5.15/net-fib-avoid-warn-splat-in-flow-dissector.patch create mode 100644 queue-5.15/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch create mode 100644 queue-5.15/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch create mode 100644 queue-5.15/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch create mode 100644 queue-5.15/net-hns3-fix-the-port-information-display-when-sfp-i.patch create mode 100644 queue-5.15/net-hns3-remove-gso-partial-feature-bit.patch create mode 100644 queue-5.15/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch create mode 100644 
queue-5.15/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch create mode 100644 queue-5.15/net-read-sk-sk_family-once-in-sk_mc_loop.patch create mode 100644 queue-5.15/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch create mode 100644 queue-5.15/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch create mode 100644 queue-5.15/netfilter-nfnetlink_osf-avoid-oob-read.patch create mode 100644 queue-5.15/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch create mode 100644 queue-5.15/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch create mode 100644 queue-5.15/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch create mode 100644 queue-5.15/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch create mode 100644 queue-5.15/perf-trace-really-free-the-evsel-priv-area.patch create mode 100644 queue-5.15/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch create mode 100644 queue-5.15/perf-vendor-events-drop-some-of-the-json-events-for-.patch create mode 100644 queue-5.15/perf-vendor-events-update-the-json-events-descriptio.patch create mode 100644 queue-5.15/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch create mode 100644 queue-5.15/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch create mode 100644 queue-5.15/pwm-atmel-tcb-harmonize-resource-allocation-order.patch create mode 100644 queue-5.15/pwm-lpc32xx-remove-handling-of-pwm-channels.patch create mode 100644 queue-5.15/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch create mode 100644 queue-5.15/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch create mode 100644 queue-5.15/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch create mode 100644 queue-5.15/veth-fixing-transmit-return-status-for-dropped-packe.patch create mode 100644 queue-5.15/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch create mode 100644 queue-5.15/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch create mode 100644 
queue-5.15/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch diff --git a/queue-5.15/af_unix-fix-data-race-around-sk-sk_err.patch b/queue-5.15/af_unix-fix-data-race-around-sk-sk_err.patch new file mode 100644 index 00000000000..ae549d986ea --- /dev/null +++ b/queue-5.15/af_unix-fix-data-race-around-sk-sk_err.patch @@ -0,0 +1,42 @@ +From 8d63757403ca4f202190aac4bfc91aa65db269f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:08 -0700 +Subject: af_unix: Fix data race around sk->sk_err. + +From: Kuniyuki Iwashima + +[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ] + +As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be +read locklessly by unix_dgram_sendmsg(). + +Let's use READ_ONCE() for sk_err as well. + +Note that the writer side is marked by commit cc04410af7de ("af_unix: +annotate lockless accesses to sk->sk_err"). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index ba669f72d7df2..8faa0f9cc0839 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2466,7 +2466,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + break; + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; +- if (sk->sk_err) ++ if (READ_ONCE(sk->sk_err)) + break; + timeo = schedule_timeout(timeo); + } +-- +2.40.1 + diff --git a/queue-5.15/af_unix-fix-data-race-around-unix_tot_inflight.patch b/queue-5.15/af_unix-fix-data-race-around-unix_tot_inflight.patch new file mode 100644 index 00000000000..fc4fafbb4ff --- /dev/null +++ b/queue-5.15/af_unix-fix-data-race-around-unix_tot_inflight.patch 
@@ -0,0 +1,84 @@ +From aaf3c998bdaffe5d80b756d55999a715146efcea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:06 -0700 +Subject: af_unix: Fix data-race around unix_tot_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ] + +unix_tot_inflight is changed under spin_lock(unix_gc_lock), but +unix_release_sock() reads it locklessly. + +Let's use READ_ONCE() for unix_tot_inflight. + +Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: +annote lockless accesses to unix_tot_inflight & gc_in_progress") + +BUG: KCSAN: data-race in unix_inflight / unix_release_sock + +write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: + unix_inflight+0x130/0x180 net/unix/scm.c:64 + unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1832 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:747 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 + __sys_sendmsg+0x94/0x140 net/socket.c:2576 + __do_sys_sendmsg net/socket.c:2585 [inline] + __se_sys_sendmsg net/socket.c:2583 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: + unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 + unix_release+0x59/0x80 net/unix/af_unix.c:1058 + __sock_release+0x7d/0x170 net/socket.c:653 + sock_close+0x19/0x30 net/socket.c:1385 + __fput+0x179/0x5e0 fs/file_table.c:321 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + 
exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x00000000 -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 5264fe82e6ec1..748769f4ba058 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -603,7 +603,7 @@ static void unix_release_sock(struct sock *sk, int embrion) + * What the above comment does talk about? --ANK(980817) + */ + +- if (unix_tot_inflight) ++ if (READ_ONCE(unix_tot_inflight)) + unix_gc(); /* Garbage collect fds */ + } + +-- +2.40.1 + diff --git a/queue-5.15/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-5.15/af_unix-fix-data-races-around-sk-sk_shutdown.patch new file mode 100644 index 00000000000..d6a2c84fb08 --- /dev/null +++ b/queue-5.15/af_unix-fix-data-races-around-sk-sk_shutdown.patch 
@@ -0,0 +1,96 @@ +From cb8d08ac15aa92571ced88702ae07e9f260b9190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:07 -0700 +Subject: af_unix: Fix data-races around sk->sk_shutdown. + +From: Kuniyuki Iwashima + +[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ] + +sk->sk_shutdown is changed under unix_state_lock(sk), but +unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly. + + sock_alloc_send_pskb + `- sock_wait_for_wmem + +Let's use READ_ONCE() there. + +Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix: +Fix data races around sk->sk_shutdown."). + +BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock + +write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1: + unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 + unix_release+0x59/0x80 net/unix/af_unix.c:1053 + __sock_release+0x7d/0x170 net/socket.c:654 + sock_close+0x19/0x30 net/socket.c:1386 + __fput+0x2a3/0x680 fs/file_table.c:384 + ____fput+0x15/0x20 fs/file_table.c:412 + task_work_run+0x116/0x1a0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 + do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0: + sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767 + unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + 
__sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x00 -> 0x03 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 4b63478cf021a..ba669f72d7df2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2464,7 +2464,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo) + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf)) + break; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + break; + if (sk->sk_err) + break; +@@ -2494,7 +2494,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, + goto failure; + + err = -EPIPE; +- if (sk->sk_shutdown & SEND_SHUTDOWN) ++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) + goto failure; + + if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf)) +-- +2.40.1 + diff --git a/queue-5.15/af_unix-fix-data-races-around-user-unix_inflight.patch b/queue-5.15/af_unix-fix-data-races-around-user-unix_inflight.patch new file mode 100644 index 00000000000..c5cdc7e080b --- /dev/null +++ b/queue-5.15/af_unix-fix-data-races-around-user-unix_inflight.patch 
@@ -0,0 +1,105 @@ +From b7342f6a8ec3747a574bc0e88fea37f41579749a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 17:27:05 -0700 +Subject: af_unix: Fix data-races around user->unix_inflight. + +From: Kuniyuki Iwashima + +[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ] + +user->unix_inflight is changed under spin_lock(unix_gc_lock), +but too_many_unix_fds() reads it locklessly. + +Let's annotate the write/read accesses to user->unix_inflight. + +BUG: KCSAN: data-race in unix_attach_fds / unix_inflight + +write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: + unix_inflight+0x157/0x180 net/unix/scm.c:66 + unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: + too_many_unix_fds net/unix/scm.c:101 [inline] + unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 + unix_scm_to_skb net/unix/af_unix.c:1827 [inline] + unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 + unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] + unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 + sock_sendmsg_nosec net/socket.c:725 [inline] + sock_sendmsg+0x148/0x160 net/socket.c:748 + ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 + ___sys_sendmsg+0xc6/0x140 
net/socket.c:2548 + __sys_sendmsg+0x94/0x140 net/socket.c:2577 + __do_sys_sendmsg net/socket.c:2586 [inline] + __se_sys_sendmsg net/socket.c:2584 [inline] + __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +value changed: 0x000000000000000c -> 0x000000000000000d + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Acked-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/scm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/unix/scm.c b/net/unix/scm.c +index aa27a02478dc1..e8e2a00bb0f58 100644 +--- a/net/unix/scm.c ++++ b/net/unix/scm.c +@@ -63,7 +63,7 @@ void unix_inflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1); + } +- user->unix_inflight++; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1); + spin_unlock(&unix_gc_lock); + } + +@@ -84,7 +84,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp) + /* Paired with READ_ONCE() in wait_for_unix_gc() */ + WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1); + } +- user->unix_inflight--; ++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1); + spin_unlock(&unix_gc_lock); + } + +@@ -98,7 +98,7 @@ static inline bool too_many_unix_fds(struct task_struct *p) + { + struct user_struct *user = current_user(); + +- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ if 
(unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE))) + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return false; + } +-- +2.40.1 + diff --git a/queue-5.15/backlight-gpio_backlight-drop-output-gpio-direction-.patch b/queue-5.15/backlight-gpio_backlight-drop-output-gpio-direction-.patch new file mode 100644 index 00000000000..085be9748bd --- /dev/null +++ b/queue-5.15/backlight-gpio_backlight-drop-output-gpio-direction-.patch 
@@ -0,0 +1,42 @@ +From 9cd28246e9771c3554d1d2fc467d7f2f489e179b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 09:29:03 +0000 +Subject: backlight: gpio_backlight: Drop output GPIO direction check for + initial power state + +From: Ying Liu + +[ Upstream commit fe1328b5b2a087221e31da77e617f4c2b70f3b7f ] + +So, let's drop output GPIO direction check and only check GPIO value to set +the initial power state. + +Fixes: 706dc68102bc ("backlight: gpio: Explicitly set the direction of the GPIO") +Signed-off-by: Liu Ying +Reviewed-by: Andy Shevchenko +Acked-by: Linus Walleij +Acked-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20230721093342.1532531-1-victor.liu@nxp.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/gpio_backlight.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/gpio_backlight.c b/drivers/video/backlight/gpio_backlight.c +index 5c5c99f7979e3..30ec5b6845335 100644 +--- a/drivers/video/backlight/gpio_backlight.c ++++ b/drivers/video/backlight/gpio_backlight.c +@@ -87,8 +87,7 @@ static int gpio_backlight_probe(struct platform_device *pdev) + /* Not booted with device tree or no phandle link to the node */ + bl->props.power = def_value ? FB_BLANK_UNBLANK + : FB_BLANK_POWERDOWN; +- else if (gpiod_get_direction(gbl->gpiod) == 0 && +- gpiod_get_value_cansleep(gbl->gpiod) == 0) ++ else if (gpiod_get_value_cansleep(gbl->gpiod) == 0) + bl->props.power = FB_BLANK_POWERDOWN; + else + bl->props.power = FB_BLANK_UNBLANK; +-- +2.40.1 + diff --git a/queue-5.15/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch b/queue-5.15/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch new file mode 100644 index 00000000000..8a76f12ea09 --- /dev/null +++ b/queue-5.15/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch 
@@ -0,0 +1,70 @@ +From 0bbf544078cff4a33e950ab0f01a6802789a240d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 09:44:40 +0800 +Subject: ceph: make members in struct ceph_mds_request_args_ext a union + +From: Xiubo Li + +[ Upstream commit 3af5ae22030cb59fab4fba35f5a2b62f47e14df9 ] + +In ceph mainline it will allow to set the btime in the setattr request +and just add a 'btime' member in the union 'ceph_mds_request_args' and +then bump up the header version to 4. That means the total size of union +'ceph_mds_request_args' will increase sizeof(struct ceph_timespec) bytes, +but in kclient it will increase the sizeof(setattr_ext) bytes for each +request. + +Since the MDS will always depend on the header's vesion and front_len +members to decode the 'ceph_mds_request_head' struct, at the same time +kclient hasn't supported the 'btime' feature yet in setattr request, +so it's safe to do this change here. + +This will save 48 bytes memories for each request. + +Fixes: 4f1ddb1ea874 ("ceph: implement updated ceph_mds_request_head structure") +Signed-off-by: Xiubo Li +Reviewed-by: Milind Changire +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + include/linux/ceph/ceph_fs.h | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/include/linux/ceph/ceph_fs.h b/include/linux/ceph/ceph_fs.h +index bc2699feddbeb..8038279a14fa0 100644 +--- a/include/linux/ceph/ceph_fs.h ++++ b/include/linux/ceph/ceph_fs.h +@@ -459,17 +459,19 @@ union ceph_mds_request_args { + } __attribute__ ((packed)); + + union ceph_mds_request_args_ext { +- union ceph_mds_request_args old; +- struct { +- __le32 mode; +- __le32 uid; +- __le32 gid; +- struct ceph_timespec mtime; +- struct ceph_timespec atime; +- __le64 size, old_size; /* old_size needed by truncate */ +- __le32 mask; /* CEPH_SETATTR_* */ +- struct ceph_timespec btime; +- } __attribute__ ((packed)) setattr_ext; ++ union { ++ union ceph_mds_request_args old; ++ struct { ++ 
__le32 mode; ++ __le32 uid; ++ __le32 gid; ++ struct ceph_timespec mtime; ++ struct ceph_timespec atime; ++ __le64 size, old_size; /* old_size needed by truncate */ ++ __le32 mask; /* CEPH_SETATTR_* */ ++ struct ceph_timespec btime; ++ } __attribute__ ((packed)) setattr_ext; ++ }; + }; + + #define CEPH_MDS_FLAG_REPLAY 1 /* this is a replayed op */ +-- +2.40.1 + diff --git a/queue-5.15/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch b/queue-5.15/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch new file mode 100644 index 00000000000..333cb1ffc93 --- /dev/null +++ b/queue-5.15/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch 
@@ -0,0 +1,74 @@ +From 5fa7e65f37517504cc532efeae85b3ef236ce54e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 18:35:16 -0700 +Subject: drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() + +From: Sean Christopherson + +[ Upstream commit a90c367e5af63880008e21dd199dac839e0e9e0f ] + +Drop intel_vgpu_reset_gtt() as it no longer has any callers. In addition +to eliminating dead code, this eliminates the last possible scenario where +__kvmgt_protect_table_find() can be reached without holding vgpu_lock. +Requiring vgpu_lock to be held when calling __kvmgt_protect_table_find() +will allow a protecting the gfn hash with vgpu_lock without too much fuss. + +No functional change intended. + +Fixes: ba25d977571e ("drm/i915/gvt: Do not destroy ppgtt_mm during vGPU D3->D0.") +Reviewed-by: Yan Zhao +Tested-by: Yongwei Ma +Reviewed-by: Zhi Wang +Link: https://lore.kernel.org/r/20230729013535.1070024-11-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gvt/gtt.c | 18 ------------------ + drivers/gpu/drm/i915/gvt/gtt.h | 1 - + 2 files changed, 19 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c +index 7ea7abef6143f..0344a0eef95c0 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -2864,24 +2864,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old) + ggtt_invalidate(gvt->gt); + } + +-/** +- * intel_vgpu_reset_gtt - reset the all GTT related status +- * @vgpu: a vGPU +- * +- * This function is called from vfio core to reset reset all +- * GTT related status, including GGTT, PPGTT, scratch page. +- * +- */ +-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu) +-{ +- /* Shadow pages are only created when there is no page +- * table tracking data, so remove page tracking data after +- * removing the shadow pages. 
+- */ +- intel_vgpu_destroy_all_ppgtt_mm(vgpu); +- intel_vgpu_reset_ggtt(vgpu, true); +-} +- + /** + * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries + * @gvt: intel gvt device +diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h +index 3bf45672ef987..8e8fe21186243 100644 +--- a/drivers/gpu/drm/i915/gvt/gtt.h ++++ b/drivers/gpu/drm/i915/gvt/gtt.h +@@ -224,7 +224,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old); + void intel_vgpu_invalidate_ppgtt(struct intel_vgpu *vgpu); + + int intel_gvt_init_gtt(struct intel_gvt *gvt); +-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu); + void intel_gvt_clean_gtt(struct intel_gvt *gvt); + + struct intel_vgpu_mm *intel_gvt_find_ppgtt_mm(struct intel_vgpu *vgpu, +-- +2.40.1 + diff --git a/queue-5.15/gfs2-low-memory-forced-flush-fixes.patch b/queue-5.15/gfs2-low-memory-forced-flush-fixes.patch new file mode 100644 index 00000000000..f9362eb76fb --- /dev/null +++ b/queue-5.15/gfs2-low-memory-forced-flush-fixes.patch 
@@ -0,0 +1,89 @@ +From 68f0cbd1b0ec4bd6464524f9bd47663cf73b6218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 17:15:46 +0200 +Subject: gfs2: low-memory forced flush fixes + +From: Andreas Gruenbacher + +[ Upstream commit b74cd55aa9a9d0aca760028a51343ec79812e410 ] + +First, function gfs2_ail_flush_reqd checks the SDF_FORCE_AIL_FLUSH flag +to determine if an AIL flush should be forced in low-memory situations. +However, it also immediately clears the flag, and when called repeatedly +as in function gfs2_logd, the flag will be lost. Fix that by pulling +the SDF_FORCE_AIL_FLUSH flag check out of gfs2_ail_flush_reqd. + +Second, function gfs2_writepages sets the SDF_FORCE_AIL_FLUSH flag +whether or not enough pages were written. If enough pages could be +written, flushing the AIL is unnecessary, though. + +Third, gfs2_writepages doesn't wake up logd after setting the +SDF_FORCE_AIL_FLUSH flag, so it can take a long time for logd to react. +It would be preferable to wake up logd, but that hurts the performance +of some workloads and we don't quite understand why so far, so don't +wake up logd so far. + +Fixes: b066a4eebd4f ("gfs2: forcibly flush ail to relieve memory pressure") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/aops.c | 4 ++-- + fs/gfs2/log.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c +index ee212c9310ad0..2b654c3b918a3 100644 +--- a/fs/gfs2/aops.c ++++ b/fs/gfs2/aops.c +@@ -207,13 +207,13 @@ static int gfs2_writepages(struct address_space *mapping, + int ret; + + /* +- * Even if we didn't write any pages here, we might still be holding ++ * Even if we didn't write enough pages here, we might still be holding + * dirty pages in the ail. We forcibly flush the ail because we don't + * want balance_dirty_pages() to loop indefinitely trying to write out + * pages held in the ail that it can't find. 
+ */ + ret = iomap_writepages(mapping, wbc, &wpc, &gfs2_writeback_ops); +- if (ret == 0) ++ if (ret == 0 && wbc->nr_to_write > 0) + set_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags); + return ret; + } +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index 924d7f0de1e83..9a96842aeab3d 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -1277,9 +1277,6 @@ static inline int gfs2_ail_flush_reqd(struct gfs2_sbd *sdp) + { + unsigned int used_blocks = sdp->sd_jdesc->jd_blocks - atomic_read(&sdp->sd_log_blks_free); + +- if (test_and_clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags)) +- return 1; +- + return used_blocks + atomic_read(&sdp->sd_log_blks_needed) >= + atomic_read(&sdp->sd_log_thresh2); + } +@@ -1320,7 +1317,9 @@ int gfs2_logd(void *data) + GFS2_LFC_LOGD_JFLUSH_REQD); + } + +- if (gfs2_ail_flush_reqd(sdp)) { ++ if (test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) || ++ gfs2_ail_flush_reqd(sdp)) { ++ clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags); + gfs2_ail1_start(sdp); + gfs2_ail1_wait(sdp); + gfs2_ail1_empty(sdp, 0); +@@ -1333,6 +1332,7 @@ int gfs2_logd(void *data) + try_to_freeze(); + + t = wait_event_interruptible_timeout(sdp->sd_logd_waitq, ++ test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) || + gfs2_ail_flush_reqd(sdp) || + gfs2_jrnl_flush_reqd(sdp) || + kthread_should_stop(), +-- +2.40.1 + diff --git a/queue-5.15/gfs2-switch-to-wait_event-in-gfs2_logd.patch b/queue-5.15/gfs2-switch-to-wait_event-in-gfs2_logd.patch new file mode 100644 index 00000000000..f8e3f59afdb --- /dev/null +++ b/queue-5.15/gfs2-switch-to-wait_event-in-gfs2_logd.patch 
@@ -0,0 +1,57 @@ +From feb770e0b51d10c4da805cce77c61762aef4da9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 15:46:16 +0200 +Subject: gfs2: Switch to wait_event in gfs2_logd + +From: Andreas Gruenbacher + +[ Upstream commit 6df373b09b1dcf2f7d579f515f653f89a896d417 ] + +In gfs2_logd(), switch from an open-coded wait loop to +wait_event_interruptible_timeout(). + +Signed-off-by: Andreas Gruenbacher +Stable-dep-of: b74cd55aa9a9 ("gfs2: low-memory forced flush fixes") +Signed-off-by: Sasha Levin +--- + fs/gfs2/log.c | 17 +++++------------ + 1 file changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index f0ee3ff6f9a87..924d7f0de1e83 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -1296,7 +1296,6 @@ int gfs2_logd(void *data) + { + struct gfs2_sbd *sdp = data; + unsigned long t = 1; +- DEFINE_WAIT(wait); + + while (!kthread_should_stop()) { + +@@ -1333,17 +1332,11 @@ int gfs2_logd(void *data) + + try_to_freeze(); + +- do { +- prepare_to_wait(&sdp->sd_logd_waitq, &wait, +- TASK_INTERRUPTIBLE); +- if (!gfs2_ail_flush_reqd(sdp) && +- !gfs2_jrnl_flush_reqd(sdp) && +- !kthread_should_stop()) +- t = schedule_timeout(t); +- } while(t && !gfs2_ail_flush_reqd(sdp) && +- !gfs2_jrnl_flush_reqd(sdp) && +- !kthread_should_stop()); +- finish_wait(&sdp->sd_logd_waitq, &wait); ++ t = wait_event_interruptible_timeout(sdp->sd_logd_waitq, ++ gfs2_ail_flush_reqd(sdp) || ++ gfs2_jrnl_flush_reqd(sdp) || ++ kthread_should_stop(), ++ t); + } + + return 0; +-- +2.40.1 + diff --git a/queue-5.15/gve-fix-frag_list-chaining.patch b/queue-5.15/gve-fix-frag_list-chaining.patch new file mode 100644 index 00000000000..28fe5d6d467 --- /dev/null +++ b/queue-5.15/gve-fix-frag_list-chaining.patch 
@@ -0,0 +1,58 @@ +From 45f15f6e1de0334918eec4de6eb28f68ac122778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 21:38:12 +0000 +Subject: gve: fix frag_list chaining + +From: Eric Dumazet + +[ Upstream commit 817c7cd2043a83a3d8147f40eea1505ac7300b62 ] + +gve_rx_append_frags() is able to build skbs chained with frag_list, +like GRO engine. + +Problem is that shinfo->frag_list should only be used +for the head of the chain. + +All other links should use skb->next pointer. + +Otherwise, built skbs are not valid and can cause crashes. + +Equivalent code in GRO (skb_gro_receive()) is: + + if (NAPI_GRO_CB(p)->last == p) + skb_shinfo(p)->frag_list = skb; + else + NAPI_GRO_CB(p)->last->next = skb; + NAPI_GRO_CB(p)->last = skb; + +Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path") +Signed-off-by: Eric Dumazet +Cc: Bailey Forrest +Cc: Willem de Bruijn +Cc: Catherine Sullivan +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_rx_dqo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c +index 7b18b4fd9e548..fdfe4c6d230f4 100644 +--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c +@@ -492,7 +492,10 @@ static int gve_rx_append_frags(struct napi_struct *napi, + if (!skb) + return -1; + +- skb_shinfo(rx->skb_tail)->frag_list = skb; ++ if (rx->ctx.skb_tail == rx->ctx.skb_head) ++ skb_shinfo(rx->ctx.skb_head)->frag_list = skb; ++ else ++ rx->ctx.skb_tail->next = skb; + rx->skb_tail = skb; + num_frags = 0; + } +-- +2.40.1 + diff --git a/queue-5.15/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch b/queue-5.15/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch new file mode 100644 index 00000000000..274d3e479b9 --- /dev/null +++ b/queue-5.15/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch 
@@ -0,0 +1,35 @@ +From bf1db7b8c9b83b7db87e1b7ccd1814b592098f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Aug 2023 20:33:17 +0300 +Subject: idr: fix param name in idr_alloc_cyclic() doc + +From: Ariel Marcovitch + +[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ] + +The relevant parameter is 'start' and not 'nextid' + +Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext") +Signed-off-by: Ariel Marcovitch +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + lib/idr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/idr.c b/lib/idr.c +index 7ecdfdb5309e7..13f2758c23773 100644 +--- a/lib/idr.c ++++ b/lib/idr.c +@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc); + * @end: The maximum ID (exclusive). + * @gfp: Memory allocation flags. + * +- * Allocates an unused ID in the range specified by @nextid and @end. If ++ * Allocates an unused ID in the range specified by @start and @end. If + * @end is <= 0, it is treated as one larger than %INT_MAX. This allows + * callers to use @start + N as @end as long as N is within integer range. + * The search for an unused ID will start at the last ID allocated and will +-- +2.40.1 + diff --git a/queue-5.15/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.15/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..6ac6949d680 --- /dev/null +++ b/queue-5.15/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch 
@@ -0,0 +1,44 @@ +From d664011496ba37e3f0893239370fabeda4bd229d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:58 +0200 +Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igb devices can use as low as 64 descriptors. +This change will unify igb with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Signed-off-by: Olga Zaborska +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h +index 015b781441149..a2b759531cb7b 100644 +--- a/drivers/net/ethernet/intel/igb/igb.h ++++ b/drivers/net/ethernet/intel/igb/igb.h +@@ -34,11 +34,11 @@ struct igb_adapter; + /* TX/RX descriptor defines */ + #define IGB_DEFAULT_TXD 256 + #define IGB_DEFAULT_TX_WORK 128 +-#define IGB_MIN_TXD 80 ++#define IGB_MIN_TXD 64 + #define IGB_MAX_TXD 4096 + + #define IGB_DEFAULT_RXD 256 +-#define IGB_MIN_RXD 80 ++#define IGB_MIN_RXD 64 + #define IGB_MAX_RXD 4096 + + #define IGB_DEFAULT_ITR 3 /* dynamic */ +-- +2.40.1 + diff --git a/queue-5.15/igb-disable-virtualization-features-on-82580.patch b/queue-5.15/igb-disable-virtualization-features-on-82580.patch new file mode 100644 index 00000000000..3cd2cd4d42b --- /dev/null +++ b/queue-5.15/igb-disable-virtualization-features-on-82580.patch 
@@ -0,0 +1,40 @@ +From b86c81ad896829162c7d733bc4805518b3dc50b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 14:19:13 +0200 +Subject: igb: disable virtualization features on 82580 + +From: Corinna Vinschen + +[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ] + +Disable virtualization features on 82580 just as on i210/i211. +This avoids that virt functions are acidentally called on 82850. + +Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices") +Signed-off-by: Corinna Vinschen +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 83daf86c1674b..c01114cabbb09 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3856,8 +3856,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter) + struct pci_dev *pdev = adapter->pdev; + struct e1000_hw *hw = &adapter->hw; + +- /* Virtualization features not supported on i210 family. */ +- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) ++ /* Virtualization features not supported on i210 and 82580 family. */ ++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) || ++ (hw->mac.type == e1000_82580)) + return; + + /* Of the below we really only want the effect of getting +-- +2.40.1 + diff --git a/queue-5.15/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch b/queue-5.15/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch new file mode 100644 index 00000000000..8399dbfbf35 --- /dev/null +++ b/queue-5.15/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch 
@@ -0,0 +1,44 @@ +From 75a3a0434ca5b3998482209476404d73b944b0c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:57 +0200 +Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igbvf devices can use as low as 64 descriptors. +This change will unify igbvf with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions") +Signed-off-by: Olga Zaborska +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h +index 975eb47ee04df..b39fca9827dc2 100644 +--- a/drivers/net/ethernet/intel/igbvf/igbvf.h ++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h +@@ -39,11 +39,11 @@ enum latency_range { + /* Tx/Rx descriptor defines */ + #define IGBVF_DEFAULT_TXD 256 + #define IGBVF_MAX_TXD 4096 +-#define IGBVF_MIN_TXD 80 ++#define IGBVF_MIN_TXD 64 + + #define IGBVF_DEFAULT_RXD 256 + #define IGBVF_MAX_RXD 4096 +-#define IGBVF_MIN_RXD 80 ++#define IGBVF_MIN_RXD 64 + + #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */ + #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */ +-- +2.40.1 + diff --git a/queue-5.15/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch b/queue-5.15/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch new file mode 100644 index 00000000000..c6127b577d0 --- /dev/null +++ b/queue-5.15/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch 
@@ -0,0 +1,44 @@ +From d70aa4a69877cadaed50f64484c765a530822389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:10:56 +0200 +Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 + +From: Olga Zaborska + +[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ] + +Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx +value between 64 and 80. All igc devices can use as low as 64 descriptors. +This change will unify igc with other drivers. +Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64") + +Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers") +Signed-off-by: Olga Zaborska +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 192fee9e72b05..e09ca21b8e3fe 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -359,11 +359,11 @@ static inline u32 igc_rss_type(const union igc_adv_rx_desc *rx_desc) + /* TX/RX descriptor defines */ + #define IGC_DEFAULT_TXD 256 + #define IGC_DEFAULT_TX_WORK 128 +-#define IGC_MIN_TXD 80 ++#define IGC_MIN_TXD 64 + #define IGC_MAX_TXD 4096 + + #define IGC_DEFAULT_RXD 256 +-#define IGC_MIN_RXD 80 ++#define IGC_MIN_RXD 64 + #define IGC_MAX_RXD 4096 + + /* Supported Rx Buffer Sizes */ +-- +2.40.1 + diff --git a/queue-5.15/input-tca6416-keypad-always-expect-proper-irq-number.patch b/queue-5.15/input-tca6416-keypad-always-expect-proper-irq-number.patch new file mode 100644 index 00000000000..7eb7d569473 --- /dev/null +++ b/queue-5.15/input-tca6416-keypad-always-expect-proper-irq-number.patch 
@@ -0,0 +1,128 @@ +From 3cf8969078e539172cacd10b317a25e83c24d875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 22:30:18 -0700 +Subject: Input: tca6416-keypad - always expect proper IRQ number in i2c client + +From: Dmitry Torokhov + +[ Upstream commit 687fe7dfb736b03ab820d172ea5dbfc1ec447135 ] + +Remove option having i2c client contain raw gpio number instead of proper +IRQ number. There are no users of this facility in mainline and it will +allow cleaning up the driver code with regard to wakeup handling, etc. + +Link: https://lore.kernel.org/r/20230724053024.352054-1-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Stable-dep-of: cc141c35af87 ("Input: tca6416-keypad - fix interrupt enable disbalance") +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/tca6416-keypad.c | 27 +++++++++---------------- + include/linux/tca6416_keypad.h | 1 - + 2 files changed, 10 insertions(+), 18 deletions(-) + +diff --git a/drivers/input/keyboard/tca6416-keypad.c b/drivers/input/keyboard/tca6416-keypad.c +index 2a97559100652..d65afa25c2405 100644 +--- a/drivers/input/keyboard/tca6416-keypad.c ++++ b/drivers/input/keyboard/tca6416-keypad.c +@@ -148,7 +148,7 @@ static int tca6416_keys_open(struct input_dev *dev) + if (chip->use_polling) + schedule_delayed_work(&chip->dwork, msecs_to_jiffies(100)); + else +- enable_irq(chip->irqnum); ++ enable_irq(chip->client->irq); + + return 0; + } +@@ -160,7 +160,7 @@ static void tca6416_keys_close(struct input_dev *dev) + if (chip->use_polling) + cancel_delayed_work_sync(&chip->dwork); + else +- disable_irq(chip->irqnum); ++ disable_irq(chip->client->irq); + } + + static int tca6416_setup_registers(struct tca6416_keypad_chip *chip) +@@ -266,12 +266,7 @@ static int tca6416_keypad_probe(struct i2c_client *client, + goto fail1; + + if (!chip->use_polling) { +- if (pdata->irq_is_gpio) +- chip->irqnum = gpio_to_irq(client->irq); +- else +- chip->irqnum = client->irq; +- +- error = 
request_threaded_irq(chip->irqnum, NULL, ++ error = request_threaded_irq(client->irq, NULL, + tca6416_keys_isr, + IRQF_TRIGGER_FALLING | + IRQF_ONESHOT | IRQF_NO_AUTOEN, +@@ -279,7 +274,7 @@ static int tca6416_keypad_probe(struct i2c_client *client, + if (error) { + dev_dbg(&client->dev, + "Unable to claim irq %d; error %d\n", +- chip->irqnum, error); ++ client->irq, error); + goto fail1; + } + } +@@ -298,8 +293,8 @@ static int tca6416_keypad_probe(struct i2c_client *client, + + fail2: + if (!chip->use_polling) { +- free_irq(chip->irqnum, chip); +- enable_irq(chip->irqnum); ++ free_irq(client->irq, chip); ++ enable_irq(client->irq); + } + fail1: + input_free_device(input); +@@ -312,8 +307,8 @@ static int tca6416_keypad_remove(struct i2c_client *client) + struct tca6416_keypad_chip *chip = i2c_get_clientdata(client); + + if (!chip->use_polling) { +- free_irq(chip->irqnum, chip); +- enable_irq(chip->irqnum); ++ free_irq(client->irq, chip); ++ enable_irq(client->irq); + } + + input_unregister_device(chip->input); +@@ -326,10 +321,9 @@ static int tca6416_keypad_remove(struct i2c_client *client) + static int tca6416_keypad_suspend(struct device *dev) + { + struct i2c_client *client = to_i2c_client(dev); +- struct tca6416_keypad_chip *chip = i2c_get_clientdata(client); + + if (device_may_wakeup(dev)) +- enable_irq_wake(chip->irqnum); ++ enable_irq_wake(client->irq); + + return 0; + } +@@ -337,10 +331,9 @@ static int tca6416_keypad_suspend(struct device *dev) + static int tca6416_keypad_resume(struct device *dev) + { + struct i2c_client *client = to_i2c_client(dev); +- struct tca6416_keypad_chip *chip = i2c_get_clientdata(client); + + if (device_may_wakeup(dev)) +- disable_irq_wake(chip->irqnum); ++ disable_irq_wake(client->irq); + + return 0; + } +diff --git a/include/linux/tca6416_keypad.h b/include/linux/tca6416_keypad.h +index b0d36a9934ccd..5cf6f6f82aa70 100644 +--- a/include/linux/tca6416_keypad.h ++++ b/include/linux/tca6416_keypad.h +@@ -25,7 +25,6 @@ struct 
tca6416_keys_platform_data { + unsigned int rep:1; /* enable input subsystem auto repeat */ + uint16_t pinmask; + uint16_t invert; +- int irq_is_gpio; + int use_polling; /* use polling if Interrupt is not connected*/ + }; + #endif +-- +2.40.1 + diff --git a/queue-5.15/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch b/queue-5.15/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch new file mode 100644 index 00000000000..3a60f6bdd0c --- /dev/null +++ b/queue-5.15/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch 
@@ -0,0 +1,52 @@ +From 2632301074c216fddbe24e87e467b1c239cd03aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 22:30:20 -0700 +Subject: Input: tca6416-keypad - fix interrupt enable disbalance + +From: Dmitry Torokhov + +[ Upstream commit cc141c35af873c6796e043adcb820833bd8ef8c5 ] + +The driver has been switched to use IRQF_NO_AUTOEN, but in the error +unwinding and remove paths calls to enable_irq() were left in place, which +will lead to an incorrect enable counter value. + +Fixes: bcd9730a04a1 ("Input: move to use request_irq by IRQF_NO_AUTOEN flag") +Link: https://lore.kernel.org/r/20230724053024.352054-3-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/tca6416-keypad.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/keyboard/tca6416-keypad.c b/drivers/input/keyboard/tca6416-keypad.c +index d65afa25c2405..508d84f6d00cb 100644 +--- a/drivers/input/keyboard/tca6416-keypad.c ++++ b/drivers/input/keyboard/tca6416-keypad.c +@@ -292,10 +292,8 @@ static int tca6416_keypad_probe(struct i2c_client *client, + return 0; + + fail2: +- if (!chip->use_polling) { ++ if (!chip->use_polling) + free_irq(client->irq, chip); +- enable_irq(client->irq); +- } + fail1: + input_free_device(input); + kfree(chip); +@@ -306,10 +304,8 @@ static int tca6416_keypad_remove(struct i2c_client *client) + { + struct tca6416_keypad_chip *chip = i2c_get_clientdata(client); + +- if (!chip->use_polling) { ++ if (!chip->use_polling) + free_irq(client->irq, chip); +- enable_irq(client->irq); +- } + + input_unregister_device(chip->input); + kfree(chip); +-- +2.40.1 + diff --git a/queue-5.15/ip_tunnels-use-dev_stats_inc.patch b/queue-5.15/ip_tunnels-use-dev_stats_inc.patch new file mode 100644 index 00000000000..330297ef5be --- /dev/null +++ b/queue-5.15/ip_tunnels-use-dev_stats_inc.patch 
@@ -0,0 +1,128 @@ +From e2a4e69c302157b33cde99867c32bc87eb67d942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 13:40:46 +0000 +Subject: ip_tunnels: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ] + +syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1] + +This can run from multiple cpus without mutual exclusion. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +[1] +BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit + +read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf 
kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0: +iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline] +iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87 +ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831 +__gre_xmit net/ipv4/ip_gre.c:469 [inline] +ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662 +__netdev_start_xmit include/linux/netdevice.h:4889 [inline] +netdev_start_xmit include/linux/netdevice.h:4903 [inline] +xmit_one net/core/dev.c:3544 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560 +__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340 +dev_queue_xmit include/linux/netdevice.h:3082 [inline] +__bpf_tx_skb net/core/filter.c:2129 [inline] +__bpf_redirect_no_mac net/core/filter.c:2159 [inline] +__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182 +____bpf_clone_redirect net/core/filter.c:2453 [inline] +bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425 +___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954 +__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195 +bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline] +__bpf_prog_run include/linux/filter.h:609 [inline] +bpf_prog_run include/linux/filter.h:616 [inline] +bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423 +bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045 +bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996 +__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353 +__do_sys_bpf kernel/bpf/syscall.c:5439 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5437 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000018830 -> 0x0000000000018831 + +Reported by Kernel 
Concurrency Sanitizer on: +CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0 + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 4eb0edc6640d9..17ec652e8f124 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -454,15 +454,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len) + tstats->tx_packets++; + u64_stats_update_end(&tstats->syncp); + put_cpu_ptr(tstats); ++ return; ++ } ++ ++ if (pkt_len < 0) { ++ DEV_STATS_INC(dev, tx_errors); ++ DEV_STATS_INC(dev, tx_aborted_errors); + } else { +- struct net_device_stats *err_stats = &dev->stats; +- +- if (pkt_len < 0) { +- err_stats->tx_errors++; +- err_stats->tx_aborted_errors++; +- } else { +- err_stats->tx_dropped++; +- } ++ DEV_STATS_INC(dev, tx_dropped); + } + } + +-- +2.40.1 + diff --git a/queue-5.15/ipv4-annotate-data-races-around-fi-fib_dead.patch b/queue-5.15/ipv4-annotate-data-races-around-fi-fib_dead.patch new file mode 100644 index 00000000000..85b2cd40e70 --- /dev/null +++ b/queue-5.15/ipv4-annotate-data-races-around-fi-fib_dead.patch 
@@ -0,0 +1,136 @@ +From 011cf45e0d6d1eee05f645641d6ec9906cc8eebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:55:20 +0000 +Subject: ipv4: annotate data-races around fi->fib_dead + +From: Eric Dumazet + +[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ] + +syzbot complained about a data-race in fib_table_lookup() [1] + +Add appropriate annotations to document it. + +[1] +BUG: KCSAN: data-race in fib_release_info / fib_table_lookup + +write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0: +fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281 +fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777 +fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106 +fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317 +fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448 +notifier_call_chain kernel/notifier.c:93 [inline] +blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388 +__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432 +inet_del_ifa net/ipv4/devinet.c:469 [inline] +inetdev_destroy net/ipv4/devinet.c:322 [inline] +inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1962 [inline] +call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037 +dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673 +do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837 +rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177 +rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445 +netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549 +rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914 +sock_sendmsg_nosec net/socket.c:725 [inline] +sock_sendmsg net/socket.c:748 [inline] +sock_write_iter+0x1aa/0x230 net/socket.c:1129 
+do_iter_write+0x4b4/0x7b0 fs/read_write.c:860 +vfs_writev+0x1a8/0x320 fs/read_write.c:933 +do_writev+0xf8/0x220 fs/read_write.c:976 +__do_sys_writev fs/read_write.c:1049 [inline] +__se_sys_writev fs/read_write.c:1046 [inline] +__x64_sys_writev+0x45/0x50 fs/read_write.c:1046 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1: +fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585 +fib_lookup include/net/ip_fib.h:383 [inline] +ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751 +ip_route_output_key_hash net/ipv4/route.c:2641 [inline] +__ip_route_output_key include/net/route.h:134 [inline] +ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869 +send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61 +wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175 +wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200 +wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] +wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51 +process_one_work+0x434/0x860 kernel/workqueue.c:2600 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +value changed: 0x00 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0 + +Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 5 ++++- + net/ipv4/fib_trie.c | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff 
--git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 607a4f8161555..799370bcc70c1 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -276,7 +276,8 @@ void fib_release_info(struct fib_info *fi) + hlist_del(&nexthop_nh->nh_hash); + } endfor_nexthops(fi) + } +- fi->fib_dead = 1; ++ /* Paired with READ_ONCE() from fib_table_lookup() */ ++ WRITE_ONCE(fi->fib_dead, 1); + fib_info_put(fi); + } + spin_unlock_bh(&fib_info_lock); +@@ -1598,6 +1599,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + link_it: + ofi = fib_find_info(fi); + if (ofi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + refcount_inc(&ofi->fib_treeref); +@@ -1636,6 +1638,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + + failure: + if (fi) { ++ /* fib_table_lookup() should not see @fi yet. */ + fi->fib_dead = 1; + free_fib_info(fi); + } +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 52f9f69f57b32..22531aac0ccbf 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1578,7 +1578,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp, + } + if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos) + continue; +- if (fi->fib_dead) ++ /* Paired with WRITE_ONCE() in fib_release_info() */ ++ if (READ_ONCE(fi->fib_dead)) + continue; + if (fa->fa_info->fib_scope < flp->flowi4_scope) + continue; +-- +2.40.1 + diff --git a/queue-5.15/ipv4-ignore-dst-hint-for-multipath-routes.patch b/queue-5.15/ipv4-ignore-dst-hint-for-multipath-routes.patch new file mode 100644 index 00000000000..f47ce798c0a --- /dev/null +++ b/queue-5.15/ipv4-ignore-dst-hint-for-multipath-routes.patch 
@@ -0,0 +1,71 @@ +From 617babff54c42d85e512672f4b901313d99919cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 10:03:30 +0200 +Subject: ipv4: ignore dst hint for multipath routes + +From: Sriram Yagnaraman + +[ Upstream commit 6ac66cb03ae306c2e288a9be18226310529f5b25 ] + +Route hints when the nexthop is part of a multipath group causes packets +in the same receive batch to be sent to the same nexthop irrespective of +the multipath hash of the packet. So, do not extract route hint for +packets whose destination is part of a multipath group. + +A new SKB flag IPSKB_MULTIPATH is introduced for this purpose, set the +flag when route is looked up in ip_mkroute_input() and use it in +ip_extract_route_hint() to check for the existence of the flag. + +Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive") +Signed-off-by: Sriram Yagnaraman +Reviewed-by: Ido Schimmel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 1 + + net/ipv4/ip_input.c | 3 ++- + net/ipv4/route.c | 1 + + 3 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index fc05e016be060..e1a93c3391090 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -56,6 +56,7 @@ struct inet_skb_parm { + #define IPSKB_FRAG_PMTU BIT(6) + #define IPSKB_L3SLAVE BIT(7) + #define IPSKB_NOPOLICY BIT(8) ++#define IPSKB_MULTIPATH BIT(9) + + u16 frag_max_size; + }; +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c +index 124bf8fdf924a..5d0bc0dbdb4d9 100644 +--- a/net/ipv4/ip_input.c ++++ b/net/ipv4/ip_input.c +@@ -581,7 +581,8 @@ static void ip_sublist_rcv_finish(struct list_head *head) + static struct sk_buff *ip_extract_route_hint(const struct net *net, + struct sk_buff *skb, int rt_type) + { +- if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST) ++ if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST || ++ IPCB(skb)->flags & IPSKB_MULTIPATH) + return NULL; + + return 
skb; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index ca59b61fd3a31..bc6240d327a8f 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2151,6 +2151,7 @@ static int ip_mkroute_input(struct sk_buff *skb, + int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys); + + fib_select_multipath(res, h); ++ IPCB(skb)->flags |= IPSKB_MULTIPATH; + } + #endif + +-- +2.40.1 + diff --git a/queue-5.15/kbuild-do-not-run-depmod-for-make-modules_sign.patch b/queue-5.15/kbuild-do-not-run-depmod-for-make-modules_sign.patch new file mode 100644 index 00000000000..3feadbf5a50 --- /dev/null +++ b/queue-5.15/kbuild-do-not-run-depmod-for-make-modules_sign.patch @@ -0,0 +1,41 @@ +From 8a5f290e12a0a172b02e970713c448ab9d1f0c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 20:50:41 +0900 +Subject: kbuild: do not run depmod for 'make modules_sign' + +From: Masahiro Yamada + +[ Upstream commit 2429742e506a2b5939a62c629c4a46d91df0ada8 ] + +Commit 961ab4a3cd66 ("kbuild: merge scripts/Makefile.modsign to +scripts/Makefile.modinst") started to run depmod at the end of +'make modules_sign'. + +Move the depmod rule to scripts/Makefile.modinst and run it only when +$(modules_sign_only) is empty. + +Fixes: 961ab4a3cd66 ("kbuild: merge scripts/Makefile.modsign to scripts/Makefile.modinst") +Signed-off-by: Masahiro Yamada +Reviewed-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Makefile b/Makefile +index 1f537b7286b5f..52baf426dcea5 100644 +--- a/Makefile ++++ b/Makefile +@@ -1835,7 +1835,9 @@ quiet_cmd_depmod = DEPMOD $(MODLIB) + + modules_install: + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst ++ifndef modules_sign_only + $(call cmd,depmod) ++endif + + else # CONFIG_MODULES + +-- +2.40.1 + diff --git a/queue-5.15/kcm-destroy-mutex-in-kcm_exit_net.patch b/queue-5.15/kcm-destroy-mutex-in-kcm_exit_net.patch new file mode 100644 index 00000000000..ad2ff3eff7e --- /dev/null 
+++ b/queue-5.15/kcm-destroy-mutex-in-kcm_exit_net.patch @@ -0,0 +1,37 @@ +From 31839b540035e7d753dd13adaa727e01c5614079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Sep 2023 02:07:08 +0900 +Subject: kcm: Destroy mutex in kcm_exit_net() + +From: Shigeru Yoshida + +[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ] + +kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially +needed if CONFIG_DEBUG_MUTEXES is enabled. + +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 9c60c0c18b4dd..43005bba2d407 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1982,6 +1982,8 @@ static __net_exit void kcm_exit_net(struct net *net) + * that all multiplexors and psocks have been destroyed. + */ + WARN_ON(!list_empty(&knet->mux_list)); ++ ++ mutex_destroy(&knet->mutex); + } + + static struct pernet_operations kcm_net_ops = { +-- +2.40.1 + diff --git a/queue-5.15/kconfig-fix-possible-buffer-overflow.patch b/queue-5.15/kconfig-fix-possible-buffer-overflow.patch new file mode 100644 index 00000000000..0f9279215d5 --- /dev/null +++ b/queue-5.15/kconfig-fix-possible-buffer-overflow.patch 
@@ -0,0 +1,38 @@ +From 20487042779fb998385cae2ac08550ede0ab0dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 17:59:14 +0800 +Subject: kconfig: fix possible buffer overflow + +From: Konstantin Meskhidze + +[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ] + +Buffer 'new_argv' is accessed without bound check after accessing with +bound check via 'new_argc' index. + +Fixes: e298f3b49def ("kconfig: add built-in function support") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/preprocess.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c +index 748da578b418c..d1f5bcff4b62d 100644 +--- a/scripts/kconfig/preprocess.c ++++ b/scripts/kconfig/preprocess.c +@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[]) + + p++; + } ++ ++ if (new_argc >= FUNCTION_MAX_ARGS) ++ pperror("too many function arguments"); + new_argv[new_argc++] = prev; + + /* +-- +2.40.1 + diff --git a/queue-5.15/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch b/queue-5.15/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch new file mode 100644 index 00000000000..62f0c7bd071 --- /dev/null +++ b/queue-5.15/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch 
@@ -0,0 +1,136 @@ +From 7188e724b0c0acbd16038dcf393e051728af0df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 00:53:38 +0300 +Subject: net: dsa: sja1105: complete tc-cbs offload support on SJA1110 + +From: Vladimir Oltean + +[ Upstream commit 180a7419fe4adc8d9c8e0ef0fd17bcdd0cf78acd ] + +The blamed commit left this delta behind: + + struct sja1105_cbs_entry { + - u64 port; + - u64 prio; + + u64 port; /* Not used for SJA1110 */ + + u64 prio; /* Not used for SJA1110 */ + u64 credit_hi; + u64 credit_lo; + u64 send_slope; + u64 idle_slope; + }; + +but did not actually implement tc-cbs offload fully for the new switch. +The offload is accepted, but it doesn't work. + +The difference compared to earlier switch generations is that now, the +table of CBS shapers is sparse, because there are many more shapers, so +the mapping between a {port, prio} and a table index is static, rather +than requiring us to store the port and prio into the sja1105_cbs_entry. + +So, the problem is that the code programs the CBS shaper parameters at a +dynamic table index which is incorrect. + +All that needs to be done for SJA1110 CBS shapers to work is to bypass +the logic which allocates shapers in a dense manner, as for SJA1105, and +use the fixed mapping instead. + +Fixes: 3e77e59bf8cf ("net: dsa: sja1105: add support for the SJA1110 switch family") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105.h | 2 ++ + drivers/net/dsa/sja1105/sja1105_main.c | 13 +++++++++++++ + drivers/net/dsa/sja1105/sja1105_spi.c | 4 ++++ + 3 files changed, 19 insertions(+) + +diff --git a/drivers/net/dsa/sja1105/sja1105.h b/drivers/net/dsa/sja1105/sja1105.h +index 5e5d24e7c02b2..548d585256fbb 100644 +--- a/drivers/net/dsa/sja1105/sja1105.h ++++ b/drivers/net/dsa/sja1105/sja1105.h +@@ -111,6 +111,8 @@ struct sja1105_info { + int max_frame_mem; + int num_ports; + bool multiple_cascade_ports; ++ /* Every {port, TXQ} has its own CBS shaper */ ++ bool fixed_cbs_mapping; + enum dsa_tag_protocol tag_proto; + const struct sja1105_dynamic_table_ops *dyn_ops; + const struct sja1105_table_ops *static_ops; +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 9176bd78b3d61..d5600d0d6ef10 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2014,12 +2014,22 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port, + } + + #define BYTES_PER_KBIT (1000LL / 8) ++/* Port 0 (the uC port) does not have CBS shapers */ ++#define SJA1110_FIXED_CBS(port, prio) ((((port) - 1) * SJA1105_NUM_TC) + (prio)) + + static int sja1105_find_cbs_shaper(struct sja1105_private *priv, + int port, int prio) + { + int i; + ++ if (priv->info->fixed_cbs_mapping) { ++ i = SJA1110_FIXED_CBS(port, prio); ++ if (i >= 0 && i < priv->info->num_cbs_shapers) ++ return i; ++ ++ return -1; ++ } ++ + for (i = 0; i < priv->info->num_cbs_shapers; i++) + if (priv->cbs[i].port == port && priv->cbs[i].prio == prio) + return i; +@@ -2031,6 +2041,9 @@ static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv) + { + int i; + ++ if (priv->info->fixed_cbs_mapping) ++ return -1; ++ + for (i = 0; i < priv->info->num_cbs_shapers; i++) + if (!priv->cbs[i].idle_slope && !priv->cbs[i].send_slope) + return i; +diff --git 
a/drivers/net/dsa/sja1105/sja1105_spi.c b/drivers/net/dsa/sja1105/sja1105_spi.c +index d3c9ad6d39d46..e6b61aef4127c 100644 +--- a/drivers/net/dsa/sja1105/sja1105_spi.c ++++ b/drivers/net/dsa/sja1105/sja1105_spi.c +@@ -781,6 +781,7 @@ const struct sja1105_info sja1110a_info = { + .tag_proto = DSA_TAG_PROTO_SJA1110, + .can_limit_mcast_flood = true, + .multiple_cascade_ports = true, ++ .fixed_cbs_mapping = true, + .ptp_ts_bits = 32, + .ptpegr_ts_bytes = 8, + .max_frame_mem = SJA1110_MAX_FRAME_MEMORY, +@@ -831,6 +832,7 @@ const struct sja1105_info sja1110b_info = { + .tag_proto = DSA_TAG_PROTO_SJA1110, + .can_limit_mcast_flood = true, + .multiple_cascade_ports = true, ++ .fixed_cbs_mapping = true, + .ptp_ts_bits = 32, + .ptpegr_ts_bytes = 8, + .max_frame_mem = SJA1110_MAX_FRAME_MEMORY, +@@ -881,6 +883,7 @@ const struct sja1105_info sja1110c_info = { + .tag_proto = DSA_TAG_PROTO_SJA1110, + .can_limit_mcast_flood = true, + .multiple_cascade_ports = true, ++ .fixed_cbs_mapping = true, + .ptp_ts_bits = 32, + .ptpegr_ts_bytes = 8, + .max_frame_mem = SJA1110_MAX_FRAME_MEMORY, +@@ -931,6 +934,7 @@ const struct sja1105_info sja1110d_info = { + .tag_proto = DSA_TAG_PROTO_SJA1110, + .can_limit_mcast_flood = true, + .multiple_cascade_ports = true, ++ .fixed_cbs_mapping = true, + .ptp_ts_bits = 32, + .ptpegr_ts_bytes = 8, + .max_frame_mem = SJA1110_MAX_FRAME_MEMORY, +-- +2.40.1 + diff --git a/queue-5.15/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch b/queue-5.15/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch new file mode 100644 index 00000000000..513726c2a2a --- /dev/null +++ b/queue-5.15/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch 
@@ -0,0 +1,136 @@ +From b5233eb3d9c9effc3afcfc8eac1f178287190775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 00:53:36 +0300 +Subject: net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software + and offload + +From: Vladimir Oltean + +[ Upstream commit 954ad9bf13c4f95a4958b5f8433301f2ab99e1f5 ] + +More careful measurement of the tc-cbs bandwidth shows that the stream +bandwidth (effectively idleslope) increases, there is a larger and +larger discrepancy between the rate limit obtained by the software +Qdisc, and the rate limit obtained by its offloaded counterpart. + +The discrepancy becomes so large, that e.g. at an idleslope of 40000 +(40Mbps), the offloaded cbs does not actually rate limit anything, and +traffic will pass at line rate through a 100 Mbps port. + +The reason for the discrepancy is that the hardware documentation I've +been following is incorrect. UM11040.pdf (for SJA1105P/Q/R/S) states +about IDLE_SLOPE that it is "the rate (in unit of bytes/sec) at which +the credit counter is increased". + +Cross-checking with UM10944.pdf (for SJA1105E/T) and UM11107.pdf +(for SJA1110), the wording is different: "This field specifies the +value, in bytes per second times link speed, by which the credit counter +is increased". + +So there's an extra scaling for link speed that the driver is currently +not accounting for, and apparently (empirically), that link speed is +expressed in Kbps. + +I've pondered whether to pollute the sja1105_mac_link_up() +implementation with CBS shaper reprogramming, but I don't think it is +worth it. IMO, the UAPI exposed by tc-cbs requires user space to +recalculate the sendslope anyway, since the formula for that depends on +port_transmit_rate (see man tc-cbs), which is not an invariant from tc's +perspective. 
+ +So we use the offload->sendslope and offload->idleslope to deduce the +original port_transmit_rate from the CBS formula, and use that value to +scale the offload->sendslope and offload->idleslope to values that the +hardware understands. + +Some numerical data points: + + 40Mbps stream, max interfering frame size 1500, port speed 100M + --------------------------------------------------------------- + + tc-cbs parameters: + idleslope 40000 sendslope -60000 locredit -900 hicredit 600 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 600 600 + credit_lo 900 900 + send_slope 7500000 75 + idle_slope 5000000 50 + + 40Mbps stream, max interfering frame size 1500, port speed 1G + ------------------------------------------------------------- + + tc-cbs parameters: + idleslope 40000 sendslope -960000 locredit -1440 hicredit 60 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 60 60 + credit_lo 1440 1440 + send_slope 120000000 120 + idle_slope 5000000 5 + + 5.12Mbps stream, max interfering frame size 1522, port speed 100M + ----------------------------------------------------------------- + + tc-cbs parameters: + idleslope 5120 sendslope -94880 locredit -1444 hicredit 77 + + which result in hardware values: + + Before (doesn't work) After (works) + credit_hi 77 77 + credit_lo 1444 1444 + send_slope 11860000 118 + idle_slope 640000 6 + +Tested on SJA1105T, SJA1105S and SJA1110A, at 1Gbps and 100Mbps. + +Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") +Reported-by: Yanan Yang +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index ef4d8d6c2bd7a..5f70773fa8201 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2049,6 +2049,7 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + { + struct sja1105_private *priv = ds->priv; + struct sja1105_cbs_entry *cbs; ++ s64 port_transmit_rate_kbps; + int index; + + if (!offload->enable) +@@ -2066,9 +2067,17 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + */ + cbs->credit_hi = offload->hicredit; + cbs->credit_lo = abs(offload->locredit); +- /* User space is in kbits/sec, hardware in bytes/sec */ +- cbs->idle_slope = offload->idleslope * BYTES_PER_KBIT; +- cbs->send_slope = abs(offload->sendslope * BYTES_PER_KBIT); ++ /* User space is in kbits/sec, while the hardware in bytes/sec times ++ * link speed. Since the given offload->sendslope is good only for the ++ * current link speed anyway, and user space is likely to reprogram it ++ * when that changes, don't even bother to track the port's link speed, ++ * but deduce the port transmit rate from idleslope - sendslope. ++ */ ++ port_transmit_rate_kbps = offload->idleslope - offload->sendslope; ++ cbs->idle_slope = div_s64(offload->idleslope * BYTES_PER_KBIT, ++ port_transmit_rate_kbps); ++ cbs->send_slope = div_s64(abs(offload->sendslope * BYTES_PER_KBIT), ++ port_transmit_rate_kbps); + /* Convert the negative values from 64-bit 2's complement + * to 32-bit 2's complement (for the case of 0x80000000 whose + * negative is still negative). +-- +2.40.1 + diff --git a/queue-5.15/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch b/queue-5.15/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch new file mode 100644 index 00000000000..c4daea72a0c --- /dev/null 
+++ b/queue-5.15/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch 
@@ -0,0 +1,81 @@ +From bba65b609343c07787b1f2372788e595a74cfc33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 00:53:37 +0300 +Subject: net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too + many times + +From: Vladimir Oltean + +[ Upstream commit 894cafc5c62ccced758077bd4e970dc714c42637 ] + +After running command [2] too many times in a row: + +[1] $ tc qdisc add dev sw2p0 root handle 1: mqprio num_tc 8 \ + map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 +[2] $ tc qdisc replace dev sw2p0 parent 1:1 cbs offload 1 \ + idleslope 120000 sendslope -880000 locredit -1320 hicredit 180 + +(aka more than priv->info->num_cbs_shapers times) + +we start seeing the following error message: + +Error: Specified device failed to setup cbs hardware offload. + +This comes from the fact that ndo_setup_tc(TC_SETUP_QDISC_CBS) presents +the same API for the qdisc create and replace cases, and the sja1105 +driver fails to distinguish between the 2. Thus, it always thinks that +it must allocate the same shaper for a {port, queue} pair, when it may +instead have to replace an existing one. + +Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 5f70773fa8201..9176bd78b3d61 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2015,6 +2015,18 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port, + + #define BYTES_PER_KBIT (1000LL / 8) + ++static int sja1105_find_cbs_shaper(struct sja1105_private *priv, ++ int port, int prio) ++{ ++ int i; ++ ++ for (i = 0; i < priv->info->num_cbs_shapers; i++) ++ if (priv->cbs[i].port == port && priv->cbs[i].prio == prio) ++ return i; ++ ++ return -1; ++} ++ + static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv) + { + int i; +@@ -2055,9 +2067,14 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port, + if (!offload->enable) + return sja1105_delete_cbs_shaper(priv, port, offload->queue); + +- index = sja1105_find_unused_cbs_shaper(priv); +- if (index < 0) +- return -ENOSPC; ++ /* The user may be replacing an existing shaper */ ++ index = sja1105_find_cbs_shaper(priv, port, offload->queue); ++ if (index < 0) { ++ /* That isn't the case - see if we can allocate a new one */ ++ index = sja1105_find_unused_cbs_shaper(priv); ++ if (index < 0) ++ return -ENOSPC; ++ } + + cbs = &priv->cbs[index]; + cbs->port = port; +-- +2.40.1 + diff --git a/queue-5.15/net-fib-avoid-warn-splat-in-flow-dissector.patch b/queue-5.15/net-fib-avoid-warn-splat-in-flow-dissector.patch new file mode 100644 index 00000000000..214a95dc6aa --- /dev/null +++ b/queue-5.15/net-fib-avoid-warn-splat-in-flow-dissector.patch 
@@ -0,0 +1,77 @@ +From 06b466b6777c5fa4560c05b91d7cd095836e1954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 13:00:37 +0200 +Subject: net: fib: avoid warn splat in flow dissector + +From: Florian Westphal + +[ Upstream commit 8aae7625ff3f0bd5484d01f1b8d5af82e44bec2d ] + +New skbs allocated via nf_send_reset() have skb->dev == NULL. + +fib*_rules_early_flow_dissect helpers already have a 'struct net' +argument but its not passed down to the flow dissector core, which +will then WARN as it can't derive a net namespace to use: + + WARNING: CPU: 0 PID: 0 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0xa91/0x1cd0 + [..] + ip_route_me_harder+0x143/0x330 + nf_send_reset+0x17c/0x2d0 [nf_reject_ipv4] + nft_reject_inet_eval+0xa9/0xf2 [nft_reject_inet] + nft_do_chain+0x198/0x5d0 [nf_tables] + nft_do_chain_inet+0xa4/0x110 [nf_tables] + nf_hook_slow+0x41/0xc0 + ip_local_deliver+0xce/0x110 + .. + +Cc: Stanislav Fomichev +Cc: David Ahern +Cc: Ido Schimmel +Fixes: 812fa71f0d96 ("netfilter: Dissect flow after packet mangling") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217826 +Signed-off-by: Florian Westphal +Reviewed-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20230830110043.30497-1-fw@strlen.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip6_fib.h | 5 ++++- + include/net/ip_fib.h | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h +index bbb27639f2933..d72cee4dff70b 100644 +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -610,7 +610,10 @@ static inline bool fib6_rules_early_flow_dissect(struct net *net, + if (!net->ipv6.fib6_rules_require_fldissect) + return false; + +- skb_flow_dissect_flow_keys(skb, flkeys, flag); ++ memset(flkeys, 0, sizeof(*flkeys)); ++ __skb_flow_dissect(net, skb, &flow_keys_dissector, ++ flkeys, NULL, 0, 0, 0, flag); ++ + fl6->fl6_sport = flkeys->ports.src; + fl6->fl6_dport = 
flkeys->ports.dst; + fl6->flowi6_proto = flkeys->basic.ip_proto; +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 3417ba2d27ad6..c3324a1949c3a 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -415,7 +415,10 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net, + if (!net->ipv4.fib_rules_require_fldissect) + return false; + +- skb_flow_dissect_flow_keys(skb, flkeys, flag); ++ memset(flkeys, 0, sizeof(*flkeys)); ++ __skb_flow_dissect(net, skb, &flow_keys_dissector, ++ flkeys, NULL, 0, 0, 0, flag); ++ + fl4->fl4_sport = flkeys->ports.src; + fl4->fl4_dport = flkeys->ports.dst; + fl4->flowi4_proto = flkeys->basic.ip_proto; +-- +2.40.1 + diff --git a/queue-5.15/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch b/queue-5.15/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch new file mode 100644 index 00000000000..f00afdf4f0a --- /dev/null +++ b/queue-5.15/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch 
@@ -0,0 +1,70 @@ +From b3b80a6049d9f413e7c7b9eeebc0ae69444592c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:14 +0800 +Subject: net: hns3: fix byte order conversion issue in + hclge_dbg_fd_tcam_read() + +From: Hao Chen + +[ Upstream commit efccf655e99b6907ca07a466924e91805892e7d3 ] + +req1->tcam_data is defined as "u8 tcam_data[8]", and we convert it as +(u32 *) without considerring byte order conversion, +it may result in printing wrong data for tcam_data. + +Convert tcam_data to (__le32 *) first to fix it. + +Fixes: b5a0b70d77b9 ("net: hns3: refactor dump fd tcam of debugfs") +Signed-off-by: Hao Chen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +index dd8b73aebe6a5..63665e8a7c718 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +@@ -1450,7 +1450,7 @@ static int hclge_dbg_fd_tcam_read(struct hclge_dev *hdev, bool sel_x, + struct hclge_desc desc[3]; + int pos = 0; + int ret, i; +- u32 *req; ++ __le32 *req; + + hclge_cmd_setup_basic_desc(&desc[0], HCLGE_OPC_FD_TCAM_OP, true); + desc[0].flag |= cpu_to_le16(HCLGE_CMD_FLAG_NEXT); +@@ -1475,22 +1475,22 @@ static int hclge_dbg_fd_tcam_read(struct hclge_dev *hdev, bool sel_x, + tcam_msg.loc); + + /* tcam_data0 ~ tcam_data1 */ +- req = (u32 *)req1->tcam_data; ++ req = (__le32 *)req1->tcam_data; + for (i = 0; i < 2; i++) + pos += scnprintf(tcam_buf + pos, HCLGE_DBG_TCAM_BUF_SIZE - pos, +- "%08x\n", *req++); ++ "%08x\n", le32_to_cpu(*req++)); + + /* tcam_data2 ~ tcam_data7 */ +- req = (u32 *)req2->tcam_data; ++ req = (__le32 *)req2->tcam_data; + for (i = 0; i < 6; i++) + pos += scnprintf(tcam_buf + pos, 
HCLGE_DBG_TCAM_BUF_SIZE - pos, +- "%08x\n", *req++); ++ "%08x\n", le32_to_cpu(*req++)); + + /* tcam_data8 ~ tcam_data12 */ +- req = (u32 *)req3->tcam_data; ++ req = (__le32 *)req3->tcam_data; + for (i = 0; i < 5; i++) + pos += scnprintf(tcam_buf + pos, HCLGE_DBG_TCAM_BUF_SIZE - pos, +- "%08x\n", *req++); ++ "%08x\n", le32_to_cpu(*req++)); + + return ret; + } +-- +2.40.1 + diff --git a/queue-5.15/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch b/queue-5.15/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch new file mode 100644 index 00000000000..aa4e1b1021c --- /dev/null +++ b/queue-5.15/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch 
@@ -0,0 +1,62 @@ +From 77ba5ca5f23f13f4cd26f408ce64ba23b40a0923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:15 +0800 +Subject: net: hns3: fix debugfs concurrency issue between kfree buffer and + read + +From: Hao Chen + +[ Upstream commit c295160b1d95e885f1af4586a221cb221d232d10 ] + +Now in hns3_dbg_uninit(), there may be concurrency between +kfree buffer and read, it may result in memory error. + +Moving debugfs_remove_recursive() in front of kfree buffer to ensure +they don't happen at the same time. + +Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") +Signed-off-by: Hao Chen +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index 3158c08a3aa9c..45f245b1d331c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -1171,9 +1171,9 @@ int hns3_dbg_init(struct hnae3_handle *handle) + return 0; + + out: +- mutex_destroy(&handle->dbgfs_lock); + debugfs_remove_recursive(handle->hnae3_dbgfs); + handle->hnae3_dbgfs = NULL; ++ mutex_destroy(&handle->dbgfs_lock); + return ret; + } + +@@ -1181,6 +1181,9 @@ void hns3_dbg_uninit(struct hnae3_handle *handle) + { + u32 i; + ++ debugfs_remove_recursive(handle->hnae3_dbgfs); ++ handle->hnae3_dbgfs = NULL; ++ + for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) + if (handle->dbgfs_buf[i]) { + kvfree(handle->dbgfs_buf[i]); +@@ -1188,8 +1191,6 @@ void hns3_dbg_uninit(struct hnae3_handle *handle) + } + + mutex_destroy(&handle->dbgfs_lock); +- debugfs_remove_recursive(handle->hnae3_dbgfs); +- handle->hnae3_dbgfs = NULL; + } + + void hns3_dbg_register_debugfs(const char *debugfs_dir_name) +-- +2.40.1 + 
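Review bot: in the net/ipv4/ip_input.c hunk of "ipv4: ignore dst hint for multipath routes", the new condition in ip_extract_route_hint() mixes `||` with a bare `&` test: `rt_type == RTN_BROADCAST || IPCB(skb)->flags & IPSKB_MULTIPATH`. Precedence makes this evaluate as intended, but the bit test should be parenthesised as `(IPCB(skb)->flags & IPSKB_MULTIPATH)` so that it reads unambiguously and does not trip compiler warnings about mixed operators. The net/ipv4/route.c hunk sets the flag inside a block that is closed by `#endif`, so a short comment next to the IPSKB_MULTIPATH definition in include/net/ip.h saying where it is set and why the hint path tests it would help the next reader.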
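Review bot: the commit message of "kbuild: do not run depmod for 'make modules_sign'" does not describe the change that is actually queued. It says "Move the depmod rule to scripts/Makefile.modinst", while the diffstat is `Makefile | 2 ++` and the only hunk wraps the existing `$(call cmd,depmod)` line of the modules_install recipe in `ifndef modules_sign_only` / `endif`. If this is a deliberate adaptation for 5.15, the message should carry a bracketed backport note saying so, so that anyone comparing against the upstream commit knows the difference is intended.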
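Review bot: in the scripts/kconfig/preprocess.c hunk of "kconfig: fix possible buffer overflow", the added check guards the store only if pperror() never returns. The lines read `if (new_argc >= FUNCTION_MAX_ARGS) pperror("too many function arguments");` followed unconditionally by `new_argv[new_argc++] = prev;`, so a pperror() that returned would still let the out-of-bounds write happen. The hunk should either state that dependency in a comment or make the control flow explicit, matching how the earlier bounds-checked use of new_argc in eval_clause() (mentioned in the commit message) handles the same condition.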
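Review bot: in the sja1105_main.c hunks of "net: dsa: sja1105: complete tc-cbs offload support on SJA1110", a request for port 0 on a fixed-mapping switch ends up reported as -ENOSPC. SJA1110_FIXED_CBS(port, prio) is negative for port 0, so sja1105_find_cbs_shaper() returns -1; sja1105_find_unused_cbs_shaper() now also returns -1 whenever fixed_cbs_mapping is set; and the caller shown in the "-ENOSPC when replacing the same tc-cbs" patch of this queue maps that to `return -ENOSPC;`. The comment above the macro says port 0 has no CBS shapers at all, so "no space" is misleading; consider rejecting that case explicitly with a distinct error code, and add a comment in sja1105_find_unused_cbs_shaper() explaining why the fixed-mapping case never allocates.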
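Review bot: in the sja1105_setup_tc_cbs() hunk of "net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload", the divisor is taken straight from the offload request and is never validated. `port_transmit_rate_kbps = offload->idleslope - offload->sendslope;` is zero whenever the two slopes are equal (for example both 0), and both following div_s64() calls then divide by zero; a positive sendslope larger than idleslope makes it negative. Check the value before dividing and fail the request if it is not positive. Note also that the variable is declared `s64` while div_s64() takes a 32-bit divisor, so either the declaration should match or the range should be checked. The numerical table in the commit message shows the integer division truncating (idle_slope 6 for the 5.12Mbps case); the code comment should say that this loss of precision is accepted.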
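Review bot: in "net: fib: avoid warn splat in flow dissector", the same open-coded sequence is added twice, once in fib6_rules_early_flow_dissect() (include/net/ip6_fib.h) and once in fib4_rules_early_flow_dissect() (include/net/ip_fib.h): `memset(flkeys, 0, sizeof(*flkeys));` followed by `__skb_flow_dissect(net, skb, &flow_keys_dissector, flkeys, NULL, 0, 0, 0, flag);`. The four positional `NULL, 0, 0, 0` arguments are opaque at the call site and the two copies can drift apart. A small shared inline helper that takes `net`, or at least a comment at each site saying that `net` is passed explicitly because skb->dev can be NULL here (as the commit message explains for nf_send_reset()), would make the intent visible in the code rather than only in the changelog.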
diff --git a/queue-5.15/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch b/queue-5.15/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch new file mode 100644 index 00000000000..eab9ff4fb13 --- /dev/null +++ b/queue-5.15/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch 
@@ -0,0 +1,153 @@ +From dc3e5ef6e46f15089fa5a751422848eecf951c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:16 +0800 +Subject: net: hns3: fix invalid mutex between tc qdisc and dcb ets command + issue + +From: Jijie Shao + +[ Upstream commit fa5564945f7d15ae2390b00c08b6abaef0165cda ] + +We hope that tc qdisc and dcb ets commands can not be used crosswise. +If we want to use any of the commands to configure tc, +We must use the other command to clear the existing configuration. + +However, when we configure a single tc with tc qdisc, +we can still configure it with dcb ets. +Because we use mqprio_active as the tag of tc qdisc configuration, +but with dcb ets, we do not check mqprio_active. + +This patch fix this issue by check mqprio_active before +executing the dcb ets command. and add dcb_ets_active to +replace HCLGE_FLAG_DCB_ENABLE and HCLGE_FLAG_MQPRIO_ENABLE +at the hclge layer, + +Fixes: cacde272dd00 ("net: hns3: Add hclge_dcb module for the support of DCB feature") +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 1 + + .../hisilicon/hns3/hns3pf/hclge_dcb.c | 20 +++++-------------- + .../hisilicon/hns3/hns3pf/hclge_main.c | 5 +++-- + .../hisilicon/hns3/hns3pf/hclge_main.h | 2 -- + 4 files changed, 9 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +index 9204f5ecd4151..695e299f534d5 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -757,6 +757,7 @@ struct hnae3_tc_info { + u16 tqp_offset[HNAE3_MAX_TC]; + u8 num_tc; /* Total number of enabled TCs */ + bool mqprio_active; ++ bool dcb_ets_active; + }; + + struct hnae3_knic_private_info { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index 87640a2e1794b..a15f2ed268a8d 
100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -251,7 +251,7 @@ static int hclge_ieee_setets(struct hnae3_handle *h, struct ieee_ets *ets) + int ret; + + if (!(hdev->dcbx_cap & DCB_CAP_DCBX_VER_IEEE) || +- hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE) ++ h->kinfo.tc_info.mqprio_active) + return -EINVAL; + + ret = hclge_ets_validate(hdev, ets, &num_tc, &map_changed); +@@ -267,10 +267,7 @@ static int hclge_ieee_setets(struct hnae3_handle *h, struct ieee_ets *ets) + } + + hclge_tm_schd_info_update(hdev, num_tc); +- if (num_tc > 1) +- hdev->flag |= HCLGE_FLAG_DCB_ENABLE; +- else +- hdev->flag &= ~HCLGE_FLAG_DCB_ENABLE; ++ h->kinfo.tc_info.dcb_ets_active = num_tc > 1; + + ret = hclge_ieee_ets_to_tm_info(hdev, ets); + if (ret) +@@ -376,7 +373,7 @@ static u8 hclge_getdcbx(struct hnae3_handle *h) + struct hclge_vport *vport = hclge_get_vport(h); + struct hclge_dev *hdev = vport->back; + +- if (hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE) ++ if (h->kinfo.tc_info.mqprio_active) + return 0; + + return hdev->dcbx_cap; +@@ -500,7 +497,8 @@ static int hclge_setup_tc(struct hnae3_handle *h, + if (!test_bit(HCLGE_STATE_NIC_REGISTERED, &hdev->state)) + return -EBUSY; + +- if (hdev->flag & HCLGE_FLAG_DCB_ENABLE) ++ kinfo = &vport->nic.kinfo; ++ if (kinfo->tc_info.dcb_ets_active) + return -EINVAL; + + ret = hclge_mqprio_qopt_check(hdev, mqprio_qopt); +@@ -514,7 +512,6 @@ static int hclge_setup_tc(struct hnae3_handle *h, + if (ret) + return ret; + +- kinfo = &vport->nic.kinfo; + memcpy(&old_tc_info, &kinfo->tc_info, sizeof(old_tc_info)); + hclge_sync_mqprio_qopt(&kinfo->tc_info, mqprio_qopt); + kinfo->tc_info.mqprio_active = tc > 0; +@@ -523,13 +520,6 @@ static int hclge_setup_tc(struct hnae3_handle *h, + if (ret) + goto err_out; + +- hdev->flag &= ~HCLGE_FLAG_DCB_ENABLE; +- +- if (tc > 1) +- hdev->flag |= HCLGE_FLAG_MQPRIO_ENABLE; +- else +- hdev->flag &= ~HCLGE_FLAG_MQPRIO_ENABLE; +- + return 
hclge_notify_init_up(hdev); + + err_out: +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 1d424b1ee6cd3..a415760505ab4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -11187,6 +11187,7 @@ static void hclge_get_mdix_mode(struct hnae3_handle *handle, + + static void hclge_info_show(struct hclge_dev *hdev) + { ++ struct hnae3_handle *handle = &hdev->vport->nic; + struct device *dev = &hdev->pdev->dev; + + dev_info(dev, "PF info begin:\n"); +@@ -11203,9 +11204,9 @@ static void hclge_info_show(struct hclge_dev *hdev) + dev_info(dev, "This is %s PF\n", + hdev->flag & HCLGE_FLAG_MAIN ? "main" : "not main"); + dev_info(dev, "DCB %s\n", +- hdev->flag & HCLGE_FLAG_DCB_ENABLE ? "enable" : "disable"); ++ handle->kinfo.tc_info.dcb_ets_active ? "enable" : "disable"); + dev_info(dev, "MQPRIO %s\n", +- hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE ? "enable" : "disable"); ++ handle->kinfo.tc_info.mqprio_active ? "enable" : "disable"); + dev_info(dev, "Default tx spare buffer size: %u\n", + hdev->tx_spare_buf_size); + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +index 4d6dbfe0be7a2..a716027df0ed1 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +@@ -902,8 +902,6 @@ struct hclge_dev { + + #define HCLGE_FLAG_MAIN BIT(0) + #define HCLGE_FLAG_DCB_CAPABLE BIT(1) +-#define HCLGE_FLAG_DCB_ENABLE BIT(2) +-#define HCLGE_FLAG_MQPRIO_ENABLE BIT(3) + u32 flag; + + u32 pkt_buf_size; /* Total pf buf size for tx/rx */ +-- +2.40.1 + diff --git a/queue-5.15/net-hns3-fix-the-port-information-display-when-sfp-i.patch b/queue-5.15/net-hns3-fix-the-port-information-display-when-sfp-i.patch new file mode 100644 index 00000000000..748850f22f3 --- /dev/null 
+++ b/queue-5.15/net-hns3-fix-the-port-information-display-when-sfp-i.patch @@ -0,0 +1,39 @@ +From 09a9906445164f3ab71840e0d7063d6ceecf681e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:17 +0800 +Subject: net: hns3: fix the port information display when sfp is absent + +From: Yisen Zhuang + +[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ] + +When sfp is absent or unidentified, the port type should be +displayed as PORT_OTHERS, rather than PORT_FIBRE. + +Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type") +Signed-off-by: Yisen Zhuang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +index 526fb56c84f24..17fa4e7684cd2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -739,7 +739,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev, + hns3_get_ksettings(h, cmd); + break; + case HNAE3_MEDIA_TYPE_FIBER: +- if (module_type == HNAE3_MODULE_TYPE_CR) ++ if (module_type == HNAE3_MODULE_TYPE_UNKNOWN) ++ cmd->base.port = PORT_OTHER; ++ else if (module_type == HNAE3_MODULE_TYPE_CR) + cmd->base.port = PORT_DA; + else + cmd->base.port = PORT_FIBRE; +-- +2.40.1 + diff --git a/queue-5.15/net-hns3-remove-gso-partial-feature-bit.patch b/queue-5.15/net-hns3-remove-gso-partial-feature-bit.patch new file mode 100644 index 00000000000..004ec57d821 --- /dev/null +++ b/queue-5.15/net-hns3-remove-gso-partial-feature-bit.patch 
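Review bot: The commit message names the new value PORT_OTHERS, but the hns3_get_link_ksettings() hunk assigns `PORT_OTHER`; the message should match the constant. The message also covers both an absent and an unidentified SFP while the code tests only `HNAE3_MODULE_TYPE_UNKNOWN`, so a one-line comment on that branch saying the value stands for both cases would help.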
@@ -0,0 +1,39 @@ +From 9b26454bd41824930357a991f58ac9a31f5b836b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 15:20:18 +0800 +Subject: net: hns3: remove GSO partial feature bit + +From: Jie Wang + +[ Upstream commit 60326634f6c54528778de18bfef1e8a7a93b3771 ] + +HNS3 NIC does not support GSO partial packets segmentation. Actually tunnel +packets for example NvGRE packets segment offload and checksum offload is +already supported. There is no need to keep gso partial feature bit. So +this patch removes it. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Jie Wang +Signed-off-by: Jijie Shao +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 2acf50ed6025a..3693ff55197dd 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -3118,8 +3118,6 @@ static void hns3_set_default_feature(struct net_device *netdev) + + netdev->priv_flags |= IFF_UNICAST_FLT; + +- netdev->gso_partial_features |= NETIF_F_GSO_GRE_CSUM; +- + netdev->features |= NETIF_F_HW_VLAN_CTAG_FILTER | + NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_RXCSUM | NETIF_F_SG | NETIF_F_GSO | +-- +2.40.1 + diff --git a/queue-5.15/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch b/queue-5.15/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch new file mode 100644 index 00000000000..5cecd05c47f --- /dev/null +++ b/queue-5.15/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch 
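Review bot: The subject says the GSO partial feature bit is removed, but the hns3_set_default_feature() hunk only drops the `netdev->gso_partial_features |= NETIF_F_GSO_GRE_CSUM;` assignment, and the `netdev->features |= ...` list that follows is cut off by the hunk context. Confirm that NETIF_F_GSO_PARTIAL is not left set in the feature masks further down, and reword the subject if the change is limited to gso_partial_features.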
@@ -0,0 +1,40 @@ +From b102bd8bafa1445ca20701557ee1942efb415c7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 22:41:27 -0600 +Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr + +From: Alex Henrie + +[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ] + +The existing code incorrectly casted a negative value (the result of a +subtraction) to an unsigned value without checking. For example, if +/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred +lifetime would jump to 4 billion seconds. On my machine and network the +shortest lifetime that avoided underflow was 3 seconds. + +Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR") +Signed-off-by: Alex Henrie +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 0c0b7969840f5..6572174e2115f 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1368,7 +1368,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block) + * idev->desync_factor if it's larger + */ + cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft); +- max_desync_factor = min_t(__u32, ++ max_desync_factor = min_t(long, + idev->cnf.max_desync_factor, + cnf_temp_preferred_lft - regen_advance); + +-- +2.40.1 + diff --git a/queue-5.15/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch b/queue-5.15/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch new file mode 100644 index 00000000000..3aa0ffd40c4 --- /dev/null +++ b/queue-5.15/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch 
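Review bot: With `min_t(long, ...)` in ipv6_create_tempaddr(), `cnf_temp_preferred_lft - regen_advance` is no longer wrapped to a huge unsigned value, so max_desync_factor can now come out negative when temp_prefered_lft is smaller than regen_advance. Its declaration and the code that consumes it are outside the hunk; check that it is a signed type and that a negative value is handled there. Separately, `idev->cnf.max_desync_factor` is read plainly two lines below a `READ_ONCE()` of `idev->cnf.temp_prefered_lft`; the two sysctl reads should be annotated consistently.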
@@ -0,0 +1,54 @@ +From b204507f3accf55a95065b5b5f9678159bcdaad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 06:53:23 +0200 +Subject: net: phy: micrel: Correct bit assignments for phy_device flags + +From: Oleksij Rempel + +[ Upstream commit 719c5e37e99d2fd588d1c994284d17650a66354c ] + +Previously, the defines for phy_device flags in the Micrel driver were +ambiguous in their representation. They were intended to be bit masks +but were mistakenly defined as bit positions. This led to the following +issues: + +- MICREL_KSZ8_P1_ERRATA, designated for KSZ88xx switches, overlapped + with MICREL_PHY_FXEN and MICREL_PHY_50MHZ_CLK. +- Due to this overlap, the code path for MICREL_PHY_FXEN, tailored for + the KSZ8041 PHY, was not executed for KSZ88xx PHYs. +- Similarly, the code associated with MICREL_PHY_50MHZ_CLK wasn't + triggered for KSZ88xx. + +To rectify this, all three flags have now been explicitly converted to +use the `BIT()` macro, ensuring they are defined as bit masks and +preventing potential overlaps in the future. + +Fixes: 49011e0c1555 ("net: phy: micrel: ksz886x/ksz8081: add cabletest support") +Signed-off-by: Oleksij Rempel +Reviewed-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/micrel_phy.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/micrel_phy.h b/include/linux/micrel_phy.h +index 3d43c60b49fa8..2d0f75ffa3233 100644 +--- a/include/linux/micrel_phy.h ++++ b/include/linux/micrel_phy.h +@@ -37,9 +37,9 @@ + #define PHY_ID_KSZ9477 0x00221631 + + /* struct phy_device dev_flags definitions */ +-#define MICREL_PHY_50MHZ_CLK 0x00000001 +-#define MICREL_PHY_FXEN 0x00000002 +-#define MICREL_KSZ8_P1_ERRATA 0x00000003 ++#define MICREL_PHY_50MHZ_CLK BIT(0) ++#define MICREL_PHY_FXEN BIT(1) ++#define MICREL_KSZ8_P1_ERRATA BIT(2) + + #define MICREL_KSZ9021_EXTREG_CTRL 0xB + #define MICREL_KSZ9021_EXTREG_DATA_WRITE 0xC +-- +2.40.1 + 
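Review bot: Of the three dev_flags defines, only MICREL_KSZ8_P1_ERRATA changes value (0x00000003 to BIT(2)); MICREL_PHY_50MHZ_CLK and MICREL_PHY_FXEN are numerically identical before and after, which the commit message should state so the scope of the behaviour change is clear. Callers that set dev_flags should be checked to use the macros rather than literal values, and since the hunk adds no include for `BIT()`, check that micrel_phy.h does not depend on its includers for it.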
diff --git a/queue-5.15/net-read-sk-sk_family-once-in-sk_mc_loop.patch b/queue-5.15/net-read-sk-sk_family-once-in-sk_mc_loop.patch new file mode 100644 index 00000000000..68d9673c46e --- /dev/null +++ b/queue-5.15/net-read-sk-sk_family-once-in-sk_mc_loop.patch 
@@ -0,0 +1,87 @@ +From 2c15269fd1082199aed3e8084d1191eeba743ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 10:12:44 +0000 +Subject: net: read sk->sk_family once in sk_mc_loop() + +From: Eric Dumazet + +[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ] + +syzbot is playing with IPV6_ADDRFORM quite a lot these days, +and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() + +We have many more similar issues to fix. + +WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 +Modules linked in: +CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +Workqueue: events_power_efficient gc_worker +RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 +Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 +RSP: 0018:ffffc90000388530 EFLAGS: 00010246 +RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 +RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 +RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 +R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 +R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 +FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +[] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 +[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] +[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 +[] NF_HOOK_COND include/linux/netfilter.h:298 [inline] +[] ip6_output+0x2bc/0x3d0 
net/ipv6/ip6_output.c:232 +[] dst_output include/net/dst.h:444 [inline] +[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 +[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] +[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] +[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] +[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 +[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 +[] netdev_start_xmit include/linux/netdevice.h:4925 [inline] +[] xmit_one net/core/dev.c:3644 [inline] +[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 +[] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 +[] qdisc_restart net/sched/sch_generic.c:407 [inline] +[] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 +[] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 +[] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 +[] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 +[] invoke_softirq kernel/softirq.c:430 [inline] +[] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 +[] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 + +Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index ae1e9e2b82557..4b63478cf021a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -717,7 +717,8 @@ bool sk_mc_loop(struct sock *sk) + return false; + if (!sk) + return true; +- switch (sk->sk_family) { ++ /* IPV6_ADDRFORM can change sk->sk_family under us. */ ++ switch (READ_ONCE(sk->sk_family)) { + case AF_INET: + return inet_sk(sk)->mc_loop; + #if IS_ENABLED(CONFIG_IPV6) +-- +2.40.1 + 
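Review bot: The `READ_ONCE(sk->sk_family)` in sk_mc_loop() annotates only the reader; the diffstat touches net/core/sock.c alone, so the store done by the IPV6_ADDRFORM path named in the new comment is still a plain write. Pair it with WRITE_ONCE() on that store, in this patch or a follow-up, so the annotation is complete on both sides.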
diff --git a/queue-5.15/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch b/queue-5.15/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch new file mode 100644 index 00000000000..b9edea90428 --- /dev/null +++ b/queue-5.15/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch 
@@ -0,0 +1,115 @@ +From aaefa0258c1c84adf7e80eeb58b3cb9fc3f9441e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 12:35:41 +0000 +Subject: net/sched: fq_pie: avoid stalls in fq_pie_timer() + +From: Eric Dumazet + +[ Upstream commit 8c21ab1bae945686c602c5bfa4e3f3352c2452c5 ] + +When setting a high number of flows (limit being 65536), +fq_pie_timer() is currently using too much time as syzbot reported. + +Add logic to yield the cpu every 2048 flows (less than 150 usec +on debug kernels). +It should also help by not blocking qdisc fast paths for too long. +Worst case (65536 flows) would need 31 jiffies for a complete scan. + +Relevant extract from syzbot report: + +rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/. +rcu: blocking rcu_node structures (internal RCU debug): +Sending NMI from CPU 1 to CPUs 0: +NMI backtrace for cpu 0 +CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline] +RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236 +Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b +RSP: 0018:ffffc90000007bb8 EFLAGS: 00000206 +RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0 +RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0 +DR0: 0000000000000000 
DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + + + pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415 + fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387 + call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 + +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Link: https://lore.kernel.org/lkml/00000000000017ad3f06040bf394@google.com/ +Reported-by: syzbot+e46fbd5289363464bc13@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Reviewed-by: Michal Kubiak +Reviewed-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230829123541.3745013-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_fq_pie.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index ce7833f95214f..1fb68c973f451 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -61,6 +61,7 @@ struct fq_pie_sched_data { + struct pie_params p_params; + u32 ecn_prob; + u32 flows_cnt; ++ u32 flows_cursor; + u32 quantum; + u32 memory_limit; + u32 new_flow_count; +@@ -378,21 +379,31 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + static void fq_pie_timer(struct timer_list *t) + { + struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer); ++ unsigned long next, tupdate; + struct Qdisc *sch = q->sch; + spinlock_t *root_lock; /* to lock qdisc for probability calculations */ +- u32 idx; ++ int max_cnt, i; + + root_lock = qdisc_lock(qdisc_root_sleeping(sch)); + spin_lock(root_lock); + +- for (idx = 0; idx < q->flows_cnt; idx++) +- pie_calculate_probability(&q->p_params, &q->flows[idx].vars, +- q->flows[idx].backlog); +- +- /* reset the timer to fire after 'tupdate' jiffies. 
*/ +- if (q->p_params.tupdate) +- mod_timer(&q->adapt_timer, jiffies + q->p_params.tupdate); ++ /* Limit this expensive loop to 2048 flows per round. */ ++ max_cnt = min_t(int, q->flows_cnt - q->flows_cursor, 2048); ++ for (i = 0; i < max_cnt; i++) { ++ pie_calculate_probability(&q->p_params, ++ &q->flows[q->flows_cursor].vars, ++ q->flows[q->flows_cursor].backlog); ++ q->flows_cursor++; ++ } + ++ tupdate = q->p_params.tupdate; ++ next = 0; ++ if (q->flows_cursor >= q->flows_cnt) { ++ q->flows_cursor = 0; ++ next = tupdate; ++ } ++ if (tupdate) ++ mod_timer(&q->adapt_timer, jiffies + next); + spin_unlock(root_lock); + } + +-- +2.40.1 + diff --git a/queue-5.15/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch b/queue-5.15/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch new file mode 100644 index 00000000000..e6928c99276 --- /dev/null +++ b/queue-5.15/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch 
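Review bot: In fq_pie_timer(), the re-arm is still guarded by `if (tupdate)`, so when tupdate is 0 the timer now processes at most 2048 flows and stops with flows_cursor left mid-array, where the old loop covered all flows_cnt entries in one call. Either re-arm with a zero delay whenever the cursor has not wrapped, regardless of tupdate, or document that a zero tupdate gives a partial pass. The 2048 batch size appears in both the comment and the `min_t()` call, so a named constant would keep them in sync, and `max_cnt` and `i` are int while flows_cnt and flows_cursor are u32.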
@@ -0,0 +1,242 @@ +From 758715418b9fcf084ff63261ebd93a41125fc021 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:22:37 -0400 +Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue() + +From: valis + +[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ] + +When the plug qdisc is used as a class of the qfq qdisc it could trigger a +UAF. This issue can be reproduced with following commands: + + tc qdisc add dev lo root handle 1: qfq + tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512 + tc qdisc add dev lo parent 1:1 handle 2: plug + tc filter add dev lo parent 1: basic classid 1:1 + ping -c1 127.0.0.1 + +and boom: + +[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0 +[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144 +[ 285.355903] +[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4 +[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +[ 285.358376] Call Trace: +[ 285.358773] +[ 285.359109] dump_stack_lvl+0x44/0x60 +[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0 +[ 285.360611] kasan_report+0x10c/0x120 +[ 285.361195] ? qfq_dequeue+0xa7/0x7f0 +[ 285.361780] qfq_dequeue+0xa7/0x7f0 +[ 285.362342] __qdisc_run+0xf1/0x970 +[ 285.362903] net_tx_action+0x28e/0x460 +[ 285.363502] __do_softirq+0x11b/0x3de +[ 285.364097] do_softirq.part.0+0x72/0x90 +[ 285.364721] +[ 285.365072] +[ 285.365422] __local_bh_enable_ip+0x77/0x90 +[ 285.366079] __dev_queue_xmit+0x95f/0x1550 +[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10 +[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 285.368259] ? __build_skb_around+0x129/0x190 +[ 285.368960] ? ip_generic_getfrag+0x12c/0x170 +[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10 +[ 285.370390] ? csum_partial+0x8/0x20 +[ 285.370961] ? raw_getfrag+0xe5/0x140 +[ 285.371559] ip_finish_output2+0x539/0xa40 +[ 285.372222] ? 
__pfx_ip_finish_output2+0x10/0x10 +[ 285.372954] ip_output+0x113/0x1e0 +[ 285.373512] ? __pfx_ip_output+0x10/0x10 +[ 285.374130] ? icmp_out_count+0x49/0x60 +[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10 +[ 285.375457] ip_push_pending_frames+0xf3/0x100 +[ 285.376173] raw_sendmsg+0xef5/0x12d0 +[ 285.376760] ? do_syscall_64+0x40/0x90 +[ 285.377359] ? __static_call_text_end+0x136578/0x136578 +[ 285.378173] ? do_syscall_64+0x40/0x90 +[ 285.378772] ? kasan_enable_current+0x11/0x20 +[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10 +[ 285.380137] ? __sock_create+0x13e/0x270 +[ 285.380673] ? __sys_socket+0xf3/0x180 +[ 285.381174] ? __x64_sys_socket+0x3d/0x50 +[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.382425] ? __rcu_read_unlock+0x48/0x70 +[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380 +[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10 +[ 285.384295] ? preempt_count_sub+0x14/0xc0 +[ 285.384844] ? __list_del_entry_valid+0x76/0x140 +[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0 +[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10 +[ 285.386645] ? release_sock+0xa0/0xd0 +[ 285.387148] ? preempt_count_sub+0x14/0xc0 +[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0 +[ 285.388341] ? aa_sk_perm+0x177/0x390 +[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10 +[ 285.389441] ? check_stack_object+0x22/0x70 +[ 285.390032] ? inet_send_prepare+0x2f/0x120 +[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10 +[ 285.391172] sock_sendmsg+0xcc/0xe0 +[ 285.391667] __sys_sendto+0x190/0x230 +[ 285.392168] ? __pfx___sys_sendto+0x10/0x10 +[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30 +[ 285.393328] ? set_normalized_timespec64+0x57/0x70 +[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40 +[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160 +[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10 +[ 285.395908] ? _copy_to_user+0x3e/0x60 +[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.397734] ? 
do_syscall_64+0x71/0x90 +[ 285.398258] __x64_sys_sendto+0x74/0x90 +[ 285.398786] do_syscall_64+0x64/0x90 +[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120 +[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50 +[ 285.400605] ? do_syscall_64+0x71/0x90 +[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.401807] RIP: 0033:0x495726 +[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09 +[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726 +[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000 +[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c +[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634 +[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000 +[ 285.410403] +[ 285.410704] +[ 285.410929] Allocated by task 144: +[ 285.411402] kasan_save_stack+0x1e/0x40 +[ 285.411926] kasan_set_track+0x21/0x30 +[ 285.412442] __kasan_slab_alloc+0x55/0x70 +[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0 +[ 285.413567] __alloc_skb+0x1b4/0x230 +[ 285.414060] __ip_append_data+0x17f7/0x1b60 +[ 285.414633] ip_append_data+0x97/0xf0 +[ 285.415144] raw_sendmsg+0x5a8/0x12d0 +[ 285.415640] sock_sendmsg+0xcc/0xe0 +[ 285.416117] __sys_sendto+0x190/0x230 +[ 285.416626] __x64_sys_sendto+0x74/0x90 +[ 285.417145] do_syscall_64+0x64/0x90 +[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 285.418306] +[ 285.418531] Freed by task 144: +[ 285.418960] kasan_save_stack+0x1e/0x40 +[ 285.419469] kasan_set_track+0x21/0x30 +[ 285.419988] kasan_save_free_info+0x27/0x40 +[ 285.420556] ____kasan_slab_free+0x109/0x1a0 +[ 285.421146] kmem_cache_free+0x1c2/0x450 +[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870 +[ 285.422333] __netif_receive_skb_one_core+0x97/0x140 +[ 285.423003] 
process_backlog+0x100/0x2f0 +[ 285.423537] __napi_poll+0x5c/0x2d0 +[ 285.424023] net_rx_action+0x2be/0x560 +[ 285.424510] __do_softirq+0x11b/0x3de +[ 285.425034] +[ 285.425254] The buggy address belongs to the object at ffff8880bad31280 +[ 285.425254] which belongs to the cache skbuff_head_cache of size 224 +[ 285.426993] The buggy address is located 40 bytes inside of +[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360) +[ 285.428572] +[ 285.428798] The buggy address belongs to the physical page: +[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31 +[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1) +[ 285.431447] page_type: 0xffffffff() +[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000 +[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 285.433562] page dumped because: kasan: bad access detected +[ 285.434144] +[ 285.434320] Memory state around the buggy address: +[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 285.436777] ^ +[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 285.438126] ================================================================== +[ 285.438662] Disabling lock debugging due to kernel taint + +Fix this by: +1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a +function compatible with non-work-conserving qdiscs +2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq. 
+ +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: valis +Signed-off-by: valis +Signed-off-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_plug.c | 2 +- + net/sched/sch_qfq.c | 22 +++++++++++++++++----- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c +index cbc2ebca4548c..339990bb59817 100644 +--- a/net/sched/sch_plug.c ++++ b/net/sched/sch_plug.c +@@ -210,7 +210,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = { + .priv_size = sizeof(struct plug_sched_data), + .enqueue = plug_enqueue, + .dequeue = plug_dequeue, +- .peek = qdisc_peek_head, ++ .peek = qdisc_peek_dequeued, + .init = plug_init, + .change = plug_change, + .reset = qdisc_reset_queue, +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 905c86b50215e..b1dbe03dde1b5 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -980,10 +980,13 @@ static void qfq_update_eligible(struct qfq_sched *q) + } + + /* Dequeue head packet of the head class in the DRR queue of the aggregate. 
*/ +-static void agg_dequeue(struct qfq_aggregate *agg, +- struct qfq_class *cl, unsigned int len) ++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, ++ struct qfq_class *cl, unsigned int len) + { +- qdisc_dequeue_peeked(cl->qdisc); ++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc); ++ ++ if (!skb) ++ return NULL; + + cl->deficit -= (int) len; + +@@ -993,6 +996,8 @@ static void agg_dequeue(struct qfq_aggregate *agg, + cl->deficit += agg->lmax; + list_move_tail(&cl->alist, &agg->active); + } ++ ++ return skb; + } + + static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, +@@ -1138,11 +1143,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) + if (!skb) + return NULL; + +- qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; ++ ++ skb = agg_dequeue(in_serv_agg, cl, len); ++ ++ if (!skb) { ++ sch->q.qlen++; ++ return NULL; ++ } ++ ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + +- agg_dequeue(in_serv_agg, cl, len); + /* If lmax is lowered, through qfq_change_class, for a class + * owning pending packets with larger size than the new value + * of lmax, then the following condition may hold. +-- +2.40.1 + diff --git a/queue-5.15/netfilter-nfnetlink_osf-avoid-oob-read.patch b/queue-5.15/netfilter-nfnetlink_osf-avoid-oob-read.patch new file mode 100644 index 00000000000..91ab11dec00 --- /dev/null +++ b/queue-5.15/netfilter-nfnetlink_osf-avoid-oob-read.patch 
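Review bot: In qfq_dequeue(), `sch->q.qlen--` is done before agg_dequeue() and undone with `sch->q.qlen++` on the NULL path; moving the decrement below the `if (!skb)` check removes the transient wrong count and the undo. agg_dequeue() would also benefit from a short comment saying that qdisc_dequeue_peeked() can return NULL for a non-work-conserving child such as plug, since that is the reason for the new return value.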
@@ -0,0 +1,59 @@ +From 629154d688a5f441d535b400b0227bdf98c8659d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 10:50:20 -0300 +Subject: netfilter: nfnetlink_osf: avoid OOB read + +From: Wander Lairson Costa + +[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ] + +The opt_num field is controlled by user mode and is not currently +validated inside the kernel. An attacker can take advantage of this to +trigger an OOB read and potentially leak information. + +BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 +Read of size 2 at addr ffff88804bc64272 by task poc/6431 + +CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1 +Call Trace: + nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88 + nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281 + nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47 + expr_call_ops_eval net/netfilter/nf_tables_core.c:214 + nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264 + nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23 + [..] + +Also add validation to genre, subtype and version fields. 
+ +Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match") +Reported-by: Lucas Leong +Signed-off-by: Wander Lairson Costa +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_osf.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c +index 8f1bfa6ccc2d9..50723ba082890 100644 +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -315,6 +315,14 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, + + f = nla_data(osf_attrs[OSF_ATTR_FINGER]); + ++ if (f->opt_num > ARRAY_SIZE(f->opt)) ++ return -EINVAL; ++ ++ if (!memchr(f->genre, 0, MAXGENRELEN) || ++ !memchr(f->subtype, 0, MAXGENRELEN) || ++ !memchr(f->version, 0, MAXGENRELEN)) ++ return -EINVAL; ++ + kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL); + if (!kf) + return -ENOMEM; +-- +2.40.1 + diff --git a/queue-5.15/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch b/queue-5.15/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch new file mode 100644 index 00000000000..61f2ad3654d --- /dev/null +++ b/queue-5.15/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch 
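Review bot: In nfnl_osf_add_callback(), the three `memchr()` calls bound genre, subtype and version with MAXGENRELEN, while the opt_num check just above uses `ARRAY_SIZE(f->opt)`; use `sizeof(f->genre)`, `sizeof(f->subtype)` and `sizeof(f->version)` so each bound follows its own field. The checks also read `f` straight from `nla_data()`, so they rely on the attribute length having been validated against the struct size before this point, which the hunk does not show.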
@@ -0,0 +1,96 @@ +From fd14d75508aec873f251f77bab8efdd31788ea96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 23:13:56 +0200 +Subject: netfilter: nftables: exthdr: fix 4-byte stack OOB write + +From: Florian Westphal + +[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ] + +If priv->len is a multiple of 4, then dst[len / 4] can write past +the destination array which leads to stack corruption. + +This construct is necessary to clean the remainder of the register +in case ->len is NOT a multiple of the register size, so make it +conditional just like nft_payload.c does. + +The bug was added in 4.1 cycle and then copied/inherited when +tcp/sctp and ip option support was added. + +Bug reported by Zero Day Initiative project (ZDI-CAN-21950, +ZDI-CAN-21951, ZDI-CAN-21961). + +Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") +Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") +Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") +Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index 9e927ab4df151..3609680831a14 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) + return opt[offset + 1]; + } + ++static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) ++{ ++ if (len % NFT_REG32_SIZE) ++ dest[len / NFT_REG32_SIZE] = 0; ++ ++ return skb_copy_bits(skb, offset, dest, len); ++} ++ + static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) +@@ -56,8 +64,7 @@ static void 
nft_exthdr_ipv6_eval(const struct nft_expr *expr, + } + offset += priv->offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; +- if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) ++ if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) + goto err; + return; + err: +@@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, + } + offset += priv->offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; +- if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) ++ if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) + goto err; + return; + err: +@@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, + if (priv->flags & NFT_EXTHDR_F_PRESENT) { + *dest = 1; + } else { +- dest[priv->len / NFT_REG32_SIZE] = 0; ++ if (priv->len % NFT_REG32_SIZE) ++ dest[priv->len / NFT_REG32_SIZE] = 0; + memcpy(dest, opt + offset, priv->len); + } + +@@ -335,9 +342,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, + offset + ntohs(sch->length) > pkt->skb->len) + break; + +- dest[priv->len / NFT_REG32_SIZE] = 0; +- if (skb_copy_bits(pkt->skb, offset + priv->offset, +- dest, priv->len) < 0) ++ if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset, ++ dest, priv->len) < 0) + break; + return; + } +-- +2.40.1 + diff --git a/queue-5.15/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch b/queue-5.15/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch new file mode 100644 index 00000000000..2e54535e719 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch 
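Review bot: nft_skb_copy_to_reg() has no comment explaining why the trailing register word is zeroed only when `len % NFT_REG32_SIZE` is non-zero, which is the entire fix; add one stating that `dest[len / NFT_REG32_SIZE]` lies past the destination when len is a multiple of the register size. nft_exthdr_tcp_eval() open-codes the same condition before its `memcpy()`, so a small shared helper for the zeroing would keep the four call sites from drifting apart again.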
@@ -0,0 +1,81 @@ +From e18836ca6bfa88f98eb4d72dba7951eeae3a7807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Sep 2023 12:18:16 +0530 +Subject: octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox + handler + +From: Geetha sowjanya + +[ Upstream commit 29fe7a1b62717d58f033009874554d99d71f7d37 ] + +The smq value used in the CN10K NIX AQ instruction enqueue mailbox +handler was truncated to 9-bit value from 10-bit value because of +typecasting the CN10K mbox request structure to the CN9K structure. +Though this hasn't caused any problems when programming the NIX SQ +context to the HW because the context structure is the same size. +However, this causes a problem when accessing the structure parameters. +This patch reads the right smq value for each platform. + +Fixes: 30077d210c83 ("octeontx2-af: cn10k: Update NIX/NPA context structure") +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Kovvuri Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/af/rvu_nix.c | 21 +++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index f5922d63e33e4..1593efc4502b5 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -841,6 +841,21 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block, + return 0; + } + ++static void nix_get_aq_req_smq(struct rvu *rvu, struct nix_aq_enq_req *req, ++ u16 *smq, u16 *smq_mask) ++{ ++ struct nix_cn10k_aq_enq_req *aq_req; ++ ++ if (!is_rvu_otx2(rvu)) { ++ aq_req = (struct nix_cn10k_aq_enq_req *)req; ++ *smq = aq_req->sq.smq; ++ *smq_mask = aq_req->sq_mask.smq; ++ } else { ++ *smq = req->sq.smq; ++ *smq_mask = req->sq_mask.smq; ++ } ++} ++ + static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw, + struct nix_aq_enq_req 
*req, + struct nix_aq_enq_rsp *rsp) +@@ -852,6 +867,7 @@ static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw, + struct rvu_block *block; + struct admin_queue *aq; + struct rvu_pfvf *pfvf; ++ u16 smq, smq_mask; + void *ctx, *mask; + bool ena; + u64 cfg; +@@ -923,13 +939,14 @@ static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw, + if (rc) + return rc; + ++ nix_get_aq_req_smq(rvu, req, &smq, &smq_mask); + /* Check if SQ pointed SMQ belongs to this PF/VF or not */ + if (req->ctype == NIX_AQ_CTYPE_SQ && + ((req->op == NIX_AQ_INSTOP_INIT && req->sq.ena) || + (req->op == NIX_AQ_INSTOP_WRITE && +- req->sq_mask.ena && req->sq_mask.smq && req->sq.ena))) { ++ req->sq_mask.ena && req->sq.ena && smq_mask))) { + if (!is_valid_txschq(rvu, blkaddr, NIX_TXSCH_LVL_SMQ, +- pcifunc, req->sq.smq)) ++ pcifunc, smq)) + return NIX_AF_ERR_AQ_ENQUEUE; + } + +-- +2.40.1 + diff --git a/queue-5.15/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch b/queue-5.15/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch new file mode 100644 index 00000000000..d97797644ab --- /dev/null +++ b/queue-5.15/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch 
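Review bot: the rewritten condition in rvu_nix_blk_aq_enq_inst still reads `req->sq_mask.ena` and `req->sq.ena` through the CN9K `struct nix_aq_enq_req` view, and only smq is routed through nix_get_aq_req_smq(). The commit message attributes the truncation to accessing fields through the wrong structure, so either say (in the message or in a comment on the helper) that `ena` sits at the same position in the CN10K layout, or fetch it in the helper as well. nix_get_aq_req_smq() is also called before the `req->ctype == NIX_AQ_CTYPE_SQ` test, so sq.smq is read for every context type; moving the call inside the SQ branch would keep the read next to its only use.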
@@ -0,0 +1,114 @@ +From a87074618a41df1c745b4223b47c29098903de81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 18:22:14 -0300 +Subject: perf annotate bpf: Don't enclose non-debug code with an assert() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ] + +In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we +started using NDEBUG=1 when DEBUG=1 isn't present, so code that is +enclosed with assert() is not called. + +In dd317df072071903 ("perf build: Make binutil libraries opt in") we +stopped linking against binutils-devel, for licensing reasons. + +Recently people asked me why annotation of BPF programs wasn't working, +i.e. this: + + $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb + +was returning: + + case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF: + scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation"); + +This was on a fedora rpm, so its new enough that I had to try to test by +rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me. + +This combination made this libopcode function not to be called: + + assert(bfd_check_format(bfdf, bfd_object)); + +Changing it to: + + if (!bfd_check_format(bfdf, bfd_object)) + abort(); + +Made it work, looking at this "check" function made me realize it +changes the 'bfdf' internal state, i.e. we better call it. + +So stop using assert() on it, just call it and abort if it fails. + +Probably it is better to propagate the error, etc, but it seems it is +unlikely to fail from the usage done so far and we really need to stop +using libopcodes, so do the quick fix above and move on. 
+ +With it we have BPF annotation back working when built with +BUILD_NONDISTRO=1: + + ⬢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb | head + No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found + Samples: 12 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period] + bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb + Percent int kfree_skb(struct trace_event_raw_kfree_skb *args) { + nop + 33.33 xchg %ax,%ax + push %rbp + mov %rsp,%rbp + sub $0x180,%rsp + push %rbx + push %r13 + ⬢[acme@toolbox perf-tools-next]$ + +Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mohamed Mahmoud +Cc: Namhyung Kim +Cc: Dave Tucker +Cc: Derek Barbosa +Cc: Song Liu +Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index a5e87c7f4f4eb..60b232eba5c82 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1729,8 +1729,11 @@ static int symbol__disassemble_bpf(struct symbol *sym, + perf_exe(tpath, sizeof(tpath)); + + bfdf = bfd_openr(tpath, NULL); +- assert(bfdf); +- assert(bfd_check_format(bfdf, bfd_object)); ++ if (bfdf == NULL) ++ abort(); ++ ++ if (!bfd_check_format(bfdf, bfd_object)) ++ abort(); + + s = open_memstream(&buf, &buf_size); + if (!s) { +@@ -1778,7 +1781,8 @@ static int symbol__disassemble_bpf(struct symbol *sym, + #else + disassemble = disassembler(bfdf); + #endif +- assert(disassemble); ++ if (disassemble == NULL) ++ abort(); + + fflush(s); + do { +-- +2.40.1 + 
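Review bot: the three new abort() calls in symbol__disassemble_bpf (after bfd_openr(), bfd_check_format() and disassembler()) terminate perf without any message, although the function returns int and the next statement, `if (!s) {` after open_memstream(), already has an error path. Reporting which step failed and returning through that path would be the error propagation the commit message itself calls probably better; at minimum print a diagnostic before abort() so a libopcodes failure can be told apart from a crash. A short comment that bfd_check_format() changes the state of bfdf and must always run would keep it from being wrapped in assert() again.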
diff --git a/queue-5.15/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch b/queue-5.15/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch new file mode 100644 index 00000000000..87d49ed029d --- /dev/null +++ b/queue-5.15/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch 
@@ -0,0 +1,85 @@ +From cd3de552ce559418aa3369cf0bb4353cb9e48f7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 09:11:21 -0300 +Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ] + +While debugging a segfault on 'perf lock contention' without an +available perf.data file I noticed that it was basically calling: + + perf_session__delete(ERR_PTR(-1)) + +Resulting in: + + (gdb) run lock contention + Starting program: /root/bin/perf lock contention + [Thread debugging using libthread_db enabled] + Using host libthread_db library "/lib64/libthread_db.so.1". + failed to open perf.data: No such file or directory (try 'perf record' first) + Initializing perf session failed + + Program received signal SIGSEGV, Segmentation fault. + 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + 2858 if (!session->auxtrace) + (gdb) p session + $1 = (struct perf_session *) 0xffffffffffffffff + (gdb) bt + #0 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858 + #1 0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300 + #2 0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161 + #3 0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604 + #4 0x0000000000501466 in run_builtin (p=0xe597a8 , argc=2, argv=0x7fffffffe200) at perf.c:322 + #5 0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375 + #6 0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419 + #7 0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535 + (gdb) + +So just set it to NULL after using PTR_ERR(session) to decode the error +as perf_session__delete(NULL) is supported. 
+ +The same problem was found in 'perf top' after an audit of all +perf_session__new() failure handling. + +Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure") +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Greg Kroah-Hartman +Cc: Jeremie Galarneau +Cc: Jiri Olsa +Cc: Kate Stewart +Cc: Mamatha Inamdar +Cc: Mukesh Ojha +Cc: Nageswara R Sastry +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Shawn Landden +Cc: Song Liu +Cc: Thomas Gleixner +Cc: Tzvetomir Stoyanov +Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index a3ae9176a83e2..6fdd401ec9c56 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1743,6 +1743,7 @@ int cmd_top(int argc, const char **argv) + top.session = perf_session__new(NULL, NULL); + if (IS_ERR(top.session)) { + status = PTR_ERR(top.session); ++ top.session = NULL; + goto out_delete_evlist; + } + +-- +2.40.1 + diff --git a/queue-5.15/perf-trace-really-free-the-evsel-priv-area.patch b/queue-5.15/perf-trace-really-free-the-evsel-priv-area.patch new file mode 100644 index 00000000000..8de4d468b6e --- /dev/null +++ b/queue-5.15/perf-trace-really-free-the-evsel-priv-area.patch 
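Review bot: `top.session = NULL;` in cmd_top fixes this one caller, but it leaves the cleanup at out_delete_evlist dependent on every perf_session__new() failure path remembering to clear the pointer first. Consider having perf_session__delete() return early for an ERR_PTR() value the way the commit message says it does for NULL, so the cleanup is safe however the caller left the pointer. The gdb session in the commit message is from 'perf lock contention' (builtin-lock.c) while the hunk touches only builtin-top.c; one sentence saying where the lock caller is handled would make the message match the diff.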
@@ -0,0 +1,100 @@ +From d2d6bd4a75af3cc3ea575fd170cc87303d2f6ea9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 15:37:14 -0300 +Subject: perf trace: Really free the evsel->priv area + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 7962ef13651a9163f07b530607392ea123482e8a ] + +In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in +evsel->priv") it only was freeing if strcmp(evsel->tp_format->system, +"syscalls") returned zero, while the corresponding initialization of +evsel->priv was being performed if it was _not_ zero, i.e. if the tp +system wasn't 'syscalls'. + +Just stop looking for that and free it if evsel->priv was set, which +should be equivalent. + +Also use the pre-existing evsel_trace__delete() function. + +This resolves these leaks, detected with: + + $ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin + + ================================================================= + ==481565==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 40 byte(s) in 1 object(s) allocated from: + #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) + #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) + #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 + #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 + #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 + #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 + #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212 + #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 + #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 + #9 0x5ef262 in run_builtin 
/home/acme/git/perf-tools-next/tools/perf/perf.c:323 + #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 + #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 + #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 + #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) + + Direct leak of 40 byte(s) in 1 object(s) allocated from: + #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) + #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) + #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 + #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 + #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 + #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 + #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205 + #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 + #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 + #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323 + #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 + #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 + #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 + #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) + + SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s). + [root@quaco ~]# + +With this we plug all leaks with "perf trace sleep 1". 
+ +Fixes: 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in evsel->priv") +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Riccardo Mancini +Link: https://lore.kernel.org/lkml/20230719202951.534582-5-acme@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index d912dc878a6e9..6755370483b06 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -3124,13 +3124,8 @@ static void evlist__free_syscall_tp_fields(struct evlist *evlist) + struct evsel *evsel; + + evlist__for_each_entry(evlist, evsel) { +- struct evsel_trace *et = evsel->priv; +- +- if (!et || !evsel->tp_format || strcmp(evsel->tp_format->system, "syscalls")) +- continue; +- +- zfree(&et->fmt); +- free(et); ++ evsel_trace__delete(evsel->priv); ++ evsel->priv = NULL; + } + } + +-- +2.40.1 + diff --git a/queue-5.15/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch b/queue-5.15/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch new file mode 100644 index 00000000000..f620296857b --- /dev/null +++ b/queue-5.15/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch 
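Review bot: with the `!et` test removed, evlist__free_syscall_tp_fields now calls `evsel_trace__delete(evsel->priv)` for every evsel, including those whose priv was never set, so the change depends on evsel_trace__delete() accepting NULL. The hunk does not show that, and the commit message says to free it "if evsel->priv was set", so either keep an `if (evsel->priv)` guard or state the NULL-safety in the message. The function name no longer fits either, since it now releases the whole priv area rather than only the syscall tp fields.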
@@ -0,0 +1,59 @@ +From 9e81db32ca8c7424b3867cac878913a09f5541b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 09:50:08 -0300 +Subject: perf trace: Use zfree() to reduce chances of use after free + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 9997d5dd177c52017fa0541bf236a4232c8148e6 ] + +Do defensive programming by using zfree() to initialize freed pointers +to NULL, so that eventual use after free result in a NULL pointer deref +instead of more subtle behaviour. + +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 7962ef13651a ("perf trace: Really free the evsel->priv area") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index d9ea546850cd6..d912dc878a6e9 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -2287,7 +2287,7 @@ static void syscall__exit(struct syscall *sc) + if (!sc) + return; + +- free(sc->arg_fmt); ++ zfree(&sc->arg_fmt); + } + + static int trace__sys_enter(struct trace *trace, struct evsel *evsel, +@@ -3129,7 +3129,7 @@ static void evlist__free_syscall_tp_fields(struct evlist *evlist) + if (!et || !evsel->tp_format || strcmp(evsel->tp_format->system, "syscalls")) + continue; + +- free(et->fmt); ++ zfree(&et->fmt); + free(et); + } + } +@@ -4748,11 +4748,11 @@ static void trace__exit(struct trace *trace) + int i; + + strlist__delete(trace->ev_qualifier); +- free(trace->ev_qualifier_ids.entries); ++ zfree(&trace->ev_qualifier_ids.entries); + if (trace->syscalls.table) { + for (i = 0; i <= trace->sctbl->syscalls.max_id; i++) + syscall__exit(&trace->syscalls.table[i]); +- free(trace->syscalls.table); ++ zfree(&trace->syscalls.table); + } + syscalltbl__delete(trace->sctbl); + zfree(&trace->perfconfig_events); +-- +2.40.1 + 
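Review bot: in evlist__free_syscall_tp_fields, `zfree(&et->fmt);` is followed immediately by `free(et);`, so the NULL written into et->fmt lives in memory that is released on the next line and gives none of the use-after-free protection the commit message describes. The conversion does help in trace__exit, where the trace object outlives the call; at this site either leave the plain free() or also clear the pointer that et was loaded from, which is what would actually turn a later stale access into a NULL dereference.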
diff --git a/queue-5.15/perf-vendor-events-drop-some-of-the-json-events-for-.patch b/queue-5.15/perf-vendor-events-drop-some-of-the-json-events-for-.patch new file mode 100644 index 00000000000..dc9c827da8e --- /dev/null +++ b/queue-5.15/perf-vendor-events-drop-some-of-the-json-events-for-.patch 
@@ -0,0 +1,137 @@ +From fe0da3476d7cf5b6349182748ae6d765c65025a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 16:57:58 +0530 +Subject: perf vendor events: Drop some of the JSON/events for power10 platform + +From: Kajol Jain + +[ Upstream commit e104df97b8dcfbab2e42de634b99bf03f0805d85 ] + +Drop some of the JSON/events for power10 platform due to counter +data mismatch. + +Fixes: 32daa5d7899e0343 ("perf vendor events: Initial JSON/events list for power10 platform") +Signed-off-by: Kajol Jain +Cc: Athira Rajeev +Cc: Disha Goel +Cc: Ian Rogers +Cc: Kajol Jain +Cc: Madhavan Srinivasan +Cc: Namhyung Kim +Cc: linuxppc-dev@lists.ozlabs.org +Link: https://lore.kernel.org/r/20230814112803.1508296-2-kjain@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + .../arch/powerpc/power10/floating_point.json | 7 ------- + tools/perf/pmu-events/arch/powerpc/power10/marked.json | 10 ---------- + tools/perf/pmu-events/arch/powerpc/power10/others.json | 5 ----- + .../perf/pmu-events/arch/powerpc/power10/pipeline.json | 10 ---------- + .../pmu-events/arch/powerpc/power10/translation.json | 5 ----- + 5 files changed, 37 deletions(-) + delete mode 100644 tools/perf/pmu-events/arch/powerpc/power10/floating_point.json + +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json b/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json +deleted file mode 100644 +index 54acb55e2c8c6..0000000000000 +--- a/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json ++++ /dev/null +@@ -1,7 +0,0 @@ +-[ +- { +- "EventCode": "0x4016E", +- "EventName": "PM_THRESH_NOT_MET", +- "BriefDescription": "Threshold counter did not meet threshold." 
+- } +-] +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/marked.json b/tools/perf/pmu-events/arch/powerpc/power10/marked.json +index 131f8d0e88317..f2436fc5537ce 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/marked.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/marked.json +@@ -19,11 +19,6 @@ + "EventName": "PM_MRK_BR_TAKEN_CMPL", + "BriefDescription": "Marked Branch Taken instruction completed." + }, +- { +- "EventCode": "0x20112", +- "EventName": "PM_MRK_NTF_FIN", +- "BriefDescription": "The marked instruction became the oldest in the pipeline before it finished. It excludes instructions that finish at dispatch." +- }, + { + "EventCode": "0x2C01C", + "EventName": "PM_EXEC_STALL_DMISS_OFF_CHIP", +@@ -64,11 +59,6 @@ + "EventName": "PM_L1_ICACHE_MISS", + "BriefDescription": "Demand instruction cache miss." + }, +- { +- "EventCode": "0x30130", +- "EventName": "PM_MRK_INST_FIN", +- "BriefDescription": "marked instruction finished. Excludes instructions that finish at dispatch. Note that stores always finish twice since the address gets issued to the LSU and the data gets issued to the VSU." +- }, + { + "EventCode": "0x34146", + "EventName": "PM_MRK_LD_CMPL", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/others.json b/tools/perf/pmu-events/arch/powerpc/power10/others.json +index e691041ee8678..36c5bbc64c3be 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/others.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/others.json +@@ -29,11 +29,6 @@ + "EventName": "PM_DISP_SS0_2_INSTR_CYC", + "BriefDescription": "Cycles in which Superslice 0 dispatches either 1 or 2 instructions." + }, +- { +- "EventCode": "0x1F15C", +- "EventName": "PM_MRK_STCX_L2_CYC", +- "BriefDescription": "Cycles spent in the nest portion of a marked Stcx instruction. 
It starts counting when the operation starts to drain to the L2 and it stops counting when the instruction retires from the Instruction Completion Table (ICT) in the Instruction Sequencing Unit (ISU)." +- }, + { + "EventCode": "0x10066", + "EventName": "PM_ADJUNCT_CYC", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json +index 449f57e8ba6af..799893c56f32b 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json +@@ -194,11 +194,6 @@ + "EventName": "PM_TLBIE_FIN", + "BriefDescription": "TLBIE instruction finished in the LSU. Two TLBIEs can finish each cycle. All will be counted." + }, +- { +- "EventCode": "0x3D058", +- "EventName": "PM_SCALAR_FSQRT_FDIV_ISSUE", +- "BriefDescription": "Scalar versions of four floating point operations: fdiv,fsqrt (xvdivdp, xvdivsp, xvsqrtdp, xvsqrtsp)." +- }, + { + "EventCode": "0x30066", + "EventName": "PM_LSU_FIN", +@@ -269,11 +264,6 @@ + "EventName": "PM_IC_MISS_CMPL", + "BriefDescription": "Non-speculative instruction cache miss, counted at completion." + }, +- { +- "EventCode": "0x4D050", +- "EventName": "PM_VSU_NON_FLOP_CMPL", +- "BriefDescription": "Non-floating point VSU instructions completed." +- }, + { + "EventCode": "0x4D052", + "EventName": "PM_2FLOP_CMPL", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/translation.json b/tools/perf/pmu-events/arch/powerpc/power10/translation.json +index 3e47b804a0a8f..961e2491e73f6 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/translation.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/translation.json +@@ -4,11 +4,6 @@ + "EventName": "PM_MRK_START_PROBE_NOP_CMPL", + "BriefDescription": "Marked Start probe nop (AND R0,R0,R0) completed." + }, +- { +- "EventCode": "0x20016", +- "EventName": "PM_ST_FIN", +- "BriefDescription": "Store finish count. Includes speculative activity." 
+- }, + { + "EventCode": "0x20018", + "EventName": "PM_ST_FWD", +-- +2.40.1 + diff --git a/queue-5.15/perf-vendor-events-update-the-json-events-descriptio.patch b/queue-5.15/perf-vendor-events-update-the-json-events-descriptio.patch new file mode 100644 index 00000000000..f9d737cc5ce --- /dev/null +++ b/queue-5.15/perf-vendor-events-update-the-json-events-descriptio.patch 
@@ -0,0 +1,618 @@ +From 2514035533b713dff7b41b30bddbb6ceca4ae8ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 16:57:57 +0530 +Subject: perf vendor events: Update the JSON/events descriptions for power10 + platform + +From: Kajol Jain + +[ Upstream commit 3286f88f31da060ac2789cee247153961ba57e49 ] + +Update the description for some of the JSON/events for power10 platform. + +Fixes: 32daa5d7899e0343 ("perf vendor events: Initial JSON/events list for power10 platform") +Signed-off-by: Kajol Jain +Cc: Athira Rajeev +Cc: Disha Goel +Cc: Ian Rogers +Cc: Kajol Jain +Cc: Madhavan Srinivasan +Cc: Namhyung Kim +Cc: linuxppc-dev@lists.ozlabs.org +Link: https://lore.kernel.org/r/20230814112803.1508296-1-kjain@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + .../arch/powerpc/power10/cache.json | 4 +- + .../arch/powerpc/power10/frontend.json | 30 ++++++------ + .../arch/powerpc/power10/marked.json | 20 ++++---- + .../arch/powerpc/power10/memory.json | 6 +-- + .../arch/powerpc/power10/others.json | 48 +++++++++---------- + .../arch/powerpc/power10/pipeline.json | 20 ++++---- + .../pmu-events/arch/powerpc/power10/pmc.json | 4 +- + .../arch/powerpc/power10/translation.json | 6 +-- + 8 files changed, 69 insertions(+), 69 deletions(-) + +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/cache.json b/tools/perf/pmu-events/arch/powerpc/power10/cache.json +index 605be14f441c8..9cb929bb64afd 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/cache.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/cache.json +@@ -17,7 +17,7 @@ + { + "EventCode": "0x34056", + "EventName": "PM_EXEC_STALL_LOAD_FINISH", +- "BriefDescription": "Cycles in which the oldest instruction in the pipeline was finishing a load after its data was reloaded from a data source beyond the local L1; cycles in which the LSU was processing an L1-hit; cycles in which the NTF instruction merged with another load in the LMQ; cycles in which the NTF 
instruction is waiting for a data reload for a load miss, but the data comes back with a non-NTF instruction." ++ "BriefDescription": "Cycles in which the oldest instruction in the pipeline was finishing a load after its data was reloaded from a data source beyond the local L1; cycles in which the LSU was processing an L1-hit; cycles in which the next-to-finish (NTF) instruction merged with another load in the LMQ; cycles in which the NTF instruction is waiting for a data reload for a load miss, but the data comes back with a non-NTF instruction." + }, + { + "EventCode": "0x3006C", +@@ -27,7 +27,7 @@ + { + "EventCode": "0x300F4", + "EventName": "PM_RUN_INST_CMPL_CONC", +- "BriefDescription": "PowerPC instructions completed by this thread when all threads in the core had the run-latch set." ++ "BriefDescription": "PowerPC instruction completed by this thread when all threads in the core had the run-latch set." + }, + { + "EventCode": "0x4C016", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/frontend.json b/tools/perf/pmu-events/arch/powerpc/power10/frontend.json +index 558f9530f54ec..61e9e0222c873 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/frontend.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/frontend.json +@@ -7,7 +7,7 @@ + { + "EventCode": "0x10006", + "EventName": "PM_DISP_STALL_HELD_OTHER_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch for any other reason." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch for any other reason." + }, + { + "EventCode": "0x10010", +@@ -32,12 +32,12 @@ + { + "EventCode": "0x1D05E", + "EventName": "PM_DISP_STALL_HELD_HALT_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because of power management." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because of power management." 
+ }, + { + "EventCode": "0x1E050", + "EventName": "PM_DISP_STALL_HELD_STF_MAPPER_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the STF mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the STF mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR." + }, + { + "EventCode": "0x1F054", +@@ -67,7 +67,7 @@ + { + "EventCode": "0x100F6", + "EventName": "PM_IERAT_MISS", +- "BriefDescription": "IERAT Reloaded to satisfy an IERAT miss. All page sizes are counted by this event." ++ "BriefDescription": "IERAT Reloaded to satisfy an IERAT miss. All page sizes are counted by this event. This event only counts instruction demand access." + }, + { + "EventCode": "0x100F8", +@@ -77,7 +77,7 @@ + { + "EventCode": "0x20006", + "EventName": "PM_DISP_STALL_HELD_ISSQ_FULL_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch due to Issue queue full. Includes issue queue and branch queue." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch due to Issue queue full. Includes issue queue and branch queue." + }, + { + "EventCode": "0x20114", +@@ -102,7 +102,7 @@ + { + "EventCode": "0x2D01A", + "EventName": "PM_DISP_STALL_IC_MISS", +- "BriefDescription": "Cycles when dispatch was stalled for this thread due to an Icache Miss." ++ "BriefDescription": "Cycles when dispatch was stalled for this thread due to an instruction cache miss." + }, + { + "EventCode": "0x2E018", +@@ -112,7 +112,7 @@ + { + "EventCode": "0x2E01A", + "EventName": "PM_DISP_STALL_HELD_XVFC_MAPPER_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the XVFC mapper/SRB was full." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the XVFC mapper/SRB was full." 
+ }, + { + "EventCode": "0x2C142", +@@ -137,7 +137,7 @@ + { + "EventCode": "0x30004", + "EventName": "PM_DISP_STALL_FLUSH", +- "BriefDescription": "Cycles when dispatch was stalled because of a flush that happened to an instruction(s) that was not yet NTC. PM_EXEC_STALL_NTC_FLUSH only includes instructions that were flushed after becoming NTC." ++ "BriefDescription": "Cycles when dispatch was stalled because of a flush that happened to an instruction(s) that was not yet next-to-complete (NTC). PM_EXEC_STALL_NTC_FLUSH only includes instructions that were flushed after becoming NTC." + }, + { + "EventCode": "0x3000A", +@@ -157,7 +157,7 @@ + { + "EventCode": "0x30018", + "EventName": "PM_DISP_STALL_HELD_SCOREBOARD_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch while waiting on the Scoreboard. This event combines VSCR and FPSCR together." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch while waiting on the Scoreboard. This event combines VSCR and FPSCR together." + }, + { + "EventCode": "0x30026", +@@ -182,7 +182,7 @@ + { + "EventCode": "0x3D05C", + "EventName": "PM_DISP_STALL_HELD_RENAME_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR and XVFC." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR and XVFC." + }, + { + "EventCode": "0x3E052", +@@ -192,7 +192,7 @@ + { + "EventCode": "0x3E054", + "EventName": "PM_LD_MISS_L1", +- "BriefDescription": "Load Missed L1, counted at execution time (can be greater than loads finished). LMQ merges are not included in this count. i.e. if a load instruction misses on an address that is already allocated on the LMQ, this event will not increment for that load). 
Note that this count is per slice, so if a load spans multiple slices this event will increment multiple times for a single load." ++ "BriefDescription": "Load missed L1, counted at finish time. LMQ merges are not included in this count. i.e. if a load instruction misses on an address that is already allocated on the LMQ, this event will not increment for that load). Note that this count is per slice, so if a load spans multiple slices this event will increment multiple times for a single load." + }, + { + "EventCode": "0x301EA", +@@ -202,7 +202,7 @@ + { + "EventCode": "0x300FA", + "EventName": "PM_INST_FROM_L3MISS", +- "BriefDescription": "The processor's instruction cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss." ++ "BriefDescription": "The processor's instruction cache was reloaded from beyond the local core's L3 due to a demand miss." + }, + { + "EventCode": "0x40006", +@@ -232,16 +232,16 @@ + { + "EventCode": "0x4E01A", + "EventName": "PM_DISP_STALL_HELD_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch for any reason." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch for any reason." + }, + { + "EventCode": "0x4003C", + "EventName": "PM_DISP_STALL_HELD_SYNC_CYC", +- "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because of a synchronizing instruction that requires the ICT to be empty before dispatch." ++ "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because of a synchronizing instruction that requires the ICT to be empty before dispatch." + }, + { + "EventCode": "0x44056", + "EventName": "PM_VECTOR_ST_CMPL", +- "BriefDescription": "Vector store instructions completed." ++ "BriefDescription": "Vector store instruction completed." 
+ } + ] +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/marked.json b/tools/perf/pmu-events/arch/powerpc/power10/marked.json +index 58b5dfe3a2731..131f8d0e88317 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/marked.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/marked.json +@@ -62,7 +62,7 @@ + { + "EventCode": "0x200FD", + "EventName": "PM_L1_ICACHE_MISS", +- "BriefDescription": "Demand iCache Miss." ++ "BriefDescription": "Demand instruction cache miss." + }, + { + "EventCode": "0x30130", +@@ -72,7 +72,7 @@ + { + "EventCode": "0x34146", + "EventName": "PM_MRK_LD_CMPL", +- "BriefDescription": "Marked loads completed." ++ "BriefDescription": "Marked load instruction completed." + }, + { + "EventCode": "0x3E158", +@@ -82,12 +82,12 @@ + { + "EventCode": "0x3E15A", + "EventName": "PM_MRK_ST_FIN", +- "BriefDescription": "The marked instruction was a store of any kind." ++ "BriefDescription": "Marked store instruction finished." + }, + { + "EventCode": "0x30068", + "EventName": "PM_L1_ICACHE_RELOADED_PREF", +- "BriefDescription": "Counts all Icache prefetch reloads ( includes demand turned into prefetch)." ++ "BriefDescription": "Counts all instruction cache prefetch reloads (includes demand turned into prefetch)." + }, + { + "EventCode": "0x301E4", +@@ -102,12 +102,12 @@ + { + "EventCode": "0x300FE", + "EventName": "PM_DATA_FROM_L3MISS", +- "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss." ++ "BriefDescription": "The processor's L1 data cache was reloaded from beyond the local core's L3 due to a demand miss." + }, + { + "EventCode": "0x40012", + "EventName": "PM_L1_ICACHE_RELOADED_ALL", +- "BriefDescription": "Counts all Icache reloads includes demand, prefetch, prefetch turned into demand and demand turned into prefetch." 
++ "BriefDescription": "Counts all instruction cache reloads includes demand, prefetch, prefetch turned into demand and demand turned into prefetch." + }, + { + "EventCode": "0x40134", +@@ -117,22 +117,22 @@ + { + "EventCode": "0x4505A", + "EventName": "PM_SP_FLOP_CMPL", +- "BriefDescription": "Single Precision floating point instructions completed." ++ "BriefDescription": "Single Precision floating point instruction completed." + }, + { + "EventCode": "0x4D058", + "EventName": "PM_VECTOR_FLOP_CMPL", +- "BriefDescription": "Vector floating point instructions completed." ++ "BriefDescription": "Vector floating point instruction completed." + }, + { + "EventCode": "0x4D05A", + "EventName": "PM_NON_MATH_FLOP_CMPL", +- "BriefDescription": "Non Math instructions completed." ++ "BriefDescription": "Non Math instruction completed." + }, + { + "EventCode": "0x401E0", + "EventName": "PM_MRK_INST_CMPL", +- "BriefDescription": "marked instruction completed." ++ "BriefDescription": "Marked instruction completed." + }, + { + "EventCode": "0x400FE", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/memory.json b/tools/perf/pmu-events/arch/powerpc/power10/memory.json +index 843b51f531e95..c4c10ca98cad7 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/memory.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/memory.json +@@ -47,7 +47,7 @@ + { + "EventCode": "0x10062", + "EventName": "PM_LD_L3MISS_PEND_CYC", +- "BriefDescription": "Cycles L3 miss was pending for this thread." ++ "BriefDescription": "Cycles in which an L3 miss was pending for this thread." + }, + { + "EventCode": "0x20010", +@@ -132,7 +132,7 @@ + { + "EventCode": "0x300FC", + "EventName": "PM_DTLB_MISS", +- "BriefDescription": "The DPTEG required for the load/store instruction in execution was missing from the TLB. It includes pages of all sizes for demand and prefetch activity." ++ "BriefDescription": "The DPTEG required for the load/store instruction in execution was missing from the TLB. 
This event only counts for demand misses." + }, + { + "EventCode": "0x4D02C", +@@ -142,7 +142,7 @@ + { + "EventCode": "0x4003E", + "EventName": "PM_LD_CMPL", +- "BriefDescription": "Loads completed." ++ "BriefDescription": "Load instruction completed." + }, + { + "EventCode": "0x4C040", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/others.json b/tools/perf/pmu-events/arch/powerpc/power10/others.json +index 7d0de1a2860b4..e691041ee8678 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/others.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/others.json +@@ -2,12 +2,12 @@ + { + "EventCode": "0x10016", + "EventName": "PM_VSU0_ISSUE", +- "BriefDescription": "VSU instructions issued to VSU pipe 0." ++ "BriefDescription": "VSU instruction issued to VSU pipe 0." + }, + { + "EventCode": "0x1001C", + "EventName": "PM_ULTRAVISOR_INST_CMPL", +- "BriefDescription": "PowerPC instructions that completed while the thread was in ultravisor state." ++ "BriefDescription": "PowerPC instruction completed while the thread was in ultravisor state." + }, + { + "EventCode": "0x100F0", +@@ -17,12 +17,12 @@ + { + "EventCode": "0x10134", + "EventName": "PM_MRK_ST_DONE_L2", +- "BriefDescription": "Marked stores completed in L2 (RC machine done)." ++ "BriefDescription": "Marked store completed in L2." + }, + { + "EventCode": "0x1505E", + "EventName": "PM_LD_HIT_L1", +- "BriefDescription": "Loads that finished without experiencing an L1 miss." ++ "BriefDescription": "Load finished without experiencing an L1 miss." + }, + { + "EventCode": "0x1F056", +@@ -42,7 +42,7 @@ + { + "EventCode": "0x101E4", + "EventName": "PM_MRK_L1_ICACHE_MISS", +- "BriefDescription": "Marked Instruction suffered an icache Miss." ++ "BriefDescription": "Marked instruction suffered an instruction cache miss." 
+ }, + { + "EventCode": "0x101EA", +@@ -72,7 +72,7 @@ + { + "EventCode": "0x2E010", + "EventName": "PM_ADJUNCT_INST_CMPL", +- "BriefDescription": "PowerPC instructions that completed while the thread is in Adjunct state." ++ "BriefDescription": "PowerPC instruction completed while the thread was in Adjunct state." + }, + { + "EventCode": "0x2E014", +@@ -122,7 +122,7 @@ + { + "EventCode": "0x201E4", + "EventName": "PM_MRK_DATA_FROM_L3MISS", +- "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss for a marked load." ++ "BriefDescription": "The processor's L1 data cache was reloaded from beyond the local core's L3 due to a demand miss for a marked instruction." + }, + { + "EventCode": "0x201E8", +@@ -132,17 +132,17 @@ + { + "EventCode": "0x200F2", + "EventName": "PM_INST_DISP", +- "BriefDescription": "PowerPC instructions dispatched." ++ "BriefDescription": "PowerPC instruction dispatched." + }, + { + "EventCode": "0x30132", + "EventName": "PM_MRK_VSU_FIN", +- "BriefDescription": "VSU marked instructions finished. Excludes simple FX instructions issued to the Store Unit." ++ "BriefDescription": "VSU marked instruction finished. Excludes simple FX instructions issued to the Store Unit." + }, + { + "EventCode": "0x30038", + "EventName": "PM_EXEC_STALL_DMISS_LMEM", +- "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for a load miss to resolve from the local memory, local OpenCapp cache, or local OpenCapp memory." ++ "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for a load miss to resolve from the local memory, local OpenCAPI cache, or local OpenCAPI memory." + }, + { + "EventCode": "0x3F04A", +@@ -152,12 +152,12 @@ + { + "EventCode": "0x3405A", + "EventName": "PM_PRIVILEGED_INST_CMPL", +- "BriefDescription": "PowerPC Instructions that completed while the thread is in Privileged state." 
++ "BriefDescription": "PowerPC instruction completed while the thread was in Privileged state." + }, + { + "EventCode": "0x3F150", + "EventName": "PM_MRK_ST_DRAIN_CYC", +- "BriefDescription": "cycles to drain st from core to L2." ++ "BriefDescription": "Cycles in which the marked store drained from the core to the L2." + }, + { + "EventCode": "0x3F054", +@@ -182,7 +182,7 @@ + { + "EventCode": "0x4001C", + "EventName": "PM_VSU_FIN", +- "BriefDescription": "VSU instructions finished." ++ "BriefDescription": "VSU instruction finished." + }, + { + "EventCode": "0x4C01A", +@@ -197,7 +197,7 @@ + { + "EventCode": "0x4D022", + "EventName": "PM_HYPERVISOR_INST_CMPL", +- "BriefDescription": "PowerPC instructions that completed while the thread is in hypervisor state." ++ "BriefDescription": "PowerPC instruction completed while the thread was in hypervisor state." + }, + { + "EventCode": "0x4D026", +@@ -212,32 +212,32 @@ + { + "EventCode": "0x40030", + "EventName": "PM_INST_FIN", +- "BriefDescription": "Instructions finished." ++ "BriefDescription": "Instruction finished." + }, + { + "EventCode": "0x44146", + "EventName": "PM_MRK_STCX_CORE_CYC", +- "BriefDescription": "Cycles spent in the core portion of a marked Stcx instruction. It starts counting when the instruction is decoded and stops counting when it drains into the L2." ++ "BriefDescription": "Cycles spent in the core portion of a marked STCX instruction. It starts counting when the instruction is decoded and stops counting when it drains into the L2." + }, + { + "EventCode": "0x44054", + "EventName": "PM_VECTOR_LD_CMPL", +- "BriefDescription": "Vector load instructions completed." ++ "BriefDescription": "Vector load instruction completed." + }, + { + "EventCode": "0x45054", + "EventName": "PM_FMA_CMPL", +- "BriefDescription": "Two floating point instructions completed (FMA class of instructions: fmadd, fnmadd, fmsub, fnmsub). Scalar instructions only." 
++ "BriefDescription": "Two floating point instruction completed (FMA class of instructions: fmadd, fnmadd, fmsub, fnmsub). Scalar instructions only." + }, + { + "EventCode": "0x45056", + "EventName": "PM_SCALAR_FLOP_CMPL", +- "BriefDescription": "Scalar floating point instructions completed." ++ "BriefDescription": "Scalar floating point instruction completed." + }, + { + "EventCode": "0x4505C", + "EventName": "PM_MATH_FLOP_CMPL", +- "BriefDescription": "Math floating point instructions completed." ++ "BriefDescription": "Math floating point instruction completed." + }, + { + "EventCode": "0x4D05E", +@@ -252,21 +252,21 @@ + { + "EventCode": "0x401E6", + "EventName": "PM_MRK_INST_FROM_L3MISS", +- "BriefDescription": "The processor's instruction cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss for a marked instruction." ++ "BriefDescription": "The processor's instruction cache was reloaded from beyond the local core's L3 due to a demand miss for a marked instruction." + }, + { + "EventCode": "0x401E8", + "EventName": "PM_MRK_DATA_FROM_L2MISS", +- "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1 or L2 due to a demand miss for a marked load." ++ "BriefDescription": "The processor's L1 data cache was reloaded from a source beyond the local core's L2 due to a demand miss for a marked instruction." + }, + { + "EventCode": "0x400F0", + "EventName": "PM_LD_DEMAND_MISS_L1_FIN", +- "BriefDescription": "Load Missed L1, counted at finish time." ++ "BriefDescription": "Load missed L1, counted at finish time." + }, + { + "EventCode": "0x400FA", + "EventName": "PM_RUN_INST_CMPL", +- "BriefDescription": "Completed PowerPC instructions gated by the run latch." ++ "BriefDescription": "PowerPC instruction completed while the run latch is set." 
+ } + ] +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json +index b8aded6045faa..449f57e8ba6af 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json +@@ -2,7 +2,7 @@ + { + "EventCode": "0x100FE", + "EventName": "PM_INST_CMPL", +- "BriefDescription": "PowerPC instructions completed." ++ "BriefDescription": "PowerPC instruction completed." + }, + { + "EventCode": "0x1000C", +@@ -12,7 +12,7 @@ + { + "EventCode": "0x1000E", + "EventName": "PM_MMA_ISSUED", +- "BriefDescription": "MMA instructions issued." ++ "BriefDescription": "MMA instruction issued." + }, + { + "EventCode": "0x10012", +@@ -107,7 +107,7 @@ + { + "EventCode": "0x2D012", + "EventName": "PM_VSU1_ISSUE", +- "BriefDescription": "VSU instructions issued to VSU pipe 1." ++ "BriefDescription": "VSU instruction issued to VSU pipe 1." + }, + { + "EventCode": "0x2D018", +@@ -122,7 +122,7 @@ + { + "EventCode": "0x2E01E", + "EventName": "PM_EXEC_STALL_NTC_FLUSH", +- "BriefDescription": "Cycles in which the oldest instruction in the pipeline was executing in any unit before it was flushed. Note that if the flush of the oldest instruction happens after finish, the cycles from dispatch to issue will be included in PM_DISP_STALL and the cycles from issue to finish will be included in PM_EXEC_STALL and its corresponding children. This event will also count cycles when the previous NTF instruction is still completing and the new NTF instruction is stalled at dispatch." ++ "BriefDescription": "Cycles in which the oldest instruction in the pipeline was executing in any unit before it was flushed. Note that if the flush of the oldest instruction happens after finish, the cycles from dispatch to issue will be included in PM_DISP_STALL and the cycles from issue to finish will be included in PM_EXEC_STALL and its corresponding children. 
This event will also count cycles when the previous next-to-finish (NTF) instruction is still completing and the new NTF instruction is stalled at dispatch." + }, + { + "EventCode": "0x2013C", +@@ -137,7 +137,7 @@ + { + "EventCode": "0x201E2", + "EventName": "PM_MRK_LD_MISS_L1", +- "BriefDescription": "Marked DL1 Demand Miss counted at finish time." ++ "BriefDescription": "Marked demand data load miss counted at finish time." + }, + { + "EventCode": "0x200F4", +@@ -172,7 +172,7 @@ + { + "EventCode": "0x30028", + "EventName": "PM_CMPL_STALL_MEM_ECC", +- "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for the non-speculative finish of either a stcx waiting for its result or a load waiting for non-critical sectors of data and ECC." ++ "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for the non-speculative finish of either a STCX waiting for its result or a load waiting for non-critical sectors of data and ECC." + }, + { + "EventCode": "0x30036", +@@ -187,12 +187,12 @@ + { + "EventCode": "0x3F044", + "EventName": "PM_VSU2_ISSUE", +- "BriefDescription": "VSU instructions issued to VSU pipe 2." ++ "BriefDescription": "VSU instruction issued to VSU pipe 2." + }, + { + "EventCode": "0x30058", + "EventName": "PM_TLBIE_FIN", +- "BriefDescription": "TLBIE instructions finished in the LSU. Two TLBIEs can finish each cycle. All will be counted." ++ "BriefDescription": "TLBIE instruction finished in the LSU. Two TLBIEs can finish each cycle. All will be counted." + }, + { + "EventCode": "0x3D058", +@@ -252,7 +252,7 @@ + { + "EventCode": "0x4E012", + "EventName": "PM_EXEC_STALL_UNKNOWN", +- "BriefDescription": "Cycles in which the oldest instruction in the pipeline completed without an ntf_type pulse. The ntf_pulse was missed by the ISU because the NTF finishes and completions came too close together." 
++ "BriefDescription": "Cycles in which the oldest instruction in the pipeline completed without an ntf_type pulse. The ntf_pulse was missed by the ISU because the next-to-finish (NTF) instruction finishes and completions came too close together." + }, + { + "EventCode": "0x4D020", +@@ -267,7 +267,7 @@ + { + "EventCode": "0x45058", + "EventName": "PM_IC_MISS_CMPL", +- "BriefDescription": "Non-speculative icache miss, counted at completion." ++ "BriefDescription": "Non-speculative instruction cache miss, counted at completion." + }, + { + "EventCode": "0x4D050", +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pmc.json b/tools/perf/pmu-events/arch/powerpc/power10/pmc.json +index b5d1bd39cfb22..364fedbfb490b 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/pmc.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/pmc.json +@@ -12,11 +12,11 @@ + { + "EventCode": "0x45052", + "EventName": "PM_4FLOP_CMPL", +- "BriefDescription": "Four floating point instructions completed (fadd, fmul, fsub, fcmp, fsel, fabs, fnabs, fres, fsqrte, fneg)." ++ "BriefDescription": "Four floating point instruction completed (fadd, fmul, fsub, fcmp, fsel, fabs, fnabs, fres, fsqrte, fneg)." + }, + { + "EventCode": "0x4D054", + "EventName": "PM_8FLOP_CMPL", +- "BriefDescription": "Four Double Precision vector instructions completed." ++ "BriefDescription": "Four Double Precision vector instruction completed." + } + ] +diff --git a/tools/perf/pmu-events/arch/powerpc/power10/translation.json b/tools/perf/pmu-events/arch/powerpc/power10/translation.json +index db3766dca07c5..3e47b804a0a8f 100644 +--- a/tools/perf/pmu-events/arch/powerpc/power10/translation.json ++++ b/tools/perf/pmu-events/arch/powerpc/power10/translation.json +@@ -17,7 +17,7 @@ + { + "EventCode": "0x2011C", + "EventName": "PM_MRK_NTF_CYC", +- "BriefDescription": "Cycles during which the marked instruction is the oldest in the pipeline (NTF or NTC)." 
++ "BriefDescription": "Cycles in which the marked instruction is the oldest in the pipeline (next-to-finish or next-to-complete)." + }, + { + "EventCode": "0x2E01C", +@@ -37,7 +37,7 @@ + { + "EventCode": "0x200FE", + "EventName": "PM_DATA_FROM_L2MISS", +- "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1 or L2 due to a demand miss." ++ "BriefDescription": "The processor's L1 data cache was reloaded from a source beyond the local core's L2 due to a demand miss." + }, + { + "EventCode": "0x30010", +@@ -52,6 +52,6 @@ + { + "EventCode": "0x4D05C", + "EventName": "PM_DPP_FLOP_CMPL", +- "BriefDescription": "Double-Precision or Quad-Precision instructions completed." ++ "BriefDescription": "Double-Precision or Quad-Precision instruction completed." + } + ] +-- +2.40.1 + diff --git a/queue-5.15/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch b/queue-5.15/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch new file mode 100644 index 00000000000..da2d0209104 --- /dev/null +++ b/queue-5.15/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch 
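Review bot: In others.json (PM_FMA_CMPL) and pmc.json (PM_4FLOP_CMPL, PM_8FLOP_CMPL) the plural-to-singular rewrite leaves a numeral in front of a singular noun: "Two floating point instruction completed", "Four floating point instruction completed", "Four Double Precision vector instruction completed". Keep the plural where the description states a count, or reword so the numeral clearly refers to the operations counted per completed instruction.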
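Review bot: The new PM_LD_MISS_L1 description (EventCode 0x3E054) keeps the unbalanced ")" after "for that load" and moves the counting point from execution time to finish time, so its first sentence is now identical to PM_LD_DEMAND_MISS_L1_FIN (0x400F0) in others.json: "Load missed L1, counted at finish time." Drop the stray parenthesis and state in the text how the two events differ. A change in what a counter is documented to measure should also be called out in the commit message, and the same applies to PM_DTLB_MISS in memory.json, which goes from "demand and prefetch activity" to demand misses only.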
@@ -0,0 +1,66 @@ +From b4b3527bcf0eb73a8eb3e79de6afeb7b552d650d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 19:54:17 +0100 +Subject: pwm: atmel-tcb: Convert to platform remove callback returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 9609284a76978daf53a54e05cff36873a75e4d13 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Claudiu Beznea +Signed-off-by: Thierry Reding +Stable-dep-of: c11622324c02 ("pwm: atmel-tcb: Fix resource freeing in error path and remove") +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-atmel-tcb.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c +index 36f7ea381838d..2a06b7dd224c9 100644 +--- a/drivers/pwm/pwm-atmel-tcb.c ++++ b/drivers/pwm/pwm-atmel-tcb.c +@@ -500,7 +500,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + return err; + } + +-static int atmel_tcb_pwm_remove(struct platform_device *pdev) ++static void atmel_tcb_pwm_remove(struct platform_device *pdev) + { + struct atmel_tcb_pwm_chip *tcbpwm = platform_get_drvdata(pdev); + +@@ -509,8 +509,6 @@ static int atmel_tcb_pwm_remove(struct platform_device *pdev) + clk_disable_unprepare(tcbpwm->slow_clk); + clk_put(tcbpwm->slow_clk); + clk_put(tcbpwm->clk); +- +- return 0; + } + + static const struct 
of_device_id atmel_tcb_pwm_dt_ids[] = { +@@ -564,7 +562,7 @@ static struct platform_driver atmel_tcb_pwm_driver = { + .pm = &atmel_tcb_pwm_pm_ops, + }, + .probe = atmel_tcb_pwm_probe, +- .remove = atmel_tcb_pwm_remove, ++ .remove_new = atmel_tcb_pwm_remove, + }; + module_platform_driver(atmel_tcb_pwm_driver); + +-- +2.40.1 + diff --git a/queue-5.15/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch b/queue-5.15/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch new file mode 100644 index 00000000000..7cfd6d8e505 --- /dev/null +++ b/queue-5.15/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch 
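Review bot: The last hunk of the "Convert to platform remove callback returning void" patch assigns .remove_new in atmel_tcb_pwm_driver, so this backport only builds on a tree whose struct platform_driver already has that member. Since the patch is queued for 5.15 purely as a Stable-dep-of for c11622324c02, confirm that the platform core change providing .remove_new is in 5.15.y or queued ahead of it; otherwise keep the int-returning .remove here and adapt the follow-up fix instead.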
@@ -0,0 +1,90 @@ +From 9ec3743398f3d9dab88aaae4431f028cd425146f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:20:10 +0200 +Subject: pwm: atmel-tcb: Fix resource freeing in error path and remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit c11622324c023415fb69196c5fc3782d2b8cced0 ] + +Several resources were not freed in the error path and the remove +function. Add the forgotten items. + +Fixes: 34cbcd72588f ("pwm: atmel-tcb: Add sama5d2 support") +Fixes: 061f8572a31c ("pwm: atmel-tcb: Switch to new binding") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Claudiu Beznea +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-atmel-tcb.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c +index 4e07d4694bb60..bb415be73bbe4 100644 +--- a/drivers/pwm/pwm-atmel-tcb.c ++++ b/drivers/pwm/pwm-atmel-tcb.c +@@ -450,16 +450,20 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + tcbpwm->clk = of_clk_get_by_name(np->parent, clk_name); + if (IS_ERR(tcbpwm->clk)) + tcbpwm->clk = of_clk_get_by_name(np->parent, "t0_clk"); +- if (IS_ERR(tcbpwm->clk)) +- return PTR_ERR(tcbpwm->clk); ++ if (IS_ERR(tcbpwm->clk)) { ++ err = PTR_ERR(tcbpwm->clk); ++ goto err_slow_clk; ++ } + + match = of_match_node(atmel_tcb_of_match, np->parent); + config = match->data; + + if (config->has_gclk) { + tcbpwm->gclk = of_clk_get_by_name(np->parent, "gclk"); +- if (IS_ERR(tcbpwm->gclk)) +- return PTR_ERR(tcbpwm->gclk); ++ if (IS_ERR(tcbpwm->gclk)) { ++ err = PTR_ERR(tcbpwm->gclk); ++ goto err_clk; ++ } + } + + tcbpwm->chip.dev = &pdev->dev; +@@ -470,7 +474,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + + err = clk_prepare_enable(tcbpwm->slow_clk); + if (err) +- goto err_slow_clk; ++ goto err_gclk; + + 
spin_lock_init(&tcbpwm->lock); + +@@ -485,6 +489,12 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + err_disable_clk: + clk_disable_unprepare(tcbpwm->slow_clk); + ++err_gclk: ++ clk_put(tcbpwm->gclk); ++ ++err_clk: ++ clk_put(tcbpwm->clk); ++ + err_slow_clk: + clk_put(tcbpwm->slow_clk); + +@@ -498,8 +508,9 @@ static void atmel_tcb_pwm_remove(struct platform_device *pdev) + pwmchip_remove(&tcbpwm->chip); + + clk_disable_unprepare(tcbpwm->slow_clk); +- clk_put(tcbpwm->slow_clk); ++ clk_put(tcbpwm->gclk); + clk_put(tcbpwm->clk); ++ clk_put(tcbpwm->slow_clk); + } + + static const struct of_device_id atmel_tcb_pwm_dt_ids[] = { +-- +2.40.1 + diff --git a/queue-5.15/pwm-atmel-tcb-harmonize-resource-allocation-order.patch b/queue-5.15/pwm-atmel-tcb-harmonize-resource-allocation-order.patch new file mode 100644 index 00000000000..0f61e3164d6 --- /dev/null +++ b/queue-5.15/pwm-atmel-tcb-harmonize-resource-allocation-order.patch 
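Review bot: In the "Fix resource freeing in error path and remove" patch, the err_gclk label in atmel_tcb_pwm_probe() and the new clk_put(tcbpwm->gclk) in atmel_tcb_pwm_remove() run even when config->has_gclk is false and gclk was never looked up. That is safe only because tcbpwm is zeroed by the devm_kzalloc() that the "Harmonize resource allocation order" patch moves to the top of probe (this diff is based on its result, index 4e07d4694bb60) and because clk_put() ignores a NULL clock, so the two patches must stay together in the queue; a one-line comment at err_gclk saying gclk may be NULL would make the dependency visible. Separately, the context line config = match->data dereferences the of_match_node() result with no NULL check.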
@@ -0,0 +1,124 @@ +From e50415b70fa109744547090d47d8c8898bea3801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:20:09 +0200 +Subject: pwm: atmel-tcb: Harmonize resource allocation order +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 0323e8fedd1ef25342cf7abf3a2024f5670362b8 ] + +Allocate driver data as first resource in the probe function. This way it +can be used during allocation of the other resources (instead of assigning +these to local variables first and update driver data only when it's +allocated). Also as driver data is allocated using a devm function this +should happen first to have the order of freeing resources in the error +path and the remove function in reverse. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Stable-dep-of: c11622324c02 ("pwm: atmel-tcb: Fix resource freeing in error path and remove") +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-atmel-tcb.c | 49 +++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 29 deletions(-) + +diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c +index 2a06b7dd224c9..4e07d4694bb60 100644 +--- a/drivers/pwm/pwm-atmel-tcb.c ++++ b/drivers/pwm/pwm-atmel-tcb.c +@@ -422,13 +422,14 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + struct atmel_tcb_pwm_chip *tcbpwm; + const struct atmel_tcb_config *config; + struct device_node *np = pdev->dev.of_node; +- struct regmap *regmap; +- struct clk *clk, *gclk = NULL; +- struct clk *slow_clk; + char clk_name[] = "t0_clk"; + int err; + int channel; + ++ tcbpwm = devm_kzalloc(&pdev->dev, sizeof(*tcbpwm), GFP_KERNEL); ++ if (tcbpwm == NULL) ++ return -ENOMEM; ++ + err = of_property_read_u32(np, "reg", &channel); + if (err < 0) { + dev_err(&pdev->dev, +@@ -437,47 +438,37 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + return err; + } + +- regmap = 
syscon_node_to_regmap(np->parent); +- if (IS_ERR(regmap)) +- return PTR_ERR(regmap); ++ tcbpwm->regmap = syscon_node_to_regmap(np->parent); ++ if (IS_ERR(tcbpwm->regmap)) ++ return PTR_ERR(tcbpwm->regmap); + +- slow_clk = of_clk_get_by_name(np->parent, "slow_clk"); +- if (IS_ERR(slow_clk)) +- return PTR_ERR(slow_clk); ++ tcbpwm->slow_clk = of_clk_get_by_name(np->parent, "slow_clk"); ++ if (IS_ERR(tcbpwm->slow_clk)) ++ return PTR_ERR(tcbpwm->slow_clk); + + clk_name[1] += channel; +- clk = of_clk_get_by_name(np->parent, clk_name); +- if (IS_ERR(clk)) +- clk = of_clk_get_by_name(np->parent, "t0_clk"); +- if (IS_ERR(clk)) +- return PTR_ERR(clk); ++ tcbpwm->clk = of_clk_get_by_name(np->parent, clk_name); ++ if (IS_ERR(tcbpwm->clk)) ++ tcbpwm->clk = of_clk_get_by_name(np->parent, "t0_clk"); ++ if (IS_ERR(tcbpwm->clk)) ++ return PTR_ERR(tcbpwm->clk); + + match = of_match_node(atmel_tcb_of_match, np->parent); + config = match->data; + + if (config->has_gclk) { +- gclk = of_clk_get_by_name(np->parent, "gclk"); +- if (IS_ERR(gclk)) +- return PTR_ERR(gclk); +- } +- +- tcbpwm = devm_kzalloc(&pdev->dev, sizeof(*tcbpwm), GFP_KERNEL); +- if (tcbpwm == NULL) { +- err = -ENOMEM; +- goto err_slow_clk; ++ tcbpwm->gclk = of_clk_get_by_name(np->parent, "gclk"); ++ if (IS_ERR(tcbpwm->gclk)) ++ return PTR_ERR(tcbpwm->gclk); + } + + tcbpwm->chip.dev = &pdev->dev; + tcbpwm->chip.ops = &atmel_tcb_pwm_ops; + tcbpwm->chip.npwm = NPWM; + tcbpwm->channel = channel; +- tcbpwm->regmap = regmap; +- tcbpwm->clk = clk; +- tcbpwm->gclk = gclk; +- tcbpwm->slow_clk = slow_clk; + tcbpwm->width = config->counter_width; + +- err = clk_prepare_enable(slow_clk); ++ err = clk_prepare_enable(tcbpwm->slow_clk); + if (err) + goto err_slow_clk; + +@@ -495,7 +486,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev) + clk_disable_unprepare(tcbpwm->slow_clk); + + err_slow_clk: +- clk_put(slow_clk); ++ clk_put(tcbpwm->slow_clk); + + return err; + } +-- +2.40.1 + 
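Review bot: In the "Harmonize resource allocation order" patch, after tcbpwm->slow_clk is obtained the rewritten lookups still bail out with return PTR_ERR(tcbpwm->clk) and return PTR_ERR(tcbpwm->gclk), so slow_clk (and clk, on the gclk failure) is never released on those paths; only the clk_prepare_enable() failure reaches err_slow_clk. The removed code had the same early returns, so this is not a regression, but the patch should not be applied without c11622324c02 from its Stable-dep-of tag, which turns these returns into gotos. The context line clk_name[1] += channel also uses the "reg" value read from the device tree with no range check visible in the hunk; bounding channel before building the clock name would keep the lookup string well-formed.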
diff --git a/queue-5.15/pwm-lpc32xx-remove-handling-of-pwm-channels.patch b/queue-5.15/pwm-lpc32xx-remove-handling-of-pwm-channels.patch new file mode 100644 index 00000000000..c31bc7f9103 --- /dev/null +++ b/queue-5.15/pwm-lpc32xx-remove-handling-of-pwm-channels.patch 
@@ -0,0 +1,88 @@ +From 5daef882710980a74006e1adfb35b574d5c8a625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:52:57 +0200 +Subject: pwm: lpc32xx: Remove handling of PWM channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Zapolskiy + +[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ] + +Because LPC32xx PWM controllers have only a single output which is +registered as the only PWM device/channel per controller, it is known in +advance that pwm->hwpwm value is always 0. On basis of this fact +simplify the code by removing operations with pwm->hwpwm, there is no +controls which require channel number as input. + +Even though I wasn't aware at the time when I forward ported that patch, +this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL +before devm_pwmchip_add() is called. + +Reported-by: Dan Carpenter +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Uwe Kleine-König +Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered") +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpc32xx.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c +index ddeab5687cb81..45b613dbc1c7b 100644 +--- a/drivers/pwm/pwm-lpc32xx.c ++++ b/drivers/pwm/pwm-lpc32xx.c +@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + if (duty_cycles > 255) + duty_cycles = 255; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~0xFFFF; + val |= (period_cycles << 8) | duty_cycles; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm) + if (ret) + return ret; + +- val = readl(lpc32xx->base + 
(pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val |= PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + return 0; + } +@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) + struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip); + u32 val; + +- val = readl(lpc32xx->base + (pwm->hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_ENABLE; +- writel(val, lpc32xx->base + (pwm->hwpwm << 2)); ++ writel(val, lpc32xx->base); + + clk_disable_unprepare(lpc32xx->clk); + } +@@ -118,9 +118,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev) + lpc32xx->chip.npwm = 1; + + /* If PWM is disabled, configure the output to the default value */ +- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ val = readl(lpc32xx->base); + val &= ~PWM_PIN_LEVEL; +- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ writel(val, lpc32xx->base); + + ret = devm_pwmchip_add(&pdev->dev, &lpc32xx->chip); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-5.15/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch b/queue-5.15/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch new file mode 100644 index 00000000000..305c1a3a1c3 --- /dev/null +++ b/queue-5.15/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch 
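Review bot: In the lpc32xx_pwm_probe() hunk, the comment kept above the change, "If PWM is disabled, configure the output to the default value", reads like a condition, while the readl()/writel() pair that clears PWM_PIN_LEVEL runs unconditionally; reword it to say it sets the level driven while the PWM is disabled. The commit message should also state that only this probe hunk removes the lpc32xx->chip.pwms[0].hwpwm read that dereferences NULL before devm_pwmchip_add(), and that the config, enable and disable hunks are cleanup relying on hwpwm always being 0, so backporters can tell the fix from the simplification.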
@@ -0,0 +1,37 @@ +From 7a5bfec4213203571d8d18c36ee8c9eb474a89c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 13:59:59 +0300 +Subject: s390/zcrypt: don't leak memory if dev_set_name() fails + +From: Andy Shevchenko + +[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ] + +When dev_set_name() fails, zcdn_create() doesn't free the newly +allocated resources. Do it. + +Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Harald Freudenberger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c +index 356318746dd16..17b3f1ea3a5c2 100644 +--- a/drivers/s390/crypto/zcrypt_api.c ++++ b/drivers/s390/crypto/zcrypt_api.c +@@ -398,6 +398,7 @@ static int zcdn_create(const char *name) + ZCRYPT_NAME "_%d", (int) MINOR(devt)); + nodename[sizeof(nodename)-1] = '\0'; + if (dev_set_name(&zcdndev->device, nodename)) { ++ kfree(zcdndev); + rc = -EINVAL; + goto unlockout; + } +-- +2.40.1 + diff --git a/queue-5.15/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch b/queue-5.15/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch new file mode 100644 index 00000000000..e4dbfb29389 --- /dev/null +++ b/queue-5.15/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch 
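Review bot: In the dev_set_name() failure branch of zcdn_create(), the added kfree(zcdndev) sits next to rc = -EINVAL, which discards dev_set_name()'s own return value; capture it in rc and test that, so callers see the real error instead of a fixed -EINVAL. Plain kfree() is also correct only while the embedded struct device has not yet been initialized or registered at this point, which the hunk's context does not show; if it has, put_device() must be used so the release callback frees the structure.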
@@ -0,0 +1,152 @@ +From cebbc0ad227148ef8003de539c3890f705e8f4d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 09:45:19 +0000 +Subject: sctp: annotate data-races around sk->sk_wmem_queued + +From: Eric Dumazet + +[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ] + +sk->sk_wmem_queued can be read locklessly from sctp_poll() + +Use sk_wmem_queued_add() when the field is changed, +and add READ_ONCE() annotations in sctp_writeable() +and sctp_assocs_seq_show() + +syzbot reported: + +BUG: KCSAN: data-race in sctp_poll / sctp_wfree + +read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0: +sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147 +skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988 +skb_release_all net/core/skbuff.c:1000 [inline] +__kfree_skb+0x16/0x140 net/core/skbuff.c:1016 +consume_skb+0x57/0x180 net/core/skbuff.c:1232 +sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline] +sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530 +sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128 +sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515 +sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381 +sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline] +sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline] +sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] +sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169 +sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051 +sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80 +sctp_rcv+0x116e/0x1340 net/sctp/input.c:243 +sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +process_backlog+0x21f/0x380 net/core/dev.c:5894 +__napi_poll+0x60/0x3b0 net/core/dev.c:6460 +napi_poll net/core/dev.c:6527 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6660 +__do_softirq+0xc1/0x265 kernel/softirq.c:553 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:389 +ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145 +ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1: +sctp_writeable net/sctp/socket.c:9304 [inline] +sctp_poll+0x265/0x410 net/sctp/socket.c:8671 +sock_poll+0x253/0x270 net/socket.c:1374 +vfs_poll include/linux/poll.h:88 [inline] +do_pollfd fs/select.c:873 [inline] +do_poll fs/select.c:921 [inline] +do_sys_poll+0x636/0xc00 fs/select.c:1015 +__do_sys_ppoll fs/select.c:1121 [inline] +__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101 +__x64_sys_ppoll+0x67/0x80 fs/select.c:1101 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00019e80 -> 0x0000cc80 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/proc.c | 2 +- + net/sctp/socket.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/proc.c b/net/sctp/proc.c +index 982a87b3e11f8..963b94517ec20 100644 +--- 
a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -284,7 +284,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v) + assoc->init_retries, assoc->shutdown_retries, + assoc->rtx_data_chunks, + refcount_read(&sk->sk_wmem_alloc), +- sk->sk_wmem_queued, ++ READ_ONCE(sk->sk_wmem_queued), + sk->sk_sndbuf, + sk->sk_rcvbuf); + seq_printf(seq, "\n"); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 717e2f60370b3..36a37fef27719 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -68,7 +68,7 @@ + #include + + /* Forward declarations for internal helper functions. */ +-static bool sctp_writeable(struct sock *sk); ++static bool sctp_writeable(const struct sock *sk); + static void sctp_wfree(struct sk_buff *skb); + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + size_t msg_len); +@@ -138,7 +138,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk) + + refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc); + asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk); +- sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk)); + sk_mem_charge(sk, chunk->skb->truesize); + } + +@@ -9148,7 +9148,7 @@ static void sctp_wfree(struct sk_buff *skb) + struct sock *sk = asoc->base.sk; + + sk_mem_uncharge(sk, skb->truesize); +- sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk); ++ sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk))); + asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk); + WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk), + &sk->sk_wmem_alloc)); +@@ -9303,9 +9303,9 @@ void sctp_write_space(struct sock *sk) + * UDP-style sockets or TCP-style sockets, this code should work. 
+ * - Daisy + */ +-static bool sctp_writeable(struct sock *sk) ++static bool sctp_writeable(const struct sock *sk) + { +- return sk->sk_sndbuf > sk->sk_wmem_queued; ++ return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued); + } + + /* Wait for an association to go into ESTABLISHED state. If timeout is 0, +-- +2.40.1 + diff --git a/queue-5.15/series b/queue-5.15/series index c6a458e26d1..daf2515015a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -404,3 +404,60 @@ clk-qcom-mss-sc7180-fix-missing-resume-during-probe.patch nfs-fix-a-potential-data-corruption.patch nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch bus-mhi-host-skip-mhi-reset-if-device-is-in-rddm.patch +kbuild-do-not-run-depmod-for-make-modules_sign.patch +gfs2-switch-to-wait_event-in-gfs2_logd.patch +gfs2-low-memory-forced-flush-fixes.patch +kconfig-fix-possible-buffer-overflow.patch +perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch +perf-trace-really-free-the-evsel-priv-area.patch +pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch +pwm-atmel-tcb-harmonize-resource-allocation-order.patch +pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch +backlight-gpio_backlight-drop-output-gpio-direction-.patch +input-tca6416-keypad-always-expect-proper-irq-number.patch +input-tca6416-keypad-fix-interrupt-enable-disbalance.patch +perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch +x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch +perf-vendor-events-update-the-json-events-descriptio.patch +perf-vendor-events-drop-some-of-the-json-events-for-.patch +perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch +watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch +pwm-lpc32xx-remove-handling-of-pwm-channels.patch +net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch +sctp-annotate-data-races-around-sk-sk_wmem_queued.patch +ipv4-annotate-data-races-around-fi-fib_dead.patch +net-read-sk-sk_family-once-in-sk_mc_loop.patch +net-fib-avoid-warn-splat-in-flow-dissector.patch +xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch +ceph-make-members-in-struct-ceph_mds_request_args_ex.patch +drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch +ipv4-ignore-dst-hint-for-multipath-routes.patch +igb-disable-virtualization-features-on-82580.patch +gve-fix-frag_list-chaining.patch +veth-fixing-transmit-return-status-for-dropped-packe.patch 
+net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch +net-phy-micrel-correct-bit-assignments-for-phy_devic.patch +af_unix-fix-data-races-around-user-unix_inflight.patch +af_unix-fix-data-race-around-unix_tot_inflight.patch +af_unix-fix-data-races-around-sk-sk_shutdown.patch +af_unix-fix-data-race-around-sk-sk_err.patch +net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch +kcm-destroy-mutex-in-kcm_exit_net.patch +octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch +igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch +igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch +igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch +s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch +idr-fix-param-name-in-idr_alloc_cyclic-doc.patch +ip_tunnels-use-dev_stats_inc.patch +net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch +net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch +net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch +netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch +netfilter-nfnetlink_osf-avoid-oob-read.patch +net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch +net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch +net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch +net-hns3-fix-the-port-information-display-when-sfp-i.patch +net-hns3-remove-gso-partial-feature-bit.patch +sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch diff --git a/queue-5.15/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch b/queue-5.15/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch new file mode 100644 index 00000000000..9abc1c1cbb3 --- /dev/null +++ b/queue-5.15/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch 
@@ -0,0 +1,121 @@ +From fb9b620cd8d946c1fe2713d2103bb17711dd77d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:07:42 +0200 +Subject: sh: boards: Fix CEU buffer size passed to + dma_declare_coherent_memory() + +From: Petr Tesarik + +[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ] + +In all these cases, the last argument to dma_declare_coherent_memory() is +the buffer end address, but the expected value should be the size of the +reserved region. + +Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver") +Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver") +Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver") +Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver") +Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver") +Signed-off-by: Petr Tesarik +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Jacopo Mondi +Reviewed-by: John Paul Adrian Glaubitz +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/boards/mach-ap325rxa/setup.c | 2 +- + arch/sh/boards/mach-ecovec24/setup.c | 6 ++---- + arch/sh/boards/mach-kfr2r09/setup.c | 2 +- + arch/sh/boards/mach-migor/setup.c | 2 +- + arch/sh/boards/mach-se/7724/setup.c | 6 ++---- + 5 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c +index bac8a058ebd7c..05bd42dde107b 100644 +--- a/arch/sh/boards/mach-ap325rxa/setup.c ++++ b/arch/sh/boards/mach-ap325rxa/setup.c +@@ -530,7 +530,7 @@ static int __init ap325rxa_devices_setup(void) + device_initialize(&ap325rxa_ceu_device.dev); + dma_declare_coherent_memory(&ap325rxa_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ 
CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&ap325rxa_ceu_device); + +diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c +index bab91a99124e1..9730a992dab33 100644 +--- a/arch/sh/boards/mach-ecovec24/setup.c ++++ b/arch/sh/boards/mach-ecovec24/setup.c +@@ -1454,15 +1454,13 @@ static int __init arch_setup(void) + device_initialize(&ecovec_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[0]); + + device_initialize(&ecovec_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ecovec_ceu_devices[1]); + + gpiod_add_lookup_table(&cn12_power_gpiod_table); +diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c +index eeb5ce341efdd..4a1caa3e7cf5a 100644 +--- a/arch/sh/boards/mach-kfr2r09/setup.c ++++ b/arch/sh/boards/mach-kfr2r09/setup.c +@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void) + device_initialize(&kfr2r09_ceu_device.dev); + dma_declare_coherent_memory(&kfr2r09_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + platform_device_add(&kfr2r09_ceu_device); + +diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c +index 6703a2122c0d6..bd4ccd9f8dd06 100644 +--- a/arch/sh/boards/mach-migor/setup.c ++++ b/arch/sh/boards/mach-migor/setup.c +@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void) + device_initialize(&migor_ceu_device.dev); + dma_declare_coherent_memory(&migor_ceu_device.dev, + ceu_dma_membase, ceu_dma_membase, +- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + + 
platform_device_add(&migor_ceu_device); + +diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c +index 8d6541ba01865..edc7712e4a804 100644 +--- a/arch/sh/boards/mach-se/7724/setup.c ++++ b/arch/sh/boards/mach-se/7724/setup.c +@@ -940,15 +940,13 @@ static int __init devices_setup(void) + device_initialize(&ms7724se_ceu_devices[0]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev, + ceu0_dma_membase, ceu0_dma_membase, +- ceu0_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[0]); + + device_initialize(&ms7724se_ceu_devices[1]->dev); + dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev, + ceu1_dma_membase, ceu1_dma_membase, +- ceu1_dma_membase + +- CEU_BUFFER_MEMORY_SIZE - 1); ++ CEU_BUFFER_MEMORY_SIZE); + platform_device_add(ms7724se_ceu_devices[1]); + + return platform_add_devices(ms7724se_devices, +-- +2.40.1 + diff --git a/queue-5.15/veth-fixing-transmit-return-status-for-dropped-packe.patch b/queue-5.15/veth-fixing-transmit-return-status-for-dropped-packe.patch new file mode 100644 index 00000000000..56729096ff3 --- /dev/null +++ b/queue-5.15/veth-fixing-transmit-return-status-for-dropped-packe.patch 
@@ -0,0 +1,54 @@ +From e4f6d3896da94d4f9d21fbe11780a7cb58ce9547 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 12:09:21 +0800 +Subject: veth: Fixing transmit return status for dropped packets + +From: Liang Chen + +[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ] + +The veth_xmit function returns NETDEV_TX_OK even when packets are dropped. +This behavior leads to incorrect calculations of statistics counts, as +well as things like txq->trans_start updates. + +Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.") +Signed-off-by: Liang Chen +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 45ee44f66e77d..984a153804096 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -320,6 +320,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct veth_priv *rcv_priv, *priv = netdev_priv(dev); + struct veth_rq *rq = NULL; ++ int ret = NETDEV_TX_OK; + struct net_device *rcv; + int length = skb->len; + bool use_napi = false; +@@ -352,6 +353,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + } else { + drop: + atomic64_inc(&priv->dropped); ++ ret = NET_XMIT_DROP; + } + + if (use_napi) +@@ -359,7 +361,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + + rcu_read_unlock(); + +- return NETDEV_TX_OK; ++ return ret; + } + + static u64 veth_stats_tx(struct net_device *dev, u64 *packets, u64 *bytes) +-- +2.40.1 + diff --git a/queue-5.15/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch b/queue-5.15/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch new file mode 100644 index 00000000000..e8c5a3f0f69 --- /dev/null +++ b/queue-5.15/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch 
@@ -0,0 +1,40 @@ +From 883814e14e3e35046c77337f26c578cf2c07eb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 17:32:20 +0530 +Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load + +From: Raag Jadav + +[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ] + +When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver +needs to be loaded manually, for the lack of module alias. +This causes unintended resets in cases where watchdog timer is +set-up by bootloader and the driver is not explicitly loaded. +Add MODULE_ALIAS() to load the driver automatically at boot and +avoid this issue. + +Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support") +Signed-off-by: Raag Jadav +Reviewed-by: Andy Shevchenko +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/intel-mid_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c +index 9b2173f765c8c..fb7fae750181b 100644 +--- a/drivers/watchdog/intel-mid_wdt.c ++++ b/drivers/watchdog/intel-mid_wdt.c +@@ -203,3 +203,4 @@ module_platform_driver(mid_wdt_driver); + MODULE_AUTHOR("David Cohen "); + MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform"); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:intel_mid_wdt"); +-- +2.40.1 + diff --git a/queue-5.15/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch b/queue-5.15/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch new file mode 100644 index 00000000000..de5456b42bd --- /dev/null +++ b/queue-5.15/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch 
@@ -0,0 +1,45 @@ +From f35268533a214a3e158edf7aa497c57a8c2c6b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 13:18:52 -0700 +Subject: x86/virt: Drop unnecessary check on extended CPUID level in + cpu_has_svm() + +From: Sean Christopherson + +[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ] + +Drop the explicit check on the extended CPUID level in cpu_has_svm(), the +kernel's cached CPUID info will leave the entire SVM leaf unset if said +leaf is not supported by hardware. Prior to using cached information, +the check was needed to avoid false positives due to Intel's rather crazy +CPUID behavior of returning the values of the maximum supported leaf if +the specified leaf is unsupported. + +Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()") +Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/virtext.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h +index 3b12e6b994123..6c2e3ff3cb28f 100644 +--- a/arch/x86/include/asm/virtext.h ++++ b/arch/x86/include/asm/virtext.h +@@ -101,12 +101,6 @@ static inline int cpu_has_svm(const char **msg) + return 0; + } + +- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) { +- if (msg) +- *msg = "can't execute cpuid_8000000a"; +- return 0; +- } +- + if (!boot_cpu_has(X86_FEATURE_SVM)) { + if (msg) + *msg = "svm not available"; +-- +2.40.1 + diff --git a/queue-5.15/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch b/queue-5.15/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch new file mode 100644 index 00000000000..bde733c7b87 --- /dev/null +++ b/queue-5.15/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch 
@@ -0,0 +1,58 @@ +From c848be58f3d687cb13a749fa08a308d565c0c8ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 12:01:17 +0200 +Subject: xsk: Fix xsk_diag use-after-free error during socket cleanup + +From: Magnus Karlsson + +[ Upstream commit 3e019d8a05a38abb5c85d4f1e85fda964610aa14 ] + +Fix a use-after-free error that is possible if the xsk_diag interface +is used after the socket has been unbound from the device. This can +happen either due to the socket being closed or the device +disappearing. In the early days of AF_XDP, the way we tested that a +socket was not bound to a device was to simply check if the netdevice +pointer in the xsk socket structure was NULL. Later, a better system +was introduced by having an explicit state variable in the xsk socket +struct. For example, the state of a socket that is on the way to being +closed and has been unbound from the device is XSK_UNBOUND. + +The commit in the Fixes tag below deleted the old way of signalling +that a socket is unbound, setting dev to NULL. This in the belief that +all code using the old way had been exterminated. That was +unfortunately not true as the xsk diagnostics code was still using the +old way and thus does not work as intended when a socket is going +down. Fix this by introducing a test against the state variable. If +the socket is in the state XSK_UNBOUND, simply abort the diagnostic's +netlink operation. 
+ +Fixes: 18b1ab7aa76b ("xsk: Fix race at socket teardown") +Reported-by: syzbot+822d1359297e2694f873@syzkaller.appspotmail.com +Signed-off-by: Magnus Karlsson +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+822d1359297e2694f873@syzkaller.appspotmail.com +Tested-by: Maciej Fijalkowski +Reviewed-by: Maciej Fijalkowski +Link: https://lore.kernel.org/bpf/20230831100119.17408-1-magnus.karlsson@gmail.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c +index c014217f5fa7d..22b36c8143cfd 100644 +--- a/net/xdp/xsk_diag.c ++++ b/net/xdp/xsk_diag.c +@@ -111,6 +111,9 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb, + sock_diag_save_cookie(sk, msg->xdiag_cookie); + + mutex_lock(&xs->mutex); ++ if (READ_ONCE(xs->state) == XSK_UNBOUND) ++ goto out_nlmsg_trim; ++ + if ((req->xdiag_show & XDP_SHOW_INFO) && xsk_diag_put_info(xs, nlskb)) + goto out_nlmsg_trim; + +-- +2.40.1 + -- 2.47.3
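Review bot: In the lpc32xx_pwm_probe() hunk of pwm-lpc32xx-remove-handling-of-pwm-channels.patch, the retained comment reads "If PWM is disabled, configure the output to the default value", but the code below it clears PWM_PIN_LEVEL unconditionally and never tests PWM_ENABLE. If the intent is that the bit only takes effect while the PWM is disabled, the comment should say so. Otherwise guard the read-modify-write with a check of PWM_ENABLE in val.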
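Review bot: In the zcdn_create() hunk of s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch, the error branch still hardcodes rc = -EINVAL and discards whatever dev_set_name() returned, so a caller cannot tell an allocation failure from a bad argument. Suggest capturing the return value, for example rc = dev_set_name(&zcdndev->device, nodename); if (rc) { kfree(zcdndev); goto unlockout; }. The commit message speaks of "resources" in the plural while the hunk adds a single kfree(), so it is worth confirming nothing else tied to zcdndev is live at this point.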
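Review bot: In the sctp_assocs_seq_show() hunk (net/sctp/proc.c) of the sctp sk_wmem_queued patch, only sk->sk_wmem_queued gains READ_ONCE(), while sk->sk_sndbuf and sk->sk_rcvbuf on the following two lines remain plain reads. The sctp_writeable() hunk in the same patch wraps sk->sk_sndbuf in READ_ONCE(), and the commit message names only sk_wmem_queued. Either annotate the neighbouring fields here as well or say in the commit message why sk_sndbuf is treated as racy in one reader and not the other.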
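Review bot: In the sctp_wfree() hunk, the argument -(skb->truesize + sizeof(struct sctp_chunk)) negates an unsigned expression, because sizeof yields size_t. The result is a very large unsigned value that becomes the intended negative only when it is converted to the int parameter of sk_wmem_queued_add(). It works, but an explicit cast such as -(int)(skb->truesize + sizeof(struct sctp_chunk)) would make the intent visible and keep sign-conversion warnings quiet.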
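Review bot: In every hunk of sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch (ap325rxa, ecovec24, kfr2r09, migor, se/7724), the return value of dma_declare_coherent_memory() is still ignored and platform_device_add() runs regardless. Since the commit message establishes that the last argument was wrong in all five boards without anyone noticing, checking the result and at least logging a failure before adding the device would make a future mistake of this kind visible at boot. The size fix itself matches the description: the argument changes from an end address to CEU_BUFFER_MEMORY_SIZE.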
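Review bot: In the veth_xmit() hunks of veth-fixing-transmit-return-status-for-dropped-packe.patch, the new local is declared as int ret although the function returns netdev_tx_t, and the drop path assigns NET_XMIT_DROP, which belongs to the NET_XMIT_* family of queueing return codes rather than to the NETDEV_TX_* values the return type enumerates. Declaring the variable as netdev_tx_t and adding a short comment at the ret = NET_XMIT_DROP; line on why a NET_XMIT_* code is returned from an ndo_start_xmit handler would keep this from looking like a type mix-up to the next reader.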
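Review bot: In the intel-mid_wdt.c hunk, MODULE_ALIAS("platform:intel_mid_wdt") repeats the platform driver name as a second string literal, and the hunk does not show the .name the driver registers with, so the match cannot be confirmed from the patch alone. Auto-loading silently fails if the two strings ever diverge. Suggest a single name macro used for both the driver name and the alias.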
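Review bot: In the cpu_has_svm() hunk of the x86/virt patch, the justification for dropping the extended_cpuid_level test exists only in the commit message. After this change nothing in the function says that boot_cpu_has(X86_FEATURE_SVM) is sufficient because the cached CPUID data leaves the SVM leaf unset on hardware without it. A one-line comment above the remaining check would record that. Also check whether SVM_CPUID_FUNC still has a user in this header once the removed block is gone.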
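Review bot: In the xsk_diag_fill() hunk, the new test reads xs->state with READ_ONCE() while xs->mutex is already held, which implies that some writer updates the state without taking that mutex. The hunk does not say which one. A short comment naming the unlocked writer would help; if every writer does hold xs->mutex, a plain read is enough. The early exit also shares out_nlmsg_trim with the genuine fill failures below it, so it is worth stating in a comment what the caller sees for a socket in XSK_UNBOUND.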