From 534ba455d71ef5018be45e69c0398760faf04a44 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 27 Oct 2023 22:53:48 -0400
Subject: [PATCH] Fixes for 6.5

Signed-off-by: Sasha Levin
---
 ...timer32k-fix-all-kernel-doc-warnings.patch | 84 ++++
 ...a8775p-correct-pmic-gpio-label-in-gp.patch | 45 ++
 ...ip-add-i2s0-2ch-bus-bclk-off-pins-to.patch | 51 +++
 ...ten-extent-buffer-after-snapshotting.patch | 421 ++++++++++++++++++
 .../btrfs-remove-v0-extent-handling.patch | 312 +++++++++++++
 ...ng-omap4-mcbsp-functional-clock-and-.patch | 103 +++++
 ...ng-omap5-mcbsp-functional-clock-and-.patch | 97 ++++
 ...d-gt-forcewake-during-steering-opera.patch | 91 ++++
 ...etermine-context-valid-in-oa-reports.patch | 55 +++
 ...config-select-regmap-and-regmap_mmio.patch | 42 ++
 ...-fix-use_after_free-in-imx_dsp_setup.patch | 42 ++
 ...-fragmentation-needed-check-with-gso.patch | 38 ++
 queue-6.5/gtp-uapi-fix-gtpa_max.patch | 34 ++
 ...-fix-i40e_flag_vf_vlan_pruning-value.patch | 63 +++
 ...g-check-for-i40e_txr_flags_wb_on_itr.patch | 38 ++
 ...n-disable-queues-when-removing-the-d.patch | 49 ++
 ...waitqueues-before-starting-watchdog_.patch | 55 +++
 ...l-memory-leak-in-igb_add_ethtool_nfc.patch | 47 ++
 ...ambiguity-in-the-ethtool-advertising.patch | 86 ++++
 .../neighbour-fix-various-data-races.patch | 176 ++++++++
 ...ot-leave-an-empty-skb-in-write-queue.patch | 74 +++
 ...-adin1110-fix-uninitialized-variable.patch | 38 ++
 ...x-file-ref-count-in-handshake_nl_acc.patch | 93 ++++
 ...df7242-fix-some-potential-buffer-ove.patch | 47 ++
 ...-additional-checks-for-outdated-flow.patch | 52 +++
 ...-fix-uninit-value-access-in-smsc95xx.patch | 103 +++++
 ...ble-gc-pushes-back-packets-to-classi.patch | 103 +++++
 ...phy_work-if-we-have-an-error-in-prob.patch | 37 ++
 ...sb-control-msg-timeout-to-5000ms-as-.patch | 77 ++++
 ...irmware-if-we-have-an-error-in-probe.patch | 37 ++
 ...load-routine-if-we-have-errors-durin.patch | 38 ++
 ...san-reported-data-race-in-rtl_rx-whi.patch | 105 +++++
 ...san-reported-data-race-in-rtl_tx-whi.patch | 175 ++++++++
 ...ported-data-race-in-rtl_tx-whi.patch-11985 | 136 ++++++
 queue-6.5/series | 39 ++
 ...o-timeout-when-received-sack-renegin.patch | 96 ++++
 .../treewide-spelling-fix-in-comment.patch | 36 ++
 ...x-assoc-response-warning-on-failed-l.patch | 43 ++
 ...ss-correct-pointer-to-rdev_inform_bs.patch | 38 ++
 ...n-t-drop-all-unprotected-public-acti.patch | 81 ++++
 40 files changed, 3377 insertions(+)
 create mode 100644 queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
 create mode 100644 queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
 create mode 100644 queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
 create mode 100644 queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
 create mode 100644 queue-6.5/btrfs-remove-v0-extent-handling.patch
 create mode 100644 queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch
 create mode 100644 queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch
 create mode 100644 queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch
 create mode 100644 queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch
 create mode 100644 queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
 create mode 100644 queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
 create mode 100644 queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch
 create mode 100644 queue-6.5/gtp-uapi-fix-gtpa_max.patch
 create mode 100644 queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
 create mode 100644 queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
 create mode 100644 queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
 create mode 100644 queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch
 create mode 100644 queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
 create mode 100644 queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch
 create mode 100644 queue-6.5/neighbour-fix-various-data-races.patch
 create mode 100644 queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch
 create mode 100644 queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch
 create mode 100644 queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
 create mode 100644 queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
 create mode 100644 queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch
 create mode 100644 queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
 create mode 100644 queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch
 create mode 100644 queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
 create mode 100644 queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
 create mode 100644 queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch
 create mode 100644 queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch
 create mode 100644 queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
 create mode 100644 queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
 create mode 100644 queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985
 create mode 100644 queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
 create mode 100644 queue-6.5/treewide-spelling-fix-in-comment.patch
 create mode 100644 queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
 create mode 100644 queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
 create mode 100644 queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
diff --git a/queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch b/queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
new file mode 100644
index 00000000000..f95e910c2df
--- /dev/null
+++ b/queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
@@ -0,0 +1,84 @@
+From d93fb173e62ce53d624e5d54e29531dc05e26294 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Oct 2023 17:16:03 -0700
+Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings
+
+From: Randy Dunlap
+
+[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ]
+
+Fix kernel-doc warnings reported by the kernel test robot:
+
+timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; '
+timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64'
+timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k'
+
+Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement")
+Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/
+Cc: Arnd Bergmann
+Cc: Vaibhav Hiremath
+Cc: Felipe Balbi
+Cc: Tony Lindgren
+Cc: Xunlei Pang
+Cc: John Stultz
+Cc: Ingo Molnar
+Cc: Aaro Koskinen
+Cc: Janusz Krzysztofik
+Cc: linux-omap@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Message-ID: <20231007001603.24972-1-rdunlap@infradead.org>
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap1/timer32k.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c
+index 410d17d1d4431..f618a6df29382 100644
+--- a/arch/arm/mach-omap1/timer32k.c
++++ b/arch/arm/mach-omap1/timer32k.c
+@@ -176,17 +176,18 @@ static u64 notrace omap_32k_read_sched_clock(void)
+ return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+ }
+
++static struct timespec64 persistent_ts;
++static cycles_t cycles;
++static unsigned int persistent_mult, persistent_shift;
++
+ /**
+ * omap_read_persistent_clock64 - Return time from a persistent clock.
++ * @ts: &struct timespec64 for the returned time
+ *
+ * Reads the time from a source which isn't disabled during PM, the
+ * 32k sync timer. Convert the cycles elapsed since last read into
+ * nsecs and adds to a monotonically increasing timespec64.
+ */
+-static struct timespec64 persistent_ts;
+-static cycles_t cycles;
+-static unsigned int persistent_mult, persistent_shift;
+-
+ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ {
+ unsigned long long nsecs;
+@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ /**
+ * omap_init_clocksource_32k - setup and register counter 32k as a
+ * kernel clocksource
+- * @pbase: base addr of counter_32k module
+- * @size: size of counter_32k to map
++ * @vbase: base addr of counter_32k module
+ *
+- * Returns 0 upon success or negative error code upon failure.
++ * Returns: %0 upon success or negative error code upon failure.
+ *
+ */
+ static int __init omap_init_clocksource_32k(void __iomem *vbase)
+--
+2.42.0
+
diff --git a/queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch b/queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
new file mode 100644
index 00000000000..15692baa870
--- /dev/null
+++ b/queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
@@ -0,0 +1,45 @@
+From 6d99329d76811496ef44bbab9df5844612de49f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Aug 2023 15:55:38 +0200
+Subject: arm64: dts: qcom: sa8775p: correct PMIC GPIO label in gpio-ranges
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit f822899c28572a854f2c746da5ed707d752458ab ]
+
+There are several PMICs with GPIO nodes and one of the nodes referenced
+other's in gpio-ranges which could result in deferred-probes like:
+
+ qcom-spmi-gpio c440000.spmi:pmic@2:gpio@8800: can't add gpio chip
+
+Reported-by: Brian Masney
+Closes: https://lore.kernel.org/all/ZN5KIlI+RDu92jsi@brian-x1/
+Fixes: e5a893a7cec5 ("arm64: dts: qcom: sa8775p: add PMIC GPIO controller nodes")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Brian Masney
+Reviewed-by: Bartosz Golaszewski
+Tested-by: Bartosz Golaszewski
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20230818135538.47481-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi b/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
+index eaa43f022a654..e205ef42f8d43 100644
+--- a/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
++++ b/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
+@@ -197,7 +197,7 @@
+ compatible = "qcom,pmm8654au-gpio", "qcom,spmi-gpio";
+ reg = <0x8800>;
+ gpio-controller;
+- gpio-ranges = <&pmm8654au_2_gpios 0 0 12>;
++ gpio-ranges = <&pmm8654au_1_gpios 0 0 12>;
+ #gpio-cells = <2>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+--
+2.42.0
+
diff --git a/queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch b/queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
new file mode 100644
index 00000000000..5769065bc5d
--- /dev/null
+++ b/queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
@@ -0,0 +1,51 @@
+From 702e0678a86e7ebd312cfa19cdc84bf06a1941f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Oct 2023 12:47:26 +0100
+Subject: arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399
+
+From: Christopher Obbard
+
+[ Upstream commit 3975e72b164dc8347a28dd0d5f11b346af534635 ]
+
+Commit 0efaf8078393 ("arm64: dts: rockchip: add i2s0-2ch-bus pins on
+rk3399") introduced a pinctl for i2s0 in two-channel mode. Commit
+91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+modified i2s0 to switch the corresponding pins off when idle.
+
+Although an idle pinctrl node was added for i2s0 in 8-channel mode, a
+similar idle pinctrl node for i2s0 in 2-channel mode was not added. Add
+it.
+
+Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+Signed-off-by: Christopher Obbard
+Link: https://lore.kernel.org/r/20231013114737.494410-2-chris.obbard@collabora.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index bf1251cc71954..63f3d6e6a8631 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -2440,6 +2440,16 @@
+ <4 RK_PA0 1 &pcfg_pull_none>;
+ };
+
++ i2s0_2ch_bus_bclk_off: i2s0-2ch-bus-bclk-off {
++ rockchip,pins =
++ <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>,
++ <3 RK_PD1 1 &pcfg_pull_none>,
++ <3 RK_PD2 1 &pcfg_pull_none>,
++ <3 RK_PD3 1 &pcfg_pull_none>,
++ <3 RK_PD7 1 &pcfg_pull_none>,
++ <4 RK_PA0 1 &pcfg_pull_none>;
++ };
++
+ i2s0_8ch_bus: i2s0-8ch-bus {
+ rockchip,pins =
+ <3 RK_PD0 1 &pcfg_pull_none>,
+--
+2.42.0
+
diff --git a/queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch b/queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
new file mode 100644
index 00000000000..533e1238cf2
--- /dev/null
+++ b/queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
@@ -0,0 +1,421 @@
+From 7ba1c596a238879a5b66b5efd2b42c8d83f5a602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Oct 2023 13:19:28 +0100
+Subject: btrfs: fix unwritten extent buffer after snapshotting a new subvolume
+
+From: Filipe Manana
+
+[ Upstream commit eb96e221937af3c7bb8a63208dbab813ca5d3d7e ]
+
+When creating a snapshot of a subvolume that was created in the current
+transaction, we can end up not persisting a dirty extent buffer that is
+referenced by the snapshot, resulting in IO errors due to checksum failures
+when trying to read the extent buffer later from disk. A sequence of steps
+that leads to this is the following:
+
+1) At ioctl.c:create_subvol() we allocate an extent buffer, with logical
+ address 36007936, for the leaf/root of a new subvolume that has an ID
+ of 291. We mark the extent buffer as dirty, and at this point the
+ subvolume tree has a single node/leaf which is also its root (level 0);
+
+2) We no longer commit the transaction used to create the subvolume at
+ create_subvol(). We used to, but that was recently removed in
+ commit 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol
+ create");
+
+3) The transaction used to create the subvolume has an ID of 33, so the
+ extent buffer 36007936 has a generation of 33;
+
+4) Several updates happen to subvolume 291 during transaction 33, several
+ files created and its tree height changes from 0 to 1, so we end up with
+ a new root at level 1 and the extent buffer 36007936 is now a leaf of
+ that new root node, which is extent buffer 36048896.
+
+ The commit root remains as 36007936, since we are still at transaction
+ 33;
+
+5) Creation of a snapshot of subvolume 291, with an ID of 292, starts at
+ ioctl.c:create_snapshot(). This triggers a commit of transaction 33 and
+ we end up at transaction.c:create_pending_snapshot(), in the critical
+ section of a transaction commit.
+
+ There we COW the root of subvolume 291, which is extent buffer 36048896.
+ The COW operation returns extent buffer 36048896, since there's no need
+ to COW because the extent buffer was created in this transaction and it
+ was not written yet.
+
+ The we call btrfs_copy_root() against the root node 36048896. During
+ this operation we allocate a new extent buffer to turn into the root
+ node of the snapshot, copy the contents of the root node 36048896 into
+ this snapshot root extent buffer, set the owner to 292 (the ID of the
+ snapshot), etc, and then we call btrfs_inc_ref(). This will create a
+ delayed reference for each leaf pointed by the root node with a
+ reference root of 292 - this includes a reference for the leaf
+ 36007936.
+
+ After that we set the bit BTRFS_ROOT_FORCE_COW in the root's state.
+
+ Then we call btrfs_insert_dir_item(), to create the directory entry in
+ in the tree of subvolume 291 that points to the snapshot. This ends up
+ needing to modify leaf 36007936 to insert the respective directory
+ items. Because the bit BTRFS_ROOT_FORCE_COW is set for the root's state,
+ we need to COW the leaf. We end up at btrfs_force_cow_block() and then
+ at update_ref_for_cow().
+
+ At update_ref_for_cow() we call btrfs_block_can_be_shared() which
+ returns false, despite the fact the leaf 36007936 is shared - the
+ subvolume's root and the snapshot's root point to that leaf. The
+ reason that it incorrectly returns false is because the commit root
+ of the subvolume is extent buffer 36007936 - it was the initial root
+ of the subvolume when we created it. So btrfs_block_can_be_shared()
+ which has the following logic:
+
+ int btrfs_block_can_be_shared(struct btrfs_root *root,
+ struct extent_buffer *buf)
+ {
+ if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) &&
+ buf != root->node && buf != root->commit_root &&
+ (btrfs_header_generation(buf) <=
+ btrfs_root_last_snapshot(&root->root_item) ||
+ btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC)))
+ return 1;
+
+ return 0;
+ }
+
+ Returns false (0) since 'buf' (extent buffer 36007936) matches the
+ root's commit root.
+
+ As a result, at update_ref_for_cow(), we don't check for the number
+ of references for extent buffer 36007936, we just assume it's not
+ shared and therefore that it has only 1 reference, so we set the local
+ variable 'refs' to 1.
+
+ Later on, in the final if-else statement at update_ref_for_cow():
+
+ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root,
+ struct extent_buffer *buf,
+ struct extent_buffer *cow,
+ int *last_ref)
+ {
+ (...)
+ if (refs > 1) {
+ (...)
+ } else {
+ (...)
+ btrfs_clear_buffer_dirty(trans, buf);
+ *last_ref = 1;
+ }
+ }
+
+ So we mark the extent buffer 36007936 as not dirty, and as a result
+ we don't write it to disk later in the transaction commit, despite the
+ fact that the snapshot's root points to it.
+
+ Attempting to access the leaf or dumping the tree for example shows
+ that the extent buffer was not written:
+
+ $ btrfs inspect-internal dump-tree -t 292 /dev/sdb
+ btrfs-progs v6.2.2
+ file tree key (292 ROOT_ITEM 33)
+ node 36110336 level 1 items 2 free space 119 generation 33 owner 292
+ node 36110336 flags 0x1(WRITTEN) backref revision 1
+ checksum stored a8103e3e
+ checksum calced a8103e3e
+ fs uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+ chunk uuid e8c9c885-78f4-4d31-85fe-89e5f5fd4a07
+ key (256 INODE_ITEM 0) block 36007936 gen 33
+ key (257 EXTENT_DATA 0) block 36052992 gen 33
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ total bytes 107374182400
+ bytes used 38572032
+ uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+
+ The respective on disk region is full of zeroes as the device was
+ trimmed at mkfs time.
+
+ Obviously 'btrfs check' also detects and complains about this:
+
+ $ btrfs check /dev/sdb
+ Opening filesystem to check...
+ Checking filesystem on /dev/sdb
+ UUID: 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+ generation: 33 (33)
+ [1/7] checking root items
+ [2/7] checking extents
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ bad tree block 36007936, bytenr mismatch, want=36007936, have=0
+ owner ref check failed [36007936 4096]
+ ERROR: errors found in extent allocation tree or chunk allocation
+ [3/7] checking free space tree
+ [4/7] checking fs roots
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+ bad tree block 36007936, bytenr mismatch, want=36007936, have=0
+ The following tree block(s) is corrupted in tree 292:
+ tree block bytenr: 36110336, level: 1, node key: (256, 1, 0)
+ root 292 root dir 256 not found
+ ERROR: errors found in fs roots
+ found 38572032 bytes used, error(s) found
+ total csum bytes: 16048
+ total tree bytes: 1265664
+ total fs tree bytes: 1118208
+ total extent tree bytes: 65536
+ btree space waste bytes: 562598
+ file data blocks allocated: 65978368
+ referenced 36569088
+
+Fix this by updating btrfs_block_can_be_shared() to consider that an
+extent buffer may be shared if it matches the commit root and if its
+generation matches the current transaction's generation.
+
+This can be reproduced with the following script:
+
+ $ cat test.sh
+ #!/bin/bash
+
+ MNT=/mnt/sdi
+ DEV=/dev/sdi
+
+ # Use a filesystem with a 64K node size so that we have the same node
+ # size on every machine regardless of its page size (on x86_64 default
+ # node size is 16K due to the 4K page size, while on PPC it's 64K by
+ # default). This way we can make sure we are able to create a btree for
+ # the subvolume with a height of 2.
+ mkfs.btrfs -f -n 64K $DEV
+ mount $DEV $MNT
+
+ btrfs subvolume create $MNT/subvol
+
+ # Create a few empty files on the subvolume, this bumps its btree
+ # height to 2 (root node at level 1 and 2 leaves).
+ for ((i = 1; i <= 300; i++)); do
+ echo -n > $MNT/subvol/file_$i
+ done
+
+ btrfs subvolume snapshot -r $MNT/subvol $MNT/subvol/snap
+
+ umount $DEV
+
+ btrfs check $DEV
+
+Running it on a 6.5 kernel (or any 6.6-rc kernel at the moment):
+
+ $ ./test.sh
+ Create subvolume '/mnt/sdi/subvol'
+ Create a readonly snapshot of '/mnt/sdi/subvol' in '/mnt/sdi/subvol/snap'
+ Opening filesystem to check...
+ Checking filesystem on /dev/sdi
+ UUID: bbdde2ff-7d02-45ca-8a73-3c36f23755a1
+ [1/7] checking root items
+ [2/7] checking extents
+ parent transid verify failed on 30539776 wanted 7 found 5
+ parent transid verify failed on 30539776 wanted 7 found 5
+ parent transid verify failed on 30539776 wanted 7 found 5
+ Ignoring transid failure
+ owner ref check failed [30539776 65536]
+ ERROR: errors found in extent allocation tree or chunk allocation
+ [3/7] checking free space tree
+ [4/7] checking fs roots
+ parent transid verify failed on 30539776 wanted 7 found 5
+ Ignoring transid failure
+ Wrong key of child node/leaf, wanted: (256, 1, 0), have: (2, 132, 0)
+ Wrong generation of child node/leaf, wanted: 5, have: 7
+ root 257 root dir 256 not found
+ ERROR: errors found in fs roots
+ found 917504 bytes used, error(s) found
+ total csum bytes: 0
+ total tree bytes: 851968
+ total fs tree bytes: 393216
+ total extent tree bytes: 65536
+ btree space waste bytes: 736550
+ file data blocks allocated: 0
+ referenced 0
+
+A test case for fstests will follow soon.
+
+Fixes: 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create")
+CC: stable@vger.kernel.org # 6.5+
+Reviewed-by: Josef Bacik
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/backref.c | 14 +++++++++-----
+ fs/btrfs/backref.h | 3 ++-
+ fs/btrfs/ctree.c | 21 ++++++++++++++++-----
+ fs/btrfs/ctree.h | 3 ++-
+ fs/btrfs/relocation.c | 7 ++++---
+ 5 files changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index b7d54efb47288..a4a809efc92fc 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -3196,12 +3196,14 @@ static int handle_direct_tree_backref(struct btrfs_backref_cache *cache,
+ * We still need to do a tree search to find out the parents. This is for
+ * TREE_BLOCK_REF backref (keyed or inlined).
+ *
++ * @trans: Transaction handle.
+ * @ref_key: The same as @ref_key in handle_direct_tree_backref()
+ * @tree_key: The first key of this tree block.
+ * @path: A clean (released) path, to avoid allocating path every time
+ * the function get called.
+ */
+-static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
++static int handle_indirect_tree_backref(struct btrfs_trans_handle *trans,
++ struct btrfs_backref_cache *cache,
+ struct btrfs_path *path,
+ struct btrfs_key *ref_key,
+ struct btrfs_key *tree_key,
+@@ -3315,7 +3317,7 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
+ * If we know the block isn't shared we can avoid
+ * checking its backrefs.
+ */
+- if (btrfs_block_can_be_shared(root, eb))
++ if (btrfs_block_can_be_shared(trans, root, eb))
+ upper->checked = 0;
+ else
+ upper->checked = 1;
+@@ -3363,11 +3365,13 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
+ * links aren't yet bi-directional. Needs to finish such links.
+ * Use btrfs_backref_finish_upper_links() to finish such linkage.
+ *
++ * @trans: Transaction handle.
+ * @path: Released path for indirect tree backref lookup
+ * @iter: Released backref iter for extent tree search
+ * @node_key: The first key of the tree block
+ */
+-int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
++int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans,
++ struct btrfs_backref_cache *cache,
+ struct btrfs_path *path,
+ struct btrfs_backref_iter *iter,
+ struct btrfs_key *node_key,
+@@ -3467,8 +3471,8 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
+ * offset means the root objectid. We need to search
+ * the tree to get its parent bytenr.
+ */
+- ret = handle_indirect_tree_backref(cache, path, &key, node_key,
+- cur);
++ ret = handle_indirect_tree_backref(trans, cache, path,
++ &key, node_key, cur);
+ if (ret < 0)
+ goto out;
+ }
+diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h
+index 1616e3e3f1e41..71d535e03dca8 100644
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -540,7 +540,8 @@ static inline void btrfs_backref_panic(struct btrfs_fs_info *fs_info,
+ bytenr);
+ }
+
+-int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
++int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans,
++ struct btrfs_backref_cache *cache,
+ struct btrfs_path *path,
+ struct btrfs_backref_iter *iter,
+ struct btrfs_key *node_key,
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index da519c1b6ad08..617d4827eec26 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -367,7 +367,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans,
+ /*
+ * check if the tree block can be shared by multiple trees
+ */
+-int btrfs_block_can_be_shared(struct btrfs_root *root,
++int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans,
++ struct btrfs_root *root,
+ struct extent_buffer *buf)
+ {
+ /*
+@@ -376,11 +377,21 @@ int btrfs_block_can_be_shared(struct btrfs_root *root,
+ * not allocated by tree relocation, we know the block is not shared.
+ */
+ if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) &&
+- buf != root->node && buf != root->commit_root &&
++ buf != root->node &&
+ (btrfs_header_generation(buf) <=
+ btrfs_root_last_snapshot(&root->root_item) ||
+- btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC)))
+- return 1;
++ btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) {
++ if (buf != root->commit_root)
++ return 1;
++ /*
++ * An extent buffer that used to be the commit root may still be
++ * shared because the tree height may have increased and it
++ * became a child of a higher level root. This can happen when
++ * snapshotting a subvolume created in the current transaction.
++ */
++ if (btrfs_header_generation(buf) == trans->transid)
++ return 1;
++ }
+
+ return 0;
+ }
+@@ -415,7 +426,7 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+ * are only allowed for blocks use full backrefs.
+ */
+
+- if (btrfs_block_can_be_shared(root, buf)) {
++ if (btrfs_block_can_be_shared(trans, root, buf)) {
+ ret = btrfs_lookup_extent_info(trans, fs_info, buf->start,
+ btrfs_header_level(buf), 1,
+ &refs, &flags);
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 9419f4e37a58c..ff40acd63a374 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -540,7 +540,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root,
+ struct extent_buffer *buf,
+ struct extent_buffer **cow_ret, u64 new_root_objectid);
+-int btrfs_block_can_be_shared(struct btrfs_root *root,
++int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans,
++ struct btrfs_root *root,
+ struct extent_buffer *buf);
+ int btrfs_del_ptr(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+ struct btrfs_path *path, int level, int slot);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index d69a331a6d113..62ed57551824c 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -466,6 +466,7 @@ static bool handle_useless_nodes(struct reloc_control *rc,
+ * cached.
+ */
+ static noinline_for_stack struct btrfs_backref_node *build_backref_tree(
++ struct btrfs_trans_handle *trans,
+ struct reloc_control *rc, struct btrfs_key *node_key,
+ int level, u64 bytenr)
+ {
+@@ -499,8 +500,8 @@ static noinline_for_stack struct btrfs_backref_node *build_backref_tree(
+
+ /* Breadth-first search to build backref cache */
+ do {
+- ret = btrfs_backref_add_tree_node(cache, path, iter, node_key,
+- cur);
++ ret = btrfs_backref_add_tree_node(trans, cache, path, iter,
++ node_key, cur);
+ if (ret < 0) {
+ err = ret;
+ goto out;
+@@ -2803,7 +2804,7 @@ int relocate_tree_blocks(struct btrfs_trans_handle *trans,
+
+ /* Do tree relocation */
+ rbtree_postorder_for_each_entry_safe(block, next, blocks, rb_node) {
+- node = build_backref_tree(rc, &block->key,
++ node = build_backref_tree(trans, rc, &block->key,
+ block->level, block->bytenr);
+ if (IS_ERR(node)) {
+ err = PTR_ERR(node);
+--
+2.42.0
+
diff --git a/queue-6.5/btrfs-remove-v0-extent-handling.patch b/queue-6.5/btrfs-remove-v0-extent-handling.patch
new file mode 100644
index 00000000000..12e116455a7
--- /dev/null
+++ b/queue-6.5/btrfs-remove-v0-extent-handling.patch
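Review bot: In the fs/btrfs/ctree.c part of this patch, the new commit-root branch of btrfs_block_can_be_shared() dereferences `trans->transid` without any guard, but the comment above the function still says only "check if the tree block can be shared by multiple trees" and does not mention the new parameter or that it must be non-NULL. The callers changed in this patch (update_ref_for_cow(), handle_indirect_tree_backref() and, through build_backref_tree(), relocate_tree_blocks()) all forward a handle they were given; that relocate_tree_blocks() is never entered with a NULL handle is presumably true but not visible here. I would add to the function comment `@trans: running transaction handle, dereferenced when @buf is the root's commit root` so the contract matches the `@trans: Transaction handle.` lines added in backref.c. The function body is split across two inner hunks, so a few lines after its opening brace are not shown.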
@@ -0,0 +1,312 @@ +From b3fe10d1e2394dc1c147a22f83e7f286f6e1f354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 19:02:11 +0800 +Subject: btrfs: remove v0 extent handling + +From: Qu Wenruo + +[ Upstream commit 182741d287fb1ea870ee6ef45aa1915a0b031233 ] + +The v0 extent item has been deprecated for a long time, and we don't have +any report from the community either. + +So it's time to remove the v0 extent specific error handling, and just +treat them as regular extent tree corruption. + +This patch would remove the btrfs_print_v0_err() helper, and enhance the +involved error handling to treat them just as any extent tree +corruption. No reports regarding v0 extents have been seen since the +graceful handling was added in 2018. + +This involves: + +- btrfs_backref_add_tree_node() + This change is a little tricky, the new code is changed to only handle + BTRFS_TREE_BLOCK_REF_KEY and BTRFS_SHARED_BLOCK_REF_KEY. + + But this is safe, as we have rejected any unknown inline refs through + btrfs_get_extent_inline_ref_type(). + For keyed backrefs, we're safe to skip anything we don't know (that's + if it can pass tree-checker in the first place). + +- btrfs_lookup_extent_info() +- lookup_inline_extent_backref() +- run_delayed_extent_op() +- __btrfs_free_extent() +- add_tree_block() + Regular error handling of unexpected extent tree item, and abort + transaction (if we have a trans handle). + +- remove_extent_data_ref() + It's pretty much the same as the regular rejection of unknown backref + key. + But for this particular case, we can also remove a BUG_ON(). + +- extent_data_ref_count() + We can remove the BTRFS_EXTENT_REF_V0_KEY BUG_ON(), as it would be + rejected by the only caller. + +- btrfs_print_leaf() + Remove the handling for BTRFS_EXTENT_REF_V0_KEY. 
+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: eb96e221937a ("btrfs: fix unwritten extent buffer after snapshotting a new subvolume") +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 29 +++++++++++---------------- + fs/btrfs/extent-tree.c | 35 ++++++++++++++++++++------------- + fs/btrfs/messages.c | 6 ------ + fs/btrfs/messages.h | 2 -- + fs/btrfs/print-tree.c | 10 ++++------ + fs/btrfs/relocation.c | 11 ++++++----- + include/trace/events/btrfs.h | 1 - + include/uapi/linux/btrfs_tree.h | 6 +++++- + 8 files changed, 48 insertions(+), 52 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 79336fa853db3..b7d54efb47288 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -3373,7 +3373,6 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache, + struct btrfs_key *node_key, + struct btrfs_backref_node *cur) + { +- struct btrfs_fs_info *fs_info = cache->fs_info; + struct btrfs_backref_edge *edge; + struct btrfs_backref_node *exist; + int ret; +@@ -3462,25 +3461,21 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache, + ret = handle_direct_tree_backref(cache, &key, cur); + if (ret < 0) + goto out; +- continue; +- } else if (unlikely(key.type == BTRFS_EXTENT_REF_V0_KEY)) { +- ret = -EINVAL; +- btrfs_print_v0_err(fs_info); +- btrfs_handle_fs_error(fs_info, ret, NULL); +- goto out; +- } else if (key.type != BTRFS_TREE_BLOCK_REF_KEY) { +- continue; ++ } else if (key.type == BTRFS_TREE_BLOCK_REF_KEY) { ++ /* ++ * key.type == BTRFS_TREE_BLOCK_REF_KEY, inline ref ++ * offset means the root objectid. We need to search ++ * the tree to get its parent bytenr. ++ */ ++ ret = handle_indirect_tree_backref(cache, path, &key, node_key, ++ cur); ++ if (ret < 0) ++ goto out; + } +- + /* +- * key.type == BTRFS_TREE_BLOCK_REF_KEY, inline ref offset +- * means the root objectid. We need to search the tree to get +- * its parent bytenr. 
++ * Unrecognized tree backref items (if it can pass tree-checker) ++ * would be ignored. + */ +- ret = handle_indirect_tree_backref(cache, path, &key, node_key, +- cur); +- if (ret < 0) +- goto out; + } + ret = 0; + cur->checked = 1; +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 2cf8d646085c2..14ea6b587e97b 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -187,8 +187,10 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, + num_refs = btrfs_extent_refs(leaf, ei); + extent_flags = btrfs_extent_flags(leaf, ei); + } else { +- ret = -EINVAL; +- btrfs_print_v0_err(fs_info); ++ ret = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected extent item size, has %u expect >= %zu", ++ item_size, sizeof(*ei)); + if (trans) + btrfs_abort_transaction(trans, ret); + else +@@ -624,12 +626,12 @@ static noinline int remove_extent_data_ref(struct btrfs_trans_handle *trans, + ref2 = btrfs_item_ptr(leaf, path->slots[0], + struct btrfs_shared_data_ref); + num_refs = btrfs_shared_data_ref_count(leaf, ref2); +- } else if (unlikely(key.type == BTRFS_EXTENT_REF_V0_KEY)) { +- btrfs_print_v0_err(trans->fs_info); +- btrfs_abort_transaction(trans, -EINVAL); +- return -EINVAL; + } else { +- BUG(); ++ btrfs_err(trans->fs_info, ++ "unrecognized backref key (%llu %u %llu)", ++ key.objectid, key.type, key.offset); ++ btrfs_abort_transaction(trans, -EUCLEAN); ++ return -EUCLEAN; + } + + BUG_ON(num_refs < refs_to_drop); +@@ -660,7 +662,6 @@ static noinline u32 extent_data_ref_count(struct btrfs_path *path, + leaf = path->nodes[0]; + btrfs_item_key_to_cpu(leaf, &key, path->slots[0]); + +- BUG_ON(key.type == BTRFS_EXTENT_REF_V0_KEY); + if (iref) { + /* + * If type is invalid, we should have bailed out earlier than +@@ -881,8 +882,10 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans, + leaf = path->nodes[0]; + item_size = btrfs_item_size(leaf, path->slots[0]); + if (unlikely(item_size < sizeof(*ei))) { +- err = -EINVAL; +- 
btrfs_print_v0_err(fs_info); ++ err = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected extent item size, has %llu expect >= %zu", ++ item_size, sizeof(*ei)); + btrfs_abort_transaction(trans, err); + goto out; + } +@@ -1683,8 +1686,10 @@ static int run_delayed_extent_op(struct btrfs_trans_handle *trans, + item_size = btrfs_item_size(leaf, path->slots[0]); + + if (unlikely(item_size < sizeof(*ei))) { +- err = -EINVAL; +- btrfs_print_v0_err(fs_info); ++ err = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected extent item size, has %u expect >= %zu", ++ item_size, sizeof(*ei)); + btrfs_abort_transaction(trans, err); + goto out; + } +@@ -3113,8 +3118,10 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans, + leaf = path->nodes[0]; + item_size = btrfs_item_size(leaf, extent_slot); + if (unlikely(item_size < sizeof(*ei))) { +- ret = -EINVAL; +- btrfs_print_v0_err(info); ++ ret = -EUCLEAN; ++ btrfs_err(trans->fs_info, ++ "unexpected extent item size, has %u expect >= %zu", ++ item_size, sizeof(*ei)); + btrfs_abort_transaction(trans, ret); + goto out; + } +diff --git a/fs/btrfs/messages.c b/fs/btrfs/messages.c +index 23fc11af498ac..21f2d101f681d 100644 +--- a/fs/btrfs/messages.c ++++ b/fs/btrfs/messages.c +@@ -252,12 +252,6 @@ void __cold _btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, + } + #endif + +-void __cold btrfs_print_v0_err(struct btrfs_fs_info *fs_info) +-{ +- btrfs_err(fs_info, +-"Unsupported V0 extent filesystem detected. Aborting. 
Please re-create your filesystem with a newer kernel"); +-} +- + #if BITS_PER_LONG == 32 + void __cold btrfs_warn_32bit_limit(struct btrfs_fs_info *fs_info) + { +diff --git a/fs/btrfs/messages.h b/fs/btrfs/messages.h +index deedc1a168e24..1ae6f8e23e071 100644 +--- a/fs/btrfs/messages.h ++++ b/fs/btrfs/messages.h +@@ -181,8 +181,6 @@ do { \ + #define ASSERT(expr) (void)(expr) + #endif + +-void __cold btrfs_print_v0_err(struct btrfs_fs_info *fs_info); +- + __printf(5, 6) + __cold + void __btrfs_handle_fs_error(struct btrfs_fs_info *fs_info, const char *function, +diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c +index aa06d9ca911d9..0c93439e929fb 100644 +--- a/fs/btrfs/print-tree.c ++++ b/fs/btrfs/print-tree.c +@@ -95,8 +95,10 @@ static void print_extent_item(const struct extent_buffer *eb, int slot, int type + int ref_index = 0; + + if (unlikely(item_size < sizeof(*ei))) { +- btrfs_print_v0_err(eb->fs_info); +- btrfs_handle_fs_error(eb->fs_info, -EINVAL, NULL); ++ btrfs_err(eb->fs_info, ++ "unexpected extent item size, has %u expect >= %zu", ++ item_size, sizeof(*ei)); ++ btrfs_handle_fs_error(eb->fs_info, -EUCLEAN, NULL); + } + + ei = btrfs_item_ptr(eb, slot, struct btrfs_extent_item); +@@ -291,10 +293,6 @@ void btrfs_print_leaf(const struct extent_buffer *l) + btrfs_file_extent_num_bytes(l, fi), + btrfs_file_extent_ram_bytes(l, fi)); + break; +- case BTRFS_EXTENT_REF_V0_KEY: +- btrfs_print_v0_err(fs_info); +- btrfs_handle_fs_error(fs_info, -EINVAL, NULL); +- break; + case BTRFS_BLOCK_GROUP_ITEM_KEY: + bi = btrfs_item_ptr(l, i, + struct btrfs_block_group_item); +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 5f4ff7d5b5c19..d69a331a6d113 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -3256,12 +3256,13 @@ static int add_tree_block(struct reloc_control *rc, + if (type == BTRFS_TREE_BLOCK_REF_KEY) + owner = btrfs_extent_inline_ref_offset(eb, iref); + } +- } else if (unlikely(item_size == sizeof(struct 
btrfs_extent_item_v0))) { +- btrfs_print_v0_err(eb->fs_info); +- btrfs_handle_fs_error(eb->fs_info, -EINVAL, NULL); +- return -EINVAL; + } else { +- BUG(); ++ btrfs_print_leaf(eb); ++ btrfs_err(rc->block_group->fs_info, ++ "unrecognized tree backref at tree block %llu slot %u", ++ eb->start, path->slots[0]); ++ btrfs_release_path(path); ++ return -EUCLEAN; + } + + btrfs_release_path(path); +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index a8206f5332e99..da0734b182f2f 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -38,7 +38,6 @@ struct find_free_extent_ctl; + __print_symbolic(type, \ + { BTRFS_TREE_BLOCK_REF_KEY, "TREE_BLOCK_REF" }, \ + { BTRFS_EXTENT_DATA_REF_KEY, "EXTENT_DATA_REF" }, \ +- { BTRFS_EXTENT_REF_V0_KEY, "EXTENT_REF_V0" }, \ + { BTRFS_SHARED_BLOCK_REF_KEY, "SHARED_BLOCK_REF" }, \ + { BTRFS_SHARED_DATA_REF_KEY, "SHARED_DATA_REF" }) + +diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h +index ab38d0f411fa4..fc3c32186d7eb 100644 +--- a/include/uapi/linux/btrfs_tree.h ++++ b/include/uapi/linux/btrfs_tree.h +@@ -220,7 +220,11 @@ + + #define BTRFS_EXTENT_DATA_REF_KEY 178 + +-#define BTRFS_EXTENT_REF_V0_KEY 180 ++/* ++ * Obsolete key. Defintion removed in 6.6, value may be reused in the future. ++ * ++ * #define BTRFS_EXTENT_REF_V0_KEY 180 ++ */ + + #define BTRFS_SHARED_BLOCK_REF_KEY 182 + +-- +2.42.0 + diff --git a/queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch b/queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch new file mode 100644 index 00000000000..638df3a96f5 --- /dev/null +++ b/queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch 
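Review bot: Two sites in this patch still do not bail out on the corrupt item they have just detected. In print_extent_item() (fs/btrfs/print-tree.c) the `item_size < sizeof(*ei)` branch logs and calls btrfs_handle_fs_error() but has no `return;`, so the context line after it still evaluates `ei = btrfs_item_ptr(eb, slot, struct btrfs_extent_item)` for an item shorter than the structure; the rest of the function is outside the hunk, so how far it reads is an inference. In remove_extent_data_ref() (fs/btrfs/extent-tree.c) the new -EUCLEAN branch is followed by the unchanged `BUG_ON(num_refs < refs_to_drop);`, where num_refs is read from the leaf, so a bad on-disk count still stops the kernel instead of aborting the transaction. Suggested: add `return;` after the btrfs_handle_fs_error() call, and replace the BUG_ON with `if (unlikely(num_refs < refs_to_drop)) { btrfs_abort_transaction(trans, -EUCLEAN); return -EUCLEAN; }` plus a btrfs_err() that prints both values.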
@@ -0,0 +1,103 @@ +From ee73007bfdcfe85432af4d890118a676b0331fbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 10:15:56 +0300 +Subject: clk: ti: Fix missing omap4 mcbsp functional clock and aliases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tony Lindgren + +[ Upstream commit cc2d819dd7df94a72bde7b9b9331a6535084092d ] + +We are using a wrong mcbsp functional clock. The interconnect target module +driver provided clock for mcbsp is not same as the mcbsp functional clock +known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should +have been added before we dropped the legacy platform data. + +Additionally we are also missing the clock aliases for the clocks used by +the audio driver if reparenting is needed. This causes audio driver errors +like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas. +The mcbsp clock aliases too should have been added before we dropped the +legacy platform data. + +Let's add the clocks and aliases with a single patch to fix the issue. 
+ +Fixes: 349355ce3a05 ("ARM: OMAP2+: Drop legacy platform data for omap4 mcbsp") +Reported-by: Andreas Kemnade +Reported-by: Péter Ujfalusi +Acked-by: Stephen Boyd +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi | 6 ++++++ + arch/arm/boot/dts/ti/omap/omap4-l4.dtsi | 2 ++ + drivers/clk/ti/clk-44xx.c | 5 +++++ + 3 files changed, 13 insertions(+) + +diff --git a/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi b/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi +index 7ae8b620515c5..59f546a278f87 100644 +--- a/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi ++++ b/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi +@@ -109,6 +109,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49022000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP1_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -142,6 +144,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49024000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP2_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -175,6 +179,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49026000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP4_MCBSP3_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +diff --git a/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi b/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi +index 46b8f9efd4131..3fcef3080eaec 100644 +--- a/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi ++++ b/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi +@@ -2043,6 +2043,8 @@ + compatible = "ti,omap4-mcbsp"; + reg = <0x0 0xff>; /* L4 Interconnect */ + reg-names = "mpu"; ++ clocks = <&l4_per_clkctrl OMAP4_MCBSP4_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + 
ti,buffer-size = <128>; +diff --git a/drivers/clk/ti/clk-44xx.c b/drivers/clk/ti/clk-44xx.c +index 868bc7af21b0b..9b2824ed785b9 100644 +--- a/drivers/clk/ti/clk-44xx.c ++++ b/drivers/clk/ti/clk-44xx.c +@@ -749,9 +749,14 @@ static struct ti_dt_clk omap44xx_clks[] = { + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), ++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"), ++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"), ++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"), + DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4-per-clkctrl:00c0:26"), ++ DT_CLK("48096000.mcbsp", "prcm_fck", "l4-per-clkctrl:00c0:26"), + DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3-init-clkctrl:00c0:8"), + DT_CLK(NULL, "otg_60m_gfclk", "l3-init-clkctrl:0040:24"), ++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"), + DT_CLK(NULL, "per_mcbsp4_gfclk", "l4-per-clkctrl:00c0:24"), + DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu-sys-clkctrl:0000:20"), + DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu-sys-clkctrl:0000:22"), +-- +2.42.0 + diff --git a/queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch b/queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch new file mode 100644 index 00000000000..0476e1db6fc --- /dev/null +++ b/queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch 
@@ -0,0 +1,97 @@ +From 257d43fdcd6b3fc3d33c5efc0dc88693a068ad93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 10:15:56 +0300 +Subject: clk: ti: Fix missing omap5 mcbsp functional clock and aliases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tony Lindgren + +[ Upstream commit 0b9a4a67c60d3e15b39a69d480a50ce7eeff9bc1 ] + +We are using a wrong mcbsp functional clock. The interconnect target module +driver provided clock for mcbsp is not same as the mcbsp functional clock +known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should +have been added before we dropped the legacy platform data. + +Additionally we are also missing the clock aliases for the clocks used by +the audio driver if reparenting is needed. This causes audio driver errors +like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas. +The mcbsp clock aliases too should have been added before we dropped the +legacy platform data. + +Let's add the clocks and aliases with a single patch to fix the issue +similar to omap4. On omap5, there is no mcbsp4 instance on the l4_per +interconnect. + +Fixes: b1da0fa21bd1 ("ARM: OMAP2+: Drop legacy platform data for omap5 mcbsp") +Cc: H. 
Nikolaus Schaller +Reported-by: Andreas Kemnade +Reported-by: Péter Ujfalusi +Acked-by: Stephen Boyd +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi | 6 ++++++ + drivers/clk/ti/clk-54xx.c | 4 ++++ + 2 files changed, 10 insertions(+) + +diff --git a/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi b/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi +index a03bca5a35844..97b0c3b5f573f 100644 +--- a/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi ++++ b/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi +@@ -109,6 +109,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49022000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP1_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -142,6 +144,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49024000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP2_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +@@ -175,6 +179,8 @@ + reg = <0x0 0xff>, /* MPU private access */ + <0x49026000 0xff>; /* L3 Interconnect */ + reg-names = "mpu", "dma"; ++ clocks = <&abe_clkctrl OMAP5_MCBSP3_CLKCTRL 24>; ++ clock-names = "fck"; + interrupts = ; + interrupt-names = "common"; + ti,buffer-size = <128>; +diff --git a/drivers/clk/ti/clk-54xx.c b/drivers/clk/ti/clk-54xx.c +index b4aff76eb3735..74dfd5823f835 100644 +--- a/drivers/clk/ti/clk-54xx.c ++++ b/drivers/clk/ti/clk-54xx.c +@@ -565,15 +565,19 @@ static struct ti_dt_clk omap54xx_clks[] = { + DT_CLK(NULL, "gpio8_dbclk", "l4per-clkctrl:00f8:8"), + DT_CLK(NULL, "mcbsp1_gfclk", "abe-clkctrl:0028:24"), + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), ++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"), + DT_CLK(NULL, "mcbsp2_gfclk", "abe-clkctrl:0030:24"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), 
++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"), + DT_CLK(NULL, "mcbsp3_gfclk", "abe-clkctrl:0038:24"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), ++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"), + DT_CLK(NULL, "mmc1_32khz_clk", "l3init-clkctrl:0008:8"), + DT_CLK(NULL, "mmc1_fclk", "l3init-clkctrl:0008:25"), + DT_CLK(NULL, "mmc1_fclk_mux", "l3init-clkctrl:0008:24"), + DT_CLK(NULL, "mmc2_fclk", "l3init-clkctrl:0010:25"), + DT_CLK(NULL, "mmc2_fclk_mux", "l3init-clkctrl:0010:24"), ++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"), + DT_CLK(NULL, "sata_ref_clk", "l3init-clkctrl:0068:8"), + DT_CLK(NULL, "timer10_gfclk_mux", "l4per-clkctrl:0008:24"), + DT_CLK(NULL, "timer11_gfclk_mux", "l4per-clkctrl:0010:24"), +-- +2.42.0 + diff --git a/queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch b/queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch new file mode 100644 index 00000000000..004b4a34189 --- /dev/null +++ b/queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch 
@@ -0,0 +1,91 @@ +From 7bb19663c9d4e8e95f794c50d467e1fc1afbcec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 10:02:42 -0700 +Subject: drm/i915/mcr: Hold GT forcewake during steering operations + +From: Matt Roper + +[ Upstream commit 78cc55e0b64c820673a796635daf82c7eadfe152 ] + +The steering control and semaphore registers are inside an "always on" +power domain with respect to RC6. However there are some issues if +higher-level platform sleep states are entering/exiting at the same time +these registers are accessed. Grabbing GT forcewake and holding it over +the entire lock/steer/unlock cycle ensures that those sleep states have +been fully exited before we access these registers. + +This is expected to become a formally documented/numbered workaround +soon. + +Note that this patch alone isn't expected to have an immediately +noticeable impact on MCR (mis)behavior; an upcoming pcode firmware +update will also be necessary to provide the other half of this +workaround. + +v2: + - Move the forcewake inside the Xe_LPG-specific IP version check. This + should only be necessary on platforms that have a steering semaphore. 
+ +Fixes: 3100240bf846 ("drm/i915/mtl: Add hardware-level lock for steering") +Cc: Radhakrishna Sripada +Cc: Jonathan Cavitt +Signed-off-by: Matt Roper +Reviewed-by: Radhakrishna Sripada +Reviewed-by: Jonathan Cavitt +Reviewed-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20231019170241.2102037-2-matthew.d.roper@intel.com +(cherry picked from commit 8fa1c7cd1fe9cdfc426a603e1f1eecd3f463c487) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_gt_mcr.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_gt_mcr.c b/drivers/gpu/drm/i915/gt/intel_gt_mcr.c +index 0b414eae16831..2c0f1f3e28ff8 100644 +--- a/drivers/gpu/drm/i915/gt/intel_gt_mcr.c ++++ b/drivers/gpu/drm/i915/gt/intel_gt_mcr.c +@@ -376,9 +376,26 @@ void intel_gt_mcr_lock(struct intel_gt *gt, unsigned long *flags) + * driver threads, but also with hardware/firmware agents. A dedicated + * locking register is used. + */ +- if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) ++ if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) { ++ /* ++ * The steering control and semaphore registers are inside an ++ * "always on" power domain with respect to RC6. However there ++ * are some issues if higher-level platform sleep states are ++ * entering/exiting at the same time these registers are ++ * accessed. Grabbing GT forcewake and holding it over the ++ * entire lock/steer/unlock cycle ensures that those sleep ++ * states have been fully exited before we access these ++ * registers. This wakeref will be released in the unlock ++ * routine. ++ * ++ * This is expected to become a formally documented/numbered ++ * workaround soon. 
++ */ ++ intel_uncore_forcewake_get(gt->uncore, FORCEWAKE_GT); ++ + err = wait_for(intel_uncore_read_fw(gt->uncore, + MTL_STEER_SEMAPHORE) == 0x1, 100); ++ } + + /* + * Even on platforms with a hardware lock, we'll continue to grab +@@ -415,8 +432,11 @@ void intel_gt_mcr_unlock(struct intel_gt *gt, unsigned long flags) + { + spin_unlock_irqrestore(>->mcr_lock, flags); + +- if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) ++ if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) { + intel_uncore_write_fw(gt->uncore, MTL_STEER_SEMAPHORE, 0x1); ++ ++ intel_uncore_forcewake_put(gt->uncore, FORCEWAKE_GT); ++ } + } + + /** +-- +2.42.0 + diff --git a/queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch b/queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch new file mode 100644 index 00000000000..c243694c3ba --- /dev/null +++ b/queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch 
@@ -0,0 +1,55 @@
+From aa421104e17f265ecb7ce60a8230a96facf4fcd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Aug 2023 13:28:54 -0700
+Subject: drm/i915/perf: Determine context valid in OA reports
+
+From: Umesh Nerlige Ramappa
+
+[ Upstream commit cba94bbcff08d209710dd7bdc139caad675a6f8d ]
+
+When supporting OA for TGL, it was seen that the context valid bit in
+the report ID was not defined, however revisiting the spec seems to have
+this bit defined. The bit is used to determine if a context is valid on
+a context switch and is essential to determine active and idle periods
+for a context. Re-enable the context valid bit for gen12 platforms.
+
+BSpec: 52196 (description of report_id)
+
+v2: Include BSpec reference (Ashutosh)
+
+Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL")
+Signed-off-by: Umesh Nerlige Ramappa
+Reviewed-by: Ashutosh Dixit
+Link: https://patchwork.freedesktop.org/patch/msgid/20230802202854.1224547-1-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit 7eeaedf79989a8f131939782832e21e9218ed2a0)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/i915_perf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
+index 49c6f1ff11284..331685e1b7b7d 100644
+--- a/drivers/gpu/drm/i915/i915_perf.c
++++ b/drivers/gpu/drm/i915/i915_perf.c
+@@ -482,8 +482,7 @@ static void oa_report_id_clear(struct i915_perf_stream *stream, u32 *report)
+ static bool oa_report_ctx_invalid(struct i915_perf_stream *stream, void *report)
+ {
+ return !(oa_report_id(stream, report) &
+- stream->perf->gen8_valid_ctx_bit) &&
+- GRAPHICS_VER(stream->perf->i915) <= 11;
++ stream->perf->gen8_valid_ctx_bit);
+ }
+
+ static u64 oa_timestamp(struct i915_perf_stream *stream, void *report)
+@@ -5106,6 +5105,7 @@ static void i915_perf_init_info(struct drm_i915_private *i915)
+ perf->gen8_valid_ctx_bit = BIT(16);
+ break;
+ case 12:
++
perf->gen8_valid_ctx_bit = BIT(16);
+ /*
+ * Calculate offset at runtime in oa_pin_context for gen12 and
+ * cache the value in perf->ctx_oactxctrl_offset.
+--
+2.42.0
+
diff --git a/queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch b/queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
new file mode 100644
index 00000000000..a888c7c795f
--- /dev/null
+++ b/queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
@@ -0,0 +1,42 @@
+From fb32f77b3dcbe36b67aa07c3bf693ce8b7c1cfe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 10:42:07 +0800
+Subject: drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO
+
+From: Sui Jingfeng
+
+[ Upstream commit 4e6c38c38723a954b85aa9ee62603bb4a37acbb4 ]
+
+drm/logicvc driver is depend on REGMAP and REGMAP_MMIO, should select this
+two kconfig option, otherwise the driver failed to compile on platform
+without REGMAP_MMIO selected:
+
+ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/gpu/drm/logicvc/logicvc-drm.ko] undefined!
+make[1]: *** [scripts/Makefile.modpost:136: Module.symvers] Error 1
+make: *** [Makefile:1978: modpost] Error 2
+
+Signed-off-by: Sui Jingfeng
+Acked-by: Paul Kocialkowski
+Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
+Link: https://patchwork.freedesktop.org/patch/msgid/20230608024207.581401-1-suijingfeng@loongson.cn
+Signed-off-by: Paul Kocialkowski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/logicvc/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/logicvc/Kconfig b/drivers/gpu/drm/logicvc/Kconfig
+index fa7a883688094..1df22a852a23e 100644
+--- a/drivers/gpu/drm/logicvc/Kconfig
++++ b/drivers/gpu/drm/logicvc/Kconfig
+@@ -5,5 +5,7 @@ config DRM_LOGICVC
+ select DRM_KMS_HELPER
+ select DRM_KMS_DMA_HELPER
+ select DRM_GEM_DMA_HELPER
++ select REGMAP
++ select REGMAP_MMIO
+ help
+ DRM display driver for the logiCVC programmable logic block from Xylon
+--
+2.42.0
+
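Review bot: oa_report_ctx_invalid() in drivers/gpu/drm/i915/i915_perf.c now depends entirely on `stream->perf->gen8_valid_ctx_bit` being non-zero, because with the `GRAPHICS_VER(...) <= 11` guard removed a zero mask makes `!(id & 0)` true and every report is classified as context-invalid. The second hunk sets `BIT(16)` under `case 12:` in i915_perf_init_info(), but the rest of that switch is outside the hunk, so it cannot be confirmed here that every version reaching this helper gets a mask. A guard such as `if (!stream->perf->gen8_valid_ctx_bit) return false;` would keep the previous result for platforms without the bit, or at least a comment on the helper, `/* requires perf->gen8_valid_ctx_bit to be set for this platform in i915_perf_init_info() */`, would record the invariant.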
diff --git a/queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch b/queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
new file mode 100644
index 00000000000..f58977fd5f5
--- /dev/null
+++ b/queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
@@ -0,0 +1,42 @@
+From 13a8a8d212bc7d1a30c49b927e894b898c9f7f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Oct 2023 11:29:08 +0800
+Subject: firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
+
+From: Hao Ge
+
+[ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ]
+
+dsp_chan->name and chan_name points to same block of memory,
+because dev_err still needs to be used it,so we need free
+it's memory after use to avoid use_after_free.
+
+Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()")
+Signed-off-by: Hao Ge
+Reviewed-by: Daniel Baluta
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/imx/imx-dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c
+index 1f410809d3ee4..0f656e4191d5c 100644
+--- a/drivers/firmware/imx/imx-dsp.c
++++ b/drivers/firmware/imx/imx-dsp.c
+@@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc)
+ dsp_chan->idx = i % 2;
+ dsp_chan->ch = mbox_request_channel_byname(cl, chan_name);
+ if (IS_ERR(dsp_chan->ch)) {
+- kfree(dsp_chan->name);
+ ret = PTR_ERR(dsp_chan->ch);
+ if (ret != -EPROBE_DEFER)
+ dev_err(dev, "Failed to request mbox chan %s ret %d\n",
+ chan_name, ret);
++ kfree(dsp_chan->name);
+ goto out;
+ }
+
+--
+2.42.0
+
diff --git a/queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch b/queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch
new file mode 100644
index 00000000000..effb25605bc
--- /dev/null
+++ b/queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch
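Review bot: The moved `kfree(dsp_chan->name);` in imx_dsp_setup_channels() leaves `dsp_chan->name` dangling while control jumps to the `out` label, whose cleanup code is outside the hunk. If that path, or any later reader of the channel array, touches the entry for index i, the use-after-free or double-free this patch removes from the dev_err() call would reappear there. Clearing the pointer at the free site is cheap and makes the error path safe regardless of what `out` does: `kfree(dsp_chan->name);` followed by `dsp_chan->name = NULL;`.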
@@ -0,0 +1,38 @@
+From a4273208a9f3e6c5dd146958076068bd0f14bc8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 22 Oct 2023 22:25:18 +0200
+Subject: gtp: fix fragmentation needed check with gso
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
+
+Call skb_gso_validate_network_len() to check if packet is over PMTU.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index acb20ad4e37eb..477b4d4f860bd 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -871,8 +871,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev,
+
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
+
+- if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) &&
+- mtu < ntohs(iph->tot_len)) {
++ if (iph->frag_off & htons(IP_DF) &&
++ ((!skb_is_gso(skb) && skb->len > mtu) ||
++ (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) {
+ netdev_dbg(dev, "packet too big, fragmentation needed\n");
+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+ htonl(mtu));
+--
+2.42.0
+
diff --git a/queue-6.5/gtp-uapi-fix-gtpa_max.patch b/queue-6.5/gtp-uapi-fix-gtpa_max.patch
new file mode 100644
index 00000000000..289efee52cf
--- /dev/null
+++ b/queue-6.5/gtp-uapi-fix-gtpa_max.patch
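Review bot: The non-GSO branch of the new condition in gtp_build_skb_ip4() compares the MTU with `skb->len` where the removed line used `ntohs(iph->tot_len)`, and the commit message mentions only the added GSO validation. The two lengths agree only if skb->data sits at the inner IP header and the buffer carries no trailing bytes, which is established outside the hunk (the function starts and ends outside it), so the switch deserves a short comment such as `/* skb->len is the inner IP packet length at this point; GSO skbs are validated per segment */`. The rewrite also drops the parentheses around the DF test; `(iph->frag_off & htons(IP_DF)) &&` reads unambiguously and matches the line it replaces.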
@@ -0,0 +1,34 @@
+From e53e51a5cbcbb25540a2e915d2e9914e3cef4807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 22 Oct 2023 22:25:17 +0200
+Subject: gtp: uapi: fix GTPA_MAX
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
+
+Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/gtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
+index 2f61298a7b779..3dcdb9e33cba2 100644
+--- a/include/uapi/linux/gtp.h
++++ b/include/uapi/linux/gtp.h
+@@ -33,6 +33,6 @@ enum gtp_attrs {
+ GTPA_PAD,
+ __GTPA_MAX,
+ };
+-#define GTPA_MAX (__GTPA_MAX + 1)
++#define GTPA_MAX (__GTPA_MAX - 1)
+
+ #endif /* _UAPI_LINUX_GTP_H_ */
+--
+2.42.0
+
diff --git a/queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch b/queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
new file mode 100644
index 00000000000..bc62c2409b0
--- /dev/null
+++ b/queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
@@ -0,0 +1,63 @@ +From 0b59e6dea85ad94e8e4b2e914222f76b9ad931af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 18:37:20 +0200 +Subject: i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value + +From: Ivan Vecera + +[ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ] + +Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new +PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with +existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag. + +Move the affected flag at the end of the flags and fix its value. + +Reproducer: +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off +[ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled) +netlink error: Operation not supported +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off +[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off + +The link-down-on-close flag cannot be modified after setting vf-vlan-pruning +because vf-vlan-pruning shares the same bit with total-port-shutdown flag +that prevents any modification of link-down-on-close flag. + +Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning") +Cc: Mateusz Palczewski +Cc: Simon Horman +Signed-off-by: Ivan Vecera +Reviewed-by: Jacob Keller +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index 6e310a5394678..55bb0b5310d5b 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -580,7 +580,6 @@ struct i40e_pf { + #define I40E_FLAG_DISABLE_FW_LLDP BIT(24) + #define I40E_FLAG_RS_FEC BIT(25) + #define I40E_FLAG_BASE_R_FEC BIT(26) +-#define I40E_FLAG_VF_VLAN_PRUNING BIT(27) + /* TOTAL_PORT_SHUTDOWN + * Allows to physically disable the link on the NIC's port. + * If enabled, (after link down request from the OS) +@@ -603,6 +602,7 @@ struct i40e_pf { + * in abilities field of i40e_aq_set_phy_config structure + */ + #define I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED BIT(27) ++#define I40E_FLAG_VF_VLAN_PRUNING BIT(28) + + struct i40e_client_instance *cinst; + bool stat_offsets_loaded; +-- +2.42.0 + diff --git a/queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch b/queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch new file mode 100644 index 00000000000..c03c4c11171 --- /dev/null +++ b/queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch 
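Review bot: Nothing in the new layout guards against the next collision: `I40E_FLAG_VF_VLAN_PRUNING` now follows the long TOTAL_PORT_SHUTDOWN comment as `BIT(28)`, away from the run of consecutive defines where a reader would look for the next free bit. A short comment on the new line, for example `/* highest PF flag bit in use; allocate new flags above it */`, would make the allocation order explicit. The type of the flags field is declared outside the hunk, so confirm it is wide enough for bit 28 and any later additions.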
@@ -0,0 +1,38 @@
+From 2c6341835c8dcdd57a157f2447f0db01c7b222d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 Oct 2023 14:27:14 -0700
+Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
+
+From: Ivan Vecera
+
+[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
+
+The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
+
+Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
+Signed-off-by: Ivan Vecera
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller
+Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 93485a6824365..b59fef9d7c4ad 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2854,7 +2854,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget)
+ return budget;
+ }
+
+- if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR)
++ if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR)
+ q_vector->arm_wb_state = false;
+
+ /* Exit the polling mode, but don't re-enable interrupts if stack might
+--
+2.42.0
+
diff --git a/queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch b/queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
new file mode 100644
index 00000000000..b6d88aa92ca
--- /dev/null
+++ b/queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
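Review bot: The new test reads `q_vector->tx.ring[0].flags` unconditionally, so it relies on every vector that reaches this point in i40e_napi_poll() having at least one Tx ring attached. The hunk does not show how `tx.ring` is declared or populated; if it is a pointer that can be NULL for a vector with only Rx rings, the read needs a guard such as `if (q_vector->tx.ring && (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR))`. The function starts and ends outside the hunk, so the invariant should be confirmed against the ring-mapping code before relying on it.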
@@ -0,0 +1,49 @@
+From 2e3dd3d45c67b0db46f0396f7c4bd52d7f3a8c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Oct 2023 11:32:13 -0700
+Subject: iavf: in iavf_down, disable queues when removing the driver
+
+From: Michal Schmidt
+
+[ Upstream commit 53798666648af3aa0dd512c2380576627237a800 ]
+
+In iavf_down, we're skipping the scheduling of certain operations if
+the driver is being removed. However, the IAVF_FLAG_AQ_DISABLE_QUEUES
+request must not be skipped in this case, because iavf_close waits
+for the transition to the __IAVF_DOWN state, which happens in
+iavf_virtchnl_completion after the queues are released.
+
+Without this fix, "rmmod iavf" takes half a second per interface that's
+up and prints the "Device resources not yet released" warning.
+
+Fixes: c8de44b577eb ("iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set")
+Signed-off-by: Michal Schmidt
+Reviewed-by: Wojciech Drewek
+Tested-by: Rafal Romanowski
+Tested-by: Jacob Keller
+Signed-off-by: Jacob Keller
+Link: https://lore.kernel.org/r/20231025183213.874283-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 14875cd85a8e3..13bfc9333a8c3 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1437,9 +1437,9 @@ void iavf_down(struct iavf_adapter *adapter)
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER;
+ if (!list_empty(&adapter->adv_rss_list_head))
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG;
+- adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+ }
+
++ adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0);
+ }
+
+--
+2.42.0
+
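Review bot: The reason `IAVF_FLAG_AQ_DISABLE_QUEUES` is now set outside the removal check in iavf_down() is recorded only in the commit message, so a later cleanup could move it back under the `if` and bring the slow unload back. A comment on the moved line would prevent that: `/* always requested, even during removal: iavf_close() waits for __IAVF_DOWN, reached only after the queues are released */`. The condition of the enclosing `if` is outside the hunk.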
diff --git a/queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch b/queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch
new file mode 100644
index 00000000000..ad409647810
--- /dev/null
+++ b/queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch
@@ -0,0 +1,55 @@ +From ce9da8719169cf4553583353126f37726a154df1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 09:13:46 +0200 +Subject: iavf: initialize waitqueues before starting watchdog_task + +From: Michal Schmidt + +[ Upstream commit 7db3111043885c146e795c199d39c3f9042d97c0 ] + +It is not safe to initialize the waitqueues after queueing the +watchdog_task. It will be using them. + +The chance of this causing a real problem is very small, because +there will be some sleeping before any of the waitqueues get used. +I got a crash only after inserting an artificial sleep in iavf_probe. + +Queue the watchdog_task as the last step in iavf_probe. Add a comment to +prevent repeating the mistake. + +Fixes: fe2647ab0c99 ("i40evf: prevent VF close returning before state transitions to DOWN") +Signed-off-by: Michal Schmidt +Reviewed-by: Paul Menzel +Reviewed-by: Przemek Kitszel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 8ea5c0825c3c4..14875cd85a8e3 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -4982,8 +4982,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + INIT_WORK(&adapter->finish_config, iavf_finish_config); + INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); +- queue_delayed_work(adapter->wq, &adapter->watchdog_task, +- msecs_to_jiffies(5 * (pdev->devfn & 0x07))); + + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); +@@ -4994,6 +4992,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating virtchannel 
events */ + init_waitqueue_head(&adapter->vc_waitqueue); + ++ queue_delayed_work(adapter->wq, &adapter->watchdog_task, ++ msecs_to_jiffies(5 * (pdev->devfn & 0x07))); ++ /* Initialization goes on in the work. Do not add more of it below. */ + return 0; + + err_ioremap: +-- +2.42.0 + diff --git a/queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch b/queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch new file mode 100644 index 00000000000..5b2b0c12cbf --- /dev/null +++ b/queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch 
@@ -0,0 +1,47 @@
+From 0c5c602061eb8b4f6e5f69c98351ad60167a04dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Oct 2023 13:40:35 -0700
+Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
+
+From: Mateusz Palczewski
+
+[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
+
+Add check for return of igb_update_ethtool_nfc_entry so that in case
+of any potential errors the memory alocated for input will be freed.
+
+Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
+Reviewed-by: Wojciech Drewek
+Signed-off-by: Mateusz Palczewski
+Tested-by: Arpana Arland (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index 319ed601eaa1e..4ee849985e2b8 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2978,11 +2978,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter,
+ if (err)
+ goto err_out_w_lock;
+
+- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ if (err)
++ goto err_out_input_filter;
+
+ spin_unlock(&adapter->nfc_lock);
+ return 0;
+
++err_out_input_filter:
++ igb_erase_filter(adapter, input);
+ err_out_w_lock:
+ spin_unlock(&adapter->nfc_lock);
+ err_out:
+--
+2.42.0
+
diff --git a/queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch b/queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch
new file mode 100644
index 00000000000..5807b1d19e8
--- /dev/null
+++ b/queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch
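Review bot: The new `err_out_input_filter` label calls `igb_erase_filter(adapter, input)` and then falls through to the older labels, so the cleanup is only correct if a failing `igb_update_ethtool_nfc_entry()` has not already linked `input` into the adapter's filter list. Neither that helper nor the code under `err_out:` is visible in the hunk; if `input` is freed there, as the commit message indicates, an entry left on the list would dangle. Once confirmed, a comment at the label such as `/* update failed: input was never linked into the nfc list, only the filter needs undoing */` would record the assumption.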
@@ -0,0 +1,86 @@ +From 73868dc2281cb618093659565c86d84c26904538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 13:36:41 -0700 +Subject: igc: Fix ambiguity in the ethtool advertising + +From: Sasha Neftin + +[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ] + +The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to +advertise 2500M speed support and TP (twisted pair) properly. Convert to +'ethtool_link_ksettings_test_link_mode' to advertise supported speed and +eliminate ambiguity. + +Fixes: 8c5ad0dae93c ("igc: Add ethtool support") +Suggested-by: Dima Ruinskiy +Suggested-by: Vitaly Lifshits +Signed-off-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Jacob Keller +Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------ + 1 file changed, 25 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c +index 7ab6dd58e4001..dd8a9d27a1670 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c ++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c +@@ -1817,7 +1817,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev, + struct igc_adapter *adapter = netdev_priv(netdev); + struct net_device *dev = adapter->netdev; + struct igc_hw *hw = &adapter->hw; +- u32 advertising; ++ u16 advertised = 0; + + /* When adapter in resetting mode, autoneg/speed/duplex + * cannot be changed +@@ -1842,18 +1842,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev, + while (test_and_set_bit(__IGC_RESETTING, &adapter->state)) + usleep_range(1000, 2000); + +- ethtool_convert_link_mode_to_legacy_u32(&advertising, +- cmd->link_modes.advertising); +- /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT. 
+- * We have to check this and convert it to ADVERTISE_2500_FULL +- * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly. +- */ +- if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full)) +- advertising |= ADVERTISE_2500_FULL; ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 2500baseT_Full)) ++ advertised |= ADVERTISE_2500_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 1000baseT_Full)) ++ advertised |= ADVERTISE_1000_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 100baseT_Full)) ++ advertised |= ADVERTISE_100_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 100baseT_Half)) ++ advertised |= ADVERTISE_100_HALF; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 10baseT_Full)) ++ advertised |= ADVERTISE_10_FULL; ++ ++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising, ++ 10baseT_Half)) ++ advertised |= ADVERTISE_10_HALF; + + if (cmd->base.autoneg == AUTONEG_ENABLE) { + hw->mac.autoneg = 1; +- hw->phy.autoneg_advertised = advertising; ++ hw->phy.autoneg_advertised = advertised; + if (adapter->fc_autoneg) + hw->fc.requested_mode = igc_fc_default; + } else { +-- +2.42.0 + diff --git a/queue-6.5/neighbour-fix-various-data-races.patch b/queue-6.5/neighbour-fix-various-data-races.patch new file mode 100644 index 00000000000..13ea1cfcbfe --- /dev/null +++ b/queue-6.5/neighbour-fix-various-data-races.patch 
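Review bot: With the explicit per-mode tests in igc_ethtool_set_link_ksettings(), any advertised link mode other than the six checked is silently dropped, and a request containing none of them leaves `advertised` at 0, which is then stored in `hw->phy.autoneg_advertised` when autoneg is enabled. The hunk shows no check for that case. If none exists later in the function, the empty set should be rejected with `-EINVAL`; because `__IGC_RESETTING` is already held at this point, that check has to run before the bit is taken or clear it on the error path. The rest of the function is outside the hunk, so existing validation should be confirmed first.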
@@ -0,0 +1,176 @@ +From 8fbf62904e406e112d817f8173caf187e60172a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 12:21:04 +0000 +Subject: neighbour: fix various data-races + +From: Eric Dumazet + +[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ] + +1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval + can be written from sysfs. + +2) tbl->last_flush is read locklessly from neigh_alloc() + +3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info() + +4) neightbl_fill_info() reads cpu stats that can be changed concurrently. + +Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 67 +++++++++++++++++++++++--------------------- + 1 file changed, 35 insertions(+), 32 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index f16ec0e8a0348..4a1d669b46f90 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -251,7 +251,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl) + + static int neigh_forced_gc(struct neigh_table *tbl) + { +- int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2; ++ int max_clean = atomic_read(&tbl->gc_entries) - ++ READ_ONCE(tbl->gc_thresh2); + unsigned long tref = jiffies - 5 * HZ; + struct neighbour *n, *tmp; + int shrunk = 0; +@@ -280,7 +281,7 @@ static int neigh_forced_gc(struct neigh_table *tbl) + } + } + +- tbl->last_flush = jiffies; ++ WRITE_ONCE(tbl->last_flush, jiffies); + + write_unlock_bh(&tbl->lock); + +@@ -464,17 +465,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, + { + struct neighbour *n = NULL; + unsigned long now = jiffies; +- int entries; ++ int entries, gc_thresh3; + + if (exempt_from_gc) + goto do_alloc; + + entries = 
atomic_inc_return(&tbl->gc_entries) - 1; +- if (entries >= tbl->gc_thresh3 || +- (entries >= tbl->gc_thresh2 && +- time_after(now, tbl->last_flush + 5 * HZ))) { +- if (!neigh_forced_gc(tbl) && +- entries >= tbl->gc_thresh3) { ++ gc_thresh3 = READ_ONCE(tbl->gc_thresh3); ++ if (entries >= gc_thresh3 || ++ (entries >= READ_ONCE(tbl->gc_thresh2) && ++ time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) { ++ if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) { + net_info_ratelimited("%s: neighbor table overflow!\n", + tbl->id); + NEIGH_CACHE_STAT_INC(tbl, table_fulls); +@@ -955,13 +956,14 @@ static void neigh_periodic_work(struct work_struct *work) + + if (time_after(jiffies, tbl->last_rand + 300 * HZ)) { + struct neigh_parms *p; +- tbl->last_rand = jiffies; ++ ++ WRITE_ONCE(tbl->last_rand, jiffies); + list_for_each_entry(p, &tbl->parms_list, list) + p->reachable_time = + neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME)); + } + +- if (atomic_read(&tbl->entries) < tbl->gc_thresh1) ++ if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1)) + goto out; + + for (i = 0 ; i < (1 << nht->hash_shift); i++) { +@@ -2167,15 +2169,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + ndtmsg->ndtm_pad2 = 0; + + if (nla_put_string(skb, NDTA_NAME, tbl->id) || +- nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) || +- nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) || +- nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) || +- nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3)) ++ nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval), ++ NDTA_PAD) || ++ nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) || ++ nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) || ++ nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3))) + goto nla_put_failure; + { + unsigned long now = jiffies; +- long flush_delta = now - tbl->last_flush; +- long rand_delta = now - tbl->last_rand; ++ long flush_delta = now - 
READ_ONCE(tbl->last_flush); ++ long rand_delta = now - READ_ONCE(tbl->last_rand); + struct neigh_hash_table *nht; + struct ndt_config ndc = { + .ndtc_key_len = tbl->key_len, +@@ -2183,7 +2186,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + .ndtc_entries = atomic_read(&tbl->entries), + .ndtc_last_flush = jiffies_to_msecs(flush_delta), + .ndtc_last_rand = jiffies_to_msecs(rand_delta), +- .ndtc_proxy_qlen = tbl->proxy_queue.qlen, ++ .ndtc_proxy_qlen = READ_ONCE(tbl->proxy_queue.qlen), + }; + + rcu_read_lock(); +@@ -2206,17 +2209,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl, + struct neigh_statistics *st; + + st = per_cpu_ptr(tbl->stats, cpu); +- ndst.ndts_allocs += st->allocs; +- ndst.ndts_destroys += st->destroys; +- ndst.ndts_hash_grows += st->hash_grows; +- ndst.ndts_res_failed += st->res_failed; +- ndst.ndts_lookups += st->lookups; +- ndst.ndts_hits += st->hits; +- ndst.ndts_rcv_probes_mcast += st->rcv_probes_mcast; +- ndst.ndts_rcv_probes_ucast += st->rcv_probes_ucast; +- ndst.ndts_periodic_gc_runs += st->periodic_gc_runs; +- ndst.ndts_forced_gc_runs += st->forced_gc_runs; +- ndst.ndts_table_fulls += st->table_fulls; ++ ndst.ndts_allocs += READ_ONCE(st->allocs); ++ ndst.ndts_destroys += READ_ONCE(st->destroys); ++ ndst.ndts_hash_grows += READ_ONCE(st->hash_grows); ++ ndst.ndts_res_failed += READ_ONCE(st->res_failed); ++ ndst.ndts_lookups += READ_ONCE(st->lookups); ++ ndst.ndts_hits += READ_ONCE(st->hits); ++ ndst.ndts_rcv_probes_mcast += READ_ONCE(st->rcv_probes_mcast); ++ ndst.ndts_rcv_probes_ucast += READ_ONCE(st->rcv_probes_ucast); ++ ndst.ndts_periodic_gc_runs += READ_ONCE(st->periodic_gc_runs); ++ ndst.ndts_forced_gc_runs += READ_ONCE(st->forced_gc_runs); ++ ndst.ndts_table_fulls += READ_ONCE(st->table_fulls); + } + + if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst, +@@ -2445,16 +2448,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, + goto errout_tbl_lock; + 
+ if (tb[NDTA_THRESH1]) +- tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]); ++ WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1])); + + if (tb[NDTA_THRESH2]) +- tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]); ++ WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2])); + + if (tb[NDTA_THRESH3]) +- tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]); ++ WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3])); + + if (tb[NDTA_GC_INTERVAL]) +- tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]); ++ WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL])); + + err = 0; + +-- +2.42.0 + diff --git a/queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch b/queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch new file mode 100644 index 00000000000..afe86560284 --- /dev/null +++ b/queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch 
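Review bot: In the neightbl_set() hunk the thresholds are stored straight from `nla_get_u32()` with no range check, while neigh_alloc() now reads `gc_thresh3` into a local `int` and compares it with `entries`. If the table fields are signed, as that local suggests, a value above INT_MAX becomes negative and `entries >= gc_thresh3` is always true, so every allocation takes the forced-GC path and can report a table overflow. The attribute policy is outside the hunk; if it does not already bound these attributes, clamp before the store, e.g. `WRITE_ONCE(tbl->gc_thresh3, min_t(u32, nla_get_u32(tb[NDTA_THRESH3]), INT_MAX));`, and likewise for `NDTA_THRESH1` and `NDTA_THRESH2`.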
@@ -0,0 +1,74 @@ +From e62d51cac4718aabe24c628b1f61f1ef5064f862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 11:24:57 +0000 +Subject: net: do not leave an empty skb in write queue + +From: Eric Dumazet + +[ Upstream commit 72bf4f1767f0386970dc04726dc5bc2e3991dc19 ] + +Under memory stress conditions, tcp_sendmsg_locked() +might call sk_stream_wait_memory(), thus releasing the socket lock. + +If a fresh skb has been allocated prior to this, +we should not leave it in the write queue otherwise +tcp_write_xmit() could panic. + +This apparently does not happen often, but a future change +in __sk_mem_raise_allocated() that Shakeel and others are +considering would increase chances of being hurt. + +Under discussion is to remove this controversial part: + + /* Fail only if socket is _under_ its sndbuf. + * In this case we cannot block, so that we have to fail. + */ + if (sk->sk_wmem_queued + size >= sk->sk_sndbuf) { + /* Force charge with __GFP_NOFAIL */ + if (memcg_charge && !charged) { + mem_cgroup_charge_skmem(sk->sk_memcg, amt, + gfp_memcg_charge() | __GFP_NOFAIL); + } + return 1; + } + +Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") +Signed-off-by: Eric Dumazet +Reviewed-by: Shakeel Butt +Link: https://lore.kernel.org/r/20231019112457.1190114-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 9bdc1b2eaf734..a0a87446f827c 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -925,10 +925,11 @@ int tcp_send_mss(struct sock *sk, int *size_goal, int flags) + return mss_now; + } + +-/* In some cases, both sendmsg() could have added an skb to the write queue, +- * but failed adding payload on it. We need to remove it to consume less ++/* In some cases, sendmsg() could have added an skb to the write queue, ++ * but failed adding payload on it. 
We need to remove it to consume less + * memory, but more importantly be able to generate EPOLLOUT for Edge Trigger +- * epoll() users. ++ * epoll() users. Another reason is that tcp_write_xmit() does not like ++ * finding an empty skb in the write queue. + */ + void tcp_remove_empty_skb(struct sock *sk) + { +@@ -1286,6 +1287,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size) + + wait_for_space: + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); ++ tcp_remove_empty_skb(sk); + if (copied) + tcp_push(sk, flags & ~MSG_MORE, mss_now, + TCP_NAGLE_PUSH, size_goal); +-- +2.42.0 + diff --git a/queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch b/queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch new file mode 100644 index 00000000000..97d4049a8c1 --- /dev/null +++ b/queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch 
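Review bot: The new `tcp_remove_empty_skb(sk)` call at `wait_for_space` can remove the skb that tcp_sendmsg_locked() had just queued, so any local pointer to that skb must not be used after this label. The code that follows the wait is outside the hunk; confirm that it re-reads the write-queue tail rather than reusing the old pointer. A comment on the new line, `/* drop a payload-less skb before sk_stream_wait_memory() can release the socket lock */`, would tie the call to the reason given in the commit message.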
@@ -0,0 +1,38 @@
+From 9cdb285d676d628cfe803ae19d5f024c6d70b45f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 09:20:53 +0300
+Subject: net: ethernet: adi: adin1110: Fix uninitialized variable
+
+From: Dell Jin
+
+[ Upstream commit 965f9b8c0c1b37fa2a0e3ef56e40d5666d4cbb5c ]
+
+The spi_transfer struct has to have all it's fields initialized to 0 in
+this case, since not all of them are set before starting the transfer.
+Otherwise, spi_sync_transfer() will sometimes return an error.
+
+Fixes: a526a3cc9c8d ("net: ethernet: adi: adin1110: Fix SPI transfers")
+Signed-off-by: Dell Jin
+Signed-off-by: Ciprian Regus
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/adi/adin1110.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index ca66b747b7c5d..d7c274af6d4da 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -294,7 +294,7 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv)
+ {
+ struct adin1110_priv *priv = port_priv->priv;
+ u32 header_len = ADIN1110_RD_HEADER_LEN;
+- struct spi_transfer t;
++ struct spi_transfer t = {0};
+ u32 frame_size_no_fcs;
+ struct sk_buff *rxb;
+ u32 frame_size;
+--
+2.42.0
+
diff --git a/queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch b/queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
new file mode 100644
index 00000000000..c055afb8aff
--- /dev/null
+++ b/queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
@@ -0,0 +1,93 @@ +From 2c307fd167276a5b7ca5df018f7e2dd808f9e723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 14:58:47 +0200 +Subject: net/handshake: fix file ref count in handshake_nl_accept_doit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Moritz Wanzenböck + +[ Upstream commit 7798b59409c345d4a6034a4326bceb9f7e2e8b58 ] + +If req->hr_proto->hp_accept() fail, we call fput() twice: +Once in the error path, but also a second time because sock->file +is at that point already associated with the file descriptor. Once +the task exits, as it would probably do after receiving an error +reading from netlink, the fd is closed, calling fput() a second time. + +To fix, we move installing the file after the error path for the +hp_accept() call. In the case of errors we simply put the unused fd. +In case of success we can use fd_install() to link the sock->file +to the reserved fd. + +Fixes: 7ea9c1ec66bc ("net/handshake: Fix handshake_dup() ref counting") +Signed-off-by: Moritz Wanzenböck +Reviewed-by: Chuck Lever +Link: https://lore.kernel.org/r/20231019125847.276443-1-moritz.wanzenboeck@linbit.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/handshake/netlink.c | 30 +++++------------------------- + 1 file changed, 5 insertions(+), 25 deletions(-) + +diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c +index d0bc1dd8e65a8..80c7302692c74 100644 +--- a/net/handshake/netlink.c ++++ b/net/handshake/netlink.c +@@ -87,29 +87,6 @@ struct nlmsghdr *handshake_genl_put(struct sk_buff *msg, + } + EXPORT_SYMBOL(handshake_genl_put); + +-/* +- * dup() a kernel socket for use as a user space file descriptor +- * in the current process. The kernel socket must have an +- * instatiated struct file. 
+- * +- * Implicit argument: "current()" +- */ +-static int handshake_dup(struct socket *sock) +-{ +- struct file *file; +- int newfd; +- +- file = get_file(sock->file); +- newfd = get_unused_fd_flags(O_CLOEXEC); +- if (newfd < 0) { +- fput(file); +- return newfd; +- } +- +- fd_install(newfd, file); +- return newfd; +-} +- + int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = sock_net(skb->sk); +@@ -133,17 +110,20 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info) + goto out_status; + + sock = req->hr_sk->sk_socket; +- fd = handshake_dup(sock); ++ fd = get_unused_fd_flags(O_CLOEXEC); + if (fd < 0) { + err = fd; + goto out_complete; + } ++ + err = req->hr_proto->hp_accept(req, info, fd); + if (err) { +- fput(sock->file); ++ put_unused_fd(fd); + goto out_complete; + } + ++ fd_install(fd, get_file(sock->file)); ++ + trace_handshake_cmd_accept(net, req, req->hr_sk, fd); + return 0; + +-- +2.42.0 + diff --git a/queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch b/queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch new file mode 100644 index 00000000000..0823f177293 --- /dev/null +++ b/queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch 
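Review bot: `hp_accept()` is now called with a descriptor number that has been reserved but not yet installed, and `fd_install()` runs only after it returns. What `hp_accept()` does with `fd` is outside the hunk; if it places the number in a netlink reply, another thread of the same process could see the number before the descriptor is usable, which looks benign (operations on it fail until the install) but should be stated. A comment above the install, e.g. `/* publish last: fd_install() cannot be undone, so every failure path must stay above this line */`, would document why the order matters and keep later error handling from being added below it.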
@@ -0,0 +1,47 @@
+From 84dbcbccb3f51734794f4a4eb1c83c825ec23da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 21 Oct 2023 20:03:53 +0200
+Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in
+ adf7242_stats_show()
+
+From: Christophe JAILLET
+
+[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ]
+
+strncat() usage in adf7242_debugfs_init() is wrong.
+The size given to strncat() is the maximum number of bytes that can be
+written, excluding the trailing NULL.
+
+Here, the size that is passed, DNAME_INLINE_LEN, does not take into account
+the size of "adf7242-" that is already in the array.
+
+In order to fix it, use snprintf() instead.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ieee802154/adf7242.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index a03490ba2e5b3..cc7ddc40020fd 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset)
+
+ static void adf7242_debugfs_init(struct adf7242_local *lp)
+ {
+- char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-";
++ char debugfs_dir_name[DNAME_INLINE_LEN + 1];
+
+- strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN);
++ snprintf(debugfs_dir_name, sizeof(debugfs_dir_name),
++ "adf7242-%s", dev_name(&lp->spi->dev));
+
+ lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL);
+
+--
+2.42.0
+
diff --git a/queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch b/queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch
new file mode 100644
index 00000000000..1ed2ce7791b
--- /dev/null
+++ b/queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch
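Review bot: The `snprintf()` result in adf7242_debugfs_init() is ignored, so a device name that does not fit is truncated without any indication and the debugfs directory is created under the shortened name. That is memory-safe, which is the purpose of the fix, but two devices whose names share the leading bytes could then map to the same directory name. If that can happen for this driver, compare the return value with `sizeof(debugfs_dir_name)` and log the truncation.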
@@ -0,0 +1,52 @@
+From 1eff7a5d1b589c39d98a3c21eb5d3bcd0f28dcdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 24 Oct 2023 21:58:57 +0200
+Subject: net/sched: act_ct: additional checks for outdated flows
+
+From: Vlad Buslov
+
+[ Upstream commit a63b6622120cd03a304796dbccb80655b3a21798 ]
+
+Current nf_flow_is_outdated() implementation considers any flow table flow
+which state diverged from its underlying CT connection status for teardown
+which can be problematic in the following cases:
+
+- Flow has never been offloaded to hardware in the first place either
+because flow table has hardware offload disabled (flag
+NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add'
+workqueue to be offloaded for the first time. The former is incorrect, the
+later generates excessive deletions and additions of flows.
+
+- Flow is already pending to be updated on the workqueue. Tearing down such
+flows will also generate excessive removals from the flow table, especially
+on highly loaded system where the latency to re-offload a flow via 'add'
+workqueue can be quite high.
+
+When considering a flow for teardown as outdated verify that it is both
+offloaded to hardware and doesn't have any pending updates.
+
+Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
+Reviewed-by: Paul Blakey
+Signed-off-by: Vlad Buslov
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_ct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 2b5ef83e44243..ad7c955453782 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -281,6 +281,8 @@ static int tcf_ct_flow_table_fill_actions(struct net *net,
+ static bool tcf_ct_flow_is_outdated(const struct flow_offload *flow)
+ {
+ return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) &&
++ test_bit(IPS_HW_OFFLOAD_BIT, &flow->ct->status) &&
++ !test_bit(NF_FLOW_HW_PENDING, &flow->flags) &&
+ !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);
+ }
+
+--
+2.42.0
+
diff --git a/queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch b/queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
new file mode 100644
index 00000000000..392e10aa6ae
--- /dev/null
+++ b/queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
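Review bot: `tcf_ct_flow_is_outdated()` now chains four bit tests over two different words (`flow->ct->status` and `flow->flags`) with no comment saying which state they describe together. The reasoning for the two added tests exists only in the commit message. A short comment above the function would keep it with the code, for example `/* A flow counts as outdated only if it is offloaded to hardware and has no update pending on the workqueue. */`.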
@@ -0,0 +1,103 @@ +From 38a6770cd7aff449253eefd648a6c4107c6d0cbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 02:03:44 +0900 +Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg + +From: Shigeru Yoshida + +[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ] + +syzbot reported the following uninit-value access issue [1]: + +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32 +smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD +===================================================== +BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750 + usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207 + usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238 + usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293 + really_probe+0x506/0xf40 drivers/base/dd.c:658 + __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 + driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 + __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 + bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 + __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 + device_initial_probe+0x32/0x40 
drivers/base/dd.c:1079 + bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 + device_add+0x16ae/0x1f20 drivers/base/core.c:3622 + usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589 + hub_port_connect drivers/usb/core/hub.c:5440 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5580 [inline] + port_event drivers/usb/core/hub.c:5740 [inline] + hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703 + worker_thread+0xf45/0x1490 kernel/workqueue.c:2784 + kthread+0x3e8/0x540 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Local variable buf.i225 created at: + smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline] + smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892 + smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 + +CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Workqueue: usb_hub_wq hub_event +===================================================== + +Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in +__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads +less bytes than requested (zero byte in the reproducer). In this case, +'buf' is not properly filled. + +This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads +less bytes than requested. + +sysbot reported similar uninit-value access issue [2]. The root cause is +the same as mentioned above, and this patch addresses it as well. 
+ +Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") +Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1] +Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2] +Signed-off-by: Shigeru Yoshida +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 17da42fe605c3..a530f20ee2575 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -95,7 +95,9 @@ static int __must_check smsc95xx_read_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (ret < 0) { ++ if (ret < 4) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + if (ret != -ENODEV) + netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", + index, ret); +-- +2.42.0 + diff --git a/queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch b/queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch new file mode 100644 index 00000000000..f4954d82c2c --- /dev/null +++ b/queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch 
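Review bot: The new check `if (ret < 4)` in `smsc95xx_read_reg()` repeats the literal transfer length passed to `fn()` just above it, and the warning that follows prints `-ENODATA` without the number of bytes that actually arrived. Tying the check to the buffer, `if (ret < (int)sizeof(buf))`, keeps the two from drifting apart. The cast matters, because comparing a negative `ret` with an unsigned `sizeof` would turn error returns into apparent successes. `buf` is declared outside the hunk, so its 4-byte width is assumed here, and the function body starts and ends outside the hunk.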
@@ -0,0 +1,103 @@ +From e141d5c920143223efc185ce29ea2f3e9ac4035b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 21:09:47 +0200 +Subject: netfilter: flowtable: GC pushes back packets to classic path + +From: Pablo Neira Ayuso + +[ Upstream commit 735795f68b37e9bb49f642407a0d49b1631ea1c7 ] + +Since 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded +unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY +back to classic path in every run, ie. every second. This is because of +a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct. + +In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on +and IPS_SEEN_REPLY is unreliable since users decide when to offload the +flow before, such bit might be set on at a later stage. + +Fix it by adding a custom .gc handler that sched/act_ct can use to +deal with its NF_FLOW_HW_ESTABLISHED bit. + +Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple") +Reported-by: Vladimir Smelhaus +Reviewed-by: Paul Blakey +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_flow_table.h | 1 + + net/netfilter/nf_flow_table_core.c | 14 +++++++------- + net/sched/act_ct.c | 7 +++++++ + 3 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index d466e1a3b0b19..fe1507c1db828 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -53,6 +53,7 @@ struct nf_flowtable_type { + struct list_head list; + int family; + int (*init)(struct nf_flowtable *ft); ++ bool (*gc)(const struct flow_offload *flow); + int (*setup)(struct nf_flowtable *ft, + struct net_device *dev, + enum flow_block_command cmd); +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 1d34d700bd09b..920a5a29ae1dc 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ 
b/net/netfilter/nf_flow_table_core.c +@@ -316,12 +316,6 @@ void flow_offload_refresh(struct nf_flowtable *flow_table, + } + EXPORT_SYMBOL_GPL(flow_offload_refresh); + +-static bool nf_flow_is_outdated(const struct flow_offload *flow) +-{ +- return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) && +- !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags); +-} +- + static inline bool nf_flow_has_expired(const struct flow_offload *flow) + { + return nf_flow_timeout_delta(flow->timeout) <= 0; +@@ -407,12 +401,18 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table, + return err; + } + ++static bool nf_flow_custom_gc(struct nf_flowtable *flow_table, ++ const struct flow_offload *flow) ++{ ++ return flow_table->type->gc && flow_table->type->gc(flow); ++} ++ + static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, + struct flow_offload *flow, void *data) + { + if (nf_flow_has_expired(flow) || + nf_ct_is_dying(flow->ct) || +- nf_flow_is_outdated(flow)) ++ nf_flow_custom_gc(flow_table, flow)) + flow_offload_teardown(flow); + + if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) { +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index abc71a06d634a..2b5ef83e44243 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -278,7 +278,14 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, + return err; + } + ++static bool tcf_ct_flow_is_outdated(const struct flow_offload *flow) ++{ ++ return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) && ++ !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags); ++} ++ + static struct nf_flowtable_type flowtable_ct = { ++ .gc = tcf_ct_flow_is_outdated, + .action = tcf_ct_flow_table_fill_actions, + .owner = THIS_MODULE, + }; +-- +2.42.0 + diff --git a/queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch b/queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch new file mode 100644 index 00000000000..77c4e49616a --- /dev/null 
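Review bot: The new `gc` member of `struct nf_flowtable_type` has no comment describing its contract, although `nf_flow_custom_gc()` depends on two facts about it. The pointer may be NULL, and a `true` return leads to `flow_offload_teardown()` in `nf_flow_offload_gc_step()`. A one-line comment at the member would record that, for example `/* optional; return true to have the GC step tear the flow down */`. Only `flowtable_ct` sets the callback in this patch, so every other flowtable type relies on the NULL check.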
+++ b/queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
@@ -0,0 +1,37 @@
+From 9f5132a0fef378399d984a91e8bbe4ec8f64b07d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 14:06:54 -0700
+Subject: r8152: Cancel hw_phy_work if we have an error in probe
+
+From: Douglas Anderson
+
+[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ]
+
+The error handling in rtl8152_probe() is missing a call to cancel the
+hw_phy_work. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue")
+Signed-off-by: Douglas Anderson
+Reviewed-by: Grant Grundler
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 86fbad8c2264c..a894f267d375d 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9802,6 +9802,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+--
+2.42.0
+
diff --git a/queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch b/queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
new file mode 100644
index 00000000000..f0ee9ac28f4
--- /dev/null
+++ b/queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
@@ -0,0 +1,77 @@ +From d7a0fde276f8f1c7755a973491fdf804805f1122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:52 -0700 +Subject: r8152: Increase USB control msg timeout to 5000ms as per spec + +From: Douglas Anderson + +[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ] + +According to the comment next to USB_CTRL_GET_TIMEOUT and +USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is +usually quite fast, the spec allows them to take up to 5 seconds. +Let's increase the timeout in the Realtek driver from 500ms to 5000ms +(using the #defines) to account for this. + +This is not just a theoretical change. The need for the longer timeout +was seen in testing. Specifically, if you drop a sc7180-trogdor based +Chromebook into the kdb debugger and then "go" again after sitting in +the debugger for a while, the next USB control message takes a long +time. Out of ~40 tests the slowest USB control message was 4.5 +seconds. + +While dropping into kdb is not exactly an end-user scenario, the above +is similar to what could happen due to an temporary interrupt storm, +what could happen if there was a host controller (HW or SW) issue, or +what could happen if the Realtek device got into a confused state and +needed time to recover. + +This change is fairly critical since the r8152 driver in Linux doesn't +expect register reads/writes (which are backed by USB control +messages) to fail. + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Suggested-by: Hayes Wang +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index e88bedca8f32f..bf83ce5317cea 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1212,7 +1212,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in, + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_GET_TIMEOUT); + if (ret < 0) + memset(data, 0xff, size); + else +@@ -1235,7 +1235,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + + ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out, + RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE, +- value, index, tmp, size, 500); ++ value, index, tmp, size, USB_CTRL_SET_TIMEOUT); + + kfree(tmp); + +@@ -9512,7 +9512,8 @@ static u8 __rtl_get_hw_ver(struct usb_device *udev) + + ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, +- PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500); ++ PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), ++ USB_CTRL_GET_TIMEOUT); + if (ret > 0) + ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK; + +-- +2.42.0 + diff --git a/queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch b/queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch new file mode 100644 index 00000000000..464f26aa001 --- /dev/null +++ b/queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch 
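Review bot: With the timeout raised to `USB_CTRL_GET_TIMEOUT`, the read paths still treat a short transfer as success: `get_registers()` checks only `ret < 0`, and `__rtl_get_hw_ver()` decodes `*tmp` whenever `ret > 0`. A device that answers with fewer bytes than requested would leave part of `tmp` holding whatever the allocation contained; the allocation is outside the hunks, so this is inferred. That is the same condition the smsc95xx patch in this queue closes by returning `-ENODATA`. In `__rtl_get_hw_ver()` the test could be `if (ret == sizeof(*tmp))`. All three function bodies extend beyond their hunks.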
@@ -0,0 +1,37 @@
+From 73a15d73014065f2c34eb2b1e3c79e423c798cdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 14:06:55 -0700
+Subject: r8152: Release firmware if we have an error in probe
+
+From: Douglas Anderson
+
+[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ]
+
+The error handling in rtl8152_probe() is missing a call to release
+firmware. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153")
+Signed-off-by: Douglas Anderson
+Reviewed-by: Grant Grundler
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index a894f267d375d..14497e5558bf9 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9805,6 +9805,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
++ rtl8152_release_firmware(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
diff --git a/queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch b/queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch
new file mode 100644
index 00000000000..4c8070bce22
--- /dev/null
+++ b/queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch
@@ -0,0 +1,38 @@
+From c8439599d45089a16d9f8d32f1f5cd3b6863ad6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 14:06:53 -0700
+Subject: r8152: Run the unload routine if we have errors during probe
+
+From: Douglas Anderson
+
+[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ]
+
+The rtl8152_probe() function lacks a call to the chip-specific
+unload() routine when it sees an error in probe. Add it in to match
+the cleanup code in rtl8152_disconnect().
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Signed-off-by: Douglas Anderson
+Reviewed-by: Grant Grundler
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index bf83ce5317cea..86fbad8c2264c 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9802,6 +9802,8 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ if (tp->rtl_ops.unload)
++ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
new file mode 100644
index 00000000000..bcf3e4d20be
--- /dev/null
+++ b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
@@ -0,0 +1,105 @@ +From 4ec497e12fc582311dfcfd3aad9ae25811210207 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:38 +0200 +Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading + desc->opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ] + +KCSAN reported the following data-race bug: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 + +race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x80003fff -> 0x3402805f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 
+================================================================== + +drivers/net/ethernet/realtek/r8169_main.c: +========================================== + 4429 + → 4430 status = le32_to_cpu(desc->opts1); + 4431 if (status & DescOwn) + 4432 break; + 4433 + 4434 /* This barrier is needed to keep us from reading + 4435 * any other fields out of the Rx descriptor until + 4436 * we know the status of DescOwn + 4437 */ + 4438 dma_rmb(); + 4439 + 4440 if (unlikely(status & RxRES)) { + 4441 if (net_ratelimit()) + 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n", + +Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to +desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from +happening: + + 4429 + → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1)); + 4431 if (status & DescOwn) + 4432 break; + 4433 + +As the consequence of this fix, this KCSAN warning was eliminated. + +Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private") +Suggested-by: Marco Elver +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 7e14a1d958c8e..361b90007148b 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4427,7 +4427,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, int budget + dma_addr_t addr; + u32 status; + +- status = le32_to_cpu(desc->opts1); ++ status = le32_to_cpu(READ_ONCE(desc->opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch new file mode 100644 index 00000000000..5933003d6c3 --- /dev/null +++ b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch 
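Review bot: The `READ_ONCE()` added around `desc->opts1` in `rtl_rx()` has no comment, so the reason the load is marked is visible only in the commit message. A line above it would keep the intent with the code: `/* opts1 can be written concurrently; READ_ONCE() prevents a torn load */`. The same applies to the `READ_ONCE(tp->cur_tx)` added in the `rtl_tx()` patch that follows, where the existing comment block explains the doorbell workaround but not the marked read. Both function bodies start and end outside their hunks.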
@@ -0,0 +1,175 @@ +From 21bd7d34226ffd8b7f143efb71e18e698cbc6b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:34 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx() while reading + tp->cur_tx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169] + +write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29: +rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169 +dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560) +sch_direct_xmit (net/sched/sch_generic.c:342) +__dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306) +ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233) +__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293) +ip_finish_output (net/ipv4/ip_output.c:328) +ip_output (net/ipv4/ip_output.c:435) +ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486) +udp_send_skb (net/ipv4/udp.c:963) +udp_sendmsg (net/ipv4/udp.c:1246) +inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4)) +sock_sendmsg (net/socket.c:730 net/socket.c:753) +__sys_sendto (net/socket.c:2177) +__x64_sys_sendto (net/socket.c:2185) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action 
(net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) +asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0x002f4815 -> 0x002f4816 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 +================================================================== + +The write side of drivers/net/ethernet/realtek/r8169_main.c is: +================== + 4251 /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */ + 4252 smp_wmb(); + 4253 + → 4254 WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1); + 4255 + 4256 stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp), + 4257 R8169_TX_STOP_THRS, + 4258 R8169_TX_START_THRS); + +The read side is the function rtl_tx(): + + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 
rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + → 4397 if (tp->cur_tx != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the +line 4363: + + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + +but the same solution is required for protecting the other access to tp->cur_tx: + + → 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + +The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397 +might have suffered read tearing under some compiler optimisations. + +The fix eliminated the KCSAN data-race report for this bug. + +It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363 +and line 4397. This test should certainly not be cached by the compiler in some register +for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line +4254 in the meantime. + +Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings") +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. 
Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 6351a2dc13bce..281aaa8518472 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4394,7 +4394,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + * If skb is NULL then we come here again once a tx irq is + * triggered after the last fragment is marked transmitted. + */ +- if (tp->cur_tx != dirty_tx && skb) ++ if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + rtl8169_doorbell(tp); + } + } +-- +2.42.0 + diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985 b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985 new file mode 100644 index 00000000000..62565b847a5 --- /dev/null +++ b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985 
@@ -0,0 +1,136 @@ +From 7b075c9b3a126c8497c28f47eed506f927c5ac00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 21:34:36 +0200 +Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading + TxDescArray[entry].opts1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Goran Todorovac + +[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ] + +KCSAN reported the following data-race: + +================================================================== +BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 + +race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21: +rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 +__napi_poll (net/core/dev.c:6527) +net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) +__do_softirq (kernel/softirq.c:553) +__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) +irq_exit_rcu (kernel/softirq.c:647) +sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) +asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) +cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) +cpuidle_enter (drivers/cpuidle/cpuidle.c:390) +call_cpuidle (kernel/sched/idle.c:135) +do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) +cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) +start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) +secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) + +value changed: 0xb0000042 -> 0x00000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 +Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 
+================================================================== + +The read side is in + +drivers/net/ethernet/realtek/r8169_main.c +========================================= + 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + 4356 int budget) + 4357 { + 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; + 4359 struct sk_buff *skb; + 4360 + 4361 dirty_tx = tp->dirty_tx; + 4362 + 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { + 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; + 4365 u32 status; + 4366 + → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); + 4368 if (status & DescOwn) + 4369 break; + 4370 + 4371 skb = tp->tx_skb[entry].skb; + 4372 rtl8169_unmap_tx_skb(tp, entry); + 4373 + 4374 if (skb) { + 4375 pkts_compl++; + 4376 bytes_compl += skb->len; + 4377 napi_consume_skb(skb, budget); + 4378 } + 4379 dirty_tx++; + 4380 } + 4381 + 4382 if (tp->dirty_tx != dirty_tx) { + 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); + 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); + 4385 + 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, + 4387 rtl_tx_slots_avail(tp), + 4388 R8169_TX_START_THRS); + 4389 /* + 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are + 4391 * too close. Let's kick an extra TxPoll request when a burst + 4392 * of start_xmit activity is detected (if it is not detected, + 4393 * it is slow enough). -- FR + 4394 * If skb is NULL then we come here again once a tx irq is + 4395 * triggered after the last fragment is marked transmitted. + 4396 */ + 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) + 4398 rtl8169_doorbell(tp); + 4399 } + 4400 } + +tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes +this KCSAN warning. + + 4366 + → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + 4368 if (status & DescOwn) + 4369 break; + 4370 + +Cc: Heiner Kallweit +Cc: nic_swsd@realtek.com +Cc: "David S. 
Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Marco Elver +Cc: netdev@vger.kernel.org +Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ +Signed-off-by: Mirsad Goran Todorovac +Acked-by: Marco Elver +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 281aaa8518472..7e14a1d958c8e 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4364,7 +4364,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, + unsigned int entry = dirty_tx % NUM_TX_DESC; + u32 status; + +- status = le32_to_cpu(tp->TxDescArray[entry].opts1); ++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); + if (status & DescOwn) + break; + +-- +2.42.0 + diff --git a/queue-6.5/series b/queue-6.5/series index c065f256ecf..c722f1a1621 100644 --- a/queue-6.5/series +++ b/queue-6.5/series 
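Review bot: The `READ_ONCE()` added around `tp->TxDescArray[entry].opts1` in rtl_tx() has no comment naming the concurrent writer, and the KCSAN report quoted in the description only says "race at unknown origin", with the value changing from 0xb0000042 to 0x00000000. If, as that suggests, the word is cleared by the NIC when it hands the descriptor back, a one-line comment such as `/* opts1 is written back by the NIC; take one snapshot before testing DescOwn */` would record why the marker is there. READ_ONCE() constrains only the compiler for this single load, so the comment should not imply any ordering against the later `tp->tx_skb[entry].skb` read. The body of rtl_tx() extends beyond the inner hunk.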
@@ -40,3 +40,42 @@ accel-ivpu-don-t-enter-d0i3-during-flr.patch
 drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
 drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
 drm-dp_mst-fix-null-deref-in-get_mst_branch_device_by_guid_helper.patch
+btrfs-remove-v0-extent-handling.patch
+btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
+arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
+arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
+firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
+clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch
+clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch
+arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985
+r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
+iavf-initialize-waitqueues-before-starting-watchdog_.patch
+i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
+treewide-spelling-fix-in-comment.patch
+igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
+net-do-not-leave-an-empty-skb-in-write-queue.patch
+neighbour-fix-various-data-races.patch
+igc-fix-ambiguity-in-the-ethtool-advertising.patch
+net-ethernet-adi-adin1110-fix-uninitialized-variable.patch
+net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
+net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
+r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
+r8152-run-the-unload-routine-if-we-have-errors-durin.patch
+r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
+r8152-release-firmware-if-we-have-an-error-in-probe.patch
+tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
+wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
+wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
+wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
+net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
+gtp-uapi-fix-gtpa_max.patch
+gtp-fix-fragmentation-needed-check-with-gso.patch
+drm-i915-perf-determine-context-valid-in-oa-reports.patch
+i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
+netfilter-flowtable-gc-pushes-back-packets-to-classi.patch
+net-sched-act_ct-additional-checks-for-outdated-flow.patch
+drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
+drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch
+iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
diff --git a/queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch b/queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
new file mode 100644
index 00000000000..7835ea68a3d
--- /dev/null
+++ b/queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
@@ -0,0 +1,96 @@ +From 58a14745efbc88dcf599a39d1c2ceaa279c4a180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Oct 2023 08:19:47 +0800 +Subject: tcp: fix wrong RTO timeout when received SACK reneging + +From: Fred Chen + +[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ] + +This commit fix wrong RTO timeout when received SACK reneging. + +When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging() +will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future. + +But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when +CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer() +is moved after tcp_fastretrans_alert()(which do the SACK reneging check), +so the RTO timeout will be overwrited by tcp_set_xmit_timer() with +icsk_rto instead of 1/2*srtt. + +Here is a packetdrill script to check this bug: +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++0 bind(3, ..., ...) = 0 ++0 listen(3, 1) = 0 + +// simulate srtt to 100ms ++0 < S 0:0(0) win 32792 ++0 > S. 0:0(0) ack 1 ++.1 < . 1:1(0) ack 1 win 1024 + ++0 accept(3, ..., ...) = 4 + ++0 write(4, ..., 10000) = 10000 ++0 > P. 1:10001(10000) ack 1 + +// inject sack ++.1 < . 1:1(0) ack 1 win 257 ++0 > . 1:1001(1000) ack 1 + +// inject sack reneging ++.1 < . 1:1(0) ack 1001 win 257 + +// we expect rto fired in 1/2*srtt (50ms) ++.05 > . 1001:2001(1000) ack 1 + +This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when +tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid +being overwrited later. + +Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN") +Signed-off-by: Fred Chen +Reviewed-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index a5781f86ac375..7d544f965b264 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2202,16 +2202,17 @@ void tcp_enter_loss(struct sock *sk) + * restore sanity to the SACK scoreboard. If the apparent reneging + * persists until this RTO then we'll clear the SACK scoreboard. + */ +-static bool tcp_check_sack_reneging(struct sock *sk, int flag) ++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag) + { +- if (flag & FLAG_SACK_RENEGING && +- flag & FLAG_SND_UNA_ADVANCED) { ++ if (*ack_flag & FLAG_SACK_RENEGING && ++ *ack_flag & FLAG_SND_UNA_ADVANCED) { + struct tcp_sock *tp = tcp_sk(sk); + unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4), + msecs_to_jiffies(10)); + + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, + delay, TCP_RTO_MAX); ++ *ack_flag &= ~FLAG_SET_XMIT_TIMER; + return true; + } + return false; +@@ -2981,7 +2982,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + tp->prior_ssthresh = 0; + + /* B. In all the states check for reneging SACKs. */ +- if (tcp_check_sack_reneging(sk, flag)) ++ if (tcp_check_sack_reneging(sk, ack_flag)) + return; + + /* C. Check consistency of the current state. */ +-- +2.42.0 + diff --git a/queue-6.5/treewide-spelling-fix-in-comment.patch b/queue-6.5/treewide-spelling-fix-in-comment.patch new file mode 100644 index 00000000000..2ec00d7106f --- /dev/null +++ b/queue-6.5/treewide-spelling-fix-in-comment.patch 
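Review bot: tcp_check_sack_reneging() now writes through its `int *ack_flag` argument, but the block comment above it, of which the first inner hunk shows only the last lines, still reads as if the function were a pure check. I would add a sentence there, for example `Clears FLAG_SET_XMIT_TIMER in *ack_flag so the caller does not re-arm the RTO over the short timer set here.` The description also says the timer is rearmed for min(1/2*srtt, 10ms), while the code shown takes `max(usecs_to_jiffies(tp->srtt_us >> 4), msecs_to_jiffies(10))`; the wording should follow the code. In the second inner hunk the call passes `ack_flag` as is, which presumably is already an `int *` parameter of tcp_fastretrans_alert(); its signature is cut off in the hunk header.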
@@ -0,0 +1,36 @@
+From b76acb567ec191b728bbfd9c76c1da76835f7e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 17:31:56 +0800
+Subject: treewide: Spelling fix in comment
+
+From: Kunwu Chan
+
+[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
+
+reques -> request
+
+Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
+Signed-off-by: Kunwu Chan
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+index dc14a66583ff3..44488c153ea25 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev,
+ key_index = wl->current_key;
+
+ if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) {
+- /* reques to change default key index */
++ /* request to change default key index */
+ pr_debug("%s: request to change default key to %d\n",
+ __func__, key_index);
+ wl->current_key = key_index;
+--
+2.42.0
+
diff --git a/queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch b/queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
new file mode 100644
index 00000000000..49c007a3dad
--- /dev/null
+++ b/queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
@@ -0,0 +1,43 @@
+From 2c52a4c1f2361185c5da60ad515fb7149126bd4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Oct 2023 11:42:51 +0200
+Subject: wifi: cfg80211: fix assoc response warning on failed links
+
+From: Johannes Berg
+
+[ Upstream commit c434b2be2d80d236bb090fdb493d4bd5ed589238 ]
+
+The warning here shouldn't be done before we even set the
+bss field (or should've used the input data). Move the
+assignment before the warning to fix it.
+
+We noticed this now because of Wen's bugfix, where the bug
+fixed there had previously hidden this other bug.
+
+Fixes: 53ad07e9823b ("wifi: cfg80211: support reporting failed links")
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
+index 3e2c398abddcc..55a1d3633853f 100644
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -43,10 +43,11 @@ void cfg80211_rx_assoc_resp(struct net_device *dev,
+
+ for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
+ cr.links[link_id].status = data->links[link_id].status;
++ cr.links[link_id].bss = data->links[link_id].bss;
++
+ WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS &&
+ (!cr.ap_mld_addr || !cr.links[link_id].bss));
+
+- cr.links[link_id].bss = data->links[link_id].bss;
+ if (!cr.links[link_id].bss)
+ continue;
+ cr.links[link_id].bssid = data->links[link_id].bss->bssid;
+--
+2.42.0
+
diff --git a/queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch b/queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
new file mode 100644
index 00000000000..4a2e8a4f522
--- /dev/null
+++ b/queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
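Review bot: The `WARN_ON_ONCE()` in cfg80211_rx_assoc_resp() now depends on `cr.links[link_id].bss` having been copied on the line before it, and nothing in the loop says so, which is the ordering mistake this change corrects. A short comment above the assignment, e.g. `/* copy bss first: the WARN below checks it for failed links */`, would keep a later reshuffle from reintroducing it. The condition encodes that a link whose status is not WLAN_STATUS_SUCCESS is expected to come with both `cr.ap_mld_addr` and a bss; on systems configured to treat warnings as fatal that expectation matters, so it is worth stating in the comment as well. The loop and the function continue outside the inner hunk.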
@@ -0,0 +1,38 @@
+From e2733f864069d28f9e1d1fcc816b6c5218970a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 21 Oct 2023 08:48:27 -0700
+Subject: wifi: cfg80211: pass correct pointer to rdev_inform_bss()
+
+From: Ben Greear
+
+[ Upstream commit 3e3929ef889e650dd585dc0f4f7f18240688811a ]
+
+Confusing struct member names here resulted in passing
+the wrong pointer, causing crashes. Pass the correct one.
+
+Fixes: eb142608e2c4 ("wifi: cfg80211: use a struct for inform_single_bss data")
+Signed-off-by: Ben Greear
+Link: https://lore.kernel.org/r/20231021154827.1142734-1-greearb@candelatech.com
+[rewrite commit message, add fixes]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 939deecf0bbef..8210a6090ac16 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2125,7 +2125,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
+ if (!res)
+ goto drop;
+
+- rdev_inform_bss(rdev, &res->pub, ies, data->drv_data);
++ rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data);
+
+ if (data->bss_source == BSS_SOURCE_MBSSID) {
+ /* this is a nontransmitting bss, we need to add it to
+--
+2.42.0
+
diff --git a/queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch b/queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
new file mode 100644
index 00000000000..b466ddc2d3b
--- /dev/null
+++ b/queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
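Review bot: The corrected call `rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data);` still sits next to a second in-scope spelling, `data->drv_data`, that differs only by a prefix, and the description itself blames these member names for the wrong pointer and the crashes. Since the old spelling evidently compiled, I would add `/* drv_data is the inform-bss data struct; ->drv_data is the driver's private pointer */` above the call, or rename the local in a follow-up. The declarations of `data` and `drv_data` are outside the inner hunk, so their exact types are assumed here.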
@@ -0,0 +1,81 @@ +From 8c47c76ec8c3b00ab3060f748d4e48f5549d737d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Oct 2023 14:52:48 +0300 +Subject: wifi: mac80211: don't drop all unprotected public action frames + +From: Avraham Stern + +[ Upstream commit 91535613b6090fc968c601d11d4e2f16b333713c ] + +Not all public action frames have a protected variant. When MFP is +enabled drop only public action frames that have a dual protected +variant. + +Fixes: 76a3059cf124 ("wifi: mac80211: drop some unprotected action frames") +Signed-off-by: Avraham Stern +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20231016145213.2973e3c8d3bb.I6198b8d3b04cf4a97b06660d346caec3032f232a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 29 +++++++++++++++++++++++++++++ + net/mac80211/rx.c | 3 +-- + 2 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index 4b998090898e3..1d7aea6342171 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -4236,6 +4236,35 @@ static inline bool ieee80211_is_public_action(struct ieee80211_hdr *hdr, + return mgmt->u.action.category == WLAN_CATEGORY_PUBLIC; + } + ++/** ++ * ieee80211_is_protected_dual_of_public_action - check if skb contains a ++ * protected dual of public action management frame ++ * @skb: the skb containing the frame, length will be checked ++ * ++ * Return: true if the skb contains a protected dual of public action ++ * management frame, false otherwise. 
++ */ ++static inline bool ++ieee80211_is_protected_dual_of_public_action(struct sk_buff *skb) ++{ ++ u8 action; ++ ++ if (!ieee80211_is_public_action((void *)skb->data, skb->len) || ++ skb->len < IEEE80211_MIN_ACTION_SIZE + 1) ++ return false; ++ ++ action = *(u8 *)(skb->data + IEEE80211_MIN_ACTION_SIZE); ++ ++ return action != WLAN_PUB_ACTION_20_40_BSS_COEX && ++ action != WLAN_PUB_ACTION_DSE_REG_LOC_ANN && ++ action != WLAN_PUB_ACTION_MSMT_PILOT && ++ action != WLAN_PUB_ACTION_TDLS_DISCOVER_RES && ++ action != WLAN_PUB_ACTION_LOC_TRACK_NOTI && ++ action != WLAN_PUB_ACTION_FTM_REQUEST && ++ action != WLAN_PUB_ACTION_FTM_RESPONSE && ++ action != WLAN_PUB_ACTION_FILS_DISCOVERY; ++} ++ + /** + * _ieee80211_is_group_privacy_action - check if frame is a group addressed + * privacy action frame +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index e751cda5eef69..8f6b6f56b65b4 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2468,8 +2468,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx) + + /* drop unicast public action frames when using MPF */ + if (is_unicast_ether_addr(mgmt->da) && +- ieee80211_is_public_action((void *)rx->skb->data, +- rx->skb->len)) ++ ieee80211_is_protected_dual_of_public_action(rx->skb)) + return -EACCES; + } + +-- +2.42.0 + -- 2.47.3
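Review bot: ieee80211_is_protected_dual_of_public_action() is written as an exclusion list, so any public action code not named in its `return` expression, including values this header does not know, is reported as having a protected dual and is then refused with -EACCES in the unicast check of ieee80211_drop_unencrypted_mgmt(). That default is the conservative one, but the kernel-doc does not mention it; I would add `/* codes listed here have no protected dual; every other code is treated as having one */` above the `return`. The bounds check compares `skb->len` with `IEEE80211_MIN_ACTION_SIZE + 1` while the byte is read through `skb->data`, which presumably relies on the frame being linear at this point, as the existing ieee80211_is_public_action() call already does; confirm against the callers. The context comment in rx.c says `MPF` where `MFP` is meant.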