From d238360ef8def426718cbb34aae15fe363dacbfb Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Dec 2023 21:36:57 -0500 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...-support-for-multiple-sohard-arcnet-.patch | 216 +++++++++ ...ting-the-sg-structure-should-also-up.patch | 74 +++ ...uire-cap_sys_admin-when-joining-even.patch | 164 +++++++ ...rrupt-controller-allow-power-domain-.patch | 45 ++ ...mpatibles-don-t-follow-symlinks-when.patch | 75 +++ ...mpatibles-handle-cfile-arguments-in-.patch | 62 +++ ...vsc-rndis_filter-needs-to-select-nls.patch | 44 ++ ...e-fix-unexpected-mfs-warning-message.patch | 58 +++ ..._coalesce_usecs-even-if-rx_coalesce_.patch | 79 +++ ...ork-handling-in-split-interrupt-mode.patch | 67 +++ ...c-fix-snprintf-format-length-warning.patch | 45 ++ ...avoid-skb_pull-failure-in-ipgre_xmit.patch | 58 +++ ...fix-potential-null-deref-in-fib6_add.patch | 79 +++ ...rrectly-identify-secure-boot-with-de.patch | 120 +++++ ...liminate-potential-uninitialized-var.patch | 38 ++ ...x-null-dereference-of-skb-pointer-in.patch | 148 ++++++ ...otential-use-after-free-in-bnxt_init.patch | 43 ++ ...net-hns-fix-fake-link-up-on-xge-port.patch | 74 +++ ...g-head-when-modify-the-tx-feature-wh.patch | 161 ++++++ .../net-stmmac-fix-fpe-events-losing.patch | 243 ++++++++++ ...les-bail-out-on-mismatching-dynset-a.patch | 48 ++ ...les-fix-exist-matching-on-bigendian-.patch | 94 ++++ ...les-validate-family-when-identifying.patch | 53 ++ ...thdr-add-boolean-dccp-option-matchin.patch | 190 ++++++++ ...er-fix-for-unsafe-access-of-sk-sk_so.patch | 71 +++ ...-af-add-missing-mcs-flr-handler-call.patch | 38 ++ ...ust-tx-credits-when-mcs-external-byp.patch | 153 ++++++ ...ck-return-value-of-nix_get_nixlf-bef.patch | 45 ++ ...-a-use-after-free-in-rvu_npa_registe.patch | 61 +++ ...ontx2-af-fix-mcs-sa-cam-entries-size.patch | 38 ++ ...x2-af-fix-mcs-stats-register-address.patch | 93 ++++ ...tx2-af-update-tx-link-register-range.patch | 41 ++ ...-missing-mutex-lock-in-otx2_get_paus.patch | 51 ++ ...sider-both-rx-and-tx-packet-stats-fo.patch | 101 ++++ ...f_reconfig_get_state_change-return-v.patch | 41 ++ ...x-add-null-pointer-checks-for-devm_k.patch | 92 ++++ ...x-check-devm_hwmon_device_register_w.patch | 48 ++ ...s-wmi-move-i8042-filter-install-to-s.patch | 111 +++++ ...-wmi-skip-blocks-with-zero-instances.patch | 49 ++ ...cap_net_admin-when-joining-packets-g.patch | 117 +++++ ...52_inaccessible-checks-to-more-loops.patch | 72 +++ ...l8152_inaccessible-to-r8153_aldps_en.patch | 39 ++ ...2_inaccessible-to-r8153_pre_firmware.patch | 39 ++ ...2_inaccessible-to-r8156b_wait_loadin.patch | 40 ++ ...l8152_unplug-to-rtl8152_inaccessible.patch | 458 ++++++++++++++++++ queue-6.1/series | 48 ++ ...ot-accept-ack-of-bytes-we-never-sent.patch | 106 ++++ .../tcp-fix-mid-stream-window-clamp.patch | 104 ++++ ...lling-event-check-for-unbound-socket.patch | 56 +++ 49 files changed, 4390 insertions(+) create mode 100644 queue-6.1/arcnet-restoring-support-for-multiple-sohard-arcnet-.patch create mode 100644 queue-6.1/bpf-sockmap-updating-the-sg-structure-should-also-up.patch create mode 100644 queue-6.1/drop_monitor-require-cap_sys_admin-when-joining-even.patch create mode 100644 queue-6.1/dt-bindings-interrupt-controller-allow-power-domain-.patch create mode 100644 queue-6.1/dt-dt-extract-compatibles-don-t-follow-symlinks-when.patch create mode 100644 queue-6.1/dt-dt-extract-compatibles-handle-cfile-arguments-in-.patch create mode 100644 queue-6.1/hv_netvsc-rndis_filter-needs-to-select-nls.patch create mode 100644 queue-6.1/i40e-fix-unexpected-mfs-warning-message.patch create mode 100644 queue-6.1/iavf-validate-tx_coalesce_usecs-even-if-rx_coalesce_.patch create mode 100644 queue-6.1/ionic-fix-dim-work-handling-in-split-interrupt-mode.patch create mode 100644 queue-6.1/ionic-fix-snprintf-format-length-warning.patch create mode 100644 queue-6.1/ipv4-ip_gre-avoid-skb_pull-failure-in-ipgre_xmit.patch create mode 100644 queue-6.1/ipv6-fix-potential-null-deref-in-fib6_add.patch create mode 100644 queue-6.1/mlxbf-bootctl-correctly-identify-secure-boot-with-de.patch create mode 100644 queue-6.1/mm-damon-sysfs-eliminate-potential-uninitialized-var.patch create mode 100644 queue-6.1/net-atlantic-fix-null-dereference-of-skb-pointer-in.patch create mode 100644 queue-6.1/net-bnxt-fix-a-potential-use-after-free-in-bnxt_init.patch create mode 100644 queue-6.1/net-hns-fix-fake-link-up-on-xge-port.patch create mode 100644 queue-6.1/net-hns-fix-wrong-head-when-modify-the-tx-feature-wh.patch create mode 100644 queue-6.1/net-stmmac-fix-fpe-events-losing.patch create mode 100644 queue-6.1/netfilter-nf_tables-bail-out-on-mismatching-dynset-a.patch create mode 100644 queue-6.1/netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch create mode 100644 queue-6.1/netfilter-nf_tables-validate-family-when-identifying.patch create mode 100644 queue-6.1/netfilter-nft_exthdr-add-boolean-dccp-option-matchin.patch create mode 100644 queue-6.1/netfilter-xt_owner-fix-for-unsafe-access-of-sk-sk_so.patch create mode 100644 queue-6.1/octeontx2-af-add-missing-mcs-flr-handler-call.patch create mode 100644 queue-6.1/octeontx2-af-adjust-tx-credits-when-mcs-external-byp.patch create mode 100644 queue-6.1/octeontx2-af-check-return-value-of-nix_get_nixlf-bef.patch create mode 100644 queue-6.1/octeontx2-af-fix-a-use-after-free-in-rvu_npa_registe.patch create mode 100644 queue-6.1/octeontx2-af-fix-mcs-sa-cam-entries-size.patch create mode 100644 queue-6.1/octeontx2-af-fix-mcs-stats-register-address.patch create mode 100644 queue-6.1/octeontx2-af-update-tx-link-register-range.patch create mode 100644 queue-6.1/octeontx2-pf-add-missing-mutex-lock-in-otx2_get_paus.patch create mode 100644 queue-6.1/octeontx2-pf-consider-both-rx-and-tx-packet-stats-fo.patch create mode 100644 queue-6.1/of-dynamic-fix-of_reconfig_get_state_change-return-v.patch create mode 100644 queue-6.1/platform-mellanox-add-null-pointer-checks-for-devm_k.patch create mode 100644 queue-6.1/platform-mellanox-check-devm_hwmon_device_register_w.patch create mode 100644 queue-6.1/platform-x86-asus-wmi-move-i8042-filter-install-to-s.patch create mode 100644 queue-6.1/platform-x86-wmi-skip-blocks-with-zero-instances.patch create mode 100644 queue-6.1/psample-require-cap_net_admin-when-joining-packets-g.patch create mode 100644 queue-6.1/r8152-add-rtl8152_inaccessible-checks-to-more-loops.patch create mode 100644 queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_aldps_en.patch create mode 100644 queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_pre_firmware.patch create mode 100644 queue-6.1/r8152-add-rtl8152_inaccessible-to-r8156b_wait_loadin.patch create mode 100644 queue-6.1/r8152-rename-rtl8152_unplug-to-rtl8152_inaccessible.patch create mode 100644 queue-6.1/tcp-do-not-accept-ack-of-bytes-we-never-sent.patch create mode 100644 queue-6.1/tcp-fix-mid-stream-window-clamp.patch create mode 100644 queue-6.1/xsk-skip-polling-event-check-for-unbound-socket.patch diff --git a/queue-6.1/arcnet-restoring-support-for-multiple-sohard-arcnet-.patch b/queue-6.1/arcnet-restoring-support-for-multiple-sohard-arcnet-.patch new file mode 100644 index 00000000000..967ba175d13 --- /dev/null +++ b/queue-6.1/arcnet-restoring-support-for-multiple-sohard-arcnet-.patch @@ -0,0 +1,216 @@ +From 85f90a468ac174ebe0e8e4cafa9fd754dc92f46b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:35:03 +0100 +Subject: arcnet: restoring support for multiple Sohard Arcnet cards + +From: Thomas Reichinger + +[ Upstream commit 6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea ] + +Probe of Sohard Arcnet cards fails, +if 2 or more cards are installed in a system. +See kernel log: +[ 2.759203] arcnet: arcnet loaded +[ 2.763648] arcnet:com20020: COM20020 chipset support (by David Woodhouse et al.) +[ 2.770585] arcnet:com20020_pci: COM20020 PCI support +[ 2.772295] com20020 0000:02:00.0: enabling device (0000 -> 0003) +[ 2.772354] (unnamed net_device) (uninitialized): PLX-PCI Controls +... +[ 3.071301] com20020 0000:02:00.0 arc0-0 (uninitialized): PCI COM20020: station FFh found at F080h, IRQ 101. +[ 3.071305] com20020 0000:02:00.0 arc0-0 (uninitialized): Using CKP 64 - data rate 2.5 Mb/s +[ 3.071534] com20020 0000:07:00.0: enabling device (0000 -> 0003) +[ 3.071581] (unnamed net_device) (uninitialized): PLX-PCI Controls +... +[ 3.369501] com20020 0000:07:00.0: Led pci:green:tx:0-0 renamed to pci:green:tx:0-0_1 due to name collision +[ 3.369535] com20020 0000:07:00.0: Led pci:red:recon:0-0 renamed to pci:red:recon:0-0_1 due to name collision +[ 3.370586] com20020 0000:07:00.0 arc0-0 (uninitialized): PCI COM20020: station E1h found at C000h, IRQ 35. +[ 3.370589] com20020 0000:07:00.0 arc0-0 (uninitialized): Using CKP 64 - data rate 2.5 Mb/s +[ 3.370608] com20020: probe of 0000:07:00.0 failed with error -5 + +commit 5ef216c1f848 ("arcnet: com20020-pci: add rotary index support") +changes the device name of all COM20020 based PCI cards, +even if only some cards support this: + snprintf(dev->name, sizeof(dev->name), "arc%d-%d", dev->dev_id, i); + +The error happens because all Sohard Arcnet cards would be called arc0-0, +since the Sohard Arcnet cards don't have a PLX rotary coder. +I.e. EAE Arcnet cards have a PLX rotary coder, +which sets the first decimal, ensuring unique devices names. + +This patch adds two new card feature flags to indicate +which cards support LEDs and the PLX rotary coder. +For EAE based cards the names still depend on the PLX rotary coder +(untested, since missing EAE hardware). +For Sohard based cards, this patch will result in devices +being called arc0, arc1, ... (tested). + +Signed-off-by: Thomas Reichinger +Fixes: 5ef216c1f848 ("arcnet: com20020-pci: add rotary index support") +Link: https://lore.kernel.org/r/20231130113503.6812-1-thomas.reichinger@sohard.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/arcdevice.h | 2 + + drivers/net/arcnet/com20020-pci.c | 89 ++++++++++++++++--------------- + 2 files changed, 48 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/arcnet/arcdevice.h b/drivers/net/arcnet/arcdevice.h +index 19e996a829c9d..b54275389f8ac 100644 +--- a/drivers/net/arcnet/arcdevice.h ++++ b/drivers/net/arcnet/arcdevice.h +@@ -186,6 +186,8 @@ do { \ + #define ARC_IS_5MBIT 1 /* card default speed is 5MBit */ + #define ARC_CAN_10MBIT 2 /* card uses COM20022, supporting 10MBit, + but default is 2.5MBit. */ ++#define ARC_HAS_LED 4 /* card has software controlled LEDs */ ++#define ARC_HAS_ROTARY 8 /* card has rotary encoder */ + + /* information needed to define an encapsulation driver */ + struct ArcProto { +diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c +index c580acb8b1d34..7b5c8bb02f119 100644 +--- a/drivers/net/arcnet/com20020-pci.c ++++ b/drivers/net/arcnet/com20020-pci.c +@@ -213,12 +213,13 @@ static int com20020pci_probe(struct pci_dev *pdev, + if (!strncmp(ci->name, "EAE PLX-PCI FB2", 15)) + lp->backplane = 1; + +- /* Get the dev_id from the PLX rotary coder */ +- if (!strncmp(ci->name, "EAE PLX-PCI MA1", 15)) +- dev_id_mask = 0x3; +- dev->dev_id = (inb(priv->misc + ci->rotary) >> 4) & dev_id_mask; +- +- snprintf(dev->name, sizeof(dev->name), "arc%d-%d", dev->dev_id, i); ++ if (ci->flags & ARC_HAS_ROTARY) { ++ /* Get the dev_id from the PLX rotary coder */ ++ if (!strncmp(ci->name, "EAE PLX-PCI MA1", 15)) ++ dev_id_mask = 0x3; ++ dev->dev_id = (inb(priv->misc + ci->rotary) >> 4) & dev_id_mask; ++ snprintf(dev->name, sizeof(dev->name), "arc%d-%d", dev->dev_id, i); ++ } + + if (arcnet_inb(ioaddr, COM20020_REG_R_STATUS) == 0xFF) { + pr_err("IO address %Xh is empty!\n", ioaddr); +@@ -230,6 +231,10 @@ static int com20020pci_probe(struct pci_dev *pdev, + goto err_free_arcdev; + } + ++ ret = com20020_found(dev, IRQF_SHARED); ++ if (ret) ++ goto err_free_arcdev; ++ + card = devm_kzalloc(&pdev->dev, sizeof(struct com20020_dev), + GFP_KERNEL); + if (!card) { +@@ -239,41 +244,39 @@ static int com20020pci_probe(struct pci_dev *pdev, + + card->index = i; + card->pci_priv = priv; +- card->tx_led.brightness_set = led_tx_set; +- card->tx_led.default_trigger = devm_kasprintf(&pdev->dev, +- GFP_KERNEL, "arc%d-%d-tx", +- dev->dev_id, i); +- card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, +- "pci:green:tx:%d-%d", +- dev->dev_id, i); +- +- card->tx_led.dev = &dev->dev; +- card->recon_led.brightness_set = led_recon_set; +- card->recon_led.default_trigger = devm_kasprintf(&pdev->dev, +- GFP_KERNEL, "arc%d-%d-recon", +- dev->dev_id, i); +- card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, +- "pci:red:recon:%d-%d", +- dev->dev_id, i); +- card->recon_led.dev = &dev->dev; +- card->dev = dev; +- +- ret = devm_led_classdev_register(&pdev->dev, &card->tx_led); +- if (ret) +- goto err_free_arcdev; + +- ret = devm_led_classdev_register(&pdev->dev, &card->recon_led); +- if (ret) +- goto err_free_arcdev; +- +- dev_set_drvdata(&dev->dev, card); +- +- ret = com20020_found(dev, IRQF_SHARED); +- if (ret) +- goto err_free_arcdev; +- +- devm_arcnet_led_init(dev, dev->dev_id, i); ++ if (ci->flags & ARC_HAS_LED) { ++ card->tx_led.brightness_set = led_tx_set; ++ card->tx_led.default_trigger = devm_kasprintf(&pdev->dev, ++ GFP_KERNEL, "arc%d-%d-tx", ++ dev->dev_id, i); ++ card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, ++ "pci:green:tx:%d-%d", ++ dev->dev_id, i); ++ ++ card->tx_led.dev = &dev->dev; ++ card->recon_led.brightness_set = led_recon_set; ++ card->recon_led.default_trigger = devm_kasprintf(&pdev->dev, ++ GFP_KERNEL, "arc%d-%d-recon", ++ dev->dev_id, i); ++ card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, ++ "pci:red:recon:%d-%d", ++ dev->dev_id, i); ++ card->recon_led.dev = &dev->dev; ++ ++ ret = devm_led_classdev_register(&pdev->dev, &card->tx_led); ++ if (ret) ++ goto err_free_arcdev; ++ ++ ret = devm_led_classdev_register(&pdev->dev, &card->recon_led); ++ if (ret) ++ goto err_free_arcdev; ++ ++ dev_set_drvdata(&dev->dev, card); ++ devm_arcnet_led_init(dev, dev->dev_id, i); ++ } + ++ card->dev = dev; + list_add(&card->list, &priv->list_dev); + continue; + +@@ -329,7 +332,7 @@ static struct com20020_pci_card_info card_info_5mbit = { + }; + + static struct com20020_pci_card_info card_info_sohard = { +- .name = "PLX-PCI", ++ .name = "SOHARD SH ARC-PCI", + .devcount = 1, + /* SOHARD needs PCI base addr 4 */ + .chan_map_tbl = { +@@ -364,7 +367,7 @@ static struct com20020_pci_card_info card_info_eae_arc1 = { + }, + }, + .rotary = 0x0, +- .flags = ARC_CAN_10MBIT, ++ .flags = ARC_HAS_ROTARY | ARC_HAS_LED | ARC_CAN_10MBIT, + }; + + static struct com20020_pci_card_info card_info_eae_ma1 = { +@@ -396,7 +399,7 @@ static struct com20020_pci_card_info card_info_eae_ma1 = { + }, + }, + .rotary = 0x0, +- .flags = ARC_CAN_10MBIT, ++ .flags = ARC_HAS_ROTARY | ARC_HAS_LED | ARC_CAN_10MBIT, + }; + + static struct com20020_pci_card_info card_info_eae_fb2 = { +@@ -421,7 +424,7 @@ static struct com20020_pci_card_info card_info_eae_fb2 = { + }, + }, + .rotary = 0x0, +- .flags = ARC_CAN_10MBIT, ++ .flags = ARC_HAS_ROTARY | ARC_HAS_LED | ARC_CAN_10MBIT, + }; + + static const struct pci_device_id com20020pci_id_table[] = { +-- +2.42.0 + diff --git a/queue-6.1/bpf-sockmap-updating-the-sg-structure-should-also-up.patch b/queue-6.1/bpf-sockmap-updating-the-sg-structure-should-also-up.patch new file mode 100644 index 00000000000..f566bb652c1 --- /dev/null +++ b/queue-6.1/bpf-sockmap-updating-the-sg-structure-should-also-up.patch @@ -0,0 +1,74 @@ +From 2474d6f9a744d665f79c9e6f58e3c89a9c874117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 15:27:06 -0800 +Subject: bpf: sockmap, updating the sg structure should also update curr + +From: John Fastabend + +[ Upstream commit bb9aefde5bbaf6c168c77ba635c155b4980c2287 ] + +Curr pointer should be updated when the sg structure is shifted. + +Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages") +Signed-off-by: John Fastabend +Link: https://lore.kernel.org/r/20231206232706.374377-3-john.fastabend@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index adc327f4af1e9..3a6110ea4009f 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2582,6 +2582,22 @@ BPF_CALL_2(bpf_msg_cork_bytes, struct sk_msg *, msg, u32, bytes) + return 0; + } + ++static void sk_msg_reset_curr(struct sk_msg *msg) ++{ ++ u32 i = msg->sg.start; ++ u32 len = 0; ++ ++ do { ++ len += sk_msg_elem(msg, i)->length; ++ sk_msg_iter_var_next(i); ++ if (len >= msg->sg.size) ++ break; ++ } while (i != msg->sg.end); ++ ++ msg->sg.curr = i; ++ msg->sg.copybreak = 0; ++} ++ + static const struct bpf_func_proto bpf_msg_cork_bytes_proto = { + .func = bpf_msg_cork_bytes, + .gpl_only = false, +@@ -2701,6 +2717,7 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_msg *, msg, u32, start, + msg->sg.end - shift + NR_MSG_FRAG_IDS : + msg->sg.end - shift; + out: ++ sk_msg_reset_curr(msg); + msg->data = sg_virt(&msg->sg.data[first_sge]) + start - offset; + msg->data_end = msg->data + bytes; + return 0; +@@ -2837,6 +2854,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start, + msg->sg.data[new] = rsge; + } + ++ sk_msg_reset_curr(msg); + sk_msg_compute_data_pointers(msg); + return 0; + } +@@ -3005,6 +3023,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, + + sk_mem_uncharge(msg->sk, len - pop); + msg->sg.size -= (len - pop); ++ sk_msg_reset_curr(msg); + sk_msg_compute_data_pointers(msg); + return 0; + } +-- +2.42.0 + diff --git a/queue-6.1/drop_monitor-require-cap_sys_admin-when-joining-even.patch b/queue-6.1/drop_monitor-require-cap_sys_admin-when-joining-even.patch new file mode 100644 index 00000000000..a8420c8677e --- /dev/null +++ b/queue-6.1/drop_monitor-require-cap_sys_admin-when-joining-even.patch @@ -0,0 +1,164 @@ +From b6088b9d7047c3a7078594adf053d6b497a7c1da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 23:31:02 +0200 +Subject: drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group + +From: Ido Schimmel + +[ Upstream commit e03781879a0d524ce3126678d50a80484a513c4b ] + +The "NET_DM" generic netlink family notifies drop locations over the +"events" multicast group. This is problematic since by default generic +netlink allows non-root users to listen to these notifications. + +Fix by adding a new field to the generic netlink multicast group +structure that when set prevents non-root users or root without the +'CAP_SYS_ADMIN' capability (in the user namespace owning the network +namespace) from joining the group. Set this field for the "events" +group. Use 'CAP_SYS_ADMIN' rather than 'CAP_NET_ADMIN' because of the +nature of the information that is shared over this group. + +Note that the capability check in this case will always be performed +against the initial user namespace since the family is not netns aware +and only operates in the initial network namespace. + +A new field is added to the structure rather than using the "flags" +field because the existing field uses uAPI flags and it is inappropriate +to add a new uAPI flag for an internal kernel check. In net-next we can +rework the "flags" field to use internal flags and fold the new field +into it. But for now, in order to reduce the amount of changes, add a +new field. + +Since the information can only be consumed by root, mark the control +plane operations that start and stop the tracing as root-only using the +'GENL_ADMIN_PERM' flag. + +Tested using [1]. + +Before: + + # capsh -- -c ./dm_repo + # capsh --drop=cap_sys_admin -- -c ./dm_repo + +After: + + # capsh -- -c ./dm_repo + # capsh --drop=cap_sys_admin -- -c ./dm_repo + Failed to join "events" multicast group + +[1] + $ cat dm.c + #include + #include + #include + #include + + int main(int argc, char **argv) + { + struct nl_sock *sk; + int grp, err; + + sk = nl_socket_alloc(); + if (!sk) { + fprintf(stderr, "Failed to allocate socket\n"); + return -1; + } + + err = genl_connect(sk); + if (err) { + fprintf(stderr, "Failed to connect socket\n"); + return err; + } + + grp = genl_ctrl_resolve_grp(sk, "NET_DM", "events"); + if (grp < 0) { + fprintf(stderr, + "Failed to resolve \"events\" multicast group\n"); + return grp; + } + + err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE); + if (err) { + fprintf(stderr, "Failed to join \"events\" multicast group\n"); + return err; + } + + return 0; + } + $ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o dm_repo dm.c + +Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol") +Reported-by: "The UK's National Cyber Security Centre (NCSC)" +Signed-off-by: Ido Schimmel +Reviewed-by: Jacob Keller +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20231206213102.1824398-3-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/genetlink.h | 2 ++ + net/core/drop_monitor.c | 4 +++- + net/netlink/genetlink.c | 3 +++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/include/net/genetlink.h b/include/net/genetlink.h +index 9f97f73615b69..b9e5a22ae3ff9 100644 +--- a/include/net/genetlink.h ++++ b/include/net/genetlink.h +@@ -12,10 +12,12 @@ + * struct genl_multicast_group - generic netlink multicast group + * @name: name of the multicast group, names are per-family + * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM) ++ * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding + */ + struct genl_multicast_group { + char name[GENL_NAMSIZ]; + u8 flags; ++ u8 cap_sys_admin:1; + }; + + struct genl_ops; +diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c +index f084a4a6b7ab2..8e0a90b45df22 100644 +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -181,7 +181,7 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data) + } + + static const struct genl_multicast_group dropmon_mcgrps[] = { +- { .name = "events", }, ++ { .name = "events", .cap_sys_admin = 1 }, + }; + + static void send_dm_alert(struct work_struct *work) +@@ -1604,11 +1604,13 @@ static const struct genl_small_ops dropmon_ops[] = { + .cmd = NET_DM_CMD_START, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .doit = net_dm_cmd_trace, ++ .flags = GENL_ADMIN_PERM, + }, + { + .cmd = NET_DM_CMD_STOP, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .doit = net_dm_cmd_trace, ++ .flags = GENL_ADMIN_PERM, + }, + { + .cmd = NET_DM_CMD_CONFIG_GET, +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c +index 3e16527beb914..505d3b910cc29 100644 +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -1438,6 +1438,9 @@ static int genl_bind(struct net *net, int group) + if ((grp->flags & GENL_UNS_ADMIN_PERM) && + !ns_capable(net->user_ns, CAP_NET_ADMIN)) + ret = -EPERM; ++ if (grp->cap_sys_admin && ++ !ns_capable(net->user_ns, CAP_SYS_ADMIN)) ++ ret = -EPERM; + + break; + } +-- +2.42.0 + diff --git a/queue-6.1/dt-bindings-interrupt-controller-allow-power-domain-.patch b/queue-6.1/dt-bindings-interrupt-controller-allow-power-domain-.patch new file mode 100644 index 00000000000..0f82529498c --- /dev/null +++ b/queue-6.1/dt-bindings-interrupt-controller-allow-power-domain-.patch @@ -0,0 +1,45 @@ +From b98d3fca512408135e8a934c7e42db69568e35b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 20:12:31 +0100 +Subject: dt-bindings: interrupt-controller: Allow #power-domain-cells + +From: Konrad Dybcio + +[ Upstream commit c0a2755aced969e0125fd68ccd95269b28d8913a ] + +MPM provides a single genpd. Allow #power-domain-cells = <0>. + +Fixes: 54fc9851c0e0 ("dt-bindings: interrupt-controller: Add Qualcomm MPM support") +Acked-by: Shawn Guo +Acked-by: Krzysztof Kozlowski +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231129-topic-mpmbindingspd-v2-1-acbe909ceee1@linaro.org +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/interrupt-controller/qcom,mpm.yaml | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Documentation/devicetree/bindings/interrupt-controller/qcom,mpm.yaml b/Documentation/devicetree/bindings/interrupt-controller/qcom,mpm.yaml +index 509d20c091af8..6a206111d4e0f 100644 +--- a/Documentation/devicetree/bindings/interrupt-controller/qcom,mpm.yaml ++++ b/Documentation/devicetree/bindings/interrupt-controller/qcom,mpm.yaml +@@ -62,6 +62,9 @@ properties: + - description: MPM pin number + - description: GIC SPI number for the MPM pin + ++ '#power-domain-cells': ++ const: 0 ++ + required: + - compatible + - reg +@@ -93,4 +96,5 @@ examples: + <86 183>, + <90 260>, + <91 260>; ++ #power-domain-cells = <0>; + }; +-- +2.42.0 + diff --git a/queue-6.1/dt-dt-extract-compatibles-don-t-follow-symlinks-when.patch b/queue-6.1/dt-dt-extract-compatibles-don-t-follow-symlinks-when.patch new file mode 100644 index 00000000000..318dd6fdcd1 --- /dev/null +++ b/queue-6.1/dt-dt-extract-compatibles-don-t-follow-symlinks-when.patch @@ -0,0 +1,75 @@ +From 97d08af10b480e53e9da237196dc3bdf1f4c3a0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 17:55:28 -0500 +Subject: dt: dt-extract-compatibles: Don't follow symlinks when walking tree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 8f51593cdcab82fb23ef2e1a0010b2e6f99aae02 ] + +The iglob function, which we use to find C source files in the kernel +tree, always follows symbolic links. This can cause unintentional +recursions whenever a symbolic link points to a parent directory. A +common scenario is building the kernel with the output set to a +directory inside the kernel tree, which will contain such a symlink. + +Instead of using the iglob function, use os.walk to traverse the +directory tree, which by default doesn't follow symbolic links. fnmatch +is then used to match the glob on the filename, as well as ignore hidden +files (which were ignored by default with iglob). + +This approach runs just as fast as using iglob. + +Fixes: b6acf8073517 ("dt: Add a check for undocumented compatible strings in kernel") +Reported-by: Aishwarya TCV +Closes: https://lore.kernel.org/all/e90cb52f-d55b-d3ba-3933-6cc7b43fcfbc@arm.com +Signed-off-by: "Nícolas F. R. A. Prado" +Link: https://lore.kernel.org/r/20231107225624.9811-1-nfraprado@collabora.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + scripts/dtc/dt-extract-compatibles | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/scripts/dtc/dt-extract-compatibles b/scripts/dtc/dt-extract-compatibles +index 05c47e3d8c00e..9686a1cf85498 100755 +--- a/scripts/dtc/dt-extract-compatibles ++++ b/scripts/dtc/dt-extract-compatibles +@@ -1,8 +1,8 @@ + #!/usr/bin/env python3 + # SPDX-License-Identifier: GPL-2.0-only + ++import fnmatch + import os +-import glob + import re + import argparse + +@@ -49,10 +49,20 @@ def print_compat(filename, compatibles): + else: + print(*compatibles, sep='\n') + ++def glob_without_symlinks(root, glob): ++ for path, dirs, files in os.walk(root): ++ # Ignore hidden directories ++ for d in dirs: ++ if fnmatch.fnmatch(d, ".*"): ++ dirs.remove(d) ++ for f in files: ++ if fnmatch.fnmatch(f, glob): ++ yield os.path.join(path, f) ++ + def files_to_parse(path_args): + for f in path_args: + if os.path.isdir(f): +- for filename in glob.iglob(f + "/**/*.c", recursive=True): ++ for filename in glob_without_symlinks(f, "*.c"): + yield filename + else: + yield f +-- +2.42.0 + diff --git a/queue-6.1/dt-dt-extract-compatibles-handle-cfile-arguments-in-.patch b/queue-6.1/dt-dt-extract-compatibles-handle-cfile-arguments-in-.patch new file mode 100644 index 00000000000..59ed6a358bd --- /dev/null +++ b/queue-6.1/dt-dt-extract-compatibles-handle-cfile-arguments-in-.patch @@ -0,0 +1,62 @@ +From 7e609b95f2eb404cd19d1a34a01f95c3cde6ecc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Aug 2023 17:13:10 -0400 +Subject: dt: dt-extract-compatibles: Handle cfile arguments in generator + function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit eb2139fc0da63b89a2ad565ecd8133a37e8b7c4f ] + +Move the handling of the cfile arguments to a separate generator +function to avoid redundancy. + +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20230828211424.2964562-2-nfraprado@collabora.com +Signed-off-by: Rob Herring +Stable-dep-of: 8f51593cdcab ("dt: dt-extract-compatibles: Don't follow symlinks when walking tree") +Signed-off-by: Sasha Levin +--- + scripts/dtc/dt-extract-compatibles | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/scripts/dtc/dt-extract-compatibles b/scripts/dtc/dt-extract-compatibles +index a1119762ed086..05c47e3d8c00e 100755 +--- a/scripts/dtc/dt-extract-compatibles ++++ b/scripts/dtc/dt-extract-compatibles +@@ -49,6 +49,14 @@ def print_compat(filename, compatibles): + else: + print(*compatibles, sep='\n') + ++def files_to_parse(path_args): ++ for f in path_args: ++ if os.path.isdir(f): ++ for filename in glob.iglob(f + "/**/*.c", recursive=True): ++ yield filename ++ else: ++ yield f ++ + show_filename = False + + if __name__ == "__main__": +@@ -59,11 +67,6 @@ if __name__ == "__main__": + + show_filename = args.with_filename + +- for f in args.cfile: +- if os.path.isdir(f): +- for filename in glob.iglob(f + "/**/*.c", recursive=True): +- compat_list = parse_compatibles(filename) +- print_compat(filename, compat_list) +- else: +- compat_list = parse_compatibles(f) +- print_compat(f, compat_list) ++ for f in files_to_parse(args.cfile): ++ compat_list = parse_compatibles(f) ++ print_compat(f, compat_list) +-- +2.42.0 + diff --git a/queue-6.1/hv_netvsc-rndis_filter-needs-to-select-nls.patch b/queue-6.1/hv_netvsc-rndis_filter-needs-to-select-nls.patch new file mode 100644 index 00000000000..24bc616ba3a --- /dev/null +++ b/queue-6.1/hv_netvsc-rndis_filter-needs-to-select-nls.patch @@ -0,0 +1,44 @@ +From 9532fbfb79c991e43ca0ee728bf94683b73a66b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 21:58:53 -0800 +Subject: hv_netvsc: rndis_filter needs to select NLS + +From: Randy Dunlap + +[ Upstream commit 6c89f49964375c904cea33c0247467873f4daf2c ] + +rndis_filter uses utf8s_to_utf16s() which is provided by setting +NLS, so select NLS to fix the build error: + +ERROR: modpost: "utf8s_to_utf16s" [drivers/net/hyperv/hv_netvsc.ko] undefined! + +Fixes: 1ce09e899d28 ("hyperv: Add support for setting MAC from within guests") +Signed-off-by: Randy Dunlap +Cc: Haiyang Zhang +Cc: K. Y. Srinivasan +Cc: Wei Liu +Cc: Dexuan Cui +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20231130055853.19069-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hyperv/Kconfig b/drivers/net/hyperv/Kconfig +index ca7bf7f897d36..c8cbd85adcf99 100644 +--- a/drivers/net/hyperv/Kconfig ++++ b/drivers/net/hyperv/Kconfig +@@ -3,5 +3,6 @@ config HYPERV_NET + tristate "Microsoft Hyper-V virtual network driver" + depends on HYPERV + select UCS2_STRING ++ select NLS + help + Select this option to enable the Hyper-V virtual network driver. +-- +2.42.0 + diff --git a/queue-6.1/i40e-fix-unexpected-mfs-warning-message.patch b/queue-6.1/i40e-fix-unexpected-mfs-warning-message.patch new file mode 100644 index 00000000000..d31f94c4204 --- /dev/null +++ b/queue-6.1/i40e-fix-unexpected-mfs-warning-message.patch @@ -0,0 +1,58 @@ +From 417d244fd44a8e27db9e7b73ceac1adec4b5475b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 09:12:09 +0100 +Subject: i40e: Fix unexpected MFS warning message + +From: Ivan Vecera + +[ Upstream commit 7d9f22b3d3ef379ed05bd3f3e2de83dfa8da8258 ] + +Commit 3a2c6ced90e1 ("i40e: Add a check to see if MFS is set") added +a warning message that reports unexpected size of port's MFS (max +frame size) value. This message use for the port number local +variable 'i' that is wrong. +In i40e_probe() this 'i' variable is used only to iterate VSIs +to find FDIR VSI: + + +... +/* if FDIR VSI was set up, start it now */ + for (i = 0; i < pf->num_alloc_vsi; i++) { + if (pf->vsi[i] && pf->vsi[i]->type == I40E_VSI_FDIR) { + i40e_vsi_open(pf->vsi[i]); + break; + } + } +... + + +So the warning message use for the port number index of FDIR VSI +if this exists or pf->num_alloc_vsi if not. + +Fix the message by using 'pf->hw.port' for the port number. + +Fixes: 3a2c6ced90e1 ("i40e: Add a check to see if MFS is set") +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 9f5824eb8808a..b4157ff370a31 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -16158,7 +16158,7 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + I40E_PRTGL_SAH_MFS_MASK) >> I40E_PRTGL_SAH_MFS_SHIFT; + if (val < MAX_FRAME_SIZE_DEFAULT) + dev_warn(&pdev->dev, "MFS for port %x has been set below the default: %x\n", +- i, val); ++ pf->hw.port, val); + + /* Add a filter to drop all Flow control frames from any VSI from being + * transmitted. By doing so we stop a malicious VF from sending out +-- +2.42.0 + diff --git a/queue-6.1/iavf-validate-tx_coalesce_usecs-even-if-rx_coalesce_.patch b/queue-6.1/iavf-validate-tx_coalesce_usecs-even-if-rx_coalesce_.patch new file mode 100644 index 00000000000..893fabf729a --- /dev/null +++ b/queue-6.1/iavf-validate-tx_coalesce_usecs-even-if-rx_coalesce_.patch @@ -0,0 +1,79 @@ +From 7e7f3c84a3dc572b1b9614206f2b0882e37d7169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 15:33:50 -0800 +Subject: iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero + +From: Jacob Keller + +[ Upstream commit a206d9959f5ccd0fb2d54a997c993947ae0e881c ] + +In __iavf_set_coalesce, the driver checks both ec->rx_coalesce_usecs and +ec->tx_coalesce_usecs for validity. It does this via a chain if if/else-if +blocks. If every single branch of the series of if statements exited, this +would be fine. However, the rx_coalesce_usecs is checked against zero to +print an informative message if use_adaptive_rx_coalesce is enabled. If +this check is true, it short circuits the entire chain of statements, +preventing validation of the tx_coalesce_usecs field. + +Indeed, since commit e792779e6b63 ("iavf: Prevent changing static ITR +values if adaptive moderation is on") the iavf driver actually rejects any +change to the tx_coalesce_usecs or rx_coalesce_usecs when +use_adaptive_tx_coalesce or use_adaptive_rx_coalesce is enabled, making +this checking a bit redundant. + +Fix this error by removing the unnecessary and redundant checks for +use_adaptive_rx_coalesce and use_adaptive_tx_coalesce. Since zero is a +valid value, and since the tx_coalesce_usecs and rx_coalesce_usecs fields +are already unsigned, remove the minimum value check. This allows assigning +an ITR value ranging from 0-8160 as described by the printed message. + +Fixes: 65e87c0398f5 ("i40evf: support queue-specific settings for interrupt moderation") +Signed-off-by: Jacob Keller +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 12 ++---------- + drivers/net/ethernet/intel/iavf/iavf_txrx.h | 1 - + 2 files changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index c13b4fa659ee9..31e02624aca48 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -829,18 +829,10 @@ static int __iavf_set_coalesce(struct net_device *netdev, + struct iavf_adapter *adapter = netdev_priv(netdev); + int i; + +- if (ec->rx_coalesce_usecs == 0) { +- if (ec->use_adaptive_rx_coalesce) +- netif_info(adapter, drv, netdev, "rx-usecs=0, need to disable adaptive-rx for a complete disable\n"); +- } else if ((ec->rx_coalesce_usecs < IAVF_MIN_ITR) || +- (ec->rx_coalesce_usecs > IAVF_MAX_ITR)) { ++ if (ec->rx_coalesce_usecs > IAVF_MAX_ITR) { + netif_info(adapter, drv, netdev, "Invalid value, rx-usecs range is 0-8160\n"); + return -EINVAL; +- } else if (ec->tx_coalesce_usecs == 0) { +- if (ec->use_adaptive_tx_coalesce) +- netif_info(adapter, drv, netdev, "tx-usecs=0, need to disable adaptive-tx for a complete disable\n"); +- } else if ((ec->tx_coalesce_usecs < IAVF_MIN_ITR) || +- (ec->tx_coalesce_usecs > IAVF_MAX_ITR)) { ++ } else if (ec->tx_coalesce_usecs > IAVF_MAX_ITR) { + netif_info(adapter, drv, netdev, "Invalid value, tx-usecs range is 0-8160\n"); + return -EINVAL; + } +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +index 7e6ee32d19b69..10ba36602c0c1 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +@@ -15,7 +15,6 @@ + */ + #define IAVF_ITR_DYNAMIC 0x8000 /* use top bit as a flag */ + #define IAVF_ITR_MASK 0x1FFE /* mask for ITR register value */ +-#define IAVF_MIN_ITR 2 /* reg uses 2 usec resolution */ + #define IAVF_ITR_100K 10 /* all values below must be even */ + #define IAVF_ITR_50K 20 + #define IAVF_ITR_20K 50 +-- +2.42.0 + diff --git a/queue-6.1/ionic-fix-dim-work-handling-in-split-interrupt-mode.patch b/queue-6.1/ionic-fix-dim-work-handling-in-split-interrupt-mode.patch new file mode 100644 index 00000000000..0af73d39b51 --- /dev/null +++ b/queue-6.1/ionic-fix-dim-work-handling-in-split-interrupt-mode.patch @@ -0,0 +1,67 @@ +From 65a9be045666af75324d5affa9687a1a50d420c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 11:22:34 -0800 +Subject: ionic: Fix dim work handling in split interrupt mode + +From: Brett Creeley + +[ Upstream commit 4115ba677c35f694b62298e55f0e04ce84eed469 ] + +Currently ionic_dim_work() is incorrect when in +split interrupt mode. This is because the interrupt +rate is only being changed for the Rx side even for +dim running on Tx. Fix this by using the qcq from +the container_of macro. Also, introduce some local +variables for a bit of cleanup. + +Fixes: a6ff85e0a2d9 ("ionic: remove intr coalesce update from napi") +Signed-off-by: Brett Creeley +Signed-off-by: Shannon Nelson +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231204192234.21017-3-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index a89ab455af67d..f7634884c7508 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -46,24 +46,24 @@ static void ionic_lif_queue_identify(struct ionic_lif *lif); + static void ionic_dim_work(struct work_struct *work) + { + struct dim *dim = container_of(work, struct dim, work); ++ struct ionic_intr_info *intr; + struct dim_cq_moder cur_moder; + struct ionic_qcq *qcq; ++ struct ionic_lif *lif; + u32 new_coal; + + cur_moder = net_dim_get_rx_moderation(dim->mode, dim->profile_ix); + qcq = container_of(dim, struct ionic_qcq, dim); +- new_coal = ionic_coal_usec_to_hw(qcq->q.lif->ionic, cur_moder.usec); ++ lif = qcq->q.lif; ++ new_coal = ionic_coal_usec_to_hw(lif->ionic, cur_moder.usec); + new_coal = new_coal ? new_coal : 1; + +- if (qcq->intr.dim_coal_hw != new_coal) { +- unsigned int qi = qcq->cq.bound_q->index; +- struct ionic_lif *lif = qcq->q.lif; +- +- qcq->intr.dim_coal_hw = new_coal; ++ intr = &qcq->intr; ++ if (intr->dim_coal_hw != new_coal) { ++ intr->dim_coal_hw = new_coal; + + ionic_intr_coal_init(lif->ionic->idev.intr_ctrl, +- lif->rxqcqs[qi]->intr.index, +- qcq->intr.dim_coal_hw); ++ intr->index, intr->dim_coal_hw); + } + + dim->state = DIM_START_MEASURE; +-- +2.42.0 + diff --git a/queue-6.1/ionic-fix-snprintf-format-length-warning.patch b/queue-6.1/ionic-fix-snprintf-format-length-warning.patch new file mode 100644 index 00000000000..6132c536a37 --- /dev/null +++ b/queue-6.1/ionic-fix-snprintf-format-length-warning.patch @@ -0,0 +1,45 @@ +From c87b898db129a91d610e5e20a04f613c7ca1d7c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 11:22:33 -0800 +Subject: ionic: fix snprintf format length warning + +From: Shannon Nelson + +[ Upstream commit 0ceb3860a67652f9d36dfdecfcd2cb3eb2f4537d ] + +Our friendly kernel test robot has reminded us that with a new +check we have a warning about a potential string truncation. +In this case it really doesn't hurt anything, but it is worth +addressing especially since there really is no reason to reserve +so many bytes for our queue names. It seems that cutting the +queue name buffer length in half stops the complaint. + +Fixes: c06107cabea3 ("ionic: more ionic name tweaks") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202311300201.lO8v7mKU-lkp@intel.com/ +Signed-off-by: Shannon Nelson +Reviewed-by: Brett Creeley +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20231204192234.21017-2-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_dev.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +index 93a4258421667..13dfcf9f75dad 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +@@ -214,7 +214,7 @@ struct ionic_desc_info { + void *cb_arg; + }; + +-#define IONIC_QUEUE_NAME_MAX_SZ 32 ++#define IONIC_QUEUE_NAME_MAX_SZ 16 + + struct ionic_queue { + struct device *dev; +-- +2.42.0 + diff --git a/queue-6.1/ipv4-ip_gre-avoid-skb_pull-failure-in-ipgre_xmit.patch b/queue-6.1/ipv4-ip_gre-avoid-skb_pull-failure-in-ipgre_xmit.patch new file mode 100644 index 00000000000..2019d8006fe --- /dev/null +++ b/queue-6.1/ipv4-ip_gre-avoid-skb_pull-failure-in-ipgre_xmit.patch @@ -0,0 +1,58 @@ +From 89b910628461c2b6b8a04e4f1a9df26eb967593c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Dec 2023 01:14:41 +0900 +Subject: ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() + +From: Shigeru Yoshida + +[ Upstream commit 80d875cfc9d3711a029f234ef7d680db79e8fa4b ] + +In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns +true. For example, applications can use PF_PACKET to create a malformed +packet with no IP header. This type of packet causes a problem such as +uninit-value access. + +This patch ensures that skb_pull() can pull the required size by checking +the skb with pskb_network_may_pull() before skb_pull(). + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Shigeru Yoshida +Reviewed-by: Eric Dumazet +Reviewed-by: Suman Ghosh +Link: https://lore.kernel.org/r/20231202161441.221135-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 5b8242265617d..d67d026d7f975 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -634,15 +634,18 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { ++ int pull_len = tunnel->hlen + sizeof(struct iphdr); ++ + if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; + +- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing +- * to gre header. +- */ +- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); ++ if (!pskb_network_may_pull(skb, pull_len)) ++ goto free_skb; ++ ++ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ ++ skb_pull(skb, pull_len); + skb_reset_mac_header(skb); + + if (skb->ip_summed == CHECKSUM_PARTIAL && +-- +2.42.0 + diff --git a/queue-6.1/ipv6-fix-potential-null-deref-in-fib6_add.patch b/queue-6.1/ipv6-fix-potential-null-deref-in-fib6_add.patch new file mode 100644 index 00000000000..52fbc203eec --- /dev/null +++ b/queue-6.1/ipv6-fix-potential-null-deref-in-fib6_add.patch @@ -0,0 +1,79 @@ +From 867f2ee8234b63b84074124d5308b4489db698f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 16:06:30 +0000 +Subject: ipv6: fix potential NULL deref in fib6_add() + +From: Eric Dumazet + +[ Upstream commit 75475bb51e78a3f54ad2f69380f2a1c985e85f2d ] + +If fib6_find_prefix() returns NULL, we should silently fallback +using fib6_null_entry regardless of RT6_DEBUG value. + +syzbot reported: + +WARNING: CPU: 0 PID: 5477 at net/ipv6/ip6_fib.c:1516 fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516 +Modules linked in: +CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00029-g9b6de136b5f0 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +RIP: 0010:fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516 +Code: 00 48 8b 54 24 68 e8 42 22 00 00 48 85 c0 74 14 49 89 c6 e8 d5 d3 c2 f7 eb 5d e8 ce d3 c2 f7 e9 ca 00 00 00 e8 c4 d3 c2 f7 90 <0f> 0b 90 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 38 80 3c 01 00 +RSP: 0018:ffffc90005067740 EFLAGS: 00010293 +RAX: ffffffff89cba5bc RBX: ffffc90005067ab0 RCX: ffff88801a2e9dc0 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 +RBP: ffffc90005067980 R08: ffffffff89cbca85 R09: 1ffff110040d4b85 +R10: dffffc0000000000 R11: ffffed10040d4b86 R12: 00000000ffffffff +R13: 1ffff110051c3904 R14: ffff8880206a5c00 R15: ffff888028e1c820 +FS: 00007f763783c6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f763783bff8 CR3: 000000007f74d000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +__ip6_ins_rt net/ipv6/route.c:1303 [inline] +ip6_route_add+0x88/0x120 net/ipv6/route.c:3847 +ipv6_route_ioctl+0x525/0x7b0 net/ipv6/route.c:4467 +inet6_ioctl+0x21a/0x270 net/ipv6/af_inet6.c:575 +sock_do_ioctl+0x152/0x460 net/socket.c:1220 +sock_ioctl+0x615/0x8c0 net/socket.c:1339 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:871 [inline] +__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857 +do_syscall_x64 arch/x86/entry/common.c:51 [inline] +do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82 + +Fixes: 7bbfe00e0252 ("ipv6: fix general protection fault in fib6_add()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Wei Wang +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20231129160630.3509216-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index eb6640f9a7921..1840735e9cb07 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1502,13 +1502,9 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt, + if (!pn_leaf && !(pn->fn_flags & RTN_RTINFO)) { + pn_leaf = fib6_find_prefix(info->nl_net, table, + pn); +-#if RT6_DEBUG >= 2 +- if (!pn_leaf) { +- WARN_ON(!pn_leaf); ++ if (!pn_leaf) + pn_leaf = + info->nl_net->ipv6.fib6_null_entry; +- } +-#endif + fib6_info_hold(pn_leaf); + rcu_assign_pointer(pn->leaf, pn_leaf); + } +-- +2.42.0 + diff --git a/queue-6.1/mlxbf-bootctl-correctly-identify-secure-boot-with-de.patch b/queue-6.1/mlxbf-bootctl-correctly-identify-secure-boot-with-de.patch new file mode 100644 index 00000000000..f4165da0168 --- /dev/null +++ b/queue-6.1/mlxbf-bootctl-correctly-identify-secure-boot-with-de.patch @@ -0,0 +1,120 @@ +From 4085de594de77fa2705c594ac3f6cd89b3900792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 13:35:15 -0500 +Subject: mlxbf-bootctl: correctly identify secure boot with development keys +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Thompson + +[ Upstream commit d4eef75279f5e9d594f5785502038c763ce42268 ] + +The secure boot state of the BlueField SoC is represented by two bits: + 0 = production state + 1 = secure boot enabled + 2 = non-secure (secure boot disabled) + 3 = RMA state +There is also a single bit to indicate whether production keys or +development keys are being used when secure boot is enabled. +This single bit (specified by MLXBF_BOOTCTL_SB_DEV_MASK) only has +meaning if secure boot state equals 1 (secure boot enabled). + +The secure boot states are as follows: +- “GA secured” is when secure boot is enabled with official production keys. +- “Secured (development)” is when secure boot is enabled with development keys. + +Without this fix “GA Secured” is displayed on development cards which is +misleading. This patch updates the logic in "lifecycle_state_show()" to +handle the case where the SoC is configured for secure boot and is using +development keys. + +Fixes: 79e29cb8fbc5c ("platform/mellanox: Add bootctl driver for Mellanox BlueField Soc") +Reviewed-by: Khalil Blaiech +Signed-off-by: David Thompson +Link: https://lore.kernel.org/r/20231130183515.17214-1-davthompson@nvidia.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-bootctl.c | 39 +++++++++++++++-------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-bootctl.c b/drivers/platform/mellanox/mlxbf-bootctl.c +index 1c7a288b59a5c..6a171a4f9dc68 100644 +--- a/drivers/platform/mellanox/mlxbf-bootctl.c ++++ b/drivers/platform/mellanox/mlxbf-bootctl.c +@@ -17,6 +17,7 @@ + + #define MLXBF_BOOTCTL_SB_SECURE_MASK 0x03 + #define MLXBF_BOOTCTL_SB_TEST_MASK 0x0c ++#define MLXBF_BOOTCTL_SB_DEV_MASK BIT(4) + + #define MLXBF_SB_KEY_NUM 4 + +@@ -37,11 +38,18 @@ static struct mlxbf_bootctl_name boot_names[] = { + { MLXBF_BOOTCTL_NONE, "none" }, + }; + ++enum { ++ MLXBF_BOOTCTL_SB_LIFECYCLE_PRODUCTION = 0, ++ MLXBF_BOOTCTL_SB_LIFECYCLE_GA_SECURE = 1, ++ MLXBF_BOOTCTL_SB_LIFECYCLE_GA_NON_SECURE = 2, ++ MLXBF_BOOTCTL_SB_LIFECYCLE_RMA = 3 ++}; ++ + static const char * const mlxbf_bootctl_lifecycle_states[] = { +- [0] = "Production", +- [1] = "GA Secured", +- [2] = "GA Non-Secured", +- [3] = "RMA", ++ [MLXBF_BOOTCTL_SB_LIFECYCLE_PRODUCTION] = "Production", ++ [MLXBF_BOOTCTL_SB_LIFECYCLE_GA_SECURE] = "GA Secured", ++ [MLXBF_BOOTCTL_SB_LIFECYCLE_GA_NON_SECURE] = "GA Non-Secured", ++ [MLXBF_BOOTCTL_SB_LIFECYCLE_RMA] = "RMA", + }; + + /* ARM SMC call which is atomic and no need for lock. */ +@@ -165,25 +173,30 @@ static ssize_t second_reset_action_store(struct device *dev, + static ssize_t lifecycle_state_show(struct device *dev, + struct device_attribute *attr, char *buf) + { ++ int status_bits; ++ int use_dev_key; ++ int test_state; + int lc_state; + +- lc_state = mlxbf_bootctl_smc(MLXBF_BOOTCTL_GET_TBB_FUSE_STATUS, +- MLXBF_BOOTCTL_FUSE_STATUS_LIFECYCLE); +- if (lc_state < 0) +- return lc_state; ++ status_bits = mlxbf_bootctl_smc(MLXBF_BOOTCTL_GET_TBB_FUSE_STATUS, ++ MLXBF_BOOTCTL_FUSE_STATUS_LIFECYCLE); ++ if (status_bits < 0) ++ return status_bits; + +- lc_state &= +- MLXBF_BOOTCTL_SB_TEST_MASK | MLXBF_BOOTCTL_SB_SECURE_MASK; ++ use_dev_key = status_bits & MLXBF_BOOTCTL_SB_DEV_MASK; ++ test_state = status_bits & MLXBF_BOOTCTL_SB_TEST_MASK; ++ lc_state = status_bits & MLXBF_BOOTCTL_SB_SECURE_MASK; + + /* + * If the test bits are set, we specify that the current state may be + * due to using the test bits. + */ +- if (lc_state & MLXBF_BOOTCTL_SB_TEST_MASK) { +- lc_state &= MLXBF_BOOTCTL_SB_SECURE_MASK; +- ++ if (test_state) { + return sprintf(buf, "%s(test)\n", + mlxbf_bootctl_lifecycle_states[lc_state]); ++ } else if (use_dev_key && ++ (lc_state == MLXBF_BOOTCTL_SB_LIFECYCLE_GA_SECURE)) { ++ return sprintf(buf, "Secured (development)\n"); + } + + return sprintf(buf, "%s\n", mlxbf_bootctl_lifecycle_states[lc_state]); +-- +2.42.0 + diff --git a/queue-6.1/mm-damon-sysfs-eliminate-potential-uninitialized-var.patch b/queue-6.1/mm-damon-sysfs-eliminate-potential-uninitialized-var.patch new file mode 100644 index 00000000000..26a4c29e6a3 --- /dev/null +++ b/queue-6.1/mm-damon-sysfs-eliminate-potential-uninitialized-var.patch @@ -0,0 +1,38 @@ +From ac8261a6460b8f098205fd6d566b11a58a005736 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Nov 2023 17:07:40 +0300 +Subject: mm/damon/sysfs: eliminate potential uninitialized variable warning + +From: Dan Carpenter + +[ Upstream commit 85c2ceaafbd306814a3a4740bf4d95ac26a8b36a ] + +The "err" variable is not initialized if damon_target_has_pid(ctx) is +false and sys_target->regions->nr is zero. + +Link: https://lkml.kernel.org/r/739e6aaf-a634-4e33-98a8-16546379ec9f@moroto.mountain +Fixes: 0bcd216c4741 ("mm/damon/sysfs: update monitoring target regions for online input commit") +Signed-off-by: Dan Carpenter +Reviewed-by: SeongJae Park +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/damon/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c +index dbf5e4de97a0f..9ea21b6d266be 100644 +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -2210,7 +2210,7 @@ static int damon_sysfs_update_target(struct damon_target *target, + struct damon_ctx *ctx, + struct damon_sysfs_target *sys_target) + { +- int err; ++ int err = 0; + + if (damon_target_has_pid(ctx)) { + err = damon_sysfs_update_target_pid(target, sys_target->pid); +-- +2.42.0 + diff --git a/queue-6.1/net-atlantic-fix-null-dereference-of-skb-pointer-in.patch b/queue-6.1/net-atlantic-fix-null-dereference-of-skb-pointer-in.patch new file mode 100644 index 00000000000..b843e57f534 --- /dev/null +++ b/queue-6.1/net-atlantic-fix-null-dereference-of-skb-pointer-in.patch @@ -0,0 +1,148 @@ +From bb6077eb5bbc1aa9638f6ce2a2e683f40d12e6fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 11:58:10 +0300 +Subject: net: atlantic: Fix NULL dereference of skb pointer in + +From: Daniil Maximov + +[ Upstream commit cbe860be36095e68e4e5561ab43610982fb429fd ] + +If is_ptp_ring == true in the loop of __aq_ring_xdp_clean function, +then a timestamp is stored from a packet in a field of skb object, +which is not allocated at the moment of the call (skb == NULL). + +Generalize aq_ptp_extract_ts and other affected functions so they don't +work with struct sk_buff*, but with struct skb_shared_hwtstamps*. + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Fixes: 26efaef759a1 ("net: atlantic: Implement xdp data plane") +Signed-off-by: Daniil Maximov +Reviewed-by: Igor Russkikh +Link: https://lore.kernel.org/r/20231204085810.1681386-1-daniil31415it@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/aquantia/atlantic/aq_ptp.c | 10 +++++----- + .../net/ethernet/aquantia/atlantic/aq_ptp.h | 4 ++-- + .../net/ethernet/aquantia/atlantic/aq_ring.c | 18 ++++++++++++------ + 3 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c +index 80b44043e6c53..28c9b6f1a54f1 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.c +@@ -553,17 +553,17 @@ void aq_ptp_tx_hwtstamp(struct aq_nic_s *aq_nic, u64 timestamp) + + /* aq_ptp_rx_hwtstamp - utility function which checks for RX time stamp + * @adapter: pointer to adapter struct +- * @skb: particular skb to send timestamp with ++ * @shhwtstamps: particular skb_shared_hwtstamps to save timestamp + * + * if the timestamp is valid, we convert it into the timecounter ns + * value, then store that result into the hwtstamps structure which + * is passed up the network stack + */ +-static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct sk_buff *skb, ++static void aq_ptp_rx_hwtstamp(struct aq_ptp_s *aq_ptp, struct skb_shared_hwtstamps *shhwtstamps, + u64 timestamp) + { + timestamp -= atomic_read(&aq_ptp->offset_ingress); +- aq_ptp_convert_to_hwtstamp(aq_ptp, skb_hwtstamps(skb), timestamp); ++ aq_ptp_convert_to_hwtstamp(aq_ptp, shhwtstamps, timestamp); + } + + void aq_ptp_hwtstamp_config_get(struct aq_ptp_s *aq_ptp, +@@ -639,7 +639,7 @@ bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring) + &aq_ptp->ptp_rx == ring || &aq_ptp->hwts_rx == ring; + } + +-u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p, ++u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps *shhwtstamps, u8 *p, + unsigned int len) + { + struct aq_ptp_s *aq_ptp = aq_nic->aq_ptp; +@@ -648,7 +648,7 @@ u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p, + p, len, ×tamp); + + if (ret > 0) +- aq_ptp_rx_hwtstamp(aq_ptp, skb, timestamp); ++ aq_ptp_rx_hwtstamp(aq_ptp, shhwtstamps, timestamp); + + return ret; + } +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h +index 28ccb7ca2df9e..210b723f22072 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ptp.h +@@ -67,7 +67,7 @@ int aq_ptp_hwtstamp_config_set(struct aq_ptp_s *aq_ptp, + /* Return either ring is belong to PTP or not*/ + bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring); + +-u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct sk_buff *skb, u8 *p, ++u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, struct skb_shared_hwtstamps *shhwtstamps, u8 *p, + unsigned int len); + + struct ptp_clock *aq_ptp_get_ptp_clock(struct aq_ptp_s *aq_ptp); +@@ -143,7 +143,7 @@ static inline bool aq_ptp_ring(struct aq_nic_s *aq_nic, struct aq_ring_s *ring) + } + + static inline u16 aq_ptp_extract_ts(struct aq_nic_s *aq_nic, +- struct sk_buff *skb, u8 *p, ++ struct skb_shared_hwtstamps *shhwtstamps, u8 *p, + unsigned int len) + { + return 0; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 2dc8d215a5918..b5a49166fa972 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -647,7 +647,7 @@ static int __aq_ring_rx_clean(struct aq_ring_s *self, struct napi_struct *napi, + } + if (is_ptp_ring) + buff->len -= +- aq_ptp_extract_ts(self->aq_nic, skb, ++ aq_ptp_extract_ts(self->aq_nic, skb_hwtstamps(skb), + aq_buf_vaddr(&buff->rxdata), + buff->len); + +@@ -742,6 +742,8 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring, + struct aq_ring_buff_s *buff = &rx_ring->buff_ring[rx_ring->sw_head]; + bool is_ptp_ring = aq_ptp_ring(rx_ring->aq_nic, rx_ring); + struct aq_ring_buff_s *buff_ = NULL; ++ u16 ptp_hwtstamp_len = 0; ++ struct skb_shared_hwtstamps shhwtstamps; + struct sk_buff *skb = NULL; + unsigned int next_ = 0U; + struct xdp_buff xdp; +@@ -810,11 +812,12 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring, + hard_start = page_address(buff->rxdata.page) + + buff->rxdata.pg_off - rx_ring->page_offset; + +- if (is_ptp_ring) +- buff->len -= +- aq_ptp_extract_ts(rx_ring->aq_nic, skb, +- aq_buf_vaddr(&buff->rxdata), +- buff->len); ++ if (is_ptp_ring) { ++ ptp_hwtstamp_len = aq_ptp_extract_ts(rx_ring->aq_nic, &shhwtstamps, ++ aq_buf_vaddr(&buff->rxdata), ++ buff->len); ++ buff->len -= ptp_hwtstamp_len; ++ } + + xdp_init_buff(&xdp, frame_sz, &rx_ring->xdp_rxq); + xdp_prepare_buff(&xdp, hard_start, rx_ring->page_offset, +@@ -834,6 +837,9 @@ static int __aq_ring_xdp_clean(struct aq_ring_s *rx_ring, + if (IS_ERR(skb) || !skb) + continue; + ++ if (ptp_hwtstamp_len > 0) ++ *skb_hwtstamps(skb) = shhwtstamps; ++ + if (buff->is_vlan) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), + buff->vlan_rx_tag); +-- +2.42.0 + diff --git a/queue-6.1/net-bnxt-fix-a-potential-use-after-free-in-bnxt_init.patch b/queue-6.1/net-bnxt-fix-a-potential-use-after-free-in-bnxt_init.patch new file mode 100644 index 00000000000..87d708aa309 --- /dev/null +++ b/queue-6.1/net-bnxt-fix-a-potential-use-after-free-in-bnxt_init.patch @@ -0,0 +1,43 @@ +From 44d885c7382dbbd7527834bed81f03493b0d85ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 10:40:04 +0800 +Subject: net: bnxt: fix a potential use-after-free in bnxt_init_tc + +From: Dinghao Liu + +[ Upstream commit d007caaaf052f82ca2340d4c7b32d04a3f5dbf3f ] + +When flow_indr_dev_register() fails, bnxt_init_tc will free +bp->tc_info through kfree(). However, the caller function +bnxt_init_one() will ignore this failure and call +bnxt_shutdown_tc() on failure of bnxt_dl_register(), where +a use-after-free happens. Fix this issue by setting +bp->tc_info to NULL after kfree(). + +Fixes: 627c89d00fb9 ("bnxt_en: flow_offload: offload tunnel decap rules via indirect callbacks") +Signed-off-by: Dinghao Liu +Reviewed-by: Pavan Chebbi +Reviewed-by: Michael Chan +Reviewed-by: Somnath Kotur +Link: https://lore.kernel.org/r/20231204024004.8245-1-dinghao.liu@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +index d8afcf8d6b30e..4d6663ff84722 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +@@ -2075,6 +2075,7 @@ int bnxt_init_tc(struct bnxt *bp) + rhashtable_destroy(&tc_info->flow_table); + free_tc_info: + kfree(tc_info); ++ bp->tc_info = NULL; + return rc; + } + +-- +2.42.0 + diff --git a/queue-6.1/net-hns-fix-fake-link-up-on-xge-port.patch b/queue-6.1/net-hns-fix-fake-link-up-on-xge-port.patch new file mode 100644 index 00000000000..b188faf897d --- /dev/null +++ b/queue-6.1/net-hns-fix-fake-link-up-on-xge-port.patch @@ -0,0 +1,74 @@ +From 92301e25a4a9dbed66900697f8e994320a5375af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 22:32:32 +0800 +Subject: net: hns: fix fake link up on xge port + +From: Yonglong Liu + +[ Upstream commit f708aba40f9c1eeb9c7e93ed4863b5f85b09b288 ] + +If a xge port just connect with an optical module and no fiber, +it may have a fake link up because there may be interference on +the hardware. This patch adds an anti-shake to avoid the problem. +And the time of anti-shake is base on tests. + +Fixes: b917078c1c10 ("net: hns: Add ACPI support to check SFP present") +Signed-off-by: Yonglong Liu +Signed-off-by: Jijie Shao +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +index 928d934cb21a5..f75668c479351 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +@@ -66,6 +66,27 @@ static enum mac_mode hns_get_enet_interface(const struct hns_mac_cb *mac_cb) + } + } + ++static u32 hns_mac_link_anti_shake(struct mac_driver *mac_ctrl_drv) ++{ ++#define HNS_MAC_LINK_WAIT_TIME 5 ++#define HNS_MAC_LINK_WAIT_CNT 40 ++ ++ u32 link_status = 0; ++ int i; ++ ++ if (!mac_ctrl_drv->get_link_status) ++ return link_status; ++ ++ for (i = 0; i < HNS_MAC_LINK_WAIT_CNT; i++) { ++ msleep(HNS_MAC_LINK_WAIT_TIME); ++ mac_ctrl_drv->get_link_status(mac_ctrl_drv, &link_status); ++ if (!link_status) ++ break; ++ } ++ ++ return link_status; ++} ++ + void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status) + { + struct mac_driver *mac_ctrl_drv; +@@ -83,6 +104,14 @@ void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status) + &sfp_prsnt); + if (!ret) + *link_status = *link_status && sfp_prsnt; ++ ++ /* for FIBER port, it may have a fake link up. ++ * when the link status changes from down to up, we need to do ++ * anti-shake. the anti-shake time is base on tests. ++ * only FIBER port need to do this. ++ */ ++ if (*link_status && !mac_cb->link) ++ *link_status = hns_mac_link_anti_shake(mac_ctrl_drv); + } + + mac_cb->link = *link_status; +-- +2.42.0 + diff --git a/queue-6.1/net-hns-fix-wrong-head-when-modify-the-tx-feature-wh.patch b/queue-6.1/net-hns-fix-wrong-head-when-modify-the-tx-feature-wh.patch new file mode 100644 index 00000000000..03a7331948a --- /dev/null +++ b/queue-6.1/net-hns-fix-wrong-head-when-modify-the-tx-feature-wh.patch @@ -0,0 +1,161 @@ +From 32a031bbd21628409f3e380d544d4ad813803a05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 22:32:31 +0800 +Subject: net: hns: fix wrong head when modify the tx feature when sending + packets + +From: Yonglong Liu + +[ Upstream commit 84757d0839451b20b11e993128f0a77393ca50c1 ] + +Upon changing the tx feature, the hns driver will modify the +maybe_stop_tx() and fill_desc() functions, if the modify happens +during packet sending, will cause the hardware and software +pointers do not match, and the port can not work anymore. + +This patch deletes the maybe_stop_tx() and fill_desc() functions +modification when setting tx feature, and use the skb_is_gro() +to determine which functions to use in the tx path. + +Fixes: 38f616da1c28 ("net:hns: Add support of ethtool TSO set option for Hip06 in HNS") +Signed-off-by: Yonglong Liu +Signed-off-by: Jijie Shao +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 53 +++++++++++-------- + drivers/net/ethernet/hisilicon/hns/hns_enet.h | 3 +- + 2 files changed, 33 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 7cf10d1e2b311..85722afe21770 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -142,7 +142,8 @@ MODULE_DEVICE_TABLE(acpi, hns_enet_acpi_match); + + static void fill_desc(struct hnae_ring *ring, void *priv, + int size, dma_addr_t dma, int frag_end, +- int buf_num, enum hns_desc_type type, int mtu) ++ int buf_num, enum hns_desc_type type, int mtu, ++ bool is_gso) + { + struct hnae_desc *desc = &ring->desc[ring->next_to_use]; + struct hnae_desc_cb *desc_cb = &ring->desc_cb[ring->next_to_use]; +@@ -275,6 +276,15 @@ static int hns_nic_maybe_stop_tso( + return 0; + } + ++static int hns_nic_maybe_stop_tx_v2(struct sk_buff **out_skb, int *bnum, ++ struct hnae_ring *ring) ++{ ++ if (skb_is_gso(*out_skb)) ++ return hns_nic_maybe_stop_tso(out_skb, bnum, ring); ++ else ++ return hns_nic_maybe_stop_tx(out_skb, bnum, ring); ++} ++ + static void fill_tso_desc(struct hnae_ring *ring, void *priv, + int size, dma_addr_t dma, int frag_end, + int buf_num, enum hns_desc_type type, int mtu) +@@ -300,6 +310,19 @@ static void fill_tso_desc(struct hnae_ring *ring, void *priv, + mtu); + } + ++static void fill_desc_v2(struct hnae_ring *ring, void *priv, ++ int size, dma_addr_t dma, int frag_end, ++ int buf_num, enum hns_desc_type type, int mtu, ++ bool is_gso) ++{ ++ if (is_gso) ++ fill_tso_desc(ring, priv, size, dma, frag_end, buf_num, type, ++ mtu); ++ else ++ fill_v2_desc(ring, priv, size, dma, frag_end, buf_num, type, ++ mtu); ++} ++ + netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + struct sk_buff *skb, + struct hns_nic_ring_data *ring_data) +@@ -313,6 +336,7 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + int seg_num; + dma_addr_t dma; + int size, next_to_use; ++ bool is_gso; + int i; + + switch (priv->ops.maybe_stop_tx(&skb, &buf_num, ring)) { +@@ -339,8 +363,9 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + ring->stats.sw_err_cnt++; + goto out_err_tx_ok; + } ++ is_gso = skb_is_gso(skb); + priv->ops.fill_desc(ring, skb, size, dma, seg_num == 1 ? 1 : 0, +- buf_num, DESC_TYPE_SKB, ndev->mtu); ++ buf_num, DESC_TYPE_SKB, ndev->mtu, is_gso); + + /* fill the fragments */ + for (i = 1; i < seg_num; i++) { +@@ -354,7 +379,7 @@ netdev_tx_t hns_nic_net_xmit_hw(struct net_device *ndev, + } + priv->ops.fill_desc(ring, skb_frag_page(frag), size, dma, + seg_num - 1 == i ? 1 : 0, buf_num, +- DESC_TYPE_PAGE, ndev->mtu); ++ DESC_TYPE_PAGE, ndev->mtu, is_gso); + } + + /*complete translate all packets*/ +@@ -1776,15 +1801,6 @@ static int hns_nic_set_features(struct net_device *netdev, + netdev_info(netdev, "enet v1 do not support tso!\n"); + break; + default: +- if (features & (NETIF_F_TSO | NETIF_F_TSO6)) { +- priv->ops.fill_desc = fill_tso_desc; +- priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tso; +- /* The chip only support 7*4096 */ +- netif_set_tso_max_size(netdev, 7 * 4096); +- } else { +- priv->ops.fill_desc = fill_v2_desc; +- priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tx; +- } + break; + } + netdev->features = features; +@@ -2159,16 +2175,9 @@ static void hns_nic_set_priv_ops(struct net_device *netdev) + priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tx; + } else { + priv->ops.get_rxd_bnum = get_v2rx_desc_bnum; +- if ((netdev->features & NETIF_F_TSO) || +- (netdev->features & NETIF_F_TSO6)) { +- priv->ops.fill_desc = fill_tso_desc; +- priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tso; +- /* This chip only support 7*4096 */ +- netif_set_tso_max_size(netdev, 7 * 4096); +- } else { +- priv->ops.fill_desc = fill_v2_desc; +- priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tx; +- } ++ priv->ops.fill_desc = fill_desc_v2; ++ priv->ops.maybe_stop_tx = hns_nic_maybe_stop_tx_v2; ++ netif_set_tso_max_size(netdev, 7 * 4096); + /* enable tso when init + * control tso on/off through TSE bit in bd + */ +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.h b/drivers/net/ethernet/hisilicon/hns/hns_enet.h +index ffa9d6573f54b..3f3ee032f631c 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.h +@@ -44,7 +44,8 @@ struct hns_nic_ring_data { + struct hns_nic_ops { + void (*fill_desc)(struct hnae_ring *ring, void *priv, + int size, dma_addr_t dma, int frag_end, +- int buf_num, enum hns_desc_type type, int mtu); ++ int buf_num, enum hns_desc_type type, int mtu, ++ bool is_gso); + int (*maybe_stop_tx)(struct sk_buff **out_skb, + int *bnum, struct hnae_ring *ring); + void (*get_rxd_bnum)(u32 bnum_flag, int *out_bnum); +-- +2.42.0 + diff --git a/queue-6.1/net-stmmac-fix-fpe-events-losing.patch b/queue-6.1/net-stmmac-fix-fpe-events-losing.patch new file mode 100644 index 00000000000..9cd069139ce --- /dev/null +++ b/queue-6.1/net-stmmac-fix-fpe-events-losing.patch @@ -0,0 +1,243 @@ +From b18cd3d225b1ea8498f5a730e3e79c501460133b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 03:22:03 +0000 +Subject: net: stmmac: fix FPE events losing + +From: Jianheng Zhang + +[ Upstream commit 37e4b8df27bc68340f3fc80dbb27e3549c7f881c ] + +The status bits of register MAC_FPE_CTRL_STS are clear on read. Using +32-bit read for MAC_FPE_CTRL_STS in dwmac5_fpe_configure() and +dwmac5_fpe_send_mpacket() clear the status bits. Then the stmmac interrupt +handler missing FPE event status and leads to FPE handshaking failure and +retries. +To avoid clear status bits of MAC_FPE_CTRL_STS in dwmac5_fpe_configure() +and dwmac5_fpe_send_mpacket(), add fpe_csr to stmmac_fpe_cfg structure to +cache the control bits of MAC_FPE_CTRL_STS and to avoid reading +MAC_FPE_CTRL_STS in those methods. + +Fixes: 5a5586112b92 ("net: stmmac: support FPE link partner hand-shaking procedure") +Reviewed-by: Serge Semin +Signed-off-by: Jianheng Zhang +Link: https://lore.kernel.org/r/CY5PR12MB637225A7CF529D5BE0FBE59CBF81A@CY5PR12MB6372.namprd12.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 45 ++++++++----------- + drivers/net/ethernet/stmicro/stmmac/dwmac5.h | 4 +- + .../ethernet/stmicro/stmmac/dwxgmac2_core.c | 3 +- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 4 +- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 8 +++- + .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + + include/linux/stmmac.h | 1 + + 7 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +index e95d35f1e5a0c..8fd167501fa0e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +@@ -710,28 +710,22 @@ void dwmac5_est_irq_status(void __iomem *ioaddr, struct net_device *dev, + } + } + +-void dwmac5_fpe_configure(void __iomem *ioaddr, u32 num_txq, u32 num_rxq, ++void dwmac5_fpe_configure(void __iomem *ioaddr, struct stmmac_fpe_cfg *cfg, ++ u32 num_txq, u32 num_rxq, + bool enable) + { + u32 value; + +- if (!enable) { +- value = readl(ioaddr + MAC_FPE_CTRL_STS); +- +- value &= ~EFPE; +- +- writel(value, ioaddr + MAC_FPE_CTRL_STS); +- return; ++ if (enable) { ++ cfg->fpe_csr = EFPE; ++ value = readl(ioaddr + GMAC_RXQ_CTRL1); ++ value &= ~GMAC_RXQCTRL_FPRQ; ++ value |= (num_rxq - 1) << GMAC_RXQCTRL_FPRQ_SHIFT; ++ writel(value, ioaddr + GMAC_RXQ_CTRL1); ++ } else { ++ cfg->fpe_csr = 0; + } +- +- value = readl(ioaddr + GMAC_RXQ_CTRL1); +- value &= ~GMAC_RXQCTRL_FPRQ; +- value |= (num_rxq - 1) << GMAC_RXQCTRL_FPRQ_SHIFT; +- writel(value, ioaddr + GMAC_RXQ_CTRL1); +- +- value = readl(ioaddr + MAC_FPE_CTRL_STS); +- value |= EFPE; +- writel(value, ioaddr + MAC_FPE_CTRL_STS); ++ writel(cfg->fpe_csr, ioaddr + MAC_FPE_CTRL_STS); + } + + int dwmac5_fpe_irq_status(void __iomem *ioaddr, struct net_device *dev) +@@ -741,6 +735,9 @@ int dwmac5_fpe_irq_status(void __iomem *ioaddr, struct net_device *dev) + + status = FPE_EVENT_UNKNOWN; + ++ /* Reads from the MAC_FPE_CTRL_STS register should only be performed ++ * here, since the status flags of MAC_FPE_CTRL_STS are "clear on read" ++ */ + value = readl(ioaddr + MAC_FPE_CTRL_STS); + + if (value & TRSP) { +@@ -766,19 +763,15 @@ int dwmac5_fpe_irq_status(void __iomem *ioaddr, struct net_device *dev) + return status; + } + +-void dwmac5_fpe_send_mpacket(void __iomem *ioaddr, enum stmmac_mpacket_type type) ++void dwmac5_fpe_send_mpacket(void __iomem *ioaddr, struct stmmac_fpe_cfg *cfg, ++ enum stmmac_mpacket_type type) + { +- u32 value; ++ u32 value = cfg->fpe_csr; + +- value = readl(ioaddr + MAC_FPE_CTRL_STS); +- +- if (type == MPACKET_VERIFY) { +- value &= ~SRSP; ++ if (type == MPACKET_VERIFY) + value |= SVER; +- } else { +- value &= ~SVER; ++ else if (type == MPACKET_RESPONSE) + value |= SRSP; +- } + + writel(value, ioaddr + MAC_FPE_CTRL_STS); + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac5.h b/drivers/net/ethernet/stmicro/stmmac/dwmac5.h +index 53c138d0ff480..34e620790eb37 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.h +@@ -153,9 +153,11 @@ int dwmac5_est_configure(void __iomem *ioaddr, struct stmmac_est *cfg, + unsigned int ptp_rate); + void dwmac5_est_irq_status(void __iomem *ioaddr, struct net_device *dev, + struct stmmac_extra_stats *x, u32 txqcnt); +-void dwmac5_fpe_configure(void __iomem *ioaddr, u32 num_txq, u32 num_rxq, ++void dwmac5_fpe_configure(void __iomem *ioaddr, struct stmmac_fpe_cfg *cfg, ++ u32 num_txq, u32 num_rxq, + bool enable); + void dwmac5_fpe_send_mpacket(void __iomem *ioaddr, ++ struct stmmac_fpe_cfg *cfg, + enum stmmac_mpacket_type type); + int dwmac5_fpe_irq_status(void __iomem *ioaddr, struct net_device *dev); + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index f30e08a106cbe..c2181c277291b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -1441,7 +1441,8 @@ static int dwxgmac3_est_configure(void __iomem *ioaddr, struct stmmac_est *cfg, + return 0; + } + +-static void dwxgmac3_fpe_configure(void __iomem *ioaddr, u32 num_txq, ++static void dwxgmac3_fpe_configure(void __iomem *ioaddr, struct stmmac_fpe_cfg *cfg, ++ u32 num_txq, + u32 num_rxq, bool enable) + { + u32 value; +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 592b4067f9b8f..b2b9cf04bc726 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -392,9 +392,11 @@ struct stmmac_ops { + unsigned int ptp_rate); + void (*est_irq_status)(void __iomem *ioaddr, struct net_device *dev, + struct stmmac_extra_stats *x, u32 txqcnt); +- void (*fpe_configure)(void __iomem *ioaddr, u32 num_txq, u32 num_rxq, ++ void (*fpe_configure)(void __iomem *ioaddr, struct stmmac_fpe_cfg *cfg, ++ u32 num_txq, u32 num_rxq, + bool enable); + void (*fpe_send_mpacket)(void __iomem *ioaddr, ++ struct stmmac_fpe_cfg *cfg, + enum stmmac_mpacket_type type); + int (*fpe_irq_status)(void __iomem *ioaddr, struct net_device *dev); + }; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 9f76c2f7d513b..69aac8ed84f67 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -957,7 +957,8 @@ static void stmmac_fpe_link_state_handle(struct stmmac_priv *priv, bool is_up) + bool *hs_enable = &fpe_cfg->hs_enable; + + if (is_up && *hs_enable) { +- stmmac_fpe_send_mpacket(priv, priv->ioaddr, MPACKET_VERIFY); ++ stmmac_fpe_send_mpacket(priv, priv->ioaddr, fpe_cfg, ++ MPACKET_VERIFY); + } else { + *lo_state = FPE_STATE_OFF; + *lp_state = FPE_STATE_OFF; +@@ -5704,6 +5705,7 @@ static void stmmac_fpe_event_status(struct stmmac_priv *priv, int status) + /* If user has requested FPE enable, quickly response */ + if (*hs_enable) + stmmac_fpe_send_mpacket(priv, priv->ioaddr, ++ fpe_cfg, + MPACKET_RESPONSE); + } + +@@ -7028,6 +7030,7 @@ static void stmmac_fpe_lp_task(struct work_struct *work) + if (*lo_state == FPE_STATE_ENTERING_ON && + *lp_state == FPE_STATE_ENTERING_ON) { + stmmac_fpe_configure(priv, priv->ioaddr, ++ fpe_cfg, + priv->plat->tx_queues_to_use, + priv->plat->rx_queues_to_use, + *enable); +@@ -7046,6 +7049,7 @@ static void stmmac_fpe_lp_task(struct work_struct *work) + netdev_info(priv->dev, SEND_VERIFY_MPAKCET_FMT, + *lo_state, *lp_state); + stmmac_fpe_send_mpacket(priv, priv->ioaddr, ++ fpe_cfg, + MPACKET_VERIFY); + } + /* Sleep then retry */ +@@ -7060,6 +7064,7 @@ void stmmac_fpe_handshake(struct stmmac_priv *priv, bool enable) + if (priv->plat->fpe_cfg->hs_enable != enable) { + if (enable) { + stmmac_fpe_send_mpacket(priv, priv->ioaddr, ++ priv->plat->fpe_cfg, + MPACKET_VERIFY); + } else { + priv->plat->fpe_cfg->lo_fpe_state = FPE_STATE_OFF; +@@ -7472,6 +7477,7 @@ int stmmac_suspend(struct device *dev) + if (priv->dma_cap.fpesel) { + /* Disable FPE */ + stmmac_fpe_configure(priv, priv->ioaddr, ++ priv->plat->fpe_cfg, + priv->plat->tx_queues_to_use, + priv->plat->rx_queues_to_use, false); + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 773e415cc2de6..390c900832cd2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -1073,6 +1073,7 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + + priv->plat->fpe_cfg->enable = false; + stmmac_fpe_configure(priv, priv->ioaddr, ++ priv->plat->fpe_cfg, + priv->plat->tx_queues_to_use, + priv->plat->rx_queues_to_use, + false); +diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h +index d82ff9fa1a6e8..9f4a4f70270df 100644 +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -172,6 +172,7 @@ struct stmmac_fpe_cfg { + bool hs_enable; /* FPE handshake enable */ + enum stmmac_fpe_state lp_fpe_state; /* Link Partner FPE state */ + enum stmmac_fpe_state lo_fpe_state; /* Local station FPE state */ ++ u32 fpe_csr; /* MAC_FPE_CTRL_STS reg cache */ + }; + + struct stmmac_safety_feature_cfg { +-- +2.42.0 + diff --git a/queue-6.1/netfilter-nf_tables-bail-out-on-mismatching-dynset-a.patch b/queue-6.1/netfilter-nf_tables-bail-out-on-mismatching-dynset-a.patch new file mode 100644 index 00000000000..b671d263be7 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-bail-out-on-mismatching-dynset-a.patch @@ -0,0 +1,48 @@ +From 78361a6ea8ead051cd92636d8a617a99ed67ae12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 14:25:33 +0100 +Subject: netfilter: nf_tables: bail out on mismatching dynset and set + expressions + +From: Pablo Neira Ayuso + +[ Upstream commit 3701cd390fd731ee7ae8b8006246c8db82c72bea ] + +If dynset expressions provided by userspace is larger than the declared +set expressions, then bail out. + +Fixes: 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions") +Reported-by: Xingyuan Mo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_dynset.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index cf9a1ae87d9b1..a470e5f612843 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -279,10 +279,15 @@ static int nft_dynset_init(const struct nft_ctx *ctx, + priv->expr_array[i] = dynset_expr; + priv->num_exprs++; + +- if (set->num_exprs && +- dynset_expr->ops != set->exprs[i]->ops) { +- err = -EOPNOTSUPP; +- goto err_expr_free; ++ if (set->num_exprs) { ++ if (i >= set->num_exprs) { ++ err = -EINVAL; ++ goto err_expr_free; ++ } ++ if (dynset_expr->ops != set->exprs[i]->ops) { ++ err = -EOPNOTSUPP; ++ goto err_expr_free; ++ } + } + i++; + } +-- +2.42.0 + diff --git a/queue-6.1/netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch b/queue-6.1/netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch new file mode 100644 index 00000000000..f931bcc4273 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch @@ -0,0 +1,94 @@ +From 0ce5ff9c9a5263d5eeefa2394449c6488c63d277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 12:29:54 +0100 +Subject: netfilter: nf_tables: fix 'exist' matching on bigendian arches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Westphal + +[ Upstream commit 63331e37fb227e796894b31d713697612c8dee7f ] + +Maze reports "tcp option fastopen exists" fails to match on +OpenWrt 22.03.5, r20134-5f15225c1e (5.10.176) router. + +"tcp option fastopen exists" translates to: +inet + [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +.. but existing nft userspace generates a 1-byte compare. + +On LSB (x86), "*reg32 = 1" is identical to nft_reg_store8(reg32, 1), but +not on MSB, which will place the 1 last. IOW, on bigendian aches the cmp8 +is awalys false. + +Make sure we store this in a consistent fashion, so existing userspace +will also work on MSB (bigendian). + +Regardless of this patch we can also change nft userspace to generate +'reg32 == 0' and 'reg32 != 0' instead of u8 == 0 // u8 == 1 when +adding 'option x missing/exists' expressions as well. + +Fixes: 3c1fece8819e ("netfilter: nft_exthdr: Allow checking TCP option presence, too") +Fixes: b9f9a485fb0e ("netfilter: nft_exthdr: add boolean DCCP option matching") +Fixes: 055c4b34b94f ("netfilter: nft_fib: Support existence check") +Reported-by: Maciej Å»enczykowski +Closes: https://lore.kernel.org/netfilter-devel/CAHo-OozyEqHUjL2-ntATzeZOiuftLWZ_HU6TOM_js4qLfDEAJg@mail.gmail.com/ +Signed-off-by: Florian Westphal +Acked-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 4 ++-- + net/netfilter/nft_fib.c | 8 ++++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index f96706de1ad05..de588f7b69c45 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -215,7 +215,7 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, + + offset = i + priv->offset; + if (priv->flags & NFT_EXTHDR_F_PRESENT) { +- *dest = 1; ++ nft_reg_store8(dest, 1); + } else { + if (priv->len % NFT_REG32_SIZE) + dest[priv->len / NFT_REG32_SIZE] = 0; +@@ -462,7 +462,7 @@ static void nft_exthdr_dccp_eval(const struct nft_expr *expr, + type = bufp[0]; + + if (type == priv->type) { +- *dest = 1; ++ nft_reg_store8(dest, 1); + return; + } + +diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c +index 1f12d7ade606c..5748415f74d0b 100644 +--- a/net/netfilter/nft_fib.c ++++ b/net/netfilter/nft_fib.c +@@ -144,11 +144,15 @@ void nft_fib_store_result(void *reg, const struct nft_fib *priv, + switch (priv->result) { + case NFT_FIB_RESULT_OIF: + index = dev ? dev->ifindex : 0; +- *dreg = (priv->flags & NFTA_FIB_F_PRESENT) ? !!index : index; ++ if (priv->flags & NFTA_FIB_F_PRESENT) ++ nft_reg_store8(dreg, !!index); ++ else ++ *dreg = index; ++ + break; + case NFT_FIB_RESULT_OIFNAME: + if (priv->flags & NFTA_FIB_F_PRESENT) +- *dreg = !!dev; ++ nft_reg_store8(dreg, !!dev); + else + strncpy(reg, dev ? dev->name : "", IFNAMSIZ); + break; +-- +2.42.0 + diff --git a/queue-6.1/netfilter-nf_tables-validate-family-when-identifying.patch b/queue-6.1/netfilter-nf_tables-validate-family-when-identifying.patch new file mode 100644 index 00000000000..f7719c44a8c --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-validate-family-when-identifying.patch @@ -0,0 +1,53 @@ +From 7d772fb7db7c0b7b8f9da4e503ba994e19ab6cb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 14:51:48 +0100 +Subject: netfilter: nf_tables: validate family when identifying table via + handle + +From: Pablo Neira Ayuso + +[ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ] + +Validate table family when looking up for it via NFTA_TABLE_HANDLE. + +Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle") +Reported-by: Xingyuan Mo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 421211eba838b..05fa5141af516 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -805,7 +805,7 @@ static struct nft_table *nft_table_lookup(const struct net *net, + + static struct nft_table *nft_table_lookup_byhandle(const struct net *net, + const struct nlattr *nla, +- u8 genmask, u32 nlpid) ++ int family, u8 genmask, u32 nlpid) + { + struct nftables_pernet *nft_net; + struct nft_table *table; +@@ -813,6 +813,7 @@ static struct nft_table *nft_table_lookup_byhandle(const struct net *net, + nft_net = nft_pernet(net); + list_for_each_entry(table, &nft_net->tables, list) { + if (be64_to_cpu(nla_get_be64(nla)) == table->handle && ++ table->family == family && + nft_active_genmask(table, genmask)) { + if (nft_table_has_owner(table) && + nlpid && table->nlpid != nlpid) +@@ -1537,7 +1538,7 @@ static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, + + if (nla[NFTA_TABLE_HANDLE]) { + attr = nla[NFTA_TABLE_HANDLE]; +- table = nft_table_lookup_byhandle(net, attr, genmask, ++ table = nft_table_lookup_byhandle(net, attr, family, genmask, + NETLINK_CB(skb).portid); + } else { + attr = nla[NFTA_TABLE_NAME]; +-- +2.42.0 + diff --git a/queue-6.1/netfilter-nft_exthdr-add-boolean-dccp-option-matchin.patch b/queue-6.1/netfilter-nft_exthdr-add-boolean-dccp-option-matchin.patch new file mode 100644 index 00000000000..d1e33c4fed5 --- /dev/null +++ b/queue-6.1/netfilter-nft_exthdr-add-boolean-dccp-option-matchin.patch @@ -0,0 +1,190 @@ +From c4b6ebd601ab205b9ea4673ce86a1305a50848c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 22:19:45 +0100 +Subject: netfilter: nft_exthdr: add boolean DCCP option matching + +From: Jeremy Sowden + +[ Upstream commit b9f9a485fb0eb80b0e2b90410b28cbb9b0e85687 ] + +The xt_dccp iptables module supports the matching of DCCP packets based +on the presence or absence of DCCP options. Extend nft_exthdr to add +this functionality to nftables. + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930 +Signed-off-by: Jeremy Sowden +Signed-off-by: Florian Westphal +Stable-dep-of: 63331e37fb22 ("netfilter: nf_tables: fix 'exist' matching on bigendian arches") +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/nf_tables.h | 2 + + net/netfilter/nft_exthdr.c | 106 +++++++++++++++++++++++ + 2 files changed, 108 insertions(+) + +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h +index 466fd3f4447c2..af8f4c304d272 100644 +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -816,12 +816,14 @@ enum nft_exthdr_flags { + * @NFT_EXTHDR_OP_TCP: match against tcp options + * @NFT_EXTHDR_OP_IPV4: match against ipv4 options + * @NFT_EXTHDR_OP_SCTP: match against sctp chunks ++ * @NFT_EXTHDR_OP_DCCP: match against dccp otions + */ + enum nft_exthdr_op { + NFT_EXTHDR_OP_IPV6, + NFT_EXTHDR_OP_TCPOPT, + NFT_EXTHDR_OP_IPV4, + NFT_EXTHDR_OP_SCTP, ++ NFT_EXTHDR_OP_DCCP, + __NFT_EXTHDR_OP_MAX + }; + #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index efb50c2b41f32..f96706de1ad05 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -409,6 +410,82 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, + regs->verdict.code = NFT_BREAK; + } + ++static void nft_exthdr_dccp_eval(const struct nft_expr *expr, ++ struct nft_regs *regs, ++ const struct nft_pktinfo *pkt) ++{ ++ struct nft_exthdr *priv = nft_expr_priv(expr); ++ unsigned int thoff, dataoff, optoff, optlen, i; ++ u32 *dest = ®s->data[priv->dreg]; ++ const struct dccp_hdr *dh; ++ struct dccp_hdr _dh; ++ ++ if (pkt->tprot != IPPROTO_DCCP || pkt->fragoff) ++ goto err; ++ ++ thoff = nft_thoff(pkt); ++ ++ dh = skb_header_pointer(pkt->skb, thoff, sizeof(_dh), &_dh); ++ if (!dh) ++ goto err; ++ ++ dataoff = dh->dccph_doff * sizeof(u32); ++ optoff = __dccp_hdr_len(dh); ++ if (dataoff <= optoff) ++ goto err; ++ ++ optlen = dataoff - optoff; ++ ++ for (i = 0; i < optlen; ) { ++ /* Options 0 (DCCPO_PADDING) - 31 (DCCPO_MAX_RESERVED) are 1B in ++ * the length; the remaining options are at least 2B long. In ++ * all cases, the first byte contains the option type. In ++ * multi-byte options, the second byte contains the option ++ * length, which must be at least two: 1 for the type plus 1 for ++ * the length plus 0-253 for any following option data. We ++ * aren't interested in the option data, only the type and the ++ * length, so we don't need to read more than two bytes at a ++ * time. ++ */ ++ unsigned int buflen = optlen - i; ++ u8 buf[2], *bufp; ++ u8 type, len; ++ ++ if (buflen > sizeof(buf)) ++ buflen = sizeof(buf); ++ ++ bufp = skb_header_pointer(pkt->skb, thoff + optoff + i, buflen, ++ &buf); ++ if (!bufp) ++ goto err; ++ ++ type = bufp[0]; ++ ++ if (type == priv->type) { ++ *dest = 1; ++ return; ++ } ++ ++ if (type <= DCCPO_MAX_RESERVED) { ++ i++; ++ continue; ++ } ++ ++ if (buflen < 2) ++ goto err; ++ ++ len = bufp[1]; ++ ++ if (len < 2) ++ goto err; ++ ++ i += len; ++ } ++ ++err: ++ *dest = 0; ++} ++ + static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { + [NFTA_EXTHDR_DREG] = { .type = NLA_U32 }, + [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 }, +@@ -560,6 +637,22 @@ static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx, + return 0; + } + ++static int nft_exthdr_dccp_init(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ const struct nlattr * const tb[]) ++{ ++ struct nft_exthdr *priv = nft_expr_priv(expr); ++ int err = nft_exthdr_init(ctx, expr, tb); ++ ++ if (err < 0) ++ return err; ++ ++ if (!(priv->flags & NFT_EXTHDR_F_PRESENT)) ++ return -EOPNOTSUPP; ++ ++ return 0; ++} ++ + static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv) + { + if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type)) +@@ -686,6 +779,15 @@ static const struct nft_expr_ops nft_exthdr_sctp_ops = { + .reduce = nft_exthdr_reduce, + }; + ++static const struct nft_expr_ops nft_exthdr_dccp_ops = { ++ .type = &nft_exthdr_type, ++ .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)), ++ .eval = nft_exthdr_dccp_eval, ++ .init = nft_exthdr_dccp_init, ++ .dump = nft_exthdr_dump, ++ .reduce = nft_exthdr_reduce, ++}; ++ + static const struct nft_expr_ops * + nft_exthdr_select_ops(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) +@@ -720,6 +822,10 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx, + if (tb[NFTA_EXTHDR_DREG]) + return &nft_exthdr_sctp_ops; + break; ++ case NFT_EXTHDR_OP_DCCP: ++ if (tb[NFTA_EXTHDR_DREG]) ++ return &nft_exthdr_dccp_ops; ++ break; + } + + return ERR_PTR(-EOPNOTSUPP); +-- +2.42.0 + diff --git a/queue-6.1/netfilter-xt_owner-fix-for-unsafe-access-of-sk-sk_so.patch b/queue-6.1/netfilter-xt_owner-fix-for-unsafe-access-of-sk-sk_so.patch new file mode 100644 index 00000000000..dad0c52f1dc --- /dev/null +++ b/queue-6.1/netfilter-xt_owner-fix-for-unsafe-access-of-sk-sk_so.patch @@ -0,0 +1,71 @@ +From 3c98bd0c3321ff2d730fedd8a1d2f561a1d48d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 21:58:12 +0100 +Subject: netfilter: xt_owner: Fix for unsafe access of sk->sk_socket + +From: Phil Sutter + +[ Upstream commit 7ae836a3d630e146b732fe8ef7d86b243748751f ] + +A concurrently running sock_orphan() may NULL the sk_socket pointer in +between check and deref. Follow other users (like nft_meta.c for +instance) and acquire sk_callback_lock before dereferencing sk_socket. + +Fixes: 0265ab44bacc ("[NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner") +Reported-by: Jann Horn +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_owner.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c +index e85ce69924aee..50332888c8d23 100644 +--- a/net/netfilter/xt_owner.c ++++ b/net/netfilter/xt_owner.c +@@ -76,18 +76,23 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par) + */ + return false; + +- filp = sk->sk_socket->file; +- if (filp == NULL) ++ read_lock_bh(&sk->sk_callback_lock); ++ filp = sk->sk_socket ? sk->sk_socket->file : NULL; ++ if (filp == NULL) { ++ read_unlock_bh(&sk->sk_callback_lock); + return ((info->match ^ info->invert) & + (XT_OWNER_UID | XT_OWNER_GID)) == 0; ++ } + + if (info->match & XT_OWNER_UID) { + kuid_t uid_min = make_kuid(net->user_ns, info->uid_min); + kuid_t uid_max = make_kuid(net->user_ns, info->uid_max); + if ((uid_gte(filp->f_cred->fsuid, uid_min) && + uid_lte(filp->f_cred->fsuid, uid_max)) ^ +- !(info->invert & XT_OWNER_UID)) ++ !(info->invert & XT_OWNER_UID)) { ++ read_unlock_bh(&sk->sk_callback_lock); + return false; ++ } + } + + if (info->match & XT_OWNER_GID) { +@@ -112,10 +117,13 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par) + } + } + +- if (match ^ !(info->invert & XT_OWNER_GID)) ++ if (match ^ !(info->invert & XT_OWNER_GID)) { ++ read_unlock_bh(&sk->sk_callback_lock); + return false; ++ } + } + ++ read_unlock_bh(&sk->sk_callback_lock); + return true; + } + +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-add-missing-mcs-flr-handler-call.patch b/queue-6.1/octeontx2-af-add-missing-mcs-flr-handler-call.patch new file mode 100644 index 00000000000..1814cc1dcd3 --- /dev/null +++ b/queue-6.1/octeontx2-af-add-missing-mcs-flr-handler-call.patch @@ -0,0 +1,38 @@ +From f40a1440cac1753e8403798ae82d18261c8dd948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 13:34:33 +0530 +Subject: octeontx2-af: Add missing mcs flr handler call + +From: Geetha sowjanya + +[ Upstream commit d431abd0a9aa27be379fb5f8304062071b0f5a7e ] + +If mcs resources are attached to PF/VF. These resources need +to be freed on FLR. This patch add missing mcs flr call on PF FLR. + +Fixes: bd69476e86fc ("octeontx2-af: cn10k: mcs: Install a default TCAM for normal traffic") +Signed-off-by: Geetha sowjanya +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 733add3a9dc6b..d88d86bf07b03 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -2622,6 +2622,9 @@ static void __rvu_flr_handler(struct rvu *rvu, u16 pcifunc) + */ + rvu_npc_free_mcam_entries(rvu, pcifunc, -1); + ++ if (rvu->mcs_blk_cnt) ++ rvu_mcs_flr_handler(rvu, pcifunc); ++ + mutex_unlock(&rvu->flr_lock); + } + +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-adjust-tx-credits-when-mcs-external-byp.patch b/queue-6.1/octeontx2-af-adjust-tx-credits-when-mcs-external-byp.patch new file mode 100644 index 00000000000..913bd35e959 --- /dev/null +++ b/queue-6.1/octeontx2-af-adjust-tx-credits-when-mcs-external-byp.patch @@ -0,0 +1,153 @@ +From be346a3c4ff84600623a062a9a7d67d260171e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 13:34:30 +0530 +Subject: octeontx2-af: Adjust Tx credits when MCS external bypass is disabled + +From: Nithin Dabilpuram + +[ Upstream commit dca6fa8644b89f54345e55501b1419316ba5cb29 ] + +When MCS external bypass is disabled, MCS returns additional +2 credits(32B) for every packet Tx'ed on LMAC. To account for +these extra credits, NIX_AF_TX_LINKX_NORM_CREDIT.CC_MCS_CNT +needs to be configured as otherwise NIX Tx credits would overflow +and will never be returned to idle state credit count +causing issues with credit control and MTU change. + +This patch fixes the same by configuring CC_MCS_CNT at probe +time for MCS enabled SoC's + +Fixes: bd69476e86fc ("octeontx2-af: cn10k: mcs: Install a default TCAM for normal traffic") +Signed-off-by: Nithin Dabilpuram +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Goutham +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/mcs.c | 14 +++++++++++++- + drivers/net/ethernet/marvell/octeontx2/af/mcs.h | 2 ++ + drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 1 + + .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 8 ++++++++ + .../net/ethernet/marvell/octeontx2/af/rvu_reg.h | 1 + + 5 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mcs.c b/drivers/net/ethernet/marvell/octeontx2/af/mcs.c +index c43f19dfbd744..bd87507cf8eaa 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mcs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mcs.c +@@ -1219,6 +1219,17 @@ struct mcs *mcs_get_pdata(int mcs_id) + return NULL; + } + ++bool is_mcs_bypass(int mcs_id) ++{ ++ struct mcs *mcs_dev; ++ ++ list_for_each_entry(mcs_dev, &mcs_list, mcs_list) { ++ if (mcs_dev->mcs_id == mcs_id) ++ return mcs_dev->bypass; ++ } ++ return true; ++} ++ + void mcs_set_port_cfg(struct mcs *mcs, struct mcs_port_cfg_set_req *req) + { + u64 val = 0; +@@ -1436,7 +1447,7 @@ static int mcs_x2p_calibration(struct mcs *mcs) + return err; + } + +-static void mcs_set_external_bypass(struct mcs *mcs, u8 bypass) ++static void mcs_set_external_bypass(struct mcs *mcs, bool bypass) + { + u64 val; + +@@ -1447,6 +1458,7 @@ static void mcs_set_external_bypass(struct mcs *mcs, u8 bypass) + else + val &= ~BIT_ULL(6); + mcs_reg_write(mcs, MCSX_MIL_GLOBAL, val); ++ mcs->bypass = bypass; + } + + static void mcs_global_cfg(struct mcs *mcs) +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mcs.h b/drivers/net/ethernet/marvell/octeontx2/af/mcs.h +index 0f89dcb764654..f927cc61dfd21 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mcs.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mcs.h +@@ -149,6 +149,7 @@ struct mcs { + u16 num_vec; + void *rvu; + u16 *tx_sa_active; ++ bool bypass; + }; + + struct mcs_ops { +@@ -206,6 +207,7 @@ void mcs_get_custom_tag_cfg(struct mcs *mcs, struct mcs_custom_tag_cfg_get_req * + int mcs_alloc_ctrlpktrule(struct rsrc_bmap *rsrc, u16 *pf_map, u16 offset, u16 pcifunc); + int mcs_free_ctrlpktrule(struct mcs *mcs, struct mcs_free_ctrl_pkt_rule_req *req); + int mcs_ctrlpktrule_write(struct mcs *mcs, struct mcs_ctrl_pkt_rule_write_req *req); ++bool is_mcs_bypass(int mcs_id); + + /* CN10K-B APIs */ + void cn10kb_mcs_set_hw_capabilities(struct mcs *mcs); +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +index a3346ea7876c5..95a7bc396e8ea 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +@@ -325,6 +325,7 @@ struct nix_hw { + struct nix_txvlan txvlan; + struct nix_ipolicer *ipolicer; + u64 *tx_credits; ++ u8 cc_mcs_cnt; + }; + + /* RVU block's capabilities or functionality, +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +index 7310047136986..959f36efdc4a6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c +@@ -12,6 +12,7 @@ + #include "rvu_reg.h" + #include "rvu.h" + #include "npc.h" ++#include "mcs.h" + #include "cgx.h" + #include "lmac_common.h" + #include "rvu_npc_hash.h" +@@ -4164,6 +4165,12 @@ static void nix_link_config(struct rvu *rvu, int blkaddr, + SDP_HW_MAX_FRS << 16 | NIC_HW_MIN_FRS); + } + ++ /* Get MCS external bypass status for CN10K-B */ ++ if (mcs_get_blkcnt() == 1) { ++ /* Adjust for 2 credits when external bypass is disabled */ ++ nix_hw->cc_mcs_cnt = is_mcs_bypass(0) ? 0 : 2; ++ } ++ + /* Set credits for Tx links assuming max packet length allowed. + * This will be reconfigured based on MTU set for PF/VF. + */ +@@ -4187,6 +4194,7 @@ static void nix_link_config(struct rvu *rvu, int blkaddr, + tx_credits = (lmac_fifo_len - lmac_max_frs) / 16; + /* Enable credits and set credit pkt count to max allowed */ + cfg = (tx_credits << 12) | (0x1FF << 2) | BIT_ULL(1); ++ cfg |= FIELD_PREP(NIX_AF_LINKX_MCS_CNT_MASK, nix_hw->cc_mcs_cnt); + + link = iter + slink; + nix_hw->tx_credits[link] = tx_credits; +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h +index 39f7a7cb27558..b690e5566f12a 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h +@@ -434,6 +434,7 @@ + + #define NIX_AF_LINKX_BASE_MASK GENMASK_ULL(11, 0) + #define NIX_AF_LINKX_RANGE_MASK GENMASK_ULL(19, 16) ++#define NIX_AF_LINKX_MCS_CNT_MASK GENMASK_ULL(33, 32) + + /* SSO */ + #define SSO_AF_CONST (0x1000) +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-check-return-value-of-nix_get_nixlf-bef.patch b/queue-6.1/octeontx2-af-check-return-value-of-nix_get_nixlf-bef.patch new file mode 100644 index 00000000000..99fa32aa956 --- /dev/null +++ b/queue-6.1/octeontx2-af-check-return-value-of-nix_get_nixlf-bef.patch @@ -0,0 +1,45 @@ +From b2d15b718f08c40a483b1c6510141379ec7988e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 11:11:48 +0530 +Subject: octeontx2-af: Check return value of nix_get_nixlf before using nixlf + +From: Subbaraya Sundeep + +[ Upstream commit 830139e7b6911266a84a77e1f18abf758995cc89 ] + +If a NIXLF is not attached to a PF/VF device then +nix_get_nixlf function fails and returns proper error +code. But npc_get_default_entry_action does not check it +and uses garbage value in subsequent calls. Fix this +by cheking the return value of nix_get_nixlf. + +Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +index 16cfc802e348d..f65805860c8d4 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c +@@ -389,7 +389,13 @@ static u64 npc_get_default_entry_action(struct rvu *rvu, struct npc_mcam *mcam, + int bank, nixlf, index; + + /* get ucast entry rule entry index */ +- nix_get_nixlf(rvu, pf_func, &nixlf, NULL); ++ if (nix_get_nixlf(rvu, pf_func, &nixlf, NULL)) { ++ dev_err(rvu->dev, "%s: nixlf not attached to pcifunc:0x%x\n", ++ __func__, pf_func); ++ /* Action 0 is drop */ ++ return 0; ++ } ++ + index = npc_get_nixlf_mcam_index(mcam, pf_func, nixlf, + NIXLF_UCAST_ENTRY); + bank = npc_get_bank(mcam, index); +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-fix-a-use-after-free-in-rvu_npa_registe.patch b/queue-6.1/octeontx2-af-fix-a-use-after-free-in-rvu_npa_registe.patch new file mode 100644 index 00000000000..b57081cf0ae --- /dev/null +++ b/queue-6.1/octeontx2-af-fix-a-use-after-free-in-rvu_npa_registe.patch @@ -0,0 +1,61 @@ +From 690acb951042266a0e65a46edea9b280b2f28ed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Dec 2023 17:59:02 +0800 +Subject: octeontx2-af: fix a use-after-free in rvu_npa_register_reporters + +From: Zhipeng Lu + +[ Upstream commit 3c91c909f13f0c32b0d54d75c3f798479b1a84f5 ] + +The rvu_dl will be freed in rvu_npa_health_reporters_destroy(rvu_dl) +after the create_workqueue fails, and after that free, the rvu_dl will +be translate back through rvu_npa_health_reporters_create, +rvu_health_reporters_create, and rvu_register_dl. Finally it goes to the +err_dl_health label, being freed again in +rvu_health_reporters_destroy(rvu) by rvu_npa_health_reporters_destroy. +In the second calls of rvu_npa_health_reporters_destroy, however, +it uses rvu_dl->rvu_npa_health_reporter, which is already freed at +the end of rvu_npa_health_reporters_destroy in the first call. + +So this patch prevents the first destroy by instantly returning -ENONMEN +when create_workqueue fails. In addition, since the failure of +create_workqueue is the only entrence of label err, it has been +integrated into the error-handling path of create_workqueue. + +Fixes: f1168d1e207c ("octeontx2-af: Add devlink health reporters for NPA") +Signed-off-by: Zhipeng Lu +Acked-by: Paolo Abeni +Acked-by: Geethasowjanya Akula +Link: https://lore.kernel.org/r/20231202095902.3264863-1-alexious@zju.edu.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index dc7bd2ce78f7d..d609512998992 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -1285,7 +1285,7 @@ static int rvu_npa_register_reporters(struct rvu_devlink *rvu_dl) + + rvu_dl->devlink_wq = create_workqueue("rvu_devlink_wq"); + if (!rvu_dl->devlink_wq) +- goto err; ++ return -ENOMEM; + + INIT_WORK(&rvu_reporters->intr_work, rvu_npa_intr_work); + INIT_WORK(&rvu_reporters->err_work, rvu_npa_err_work); +@@ -1293,9 +1293,6 @@ static int rvu_npa_register_reporters(struct rvu_devlink *rvu_dl) + INIT_WORK(&rvu_reporters->ras_work, rvu_npa_ras_work); + + return 0; +-err: +- rvu_npa_health_reporters_destroy(rvu_dl); +- return -ENOMEM; + } + + static int rvu_npa_health_reporters_create(struct rvu_devlink *rvu_dl) +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-fix-mcs-sa-cam-entries-size.patch b/queue-6.1/octeontx2-af-fix-mcs-sa-cam-entries-size.patch new file mode 100644 index 00000000000..98549b7962c --- /dev/null +++ b/queue-6.1/octeontx2-af-fix-mcs-sa-cam-entries-size.patch @@ -0,0 +1,38 @@ +From ca459be67e77550f37ce3701f50cce348b0ceb0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 13:34:31 +0530 +Subject: octeontx2-af: Fix mcs sa cam entries size + +From: Geetha sowjanya + +[ Upstream commit 9723b2cca1f0e980c53156b52ea73b93966b3c8a ] + +On latest silicon versions SA cam entries increased to 256. +This patch fixes the datatype of sa_entries in mcs_hw_info +struct to u16 to hold 256 entries. + +Fixes: 080bbd19c9dd ("octeontx2-af: cn10k: mcs: Add mailboxes for port related operations") +Signed-off-by: Geetha sowjanya +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/mbox.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h +index a0c31f5b2ce05..03ebabd616353 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mbox.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mbox.h +@@ -1877,7 +1877,7 @@ struct mcs_hw_info { + u8 tcam_entries; /* RX/TX Tcam entries per mcs block */ + u8 secy_entries; /* RX/TX SECY entries per mcs block */ + u8 sc_entries; /* RX/TX SC CAM entries per mcs block */ +- u8 sa_entries; /* PN table entries = SA entries */ ++ u16 sa_entries; /* PN table entries = SA entries */ + u64 rsvd[16]; + }; + +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-fix-mcs-stats-register-address.patch b/queue-6.1/octeontx2-af-fix-mcs-stats-register-address.patch new file mode 100644 index 00000000000..c90555a94a2 --- /dev/null +++ b/queue-6.1/octeontx2-af-fix-mcs-stats-register-address.patch @@ -0,0 +1,93 @@ +From 9ebcfd607bd86ec3a946df8f6523a1015c67a422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 13:34:32 +0530 +Subject: octeontx2-af: Fix mcs stats register address + +From: Geetha sowjanya + +[ Upstream commit 3ba98a8c6f8ceb4e01a78f973d8d9017020bbd57 ] + +This patch adds the miss mcs stats register +for mcs supported platforms. + +Fixes: 9312150af8da ("octeontx2-af: cn10k: mcs: Support for stats collection") +Signed-off-by: Geetha sowjanya +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/mcs.c | 4 +-- + .../ethernet/marvell/octeontx2/af/mcs_reg.h | 31 ++++++++++++++++--- + 2 files changed, 29 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mcs.c b/drivers/net/ethernet/marvell/octeontx2/af/mcs.c +index bd87507cf8eaa..c1775bd01c2b4 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mcs.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mcs.c +@@ -117,7 +117,7 @@ void mcs_get_rx_secy_stats(struct mcs *mcs, struct mcs_secy_stats *stats, int id + reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYTAGGEDCTLX(id); + stats->pkt_tagged_ctl_cnt = mcs_reg_read(mcs, reg); + +- reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYUNTAGGEDORNOTAGX(id); ++ reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYUNTAGGEDX(id); + stats->pkt_untaged_cnt = mcs_reg_read(mcs, reg); + + reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYCTLX(id); +@@ -215,7 +215,7 @@ void mcs_get_sc_stats(struct mcs *mcs, struct mcs_sc_stats *stats, + reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSCNOTVALIDX(id); + stats->pkt_notvalid_cnt = mcs_reg_read(mcs, reg); + +- reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSCUNCHECKEDOROKX(id); ++ reg = MCSX_CSE_RX_MEM_SLAVE_INPKTSSCUNCHECKEDX(id); + stats->pkt_unchecked_cnt = mcs_reg_read(mcs, reg); + + if (mcs->hw->mcs_blks > 1) { +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/mcs_reg.h b/drivers/net/ethernet/marvell/octeontx2/af/mcs_reg.h +index f3ab01fc363c8..f4c6de89002c1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/mcs_reg.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/mcs_reg.h +@@ -810,14 +810,37 @@ + offset = 0x9d8ull; \ + offset; }) + ++#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSCUNCHECKEDX(a) ({ \ ++ u64 offset; \ ++ \ ++ offset = 0xee80ull; \ ++ if (mcs->hw->mcs_blks > 1) \ ++ offset = 0xe818ull; \ ++ offset += (a) * 0x8ull; \ ++ offset; }) ++ ++#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYUNTAGGEDX(a) ({ \ ++ u64 offset; \ ++ \ ++ offset = 0xa680ull; \ ++ if (mcs->hw->mcs_blks > 1) \ ++ offset = 0xd018ull; \ ++ offset += (a) * 0x8ull; \ ++ offset; }) ++ ++#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSCLATEORDELAYEDX(a) ({ \ ++ u64 offset; \ ++ \ ++ offset = 0xf680ull; \ ++ if (mcs->hw->mcs_blks > 1) \ ++ offset = 0xe018ull; \ ++ offset += (a) * 0x8ull; \ ++ offset; }) ++ + #define MCSX_CSE_RX_MEM_SLAVE_INOCTETSSCDECRYPTEDX(a) (0xe680ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INOCTETSSCVALIDATEX(a) (0xde80ull + (a) * 0x8ull) +-#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYUNTAGGEDORNOTAGX(a) (0xa680ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYNOTAGX(a) (0xd218 + (a) * 0x8ull) +-#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYUNTAGGEDX(a) (0xd018ull + (a) * 0x8ull) +-#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSCUNCHECKEDOROKX(a) (0xee80ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INPKTSSECYCTLX(a) (0xb680ull + (a) * 0x8ull) +-#define MCSX_CSE_RX_MEM_SLAVE_INPKTSSCLATEORDELAYEDX(a) (0xf680ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INPKTSSAINVALIDX(a) (0x12680ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INPKTSSANOTUSINGSAERRORX(a) (0x15680ull + (a) * 0x8ull) + #define MCSX_CSE_RX_MEM_SLAVE_INPKTSSANOTVALIDX(a) (0x13680ull + (a) * 0x8ull) +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-af-update-tx-link-register-range.patch b/queue-6.1/octeontx2-af-update-tx-link-register-range.patch new file mode 100644 index 00000000000..92cf60e52ee --- /dev/null +++ b/queue-6.1/octeontx2-af-update-tx-link-register-range.patch @@ -0,0 +1,41 @@ +From 5be70ab09ba5ca55e550cafd875dfd84d1e06ddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 13:34:34 +0530 +Subject: octeontx2-af: Update Tx link register range + +From: Rahul Bhansali + +[ Upstream commit 7336fc196748f82646b630d5a2e9d283e200b988 ] + +On new silicons the TX channels for transmit level has increased. +This patch fixes the respective register offset range to +configure the newly added channels. + +Fixes: b279bbb3314e ("octeontx2-af: NIX Tx scheduler queue config support") +Signed-off-by: Rahul Bhansali +Signed-off-by: Geetha sowjanya +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.c +index b3150f0532919..d46ac29adb966 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.c +@@ -31,8 +31,8 @@ static struct hw_reg_map txsch_reg_map[NIX_TXSCH_LVL_CNT] = { + {NIX_TXSCH_LVL_TL4, 3, 0xFFFF, {{0x0B00, 0x0B08}, {0x0B10, 0x0B18}, + {0x1200, 0x12E0} } }, + {NIX_TXSCH_LVL_TL3, 4, 0xFFFF, {{0x1000, 0x10E0}, {0x1600, 0x1608}, +- {0x1610, 0x1618}, {0x1700, 0x17B0} } }, +- {NIX_TXSCH_LVL_TL2, 2, 0xFFFF, {{0x0E00, 0x0EE0}, {0x1700, 0x17B0} } }, ++ {0x1610, 0x1618}, {0x1700, 0x17C8} } }, ++ {NIX_TXSCH_LVL_TL2, 2, 0xFFFF, {{0x0E00, 0x0EE0}, {0x1700, 0x17C8} } }, + {NIX_TXSCH_LVL_TL1, 1, 0xFFFF, {{0x0C00, 0x0D98} } }, + }; + +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-pf-add-missing-mutex-lock-in-otx2_get_paus.patch b/queue-6.1/octeontx2-pf-add-missing-mutex-lock-in-otx2_get_paus.patch new file mode 100644 index 00000000000..ee7cdf50160 --- /dev/null +++ b/queue-6.1/octeontx2-pf-add-missing-mutex-lock-in-otx2_get_paus.patch @@ -0,0 +1,51 @@ +From a3d18bedaecd82bcd315a0da67a9eb6d2e69f921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 10:53:42 +0530 +Subject: octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam + +From: Subbaraya Sundeep + +[ Upstream commit 9572c949385aa2ef10368287c439bcb7935137c8 ] + +All the mailbox messages sent to AF needs to be guarded +by mutex lock. Add the missing lock in otx2_get_pauseparam +function. + +Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool") +Signed-off-by: Subbaraya Sundeep +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index aaf1af2a402ec..af779ae40d3c2 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -323,9 +323,12 @@ static void otx2_get_pauseparam(struct net_device *netdev, + if (is_otx2_lbkvf(pfvf->pdev)) + return; + ++ mutex_lock(&pfvf->mbox.lock); + req = otx2_mbox_alloc_msg_cgx_cfg_pause_frm(&pfvf->mbox); +- if (!req) ++ if (!req) { ++ mutex_unlock(&pfvf->mbox.lock); + return; ++ } + + if (!otx2_sync_mbox_msg(&pfvf->mbox)) { + rsp = (struct cgx_pause_frm_cfg *) +@@ -333,6 +336,7 @@ static void otx2_get_pauseparam(struct net_device *netdev, + pause->rx_pause = rsp->rx_pause; + pause->tx_pause = rsp->tx_pause; + } ++ mutex_unlock(&pfvf->mbox.lock); + } + + static int otx2_set_pauseparam(struct net_device *netdev, +-- +2.42.0 + diff --git a/queue-6.1/octeontx2-pf-consider-both-rx-and-tx-packet-stats-fo.patch b/queue-6.1/octeontx2-pf-consider-both-rx-and-tx-packet-stats-fo.patch new file mode 100644 index 00000000000..c77fc46b2b9 --- /dev/null +++ b/queue-6.1/octeontx2-pf-consider-both-rx-and-tx-packet-stats-fo.patch @@ -0,0 +1,101 @@ +From cbe12d77d37d5cbc07524aa6768c2b6d2b3db20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 11:03:30 +0530 +Subject: octeontx2-pf: consider both Rx and Tx packet stats for adaptive + interrupt coalescing + +From: Naveen Mamindlapalli + +[ Upstream commit adbf100fc47001c93d7e513ecac6fd6e04d5b4a1 ] + +The current adaptive interrupt coalescing code updates only rx +packet stats for dim algorithm. This patch also updates tx packet +stats which will be useful when there is only tx traffic. +Also moved configuring hardware adaptive interrupt setting to +driver dim callback. + +Fixes: 6e144b47f560 ("octeontx2-pf: Add support for adaptive interrupt coalescing") +Signed-off-by: Naveen Mamindlapalli +Signed-off-by: Suman Ghosh +Reviewed-by: Wojciech Drewek +Link: https://lore.kernel.org/r/20231201053330.3903694-1-sumang@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 9 +++++++++ + .../marvell/octeontx2/nic/otx2_txrx.c | 20 +++++++++---------- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 18c5d2b3f7f95..55807e2043edf 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1676,6 +1676,14 @@ static void otx2_do_set_rx_mode(struct otx2_nic *pf) + mutex_unlock(&pf->mbox.lock); + } + ++static void otx2_set_irq_coalesce(struct otx2_nic *pfvf) ++{ ++ int cint; ++ ++ for (cint = 0; cint < pfvf->hw.cint_cnt; cint++) ++ otx2_config_irq_coalescing(pfvf, cint); ++} ++ + static void otx2_dim_work(struct work_struct *w) + { + struct dim_cq_moder cur_moder; +@@ -1691,6 +1699,7 @@ static void otx2_dim_work(struct work_struct *w) + CQ_TIMER_THRESH_MAX : cur_moder.usec; + pfvf->hw.cq_ecount_wait = (cur_moder.pkts > NAPI_POLL_WEIGHT) ? + NAPI_POLL_WEIGHT : cur_moder.pkts; ++ otx2_set_irq_coalesce(pfvf); + dim->state = DIM_START_MEASURE; + } + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index 20d801d30c732..aee392a15b23c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -510,11 +510,18 @@ static void otx2_adjust_adaptive_coalese(struct otx2_nic *pfvf, struct otx2_cq_p + { + struct dim_sample dim_sample; + u64 rx_frames, rx_bytes; ++ u64 tx_frames, tx_bytes; + + rx_frames = OTX2_GET_RX_STATS(RX_BCAST) + OTX2_GET_RX_STATS(RX_MCAST) + + OTX2_GET_RX_STATS(RX_UCAST); + rx_bytes = OTX2_GET_RX_STATS(RX_OCTS); +- dim_update_sample(pfvf->napi_events, rx_frames, rx_bytes, &dim_sample); ++ tx_bytes = OTX2_GET_TX_STATS(TX_OCTS); ++ tx_frames = OTX2_GET_TX_STATS(TX_UCAST); ++ ++ dim_update_sample(pfvf->napi_events, ++ rx_frames + tx_frames, ++ rx_bytes + tx_bytes, ++ &dim_sample); + net_dim(&cq_poll->dim, dim_sample); + } + +@@ -555,16 +562,9 @@ int otx2_napi_handler(struct napi_struct *napi, int budget) + if (pfvf->flags & OTX2_FLAG_INTF_DOWN) + return workdone; + +- /* Check for adaptive interrupt coalesce */ +- if (workdone != 0 && +- ((pfvf->flags & OTX2_FLAG_ADPTV_INT_COAL_ENABLED) == +- OTX2_FLAG_ADPTV_INT_COAL_ENABLED)) { +- /* Adjust irq coalese using net_dim */ ++ /* Adjust irq coalese using net_dim */ ++ if (pfvf->flags & OTX2_FLAG_ADPTV_INT_COAL_ENABLED) + otx2_adjust_adaptive_coalese(pfvf, cq_poll); +- /* Update irq coalescing */ +- for (i = 0; i < pfvf->hw.cint_cnt; i++) +- otx2_config_irq_coalescing(pfvf, i); +- } + + /* Re-enable interrupts */ + otx2_write64(pfvf, NIX_LF_CINTX_ENA_W1S(cq_poll->cint_idx), +-- +2.42.0 + diff --git a/queue-6.1/of-dynamic-fix-of_reconfig_get_state_change-return-v.patch b/queue-6.1/of-dynamic-fix-of_reconfig_get_state_change-return-v.patch new file mode 100644 index 00000000000..4fb1a40bfd6 --- /dev/null +++ b/queue-6.1/of-dynamic-fix-of_reconfig_get_state_change-return-v.patch @@ -0,0 +1,41 @@ +From b25f652ac8d71c4dcb826fa56a6f4392d69559ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 15:47:18 +0100 +Subject: of: dynamic: Fix of_reconfig_get_state_change() return value + documentation + +From: Luca Ceresoli + +[ Upstream commit d79972789d17499b6091ded2fc0c6763c501a5ba ] + +The documented numeric return values do not match the actual returned +values. Fix them by using the enum names instead of raw numbers. + +Fixes: b53a2340d0d3 ("of/reconfig: Add of_reconfig_get_state_change() of notifier helper.") +Signed-off-by: Luca Ceresoli +Link: https://lore.kernel.org/r/20231123-fix-of_reconfig_get_state_change-docs-v1-1-f51892050ff9@bootlin.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 0fbf331a748fd..9bb9fe0fad07c 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -104,8 +104,9 @@ int of_reconfig_notify(unsigned long action, struct of_reconfig_data *p) + * + * Returns the new state of a device based on the notifier used. + * +- * Return: 0 on device going from enabled to disabled, 1 on device +- * going from disabled to enabled and -1 on no change. ++ * Return: OF_RECONFIG_CHANGE_REMOVE on device going from enabled to ++ * disabled, OF_RECONFIG_CHANGE_ADD on device going from disabled to ++ * enabled and OF_RECONFIG_NO_CHANGE on no change. + */ + int of_reconfig_get_state_change(unsigned long action, struct of_reconfig_data *pr) + { +-- +2.42.0 + diff --git a/queue-6.1/platform-mellanox-add-null-pointer-checks-for-devm_k.patch b/queue-6.1/platform-mellanox-add-null-pointer-checks-for-devm_k.patch new file mode 100644 index 00000000000..dc5a3652d75 --- /dev/null +++ b/queue-6.1/platform-mellanox-add-null-pointer-checks-for-devm_k.patch @@ -0,0 +1,92 @@ +From 450eea065e87331b3951ff05607670f45e5b51f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 13:54:47 +0800 +Subject: platform/mellanox: Add null pointer checks for devm_kasprintf() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunwu Chan + +[ Upstream commit 2c7c857f5fed997be93047d2de853d7f10c8defe ] + +devm_kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Compile-tested only. + +Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver") +Suggested-by: Ilpo Järvinen +Suggested-by: Vadim Pasternak +Signed-off-by: Kunwu Chan +Reviewed-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20231201055447.2356001-1-chentao@kylinos.cn +[ij: split the change into two] +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index 2d4bbe99959ef..925bfc4aef8ce 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -1202,6 +1202,8 @@ static int mlxbf_pmc_init_perftype_counter(struct device *dev, int blk_num) + attr->dev_attr.show = mlxbf_pmc_event_list_show; + attr->nr = blk_num; + attr->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL, "event_list"); ++ if (!attr->dev_attr.attr.name) ++ return -ENOMEM; + pmc->block[blk_num].block_attr[i] = &attr->dev_attr.attr; + attr = NULL; + +@@ -1214,6 +1216,8 @@ static int mlxbf_pmc_init_perftype_counter(struct device *dev, int blk_num) + attr->nr = blk_num; + attr->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL, + "enable"); ++ if (!attr->dev_attr.attr.name) ++ return -ENOMEM; + pmc->block[blk_num].block_attr[++i] = &attr->dev_attr.attr; + attr = NULL; + } +@@ -1240,6 +1244,8 @@ static int mlxbf_pmc_init_perftype_counter(struct device *dev, int blk_num) + attr->nr = blk_num; + attr->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL, + "counter%d", j); ++ if (!attr->dev_attr.attr.name) ++ return -ENOMEM; + pmc->block[blk_num].block_attr[++i] = &attr->dev_attr.attr; + attr = NULL; + +@@ -1251,6 +1257,8 @@ static int mlxbf_pmc_init_perftype_counter(struct device *dev, int blk_num) + attr->nr = blk_num; + attr->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL, + "event%d", j); ++ if (!attr->dev_attr.attr.name) ++ return -ENOMEM; + pmc->block[blk_num].block_attr[++i] = &attr->dev_attr.attr; + attr = NULL; + } +@@ -1283,6 +1291,8 @@ static int mlxbf_pmc_init_perftype_reg(struct device *dev, int blk_num) + attr->nr = blk_num; + attr->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL, + events[j].evt_name); ++ if (!attr->dev_attr.attr.name) ++ return -ENOMEM; + pmc->block[blk_num].block_attr[i] = &attr->dev_attr.attr; + attr = NULL; + i++; +@@ -1311,6 +1321,8 @@ static int mlxbf_pmc_create_groups(struct device *dev, int blk_num) + pmc->block[blk_num].block_attr_grp.attrs = pmc->block[blk_num].block_attr; + pmc->block[blk_num].block_attr_grp.name = devm_kasprintf( + dev, GFP_KERNEL, pmc->block_name[blk_num]); ++ if (!pmc->block[blk_num].block_attr_grp.name) ++ return -ENOMEM; + pmc->groups[blk_num] = &pmc->block[blk_num].block_attr_grp; + + return 0; +-- +2.42.0 + diff --git a/queue-6.1/platform-mellanox-check-devm_hwmon_device_register_w.patch b/queue-6.1/platform-mellanox-check-devm_hwmon_device_register_w.patch new file mode 100644 index 00000000000..2b3448e233b --- /dev/null +++ b/queue-6.1/platform-mellanox-check-devm_hwmon_device_register_w.patch @@ -0,0 +1,48 @@ +From 31c7241c8301c05450a31634a6ba556a05ed303e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 13:54:47 +0800 +Subject: platform/mellanox: Check devm_hwmon_device_register_with_groups() + return value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunwu Chan + +[ Upstream commit 3494a594315b56516988afb6854d75dee5b501db ] + +devm_hwmon_device_register_with_groups() returns an error pointer upon +failure. Check its return value for errors. + +Compile-tested only. + +Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver") +Suggested-by: Ilpo Järvinen +Suggested-by: Vadim Pasternak +Signed-off-by: Kunwu Chan +Reviewed-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20231201055447.2356001-1-chentao@kylinos.cn +[ij: split the change into two] +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index 925bfc4aef8ce..db7a1d360cd2c 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -1454,6 +1454,8 @@ static int mlxbf_pmc_probe(struct platform_device *pdev) + + pmc->hwmon_dev = devm_hwmon_device_register_with_groups( + dev, "bfperf", pmc, pmc->groups); ++ if (IS_ERR(pmc->hwmon_dev)) ++ return PTR_ERR(pmc->hwmon_dev); + platform_set_drvdata(pdev, pmc); + + return 0; +-- +2.42.0 + diff --git a/queue-6.1/platform-x86-asus-wmi-move-i8042-filter-install-to-s.patch b/queue-6.1/platform-x86-asus-wmi-move-i8042-filter-install-to-s.patch new file mode 100644 index 00000000000..288016c3c7d --- /dev/null +++ b/queue-6.1/platform-x86-asus-wmi-move-i8042-filter-install-to-s.patch @@ -0,0 +1,111 @@ +From 3fe69b3e533609a7da95f3b4dd9708b1be492cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 16:42:33 +0100 +Subject: platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi + code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit b52cbca22cbf6c9d2700c1e576d0ddcc670e49d5 ] + +asus-nb-wmi calls i8042_install_filter() in some cases, but it never +calls i8042_remove_filter(). This means that a dangling pointer to +the filter function is left after rmmod leading to crashes. + +Fix this by moving the i8042-filter installation to the shared +asus-wmi code and also remove it from the shared code on driver unbind. + +Fixes: b5643539b825 ("platform/x86: asus-wmi: Filter buggy scan codes on ASUS Q500A") +Cc: Oleksij Rempel +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20231120154235.610808-2-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 2 +- + drivers/platform/x86/asus-nb-wmi.c | 11 ----------- + drivers/platform/x86/asus-wmi.c | 8 ++++++++ + 3 files changed, 9 insertions(+), 12 deletions(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 1396a839dd8a4..d5acef3202dad 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -271,6 +271,7 @@ config ASUS_WMI + depends on RFKILL || RFKILL = n + depends on HOTPLUG_PCI + depends on ACPI_VIDEO || ACPI_VIDEO = n ++ depends on SERIO_I8042 || SERIO_I8042 = n + select INPUT_SPARSEKMAP + select LEDS_CLASS + select NEW_LEDS +@@ -287,7 +288,6 @@ config ASUS_WMI + config ASUS_NB_WMI + tristate "Asus Notebook WMI Driver" + depends on ASUS_WMI +- depends on SERIO_I8042 || SERIO_I8042 = n + help + This is a driver for newer Asus notebooks. It adds extra features + like wireless radio and bluetooth control, leds, hotkeys, backlight... +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index df1db54d4e183..af3da303e2b15 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -501,8 +501,6 @@ static const struct dmi_system_id asus_quirks[] = { + + static void asus_nb_wmi_quirks(struct asus_wmi_driver *driver) + { +- int ret; +- + quirks = &quirk_asus_unknown; + dmi_check_system(asus_quirks); + +@@ -517,15 +515,6 @@ static void asus_nb_wmi_quirks(struct asus_wmi_driver *driver) + + if (tablet_mode_sw != -1) + quirks->tablet_switch_mode = tablet_mode_sw; +- +- if (quirks->i8042_filter) { +- ret = i8042_install_filter(quirks->i8042_filter); +- if (ret) { +- pr_warn("Unable to install key filter\n"); +- return; +- } +- pr_info("Using i8042 filter function for receiving events\n"); +- } + } + + static const struct key_entry asus_nb_wmi_keymap[] = { +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 49dd55b8e8faf..296150eaef929 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -3839,6 +3839,12 @@ static int asus_wmi_add(struct platform_device *pdev) + goto fail_wmi_handler; + } + ++ if (asus->driver->quirks->i8042_filter) { ++ err = i8042_install_filter(asus->driver->quirks->i8042_filter); ++ if (err) ++ pr_warn("Unable to install key filter - %d\n", err); ++ } ++ + asus_wmi_battery_init(asus); + + asus_wmi_debugfs_init(asus); +@@ -3873,6 +3879,8 @@ static int asus_wmi_remove(struct platform_device *device) + struct asus_wmi *asus; + + asus = platform_get_drvdata(device); ++ if (asus->driver->quirks->i8042_filter) ++ i8042_remove_filter(asus->driver->quirks->i8042_filter); + wmi_remove_notify_handler(asus->driver->event_guid); + asus_wmi_backlight_exit(asus); + asus_wmi_input_exit(asus); +-- +2.42.0 + diff --git a/queue-6.1/platform-x86-wmi-skip-blocks-with-zero-instances.patch b/queue-6.1/platform-x86-wmi-skip-blocks-with-zero-instances.patch new file mode 100644 index 00000000000..9cf85a1004b --- /dev/null +++ b/queue-6.1/platform-x86-wmi-skip-blocks-with-zero-instances.patch @@ -0,0 +1,49 @@ +From 238bf56c3faaa318c655cfcc5c4e3557d80632fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 19:16:54 +0100 +Subject: platform/x86: wmi: Skip blocks with zero instances +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit cbf54f37600e874d82886aa3b2f471778cae01ce ] + +Some machines like the HP Omen 17 ck2000nf contain WMI blocks +with zero instances, so any WMI driver which tries to handle the +associated WMI device will fail. +Skip such WMI blocks to avoid confusing any WMI drivers. + +Reported-by: Alexis Belmonte +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218188 +Fixes: bff431e49ff5 ("ACPI: WMI: Add ACPI-WMI mapping driver") +Tested-by: Alexis Belmonte +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20231129181654.5800-1-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 2b79377cc21e2..b3f3e23a64eee 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1227,6 +1227,11 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + if (debug_dump_wdg) + wmi_dump_wdg(&gblock[i]); + ++ if (!gblock[i].instance_count) { ++ dev_info(wmi_bus_dev, FW_INFO "%pUL has zero instances\n", &gblock[i].guid); ++ continue; ++ } ++ + if (guid_already_parsed_for_legacy(device, &gblock[i].guid)) + continue; + +-- +2.42.0 + diff --git a/queue-6.1/psample-require-cap_net_admin-when-joining-packets-g.patch b/queue-6.1/psample-require-cap_net_admin-when-joining-packets-g.patch new file mode 100644 index 00000000000..4875d3b6a58 --- /dev/null +++ b/queue-6.1/psample-require-cap_net_admin-when-joining-packets-g.patch @@ -0,0 +1,117 @@ +From 229eb2e498a5e25a9422bb904a0e1461fdd90bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 23:31:01 +0200 +Subject: psample: Require 'CAP_NET_ADMIN' when joining "packets" group + +From: Ido Schimmel + +[ Upstream commit 44ec98ea5ea9cfecd31a5c4cc124703cb5442832 ] + +The "psample" generic netlink family notifies sampled packets over the +"packets" multicast group. This is problematic since by default generic +netlink allows non-root users to listen to these notifications. + +Fix by marking the group with the 'GENL_UNS_ADMIN_PERM' flag. This will +prevent non-root users or root without the 'CAP_NET_ADMIN' capability +(in the user namespace owning the network namespace) from joining the +group. + +Tested using [1]. + +Before: + + # capsh -- -c ./psample_repo + # capsh --drop=cap_net_admin -- -c ./psample_repo + +After: + + # capsh -- -c ./psample_repo + # capsh --drop=cap_net_admin -- -c ./psample_repo + Failed to join "packets" multicast group + +[1] + $ cat psample.c + #include + #include + #include + #include + + int join_grp(struct nl_sock *sk, const char *grp_name) + { + int grp, err; + + grp = genl_ctrl_resolve_grp(sk, "psample", grp_name); + if (grp < 0) { + fprintf(stderr, "Failed to resolve \"%s\" multicast group\n", + grp_name); + return grp; + } + + err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE); + if (err) { + fprintf(stderr, "Failed to join \"%s\" multicast group\n", + grp_name); + return err; + } + + return 0; + } + + int main(int argc, char **argv) + { + struct nl_sock *sk; + int err; + + sk = nl_socket_alloc(); + if (!sk) { + fprintf(stderr, "Failed to allocate socket\n"); + return -1; + } + + err = genl_connect(sk); + if (err) { + fprintf(stderr, "Failed to connect socket\n"); + return err; + } + + err = join_grp(sk, "config"); + if (err) + return err; + + err = join_grp(sk, "packets"); + if (err) + return err; + + return 0; + } + $ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o psample_repo psample.c + +Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling") +Reported-by: "The UK's National Cyber Security Centre (NCSC)" +Signed-off-by: Ido Schimmel +Reviewed-by: Jacob Keller +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20231206213102.1824398-2-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/psample/psample.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/psample/psample.c b/net/psample/psample.c +index 81a794e36f535..c34e902855dbe 100644 +--- a/net/psample/psample.c ++++ b/net/psample/psample.c +@@ -31,7 +31,8 @@ enum psample_nl_multicast_groups { + + static const struct genl_multicast_group psample_nl_mcgrps[] = { + [PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME }, +- [PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME }, ++ [PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME, ++ .flags = GENL_UNS_ADMIN_PERM }, + }; + + static struct genl_family psample_nl_family __ro_after_init; +-- +2.42.0 + diff --git a/queue-6.1/r8152-add-rtl8152_inaccessible-checks-to-more-loops.patch b/queue-6.1/r8152-add-rtl8152_inaccessible-checks-to-more-loops.patch new file mode 100644 index 00000000000..c87cd126b16 --- /dev/null +++ b/queue-6.1/r8152-add-rtl8152_inaccessible-checks-to-more-loops.patch @@ -0,0 +1,72 @@ +From bfb9723defc4df94d4a00c6ab5d2a22b990c9912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 13:25:21 -0800 +Subject: r8152: Add RTL8152_INACCESSIBLE checks to more loops + +From: Douglas Anderson + +[ Upstream commit 32a574c7e2685aa8138754d4d755f9246cc6bd48 ] + +Previous commits added checks for RTL8152_INACCESSIBLE in the loops in +the driver. There are still a few more that keep tripping the driver +up in error cases and make things take longer than they should. Add +those in. + +All the loops that are part of this commit existed in some form or +another since the r8152 driver was first introduced, though +RTL8152_INACCESSIBLE was known as RTL8152_UNPLUG before commit +715f67f33af4 ("r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE") + +Fixes: ac718b69301c ("net/usb: new driver for RTL8152") +Reviewed-by: Grant Grundler +Signed-off-by: Douglas Anderson +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 76792269222ea..2cee9b2a21615 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -2857,6 +2857,8 @@ static void rtl8152_nic_reset(struct r8152 *tp) + ocp_write_byte(tp, MCU_TYPE_PLA, PLA_CR, CR_RST); + + for (i = 0; i < 1000; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ break; + if (!(ocp_read_byte(tp, MCU_TYPE_PLA, PLA_CR) & CR_RST)) + break; + usleep_range(100, 400); +@@ -3186,6 +3188,8 @@ static void rtl_disable(struct r8152 *tp) + rxdy_gated_en(tp, true); + + for (i = 0; i < 1000; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ break; + ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); + if ((ocp_data & FIFO_EMPTY) == FIFO_EMPTY) + break; +@@ -3193,6 +3197,8 @@ static void rtl_disable(struct r8152 *tp) + } + + for (i = 0; i < 1000; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ break; + if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_TCR0) & TCR0_TX_EMPTY) + break; + usleep_range(1000, 2000); +@@ -5381,6 +5387,8 @@ static void wait_oob_link_list_ready(struct r8152 *tp) + int i; + + for (i = 0; i < 1000; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ break; + ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); + if (ocp_data & LINK_LIST_READY) + break; +-- +2.42.0 + diff --git a/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_aldps_en.patch b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_aldps_en.patch new file mode 100644 index 00000000000..1cdb29362c1 --- /dev/null +++ b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_aldps_en.patch @@ -0,0 +1,39 @@ +From 5d947f5606a96d30f50e914c0513c2b689394079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 13:25:24 -0800 +Subject: r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() + +From: Douglas Anderson + +[ Upstream commit 79321a793945fdbff2f405f84712d0ab81bed287 ] + +Delay loops in r8152 should break out if RTL8152_INACCESSIBLE is set +so that they don't delay too long if the device becomes +inaccessible. Add the break to the loop in r8153_aldps_en(). + +Fixes: 4214cc550bf9 ("r8152: check if disabling ALDPS is finished") +Reviewed-by: Grant Grundler +Signed-off-by: Douglas Anderson +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index b8ad038dd36bf..4d833781294a4 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5685,6 +5685,8 @@ static void r8153_aldps_en(struct r8152 *tp, bool enable) + data &= ~EN_ALDPS; + ocp_reg_write(tp, OCP_POWER_CFG, data); + for (i = 0; i < 20; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ return; + usleep_range(1000, 2000); + if (ocp_read_word(tp, MCU_TYPE_PLA, 0xe000) & 0x0100) + break; +-- +2.42.0 + diff --git a/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_pre_firmware.patch b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_pre_firmware.patch new file mode 100644 index 00000000000..80a229b201a --- /dev/null +++ b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8153_pre_firmware.patch @@ -0,0 +1,39 @@ +From d6e167787ddd43204cd27050296bef992c798533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 13:25:23 -0800 +Subject: r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1() + +From: Douglas Anderson + +[ Upstream commit 8c53a7bd706535a9cf4e2ec3a4e8d61d46353ca0 ] + +Delay loops in r8152 should break out if RTL8152_INACCESSIBLE is set +so that they don't delay too long if the device becomes +inaccessible. Add the break to the loop in r8153_pre_firmware_1(). + +Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153") +Reviewed-by: Grant Grundler +Signed-off-by: Douglas Anderson +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 8b463a9c5e44c..b8ad038dd36bf 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5527,6 +5527,8 @@ static int r8153_pre_firmware_1(struct r8152 *tp) + for (i = 0; i < 104; i++) { + u32 ocp_data = ocp_read_byte(tp, MCU_TYPE_USB, USB_WDT1_CTRL); + ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ return -ENODEV; + if (!(ocp_data & WTD1_EN)) + break; + usleep_range(1000, 2000); +-- +2.42.0 + diff --git a/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8156b_wait_loadin.patch b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8156b_wait_loadin.patch new file mode 100644 index 00000000000..3331b579582 --- /dev/null +++ b/queue-6.1/r8152-add-rtl8152_inaccessible-to-r8156b_wait_loadin.patch @@ -0,0 +1,40 @@ +From fe8c0392440431f6ee3adf1e79b4b42c5020d7f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 13:25:22 -0800 +Subject: r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash() + +From: Douglas Anderson + +[ Upstream commit 8a67b47fced9f6a84101eb9ec5ce4c7d64204bc7 ] + +Delay loops in r8152 should break out if RTL8152_INACCESSIBLE is set +so that they don't delay too long if the device becomes +inaccessible. Add the break to the loop in +r8156b_wait_loading_flash(). + +Fixes: 195aae321c82 ("r8152: support new chips") +Reviewed-by: Grant Grundler +Signed-off-by: Douglas Anderson +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 2cee9b2a21615..8b463a9c5e44c 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5403,6 +5403,8 @@ static void r8156b_wait_loading_flash(struct r8152 *tp) + int i; + + for (i = 0; i < 100; i++) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ break; + if (ocp_read_word(tp, MCU_TYPE_USB, USB_GPHY_CTRL) & GPHY_PATCH_DONE) + break; + usleep_range(1000, 2000); +-- +2.42.0 + diff --git a/queue-6.1/r8152-rename-rtl8152_unplug-to-rtl8152_inaccessible.patch b/queue-6.1/r8152-rename-rtl8152_unplug-to-rtl8152_inaccessible.patch new file mode 100644 index 00000000000..4e78b84810a --- /dev/null +++ b/queue-6.1/r8152-rename-rtl8152_unplug-to-rtl8152_inaccessible.patch @@ -0,0 +1,458 @@ +From 8cda8ab6831bd019e61dbea0ad7ecd73513afb0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 14:06:58 -0700 +Subject: r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE + +From: Douglas Anderson + +[ Upstream commit 715f67f33af45ce2cc3a5b1ef133cc8c8e7787b0 ] + +Whenever the RTL8152_UNPLUG is set that just tells the driver that all +accesses will fail and we should just immediately bail. A future patch +will use this same concept at a time when the driver hasn't actually +been unplugged but is about to be reset. Rename the flag in +preparation for the future patch. + +This is a no-op change and just a search and replace. + +Signed-off-by: Douglas Anderson +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Stable-dep-of: 32a574c7e268 ("r8152: Add RTL8152_INACCESSIBLE checks to more loops") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 96 ++++++++++++++++++++--------------------- + 1 file changed, 48 insertions(+), 48 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 345e341d22338..76792269222ea 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -763,7 +763,7 @@ enum rtl_register_content { + + /* rtl8152 flags */ + enum rtl8152_flags { +- RTL8152_UNPLUG = 0, ++ RTL8152_INACCESSIBLE = 0, + RTL8152_SET_RX_MODE, + WORK_ENABLE, + RTL8152_LINK_CHG, +@@ -1244,7 +1244,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + static void rtl_set_unplug(struct r8152 *tp) + { + if (tp->udev->state == USB_STATE_NOTATTACHED) { +- set_bit(RTL8152_UNPLUG, &tp->flags); ++ set_bit(RTL8152_INACCESSIBLE, &tp->flags); + smp_mb__after_atomic(); + } + } +@@ -1255,7 +1255,7 @@ static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size, + u16 limit = 64; + int ret = 0; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + /* both size and indix must be 4 bytes align */ +@@ -1299,7 +1299,7 @@ static int generic_ocp_write(struct r8152 *tp, u16 index, u16 byteen, + u16 byteen_start, byteen_end, byen; + u16 limit = 512; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + /* both size and indix must be 4 bytes align */ +@@ -1529,7 +1529,7 @@ static int read_mii_word(struct net_device *netdev, int phy_id, int reg) + struct r8152 *tp = netdev_priv(netdev); + int ret; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + if (phy_id != R8152_PHY_ID) +@@ -1545,7 +1545,7 @@ void write_mii_word(struct net_device *netdev, int phy_id, int reg, int val) + { + struct r8152 *tp = netdev_priv(netdev); + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (phy_id != R8152_PHY_ID) +@@ -1750,7 +1750,7 @@ static void read_bulk_callback(struct urb *urb) + if (!tp) + return; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (!test_bit(WORK_ENABLE, &tp->flags)) +@@ -1842,7 +1842,7 @@ static void write_bulk_callback(struct urb *urb) + if (!test_bit(WORK_ENABLE, &tp->flags)) + return; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (!skb_queue_empty(&tp->tx_queue)) +@@ -1863,7 +1863,7 @@ static void intr_callback(struct urb *urb) + if (!test_bit(WORK_ENABLE, &tp->flags)) + return; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + switch (status) { +@@ -2607,7 +2607,7 @@ static void bottom_half(struct tasklet_struct *t) + { + struct r8152 *tp = from_tasklet(tp, t, tx_tl); + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (!test_bit(WORK_ENABLE, &tp->flags)) +@@ -2650,7 +2650,7 @@ int r8152_submit_rx(struct r8152 *tp, struct rx_agg *agg, gfp_t mem_flags) + int ret; + + /* The rx would be stopped, so skip submitting */ +- if (test_bit(RTL8152_UNPLUG, &tp->flags) || ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags) || + !test_bit(WORK_ENABLE, &tp->flags) || !netif_carrier_ok(tp->netdev)) + return 0; + +@@ -3050,7 +3050,7 @@ static int rtl_enable(struct r8152 *tp) + + static int rtl8152_enable(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + set_tx_qlen(tp); +@@ -3137,7 +3137,7 @@ static int rtl8153_enable(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + set_tx_qlen(tp); +@@ -3169,7 +3169,7 @@ static void rtl_disable(struct r8152 *tp) + u32 ocp_data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + return; + } +@@ -3623,7 +3623,7 @@ static u16 r8153_phy_status(struct r8152 *tp, u16 desired) + } + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + break; + } + +@@ -3655,7 +3655,7 @@ static void r8153b_ups_en(struct r8152 *tp, bool enable) + int i; + + for (i = 0; i < 500; i++) { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) & + AUTOLOAD_DONE) +@@ -3697,7 +3697,7 @@ static void r8153c_ups_en(struct r8152 *tp, bool enable) + int i; + + for (i = 0; i < 500; i++) { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) & + AUTOLOAD_DONE) +@@ -4062,8 +4062,8 @@ static int rtl_phy_patch_request(struct r8152 *tp, bool request, bool wait) + for (i = 0; wait && i < 5000; i++) { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) +- break; ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ return -ENODEV; + + usleep_range(1000, 2000); + ocp_data = ocp_reg_read(tp, OCP_PHY_PATCH_STAT); +@@ -6026,7 +6026,7 @@ static int rtl8156_enable(struct r8152 *tp) + u32 ocp_data; + u16 speed; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + r8156_fc_parameter(tp); +@@ -6084,7 +6084,7 @@ static int rtl8156b_enable(struct r8152 *tp) + u32 ocp_data; + u16 speed; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + set_tx_qlen(tp); +@@ -6270,7 +6270,7 @@ static int rtl8152_set_speed(struct r8152 *tp, u8 autoneg, u32 speed, u8 duplex, + + static void rtl8152_up(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8152_aldps_en(tp, false); +@@ -6280,7 +6280,7 @@ static void rtl8152_up(struct r8152 *tp) + + static void rtl8152_down(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + return; + } +@@ -6295,7 +6295,7 @@ static void rtl8153_up(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153_u1u2en(tp, false); +@@ -6335,7 +6335,7 @@ static void rtl8153_down(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + return; + } +@@ -6356,7 +6356,7 @@ static void rtl8153b_up(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_u1u2en(tp, false); +@@ -6380,7 +6380,7 @@ static void rtl8153b_down(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + return; + } +@@ -6417,7 +6417,7 @@ static void rtl8153c_up(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_u1u2en(tp, false); +@@ -6498,7 +6498,7 @@ static void rtl8156_up(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_u1u2en(tp, false); +@@ -6571,7 +6571,7 @@ static void rtl8156_down(struct r8152 *tp) + { + u32 ocp_data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + return; + } +@@ -6709,7 +6709,7 @@ static void rtl_work_func_t(struct work_struct *work) + /* If the device is unplugged or !netif_running(), the workqueue + * doesn't need to wake the device, and could return directly. + */ +- if (test_bit(RTL8152_UNPLUG, &tp->flags) || !netif_running(tp->netdev)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags) || !netif_running(tp->netdev)) + return; + + if (usb_autopm_get_interface(tp->intf) < 0) +@@ -6748,7 +6748,7 @@ static void rtl_hw_phy_work_func_t(struct work_struct *work) + { + struct r8152 *tp = container_of(work, struct r8152, hw_phy_work.work); + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (usb_autopm_get_interface(tp->intf) < 0) +@@ -6875,7 +6875,7 @@ static int rtl8152_close(struct net_device *netdev) + netif_stop_queue(netdev); + + res = usb_autopm_get_interface(tp->intf); +- if (res < 0 || test_bit(RTL8152_UNPLUG, &tp->flags)) { ++ if (res < 0 || test_bit(RTL8152_INACCESSIBLE, &tp->flags)) { + rtl_drop_queued_tx(tp); + rtl_stop_rx(tp); + } else { +@@ -6908,7 +6908,7 @@ static void r8152b_init(struct r8152 *tp) + u32 ocp_data; + u16 data; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + data = r8152_mdio_read(tp, MII_BMCR); +@@ -6952,7 +6952,7 @@ static void r8153_init(struct r8152 *tp) + u16 data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153_u1u2en(tp, false); +@@ -6963,7 +6963,7 @@ static void r8153_init(struct r8152 *tp) + break; + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + break; + } + +@@ -7092,7 +7092,7 @@ static void r8153b_init(struct r8152 *tp) + u16 data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_u1u2en(tp, false); +@@ -7103,7 +7103,7 @@ static void r8153b_init(struct r8152 *tp) + break; + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + break; + } + +@@ -7174,7 +7174,7 @@ static void r8153c_init(struct r8152 *tp) + u16 data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_u1u2en(tp, false); +@@ -7194,7 +7194,7 @@ static void r8153c_init(struct r8152 *tp) + break; + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + } + +@@ -8023,7 +8023,7 @@ static void r8156_init(struct r8152 *tp) + u16 data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + ocp_data = ocp_read_byte(tp, MCU_TYPE_USB, USB_ECM_OP); +@@ -8044,7 +8044,7 @@ static void r8156_init(struct r8152 *tp) + break; + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + } + +@@ -8119,7 +8119,7 @@ static void r8156b_init(struct r8152 *tp) + u16 data; + int i; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + ocp_data = ocp_read_byte(tp, MCU_TYPE_USB, USB_ECM_OP); +@@ -8153,7 +8153,7 @@ static void r8156b_init(struct r8152 *tp) + break; + + msleep(20); +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + } + +@@ -9219,7 +9219,7 @@ static int rtl8152_ioctl(struct net_device *netdev, struct ifreq *rq, int cmd) + struct mii_ioctl_data *data = if_mii(rq); + int res; + +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return -ENODEV; + + res = usb_autopm_get_interface(tp->intf); +@@ -9321,7 +9321,7 @@ static const struct net_device_ops rtl8152_netdev_ops = { + + static void rtl8152_unload(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + if (tp->version != RTL_VER_01) +@@ -9330,7 +9330,7 @@ static void rtl8152_unload(struct r8152 *tp) + + static void rtl8153_unload(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153_power_cut_en(tp, false); +@@ -9338,7 +9338,7 @@ static void rtl8153_unload(struct r8152 *tp) + + static void rtl8153b_unload(struct r8152 *tp) + { +- if (test_bit(RTL8152_UNPLUG, &tp->flags)) ++ if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) + return; + + r8153b_power_cut_en(tp, false); +-- +2.42.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 2f1cbbc7b66..0ee904072e7 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -13,3 +13,51 @@ x86-coco-disable-32-bit-emulation-by-default-on-tdx-and-sev.patch x86-entry-convert-int-0x80-emulation-to-idtentry.patch x86-entry-do-not-allow-external-0x80-interrupts.patch x86-tdx-allow-32-bit-emulation-by-default.patch +dt-dt-extract-compatibles-handle-cfile-arguments-in-.patch +dt-dt-extract-compatibles-don-t-follow-symlinks-when.patch +platform-x86-asus-wmi-move-i8042-filter-install-to-s.patch +of-dynamic-fix-of_reconfig_get_state_change-return-v.patch +platform-x86-wmi-skip-blocks-with-zero-instances.patch +ipv6-fix-potential-null-deref-in-fib6_add.patch +octeontx2-pf-add-missing-mutex-lock-in-otx2_get_paus.patch +octeontx2-af-check-return-value-of-nix_get_nixlf-bef.patch +hv_netvsc-rndis_filter-needs-to-select-nls.patch +r8152-rename-rtl8152_unplug-to-rtl8152_inaccessible.patch +r8152-add-rtl8152_inaccessible-checks-to-more-loops.patch +r8152-add-rtl8152_inaccessible-to-r8156b_wait_loadin.patch +r8152-add-rtl8152_inaccessible-to-r8153_pre_firmware.patch +r8152-add-rtl8152_inaccessible-to-r8153_aldps_en.patch +mlxbf-bootctl-correctly-identify-secure-boot-with-de.patch +platform-mellanox-add-null-pointer-checks-for-devm_k.patch +platform-mellanox-check-devm_hwmon_device_register_w.patch +arcnet-restoring-support-for-multiple-sohard-arcnet-.patch +octeontx2-pf-consider-both-rx-and-tx-packet-stats-fo.patch +net-stmmac-fix-fpe-events-losing.patch +xsk-skip-polling-event-check-for-unbound-socket.patch +octeontx2-af-fix-a-use-after-free-in-rvu_npa_registe.patch +i40e-fix-unexpected-mfs-warning-message.patch +iavf-validate-tx_coalesce_usecs-even-if-rx_coalesce_.patch +net-bnxt-fix-a-potential-use-after-free-in-bnxt_init.patch +tcp-fix-mid-stream-window-clamp.patch +ionic-fix-snprintf-format-length-warning.patch +ionic-fix-dim-work-handling-in-split-interrupt-mode.patch +ipv4-ip_gre-avoid-skb_pull-failure-in-ipgre_xmit.patch +net-atlantic-fix-null-dereference-of-skb-pointer-in.patch +net-hns-fix-wrong-head-when-modify-the-tx-feature-wh.patch +net-hns-fix-fake-link-up-on-xge-port.patch +octeontx2-af-adjust-tx-credits-when-mcs-external-byp.patch +octeontx2-af-fix-mcs-sa-cam-entries-size.patch +octeontx2-af-fix-mcs-stats-register-address.patch +octeontx2-af-add-missing-mcs-flr-handler-call.patch +octeontx2-af-update-tx-link-register-range.patch +dt-bindings-interrupt-controller-allow-power-domain-.patch +netfilter-nft_exthdr-add-boolean-dccp-option-matchin.patch +netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch +netfilter-nf_tables-bail-out-on-mismatching-dynset-a.patch +netfilter-nf_tables-validate-family-when-identifying.patch +netfilter-xt_owner-fix-for-unsafe-access-of-sk-sk_so.patch +tcp-do-not-accept-ack-of-bytes-we-never-sent.patch +bpf-sockmap-updating-the-sg-structure-should-also-up.patch +psample-require-cap_net_admin-when-joining-packets-g.patch +drop_monitor-require-cap_sys_admin-when-joining-even.patch +mm-damon-sysfs-eliminate-potential-uninitialized-var.patch diff --git a/queue-6.1/tcp-do-not-accept-ack-of-bytes-we-never-sent.patch b/queue-6.1/tcp-do-not-accept-ack-of-bytes-we-never-sent.patch new file mode 100644 index 00000000000..3ba2fdcc17a --- /dev/null +++ b/queue-6.1/tcp-do-not-accept-ack-of-bytes-we-never-sent.patch @@ -0,0 +1,106 @@ +From cc13b0901d4d99bfb4183aef931d40fef120aad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 16:18:41 +0000 +Subject: tcp: do not accept ACK of bytes we never sent + +From: Eric Dumazet + +[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ] + +This patch is based on a detailed report and ideas from Yepeng Pan +and Christian Rossow. + +ACK seq validation is currently following RFC 5961 5.2 guidelines: + + The ACK value is considered acceptable only if + it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= + SND.NXT). All incoming segments whose ACK value doesn't satisfy the + above condition MUST be discarded and an ACK sent back. It needs to + be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a + duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK + acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an + ACK, drop the segment, and return". The "ignored" above implies that + the processing of the incoming data segment continues, which means + the ACK value is treated as acceptable. This mitigation makes the + ACK check more stringent since any ACK < SND.UNA wouldn't be + accepted, instead only ACKs that are in the range ((SND.UNA - + MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. + +This can be refined for new (and possibly spoofed) flows, +by not accepting ACK for bytes that were never sent. + +This greatly improves TCP security at a little cost. + +I added a Fixes: tag to make sure this patch will reach stable trees, +even if the 'blamed' patch was adhering to the RFC. + +tp->bytes_acked was added in linux-4.2 + +Following packetdrill test (courtesy of Yepeng Pan) shows +the issue at hand: + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 ++0 bind(3, ..., ...) = 0 ++0 listen(3, 1024) = 0 + +// ---------------- Handshake ------------------- // + +// when window scale is set to 14 the window size can be extended to +// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet +// with ack number in (Server_ISN+1-1073725440. Server_ISN+1) +// ,though this ack number acknowledges some data never +// sent by the server. + ++0 < S 0:0(0) win 65535 ++0 > S. 0:0(0) ack 1 <...> ++0 < . 1:1(0) ack 1 win 65535 ++0 accept(3, ..., ...) = 4 + +// For the established connection, we send an ACK packet, +// the ack packet uses ack number 1 - 1073725300 + 2^32, +// where 2^32 is used to wrap around. +// Note: we used 1073725300 instead of 1073725440 to avoid possible +// edge cases. +// 1 - 1073725300 + 2^32 = 3221241997 + +// Oops, old kernels happily accept this packet. ++0 < . 1:1001(1000) ack 3221241997 win 65535 + +// After the kernel fix the following will be replaced by a challenge ACK, +// and prior malicious frame would be dropped. ++0 > . 1:1(0) ack 1001 + +Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") +Signed-off-by: Eric Dumazet +Reported-by: Yepeng Pan +Reported-by: Christian Rossow +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20231205161841.2702925-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 65dae3d43684f..34460c9b37ae2 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3803,8 +3803,12 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + * then we can probably ignore it. + */ + if (before(ack, prior_snd_una)) { ++ u32 max_window; ++ ++ /* do not accept ACK for bytes we never sent. */ ++ max_window = min_t(u64, tp->max_window, tp->bytes_acked); + /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */ +- if (before(ack, prior_snd_una - tp->max_window)) { ++ if (before(ack, prior_snd_una - max_window)) { + if (!(flag & FLAG_NO_CHALLENGE_ACK)) + tcp_send_challenge_ack(sk); + return -SKB_DROP_REASON_TCP_TOO_OLD_ACK; +-- +2.42.0 + diff --git a/queue-6.1/tcp-fix-mid-stream-window-clamp.patch b/queue-6.1/tcp-fix-mid-stream-window-clamp.patch new file mode 100644 index 00000000000..9ebd21f9c3d --- /dev/null +++ b/queue-6.1/tcp-fix-mid-stream-window-clamp.patch @@ -0,0 +1,104 @@ +From ce2243b50d9bd22745046e32f655aca22e4a1c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 17:08:05 +0100 +Subject: tcp: fix mid stream window clamp. + +From: Paolo Abeni + +[ Upstream commit 58d3aade20cdddbac6c9707ac0f3f5f8c1278b74 ] + +After the blamed commit below, if the user-space application performs +window clamping when tp->rcv_wnd is 0, the TCP socket will never be +able to announce a non 0 receive window, even after completely emptying +the receive buffer and re-setting the window clamp to higher values. + +Refactor tcp_set_window_clamp() to address the issue: when the user +decreases the current clamp value, set rcv_ssthresh according to the +same logic used at buffer initialization, but ensuring reserved mem +provisioning. + +To avoid code duplication factor-out the relevant bits from +tcp_adjust_rcv_ssthresh() in a new helper and reuse it in the above +scenario. + +When increasing the clamp value, give the rcv_ssthresh a chance to grow +according to previously implemented heuristic. + +Fixes: 3aa7857fe1d7 ("tcp: enable mid stream window clamp") +Reported-by: David Gibson +Reported-by: Stefano Brivio +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/705dad54e6e6e9a010e571bf58e0b35a8ae70503.1701706073.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 22 +++++++++++++++++++--- + 2 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 19646fdec23dc..c3d56b337f358 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1460,17 +1460,22 @@ static inline int tcp_full_space(const struct sock *sk) + return tcp_win_from_space(sk, READ_ONCE(sk->sk_rcvbuf)); + } + +-static inline void tcp_adjust_rcv_ssthresh(struct sock *sk) ++static inline void __tcp_adjust_rcv_ssthresh(struct sock *sk, u32 new_ssthresh) + { + int unused_mem = sk_unused_reserved_mem(sk); + struct tcp_sock *tp = tcp_sk(sk); + +- tp->rcv_ssthresh = min(tp->rcv_ssthresh, 4U * tp->advmss); ++ tp->rcv_ssthresh = min(tp->rcv_ssthresh, new_ssthresh); + if (unused_mem) + tp->rcv_ssthresh = max_t(u32, tp->rcv_ssthresh, + tcp_win_from_space(sk, unused_mem)); + } + ++static inline void tcp_adjust_rcv_ssthresh(struct sock *sk) ++{ ++ __tcp_adjust_rcv_ssthresh(sk, 4U * tcp_sk(sk)->advmss); ++} ++ + void tcp_cleanup_rbuf(struct sock *sk, int copied); + void __tcp_cleanup_rbuf(struct sock *sk, int copied); + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 288678f17ccaf..58409ea2da0af 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3473,9 +3473,25 @@ int tcp_set_window_clamp(struct sock *sk, int val) + return -EINVAL; + tp->window_clamp = 0; + } else { +- tp->window_clamp = val < SOCK_MIN_RCVBUF / 2 ? +- SOCK_MIN_RCVBUF / 2 : val; +- tp->rcv_ssthresh = min(tp->rcv_wnd, tp->window_clamp); ++ u32 new_rcv_ssthresh, old_window_clamp = tp->window_clamp; ++ u32 new_window_clamp = val < SOCK_MIN_RCVBUF / 2 ? ++ SOCK_MIN_RCVBUF / 2 : val; ++ ++ if (new_window_clamp == old_window_clamp) ++ return 0; ++ ++ tp->window_clamp = new_window_clamp; ++ if (new_window_clamp < old_window_clamp) { ++ /* need to apply the reserved mem provisioning only ++ * when shrinking the window clamp ++ */ ++ __tcp_adjust_rcv_ssthresh(sk, tp->window_clamp); ++ ++ } else { ++ new_rcv_ssthresh = min(tp->rcv_wnd, tp->window_clamp); ++ tp->rcv_ssthresh = max(new_rcv_ssthresh, ++ tp->rcv_ssthresh); ++ } + } + return 0; + } +-- +2.42.0 + diff --git a/queue-6.1/xsk-skip-polling-event-check-for-unbound-socket.patch b/queue-6.1/xsk-skip-polling-event-check-for-unbound-socket.patch new file mode 100644 index 00000000000..7796de9713d --- /dev/null +++ b/queue-6.1/xsk-skip-polling-event-check-for-unbound-socket.patch @@ -0,0 +1,56 @@ +From 6b36b9ac45d3d7864f6a1c3ff3ba87647019cb3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 15:10:52 +0900 +Subject: xsk: Skip polling event check for unbound socket + +From: Yewon Choi + +[ Upstream commit e4d008d49a7135214e0ee70537405b6a069e3a3f ] + +In xsk_poll(), checking available events and setting mask bits should +be executed only when a socket has been bound. Setting mask bits for +unbound socket is meaningless. + +Currently, it checks events even when xsk_check_common() failed. +To prevent this, we move goto location (skip_tx) after that checking. + +Fixes: 1596dae2f17e ("xsk: check IFF_UP earlier in Tx path") +Signed-off-by: Yewon Choi +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20231201061048.GA1510@libra05 +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index f7592638e61d3..5c8e02d56fd43 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -722,7 +722,7 @@ static __poll_t xsk_poll(struct file *file, struct socket *sock, + + rcu_read_lock(); + if (xsk_check_common(xs)) +- goto skip_tx; ++ goto out; + + pool = xs->pool; + +@@ -734,12 +734,11 @@ static __poll_t xsk_poll(struct file *file, struct socket *sock, + xsk_generic_xmit(sk); + } + +-skip_tx: + if (xs->rx && !xskq_prod_is_empty(xs->rx)) + mask |= EPOLLIN | EPOLLRDNORM; + if (xs->tx && xsk_tx_writeable(xs)) + mask |= EPOLLOUT | EPOLLWRNORM; +- ++out: + rcu_read_unlock(); + return mask; + } +-- +2.42.0 + -- 2.47.3