From d553cb87d68dbdc3a51726507605518faca56d22 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 11 Nov 2023 21:50:09 -0500 Subject: [PATCH] Fixes for 6.6 Signed-off-by: Sasha Levin --- ...-pr_warn_ratelimited-in-bio_check_ro.patch | 43 ++++ ...sercnt-after-timer-timer-is-assigned.patch | 113 ++++++++++ ...ty_inet_conn_request-after-setting-i.patch | 59 ++++++ ...curity_inet_conn_request-after-setti.patch | 85 ++++++++ ...not-broadcast-to-other-cpus-when-sta.patch | 101 +++++++++ ...tion-state-for-idr_for_each_entry_ul.patch | 64 ++++++ ...after-free-in-prp_create_tagged_fram.patch | 42 ++++ ...i2c-iproc-handle-invalid-slave-state.patch | 200 ++++++++++++++++++ ...g-disable-on-non-compliant-aggregate.patch | 56 +++++ ...rection-matching-in-drop-rule-in-swi.patch | 73 +++++++ ...vf-vf-filter-rules-in-switchdev-mode.patch | 191 +++++++++++++++++ ...ice-lag-in-rcu-use-atomic-allocation.patch | 59 ++++++ .../inet-shrink-struct-flowi_common.patch | 44 ++++ ...rmi4-fix-use-after-free-in-rmi_unreg.patch | 43 ++++ ...fy-mac-len-before-reading-mac-header.patch | 113 ++++++++++ queue-6.6/nbd-fix-uaf-in-nbd_open.patch | 73 +++++++ ...n-enetc_setup_xdp_prog-error-message.patch | 47 ++++ ...d-missing-free_percpu-when-page_pool.patch | 48 +++++ ...e-multicast-filter-for-rtl8168h-and-.patch | 43 ++++ ...-always-fill-offloading-tuple-iifidx.patch | 147 +++++++++++++ ...c-msg-send-rather-than-drop-it-with-.patch | 64 ++++++ ...ling-sock-under-state-smc_appfinclos.patch | 111 ++++++++++ ...reference-if-close-work-was-canceled.patch | 40 ++++ ...-enable-support-for-multiple-flexibl.patch | 68 ++++++ ...i-icss-iep-fix-setting-counter-value.patch | 38 ++++ ...x-ipv6-nat-redirect-with-mapped-and-.patch | 97 +++++++++ ...ent-fix-increase-ipv6-literal-buffer.patch | 49 +++++ ...andling-for-io_uring-nvme-passthroug.patch | 46 ++++ queue-6.6/octeontx2-pf-fix-error-codes.patch | 69 ++++++ ...octeontx2-pf-fix-holes-in-error-code.patch | 156 ++++++++++++++ ...tx2-pf-free-pending-and-dropped-sqes.patch | 162 ++++++++++++++ ...ize-appropriate-clock-apis-in-suspen.patch | 51 +++++ ...umber-of-allocations-and-drop-usage-.patch | 115 ++++++++++ ...ct-userspace-disabling-iff_multicast.patch | 42 ++++ ...l-in-riscv_of_parent_hartid-for-disa.patch | 56 +++++ ...iscv-boot-fix-creation-of-loader.bin.patch | 47 ++++ ...xrpc-fix-two-connection-reaping-bugs.patch | 62 ++++++ ...elftests-pmtu.sh-fix-result-checking.patch | 41 ++++ queue-6.6/series | 44 ++++ ...down-device-only-on-system_power_off.patch | 46 ++++ ...policy-for-bearer-related-names-to-n.patch | 111 ++++++++++ ...-uninit-value-in-virtio_transport_re.patch | 106 ++++++++++ ...ove-socket-from-connected-bound-list.patch | 75 +++++++ ...xp4xx-make-sure-restart-always-works.patch | 88 ++++++++ ...vell_gti_wdt-fix-error-code-in-probe.patch | 39 ++++ 45 files changed, 3467 insertions(+) create mode 100644 queue-6.6/blk-core-use-pr_warn_ratelimited-in-bio_check_ro.patch create mode 100644 queue-6.6/bpf-check-map-usercnt-after-timer-timer-is-assigned.patch create mode 100644 queue-6.6/dccp-call-security_inet_conn_request-after-setting-i.patch create mode 100644 queue-6.6/dccp-tcp-call-security_inet_conn_request-after-setti.patch create mode 100644 queue-6.6/drivers-perf-do-not-broadcast-to-other-cpus-when-sta.patch create mode 100644 queue-6.6/fix-termination-state-for-idr_for_each_entry_ul.patch create mode 100644 queue-6.6/hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch create mode 100644 queue-6.6/i2c-iproc-handle-invalid-slave-state.patch create mode 100644 queue-6.6/ice-fix-sriov-lag-disable-on-non-compliant-aggregate.patch create mode 100644 queue-6.6/ice-fix-vf-vf-direction-matching-in-drop-rule-in-swi.patch create mode 100644 queue-6.6/ice-fix-vf-vf-filter-rules-in-switchdev-mode.patch create mode 100644 queue-6.6/ice-lag-in-rcu-use-atomic-allocation.patch create mode 100644 queue-6.6/inet-shrink-struct-flowi_common.patch create mode 100644 queue-6.6/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch create mode 100644 queue-6.6/llc-verify-mac-len-before-reading-mac-header.patch create mode 100644 queue-6.6/nbd-fix-uaf-in-nbd_open.patch create mode 100644 queue-6.6/net-enetc-shorten-enetc_setup_xdp_prog-error-message.patch create mode 100644 queue-6.6/net-page_pool-add-missing-free_percpu-when-page_pool.patch create mode 100644 queue-6.6/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch create mode 100644 queue-6.6/net-sched-act_ct-always-fill-offloading-tuple-iifidx.patch create mode 100644 queue-6.6/net-smc-allow-cdc-msg-send-rather-than-drop-it-with-.patch create mode 100644 queue-6.6/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch create mode 100644 queue-6.6/net-smc-put-sk-reference-if-close-work-was-canceled.patch create mode 100644 queue-6.6/net-stmmac-xgmac-enable-support-for-multiple-flexibl.patch create mode 100644 queue-6.6/net-ti-icss-iep-fix-setting-counter-value.patch create mode 100644 queue-6.6/netfilter-nat-fix-ipv6-nat-redirect-with-mapped-and-.patch create mode 100644 queue-6.6/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch create mode 100644 queue-6.6/nvme-fix-error-handling-for-io_uring-nvme-passthroug.patch create mode 100644 queue-6.6/octeontx2-pf-fix-error-codes.patch create mode 100644 queue-6.6/octeontx2-pf-fix-holes-in-error-code.patch create mode 100644 queue-6.6/octeontx2-pf-free-pending-and-dropped-sqes.patch create mode 100644 queue-6.6/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch create mode 100644 queue-6.6/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch create mode 100644 queue-6.6/r8169-respect-userspace-disabling-iff_multicast.patch create mode 100644 queue-6.6/risc-v-don-t-fail-in-riscv_of_parent_hartid-for-disa.patch create mode 100644 queue-6.6/riscv-boot-fix-creation-of-loader.bin.patch create mode 100644 queue-6.6/rxrpc-fix-two-connection-reaping-bugs.patch create mode 100644 queue-6.6/selftests-pmtu.sh-fix-result-checking.patch create mode 100644 queue-6.6/tg3-power-down-device-only-on-system_power_off.patch create mode 100644 queue-6.6/tipc-change-nla_policy-for-bearer-related-names-to-n.patch create mode 100644 queue-6.6/virtio-vsock-fix-uninit-value-in-virtio_transport_re.patch create mode 100644 queue-6.6/vsock-virtio-remove-socket-from-connected-bound-list.patch create mode 100644 queue-6.6/watchdog-ixp4xx-make-sure-restart-always-works.patch create mode 100644 queue-6.6/watchdog-marvell_gti_wdt-fix-error-code-in-probe.patch diff --git a/queue-6.6/blk-core-use-pr_warn_ratelimited-in-bio_check_ro.patch b/queue-6.6/blk-core-use-pr_warn_ratelimited-in-bio_check_ro.patch new file mode 100644 index 00000000000..a69766e96ab --- /dev/null +++ b/queue-6.6/blk-core-use-pr_warn_ratelimited-in-bio_check_ro.patch @@ -0,0 +1,43 @@ +From 922a2607ee9d6b5c609ab4010c0ae404591731aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 19:12:47 +0800 +Subject: blk-core: use pr_warn_ratelimited() in bio_check_ro() + +From: Yu Kuai + +[ Upstream commit 1b0a151c10a6d823f033023b9fdd9af72a89591b ] + +If one of the underlying disks of raid or dm is set to read-only, then +each io will generate new log, which will cause message storm. This +environment is indeed problematic, however we can't make sure our +naive custormer won't do this, hence use pr_warn_ratelimited() to +prevent message storm in this case. + +Signed-off-by: Yu Kuai +Fixes: 57e95e4670d1 ("block: fix and cleanup bio_check_ro") +Signed-off-by: Ye Bin +Link: https://lore.kernel.org/r/20231107111247.2157820-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 9d51e9894ece7..fdf25b8d6e784 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -501,8 +501,8 @@ static inline void bio_check_ro(struct bio *bio) + if (op_is_write(bio_op(bio)) && bdev_read_only(bio->bi_bdev)) { + if (op_is_flush(bio->bi_opf) && !bio_sectors(bio)) + return; +- pr_warn("Trying to write to read-only block-device %pg\n", +- bio->bi_bdev); ++ pr_warn_ratelimited("Trying to write to read-only block-device %pg\n", ++ bio->bi_bdev); + /* Older lvm-tools actually trigger this */ + } + } +-- +2.42.0 + diff --git a/queue-6.6/bpf-check-map-usercnt-after-timer-timer-is-assigned.patch b/queue-6.6/bpf-check-map-usercnt-after-timer-timer-is-assigned.patch new file mode 100644 index 00000000000..00cfd1cbf78 --- /dev/null +++ b/queue-6.6/bpf-check-map-usercnt-after-timer-timer-is-assigned.patch @@ -0,0 +1,113 @@ +From 679fae24026982c055d504f603b1ddfe3da7112f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 14:36:16 +0800 +Subject: bpf: Check map->usercnt after timer->timer is assigned + +From: Hou Tao + +[ Upstream commit fd381ce60a2d79cc967506208085336d3d268ae0 ] + +When there are concurrent uref release and bpf timer init operations, +the following sequence diagram is possible. It will break the guarantee +provided by bpf_timer: bpf_timer will still be alive after userspace +application releases or unpins the map. It also will lead to kmemleak +for old kernel version which doesn't release bpf_timer when map is +released. + +bpf program X: + +bpf_timer_init() + lock timer->lock + read timer->timer as NULL + read map->usercnt != 0 + + process Y: + + close(map_fd) + // put last uref + bpf_map_put_uref() + atomic_dec_and_test(map->usercnt) + array_map_free_timers() + bpf_timer_cancel_and_free() + // just return + read timer->timer is NULL + + t = bpf_map_kmalloc_node() + timer->timer = t + unlock timer->lock + +Fix the problem by checking map->usercnt after timer->timer is assigned, +so when there are concurrent uref release and bpf timer init, either +bpf_timer_cancel_and_free() from uref release reads a no-NULL timer +or the newly-added atomic64_read() returns a zero usercnt. + +Because atomic_dec_and_test(map->usercnt) and READ_ONCE(timer->timer) +in bpf_timer_cancel_and_free() are not protected by a lock, so add +a memory barrier to guarantee the order between map->usercnt and +timer->timer. Also use WRITE_ONCE(timer->timer, x) to match the lockless +read of timer->timer in bpf_timer_cancel_and_free(). + +Reported-by: Hsin-Wei Hung +Closes: https://lore.kernel.org/bpf/CABcoxUaT2k9hWsS1tNgXyoU3E-=PuOgMn737qK984fbFmfYixQ@mail.gmail.com +Fixes: b00628b1c7d5 ("bpf: Introduce bpf timers.") +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20231030063616.1653024-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 68f54e16c7be0..607be04db75b9 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -1176,13 +1176,6 @@ BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern *, timer, struct bpf_map *, map + ret = -EBUSY; + goto out; + } +- if (!atomic64_read(&map->usercnt)) { +- /* maps with timers must be either held by user space +- * or pinned in bpffs. +- */ +- ret = -EPERM; +- goto out; +- } + /* allocate hrtimer via map_kmalloc to use memcg accounting */ + t = bpf_map_kmalloc_node(map, sizeof(*t), GFP_ATOMIC, map->numa_node); + if (!t) { +@@ -1195,7 +1188,21 @@ BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern *, timer, struct bpf_map *, map + rcu_assign_pointer(t->callback_fn, NULL); + hrtimer_init(&t->timer, clockid, HRTIMER_MODE_REL_SOFT); + t->timer.function = bpf_timer_cb; +- timer->timer = t; ++ WRITE_ONCE(timer->timer, t); ++ /* Guarantee the order between timer->timer and map->usercnt. So ++ * when there are concurrent uref release and bpf timer init, either ++ * bpf_timer_cancel_and_free() called by uref release reads a no-NULL ++ * timer or atomic64_read() below returns a zero usercnt. ++ */ ++ smp_mb(); ++ if (!atomic64_read(&map->usercnt)) { ++ /* maps with timers must be either held by user space ++ * or pinned in bpffs. ++ */ ++ WRITE_ONCE(timer->timer, NULL); ++ kfree(t); ++ ret = -EPERM; ++ } + out: + __bpf_spin_unlock_irqrestore(&timer->lock); + return ret; +@@ -1370,7 +1377,7 @@ void bpf_timer_cancel_and_free(void *val) + /* The subsequent bpf_timer_start/cancel() helpers won't be able to use + * this timer, since it won't be initialized. + */ +- timer->timer = NULL; ++ WRITE_ONCE(timer->timer, NULL); + out: + __bpf_spin_unlock_irqrestore(&timer->lock); + if (!t) +-- +2.42.0 + diff --git a/queue-6.6/dccp-call-security_inet_conn_request-after-setting-i.patch b/queue-6.6/dccp-call-security_inet_conn_request-after-setting-i.patch new file mode 100644 index 00000000000..8858f084d3e --- /dev/null +++ b/queue-6.6/dccp-call-security_inet_conn_request-after-setting-i.patch @@ -0,0 +1,59 @@ +From 5ba31fafb4e1c032de2db08ee2f83666231c6cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:41 -0700 +Subject: dccp: Call security_inet_conn_request() after setting IPv4 addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv4 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after the cited commits. + +This bug was partially fixed by commit 284904aa7946 ("lsm: Relocate +the IPv4 security_inet_conn_request() hooks"). + +This patch fixes the last bug in DCCPv4. + +Fixes: 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux") +Fixes: 07feee8f812f ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 69453b936bd55..524b7e581a036 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -629,9 +629,6 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); +@@ -639,6 +636,9 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + ireq->ireq_family = AF_INET; + ireq->ir_iif = READ_ONCE(sk->sk_bound_dev_if); + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + /* + * Step 3: Process LISTEN state + * +-- +2.42.0 + diff --git a/queue-6.6/dccp-tcp-call-security_inet_conn_request-after-setti.patch b/queue-6.6/dccp-tcp-call-security_inet_conn_request-after-setti.patch new file mode 100644 index 00000000000..2ad97934057 --- /dev/null +++ b/queue-6.6/dccp-tcp-call-security_inet_conn_request-after-setti.patch @@ -0,0 +1,85 @@ +From 3cbb4b9d137990cc1102800a91ef83438d20cae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:42 -0700 +Subject: dccp/tcp: Call security_inet_conn_request() after setting IPv6 + addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv6 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after commit e1adea927080 ("calipso: Allow request sockets to be +relabelled by the lsm."). + +Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request() +hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was +not supported at that time. Finally, the same issue was introduced again +in IPv6. + +Let's apply the same fix on DCCPv6 and TCPv6. + +Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv6.c | 6 +++--- + net/ipv6/syncookies.c | 7 ++++--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index c693a570682fb..6f5a556f4f6d7 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -360,15 +360,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; + ireq->ir_mark = inet_request_mark(sk, skb); + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index 5014aa6634527..8698b49dfc8de 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -180,14 +180,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + treq = tcp_rsk(req); + treq->tfo_listener = false; + +- if (security_inet_conn_request(sk, skb, req)) +- goto out_free; +- + req->mss = mss; + ireq->ir_rmt_port = th->source; + ireq->ir_num = ntohs(th->dest); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; ++ ++ if (security_inet_conn_request(sk, skb, req)) ++ goto out_free; ++ + if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +-- +2.42.0 + diff --git a/queue-6.6/drivers-perf-do-not-broadcast-to-other-cpus-when-sta.patch b/queue-6.6/drivers-perf-do-not-broadcast-to-other-cpus-when-sta.patch new file mode 100644 index 00000000000..1d79d5e20b1 --- /dev/null +++ b/queue-6.6/drivers-perf-do-not-broadcast-to-other-cpus-when-sta.patch @@ -0,0 +1,101 @@ +From 898b716c08a5026f97c30809157c7794b6204bbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 10:40:10 +0200 +Subject: drivers: perf: Do not broadcast to other cpus when starting a counter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +[ Upstream commit 61e3d993c8bd3e80f8f1363ed5e04f88ab531b72 ] + +This command: + +$ perf record -e cycles:k -e instructions:k -c 10000 -m 64M dd if=/dev/zero of=/dev/null count=1000 + +gives rise to this kernel warning: + +[ 444.364395] WARNING: CPU: 0 PID: 104 at kernel/smp.c:775 smp_call_function_many_cond+0x42c/0x436 +[ 444.364515] Modules linked in: +[ 444.364657] CPU: 0 PID: 104 Comm: perf-exec Not tainted 6.6.0-rc6-00051-g391df82e8ec3-dirty #73 +[ 444.364771] Hardware name: riscv-virtio,qemu (DT) +[ 444.364868] epc : smp_call_function_many_cond+0x42c/0x436 +[ 444.364917] ra : on_each_cpu_cond_mask+0x20/0x32 +[ 444.364948] epc : ffffffff8009f9e0 ra : ffffffff8009fa5a sp : ff20000000003800 +[ 444.364966] gp : ffffffff81500aa0 tp : ff60000002b83000 t0 : ff200000000038c0 +[ 444.364982] t1 : ffffffff815021f0 t2 : 000000000000001f s0 : ff200000000038b0 +[ 444.364998] s1 : ff60000002c54d98 a0 : ff60000002a73940 a1 : 0000000000000000 +[ 444.365013] a2 : 0000000000000000 a3 : 0000000000000003 a4 : 0000000000000100 +[ 444.365029] a5 : 0000000000010100 a6 : 0000000000f00000 a7 : 0000000000000000 +[ 444.365044] s2 : 0000000000000000 s3 : ffffffffffffffff s4 : ff60000002c54d98 +[ 444.365060] s5 : ffffffff81539610 s6 : ffffffff80c20c48 s7 : 0000000000000000 +[ 444.365075] s8 : 0000000000000000 s9 : 0000000000000001 s10: 0000000000000001 +[ 444.365090] s11: ffffffff80099394 t3 : 0000000000000003 t4 : 00000000eac0c6e6 +[ 444.365104] t5 : 0000000400000000 t6 : ff60000002e010d0 +[ 444.365120] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 +[ 444.365226] [] smp_call_function_many_cond+0x42c/0x436 +[ 444.365295] [] on_each_cpu_cond_mask+0x20/0x32 +[ 444.365311] [] pmu_sbi_ctr_start+0x7a/0xaa +[ 444.365327] [] riscv_pmu_start+0x48/0x66 +[ 444.365339] [] perf_adjust_freq_unthr_context+0x196/0x1ac +[ 444.365356] [] perf_event_task_tick+0x78/0x8c +[ 444.365368] [] scheduler_tick+0xe6/0x25e +[ 444.365383] [] update_process_times+0x80/0x96 +[ 444.365398] [] tick_sched_handle+0x26/0x52 +[ 444.365410] [] tick_sched_timer+0x50/0x98 +[ 444.365422] [] __hrtimer_run_queues+0x126/0x18a +[ 444.365433] [] hrtimer_interrupt+0xce/0x1da +[ 444.365444] [] riscv_timer_interrupt+0x30/0x3a +[ 444.365457] [] handle_percpu_devid_irq+0x80/0x114 +[ 444.365470] [] generic_handle_domain_irq+0x1c/0x2a +[ 444.365483] [] riscv_intc_irq+0x2e/0x46 +[ 444.365497] [] handle_riscv_irq+0x4a/0x74 +[ 444.365521] [] do_irq+0x7c/0x7e +[ 444.365796] ---[ end trace 0000000000000000 ]--- + +That's because the fix in commit 3fec323339a4 ("drivers: perf: Fix panic +in riscv SBI mmap support") was wrong since there is no need to broadcast +to other cpus when starting a counter, that's only needed in mmap when +the counters could have already been started on other cpus, so simply +remove this broadcast. + +Fixes: 3fec323339a4 ("drivers: perf: Fix panic in riscv SBI mmap support") +Signed-off-by: Alexandre Ghiti +Tested-by: Clément Léger +Tested-by: Yu Chien Peter Lin +Tested-by: Lad Prabhakar #On +Link: https://lore.kernel.org/r/20231026084010.11888-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + drivers/perf/riscv_pmu_sbi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c +index 96c7f670c8f0d..fcb0c70ca2225 100644 +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -543,8 +543,7 @@ static void pmu_sbi_ctr_start(struct perf_event *event, u64 ival) + + if ((hwc->flags & PERF_EVENT_FLAG_USER_ACCESS) && + (hwc->flags & PERF_EVENT_FLAG_USER_READ_CNT)) +- on_each_cpu_mask(mm_cpumask(event->owner->mm), +- pmu_sbi_set_scounteren, (void *)event, 1); ++ pmu_sbi_set_scounteren((void *)event); + } + + static void pmu_sbi_ctr_stop(struct perf_event *event, unsigned long flag) +@@ -554,8 +553,7 @@ static void pmu_sbi_ctr_stop(struct perf_event *event, unsigned long flag) + + if ((hwc->flags & PERF_EVENT_FLAG_USER_ACCESS) && + (hwc->flags & PERF_EVENT_FLAG_USER_READ_CNT)) +- on_each_cpu_mask(mm_cpumask(event->owner->mm), +- pmu_sbi_reset_scounteren, (void *)event, 1); ++ pmu_sbi_reset_scounteren((void *)event); + + ret = sbi_ecall(SBI_EXT_PMU, SBI_EXT_PMU_COUNTER_STOP, hwc->idx, 1, flag, 0, 0, 0); + if (ret.error && (ret.error != SBI_ERR_ALREADY_STOPPED) && +-- +2.42.0 + diff --git a/queue-6.6/fix-termination-state-for-idr_for_each_entry_ul.patch b/queue-6.6/fix-termination-state-for-idr_for_each_entry_ul.patch new file mode 100644 index 00000000000..5d4bdf267a1 --- /dev/null +++ b/queue-6.6/fix-termination-state-for-idr_for_each_entry_ul.patch @@ -0,0 +1,64 @@ +From e44f3fdfea59c73420ac2f313867b5f6c49518cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 09:53:33 +1100 +Subject: Fix termination state for idr_for_each_entry_ul() + +From: NeilBrown + +[ Upstream commit e8ae8ad479e2d037daa33756e5e72850a7bd37a9 ] + +The comment for idr_for_each_entry_ul() states + + after normal termination @entry is left with the value NULL + +This is not correct in the case where UINT_MAX has an entry in the idr. +In that case @entry will be non-NULL after termination. +No current code depends on the documentation being correct, but to +save future code we should fix it. + +Also fix idr_for_each_entry_continue_ul(). While this is not documented +as leaving @entry as NULL, the mellanox driver appears to depend on +it doing so. So make that explicit in the documentation as well as in +the code. + +Fixes: e33d2b74d805 ("idr: fix overflow case for idr_for_each_entry_ul()") +Cc: Matthew Wilcox +Cc: Chris Mi +Cc: Cong Wang +Signed-off-by: NeilBrown +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/idr.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/idr.h b/include/linux/idr.h +index a0dce14090a9e..da5f5fa4a3a6a 100644 +--- a/include/linux/idr.h ++++ b/include/linux/idr.h +@@ -200,7 +200,7 @@ static inline void idr_preload_end(void) + */ + #define idr_for_each_entry_ul(idr, entry, tmp, id) \ + for (tmp = 0, id = 0; \ +- tmp <= id && ((entry) = idr_get_next_ul(idr, &(id))) != NULL; \ ++ ((entry) = tmp <= id ? idr_get_next_ul(idr, &(id)) : NULL) != NULL; \ + tmp = id, ++id) + + /** +@@ -224,10 +224,12 @@ static inline void idr_preload_end(void) + * @id: Entry ID. + * + * Continue to iterate over entries, continuing after the current position. ++ * After normal termination @entry is left with the value NULL. This ++ * is convenient for a "not found" value. + */ + #define idr_for_each_entry_continue_ul(idr, entry, tmp, id) \ + for (tmp = id; \ +- tmp <= id && ((entry) = idr_get_next_ul(idr, &(id))) != NULL; \ ++ ((entry) = tmp <= id ? idr_get_next_ul(idr, &(id)) : NULL) != NULL; \ + tmp = id, ++id) + + /* +-- +2.42.0 + diff --git a/queue-6.6/hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch b/queue-6.6/hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch new file mode 100644 index 00000000000..1e539a5e993 --- /dev/null +++ b/queue-6.6/hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch @@ -0,0 +1,42 @@ +From 9680c023ee3f31afb499d93d7861d97945a18c15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 15:19:01 +0300 +Subject: hsr: Prevent use after free in prp_create_tagged_frame() + +From: Dan Carpenter + +[ Upstream commit 876f8ab52363f649bcc74072157dfd7adfbabc0d ] + +The prp_fill_rct() function can fail. In that situation, it frees the +skb and returns NULL. Meanwhile on the success path, it returns the +original skb. So it's straight forward to fix bug by using the returned +value. + +Fixes: 451d8123f897 ("net: prp: add packet handling support") +Signed-off-by: Dan Carpenter +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/57af1f28-7f57-4a96-bcd3-b7a0f2340845@moroto.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index b71dab630a873..80cdc6f6b34c9 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -342,9 +342,7 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame, + skb = skb_copy_expand(frame->skb_std, 0, + skb_tailroom(frame->skb_std) + HSR_HLEN, + GFP_ATOMIC); +- prp_fill_rct(skb, frame, port); +- +- return skb; ++ return prp_fill_rct(skb, frame, port); + } + + static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, +-- +2.42.0 + diff --git a/queue-6.6/i2c-iproc-handle-invalid-slave-state.patch b/queue-6.6/i2c-iproc-handle-invalid-slave-state.patch new file mode 100644 index 00000000000..ca23c3d4288 --- /dev/null +++ b/queue-6.6/i2c-iproc-handle-invalid-slave-state.patch @@ -0,0 +1,200 @@ +From 46cc150b63cac8acb424200077f583b564463f45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 14:23:51 -0700 +Subject: i2c: iproc: handle invalid slave state + +From: Roman Bacik + +[ Upstream commit ba15a14399c262f91ce30c19fcbdc952262dd1be ] + +Add the code to handle an invalid state when both bits S_RX_EVENT +(indicating a transaction) and S_START_BUSY (indicating the end +of transaction - transition of START_BUSY from 1 to 0) are set in +the interrupt status register during a slave read. + +Signed-off-by: Roman Bacik +Fixes: 1ca1b4516088 ("i2c: iproc: handle Master aborted error") +Acked-by: Ray Jui +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-bcm-iproc.c | 133 ++++++++++++++++------------- + 1 file changed, 75 insertions(+), 58 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-bcm-iproc.c b/drivers/i2c/busses/i2c-bcm-iproc.c +index 51aab662050b1..e905734c26a04 100644 +--- a/drivers/i2c/busses/i2c-bcm-iproc.c ++++ b/drivers/i2c/busses/i2c-bcm-iproc.c +@@ -316,26 +316,44 @@ static void bcm_iproc_i2c_slave_init( + iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, val); + } + +-static void bcm_iproc_i2c_check_slave_status( +- struct bcm_iproc_i2c_dev *iproc_i2c) ++static bool bcm_iproc_i2c_check_slave_status ++ (struct bcm_iproc_i2c_dev *iproc_i2c, u32 status) + { + u32 val; ++ bool recover = false; + +- val = iproc_i2c_rd_reg(iproc_i2c, S_CMD_OFFSET); +- /* status is valid only when START_BUSY is cleared after it was set */ +- if (val & BIT(S_CMD_START_BUSY_SHIFT)) +- return; ++ /* check slave transmit status only if slave is transmitting */ ++ if (!iproc_i2c->slave_rx_only) { ++ val = iproc_i2c_rd_reg(iproc_i2c, S_CMD_OFFSET); ++ /* status is valid only when START_BUSY is cleared */ ++ if (!(val & BIT(S_CMD_START_BUSY_SHIFT))) { ++ val = (val >> S_CMD_STATUS_SHIFT) & S_CMD_STATUS_MASK; ++ if (val == S_CMD_STATUS_TIMEOUT || ++ val == S_CMD_STATUS_MASTER_ABORT) { ++ dev_warn(iproc_i2c->device, ++ (val == S_CMD_STATUS_TIMEOUT) ? ++ "slave random stretch time timeout\n" : ++ "Master aborted read transaction\n"); ++ recover = true; ++ } ++ } ++ } ++ ++ /* RX_EVENT is not valid when START_BUSY is set */ ++ if ((status & BIT(IS_S_RX_EVENT_SHIFT)) && ++ (status & BIT(IS_S_START_BUSY_SHIFT))) { ++ dev_warn(iproc_i2c->device, "Slave aborted read transaction\n"); ++ recover = true; ++ } + +- val = (val >> S_CMD_STATUS_SHIFT) & S_CMD_STATUS_MASK; +- if (val == S_CMD_STATUS_TIMEOUT || val == S_CMD_STATUS_MASTER_ABORT) { +- dev_err(iproc_i2c->device, (val == S_CMD_STATUS_TIMEOUT) ? +- "slave random stretch time timeout\n" : +- "Master aborted read transaction\n"); ++ if (recover) { + /* re-initialize i2c for recovery */ + bcm_iproc_i2c_enable_disable(iproc_i2c, false); + bcm_iproc_i2c_slave_init(iproc_i2c, true); + bcm_iproc_i2c_enable_disable(iproc_i2c, true); + } ++ ++ return recover; + } + + static void bcm_iproc_i2c_slave_read(struct bcm_iproc_i2c_dev *iproc_i2c) +@@ -420,48 +438,6 @@ static bool bcm_iproc_i2c_slave_isr(struct bcm_iproc_i2c_dev *iproc_i2c, + u32 val; + u8 value; + +- /* +- * Slave events in case of master-write, master-write-read and, +- * master-read +- * +- * Master-write : only IS_S_RX_EVENT_SHIFT event +- * Master-write-read: both IS_S_RX_EVENT_SHIFT and IS_S_RD_EVENT_SHIFT +- * events +- * Master-read : both IS_S_RX_EVENT_SHIFT and IS_S_RD_EVENT_SHIFT +- * events or only IS_S_RD_EVENT_SHIFT +- * +- * iproc has a slave rx fifo size of 64 bytes. Rx fifo full interrupt +- * (IS_S_RX_FIFO_FULL_SHIFT) will be generated when RX fifo becomes +- * full. This can happen if Master issues write requests of more than +- * 64 bytes. +- */ +- if (status & BIT(IS_S_RX_EVENT_SHIFT) || +- status & BIT(IS_S_RD_EVENT_SHIFT) || +- status & BIT(IS_S_RX_FIFO_FULL_SHIFT)) { +- /* disable slave interrupts */ +- val = iproc_i2c_rd_reg(iproc_i2c, IE_OFFSET); +- val &= ~iproc_i2c->slave_int_mask; +- iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, val); +- +- if (status & BIT(IS_S_RD_EVENT_SHIFT)) +- /* Master-write-read request */ +- iproc_i2c->slave_rx_only = false; +- else +- /* Master-write request only */ +- iproc_i2c->slave_rx_only = true; +- +- /* schedule tasklet to read data later */ +- tasklet_schedule(&iproc_i2c->slave_rx_tasklet); +- +- /* +- * clear only IS_S_RX_EVENT_SHIFT and +- * IS_S_RX_FIFO_FULL_SHIFT interrupt. +- */ +- val = BIT(IS_S_RX_EVENT_SHIFT); +- if (status & BIT(IS_S_RX_FIFO_FULL_SHIFT)) +- val |= BIT(IS_S_RX_FIFO_FULL_SHIFT); +- iproc_i2c_wr_reg(iproc_i2c, IS_OFFSET, val); +- } + + if (status & BIT(IS_S_TX_UNDERRUN_SHIFT)) { + iproc_i2c->tx_underrun++; +@@ -493,8 +469,9 @@ static bool bcm_iproc_i2c_slave_isr(struct bcm_iproc_i2c_dev *iproc_i2c, + * less than PKT_LENGTH bytes were output on the SMBUS + */ + iproc_i2c->slave_int_mask &= ~BIT(IE_S_TX_UNDERRUN_SHIFT); +- iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, +- iproc_i2c->slave_int_mask); ++ val = iproc_i2c_rd_reg(iproc_i2c, IE_OFFSET); ++ val &= ~BIT(IE_S_TX_UNDERRUN_SHIFT); ++ iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, val); + + /* End of SMBUS for Master Read */ + val = BIT(S_TX_WR_STATUS_SHIFT); +@@ -515,9 +492,49 @@ static bool bcm_iproc_i2c_slave_isr(struct bcm_iproc_i2c_dev *iproc_i2c, + BIT(IS_S_START_BUSY_SHIFT)); + } + +- /* check slave transmit status only if slave is transmitting */ +- if (!iproc_i2c->slave_rx_only) +- bcm_iproc_i2c_check_slave_status(iproc_i2c); ++ /* if the controller has been reset, immediately return from the ISR */ ++ if (bcm_iproc_i2c_check_slave_status(iproc_i2c, status)) ++ return true; ++ ++ /* ++ * Slave events in case of master-write, master-write-read and, ++ * master-read ++ * ++ * Master-write : only IS_S_RX_EVENT_SHIFT event ++ * Master-write-read: both IS_S_RX_EVENT_SHIFT and IS_S_RD_EVENT_SHIFT ++ * events ++ * Master-read : both IS_S_RX_EVENT_SHIFT and IS_S_RD_EVENT_SHIFT ++ * events or only IS_S_RD_EVENT_SHIFT ++ * ++ * iproc has a slave rx fifo size of 64 bytes. Rx fifo full interrupt ++ * (IS_S_RX_FIFO_FULL_SHIFT) will be generated when RX fifo becomes ++ * full. This can happen if Master issues write requests of more than ++ * 64 bytes. ++ */ ++ if (status & BIT(IS_S_RX_EVENT_SHIFT) || ++ status & BIT(IS_S_RD_EVENT_SHIFT) || ++ status & BIT(IS_S_RX_FIFO_FULL_SHIFT)) { ++ /* disable slave interrupts */ ++ val = iproc_i2c_rd_reg(iproc_i2c, IE_OFFSET); ++ val &= ~iproc_i2c->slave_int_mask; ++ iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, val); ++ ++ if (status & BIT(IS_S_RD_EVENT_SHIFT)) ++ /* Master-write-read request */ ++ iproc_i2c->slave_rx_only = false; ++ else ++ /* Master-write request only */ ++ iproc_i2c->slave_rx_only = true; ++ ++ /* schedule tasklet to read data later */ ++ tasklet_schedule(&iproc_i2c->slave_rx_tasklet); ++ ++ /* clear IS_S_RX_FIFO_FULL_SHIFT interrupt */ ++ if (status & BIT(IS_S_RX_FIFO_FULL_SHIFT)) { ++ val = BIT(IS_S_RX_FIFO_FULL_SHIFT); ++ iproc_i2c_wr_reg(iproc_i2c, IS_OFFSET, val); ++ } ++ } + + return true; + } +-- +2.42.0 + diff --git a/queue-6.6/ice-fix-sriov-lag-disable-on-non-compliant-aggregate.patch b/queue-6.6/ice-fix-sriov-lag-disable-on-non-compliant-aggregate.patch new file mode 100644 index 00000000000..700dc800a9b --- /dev/null +++ b/queue-6.6/ice-fix-sriov-lag-disable-on-non-compliant-aggregate.patch @@ -0,0 +1,56 @@ +From 8574d4ad2a30d2bc7c5f24dd2314db39319bca73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 10:32:15 -0700 +Subject: ice: Fix SRIOV LAG disable on non-compliant aggregate + +From: Dave Ertman + +[ Upstream commit 3e39da4fa16c9c09207d98b8a86a6f6436b531c9 ] + +If an attribute of an aggregate interface disqualifies it from supporting +SRIOV, the driver will unwind the SRIOV support. Currently the driver is +clearing the feature bit for all interfaces in the aggregate, but this is +not allowing the other interfaces to unwind successfully on driver unload. + +Only clear the feature bit for the interface that is currently unwinding. + +Fixes: bf65da2eb279 ("ice: enforce interface eligibility and add messaging for SRIOV LAG") +Signed-off-by: Dave Ertman +Reviewed-by: Wojciech Drewek +Reviewed-by: Simon Horman +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lag.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lag.c b/drivers/net/ethernet/intel/ice/ice_lag.c +index 7b1256992dcf6..a8da5f8374451 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lag.c ++++ b/drivers/net/ethernet/intel/ice/ice_lag.c +@@ -1529,18 +1529,12 @@ static void ice_lag_chk_disabled_bond(struct ice_lag *lag, void *ptr) + */ + static void ice_lag_disable_sriov_bond(struct ice_lag *lag) + { +- struct ice_lag_netdev_list *entry; + struct ice_netdev_priv *np; +- struct net_device *netdev; + struct ice_pf *pf; + +- list_for_each_entry(entry, lag->netdev_head, node) { +- netdev = entry->netdev; +- np = netdev_priv(netdev); +- pf = np->vsi->back; +- +- ice_clear_feature_support(pf, ICE_F_SRIOV_LAG); +- } ++ np = netdev_priv(lag->netdev); ++ pf = np->vsi->back; ++ ice_clear_feature_support(pf, ICE_F_SRIOV_LAG); + } + + /** +-- +2.42.0 + diff --git a/queue-6.6/ice-fix-vf-vf-direction-matching-in-drop-rule-in-swi.patch b/queue-6.6/ice-fix-vf-vf-direction-matching-in-drop-rule-in-swi.patch new file mode 100644 index 00000000000..0a7b885b8da --- /dev/null +++ b/queue-6.6/ice-fix-vf-vf-direction-matching-in-drop-rule-in-swi.patch @@ -0,0 +1,73 @@ +From bcd4d8892fb553de77286e9a1558b93aa4cc13c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 16:47:24 +0200 +Subject: ice: Fix VF-VF direction matching in drop rule in switchdev + +From: Marcin Szycik + +[ Upstream commit 68c51db3a16d258e730dd1c04a1de2f7ab038ddf ] + +When adding a drop rule on a VF, rule direction is not being set, which +results in it always being set to ingress (ICE_ESWITCH_FLTR_INGRESS +equals 0). Because of this, drop rules added on port representors don't +match any packets. + +To fix it, set rule direction in drop action to egress when netdev is a +port representor, otherwise set it to ingress. + +Fixes: 0960a27bd479 ("ice: Add direction metadata") +Reviewed-by: Michal Swiatkowski +Signed-off-by: Marcin Szycik +Tested-by: Sujai Buvaneswaran +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_tc_lib.c | 24 ++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +index 0e75fc6b3c060..dd03cb69ad26b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +@@ -670,6 +670,25 @@ static int ice_tc_setup_redirect_action(struct net_device *filter_dev, + return 0; + } + ++static int ++ice_tc_setup_drop_action(struct net_device *filter_dev, ++ struct ice_tc_flower_fltr *fltr) ++{ ++ fltr->action.fltr_act = ICE_DROP_PACKET; ++ ++ if (ice_is_port_repr_netdev(filter_dev)) { ++ fltr->direction = ICE_ESWITCH_FLTR_EGRESS; ++ } else if (ice_tc_is_dev_uplink(filter_dev)) { ++ fltr->direction = ICE_ESWITCH_FLTR_INGRESS; ++ } else { ++ NL_SET_ERR_MSG_MOD(fltr->extack, ++ "Unsupported netdevice in switchdev mode"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int ice_eswitch_tc_parse_action(struct net_device *filter_dev, + struct ice_tc_flower_fltr *fltr, + struct flow_action_entry *act) +@@ -678,7 +697,10 @@ static int ice_eswitch_tc_parse_action(struct net_device *filter_dev, + + switch (act->id) { + case FLOW_ACTION_DROP: +- fltr->action.fltr_act = ICE_DROP_PACKET; ++ err = ice_tc_setup_drop_action(filter_dev, fltr); ++ if (err) ++ return err; ++ + break; + + case FLOW_ACTION_REDIRECT: +-- +2.42.0 + diff --git a/queue-6.6/ice-fix-vf-vf-filter-rules-in-switchdev-mode.patch b/queue-6.6/ice-fix-vf-vf-filter-rules-in-switchdev-mode.patch new file mode 100644 index 00000000000..5b6846b3afe --- /dev/null +++ b/queue-6.6/ice-fix-vf-vf-filter-rules-in-switchdev-mode.patch @@ -0,0 +1,191 @@ +From 083036d86621b1cb597720379ba67e1dc2169f81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 19:13:42 +0530 +Subject: ice: Fix VF-VF filter rules in switchdev mode + +From: Aniruddha Paul + +[ Upstream commit 8b3c8c55ccbc02920b0ae6601c66df24f0d833bd ] + +Any packet leaving VSI i.e VF's VSI is considered as +egress traffic by HW, thus failing to match the added +rule. + +Mark the direction for redirect rules as below: +1. VF-VF - Egress +2. Uplink-VF - Ingress +3. VF-Uplink - Egress +4. Link_Partner-Uplink - Ingress +5. Link_Partner-VF - Ingress + +Fixes: 0960a27bd479 ("ice: Add direction metadata") +Reviewed-by: Przemek Kitszel +Reviewed-by: Wojciech Drewek +Signed-off-by: Aniruddha Paul +Tested-by: Sujai Buvaneswaran +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_tc_lib.c | 90 ++++++++++++++------- + 1 file changed, 62 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +index 37b54db91df27..0e75fc6b3c060 100644 +--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c +@@ -630,32 +630,61 @@ bool ice_is_tunnel_supported(struct net_device *dev) + return ice_tc_tun_get_type(dev) != TNL_LAST; + } + +-static int +-ice_eswitch_tc_parse_action(struct ice_tc_flower_fltr *fltr, +- struct flow_action_entry *act) ++static bool ice_tc_is_dev_uplink(struct net_device *dev) ++{ ++ return netif_is_ice(dev) || ice_is_tunnel_supported(dev); ++} ++ ++static int ice_tc_setup_redirect_action(struct net_device *filter_dev, ++ struct ice_tc_flower_fltr *fltr, ++ struct net_device *target_dev) + { + struct ice_repr *repr; + ++ fltr->action.fltr_act = ICE_FWD_TO_VSI; ++ ++ if (ice_is_port_repr_netdev(filter_dev) && ++ ice_is_port_repr_netdev(target_dev)) { ++ repr = ice_netdev_to_repr(target_dev); ++ ++ fltr->dest_vsi = repr->src_vsi; ++ fltr->direction = ICE_ESWITCH_FLTR_EGRESS; ++ } else if (ice_is_port_repr_netdev(filter_dev) && ++ ice_tc_is_dev_uplink(target_dev)) { ++ repr = ice_netdev_to_repr(filter_dev); ++ ++ fltr->dest_vsi = repr->src_vsi->back->switchdev.uplink_vsi; ++ fltr->direction = ICE_ESWITCH_FLTR_EGRESS; ++ } else if (ice_tc_is_dev_uplink(filter_dev) && ++ ice_is_port_repr_netdev(target_dev)) { ++ repr = ice_netdev_to_repr(target_dev); ++ ++ fltr->dest_vsi = repr->src_vsi; ++ fltr->direction = ICE_ESWITCH_FLTR_INGRESS; ++ } else { ++ NL_SET_ERR_MSG_MOD(fltr->extack, ++ "Unsupported netdevice in switchdev mode"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ ++static int ice_eswitch_tc_parse_action(struct net_device *filter_dev, ++ struct ice_tc_flower_fltr *fltr, ++ struct flow_action_entry *act) ++{ ++ int err; ++ + switch (act->id) { + case FLOW_ACTION_DROP: + fltr->action.fltr_act = ICE_DROP_PACKET; + break; + + case FLOW_ACTION_REDIRECT: +- fltr->action.fltr_act = ICE_FWD_TO_VSI; +- +- if (ice_is_port_repr_netdev(act->dev)) { +- repr = ice_netdev_to_repr(act->dev); +- +- fltr->dest_vsi = repr->src_vsi; +- fltr->direction = ICE_ESWITCH_FLTR_INGRESS; +- } else if (netif_is_ice(act->dev) || +- ice_is_tunnel_supported(act->dev)) { +- fltr->direction = ICE_ESWITCH_FLTR_EGRESS; +- } else { +- NL_SET_ERR_MSG_MOD(fltr->extack, "Unsupported netdevice in switchdev mode"); +- return -EINVAL; +- } ++ err = ice_tc_setup_redirect_action(filter_dev, fltr, act->dev); ++ if (err) ++ return err; + + break; + +@@ -696,10 +725,6 @@ ice_eswitch_add_tc_fltr(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr) + goto exit; + } + +- /* egress traffic is always redirect to uplink */ +- if (fltr->direction == ICE_ESWITCH_FLTR_EGRESS) +- fltr->dest_vsi = vsi->back->switchdev.uplink_vsi; +- + rule_info.sw_act.fltr_act = fltr->action.fltr_act; + if (fltr->action.fltr_act != ICE_DROP_PACKET) + rule_info.sw_act.vsi_handle = fltr->dest_vsi->idx; +@@ -713,13 +738,21 @@ ice_eswitch_add_tc_fltr(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr) + rule_info.flags_info.act_valid = true; + + if (fltr->direction == ICE_ESWITCH_FLTR_INGRESS) { ++ /* Uplink to VF */ + rule_info.sw_act.flag |= ICE_FLTR_RX; + rule_info.sw_act.src = hw->pf_id; + rule_info.flags_info.act = ICE_SINGLE_ACT_LB_ENABLE; +- } else { ++ } else if (fltr->direction == ICE_ESWITCH_FLTR_EGRESS && ++ fltr->dest_vsi == vsi->back->switchdev.uplink_vsi) { ++ /* VF to Uplink */ + rule_info.sw_act.flag |= ICE_FLTR_TX; + rule_info.sw_act.src = vsi->idx; + rule_info.flags_info.act = ICE_SINGLE_ACT_LAN_ENABLE; ++ } else { ++ /* VF to VF */ ++ rule_info.sw_act.flag |= ICE_FLTR_TX; ++ rule_info.sw_act.src = vsi->idx; ++ rule_info.flags_info.act = ICE_SINGLE_ACT_LB_ENABLE; + } + + /* specify the cookie as filter_rule_id */ +@@ -1745,16 +1778,17 @@ ice_tc_parse_action(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr, + + /** + * ice_parse_tc_flower_actions - Parse the actions for a TC filter ++ * @filter_dev: Pointer to device on which filter is being added + * @vsi: Pointer to VSI + * @cls_flower: Pointer to TC flower offload structure + * @fltr: Pointer to TC flower filter structure + * + * Parse the actions for a TC filter + */ +-static int +-ice_parse_tc_flower_actions(struct ice_vsi *vsi, +- struct flow_cls_offload *cls_flower, +- struct ice_tc_flower_fltr *fltr) ++static int ice_parse_tc_flower_actions(struct net_device *filter_dev, ++ struct ice_vsi *vsi, ++ struct flow_cls_offload *cls_flower, ++ struct ice_tc_flower_fltr *fltr) + { + struct flow_rule *rule = flow_cls_offload_flow_rule(cls_flower); + struct flow_action *flow_action = &rule->action; +@@ -1769,7 +1803,7 @@ ice_parse_tc_flower_actions(struct ice_vsi *vsi, + + flow_action_for_each(i, act, flow_action) { + if (ice_is_eswitch_mode_switchdev(vsi->back)) +- err = ice_eswitch_tc_parse_action(fltr, act); ++ err = ice_eswitch_tc_parse_action(filter_dev, fltr, act); + else + err = ice_tc_parse_action(vsi, fltr, act); + if (err) +@@ -1856,7 +1890,7 @@ ice_add_tc_fltr(struct net_device *netdev, struct ice_vsi *vsi, + if (err < 0) + goto err; + +- err = ice_parse_tc_flower_actions(vsi, f, fltr); ++ err = ice_parse_tc_flower_actions(netdev, vsi, f, fltr); + if (err < 0) + goto err; + +-- +2.42.0 + diff --git a/queue-6.6/ice-lag-in-rcu-use-atomic-allocation.patch b/queue-6.6/ice-lag-in-rcu-use-atomic-allocation.patch new file mode 100644 index 00000000000..bd6dfbd48e7 --- /dev/null +++ b/queue-6.6/ice-lag-in-rcu-use-atomic-allocation.patch @@ -0,0 +1,59 @@ +From 926525f9df4a0876001dbac27ae8811c21479ed7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 12:59:53 +0200 +Subject: ice: lag: in RCU, use atomic allocation + +From: Michal Schmidt + +[ Upstream commit e1db8c2a01d7e12bd566106fbeefa3c5cccd2003 ] + +Sleeping is not allowed in RCU read-side critical sections. +Use atomic allocations under rcu_read_lock. + +Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface") +Fixes: 41ccedf5ca8f ("ice: implement lag netdev event handler") +Fixes: 3579aa86fb40 ("ice: update reset path for SRIOV LAG support") +Signed-off-by: Michal Schmidt +Reviewed-by: Wojciech Drewek +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lag.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lag.c b/drivers/net/ethernet/intel/ice/ice_lag.c +index a8da5f8374451..fb40ad98e6aad 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lag.c ++++ b/drivers/net/ethernet/intel/ice/ice_lag.c +@@ -595,7 +595,7 @@ void ice_lag_move_new_vf_nodes(struct ice_vf *vf) + INIT_LIST_HEAD(&ndlist.node); + rcu_read_lock(); + for_each_netdev_in_bond_rcu(lag->upper_netdev, tmp_nd) { +- nl = kzalloc(sizeof(*nl), GFP_KERNEL); ++ nl = kzalloc(sizeof(*nl), GFP_ATOMIC); + if (!nl) + break; + +@@ -1666,7 +1666,7 @@ ice_lag_event_handler(struct notifier_block *notif_blk, unsigned long event, + + rcu_read_lock(); + for_each_netdev_in_bond_rcu(upper_netdev, tmp_nd) { +- nd_list = kzalloc(sizeof(*nd_list), GFP_KERNEL); ++ nd_list = kzalloc(sizeof(*nd_list), GFP_ATOMIC); + if (!nd_list) + break; + +@@ -2040,7 +2040,7 @@ void ice_lag_rebuild(struct ice_pf *pf) + INIT_LIST_HEAD(&ndlist.node); + rcu_read_lock(); + for_each_netdev_in_bond_rcu(lag->upper_netdev, tmp_nd) { +- nl = kzalloc(sizeof(*nl), GFP_KERNEL); ++ nl = kzalloc(sizeof(*nl), GFP_ATOMIC); + if (!nl) + break; + +-- +2.42.0 + diff --git a/queue-6.6/inet-shrink-struct-flowi_common.patch b/queue-6.6/inet-shrink-struct-flowi_common.patch new file mode 100644 index 00000000000..acbc2d64747 --- /dev/null +++ b/queue-6.6/inet-shrink-struct-flowi_common.patch @@ -0,0 +1,44 @@ +From 276e70d6dc5b22a326a29ece54464b60351ec716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 14:10:37 +0000 +Subject: inet: shrink struct flowi_common + +From: Eric Dumazet + +[ Upstream commit 1726483b79a72e0150734d5367e4a0238bf8fcff ] + +I am looking at syzbot reports triggering kernel stack overflows +involving a cascade of ipvlan devices. + +We can save 8 bytes in struct flowi_common. + +This patch alone will not fix the issue, but is a start. + +Fixes: 24ba14406c5c ("route: Add multipath_hash in flowi_common to make user-define hash") +Signed-off-by: Eric Dumazet +Cc: wenxu +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20231025141037.3448203-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/flow.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/flow.h b/include/net/flow.h +index 7f0adda3bf2fe..335bbc52171c1 100644 +--- a/include/net/flow.h ++++ b/include/net/flow.h +@@ -40,8 +40,8 @@ struct flowi_common { + #define FLOWI_FLAG_KNOWN_NH 0x02 + __u32 flowic_secid; + kuid_t flowic_uid; +- struct flowi_tunnel flowic_tun_key; + __u32 flowic_multipath_hash; ++ struct flowi_tunnel flowic_tun_key; + }; + + union flowi_uli { +-- +2.42.0 + diff --git a/queue-6.6/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch b/queue-6.6/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch new file mode 100644 index 00000000000..56169a9bd56 --- /dev/null +++ b/queue-6.6/input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch @@ -0,0 +1,43 @@ +From aa6075cde8f843795acb3d79175470093bcf6b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Oct 2023 02:53:36 +0000 +Subject: Input: synaptics-rmi4 - fix use after free in + rmi_unregister_function() + +From: Dan Carpenter + +[ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ] + +The put_device() calls rmi_release_function() which frees "fn" so the +dereference on the next line "fn->num_of_irqs" is a use after free. +Move the put_device() to the end to fix this. + +Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c +index f2e093b0b9982..1b45b1d3077de 100644 +--- a/drivers/input/rmi4/rmi_bus.c ++++ b/drivers/input/rmi4/rmi_bus.c +@@ -277,11 +277,11 @@ void rmi_unregister_function(struct rmi_function *fn) + + device_del(&fn->dev); + of_node_put(fn->dev.of_node); +- put_device(&fn->dev); + + for (i = 0; i < fn->num_of_irqs; i++) + irq_dispose_mapping(fn->irq[i]); + ++ put_device(&fn->dev); + } + + /** +-- +2.42.0 + diff --git a/queue-6.6/llc-verify-mac-len-before-reading-mac-header.patch b/queue-6.6/llc-verify-mac-len-before-reading-mac-header.patch new file mode 100644 index 00000000000..7582b7aa8c1 --- /dev/null +++ b/queue-6.6/llc-verify-mac-len-before-reading-mac-header.patch @@ -0,0 +1,113 @@ +From 19dd16f45eefddd5b5b92797b727a7156c54806e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 19:42:38 -0400 +Subject: llc: verify mac len before reading mac header + +From: Willem de Bruijn + +[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ] + +LLC reads the mac header with eth_hdr without verifying that the skb +has an Ethernet header. + +Syzbot was able to enter llc_rcv on a tun device. Tun can insert +packets without mac len and with user configurable skb->protocol +(passing a tun_pi header when not configuring IFF_NO_PI). + + BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 + __netif_receive_skb_one_core net/core/dev.c:5523 [inline] + __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 + netif_receive_skb_internal net/core/dev.c:5723 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5782 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 + tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 + +Add a mac_len test before all three eth_hdr(skb) calls under net/llc. + +There are further uses in include/net/llc_pdu.h. All these are +protected by a test skb->protocol == ETH_P_802_2. Which does not +protect against this tun scenario. + +But the mac_len test added in this patch in llc_fixup_skb will +indirectly protect those too. That is called from llc_rcv before any +other LLC code. + +It is tempting to just add a blanket mac_len check in llc_rcv, but +not sure whether that could break valid LLC paths that do not assume +an Ethernet header. 802.2 LLC may be used on top of non-802.3 +protocols in principle. The below referenced commit shows that used +to, on top of Token Ring. + +At least one of the three eth_hdr uses goes back to before the start +of git history. But the one that syzbot exercises is introduced in +this commit. That commit is old enough (2008), that effectively all +stable kernels should receive this. + +Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses") +Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 10 ++++++++-- + net/llc/llc_s_ac.c | 3 +++ + net/llc/llc_station.c | 3 +++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index 7cac441862e21..51bccfb00a9cd 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -127,8 +127,14 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + skb->transport_header += llc_len; + skb_pull(skb, llc_len); + if (skb->protocol == htons(ETH_P_802_2)) { +- __be16 pdulen = eth_hdr(skb)->h_proto; +- s32 data_size = ntohs(pdulen) - llc_len; ++ __be16 pdulen; ++ s32 data_size; ++ ++ if (skb->mac_len < ETH_HLEN) ++ return 0; ++ ++ pdulen = eth_hdr(skb)->h_proto; ++ data_size = ntohs(pdulen) - llc_len; + + if (data_size < 0 || + !pskb_may_pull(skb, data_size)) +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 79d1cef8f15a9..06fb8e6944b06 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -153,6 +153,9 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb) + int rc = 1; + u32 data_size; + ++ if (skb->mac_len < ETH_HLEN) ++ return 1; ++ + llc_pdu_decode_sa(skb, mac_da); + llc_pdu_decode_da(skb, mac_sa); + llc_pdu_decode_ssap(skb, &dsap); +diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c +index 05c6ae0920534..f506542925109 100644 +--- a/net/llc/llc_station.c ++++ b/net/llc/llc_station.c +@@ -76,6 +76,9 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb) + u32 data_size; + struct sk_buff *nskb; + ++ if (skb->mac_len < ETH_HLEN) ++ goto out; ++ + /* The test request command is type U (llc_len = 3) */ + data_size = ntohs(eth_hdr(skb)->h_proto) - 3; + nskb = llc_alloc_frame(NULL, skb->dev, LLC_PDU_TYPE_U, data_size); +-- +2.42.0 + diff --git a/queue-6.6/nbd-fix-uaf-in-nbd_open.patch b/queue-6.6/nbd-fix-uaf-in-nbd_open.patch new file mode 100644 index 00000000000..7f0fcca6f6a --- /dev/null +++ b/queue-6.6/nbd-fix-uaf-in-nbd_open.patch @@ -0,0 +1,73 @@ +From 9bfd87e640f47cc5f94621ccce8174f9451c39e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 18:34:35 +0800 +Subject: nbd: fix uaf in nbd_open + +From: Li Lingfeng + +[ Upstream commit 327462725b0f759f093788dfbcb2f1fd132f956b ] + +Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and +blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set +disk->private_data as NULL as before. UAF may be triggered in nbd_open() +if someone tries to open nbd device right after nbd_put() since nbd has +been free in nbd_dev_remove(). + +Fix this by implementing ->free_disk and free private data in it. + +Fixes: 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") +Signed-off-by: Li Lingfeng +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20231107103435.2074904-1-lilingfeng@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 800f131222fc8..855fdf5c3b4ea 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -250,7 +250,6 @@ static void nbd_dev_remove(struct nbd_device *nbd) + struct gendisk *disk = nbd->disk; + + del_gendisk(disk); +- put_disk(disk); + blk_mq_free_tag_set(&nbd->tag_set); + + /* +@@ -261,7 +260,7 @@ static void nbd_dev_remove(struct nbd_device *nbd) + idr_remove(&nbd_index_idr, nbd->index); + mutex_unlock(&nbd_index_mutex); + destroy_workqueue(nbd->recv_workq); +- kfree(nbd); ++ put_disk(disk); + } + + static void nbd_dev_remove_work(struct work_struct *work) +@@ -1608,6 +1607,13 @@ static void nbd_release(struct gendisk *disk) + nbd_put(nbd); + } + ++static void nbd_free_disk(struct gendisk *disk) ++{ ++ struct nbd_device *nbd = disk->private_data; ++ ++ kfree(nbd); ++} ++ + static const struct block_device_operations nbd_fops = + { + .owner = THIS_MODULE, +@@ -1615,6 +1621,7 @@ static const struct block_device_operations nbd_fops = + .release = nbd_release, + .ioctl = nbd_ioctl, + .compat_ioctl = nbd_ioctl, ++ .free_disk = nbd_free_disk, + }; + + #if IS_ENABLED(CONFIG_DEBUG_FS) +-- +2.42.0 + diff --git a/queue-6.6/net-enetc-shorten-enetc_setup_xdp_prog-error-message.patch b/queue-6.6/net-enetc-shorten-enetc_setup_xdp_prog-error-message.patch new file mode 100644 index 00000000000..82f252830e7 --- /dev/null +++ b/queue-6.6/net-enetc-shorten-enetc_setup_xdp_prog-error-message.patch @@ -0,0 +1,47 @@ +From 72fde1c7c39c2b8dc93c504d82b0024cac5f6253 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Nov 2023 18:03:11 +0200 +Subject: net: enetc: shorten enetc_setup_xdp_prog() error message to fit + NETLINK_MAX_FMTMSG_LEN + +From: Vladimir Oltean + +[ Upstream commit f968c56417f00be4cb62eadeed042a1e3c80dc53 ] + +NETLINK_MAX_FMTMSG_LEN is currently hardcoded to 80, and we provide an +error printf-formatted string having 96 characters including the +terminating \0. Assuming each %d (representing a queue) gets replaced by +a number having at most 2 digits (a reasonable assumption), the final +string is also 96 characters wide, which is too much. + +Reduce the verbiage a bit by removing some (partially) redundant words, +which makes the new printf-formatted string be 73 characters wide with +the trailing newline. + +Fixes: 800db2d125c2 ("net: enetc: ensure we always have a minimum number of TXQs for stack") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/lkml/202311061336.4dsWMT1h-lkp@intel.com/ +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20231106160311.616118-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index 35461165de0d2..b92e3aa7cd041 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2769,7 +2769,7 @@ static int enetc_setup_xdp_prog(struct net_device *ndev, struct bpf_prog *prog, + if (priv->min_num_stack_tx_queues + num_xdp_tx_queues > + priv->num_tx_rings) { + NL_SET_ERR_MSG_FMT_MOD(extack, +- "Reserving %d XDP TXQs does not leave a minimum of %d TXQs for network stack (total %d available)", ++ "Reserving %d XDP TXQs does not leave a minimum of %d for stack (total %d)", + num_xdp_tx_queues, + priv->min_num_stack_tx_queues, + priv->num_tx_rings); +-- +2.42.0 + diff --git a/queue-6.6/net-page_pool-add-missing-free_percpu-when-page_pool.patch b/queue-6.6/net-page_pool-add-missing-free_percpu-when-page_pool.patch new file mode 100644 index 00000000000..c4fb43ec56a --- /dev/null +++ b/queue-6.6/net-page_pool-add-missing-free_percpu-when-page_pool.patch @@ -0,0 +1,48 @@ +From 169c8cd2011279bf9f7c4f4ab1b97f3bc34f2b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 17:12:56 +0800 +Subject: net: page_pool: add missing free_percpu when page_pool_init fail + +From: Jian Shen + +[ Upstream commit 8ffbd1669ed1d58939d6e878dffaa2f60bf961a4 ] + +When ptr_ring_init() returns failure in page_pool_init(), free_percpu() +is not called to free pool->recycle_stats, which may cause memory +leak. + +Fixes: ad6fa1e1ab1b ("page_pool: Add recycle stats") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Reviewed-by: Yunsheng Lin +Reviewed-by: Jiri Pirko +Reviewed-by: Somnath Kotur +Reviewed-by: Ilias Apalodimas +Link: https://lore.kernel.org/r/20231030091256.2915394-1-shaojijie@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/page_pool.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/core/page_pool.c b/net/core/page_pool.c +index 77cb75e63aca1..31f923e7b5c40 100644 +--- a/net/core/page_pool.c ++++ b/net/core/page_pool.c +@@ -221,8 +221,12 @@ static int page_pool_init(struct page_pool *pool, + return -ENOMEM; + #endif + +- if (ptr_ring_init(&pool->ring, ring_qsize, GFP_KERNEL) < 0) ++ if (ptr_ring_init(&pool->ring, ring_qsize, GFP_KERNEL) < 0) { ++#ifdef CONFIG_PAGE_POOL_STATS ++ free_percpu(pool->recycle_stats); ++#endif + return -ENOMEM; ++ } + + atomic_set(&pool->pages_state_release_cnt, 0); + +-- +2.42.0 + diff --git a/queue-6.6/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch b/queue-6.6/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch new file mode 100644 index 00000000000..c406711d06a --- /dev/null +++ b/queue-6.6/net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch @@ -0,0 +1,43 @@ +From 421d834aeb0d88c32966fed0af664a87dd5c73d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 16:50:14 -0400 +Subject: net: r8169: Disable multicast filter for RTL8168H and RTL8107E + +From: Patrick Thompson + +[ Upstream commit efa5f1311c4998e9e6317c52bc5ee93b3a0f36df ] + +RTL8168H and RTL8107E ethernet adapters erroneously filter unicast +eapol packets unless allmulti is enabled. These devices correspond to +RTL_GIGA_MAC_VER_46 and VER_48. Add an exception for VER_46 and VER_48 +in the same way that VER_35 has an exception. + +Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E") +Signed-off-by: Patrick Thompson +Reviewed-by: Jacob Keller +Reviewed-by: Heiner Kallweit +Link: https://lore.kernel.org/r/20231030205031.177855-1-ptf@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index a987defb575cf..4b8251cdb4363 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2584,7 +2584,9 @@ static void rtl_set_rx_mode(struct net_device *dev) + rx_mode |= AcceptAllPhys; + } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT || + dev->flags & IFF_ALLMULTI || +- tp->mac_version == RTL_GIGA_MAC_VER_35) { ++ tp->mac_version == RTL_GIGA_MAC_VER_35 || ++ tp->mac_version == RTL_GIGA_MAC_VER_46 || ++ tp->mac_version == RTL_GIGA_MAC_VER_48) { + /* accept all multicasts */ + } else if (netdev_mc_empty(dev)) { + rx_mode &= ~AcceptMulticast; +-- +2.42.0 + diff --git a/queue-6.6/net-sched-act_ct-always-fill-offloading-tuple-iifidx.patch b/queue-6.6/net-sched-act_ct-always-fill-offloading-tuple-iifidx.patch new file mode 100644 index 00000000000..e96c0fdd3a0 --- /dev/null +++ b/queue-6.6/net-sched-act_ct-always-fill-offloading-tuple-iifidx.patch @@ -0,0 +1,147 @@ +From 54d132db57c16b6cf4c7eea61f8a56e45a28e886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 16:14:10 +0100 +Subject: net/sched: act_ct: Always fill offloading tuple iifidx + +From: Vlad Buslov + +[ Upstream commit 9bc64bd0cd765f696fcd40fc98909b1f7c73b2ba ] + +Referenced commit doesn't always set iifidx when offloading the flow to +hardware. Fix the following cases: + +- nf_conn_act_ct_ext_fill() is called before extension is created with +nf_conn_act_ct_ext_add() in tcf_ct_act(). This can cause rule offload with +unspecified iifidx when connection is offloaded after only single +original-direction packet has been processed by tc data path. Always fill +the new nf_conn_act_ct_ext instance after creating it in +nf_conn_act_ct_ext_add(). + +- Offloading of unidirectional UDP NEW connections is now supported, but ct +flow iifidx field is not updated when connection is promoted to +bidirectional which can result reply-direction iifidx to be zero when +refreshing the connection. Fill in the extension and update flow iifidx +before calling flow_offload_refresh(). + +Fixes: 9795ded7f924 ("net/sched: act_ct: Fill offloading tuple iifidx") +Reviewed-by: Paul Blakey +Signed-off-by: Vlad Buslov +Reviewed-by: Simon Horman +Fixes: 6a9bad0069cf ("net/sched: act_ct: offload UDP NEW connections") +Link: https://lore.kernel.org/r/20231103151410.764271-1-vladbu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack_act_ct.h | 30 ++++++++++++--------- + net/openvswitch/conntrack.c | 2 +- + net/sched/act_ct.c | 15 ++++++++++- + 3 files changed, 32 insertions(+), 15 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack_act_ct.h b/include/net/netfilter/nf_conntrack_act_ct.h +index 078d3c52c03f9..e5f2f0b73a9a0 100644 +--- a/include/net/netfilter/nf_conntrack_act_ct.h ++++ b/include/net/netfilter/nf_conntrack_act_ct.h +@@ -20,7 +20,22 @@ static inline struct nf_conn_act_ct_ext *nf_conn_act_ct_ext_find(const struct nf + #endif + } + +-static inline struct nf_conn_act_ct_ext *nf_conn_act_ct_ext_add(struct nf_conn *ct) ++static inline void nf_conn_act_ct_ext_fill(struct sk_buff *skb, struct nf_conn *ct, ++ enum ip_conntrack_info ctinfo) ++{ ++#if IS_ENABLED(CONFIG_NET_ACT_CT) ++ struct nf_conn_act_ct_ext *act_ct_ext; ++ ++ act_ct_ext = nf_conn_act_ct_ext_find(ct); ++ if (dev_net(skb->dev) == &init_net && act_ct_ext) ++ act_ct_ext->ifindex[CTINFO2DIR(ctinfo)] = skb->dev->ifindex; ++#endif ++} ++ ++static inline struct ++nf_conn_act_ct_ext *nf_conn_act_ct_ext_add(struct sk_buff *skb, ++ struct nf_conn *ct, ++ enum ip_conntrack_info ctinfo) + { + #if IS_ENABLED(CONFIG_NET_ACT_CT) + struct nf_conn_act_ct_ext *act_ct = nf_ct_ext_find(ct, NF_CT_EXT_ACT_CT); +@@ -29,22 +44,11 @@ static inline struct nf_conn_act_ct_ext *nf_conn_act_ct_ext_add(struct nf_conn * + return act_ct; + + act_ct = nf_ct_ext_add(ct, NF_CT_EXT_ACT_CT, GFP_ATOMIC); ++ nf_conn_act_ct_ext_fill(skb, ct, ctinfo); + return act_ct; + #else + return NULL; + #endif + } + +-static inline void nf_conn_act_ct_ext_fill(struct sk_buff *skb, struct nf_conn *ct, +- enum ip_conntrack_info ctinfo) +-{ +-#if IS_ENABLED(CONFIG_NET_ACT_CT) +- struct nf_conn_act_ct_ext *act_ct_ext; +- +- act_ct_ext = nf_conn_act_ct_ext_find(ct); +- if (dev_net(skb->dev) == &init_net && act_ct_ext) +- act_ct_ext->ifindex[CTINFO2DIR(ctinfo)] = skb->dev->ifindex; +-#endif +-} +- + #endif /* _NF_CONNTRACK_ACT_CT_H */ +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 0b9a785dea459..3019a4406ca4f 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -985,7 +985,7 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, + if (err) + return err; + +- nf_conn_act_ct_ext_add(ct); ++ nf_conn_act_ct_ext_add(skb, ct, ctinfo); + } else if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) && + labels_nonzero(&info->labels.mask)) { + err = ovs_ct_set_labels(ct, key, &info->labels.value, +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index fb52d6f9aff93..3922d825ef2d8 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -376,6 +376,17 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, + entry->tuplehash[dir].tuple.tc.iifidx = act_ct_ext->ifindex[dir]; + } + ++static void tcf_ct_flow_ct_ext_ifidx_update(struct flow_offload *entry) ++{ ++ struct nf_conn_act_ct_ext *act_ct_ext; ++ ++ act_ct_ext = nf_conn_act_ct_ext_find(entry->ct); ++ if (act_ct_ext) { ++ tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_ORIGINAL); ++ tcf_ct_flow_tc_ifidx(entry, act_ct_ext, FLOW_OFFLOAD_DIR_REPLY); ++ } ++} ++ + static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, + struct nf_conn *ct, + bool tcp, bool bidirectional) +@@ -671,6 +682,8 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, + else + ctinfo = IP_CT_ESTABLISHED_REPLY; + ++ nf_conn_act_ct_ext_fill(skb, ct, ctinfo); ++ tcf_ct_flow_ct_ext_ifidx_update(flow); + flow_offload_refresh(nf_ft, flow, force_refresh); + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) { + /* Process this flow in SW to allow promoting to ASSURED */ +@@ -1030,7 +1043,7 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a, + tcf_ct_act_set_labels(ct, p->labels, p->labels_mask); + + if (!nf_ct_is_confirmed(ct)) +- nf_conn_act_ct_ext_add(ct); ++ nf_conn_act_ct_ext_add(skb, ct, ctinfo); + + /* This will take care of sending queued events + * even if the connection is already confirmed. +-- +2.42.0 + diff --git a/queue-6.6/net-smc-allow-cdc-msg-send-rather-than-drop-it-with-.patch b/queue-6.6/net-smc-allow-cdc-msg-send-rather-than-drop-it-with-.patch new file mode 100644 index 00000000000..85d3868cc02 --- /dev/null +++ b/queue-6.6/net-smc-allow-cdc-msg-send-rather-than-drop-it-with-.patch @@ -0,0 +1,64 @@ +From 2daf447cd6012b251382dc8968176075130da4ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 14:07:39 +0800 +Subject: net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc + +From: D. Wythe + +[ Upstream commit c5bf605ba4f9d6fbbb120595ab95002f4716edcb ] + +This patch re-fix the issues mentioned by commit 22a825c541d7 +("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()"). + +Blocking sending message do solve the issues though, but it also +prevents the peer to receive the final message. Besides, in logic, +whether the sndbuf_desc is NULL or not have no impact on the processing +of cdc message sending. + +Hence that, this patch allows the cdc message sending but to check the +sndbuf_desc with care in smc_cdc_tx_handler(). + +Fixes: 22a825c541d7 ("net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()") +Signed-off-by: D. Wythe +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_cdc.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c +index 01bdb7909a14b..3c06625ceb200 100644 +--- a/net/smc/smc_cdc.c ++++ b/net/smc/smc_cdc.c +@@ -28,13 +28,15 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd, + { + struct smc_cdc_tx_pend *cdcpend = (struct smc_cdc_tx_pend *)pnd_snd; + struct smc_connection *conn = cdcpend->conn; ++ struct smc_buf_desc *sndbuf_desc; + struct smc_sock *smc; + int diff; + ++ sndbuf_desc = conn->sndbuf_desc; + smc = container_of(conn, struct smc_sock, conn); + bh_lock_sock(&smc->sk); +- if (!wc_status) { +- diff = smc_curs_diff(cdcpend->conn->sndbuf_desc->len, ++ if (!wc_status && sndbuf_desc) { ++ diff = smc_curs_diff(sndbuf_desc->len, + &cdcpend->conn->tx_curs_fin, + &cdcpend->cursor); + /* sndbuf_space is decreased in smc_sendmsg */ +@@ -114,9 +116,6 @@ int smc_cdc_msg_send(struct smc_connection *conn, + union smc_host_cursor cfed; + int rc; + +- if (unlikely(!READ_ONCE(conn->sndbuf_desc))) +- return -ENOBUFS; +- + smc_cdc_add_pending_send(conn, pend); + + conn->tx_cdc_seq++; +-- +2.42.0 + diff --git a/queue-6.6/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch b/queue-6.6/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch new file mode 100644 index 00000000000..38a681680ab --- /dev/null +++ b/queue-6.6/net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch @@ -0,0 +1,111 @@ +From 223599dbb1895fa6e5dcd60d9c478fa2a0d6744c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 14:07:38 +0800 +Subject: net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT + +From: D. Wythe + +[ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ] + +Considering scenario: + + smc_cdc_rx_handler +__smc_release + sock_set_flag +smc_close_active() +sock_set_flag + +__set_bit(DEAD) __set_bit(DONE) + +Dues to __set_bit is not atomic, the DEAD or DONE might be lost. +if the DEAD flag lost, the state SMC_CLOSED will be never be reached +in smc_close_passive_work: + +if (sock_flag(sk, SOCK_DEAD) && + smc_close_sent_any_close(conn)) { + sk->sk_state = SMC_CLOSED; +} else { + /* just shutdown, but not yet closed locally */ + sk->sk_state = SMC_APPFINCLOSEWAIT; +} + +Replace sock_set_flags or __set_bit to set_bit will fix this problem. +Since set_bit is atomic. + +Fixes: b38d732477e4 ("smc: socket closing and linkgroup cleanup") +Signed-off-by: D. Wythe +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 4 ++-- + net/smc/smc.h | 5 +++++ + net/smc/smc_cdc.c | 2 +- + net/smc/smc_close.c | 2 +- + 4 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 35ddebae88941..4c047e0e1625e 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -275,7 +275,7 @@ static int __smc_release(struct smc_sock *smc) + + if (!smc->use_fallback) { + rc = smc_close_active(smc); +- sock_set_flag(sk, SOCK_DEAD); ++ smc_sock_set_flag(sk, SOCK_DEAD); + sk->sk_shutdown |= SHUTDOWN_MASK; + } else { + if (sk->sk_state != SMC_CLOSED) { +@@ -1743,7 +1743,7 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc) + if (new_clcsock) + sock_release(new_clcsock); + new_sk->sk_state = SMC_CLOSED; +- sock_set_flag(new_sk, SOCK_DEAD); ++ smc_sock_set_flag(new_sk, SOCK_DEAD); + sock_put(new_sk); /* final */ + *new_smc = NULL; + goto out; +diff --git a/net/smc/smc.h b/net/smc/smc.h +index 24745fde4ac26..e377980b84145 100644 +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -377,4 +377,9 @@ int smc_nl_dump_hs_limitation(struct sk_buff *skb, struct netlink_callback *cb); + int smc_nl_enable_hs_limitation(struct sk_buff *skb, struct genl_info *info); + int smc_nl_disable_hs_limitation(struct sk_buff *skb, struct genl_info *info); + ++static inline void smc_sock_set_flag(struct sock *sk, enum sock_flags flag) ++{ ++ set_bit(flag, &sk->sk_flags); ++} ++ + #endif /* __SMC_H */ +diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c +index 89105e95b4523..01bdb7909a14b 100644 +--- a/net/smc/smc_cdc.c ++++ b/net/smc/smc_cdc.c +@@ -385,7 +385,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc, + smc->sk.sk_shutdown |= RCV_SHUTDOWN; + if (smc->clcsock && smc->clcsock->sk) + smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN; +- sock_set_flag(&smc->sk, SOCK_DONE); ++ smc_sock_set_flag(&smc->sk, SOCK_DONE); + sock_hold(&smc->sk); /* sock_put in close_work */ + if (!queue_work(smc_close_wq, &conn->close_work)) + sock_put(&smc->sk); +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index dbdf03e8aa5b5..449ef454b53be 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -173,7 +173,7 @@ void smc_close_active_abort(struct smc_sock *smc) + break; + } + +- sock_set_flag(sk, SOCK_DEAD); ++ smc_sock_set_flag(sk, SOCK_DEAD); + sk->sk_state_change(sk); + + if (release_clcsock) { +-- +2.42.0 + diff --git a/queue-6.6/net-smc-put-sk-reference-if-close-work-was-canceled.patch b/queue-6.6/net-smc-put-sk-reference-if-close-work-was-canceled.patch new file mode 100644 index 00000000000..65c8cbe91d7 --- /dev/null +++ b/queue-6.6/net-smc-put-sk-reference-if-close-work-was-canceled.patch @@ -0,0 +1,40 @@ +From 14860f79e7fcf313eb23cbe07bdb8b7bf24a9c0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 14:07:40 +0800 +Subject: net/smc: put sk reference if close work was canceled + +From: D. Wythe + +[ Upstream commit aa96fbd6d78d9770323b21e2c92bd38821be8852 ] + +Note that we always hold a reference to sock when attempting +to submit close_work. Therefore, if we have successfully +canceled close_work from pending, we MUST release that reference +to avoid potential leaks. + +Fixes: 42bfba9eaa33 ("net/smc: immediate termination for SMCD link groups") +Signed-off-by: D. Wythe +Reviewed-by: Dust Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_close.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c +index 449ef454b53be..10219f55aad14 100644 +--- a/net/smc/smc_close.c ++++ b/net/smc/smc_close.c +@@ -116,7 +116,8 @@ static void smc_close_cancel_work(struct smc_sock *smc) + struct sock *sk = &smc->sk; + + release_sock(sk); +- cancel_work_sync(&smc->conn.close_work); ++ if (cancel_work_sync(&smc->conn.close_work)) ++ sock_put(sk); + cancel_delayed_work_sync(&smc->conn.tx_work); + lock_sock(sk); + } +-- +2.42.0 + diff --git a/queue-6.6/net-stmmac-xgmac-enable-support-for-multiple-flexibl.patch b/queue-6.6/net-stmmac-xgmac-enable-support-for-multiple-flexibl.patch new file mode 100644 index 00000000000..3632c43e045 --- /dev/null +++ b/queue-6.6/net-stmmac-xgmac-enable-support-for-multiple-flexibl.patch @@ -0,0 +1,68 @@ +From c7012147b12167bd2a738b3c7498c86236763f89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 10:27:29 +0800 +Subject: net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs + +From: Furong Xu <0x1207@gmail.com> + +[ Upstream commit db456d90a4c1b43b6251fa4348c8adc59b583274 ] + +From XGMAC Core 3.20 and later, each Flexible PPS has individual PPSEN bit +to select Fixed mode or Flexible mode. The PPSEN must be set, or it stays +in Fixed PPS mode by default. +XGMAC Core prior 3.20, only PPSEN0(bit 4) is writable. PPSEN{1,2,3} are +read-only reserved, and they are already in Flexible mode by default, our +new code always set PPSEN{1,2,3} do not make things worse ;-) + +Fixes: 95eaf3cd0a90 ("net: stmmac: dwxgmac: Add Flexible PPS support") +Reviewed-by: Serge Semin +Reviewed-by: Jacob Keller +Signed-off-by: Furong Xu <0x1207@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 2 +- + .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 14 +++++++++++++- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +index 7a8f47e7b728b..a4e8b498dea96 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h +@@ -259,7 +259,7 @@ + ((val) << XGMAC_PPS_MINIDX(x)) + #define XGMAC_PPSCMD_START 0x2 + #define XGMAC_PPSCMD_STOP 0x5 +-#define XGMAC_PPSEN0 BIT(4) ++#define XGMAC_PPSENx(x) BIT(4 + (x) * 8) + #define XGMAC_PPSx_TARGET_TIME_SEC(x) (0x00000d80 + (x) * 0x10) + #define XGMAC_PPSx_TARGET_TIME_NSEC(x) (0x00000d84 + (x) * 0x10) + #define XGMAC_TRGTBUSY0 BIT(31) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index f352be269deb5..453e88b75be08 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -1178,7 +1178,19 @@ static int dwxgmac2_flex_pps_config(void __iomem *ioaddr, int index, + + val |= XGMAC_PPSCMDx(index, XGMAC_PPSCMD_START); + val |= XGMAC_TRGTMODSELx(index, XGMAC_PPSCMD_START); +- val |= XGMAC_PPSEN0; ++ ++ /* XGMAC Core has 4 PPS outputs at most. ++ * ++ * Prior XGMAC Core 3.20, Fixed mode or Flexible mode are selectable for ++ * PPS0 only via PPSEN0. PPS{1,2,3} are in Flexible mode by default, ++ * and can not be switched to Fixed mode, since PPSEN{1,2,3} are ++ * read-only reserved to 0. ++ * But we always set PPSEN{1,2,3} do not make things worse ;-) ++ * ++ * From XGMAC Core 3.20 and later, PPSEN{0,1,2,3} are writable and must ++ * be set, or the PPS outputs stay in Fixed PPS mode by default. ++ */ ++ val |= XGMAC_PPSENx(index); + + writel(cfg->start.tv_sec, ioaddr + XGMAC_PPSx_TARGET_TIME_SEC(index)); + +-- +2.42.0 + diff --git a/queue-6.6/net-ti-icss-iep-fix-setting-counter-value.patch b/queue-6.6/net-ti-icss-iep-fix-setting-counter-value.patch new file mode 100644 index 00000000000..05a1acf7ad2 --- /dev/null +++ b/queue-6.6/net-ti-icss-iep-fix-setting-counter-value.patch @@ -0,0 +1,38 @@ +From 828e3ddae007d55b8f996fc7f259fae910ee9154 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 12:00:36 +0000 +Subject: net: ti: icss-iep: fix setting counter value + +From: Diogo Ivo + +[ Upstream commit 83b9dda8afa4e968d9cce253f390b01c0612a2a5 ] + +Currently icss_iep_set_counter() writes the upper 32-bits of the +counter value to both the lower and upper counter registers, so +fix this by writing the appropriate value to the lower register. + +Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") +Signed-off-by: Diogo Ivo +Link: https://lore.kernel.org/r/20231107120037.1513546-1-diogo.ivo@siemens.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icss_iep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/icssg/icss_iep.c b/drivers/net/ethernet/ti/icssg/icss_iep.c +index 4cf2a52e43783..3025e9c189702 100644 +--- a/drivers/net/ethernet/ti/icssg/icss_iep.c ++++ b/drivers/net/ethernet/ti/icssg/icss_iep.c +@@ -177,7 +177,7 @@ static void icss_iep_set_counter(struct icss_iep *iep, u64 ns) + if (iep->plat_data->flags & ICSS_IEP_64BIT_COUNTER_SUPPORT) + writel(upper_32_bits(ns), iep->base + + iep->plat_data->reg_offs[ICSS_IEP_COUNT_REG1]); +- writel(upper_32_bits(ns), iep->base + iep->plat_data->reg_offs[ICSS_IEP_COUNT_REG0]); ++ writel(lower_32_bits(ns), iep->base + iep->plat_data->reg_offs[ICSS_IEP_COUNT_REG0]); + } + + static void icss_iep_update_to_next_boundary(struct icss_iep *iep, u64 start_ns); +-- +2.42.0 + diff --git a/queue-6.6/netfilter-nat-fix-ipv6-nat-redirect-with-mapped-and-.patch b/queue-6.6/netfilter-nat-fix-ipv6-nat-redirect-with-mapped-and-.patch new file mode 100644 index 00000000000..cb140988a52 --- /dev/null +++ b/queue-6.6/netfilter-nat-fix-ipv6-nat-redirect-with-mapped-and-.patch @@ -0,0 +1,97 @@ +From 60cd5796330051b02cac666c4ee5eb3ed891170f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 13:18:53 +0100 +Subject: netfilter: nat: fix ipv6 nat redirect with mapped and scoped + addresses + +From: Florian Westphal + +[ Upstream commit 80abbe8a8263106fe45a4f293b92b5c74cc9cc8a ] + +The ipv6 redirect target was derived from the ipv4 one, i.e. its +identical to a 'dnat' with the first (primary) address assigned to the +network interface. The code has been moved around to make it usable +from nf_tables too, but its still the same as it was back when this +was added in 2012. + +IPv6, however, has different types of addresses, if the 'wrong' address +comes first the redirection does not work. + +In Daniels case, the addresses are: + inet6 ::ffff:192 ... + inet6 2a01: ... + +... so the function attempts to redirect to the mapped address. + +Add more checks before the address is deemed correct: +1. If the packets' daddr is scoped, search for a scoped address too +2. skip tentative addresses +3. skip mapped addresses + +Use the first address that appears to match our needs. + +Reported-by: Daniel Huhardeaux +Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/ +Fixes: 115e23ac78f8 ("netfilter: ip6tables: add REDIRECT target") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_nat_redirect.c | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c +index 6616ba5d0b049..5b37487d9d11f 100644 +--- a/net/netfilter/nf_nat_redirect.c ++++ b/net/netfilter/nf_nat_redirect.c +@@ -80,6 +80,26 @@ EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4); + + static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT; + ++static bool nf_nat_redirect_ipv6_usable(const struct inet6_ifaddr *ifa, unsigned int scope) ++{ ++ unsigned int ifa_addr_type = ipv6_addr_type(&ifa->addr); ++ ++ if (ifa_addr_type & IPV6_ADDR_MAPPED) ++ return false; ++ ++ if ((ifa->flags & IFA_F_TENTATIVE) && (!(ifa->flags & IFA_F_OPTIMISTIC))) ++ return false; ++ ++ if (scope) { ++ unsigned int ifa_scope = ifa_addr_type & IPV6_ADDR_SCOPE_MASK; ++ ++ if (!(scope & ifa_scope)) ++ return false; ++ } ++ ++ return true; ++} ++ + unsigned int + nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range, + unsigned int hooknum) +@@ -89,14 +109,19 @@ nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range, + if (hooknum == NF_INET_LOCAL_OUT) { + newdst.in6 = loopback_addr; + } else { ++ unsigned int scope = ipv6_addr_scope(&ipv6_hdr(skb)->daddr); + struct inet6_dev *idev; +- struct inet6_ifaddr *ifa; + bool addr = false; + + idev = __in6_dev_get(skb->dev); + if (idev != NULL) { ++ const struct inet6_ifaddr *ifa; ++ + read_lock_bh(&idev->lock); + list_for_each_entry(ifa, &idev->addr_list, if_list) { ++ if (!nf_nat_redirect_ipv6_usable(ifa, scope)) ++ continue; ++ + newdst.in6 = ifa->addr; + addr = true; + break; +-- +2.42.0 + diff --git a/queue-6.6/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch b/queue-6.6/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch new file mode 100644 index 00000000000..c87b59d7cd0 --- /dev/null +++ b/queue-6.6/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch @@ -0,0 +1,49 @@ +From e03e5f8ab409601f0d34e0d2f220ed624bfc21ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 11:56:00 -0800 +Subject: netfilter: xt_recent: fix (increase) ipv6 literal buffer length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ] + +in6_pton() supports 'low-32-bit dot-decimal representation' +(this is useful with DNS64/NAT64 networks for example): + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT + # cat /proc/self/net/xt_recent/DEFAULT + src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829 + +but the provided buffer is too short: + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT + -bash: echo: write error: Invalid argument + +Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support") +Signed-off-by: Maciej Żenczykowski +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_recent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index 7ddb9a78e3fc8..ef93e0d3bee04 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -561,7 +561,7 @@ recent_mt_proc_write(struct file *file, const char __user *input, + { + struct recent_table *t = pde_data(file_inode(file)); + struct recent_entry *e; +- char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")]; ++ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")]; + const char *c = buf; + union nf_inet_addr addr = {}; + u_int16_t family; +-- +2.42.0 + diff --git a/queue-6.6/nvme-fix-error-handling-for-io_uring-nvme-passthroug.patch b/queue-6.6/nvme-fix-error-handling-for-io_uring-nvme-passthroug.patch new file mode 100644 index 00000000000..a71601d6241 --- /dev/null +++ b/queue-6.6/nvme-fix-error-handling-for-io_uring-nvme-passthroug.patch @@ -0,0 +1,46 @@ +From c57d50962400ee1ff1fe75a509328569616ac8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 00:54:30 +0530 +Subject: nvme: fix error-handling for io_uring nvme-passthrough + +From: Anuj Gupta + +[ Upstream commit 1147dd0503564fa0e03489a039f9e0c748a03db4 ] + +Driver may return an error before submitting the command to the device. +Ensure that such error is propagated up. + +Fixes: 456cba386e94 ("nvme: wire-up uring-cmd support for io-passthru on char-device.") +Signed-off-by: Anuj Gupta +Signed-off-by: Kanchan Joshi +Reviewed-by: Niklas Cassel +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/ioctl.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c +index 747c879e8982b..529b9954d2b8c 100644 +--- a/drivers/nvme/host/ioctl.c ++++ b/drivers/nvme/host/ioctl.c +@@ -510,10 +510,13 @@ static enum rq_end_io_ret nvme_uring_cmd_end_io(struct request *req, + struct nvme_uring_cmd_pdu *pdu = nvme_uring_cmd_pdu(ioucmd); + + req->bio = pdu->bio; +- if (nvme_req(req)->flags & NVME_REQ_CANCELLED) ++ if (nvme_req(req)->flags & NVME_REQ_CANCELLED) { + pdu->nvme_status = -EINTR; +- else ++ } else { + pdu->nvme_status = nvme_req(req)->status; ++ if (!pdu->nvme_status) ++ pdu->nvme_status = blk_status_to_errno(err); ++ } + pdu->u.result = le64_to_cpu(nvme_req(req)->result.u64); + + /* +-- +2.42.0 + diff --git a/queue-6.6/octeontx2-pf-fix-error-codes.patch b/queue-6.6/octeontx2-pf-fix-error-codes.patch new file mode 100644 index 00000000000..0ee04464d7a --- /dev/null +++ b/queue-6.6/octeontx2-pf-fix-error-codes.patch @@ -0,0 +1,69 @@ +From b048cc45ceaebc09bc592a948f4f4a2a700f5f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 07:49:52 +0530 +Subject: octeontx2-pf: Fix error codes + +From: Ratheesh Kannoth + +[ Upstream commit 96b9a68d1a6e4f889d453874c9e359aa720b520f ] + +Some of error codes were wrong. Fix the same. + +Fixes: 51afe9026d0c ("octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]") +Signed-off-by: Ratheesh Kannoth +Reviewed-by: Wojciech Drewek +Link: https://lore.kernel.org/r/20231027021953.1819959-1-rkannoth@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/nic/otx2_struct.h | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h +index fa37b9f312cae..4e5899d8fa2e6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h +@@ -318,23 +318,23 @@ enum nix_snd_status_e { + NIX_SND_STATUS_EXT_ERR = 0x6, + NIX_SND_STATUS_JUMP_FAULT = 0x7, + NIX_SND_STATUS_JUMP_POISON = 0x8, +- NIX_SND_STATUS_CRC_ERR = 0x9, +- NIX_SND_STATUS_IMM_ERR = 0x10, +- NIX_SND_STATUS_SG_ERR = 0x11, +- NIX_SND_STATUS_MEM_ERR = 0x12, +- NIX_SND_STATUS_INVALID_SUBDC = 0x13, +- NIX_SND_STATUS_SUBDC_ORDER_ERR = 0x14, +- NIX_SND_STATUS_DATA_FAULT = 0x15, +- NIX_SND_STATUS_DATA_POISON = 0x16, +- NIX_SND_STATUS_NPC_DROP_ACTION = 0x17, +- NIX_SND_STATUS_LOCK_VIOL = 0x18, +- NIX_SND_STATUS_NPC_UCAST_CHAN_ERR = 0x19, +- NIX_SND_STATUS_NPC_MCAST_CHAN_ERR = 0x20, +- NIX_SND_STATUS_NPC_MCAST_ABORT = 0x21, +- NIX_SND_STATUS_NPC_VTAG_PTR_ERR = 0x22, +- NIX_SND_STATUS_NPC_VTAG_SIZE_ERR = 0x23, +- NIX_SND_STATUS_SEND_MEM_FAULT = 0x24, +- NIX_SND_STATUS_SEND_STATS_ERR = 0x25, ++ NIX_SND_STATUS_CRC_ERR = 0x10, ++ NIX_SND_STATUS_IMM_ERR = 0x11, ++ NIX_SND_STATUS_SG_ERR = 0x12, ++ NIX_SND_STATUS_MEM_ERR = 0x13, ++ NIX_SND_STATUS_INVALID_SUBDC = 0x14, ++ NIX_SND_STATUS_SUBDC_ORDER_ERR = 0x15, ++ NIX_SND_STATUS_DATA_FAULT = 0x16, ++ NIX_SND_STATUS_DATA_POISON = 0x17, ++ NIX_SND_STATUS_NPC_DROP_ACTION = 0x20, ++ NIX_SND_STATUS_LOCK_VIOL = 0x21, ++ NIX_SND_STATUS_NPC_UCAST_CHAN_ERR = 0x22, ++ NIX_SND_STATUS_NPC_MCAST_CHAN_ERR = 0x23, ++ NIX_SND_STATUS_NPC_MCAST_ABORT = 0x24, ++ NIX_SND_STATUS_NPC_VTAG_PTR_ERR = 0x25, ++ NIX_SND_STATUS_NPC_VTAG_SIZE_ERR = 0x26, ++ NIX_SND_STATUS_SEND_MEM_FAULT = 0x27, ++ NIX_SND_STATUS_SEND_STATS_ERR = 0x28, + NIX_SND_STATUS_MAX, + }; + +-- +2.42.0 + diff --git a/queue-6.6/octeontx2-pf-fix-holes-in-error-code.patch b/queue-6.6/octeontx2-pf-fix-holes-in-error-code.patch new file mode 100644 index 00000000000..3319ce750f1 --- /dev/null +++ b/queue-6.6/octeontx2-pf-fix-holes-in-error-code.patch @@ -0,0 +1,156 @@ +From eacd9c701121c239fed4a73dbd1e03d6f25bd1ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 07:49:53 +0530 +Subject: octeontx2-pf: Fix holes in error code + +From: Ratheesh Kannoth + +[ Upstream commit 7aeeb2cb7a2570bb69a87ad14018b03e06ce5be5 ] + +Error code strings are not getting printed properly +due to holes. Print error code as well. + +Fixes: 51afe9026d0c ("octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]") +Signed-off-by: Ratheesh Kannoth +Reviewed-by: Wojciech Drewek +Link: https://lore.kernel.org/r/20231027021953.1819959-2-rkannoth@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 80 +++++++++++-------- + 1 file changed, 46 insertions(+), 34 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 6daf4d58c25d6..125fe231702a4 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1193,31 +1193,32 @@ static char *nix_mnqerr_e_str[NIX_MNQERR_MAX] = { + }; + + static char *nix_snd_status_e_str[NIX_SND_STATUS_MAX] = { +- "NIX_SND_STATUS_GOOD", +- "NIX_SND_STATUS_SQ_CTX_FAULT", +- "NIX_SND_STATUS_SQ_CTX_POISON", +- "NIX_SND_STATUS_SQB_FAULT", +- "NIX_SND_STATUS_SQB_POISON", +- "NIX_SND_STATUS_HDR_ERR", +- "NIX_SND_STATUS_EXT_ERR", +- "NIX_SND_STATUS_JUMP_FAULT", +- "NIX_SND_STATUS_JUMP_POISON", +- "NIX_SND_STATUS_CRC_ERR", +- "NIX_SND_STATUS_IMM_ERR", +- "NIX_SND_STATUS_SG_ERR", +- "NIX_SND_STATUS_MEM_ERR", +- "NIX_SND_STATUS_INVALID_SUBDC", +- "NIX_SND_STATUS_SUBDC_ORDER_ERR", +- "NIX_SND_STATUS_DATA_FAULT", +- "NIX_SND_STATUS_DATA_POISON", +- "NIX_SND_STATUS_NPC_DROP_ACTION", +- "NIX_SND_STATUS_LOCK_VIOL", +- "NIX_SND_STATUS_NPC_UCAST_CHAN_ERR", +- "NIX_SND_STATUS_NPC_MCAST_CHAN_ERR", +- "NIX_SND_STATUS_NPC_MCAST_ABORT", +- "NIX_SND_STATUS_NPC_VTAG_PTR_ERR", +- "NIX_SND_STATUS_NPC_VTAG_SIZE_ERR", +- "NIX_SND_STATUS_SEND_STATS_ERR", ++ [NIX_SND_STATUS_GOOD] = "NIX_SND_STATUS_GOOD", ++ [NIX_SND_STATUS_SQ_CTX_FAULT] = "NIX_SND_STATUS_SQ_CTX_FAULT", ++ [NIX_SND_STATUS_SQ_CTX_POISON] = "NIX_SND_STATUS_SQ_CTX_POISON", ++ [NIX_SND_STATUS_SQB_FAULT] = "NIX_SND_STATUS_SQB_FAULT", ++ [NIX_SND_STATUS_SQB_POISON] = "NIX_SND_STATUS_SQB_POISON", ++ [NIX_SND_STATUS_HDR_ERR] = "NIX_SND_STATUS_HDR_ERR", ++ [NIX_SND_STATUS_EXT_ERR] = "NIX_SND_STATUS_EXT_ERR", ++ [NIX_SND_STATUS_JUMP_FAULT] = "NIX_SND_STATUS_JUMP_FAULT", ++ [NIX_SND_STATUS_JUMP_POISON] = "NIX_SND_STATUS_JUMP_POISON", ++ [NIX_SND_STATUS_CRC_ERR] = "NIX_SND_STATUS_CRC_ERR", ++ [NIX_SND_STATUS_IMM_ERR] = "NIX_SND_STATUS_IMM_ERR", ++ [NIX_SND_STATUS_SG_ERR] = "NIX_SND_STATUS_SG_ERR", ++ [NIX_SND_STATUS_MEM_ERR] = "NIX_SND_STATUS_MEM_ERR", ++ [NIX_SND_STATUS_INVALID_SUBDC] = "NIX_SND_STATUS_INVALID_SUBDC", ++ [NIX_SND_STATUS_SUBDC_ORDER_ERR] = "NIX_SND_STATUS_SUBDC_ORDER_ERR", ++ [NIX_SND_STATUS_DATA_FAULT] = "NIX_SND_STATUS_DATA_FAULT", ++ [NIX_SND_STATUS_DATA_POISON] = "NIX_SND_STATUS_DATA_POISON", ++ [NIX_SND_STATUS_NPC_DROP_ACTION] = "NIX_SND_STATUS_NPC_DROP_ACTION", ++ [NIX_SND_STATUS_LOCK_VIOL] = "NIX_SND_STATUS_LOCK_VIOL", ++ [NIX_SND_STATUS_NPC_UCAST_CHAN_ERR] = "NIX_SND_STAT_NPC_UCAST_CHAN_ERR", ++ [NIX_SND_STATUS_NPC_MCAST_CHAN_ERR] = "NIX_SND_STAT_NPC_MCAST_CHAN_ERR", ++ [NIX_SND_STATUS_NPC_MCAST_ABORT] = "NIX_SND_STATUS_NPC_MCAST_ABORT", ++ [NIX_SND_STATUS_NPC_VTAG_PTR_ERR] = "NIX_SND_STATUS_NPC_VTAG_PTR_ERR", ++ [NIX_SND_STATUS_NPC_VTAG_SIZE_ERR] = "NIX_SND_STATUS_NPC_VTAG_SIZE_ERR", ++ [NIX_SND_STATUS_SEND_MEM_FAULT] = "NIX_SND_STATUS_SEND_MEM_FAULT", ++ [NIX_SND_STATUS_SEND_STATS_ERR] = "NIX_SND_STATUS_SEND_STATS_ERR", + }; + + static irqreturn_t otx2_q_intr_handler(int irq, void *data) +@@ -1238,14 +1239,16 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data) + continue; + + if (val & BIT_ULL(42)) { +- netdev_err(pf->netdev, "CQ%lld: error reading NIX_LF_CQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n", ++ netdev_err(pf->netdev, ++ "CQ%lld: error reading NIX_LF_CQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n", + qidx, otx2_read64(pf, NIX_LF_ERR_INT)); + } else { + if (val & BIT_ULL(NIX_CQERRINT_DOOR_ERR)) + netdev_err(pf->netdev, "CQ%lld: Doorbell error", + qidx); + if (val & BIT_ULL(NIX_CQERRINT_CQE_FAULT)) +- netdev_err(pf->netdev, "CQ%lld: Memory fault on CQE write to LLC/DRAM", ++ netdev_err(pf->netdev, ++ "CQ%lld: Memory fault on CQE write to LLC/DRAM", + qidx); + } + +@@ -1272,7 +1275,8 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data) + (val & NIX_SQINT_BITS)); + + if (val & BIT_ULL(42)) { +- netdev_err(pf->netdev, "SQ%lld: error reading NIX_LF_SQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n", ++ netdev_err(pf->netdev, ++ "SQ%lld: error reading NIX_LF_SQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n", + qidx, otx2_read64(pf, NIX_LF_ERR_INT)); + goto done; + } +@@ -1282,8 +1286,11 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data) + goto chk_mnq_err_dbg; + + sq_op_err_code = FIELD_GET(GENMASK(7, 0), sq_op_err_dbg); +- netdev_err(pf->netdev, "SQ%lld: NIX_LF_SQ_OP_ERR_DBG(%llx) err=%s\n", +- qidx, sq_op_err_dbg, nix_sqoperr_e_str[sq_op_err_code]); ++ netdev_err(pf->netdev, ++ "SQ%lld: NIX_LF_SQ_OP_ERR_DBG(0x%llx) err=%s(%#x)\n", ++ qidx, sq_op_err_dbg, ++ nix_sqoperr_e_str[sq_op_err_code], ++ sq_op_err_code); + + otx2_write64(pf, NIX_LF_SQ_OP_ERR_DBG, BIT_ULL(44)); + +@@ -1300,16 +1307,21 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data) + goto chk_snd_err_dbg; + + mnq_err_code = FIELD_GET(GENMASK(7, 0), mnq_err_dbg); +- netdev_err(pf->netdev, "SQ%lld: NIX_LF_MNQ_ERR_DBG(%llx) err=%s\n", +- qidx, mnq_err_dbg, nix_mnqerr_e_str[mnq_err_code]); ++ netdev_err(pf->netdev, ++ "SQ%lld: NIX_LF_MNQ_ERR_DBG(0x%llx) err=%s(%#x)\n", ++ qidx, mnq_err_dbg, nix_mnqerr_e_str[mnq_err_code], ++ mnq_err_code); + otx2_write64(pf, NIX_LF_MNQ_ERR_DBG, BIT_ULL(44)); + + chk_snd_err_dbg: + snd_err_dbg = otx2_read64(pf, NIX_LF_SEND_ERR_DBG); + if (snd_err_dbg & BIT(44)) { + snd_err_code = FIELD_GET(GENMASK(7, 0), snd_err_dbg); +- netdev_err(pf->netdev, "SQ%lld: NIX_LF_SND_ERR_DBG:0x%llx err=%s\n", +- qidx, snd_err_dbg, nix_snd_status_e_str[snd_err_code]); ++ netdev_err(pf->netdev, ++ "SQ%lld: NIX_LF_SND_ERR_DBG:0x%llx err=%s(%#x)\n", ++ qidx, snd_err_dbg, ++ nix_snd_status_e_str[snd_err_code], ++ snd_err_code); + otx2_write64(pf, NIX_LF_SEND_ERR_DBG, BIT_ULL(44)); + } + +-- +2.42.0 + diff --git a/queue-6.6/octeontx2-pf-free-pending-and-dropped-sqes.patch b/queue-6.6/octeontx2-pf-free-pending-and-dropped-sqes.patch new file mode 100644 index 00000000000..0aed2506711 --- /dev/null +++ b/queue-6.6/octeontx2-pf-free-pending-and-dropped-sqes.patch @@ -0,0 +1,162 @@ +From a00056879209072c7ff7538ea342921606f4a90d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 16:53:45 +0530 +Subject: octeontx2-pf: Free pending and dropped SQEs + +From: Geetha sowjanya + +[ Upstream commit 3423ca23e08bf285a324237abe88e7e7d9becfe6 ] + +On interface down, the pending SQEs in the NIX get dropped +or drained out during SMQ flush. But skb's pointed by these +SQEs never get free or updated to the stack as respective CQE +never get added. +This patch fixes the issue by freeing all valid skb's in SQ SG list. + +Fixes: b1bc8457e9d0 ("octeontx2-pf: Cleanup all receive buffers in SG descriptor") +Signed-off-by: Geetha sowjanya +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/nic/otx2_common.c | 15 +++---- + .../marvell/octeontx2/nic/otx2_common.h | 1 + + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 1 + + .../marvell/octeontx2/nic/otx2_txrx.c | 42 +++++++++++++++++++ + 4 files changed, 49 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index 818ce76185b2f..629cf1659e5f9 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -818,7 +818,6 @@ void otx2_sqb_flush(struct otx2_nic *pfvf) + int qidx, sqe_tail, sqe_head; + struct otx2_snd_queue *sq; + u64 incr, *ptr, val; +- int timeout = 1000; + + ptr = (u64 *)otx2_get_regaddr(pfvf, NIX_LF_SQ_OP_STATUS); + for (qidx = 0; qidx < otx2_get_total_tx_queues(pfvf); qidx++) { +@@ -827,15 +826,11 @@ void otx2_sqb_flush(struct otx2_nic *pfvf) + continue; + + incr = (u64)qidx << 32; +- while (timeout) { +- val = otx2_atomic64_add(incr, ptr); +- sqe_head = (val >> 20) & 0x3F; +- sqe_tail = (val >> 28) & 0x3F; +- if (sqe_head == sqe_tail) +- break; +- usleep_range(1, 3); +- timeout--; +- } ++ val = otx2_atomic64_add(incr, ptr); ++ sqe_head = (val >> 20) & 0x3F; ++ sqe_tail = (val >> 28) & 0x3F; ++ if (sqe_head != sqe_tail) ++ usleep_range(50, 60); + } + } + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +index c04a8ee53a82f..e7c69b57147e0 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -977,6 +977,7 @@ int otx2_txschq_config(struct otx2_nic *pfvf, int lvl, int prio, bool pfc_en); + int otx2_txsch_alloc(struct otx2_nic *pfvf); + void otx2_txschq_stop(struct otx2_nic *pfvf); + void otx2_txschq_free_one(struct otx2_nic *pfvf, u16 lvl, u16 schq); ++void otx2_free_pending_sqe(struct otx2_nic *pfvf); + void otx2_sqb_flush(struct otx2_nic *pfvf); + int otx2_alloc_rbuf(struct otx2_nic *pfvf, struct otx2_pool *pool, + dma_addr_t *dma); +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 125fe231702a4..91b99fd703616 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1601,6 +1601,7 @@ static void otx2_free_hw_resources(struct otx2_nic *pf) + else + otx2_cleanup_tx_cqes(pf, cq); + } ++ otx2_free_pending_sqe(pf); + + otx2_free_sq_res(pf); + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +index 53b2a4ef52985..6ee15f3c25ede 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -1247,9 +1247,11 @@ void otx2_cleanup_rx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq, int q + + void otx2_cleanup_tx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq) + { ++ int tx_pkts = 0, tx_bytes = 0; + struct sk_buff *skb = NULL; + struct otx2_snd_queue *sq; + struct nix_cqe_tx_s *cqe; ++ struct netdev_queue *txq; + int processed_cqe = 0; + struct sg_list *sg; + int qidx; +@@ -1270,12 +1272,20 @@ void otx2_cleanup_tx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq) + sg = &sq->sg[cqe->comp.sqe_id]; + skb = (struct sk_buff *)sg->skb; + if (skb) { ++ tx_bytes += skb->len; ++ tx_pkts++; + otx2_dma_unmap_skb_frags(pfvf, sg); + dev_kfree_skb_any(skb); + sg->skb = (u64)NULL; + } + } + ++ if (likely(tx_pkts)) { ++ if (qidx >= pfvf->hw.tx_queues) ++ qidx -= pfvf->hw.xdp_queues; ++ txq = netdev_get_tx_queue(pfvf->netdev, qidx); ++ netdev_tx_completed_queue(txq, tx_pkts, tx_bytes); ++ } + /* Free CQEs to HW */ + otx2_write64(pfvf, NIX_LF_CQ_OP_DOOR, + ((u64)cq->cq_idx << 32) | processed_cqe); +@@ -1302,6 +1312,38 @@ int otx2_rxtx_enable(struct otx2_nic *pfvf, bool enable) + return err; + } + ++void otx2_free_pending_sqe(struct otx2_nic *pfvf) ++{ ++ int tx_pkts = 0, tx_bytes = 0; ++ struct sk_buff *skb = NULL; ++ struct otx2_snd_queue *sq; ++ struct netdev_queue *txq; ++ struct sg_list *sg; ++ int sq_idx, sqe; ++ ++ for (sq_idx = 0; sq_idx < pfvf->hw.tx_queues; sq_idx++) { ++ sq = &pfvf->qset.sq[sq_idx]; ++ for (sqe = 0; sqe < sq->sqe_cnt; sqe++) { ++ sg = &sq->sg[sqe]; ++ skb = (struct sk_buff *)sg->skb; ++ if (skb) { ++ tx_bytes += skb->len; ++ tx_pkts++; ++ otx2_dma_unmap_skb_frags(pfvf, sg); ++ dev_kfree_skb_any(skb); ++ sg->skb = (u64)NULL; ++ } ++ } ++ ++ if (!tx_pkts) ++ continue; ++ txq = netdev_get_tx_queue(pfvf->netdev, sq_idx); ++ netdev_tx_completed_queue(txq, tx_pkts, tx_bytes); ++ tx_pkts = 0; ++ tx_bytes = 0; ++ } ++} ++ + static void otx2_xdp_sqe_add_sg(struct otx2_snd_queue *sq, u64 dma_addr, + int len, int *offset) + { +-- +2.42.0 + diff --git a/queue-6.6/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch b/queue-6.6/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch new file mode 100644 index 00000000000..a271e05a25f --- /dev/null +++ b/queue-6.6/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch @@ -0,0 +1,51 @@ +From bd3422b4d39bbde7013a0beced6780f117d34f52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 10:54:14 -0700 +Subject: pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit e9bc4411548aaa738905d37851a0146c16b3bb21 ] + +The suspend/resume functions currently utilize +clk_disable()/clk_enable() respectively which may be no-ops with certain +clock providers such as SCMI. Fix this to use clk_disable_unprepare() +and clk_prepare_enable() respectively as we should. + +Fixes: 3a9f5957020f ("pwm: Add Broadcom BCM7038 PWM controller support") +Signed-off-by: Florian Fainelli +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-brcmstb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-brcmstb.c b/drivers/pwm/pwm-brcmstb.c +index a3faa9a3de7cc..a7d529bf76adc 100644 +--- a/drivers/pwm/pwm-brcmstb.c ++++ b/drivers/pwm/pwm-brcmstb.c +@@ -288,7 +288,7 @@ static int brcmstb_pwm_suspend(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_disable(p->clk); ++ clk_disable_unprepare(p->clk); + + return 0; + } +@@ -297,7 +297,7 @@ static int brcmstb_pwm_resume(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_enable(p->clk); ++ clk_prepare_enable(p->clk); + + return 0; + } +-- +2.42.0 + diff --git a/queue-6.6/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch b/queue-6.6/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch new file mode 100644 index 00000000000..9d6c1858de1 --- /dev/null +++ b/queue-6.6/pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch @@ -0,0 +1,115 @@ +From 7ed368e070bcff67002913a9fc5227d1d13f8ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 10:06:48 +0200 +Subject: pwm: sti: Reduce number of allocations and drop usage of chip_data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 2d6812b41e0d832919d72c72ebddf361df53ba1b ] + +Instead of using one allocation per capture channel, use a single one. Also +store it in driver data instead of chip data. + +This has several advantages: + + - driver data isn't cleared when pwm_put() is called + - Reduces memory fragmentation + +Also register the pwm chip only after the per capture channel data is +initialized as the capture callback relies on this initialization and it +might be called even before pwmchip_add() returns. + +It would be still better to have struct sti_pwm_compat_data and the +per-channel data struct sti_cpt_ddata in a single memory chunk, but that's +not easily possible because the number of capture channels isn't known yet +when the driver data struct is allocated. + +Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()") +Reported-by: George Stark +Fixes: c97267ae831d ("pwm: sti: Add PWM capture callback") +Link: https://lore.kernel.org/r/20230705080650.2353391-7-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sti.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c +index b1d1373648a38..c8800f84b917f 100644 +--- a/drivers/pwm/pwm-sti.c ++++ b/drivers/pwm/pwm-sti.c +@@ -79,6 +79,7 @@ struct sti_pwm_compat_data { + unsigned int cpt_num_devs; + unsigned int max_pwm_cnt; + unsigned int max_prescale; ++ struct sti_cpt_ddata *ddata; + }; + + struct sti_pwm_chip { +@@ -314,7 +315,7 @@ static int sti_pwm_capture(struct pwm_chip *chip, struct pwm_device *pwm, + { + struct sti_pwm_chip *pc = to_sti_pwmchip(chip); + struct sti_pwm_compat_data *cdata = pc->cdata; +- struct sti_cpt_ddata *ddata = pwm_get_chip_data(pwm); ++ struct sti_cpt_ddata *ddata = &cdata->ddata[pwm->hwpwm]; + struct device *dev = pc->dev; + unsigned int effective_ticks; + unsigned long long high, low; +@@ -440,7 +441,7 @@ static irqreturn_t sti_pwm_interrupt(int irq, void *data) + while (cpt_int_stat) { + devicenum = ffs(cpt_int_stat) - 1; + +- ddata = pwm_get_chip_data(&pc->chip.pwms[devicenum]); ++ ddata = &pc->cdata->ddata[devicenum]; + + /* + * Capture input: +@@ -638,30 +639,28 @@ static int sti_pwm_probe(struct platform_device *pdev) + dev_err(dev, "failed to prepare clock\n"); + return ret; + } ++ ++ cdata->ddata = devm_kzalloc(dev, cdata->cpt_num_devs * sizeof(*cdata->ddata), GFP_KERNEL); ++ if (!cdata->ddata) ++ return -ENOMEM; + } + + pc->chip.dev = dev; + pc->chip.ops = &sti_pwm_ops; + pc->chip.npwm = pc->cdata->pwm_num_devs; + +- ret = pwmchip_add(&pc->chip); +- if (ret < 0) { +- clk_unprepare(pc->pwm_clk); +- clk_unprepare(pc->cpt_clk); +- return ret; +- } +- + for (i = 0; i < cdata->cpt_num_devs; i++) { +- struct sti_cpt_ddata *ddata; +- +- ddata = devm_kzalloc(dev, sizeof(*ddata), GFP_KERNEL); +- if (!ddata) +- return -ENOMEM; ++ struct sti_cpt_ddata *ddata = &cdata->ddata[i]; + + init_waitqueue_head(&ddata->wait); + mutex_init(&ddata->lock); ++ } + +- pwm_set_chip_data(&pc->chip.pwms[i], ddata); ++ ret = pwmchip_add(&pc->chip); ++ if (ret < 0) { ++ clk_unprepare(pc->pwm_clk); ++ clk_unprepare(pc->cpt_clk); ++ return ret; + } + + platform_set_drvdata(pdev, pc); +-- +2.42.0 + diff --git a/queue-6.6/r8169-respect-userspace-disabling-iff_multicast.patch b/queue-6.6/r8169-respect-userspace-disabling-iff_multicast.patch new file mode 100644 index 00000000000..721ed5c6a5a --- /dev/null +++ b/queue-6.6/r8169-respect-userspace-disabling-iff_multicast.patch @@ -0,0 +1,42 @@ +From f370049db42225a1897321962f297a7eca59ceec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 23:43:36 +0100 +Subject: r8169: respect userspace disabling IFF_MULTICAST + +From: Heiner Kallweit + +[ Upstream commit 8999ce4cfc87e61b4143ec2e7b93d8e92e11fa7f ] + +So far we ignore the setting of IFF_MULTICAST. Fix this and clear bit +AcceptMulticast if IFF_MULTICAST isn't set. + +Note: Based on the implementations I've seen it doesn't seem to be 100% clear +what a driver is supposed to do if IFF_ALLMULTI is set but IFF_MULTICAST +is not. This patch is based on the understanding that IFF_MULTICAST has +precedence. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/4a57ba02-d52d-4369-9f14-3565e6c1f7dc@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 4b8251cdb4363..0c76c162b8a9f 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2582,6 +2582,8 @@ static void rtl_set_rx_mode(struct net_device *dev) + + if (dev->flags & IFF_PROMISC) { + rx_mode |= AcceptAllPhys; ++ } else if (!(dev->flags & IFF_MULTICAST)) { ++ rx_mode &= ~AcceptMulticast; + } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT || + dev->flags & IFF_ALLMULTI || + tp->mac_version == RTL_GIGA_MAC_VER_35 || +-- +2.42.0 + diff --git a/queue-6.6/risc-v-don-t-fail-in-riscv_of_parent_hartid-for-disa.patch b/queue-6.6/risc-v-don-t-fail-in-riscv_of_parent_hartid-for-disa.patch new file mode 100644 index 00000000000..f9935761bf4 --- /dev/null +++ b/queue-6.6/risc-v-don-t-fail-in-riscv_of_parent_hartid-for-disa.patch @@ -0,0 +1,56 @@ +From aef4f87b6653518d5f507ee4883c8f166b6f5de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 21:12:53 +0530 +Subject: RISC-V: Don't fail in riscv_of_parent_hartid() for disabled HARTs + +From: Anup Patel + +[ Upstream commit c4676f8dc1e12e68d6511f9ed89707fdad4c962c ] + +The riscv_of_processor_hartid() used by riscv_of_parent_hartid() fails +for HARTs disabled in the DT. This results in the following warning +thrown by the RISC-V INTC driver for the E-core on SiFive boards: + +[ 0.000000] riscv-intc: unable to find hart id for /cpus/cpu@0/interrupt-controller + +The riscv_of_parent_hartid() is only expected to read the hartid +from the DT so we directly call of_get_cpu_hwid() instead of calling +riscv_of_processor_hartid(). + +Fixes: ad635e723e17 ("riscv: cpu: Add 64bit hartid support on RV64") +Signed-off-by: Anup Patel +Reviewed-by: Atish Patra +Link: https://lore.kernel.org/r/20231027154254.355853-2-apatel@ventanamicro.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cpu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/riscv/kernel/cpu.c b/arch/riscv/kernel/cpu.c +index c17dacb1141cb..157ace8b262c2 100644 +--- a/arch/riscv/kernel/cpu.c ++++ b/arch/riscv/kernel/cpu.c +@@ -125,13 +125,14 @@ int __init riscv_early_of_processor_hartid(struct device_node *node, unsigned lo + */ + int riscv_of_parent_hartid(struct device_node *node, unsigned long *hartid) + { +- int rc; +- + for (; node; node = node->parent) { + if (of_device_is_compatible(node, "riscv")) { +- rc = riscv_of_processor_hartid(node, hartid); +- if (!rc) +- return 0; ++ *hartid = (unsigned long)of_get_cpu_hwid(node, 0); ++ if (*hartid == ~0UL) { ++ pr_warn("Found CPU without hart ID\n"); ++ return -ENODEV; ++ } ++ return 0; + } + } + +-- +2.42.0 + diff --git a/queue-6.6/riscv-boot-fix-creation-of-loader.bin.patch b/queue-6.6/riscv-boot-fix-creation-of-loader.bin.patch new file mode 100644 index 00000000000..6b869131947 --- /dev/null +++ b/queue-6.6/riscv-boot-fix-creation-of-loader.bin.patch @@ -0,0 +1,47 @@ +From 79affb7dc42d7e442427f69f35b8846fc44f43ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 16:53:18 +0200 +Subject: riscv: boot: Fix creation of loader.bin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 57a4542cb7c9baa1509c3366b57a08d75b212ead ] + +When flashing loader.bin for K210 using kflash: + +    [ERROR] This is an ELF file and cannot be programmed to flash directly: arch/riscv/boot/loader.bin + +Before, loader.bin relied on "OBJCOPYFLAGS := -O binary" in the main +RISC-V Makefile to create a boot image with the right format. With this +removed, the image is now created in the wrong (ELF) format. + +Fix this by adding an explicit rule. + +Fixes: 505b02957e74f0c5 ("riscv: Remove duplicate objcopy flag") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/1086025809583809538dfecaa899892218f44e7e.1698159066.git.geert+renesas@glider.be +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/boot/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/boot/Makefile b/arch/riscv/boot/Makefile +index 22b13947bd131..8e7fc0edf21d3 100644 +--- a/arch/riscv/boot/Makefile ++++ b/arch/riscv/boot/Makefile +@@ -17,6 +17,7 @@ + KCOV_INSTRUMENT := n + + OBJCOPYFLAGS_Image :=-O binary -R .note -R .note.gnu.build-id -R .comment -S ++OBJCOPYFLAGS_loader.bin :=-O binary + OBJCOPYFLAGS_xipImage :=-O binary -R .note -R .note.gnu.build-id -R .comment -S + + targets := Image Image.* loader loader.o loader.lds loader.bin +-- +2.42.0 + diff --git a/queue-6.6/rxrpc-fix-two-connection-reaping-bugs.patch b/queue-6.6/rxrpc-fix-two-connection-reaping-bugs.patch new file mode 100644 index 00000000000..209c1de4a90 --- /dev/null +++ b/queue-6.6/rxrpc-fix-two-connection-reaping-bugs.patch @@ -0,0 +1,62 @@ +From 1d833101964178f6702371e02c2a54d523e1bd5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 00:49:34 +0100 +Subject: rxrpc: Fix two connection reaping bugs + +From: David Howells + +[ Upstream commit 61e4a86600029e6e8d468d1fad6b6c749bebed19 ] + +Fix two connection reaping bugs: + + (1) rxrpc_connection_expiry is in units of seconds, so + rxrpc_disconnect_call() needs to multiply it by HZ when adding it to + jiffies. + + (2) rxrpc_client_conn_reap_timeout() should set RXRPC_CLIENT_REAP_TIMER if + local->kill_all_client_conns is clear, not if it is set (in which case + we don't need the timer). Without this, old client connections don't + get cleaned up until the local endpoint is cleaned up. + +Fixes: 5040011d073d ("rxrpc: Make the local endpoint hold a ref on a connected call") +Fixes: 0d6bf319bc5a ("rxrpc: Move the client conn cache management to the I/O thread") +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/783911.1698364174@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_object.c | 2 +- + net/rxrpc/local_object.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c +index ac85d4644a3c3..df8a271948a1c 100644 +--- a/net/rxrpc/conn_object.c ++++ b/net/rxrpc/conn_object.c +@@ -212,7 +212,7 @@ void rxrpc_disconnect_call(struct rxrpc_call *call) + conn->idle_timestamp = jiffies; + if (atomic_dec_and_test(&conn->active)) + rxrpc_set_service_reap_timer(conn->rxnet, +- jiffies + rxrpc_connection_expiry); ++ jiffies + rxrpc_connection_expiry * HZ); + } + + rxrpc_put_call(call, rxrpc_call_put_io_thread); +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 7d910aee4f8cb..c553a30e9c838 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -87,7 +87,7 @@ static void rxrpc_client_conn_reap_timeout(struct timer_list *timer) + struct rxrpc_local *local = + container_of(timer, struct rxrpc_local, client_conn_reap_timer); + +- if (local->kill_all_client_conns && ++ if (!local->kill_all_client_conns && + test_and_set_bit(RXRPC_CLIENT_CONN_REAP_TIMER, &local->client_conn_flags)) + rxrpc_wake_up_io_thread(local); + } +-- +2.42.0 + diff --git a/queue-6.6/selftests-pmtu.sh-fix-result-checking.patch b/queue-6.6/selftests-pmtu.sh-fix-result-checking.patch new file mode 100644 index 00000000000..7cc5afb9ed8 --- /dev/null +++ b/queue-6.6/selftests-pmtu.sh-fix-result-checking.patch @@ -0,0 +1,41 @@ +From e79ed592b3dd92a8e85b2feecb25939ae018a0a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 11:47:32 +0800 +Subject: selftests: pmtu.sh: fix result checking + +From: Hangbin Liu + +[ Upstream commit 63e201916b27260218e528a2f8758be47f99bbf4 ] + +In the PMTU test, when all previous tests are skipped and the new test +passes, the exit code is set to 0. However, the current check mistakenly +treats this as an assignment, causing the check to pass every time. + +Consequently, regardless of how many tests have failed, if the latest test +passes, the PMTU test will report a pass. + +Fixes: 2a9d3716b810 ("selftests: pmtu.sh: improve the test result processing") +Signed-off-by: Hangbin Liu +Acked-by: Po-Hsu Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/pmtu.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh +index f838dd370f6af..b3b2dc5a630cf 100755 +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -2048,7 +2048,7 @@ run_test() { + case $ret in + 0) + all_skipped=false +- [ $exitcode=$ksft_skip ] && exitcode=0 ++ [ $exitcode -eq $ksft_skip ] && exitcode=0 + ;; + $ksft_skip) + [ $all_skipped = true ] && exitcode=$ksft_skip +-- +2.42.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 0110fcc42c1..07867e0e398 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -533,3 +533,47 @@ cpupower-fix-reference-to-nonexistent-document.patch regmap-prevent-noinc-writes-from-clobbering-cache.patch drm-amdgpu-gfx10-11-use-memcpy_to-fromio-for-mqds.patch drm-amdgpu-don-t-put-mqds-in-vram-on-arm-arm64.patch +pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch +pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch +input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch +watchdog-marvell_gti_wdt-fix-error-code-in-probe.patch +watchdog-ixp4xx-make-sure-restart-always-works.patch +llc-verify-mac-len-before-reading-mac-header.patch +hsr-prevent-use-after-free-in-prp_create_tagged_fram.patch +tipc-change-nla_policy-for-bearer-related-names-to-n.patch +rxrpc-fix-two-connection-reaping-bugs.patch +bpf-check-map-usercnt-after-timer-timer-is-assigned.patch +inet-shrink-struct-flowi_common.patch +octeontx2-pf-fix-error-codes.patch +octeontx2-pf-fix-holes-in-error-code.patch +net-page_pool-add-missing-free_percpu-when-page_pool.patch +dccp-call-security_inet_conn_request-after-setting-i.patch +dccp-tcp-call-security_inet_conn_request-after-setti.patch +net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch +fix-termination-state-for-idr_for_each_entry_ul.patch +net-stmmac-xgmac-enable-support-for-multiple-flexibl.patch +selftests-pmtu.sh-fix-result-checking.patch +octeontx2-pf-free-pending-and-dropped-sqes.patch +net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch +net-smc-allow-cdc-msg-send-rather-than-drop-it-with-.patch +net-smc-put-sk-reference-if-close-work-was-canceled.patch +nvme-fix-error-handling-for-io_uring-nvme-passthroug.patch +riscv-boot-fix-creation-of-loader.bin.patch +ice-fix-sriov-lag-disable-on-non-compliant-aggregate.patch +ice-lag-in-rcu-use-atomic-allocation.patch +ice-fix-vf-vf-filter-rules-in-switchdev-mode.patch +ice-fix-vf-vf-direction-matching-in-drop-rule-in-swi.patch +tg3-power-down-device-only-on-system_power_off.patch +nbd-fix-uaf-in-nbd_open.patch +blk-core-use-pr_warn_ratelimited-in-bio_check_ro.patch +vsock-virtio-remove-socket-from-connected-bound-list.patch +r8169-respect-userspace-disabling-iff_multicast.patch +virtio-vsock-fix-uninit-value-in-virtio_transport_re.patch +net-enetc-shorten-enetc_setup_xdp_prog-error-message.patch +i2c-iproc-handle-invalid-slave-state.patch +netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch +netfilter-nat-fix-ipv6-nat-redirect-with-mapped-and-.patch +net-sched-act_ct-always-fill-offloading-tuple-iifidx.patch +risc-v-don-t-fail-in-riscv_of_parent_hartid-for-disa.patch +net-ti-icss-iep-fix-setting-counter-value.patch +drivers-perf-do-not-broadcast-to-other-cpus-when-sta.patch diff --git a/queue-6.6/tg3-power-down-device-only-on-system_power_off.patch b/queue-6.6/tg3-power-down-device-only-on-system_power_off.patch new file mode 100644 index 00000000000..3b01ec39b82 --- /dev/null +++ b/queue-6.6/tg3-power-down-device-only-on-system_power_off.patch @@ -0,0 +1,46 @@ +From 1033233c609bc1d9de47a1459f554694a56fca2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 13:50:29 +0200 +Subject: tg3: power down device only on SYSTEM_POWER_OFF + +From: George Shuklin + +[ Upstream commit 9fc3bc7643341dc5be7d269f3d3dbe441d8d7ac3 ] + +Dell R650xs servers hangs on reboot if tg3 driver calls +tg3_power_down. + +This happens only if network adapters (BCM5720 for R650xs) were +initialized using SNP (e.g. by booting ipxe.efi). + +The actual problem is on Dell side, but this fix allows servers +to come back alive after reboot. + +Signed-off-by: George Shuklin +Fixes: 2ca1c94ce0b6 ("tg3: Disable tg3 device on system reboot to avoid triggering AER") +Reviewed-by: Pavan Chebbi +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20231103115029.83273-1-george.shuklin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 14b311196b8f8..22b00912f7ac8 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -18078,7 +18078,8 @@ static void tg3_shutdown(struct pci_dev *pdev) + if (netif_running(dev)) + dev_close(dev); + +- tg3_power_down(tp); ++ if (system_state == SYSTEM_POWER_OFF) ++ tg3_power_down(tp); + + rtnl_unlock(); + +-- +2.42.0 + diff --git a/queue-6.6/tipc-change-nla_policy-for-bearer-related-names-to-n.patch b/queue-6.6/tipc-change-nla_policy-for-bearer-related-names-to-n.patch new file mode 100644 index 00000000000..a396b799053 --- /dev/null +++ b/queue-6.6/tipc-change-nla_policy-for-bearer-related-names-to-n.patch @@ -0,0 +1,111 @@ +From 5ec281b57cc8f3e7f865f30fe9454b5b496014b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 16:55:40 +0900 +Subject: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING + +From: Shigeru Yoshida + +[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ] + +syzbot reported the following uninit-value access issue [1]: + +===================================================== +BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] +BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 + strlen lib/string.c:418 [inline] + strstr+0xb8/0x2f0 lib/string.c:756 + tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 + genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] + genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 + netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 + __alloc_skb+0x318/0x740 net/core/skbuff.c:650 + alloc_skb include/linux/skbuff.h:1286 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] + netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +TIPC bearer-related names including link names must be null-terminated +strings. If a link name which is not null-terminated is passed through +netlink, strstr() and similar functions can cause buffer overrun. This +causes the above issue. + +This patch changes the nla_policy for bearer-related names from NLA_STRING +to NLA_NUL_STRING. This resolves the issue by ensuring that only +null-terminated strings are accepted as bearer-related names. + +syzbot reported similar uninit-value issue related to bearer names [2]. The +root cause of this issue is that a non-null-terminated bearer name was +passed. This patch also resolved this issue. + +Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api") +Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") +Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1] +Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2] +Signed-off-by: Shigeru Yoshida +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c +index e8fd257c0e688..1a9a5bdaccf4f 100644 +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -88,7 +88,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + + const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = { + [TIPC_NLA_LINK_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_LINK_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_LINK_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_LINK_NAME }, + [TIPC_NLA_LINK_MTU] = { .type = NLA_U32 }, + [TIPC_NLA_LINK_BROADCAST] = { .type = NLA_FLAG }, +@@ -125,7 +125,7 @@ const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { + + const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = { + [TIPC_NLA_BEARER_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_BEARER_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_BEARER_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_BEARER_NAME }, + [TIPC_NLA_BEARER_PROP] = { .type = NLA_NESTED }, + [TIPC_NLA_BEARER_DOMAIN] = { .type = NLA_U32 } +-- +2.42.0 + diff --git a/queue-6.6/virtio-vsock-fix-uninit-value-in-virtio_transport_re.patch b/queue-6.6/virtio-vsock-fix-uninit-value-in-virtio_transport_re.patch new file mode 100644 index 00000000000..49814636645 --- /dev/null +++ b/queue-6.6/virtio-vsock-fix-uninit-value-in-virtio_transport_re.patch @@ -0,0 +1,106 @@ +From 8b0003ac17c2aa4e046b5c89e3161c44ece6908b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 00:05:31 +0900 +Subject: virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt() + +From: Shigeru Yoshida + +[ Upstream commit 34c4effacfc329aeca5635a69fd9e0f6c90b4101 ] + +KMSAN reported the following uninit-value access issue: + +===================================================== +BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 + virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 + vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 + worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 + kthread+0x3cc/0x520 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Uninit was stored to memory at: + virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline] + virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 + vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 + worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 + kthread+0x3cc/0x520 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Uninit was created at: + slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 + kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 + __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 + alloc_skb include/linux/skbuff.h:1286 [inline] + virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline] + virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 + virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline] + virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 + vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 + process_one_work kernel/workqueue.c:2630 [inline] + process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 + worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 + kthread+0x3cc/0x520 kernel/kthread.c:388 + ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 +Workqueue: vsock-loopback vsock_loopback_work +===================================================== + +The following simple reproducer can cause the issue described above: + +int main(void) +{ + int sock; + struct sockaddr_vm addr = { + .svm_family = AF_VSOCK, + .svm_cid = VMADDR_CID_ANY, + .svm_port = 1234, + }; + + sock = socket(AF_VSOCK, SOCK_STREAM, 0); + connect(sock, (struct sockaddr *)&addr, sizeof(addr)); + return 0; +} + +This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the +`struct virtio_vsock_hdr` are not initialized when a new skb is allocated +in `virtio_transport_init_hdr()`. This patch resolves the issue by +initializing these fields during allocation. + +Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") +Reported-and-tested-by: syzbot+0c8ce1da0ac31abbadcd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0c8ce1da0ac31abbadcd +Signed-off-by: Shigeru Yoshida +Reviewed-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20231104150531.257952-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index eb1465d506ef3..8bc272b6003bb 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -68,6 +68,8 @@ virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *info, + hdr->dst_port = cpu_to_le32(dst_port); + hdr->flags = cpu_to_le32(info->flags); + hdr->len = cpu_to_le32(len); ++ hdr->buf_alloc = cpu_to_le32(0); ++ hdr->fwd_cnt = cpu_to_le32(0); + + if (info->msg && len > 0) { + payload = skb_put(skb, len); +-- +2.42.0 + diff --git a/queue-6.6/vsock-virtio-remove-socket-from-connected-bound-list.patch b/queue-6.6/vsock-virtio-remove-socket-from-connected-bound-list.patch new file mode 100644 index 00000000000..9011e3fcb10 --- /dev/null +++ b/queue-6.6/vsock-virtio-remove-socket-from-connected-bound-list.patch @@ -0,0 +1,75 @@ +From ec4fd202dbdedf3a9fd04af0147d834cb089f11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 18:55:48 +0100 +Subject: vsock/virtio: remove socket from connected/bound list on shutdown + +From: Filippo Storniolo + +[ Upstream commit 3a5cc90a4d1756072619fe511d07621bdef7f120 ] + +If the same remote peer, using the same port, tries to connect +to a server on a listening port more than once, the server will +reject the connection, causing a "connection reset by peer" +error on the remote peer. This is due to the presence of a +dangling socket from a previous connection in both the connected +and bound socket lists. +The inconsistency of the above lists only occurs when the remote +peer disconnects and the server remains active. + +This bug does not occur when the server socket is closed: +virtio_transport_release() will eventually schedule a call to +virtio_transport_do_close() and the latter will remove the socket +from the bound and connected socket lists and clear the sk_buff. + +However, virtio_transport_do_close() will only perform the above +actions if it has been scheduled, and this will not happen +if the server is processing the shutdown message from a remote peer. + +To fix this, introduce a call to vsock_remove_sock() +when the server is handling a client disconnect. +This is to remove the socket from the bound and connected socket +lists without clearing the sk_buff. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Reported-by: Daan De Meyer +Tested-by: Daan De Meyer +Co-developed-by: Luigi Leonardi +Signed-off-by: Luigi Leonardi +Signed-off-by: Filippo Storniolo +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 352d042b130b5..eb1465d506ef3 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1204,11 +1204,17 @@ virtio_transport_recv_connected(struct sock *sk, + vsk->peer_shutdown |= RCV_SHUTDOWN; + if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SHUTDOWN_SEND) + vsk->peer_shutdown |= SEND_SHUTDOWN; +- if (vsk->peer_shutdown == SHUTDOWN_MASK && +- vsock_stream_has_data(vsk) <= 0 && +- !sock_flag(sk, SOCK_DONE)) { +- (void)virtio_transport_reset(vsk, NULL); +- virtio_transport_do_close(vsk, true); ++ if (vsk->peer_shutdown == SHUTDOWN_MASK) { ++ if (vsock_stream_has_data(vsk) <= 0 && !sock_flag(sk, SOCK_DONE)) { ++ (void)virtio_transport_reset(vsk, NULL); ++ virtio_transport_do_close(vsk, true); ++ } ++ /* Remove this socket anyway because the remote peer sent ++ * the shutdown. This way a new connection will succeed ++ * if the remote peer uses the same source port, ++ * even if the old socket is still unreleased, but now disconnected. ++ */ ++ vsock_remove_sock(vsk); + } + if (le32_to_cpu(virtio_vsock_hdr(skb)->flags)) + sk->sk_state_change(sk); +-- +2.42.0 + diff --git a/queue-6.6/watchdog-ixp4xx-make-sure-restart-always-works.patch b/queue-6.6/watchdog-ixp4xx-make-sure-restart-always-works.patch new file mode 100644 index 00000000000..4175826080e --- /dev/null +++ b/queue-6.6/watchdog-ixp4xx-make-sure-restart-always-works.patch @@ -0,0 +1,88 @@ +From 730fd45446a870f3d4fa1d4a7fc94446439804e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 11:13:44 +0200 +Subject: watchdog: ixp4xx: Make sure restart always works + +From: Linus Walleij + +[ Upstream commit b4075ecfe348a44209534c75ad72392c63a489a6 ] + +The IXP4xx watchdog in early "A0" silicon is unreliable and +cannot be registered, however for some systems such as the +USRobotics USR8200 the watchdog is the only restart option, +so implement a "dummy" watchdog that can only support restart +in this case. + +Fixes: 1aea522809e6 ("watchdog: ixp4xx: Implement restart") +Signed-off-by: Linus Walleij +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230926-ixp4xx-wdt-restart-v2-1-15cf4639b423@linaro.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/ixp4xx_wdt.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/ixp4xx_wdt.c b/drivers/watchdog/ixp4xx_wdt.c +index 607ce4b8df574..ec0c08652ec2f 100644 +--- a/drivers/watchdog/ixp4xx_wdt.c ++++ b/drivers/watchdog/ixp4xx_wdt.c +@@ -105,6 +105,25 @@ static const struct watchdog_ops ixp4xx_wdt_ops = { + .owner = THIS_MODULE, + }; + ++/* ++ * The A0 version of the IXP422 had a bug in the watchdog making ++ * is useless, but we still need to use it to restart the system ++ * as it is the only way, so in this special case we register a ++ * "dummy" watchdog that doesn't really work, but will support ++ * the restart operation. ++ */ ++static int ixp4xx_wdt_dummy(struct watchdog_device *wdd) ++{ ++ return 0; ++} ++ ++static const struct watchdog_ops ixp4xx_wdt_restart_only_ops = { ++ .start = ixp4xx_wdt_dummy, ++ .stop = ixp4xx_wdt_dummy, ++ .restart = ixp4xx_wdt_restart, ++ .owner = THIS_MODULE, ++}; ++ + static const struct watchdog_info ixp4xx_wdt_info = { + .options = WDIOF_KEEPALIVEPING + | WDIOF_MAGICCLOSE +@@ -114,14 +133,17 @@ static const struct watchdog_info ixp4xx_wdt_info = { + + static int ixp4xx_wdt_probe(struct platform_device *pdev) + { ++ static const struct watchdog_ops *iwdt_ops; + struct device *dev = &pdev->dev; + struct ixp4xx_wdt *iwdt; + struct clk *clk; + int ret; + + if (!(read_cpuid_id() & 0xf) && !cpu_is_ixp46x()) { +- dev_err(dev, "Rev. A0 IXP42x CPU detected - watchdog disabled\n"); +- return -ENODEV; ++ dev_info(dev, "Rev. A0 IXP42x CPU detected - only restart supported\n"); ++ iwdt_ops = &ixp4xx_wdt_restart_only_ops; ++ } else { ++ iwdt_ops = &ixp4xx_wdt_ops; + } + + iwdt = devm_kzalloc(dev, sizeof(*iwdt), GFP_KERNEL); +@@ -141,7 +163,7 @@ static int ixp4xx_wdt_probe(struct platform_device *pdev) + iwdt->rate = IXP4XX_TIMER_FREQ; + + iwdt->wdd.info = &ixp4xx_wdt_info; +- iwdt->wdd.ops = &ixp4xx_wdt_ops; ++ iwdt->wdd.ops = iwdt_ops; + iwdt->wdd.min_timeout = 1; + iwdt->wdd.max_timeout = U32_MAX / iwdt->rate; + iwdt->wdd.parent = dev; +-- +2.42.0 + diff --git a/queue-6.6/watchdog-marvell_gti_wdt-fix-error-code-in-probe.patch b/queue-6.6/watchdog-marvell_gti_wdt-fix-error-code-in-probe.patch new file mode 100644 index 00000000000..9e3431176c8 --- /dev/null +++ b/queue-6.6/watchdog-marvell_gti_wdt-fix-error-code-in-probe.patch @@ -0,0 +1,39 @@ +From 7bff56d9495e6e03caa67068aa2435443cf6136c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Sep 2023 12:53:15 +0300 +Subject: watchdog: marvell_gti_wdt: Fix error code in probe() + +From: Dan Carpenter + +[ Upstream commit 4b2b39f9395bc66c616d8d5a83642950fc3719b1 ] + +This error path accidentally returns success. Return -EINVAL instead. + +Fixes: ef9e7fe2c890 ("Watchdog: Add marvell GTI watchdog driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Bharat Bhushan +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/af326fd7-ac71-43a1-b7de-81779b61d242@moroto.mountain +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/marvell_gti_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/marvell_gti_wdt.c b/drivers/watchdog/marvell_gti_wdt.c +index d7eb8286e11ec..1ec1e014ba831 100644 +--- a/drivers/watchdog/marvell_gti_wdt.c ++++ b/drivers/watchdog/marvell_gti_wdt.c +@@ -271,7 +271,7 @@ static int gti_wdt_probe(struct platform_device *pdev) + &wdt_idx); + if (!err) { + if (wdt_idx >= priv->data->gti_num_timers) +- return dev_err_probe(&pdev->dev, err, ++ return dev_err_probe(&pdev->dev, -EINVAL, + "GTI wdog timer index not valid"); + + priv->wdt_timer_idx = wdt_idx; +-- +2.42.0 + -- 2.47.3