From e63b3e2066046c05a22d390acad3771ee241ccee Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 5 Aug 2024 08:18:07 -0400
Subject: [PATCH] Fixes for 6.1
Signed-off-by: Sasha Levin
---
...ditionally-use-snooping-for-amd-hdmi.patch | 82 +++++++++++
...t-fix-headset-auto-detect-fail-in-th.patch | 127 +++++++++++++++++
...nexant-reduce-config_pm-dependencies.patch | 54 +++++++
...-ensure-patched-jump_labels-are-visi.patch | 108 ++++++++++++++
...nc-fix-suspending-with-wrong-filter-.patch | 59 ++++++++
...5-hdcp-fix-hdcp2_stream_status-macro.patch | 42 ++++++
...nouveau-prime-fix-refcount-underflow.patch | 47 +++++++
...ix-overlay-when-using-screen-targets.patch | 41 ++++++
...gger-a-modeset-when-the-screen-moves.patch | 76 ++++++++++
...-sensor-discovery-before-hid-device-.patch | 68 +++++++++
...hid-amd_sfh-remove-duplicate-cleanup.patch | 76 ++++++++++
...-split-sensor-and-hid-initialization.patch | 67 +++++++++
...write_once-when-clearing-ice_rx_ring.patch | 38 +++++
...ait-for-rx-queue-disable-in-ice_qp_d.patch | 48 +++++++
...synchronize_rcu-with-synchronize_net.patch | 60 ++++++++
...f-readiness-in-af_xdp-zc-related-ndo.patch | 67 +++++++++
...ix-ndisc_is_useropt-handling-for-pio.patch | 92 ++++++++++++
...net-start-napi-before-enabling-rx-tx.patch | 41 ++++++
...ix-use-after-free-in-iucv_sock_close.patch | 75 ++++++++++
...ix-missing-lock-on-sync-reset-reload.patch | 80 +++++++++++
...-t-use-the-hardcoded-value-of-the-fi.patch | 39 +++++
...check-for-the-return-value-from-mlx5.patch | 48 +++++++
...net-mvpp2-don-t-re-use-loop-iterator.patch | 48 +++++++
...es-fix-null-ptr-deref-in-iptable_nat.patch | 133 ++++++++++++++++++
...es-fix-potential-null-ptr-deref-in-i.patch | 65 +++++++++
...dling-for-vm_fault_sigsegv-in-mm_fau.patch | 65 +++++++++
...ignore-ifla_target_netnsid-when-ifna.patch | 42 ++++++
...e-care-of-padding-in-struct-zones_ht.patch | 90 ++++++++++++
queue-6.1/series | 28 ++++
29 files changed, 1906 insertions(+)
create mode 100644 queue-6.1/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch
create mode 100644 queue-6.1/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
create mode 100644 queue-6.1/alsa-hda-conexant-reduce-config_pm-dependencies.patch
create mode 100644 queue-6.1/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch
create mode 100644 queue-6.1/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch
create mode 100644 queue-6.1/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch
create mode 100644 queue-6.1/drm-nouveau-prime-fix-refcount-underflow.patch
create mode 100644 queue-6.1/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
create mode 100644 queue-6.1/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch
create mode 100644 queue-6.1/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch
create mode 100644 queue-6.1/hid-amd_sfh-remove-duplicate-cleanup.patch
create mode 100644 queue-6.1/hid-amd_sfh-split-sensor-and-hid-initialization.patch
create mode 100644 queue-6.1/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch
create mode 100644 queue-6.1/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch
create mode 100644 queue-6.1/ice-replace-synchronize_rcu-with-synchronize_net.patch
create mode 100644 queue-6.1/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch
create mode 100644 queue-6.1/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
create mode 100644 queue-6.1/net-axienet-start-napi-before-enabling-rx-tx.patch
create mode 100644 queue-6.1/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
create mode 100644 queue-6.1/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch
create mode 100644 queue-6.1/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch
create mode 100644 queue-6.1/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
create mode 100644 queue-6.1/net-mvpp2-don-t-re-use-loop-iterator.patch
create mode 100644 queue-6.1/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
create mode 100644 queue-6.1/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch
create mode 100644 queue-6.1/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
create mode 100644 queue-6.1/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
create mode 100644 queue-6.1/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
diff --git a/queue-6.1/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch b/queue-6.1/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch
new file mode 100644
index 00000000000..0342ed6b7f6
--- /dev/null
+++ b/queue-6.1/alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch
@@ -0,0 +1,82 @@
+From 1c979a66e3967a5ab0e7c5181b74700aa2a56bd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Jul 2024 19:05:15 +0200
+Subject: ALSA: hda: Conditionally use snooping for AMD HDMI
+
+From: Takashi Iwai
+
+[ Upstream commit 478689b5990deb626a0b3f1ebf165979914d6be4 ]
+
+The recent regression report revealed that the use of WC pages for AMD
+HDMI device together with AMD IOMMU leads to unexpected truncation or
+noises. The issue seems triggered by the change in the kernel core
+memory allocation that enables IOMMU driver to use always S/G
+buffers. Meanwhile, the use of WC pages has been a workaround for the
+similar issue with standard pages in the past. So, now we need to
+apply the workaround conditionally, namely, only when IOMMU isn't in
+place.
+
+This patch modifies the workaround code to check the DMA ops at first
+and apply the snoop-off only when needed.
+
+Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219087
+Link: https://patch.msgid.link/20240731170521.31714-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/hda_controller.h | 2 +-
+ sound/pci/hda/hda_intel.c | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h
+index 8556031bcd68e..f31cb31d46362 100644
+--- a/sound/pci/hda/hda_controller.h
++++ b/sound/pci/hda/hda_controller.h
+@@ -28,7 +28,7 @@
+ #else
+ #define AZX_DCAPS_I915_COMPONENT 0 /* NOP */
+ #endif
+-/* 14 unused */
++#define AZX_DCAPS_AMD_ALLOC_FIX (1 << 14) /* AMD allocation workaround */
+ #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
+ #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
+ #define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a26f2a2d44cf2..695026c647e1e 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -40,6 +40,7 @@
+
+ #ifdef CONFIG_X86
+ /* for snoop control */
++#include
+ #include
+ #include
+ #endif
+@@ -300,7 +301,7 @@ enum {
+
+ /* quirks for ATI HDMI with snoop off */
+ #define AZX_DCAPS_PRESET_ATI_HDMI_NS \
+- (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF)
++ (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_AMD_ALLOC_FIX)
+
+ /* quirks for AMD SB */
+ #define AZX_DCAPS_PRESET_AMD_SB \
+@@ -1718,6 +1719,13 @@ static void azx_check_snoop_available(struct azx *chip)
+ if (chip->driver_caps & AZX_DCAPS_SNOOP_OFF)
+ snoop = false;
+
++#ifdef CONFIG_X86
++ /* check the presence of DMA ops (i.e. IOMMU), disable snoop conditionally */
++ if ((chip->driver_caps & AZX_DCAPS_AMD_ALLOC_FIX) &&
++ !get_dma_ops(chip->card->dev))
++ snoop = false;
++#endif
++
+ chip->snoop = snoop;
+ if (!snoop) {
+ dev_info(chip->card->dev, "Force to non-snoop mode\n");
+--
+2.43.0
+
diff --git a/queue-6.1/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch b/queue-6.1/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
new file mode 100644
index 00000000000..616b53379d6
--- /dev/null
+++ b/queue-6.1/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
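Review bot: In sound/pci/hda/hda_intel.c the context comment `/* quirks for ATI HDMI with snoop off */` above AZX_DCAPS_PRESET_ATI_HDMI_NS is now stale, because the preset no longer sets AZX_DCAPS_SNOOP_OFF and snooping is only turned off in azx_check_snoop_available() when get_dma_ops() returns NULL. I would reword it to `/* quirks for ATI HDMI: snoop off unless DMA ops (IOMMU) are in use */`. The new in-function comment could also say outright that a NULL result from get_dma_ops() is taken to mean no IOMMU is in place, since the whole workaround hinges on that test. azx_check_snoop_available() starts and ends outside the hunk.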
@@ -0,0 +1,127 @@
+From 5e8a86ba045c4307d6bd04252e67e63eb9b2154a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 18:07:26 +0800
+Subject: ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
+
+From: songxiebing
+
+[ Upstream commit e60dc98122110594d0290845160f12916192fc6d ]
+
+The previous fix (7aeb25908648) only handles the unsol_event reporting
+during interrupts and does not include the polling mode used to set
+jackroll_ms, so now we are replacing it with
+snd_hda_jack_detect_enable_callback.
+
+Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
+Co-developed-by: bo liu
+Signed-off-by: bo liu
+Signed-off-by: songxiebing
+Link: https://patch.msgid.link/20240726100726.50824-1-soxiebing@163.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/patch_conexant.c | 54 ++++++----------------------------
+ 1 file changed, 9 insertions(+), 45 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 17389a3801bd1..4472923ba694b 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -21,12 +21,6 @@
+ #include "hda_jack.h"
+ #include "hda_generic.h"
+
+-enum {
+- CX_HEADSET_NOPRESENT = 0,
+- CX_HEADSET_PARTPRESENT,
+- CX_HEADSET_ALLPRESENT,
+-};
+-
+ struct conexant_spec {
+ struct hda_gen_spec gen;
+
+@@ -48,7 +42,6 @@ struct conexant_spec {
+ unsigned int gpio_led;
+ unsigned int gpio_mute_led_mask;
+ unsigned int gpio_mic_led_mask;
+- unsigned int headset_present_flag;
+ bool is_cx8070_sn6140;
+ };
+
+@@ -250,48 +243,19 @@ static void cx_process_headset_plugin(struct hda_codec *codec)
+ }
+ }
+
+-static void cx_update_headset_mic_vref(struct hda_codec *codec, unsigned int res)
++static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_callback *event)
+ {
+- unsigned int phone_present, mic_persent, phone_tag, mic_tag;
+- struct conexant_spec *spec = codec->spec;
++ unsigned int mic_present;
+
+ /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled,
+ * the node 19 can only be config to microphone or disabled.
+ * Check hp&mic tag to process headset pulgin&plugout.
+ */
+- phone_tag = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+- mic_tag = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+- if ((phone_tag & (res >> AC_UNSOL_RES_TAG_SHIFT)) ||
+- (mic_tag & (res >> AC_UNSOL_RES_TAG_SHIFT))) {
+- phone_present = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+- if (!(phone_present & AC_PINSENSE_PRESENCE)) {/* headphone plugout */
+- spec->headset_present_flag = CX_HEADSET_NOPRESENT;
+- snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
+- return;
+- }
+- if (spec->headset_present_flag == CX_HEADSET_NOPRESENT) {
+- spec->headset_present_flag = CX_HEADSET_PARTPRESENT;
+- } else if (spec->headset_present_flag == CX_HEADSET_PARTPRESENT) {
+- mic_persent = snd_hda_codec_read(codec, 0x19, 0,
+- AC_VERB_GET_PIN_SENSE, 0x0);
+- /* headset is present */
+- if ((phone_present & AC_PINSENSE_PRESENCE) &&
+- (mic_persent & AC_PINSENSE_PRESENCE)) {
+- cx_process_headset_plugin(codec);
+- spec->headset_present_flag = CX_HEADSET_ALLPRESENT;
+- }
+- }
+- }
+-}
+-
+-static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res)
+-{
+- struct conexant_spec *spec = codec->spec;
+-
+- if (spec->is_cx8070_sn6140)
+- cx_update_headset_mic_vref(codec, res);
+-
+- snd_hda_jack_unsol_event(codec, res);
++ mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
++ if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */
++ snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
++ else
++ cx_process_headset_plugin(codec);
+ }
+
+ static int cx_auto_suspend(struct hda_codec *codec)
+@@ -305,7 +269,7 @@ static const struct hda_codec_ops cx_auto_patch_ops = {
+ .build_pcms = snd_hda_gen_build_pcms,
+ .init = cx_auto_init,
+ .free = cx_auto_free,
+- .unsol_event = cx_jack_unsol_event,
++ .unsol_event = snd_hda_jack_unsol_event,
+ .suspend = cx_auto_suspend,
+ .check_power_status = snd_hda_gen_check_power_status,
+ };
+@@ -1163,7 +1127,7 @@ static int patch_conexant_auto(struct hda_codec *codec)
+ case 0x14f11f86:
+ case 0x14f11f87:
+ spec->is_cx8070_sn6140 = true;
+- spec->headset_present_flag = CX_HEADSET_NOPRESENT;
++ snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
+ break;
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.1/alsa-hda-conexant-reduce-config_pm-dependencies.patch b/queue-6.1/alsa-hda-conexant-reduce-config_pm-dependencies.patch
new file mode 100644
index 00000000000..670f558957b
--- /dev/null
+++ b/queue-6.1/alsa-hda-conexant-reduce-config_pm-dependencies.patch
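Review bot: In patch_conexant_auto() the result of `snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref)` is discarded, so if registering the callback fails the codec is still marked is_cx8070_sn6140 while the mic handling on node 0x19 never runs, and nothing is logged. Assuming the helper reports failure through its return value (its declaration is outside this diff), the call should check it and at least warn. Separately, the comment kept in cx_update_headset_mic_vref() still says `Check hp&mic tag to process headset pulgin&plugout`, but the new body only reads pin sense on node 0x19; it should be updated to something like `/* Node 0x19 pin sense decides: mic absent -> write 0x20 to its pin control, mic present -> run the headset plug-in handling */`. The `event` parameter is unused in the new body.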
@@ -0,0 +1,54 @@
+From b3ad12d5742bba25b7d3c883ce724278d0ce2f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 May 2024 18:13:50 +0200
+Subject: ALSA: hda: conexant: Reduce CONFIG_PM dependencies
+
+From: Takashi Iwai
+
+[ Upstream commit 29d57f6dc62485ee0752767debdfa2783d162beb ]
+
+CONFIG_PM dependencies got reduced in HD-audio codec core driver, and
+now it's time to reduce in HD-audio conexant codec driver, too.
+
+Simply drop CONFIG_PM ifdefs.
+
+Signed-off-by: Takashi Iwai
+Link: https://lore.kernel.org/r/20240506161359.6960-8-tiwai@suse.de
+Stable-dep-of: e60dc9812211 ("ALSA: hda: conexant: Fix headset auto detect fail in the polling mode")
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/patch_conexant.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index e8209178d87bb..17389a3801bd1 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -294,13 +294,11 @@ static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res)
+ snd_hda_jack_unsol_event(codec, res);
+ }
+
+-#ifdef CONFIG_PM
+ static int cx_auto_suspend(struct hda_codec *codec)
+ {
+ cx_auto_shutdown(codec);
+ return 0;
+ }
+-#endif
+
+ static const struct hda_codec_ops cx_auto_patch_ops = {
+ .build_controls = snd_hda_gen_build_controls,
+@@ -308,10 +306,8 @@ static const struct hda_codec_ops cx_auto_patch_ops = {
+ .init = cx_auto_init,
+ .free = cx_auto_free,
+ .unsol_event = cx_jack_unsol_event,
+-#ifdef CONFIG_PM
+ .suspend = cx_auto_suspend,
+ .check_power_status = snd_hda_gen_check_power_status,
+-#endif
+ };
+
+ /*
+--
+2.43.0
+
diff --git a/queue-6.1/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch b/queue-6.1/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch
new file mode 100644
index 00000000000..5f38e6952c0
--- /dev/null
+++ b/queue-6.1/arm64-jump_label-ensure-patched-jump_labels-are-visi.patch
@@ -0,0 +1,108 @@
+From c0d416ae17b398039d3f567d8cf2ce4c88ffc39f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Jul 2024 14:36:01 +0100
+Subject: arm64: jump_label: Ensure patched jump_labels are visible to all CPUs
+
+From: Will Deacon
+
+[ Upstream commit cfb00a35786414e7c0e6226b277d9f09657eae74 ]
+
+Although the Arm architecture permits concurrent modification and
+execution of NOP and branch instructions, it still requires some
+synchronisation to ensure that other CPUs consistently execute the newly
+written instruction:
+
+ > When the modified instructions are observable, each PE that is
+ > executing the modified instructions must execute an ISB or perform a
+ > context synchronizing event to ensure execution of the modified
+ > instructions
+
+Prior to commit f6cc0c501649 ("arm64: Avoid calling stop_machine() when
+patching jump labels"), the arm64 jump_label patching machinery
+performed synchronisation using stop_machine() after each modification,
+however this was problematic when flipping static keys from atomic
+contexts (namely, the arm_arch_timer CPU hotplug startup notifier) and
+so we switched to the _nosync() patching routines to avoid "scheduling
+while atomic" BUG()s during boot.
+
+In hindsight, the analysis of the issue in f6cc0c501649 isn't quite
+right: it cites the use of IPIs in the default patching routines as the
+cause of the lockup, whereas stop_machine() does not rely on IPIs and
+the I-cache invalidation is performed using __flush_icache_range(),
+which elides the call to kick_all_cpus_sync(). In fact, the blocking
+wait for other CPUs is what triggers the BUG() and the problem remains
+even after f6cc0c501649, for example because we could block on the
+jump_label_mutex. Eventually, the arm_arch_timer driver was fixed to
+avoid the static key entirely in commit a862fc2254bd
+("clocksource/arm_arch_timer: Remove use of workaround static key").
+
+This all leaves the jump_label patching code in a funny situation on
+arm64 as we do not synchronise with other CPUs to reduce the likelihood
+of a bug which no longer exists. Consequently, toggling a static key on
+one CPU cannot be assumed to take effect on other CPUs, leading to
+potential issues, for example with missing preempt notifiers.
+
+Rather than revert f6cc0c501649 and go back to stop_machine() for each
+patch site, implement arch_jump_label_transform_apply() and kick all
+the other CPUs with an IPI at the end of patching.
+
+Cc: Alexander Potapenko
+Cc: Mark Rutland
+Cc: Marc Zyngier
+Fixes: f6cc0c501649 ("arm64: Avoid calling stop_machine() when patching jump labels")
+Signed-off-by: Will Deacon
+Reviewed-by: Catalin Marinas
+Reviewed-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20240731133601.3073-1-will@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/jump_label.h | 1 +
+ arch/arm64/kernel/jump_label.c | 11 +++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/jump_label.h b/arch/arm64/include/asm/jump_label.h
+index b5bd3c38a01b2..e714d7770999e 100644
+--- a/arch/arm64/include/asm/jump_label.h
++++ b/arch/arm64/include/asm/jump_label.h
+@@ -13,6 +13,7 @@
+ #include
+ #include
+
++#define HAVE_JUMP_LABEL_BATCH
+ #define JUMP_LABEL_NOP_SIZE AARCH64_INSN_SIZE
+
+ static __always_inline bool arch_static_branch(struct static_key *key,
+diff --git a/arch/arm64/kernel/jump_label.c b/arch/arm64/kernel/jump_label.c
+index faf88ec9c48e8..f63ea915d6ad2 100644
+--- a/arch/arm64/kernel/jump_label.c
++++ b/arch/arm64/kernel/jump_label.c
+@@ -7,11 +7,12 @@
+ */
+ #include
+ #include
++#include
+ #include
+ #include
+
+-void arch_jump_label_transform(struct jump_entry *entry,
+- enum jump_label_type type)
++bool arch_jump_label_transform_queue(struct jump_entry *entry,
++ enum jump_label_type type)
+ {
+ void *addr = (void *)jump_entry_code(entry);
+ u32 insn;
+@@ -25,4 +26,10 @@ void arch_jump_label_transform(struct jump_entry *entry,
+ }
+
+ aarch64_insn_patch_text_nosync(addr, insn);
++ return true;
++}
++
++void arch_jump_label_transform_apply(void)
++{
++ kick_all_cpus_sync();
+ }
+--
+2.43.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch b/queue-6.1/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch
new file mode 100644
index 00000000000..114ed072ebb
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch
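Review bot: arch_jump_label_transform_apply() in arch/arm64/kernel/jump_label.c has no comment, although the whole fix rests on why `kick_all_cpus_sync()` is called there. I would add `/* _nosync patching leaves other CPUs unsynchronised; IPI them so each takes a context synchronization event before the new branch is relied on */` above the call. The commit message says the blocking wait for other CPUs is what triggered the original BUG() in atomic context, so the comment should also state that this function must not be reached from atomic context. Whether every static-key caller satisfies that is not visible from this hunk.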
@@ -0,0 +1,59 @@
+From e51eedb864f06b464f95d34beb7a3a2584dc43ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jul 2024 10:40:03 -0400
+Subject: Bluetooth: hci_sync: Fix suspending with wrong filter policy
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 96b82af36efaa1787946e021aa3dc5410c05beeb ]
+
+When suspending the scan filter policy cannot be 0x00 (no acceptlist)
+since that means the host has to process every advertisement report
+waking up the system, so this attempts to check if hdev is marked as
+suspended and if the resulting filter policy would be 0x00 (no
+acceptlist) then skip passive scanning if thre no devices in the
+acceptlist otherwise reset the filter policy to 0x01 so the acceptlist
+is used since the devices programmed there can still wakeup be system.
+
+Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 57302021b7ebb..320fc1e6dff2a 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2837,6 +2837,27 @@ static int hci_passive_scan_sync(struct hci_dev *hdev)
+ */
+ filter_policy = hci_update_accept_list_sync(hdev);
+
++ /* If suspended and filter_policy set to 0x00 (no acceptlist) then
++ * passive scanning cannot be started since that would require the host
++ * to be woken up to process the reports.
++ */
++ if (hdev->suspended && !filter_policy) {
++ /* Check if accept list is empty then there is no need to scan
++ * while suspended.
++ */
++ if (list_empty(&hdev->le_accept_list))
++ return 0;
++
++ /* If there are devices is the accept_list that means some
++ * devices could not be programmed which in non-suspended case
++ * means filter_policy needs to be set to 0x00 so the host needs
++ * to filter, but since this is treating suspended case we
++ * can ignore device needing host to filter to allow devices in
++ * the acceptlist to be able to wakeup the system.
++ */
++ filter_policy = 0x01;
++ }
++
+ /* When the controller is using random resolvable addresses and
+ * with that having LE privacy enabled, then controllers with
+ * Extended Scanner Filter Policies support can now enable support
+--
+2.43.0
+
diff --git a/queue-6.1/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch b/queue-6.1/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch
new file mode 100644
index 00000000000..de87d4b5e8f
--- /dev/null
+++ b/queue-6.1/drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch
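Review bot: The second comment in the block added to hci_passive_scan_sync() is hard to follow (`If there are devices is the accept_list that means some devices could not be programmed ...`), and it sits on the branch that deliberately overrides the policy returned by hci_update_accept_list_sync(). I would reword it to `/* Accept list is non-empty but some entries could not be programmed. Awake, the host would filter (0x00); while suspended, use the controller accept list (0x01) so the programmed devices can still wake the system. */`. It is worth stating in the same comment that, presumably, devices which could not be programmed will not wake the host in this state, since that is the trade-off being accepted. The function body continues outside the hunk.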
@@ -0,0 +1,42 @@
+From 7ae04db6c370c430c7a765612e57093b4d973212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jul 2024 09:25:05 +0530
+Subject: drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro
+
+From: Suraj Kandpal
+
+[ Upstream commit 555069117390a5d581863bc797fb546bb4417c31 ]
+
+Fix HDCP2_STREAM_STATUS macro, it called pipe instead of port never
+threw a compile error as no one used it.
+
+--v2
+-Add Fixes [Jani]
+
+Fixes: d631b984cc90 ("drm/i915/hdcp: Add HDCP 2.2 stream register")
+Signed-off-by: Suraj Kandpal
+Reviewed-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20240730035505.3759899-1-suraj.kandpal@intel.com
+(cherry picked from commit 73d7cd542bbd0a7c6881ea0df5255f190a1e7236)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/display/intel_hdcp_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_hdcp_regs.h b/drivers/gpu/drm/i915/display/intel_hdcp_regs.h
+index 2a3733e8966c1..2702cc8c88d8d 100644
+--- a/drivers/gpu/drm/i915/display/intel_hdcp_regs.h
++++ b/drivers/gpu/drm/i915/display/intel_hdcp_regs.h
+@@ -249,7 +249,7 @@
+ #define HDCP2_STREAM_STATUS(dev_priv, trans, port) \
+ (GRAPHICS_VER(dev_priv) >= 12 ? \
+ TRANS_HDCP2_STREAM_STATUS(trans) : \
+- PIPE_HDCP2_STREAM_STATUS(pipe))
++ PIPE_HDCP2_STREAM_STATUS(port))
+
+ #define _PORTA_HDCP2_AUTH_STREAM 0x66F00
+ #define _PORTB_HDCP2_AUTH_STREAM 0x66F04
+--
+2.43.0
+
diff --git a/queue-6.1/drm-nouveau-prime-fix-refcount-underflow.patch b/queue-6.1/drm-nouveau-prime-fix-refcount-underflow.patch
new file mode 100644
index 00000000000..b6b34247aef
--- /dev/null
+++ b/queue-6.1/drm-nouveau-prime-fix-refcount-underflow.patch
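Review bot: The corrected line in intel_hdcp_regs.h still calls a helper named `PIPE_HDCP2_STREAM_STATUS` with a `port` argument, while the neighbouring register defines visible in the hunk are port-indexed (`_PORTA_HDCP2_AUTH_STREAM`, `_PORTB_HDCP2_AUTH_STREAM`). The commit message says the macro has no users, so the preprocessor never expands it, and a wrong or missing helper name would go unnoticed exactly as the `pipe` typo did. The definition of PIPE_HDCP2_STREAM_STATUS is outside the hunk, so please confirm that it exists and is indexed by port, or rename the call to the port-indexed helper.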
@@ -0,0 +1,47 @@
+From 561fe0429158bd163479569430ce3b0a35886152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 18:58:46 +0200
+Subject: drm/nouveau: prime: fix refcount underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Danilo Krummrich
+
+[ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ]
+
+Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and
+hence the backing ttm_bo) leads to a refcount underflow.
+
+Instead of calling nouveau_bo_ref() in the unwind path of
+drm_gem_object_init(), clean things up manually.
+
+Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers")
+Reviewed-by: Ben Skeggs
+Reviewed-by: Christian König
+Signed-off-by: Danilo Krummrich
+Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org
+(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_prime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c
+index 9608121e49b7e..8340d55aaa987 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
+@@ -63,7 +63,8 @@ struct drm_gem_object *nouveau_gem_prime_import_sg_table(struct drm_device *dev,
+ * to the caller, instead of a normal nouveau_bo ttm reference. */
+ ret = drm_gem_object_init(dev, &nvbo->bo.base, size);
+ if (ret) {
+- nouveau_bo_ref(NULL, &nvbo);
++ drm_gem_object_release(&nvbo->bo.base);
++ kfree(nvbo);
+ obj = ERR_PTR(-ENOMEM);
+ goto unlock;
+ }
+--
+2.43.0
+
diff --git a/queue-6.1/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch b/queue-6.1/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
new file mode 100644
index 00000000000..3e4e910a12e
--- /dev/null
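Review bot: The new unwind in nouveau_gem_prime_import_sg_table() frees nvbo by hand with no comment saying why nouveau_bo_ref() must not be used at this point, which makes it easy for a later cleanup to reintroduce the refcount underflow. I would add `/* nvbo->bo is not initialised yet, so nouveau_bo_ref() would drop a reference that was never taken */` above `drm_gem_object_release(&nvbo->bo.base);`. The unchanged next line also replaces the error from drm_gem_object_init() with -ENOMEM; `obj = ERR_PTR(ret);` would keep the real cause. nvbo is left dangling after kfree(), so the code after the `unlock` label, which is outside the hunk, must not touch it.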
+++ b/queue-6.1/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
@@ -0,0 +1,41 @@
+From ccac35f9573420f6bbac7276306dc7f46ceb7205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jul 2024 11:36:27 -0500
+Subject: drm/vmwgfx: Fix overlay when using Screen Targets
+
+From: Ian Forbes
+
+[ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ]
+
+This code was never updated to support Screen Targets.
+Fixes a bug where Xv playback displays a green screen instead of actual
+video contents when 3D acceleration is disabled in the guest.
+
+Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets")
+Reported-by: Doug Brown
+Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com
+Signed-off-by: Ian Forbes
+Tested-by: Doug Brown
+Signed-off-by: Zack Rusin
+Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+index abc354ead4e8b..5dcddcb59a6f7 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+@@ -98,7 +98,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv,
+ {
+ struct vmw_escape_video_flush *flush;
+ size_t fifo_size;
+- bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object);
++ bool have_so = (dev_priv->active_display_unit != vmw_du_legacy);
+ int i, num_items;
+ SVGAGuestPtr ptr;
+
+--
+2.43.0
+
diff --git a/queue-6.1/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch b/queue-6.1/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch
new file mode 100644
index 00000000000..f3989e4625b
--- /dev/null
+++ b/queue-6.1/drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch
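Review bot: `have_so = (dev_priv->active_display_unit != vmw_du_legacy)` in vmw_overlay_send_put() is true for every display-unit value other than legacy, not only for screen objects and screen targets. If the enum has an invalid or unset value, or gains a new type later (its definition is outside the hunk), that value would silently take the screen-object path. An explicit test, `dev_priv->active_display_unit == vmw_du_screen_object || dev_priv->active_display_unit == vmw_du_screen_target`, states the intent. Failing that, a comment such as `/* true for screen objects and screen targets */` beside the variable would help, because the name have_so no longer matches what it tests.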
@@ -0,0 +1,76 @@
+From fd7a6d1a1d593d3bc87831af148e6cc99c5cd5a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Jun 2024 15:59:51 -0500
+Subject: drm/vmwgfx: Trigger a modeset when the screen moves
+
+From: Ian Forbes
+
+[ Upstream commit 75c3e8a26a35d4f3eee299b3cc7e465f166f4e2d ]
+
+When multi-monitor is cycled the X,Y position of the Screen Target will
+likely change but the resolution will not. We need to trigger a modeset
+when this occurs in order to recreate the Screen Target with the correct
+X,Y position.
+
+Fixes a bug where multiple displays are shown in a single scrollable
+host window rather than in 2+ windows on separate host displays.
+
+Fixes: 426826933109 ("drm/vmwgfx: Filter modes which exceed graphics memory")
+Signed-off-by: Ian Forbes
+Signed-off-by: Zack Rusin
+Link: https://patchwork.freedesktop.org/patch/msgid/20240624205951.23343-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 29 +++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+index 6dd33d1258d11..e98fde90f4e0c 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+@@ -1015,6 +1015,32 @@ vmw_stdu_connector_mode_valid(struct drm_connector *connector,
+ return MODE_OK;
+ }
+
++/*
++ * Trigger a modeset if the X,Y position of the Screen Target changes.
++ * This is needed when multi-mon is cycled. The original Screen Target will have
++ * the same mode but its relative X,Y position in the topology will change.
++ */
++static int vmw_stdu_connector_atomic_check(struct drm_connector *conn,
++ struct drm_atomic_state *state)
++{
++ struct drm_connector_state *conn_state;
++ struct vmw_screen_target_display_unit *du;
++ struct drm_crtc_state *new_crtc_state;
++
++ conn_state = drm_atomic_get_connector_state(state, conn);
++ du = vmw_connector_to_stdu(conn);
++
++ if (!conn_state->crtc)
++ return 0;
++
++ new_crtc_state = drm_atomic_get_new_crtc_state(state, conn_state->crtc);
++ if (du->base.gui_x != du->base.set_gui_x ||
++ du->base.gui_y != du->base.set_gui_y)
++ new_crtc_state->mode_changed = true;
++
++ return 0;
++}
++
+ static const struct drm_connector_funcs vmw_stdu_connector_funcs = {
+ .dpms = vmw_du_connector_dpms,
+ .detect = vmw_du_connector_detect,
+@@ -1029,7 +1055,8 @@ static const struct drm_connector_funcs vmw_stdu_connector_funcs = {
+ static const struct
+ drm_connector_helper_funcs vmw_stdu_connector_helper_funcs = {
+ .get_modes = vmw_connector_get_modes,
+- .mode_valid = vmw_stdu_connector_mode_valid
++ .mode_valid = vmw_stdu_connector_mode_valid,
++ .atomic_check = vmw_stdu_connector_atomic_check,
+ };
+
+
+--
+2.43.0
+
diff --git a/queue-6.1/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch b/queue-6.1/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch
new file mode 100644
index 00000000000..a7ce5f3400b
--- /dev/null
+++ b/queue-6.1/hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch
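Review bot: vmw_stdu_connector_atomic_check() dereferences `conn_state->crtc` straight after `drm_atomic_get_connector_state()`, which returns an ERR_PTR on failure, so an error there becomes an invalid pointer dereference in the atomic check path. Add `if (IS_ERR(conn_state)) return PTR_ERR(conn_state);` before the crtc test. `drm_atomic_get_new_crtc_state()` can also return NULL when the CRTC is not part of the state, so the write `new_crtc_state->mode_changed = true` should be preceded by `if (!new_crtc_state) return 0;`.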
@@ -0,0 +1,68 @@
+From b7c38bbf35b41115a91a6b1b63d063fab6b51761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 16:46:16 +0530
+Subject: HID: amd_sfh: Move sensor discovery before HID device initialization
+
+From: Basavaraj Natikar
+
+[ Upstream commit 8031b001da700474c11d28629581480b12a0d8d4 ]
+
+Sensors discovery is independent of HID device initialization. If sensor
+discovery fails after HID initialization, then the HID device needs to be
+deinitialized. Therefore, sensors discovery should be moved before HID
+device initialization.
+
+Fixes: 7bcfdab3f0c6 ("HID: amd_sfh: if no sensors are enabled, clean up")
+Tested-by: Aurinko
+Signed-off-by: Basavaraj Natikar
+Link: https://patch.msgid.link/20240718111616.3012155-1-Basavaraj.Natikar@amd.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+index 6e65379b10d53..4343fef7dd83e 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+@@ -287,12 +287,22 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ mp2_ops->start(privdata, info);
+ cl_data->sensor_sts[i] = amd_sfh_wait_for_response
+ (privdata, cl_data->sensor_idx[i], SENSOR_ENABLED);
++
++ if (cl_data->sensor_sts[i] == SENSOR_ENABLED)
++ cl_data->is_any_sensor_enabled = true;
++ }
++
++ if (!cl_data->is_any_sensor_enabled ||
++ (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) {
++ dev_warn(dev, "Failed to discover, sensors not enabled is %d\n",
++ cl_data->is_any_sensor_enabled);
++ rc = -EOPNOTSUPP;
++ goto cleanup;
+ }
+
+ for (i = 0; i < cl_data->num_hid_devices; i++) {
+ cl_data->cur_hid_dev = i;
+ if (cl_data->sensor_sts[i] == SENSOR_ENABLED) {
+- cl_data->is_any_sensor_enabled = true;
+ rc = amdtp_hid_probe(i, cl_data);
+ if (rc)
+ goto cleanup;
+@@ -308,12 +318,6 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ cl_data->sensor_sts[i]);
+ }
+
+- if (!cl_data->is_any_sensor_enabled ||
+- (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) {
+- dev_warn(dev, "Failed to discover, sensors not enabled is %d\n", cl_data->is_any_sensor_enabled);
+- rc = -EOPNOTSUPP;
+- goto cleanup;
+- }
+ schedule_delayed_work(&cl_data->work_buffer, msecs_to_jiffies(AMD_SFH_IDLE_LOOP));
+ return 0;
+
+--
+2.43.0
+
diff --git a/queue-6.1/hid-amd_sfh-remove-duplicate-cleanup.patch b/queue-6.1/hid-amd_sfh-remove-duplicate-cleanup.patch
new file mode 100644
index 00000000000..76f955bbf9f
--- /dev/null
+++ b/queue-6.1/hid-amd_sfh-remove-duplicate-cleanup.patch
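Review bot: The relocated discovery check in amd_sfh_hid_client_init() now reaches `goto cleanup` before any amdtp_hid_probe() call has run, so the cleanup path has to cope with a state in which no HID device exists yet. The `cleanup` label is outside this hunk; the companion patch in this queue shows it calling amd_sfh_hid_client_deinit(), and it is worth confirming that deinit handles never-probed devices and stops the sensors started in the loop above. Separately, `cl_data->is_any_sensor_enabled` is only ever set to true here; if this init can run again on the same cl_data (a resume or re-probe path, not visible in the hunk), a stale true would defeat the new check, so clearing it before the sensor loop with `cl_data->is_any_sensor_enabled = false;` would make the check self-contained.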
@@ -0,0 +1,76 @@
+From 0506fe8334572a67eb59bc310c3a5bf2cc9f4014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 12:28:54 +0530
+Subject: HID: amd_sfh: Remove duplicate cleanup
+
+From: Basavaraj Natikar
+
+[ Upstream commit e295709054d59e35be44794dd125efee528ccceb ]
+
+A number of duplicate cleanups are performed that are not necessary. As a
+result, remove duplicate cleanups and use common cleanup.
+
+Signed-off-by: Basavaraj Natikar
+Signed-off-by: Jiri Kosina
+Stable-dep-of: 8031b001da70 ("HID: amd_sfh: Move sensor discovery before HID device initialization")
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c | 27 ++++--------------------
+ 1 file changed, 4 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+index c751d12f5df89..34eb419b225ed 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+@@ -291,18 +291,8 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ cl_data->is_any_sensor_enabled = true;
+ cl_data->sensor_sts[i] = SENSOR_ENABLED;
+ rc = amdtp_hid_probe(cl_data->cur_hid_dev, cl_data);
+- if (rc) {
+- mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
+- status = amd_sfh_wait_for_response
+- (privdata, cl_data->sensor_idx[i], SENSOR_DISABLED);
+- if (status != SENSOR_ENABLED)
+- cl_data->sensor_sts[i] = SENSOR_DISABLED;
+- dev_dbg(dev, "sid 0x%x (%s) status 0x%x\n",
+- cl_data->sensor_idx[i],
+- get_sensor_name(cl_data->sensor_idx[i]),
+- cl_data->sensor_sts[i]);
++ if (rc)
+ goto cleanup;
+- }
+ } else {
+ cl_data->sensor_sts[i] = SENSOR_DISABLED;
+ dev_dbg(dev, "sid 0x%x (%s) status 0x%x\n",
+@@ -316,25 +306,16 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ }
+ if (!cl_data->is_any_sensor_enabled ||
+ (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) {
+- amd_sfh_hid_client_deinit(privdata);
+- for (i = 0; i < cl_data->num_hid_devices; i++) {
+- devm_kfree(dev, cl_data->feature_report[i]);
+- devm_kfree(dev, in_data->input_report[i]);
+- devm_kfree(dev, cl_data->report_descr[i]);
+- }
+ dev_warn(dev, "Failed to discover, sensors not enabled is %d\n", cl_data->is_any_sensor_enabled);
+- return -EOPNOTSUPP;
++ rc = -EOPNOTSUPP;
++ goto cleanup;
+ }
+ schedule_delayed_work(&cl_data->work_buffer, msecs_to_jiffies(AMD_SFH_IDLE_LOOP));
+ return 0;
+
+ cleanup:
++ amd_sfh_hid_client_deinit(privdata);
+ for (i = 0; i < cl_data->num_hid_devices; i++) {
+- if (in_data->sensor_virt_addr[i]) {
+- dma_free_coherent(&privdata->pdev->dev, 8 * sizeof(int),
+- in_data->sensor_virt_addr[i],
+- cl_data->sensor_dma_addr[i]);
+- }
+ devm_kfree(dev, cl_data->feature_report[i]);
+ devm_kfree(dev, in_data->input_report[i]);
+ devm_kfree(dev, cl_data->report_descr[i]);
+--
+2.43.0
+
diff --git a/queue-6.1/hid-amd_sfh-split-sensor-and-hid-initialization.patch b/queue-6.1/hid-amd_sfh-split-sensor-and-hid-initialization.patch
new file mode 100644
index 00000000000..ce7dbf31502
--- /dev/null
+++ b/queue-6.1/hid-amd_sfh-split-sensor-and-hid-initialization.patch
@@ -0,0 +1,67 @@
+From 426f99be7ff8aa06d4e73642951911e4e2d1634a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 12:28:55 +0530
+Subject: HID: amd_sfh: Split sensor and HID initialization
+
+From: Basavaraj Natikar
+
+[ Upstream commit 5ca505c6b0259606361d8f95b0811b783d4e78f7 ]
+
+Sensors are enabled independently of HID device initialization. Sensor
+initialization should be kept separate in this case, while HID devices
+should be initialized according to the sensor state. Hence split sensor
+initialization and HID initialization into separate blocks.
+
+Signed-off-by: Basavaraj Natikar
+Signed-off-by: Jiri Kosina
+Stable-dep-of: 8031b001da70 ("HID: amd_sfh: Move sensor discovery before HID device initialization")
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+index 34eb419b225ed..6e65379b10d53 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+@@ -214,7 +214,7 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ struct device *dev;
+ u32 feature_report_size;
+ u32 input_report_size;
+- int rc, i, status;
++ int rc, i;
+ u8 cl_idx;
+
+ req_list = &cl_data->req_list;
+@@ -285,12 +285,15 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ if (rc)
+ goto cleanup;
+ mp2_ops->start(privdata, info);
+- status = amd_sfh_wait_for_response
+- (privdata, cl_data->sensor_idx[i], SENSOR_ENABLED);
+- if (status == SENSOR_ENABLED) {
++ cl_data->sensor_sts[i] = amd_sfh_wait_for_response
++ (privdata, cl_data->sensor_idx[i], SENSOR_ENABLED);
++ }
++
++ for (i = 0; i < cl_data->num_hid_devices; i++) {
++ cl_data->cur_hid_dev = i;
++ if (cl_data->sensor_sts[i] == SENSOR_ENABLED) {
+ cl_data->is_any_sensor_enabled = true;
+- cl_data->sensor_sts[i] = SENSOR_ENABLED;
+- rc = amdtp_hid_probe(cl_data->cur_hid_dev, cl_data);
++ rc = amdtp_hid_probe(i, cl_data);
+ if (rc)
+ goto cleanup;
+ } else {
+@@ -304,6 +307,7 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ cl_data->sensor_idx[i], get_sensor_name(cl_data->sensor_idx[i]),
+ cl_data->sensor_sts[i]);
+ }
++
+ if (!cl_data->is_any_sensor_enabled ||
+ (mp2_ops->discovery_status && mp2_ops->discovery_status(privdata) == 0)) {
+ dev_warn(dev, "Failed to discover, sensors not enabled is %d\n", cl_data->is_any_sensor_enabled);
+--
+2.43.0
+
diff --git a/queue-6.1/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch b/queue-6.1/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch
new file mode 100644
index 00000000000..00a0a42cd85
--- /dev/null
+++ b/queue-6.1/ice-add-missing-write_once-when-clearing-ice_rx_ring.patch
@@ -0,0 +1,38 @@
+From 74c4138df66a1ae5cf2f4e4e40fb7d4eef473c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 20:17:15 +0200
+Subject: ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog
+
+From: Maciej Fijalkowski
+
+[ Upstream commit 6044ca26210ba72b3dcc649fae1cbedd9e6ab018 ]
+
+It is read by data path and modified from process context on remote cpu
+so it is needed to use WRITE_ONCE to clear the pointer.
+
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Reviewed-by: Shannon Nelson
+Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel)
+Signed-off-by: Maciej Fijalkowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index dbe80e5053a82..bd62781191b3d 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -454,7 +454,7 @@ void ice_free_rx_ring(struct ice_rx_ring *rx_ring)
+ if (rx_ring->vsi->type == ICE_VSI_PF)
+ if (xdp_rxq_info_is_reg(&rx_ring->xdp_rxq))
+ xdp_rxq_info_unreg(&rx_ring->xdp_rxq);
+- rx_ring->xdp_prog = NULL;
++ WRITE_ONCE(rx_ring->xdp_prog, NULL);
+ if (rx_ring->xsk_pool) {
+ kfree(rx_ring->xdp_buf);
+ rx_ring->xdp_buf = NULL;
+--
+2.43.0
+
diff --git a/queue-6.1/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch b/queue-6.1/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch
new file mode 100644
index 00000000000..208f4d514e1
--- /dev/null
+++ b/queue-6.1/ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch
@@ -0,0 +1,48 @@
+From cadcf6459a2e22627f94581d32fe238187adaee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 20:17:10 +0200
+Subject: ice: don't busy wait for Rx queue disable in ice_qp_dis()
+
+From: Maciej Fijalkowski
+
+[ Upstream commit 1ff72a2f67791cd4ddad19ed830445f57b30e992 ]
+
+When ice driver is spammed with multiple xdpsock instances and flow
+control is enabled, there are cases when Rx queue gets stuck and unable
+to reflect the disable state in QRX_CTRL register. Similar issue has
+previously been addressed in commit 13a6233b033f ("ice: Add support to
+enable/disable all Rx queues before waiting").
+
+To workaround this, let us simply not wait for a disabled state as later
+patch will make sure that regardless of the encountered error in the
+process of disabling a queue pair, the Rx queue will be enabled.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Reviewed-by: Shannon Nelson
+Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel)
+Signed-off-by: Maciej Fijalkowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 61e4730bba59e..ebc017dd245f1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -191,10 +191,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ if (err)
+ return err;
+ }
+- err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true);
+- if (err)
+- return err;
+
++ ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, false);
+ ice_qp_clean_rings(vsi, q_idx);
+ ice_qp_reset_stats(vsi, q_idx);
+
+--
+2.43.0
+
diff --git a/queue-6.1/ice-replace-synchronize_rcu-with-synchronize_net.patch b/queue-6.1/ice-replace-synchronize_rcu-with-synchronize_net.patch
new file mode 100644
index 00000000000..0b16072d615
--- /dev/null
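Review bot: The return value of ice_vsi_ctrl_one_rx_ring() is now dropped silently in ice_qp_dis(), which looks like an oversight to anyone who has not read the commit message. A short comment above the call would record the intent, for example `/* Rx queue can be stuck with flow control on; do not wait for or fail on the disable */`. Because ice_qp_clean_rings() runs immediately afterwards, it would also help to state (or check) why releasing the Rx ring buffers is safe when the hardware has not confirmed the queue as disabled. ice_qp_dis() begins and ends outside the hunk.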
+++ b/queue-6.1/ice-replace-synchronize_rcu-with-synchronize_net.patch 
@@ -0,0 +1,60 @@
+From d7ba17b0178a398535d83e2a779bc718b6f7abdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 20:17:11 +0200
+Subject: ice: replace synchronize_rcu with synchronize_net
+
+From: Maciej Fijalkowski
+
+[ Upstream commit 405d9999aa0b4ae467ef391d1d9c7e0d30ad0841 ]
+
+Given that ice_qp_dis() is called under rtnl_lock, synchronize_net() can
+be called instead of synchronize_rcu() so that XDP rings can finish its
+job in a faster way. Also let us do this as earlier in XSK queue disable
+flow.
+
+Additionally, turn off regular Tx queue before disabling irqs and NAPI.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Reviewed-by: Shannon Nelson
+Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel)
+Signed-off-by: Maciej Fijalkowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index ebc017dd245f1..2677d7c86a6d7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -41,10 +41,8 @@ static void ice_qp_reset_stats(struct ice_vsi *vsi, u16 q_idx)
+ static void ice_qp_clean_rings(struct ice_vsi *vsi, u16 q_idx)
+ {
+ ice_clean_tx_ring(vsi->tx_rings[q_idx]);
+- if (ice_is_xdp_ena_vsi(vsi)) {
+- synchronize_rcu();
++ if (ice_is_xdp_ena_vsi(vsi))
+ ice_clean_tx_ring(vsi->xdp_rings[q_idx]);
+- }
+ ice_clean_rx_ring(vsi->rx_rings[q_idx]);
+ }
+
+@@ -172,11 +170,12 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ usleep_range(1000, 2000);
+ }
+
++ synchronize_net();
++ netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
++
+ ice_qvec_dis_irq(vsi, rx_ring, q_vector);
+ ice_qvec_toggle_napi(vsi, q_vector, false);
+
+- netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
+-
+ ice_fill_txq_meta(vsi, tx_ring, &txq_meta);
+ err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta);
+ if (err)
+--
+2.43.0
+
diff --git a/queue-6.1/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch b/queue-6.1/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch
new file mode 100644
index 00000000000..a85dcab09a1
--- /dev/null
+++ b/queue-6.1/ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch
@@ -0,0 +1,67 @@
+From b24fafdce5efea3d24f9a43845797a2a62ce47b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 20:17:09 +0200
+Subject: ice: respect netif readiness in AF_XDP ZC related ndo's
+
+From: Michal Kubiak
+
+[ Upstream commit ec145a18687fec8dd97eeb4f30057fa4debef577 ]
+
+Address a scenario in which XSK ZC Tx produces descriptors to XDP Tx
+ring when link is either not yet fully initialized or process of
+stopping the netdev has already started. To avoid this, add checks
+against carrier readiness in ice_xsk_wakeup() and in ice_xmit_zc().
+One could argue that bailing out early in ice_xsk_wakeup() would be
+sufficient but given the fact that we produce Tx descriptors on behalf
+of NAPI that is triggered for Rx traffic, the latter is also needed.
+
+Bringing link up is an asynchronous event executed within
+ice_service_task so even though interface has been brought up there is
+still a time frame where link is not yet ok.
+
+Without this patch, when AF_XDP ZC Tx is used simultaneously with stack
+Tx, Tx timeouts occur after going through link flap (admin brings
+interface down then up again). HW seem to be unable to transmit
+descriptor to the wire after HW tail register bump which in turn causes
+bit __QUEUE_STATE_STACK_XOFF to be set forever as
+netdev_tx_completed_queue() sees no cleaned bytes on the input.
+
+Fixes: 126cdfe1007a ("ice: xsk: Improve AF_XDP ZC Tx and use batching API")
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Reviewed-by: Shannon Nelson
+Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel)
+Signed-off-by: Michal Kubiak
+Signed-off-by: Maciej Fijalkowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index b917f271cdac1..61e4730bba59e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -937,6 +937,10 @@ bool ice_xmit_zc(struct ice_tx_ring *xdp_ring)
+
+ ice_clean_xdp_irq_zc(xdp_ring);
+
++ if (!netif_carrier_ok(xdp_ring->vsi->netdev) ||
++ !netif_running(xdp_ring->vsi->netdev))
++ return true;
++
+ budget = ICE_DESC_UNUSED(xdp_ring);
+ budget = min_t(u16, budget, ICE_RING_QUARTER(xdp_ring));
+
+@@ -980,7 +984,7 @@ ice_xsk_wakeup(struct net_device *netdev, u32 queue_id,
+ struct ice_vsi *vsi = np->vsi;
+ struct ice_tx_ring *ring;
+
+- if (test_bit(ICE_VSI_DOWN, vsi->state))
++ if (test_bit(ICE_VSI_DOWN, vsi->state) || !netif_carrier_ok(netdev))
+ return -ENETDOWN;
+
+ if (!ice_is_xdp_ena_vsi(vsi))
+--
+2.43.0
+
diff --git a/queue-6.1/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-6.1/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
new file mode 100644
index 00000000000..e52ea5ef2b3
--- /dev/null
+++ b/queue-6.1/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
@@ -0,0 +1,92 @@
+From 4b32c0ce37c77d554b6634ace2ef33d9381bb0f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jul 2024 17:17:48 -0700
+Subject: ipv6: fix ndisc_is_useropt() handling for PIO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+[ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ]
+
+The current logic only works if the PIO is between two
+other ND user options. This fixes it so that the PIO
+can also be either before or after other ND user options
+(for example the first or last option in the RA).
+
+side note: there's actually Android tests verifying
+a portion of the old broken behaviour, so:
+ https://android-review.googlesource.com/c/kernel/tests/+/3196704
+fixes those up.
+
+Cc: Jen Linkova
+Cc: Lorenzo Colitti
+Cc: Patrick Rohr
+Cc: David Ahern
+Cc: YOSHIFUJI Hideaki / 吉藤英明
+Cc: Jakub Kicinski
+Signed-off-by: Maciej Żenczykowski
+Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO")
+Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ndisc.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 8c5a99fe68030..cfb4cf6e66549 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -227,6 +227,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+ return NULL;
+ memset(ndopts, 0, sizeof(*ndopts));
+ while (opt_len) {
++ bool unknown = false;
+ int l;
+ if (opt_len < sizeof(struct nd_opt_hdr))
+ return NULL;
+@@ -262,22 +263,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+ break;
+ #endif
+ default:
+- if (ndisc_is_useropt(dev, nd_opt)) {
+- ndopts->nd_useropts_end = nd_opt;
+- if (!ndopts->nd_useropts)
+- ndopts->nd_useropts = nd_opt;
+- } else {
+- /*
+- * Unknown options must be silently ignored,
+- * to accommodate future extension to the
+- * protocol.
+- */
+- ND_PRINTK(2, notice,
+- "%s: ignored unsupported option; type=%d, len=%d\n",
+- __func__,
+- nd_opt->nd_opt_type,
+- nd_opt->nd_opt_len);
+- }
++ unknown = true;
++ }
++ if (ndisc_is_useropt(dev, nd_opt)) {
++ ndopts->nd_useropts_end = nd_opt;
++ if (!ndopts->nd_useropts)
++ ndopts->nd_useropts = nd_opt;
++ } else if (unknown) {
++ /*
++ * Unknown options must be silently ignored,
++ * to accommodate future extension to the
++ * protocol.
++ */
++ ND_PRINTK(2, notice,
++ "%s: ignored unsupported option; type=%d, len=%d\n",
++ __func__,
++ nd_opt->nd_opt_type,
++ nd_opt->nd_opt_len);
+ }
+ next_opt:
+ opt_len -= l;
+--
+2.43.0
+
diff --git a/queue-6.1/net-axienet-start-napi-before-enabling-rx-tx.patch b/queue-6.1/net-axienet-start-napi-before-enabling-rx-tx.patch
new file mode 100644
index 00000000000..13bc5c5c5ef
--- /dev/null
+++ b/queue-6.1/net-axienet-start-napi-before-enabling-rx-tx.patch
@@ -0,0 +1,41 @@
+From d5d34af9d4b69d6486e78cdf5ba4c65128f0112d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 15:06:50 +0800
+Subject: net: axienet: start napi before enabling Rx/Tx
+
+From: Andy Chiu
+
+[ Upstream commit 799a829507506924add8a7620493adc1c3cfda30 ]
+
+softirq may get lost if an Rx interrupt comes before we call
+napi_enable. Move napi_enable in front of axienet_setoptions(), which
+turns on the device, to address the issue.
+
+Link: https://lists.gnu.org/archive/html/qemu-devel/2024-07/msg06160.html
+Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive")
+Signed-off-by: Andy Chiu
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 5ea9dc251dd9a..ff777735be66b 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1825,9 +1825,9 @@ static void axienet_dma_err_handler(struct work_struct *work)
+ ~(XAE_OPTION_TXEN | XAE_OPTION_RXEN));
+ axienet_set_mac_address(ndev, NULL);
+ axienet_set_multicast_list(ndev);
+- axienet_setoptions(ndev, lp->options);
+ napi_enable(&lp->napi_rx);
+ napi_enable(&lp->napi_tx);
++ axienet_setoptions(ndev, lp->options);
+ }
+
+ /**
+--
+2.43.0
+
diff --git a/queue-6.1/net-iucv-fix-use-after-free-in-iucv_sock_close.patch b/queue-6.1/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
new file mode 100644
index 00000000000..944f265ebe2
--- /dev/null
+++ b/queue-6.1/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
@@ -0,0 +1,75 @@
+From 74d8459a67c95ca6911cb93b015f9ce4915f3fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jul 2024 14:28:16 +0200
+Subject: net/iucv: fix use after free in iucv_sock_close()
+
+From: Alexandra Winter
+
+[ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ]
+
+iucv_sever_path() is called from process context and from bh context.
+iucv->path is used as indicator whether somebody else is taking care of
+severing the path (or it is already removed / never existed).
+This needs to be done with atomic compare and swap, otherwise there is a
+small window where iucv_sock_close() will try to work with a path that has
+already been severed and freed by iucv_callback_connrej() called by
+iucv_tasklet_fn().
+
+Example:
+[452744.123844] Call Trace:
+[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
+[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138
+[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
+[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
+[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
+[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8
+[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48
+[452744.124820] [<00000000d5421642>] __fput+0xba/0x268
+[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0
+[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90
+[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8
+[452744.125319] Last Breaking-Event-Address:
+[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138
+[452744.125324]
+[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt
+
+Note that bh_lock_sock() is not serializing the tasklet context against
+process context, because the check for sock_owned_by_user() and
+corresponding handling is missing.
+
+Ideas for a future clean-up patch:
+A) Correct usage of bh_lock_sock() in tasklet context, as described in
+Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/
+Re-enqueue, if needed. This may require adding return values to the
+tasklet functions and thus changes to all users of iucv.
+
+B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
+
+Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely")
+Reviewed-by: Halil Pasic
+Signed-off-by: Alexandra Winter
+Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/iucv/af_iucv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index 498a0c35b7bb2..815b1df0b2d19 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -335,8 +335,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data)
+ struct iucv_sock *iucv = iucv_sk(sk);
+ struct iucv_path *path = iucv->path;
+
+- if (iucv->path) {
+- iucv->path = NULL;
++ /* Whoever resets the path pointer, must sever and free it. */
++ if (xchg(&iucv->path, NULL)) {
+ if (with_user_data) {
+ low_nmcpy(user_data, iucv->src_name);
+ high_nmcpy(user_data, iucv->dst_name);
+--
+2.43.0
+
diff --git a/queue-6.1/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch b/queue-6.1/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch
new file mode 100644
index 00000000000..fec5d4698e5
--- /dev/null
+++ b/queue-6.1/net-mlx5-fix-missing-lock-on-sync-reset-reload.patch
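Review bot: In iucv_sever_path() the local `path` is still filled by a plain, unsynchronised read of `iucv->path` on the context line above the new xchg(), so the pointer that is later used is not the one the atomic exchange handed to this caller. The code is correct only as long as nothing replaces the pointer between the two accesses, and the plain read remains a data race with the other context. Taking the pointer from the exchange ties ownership to the value actually used: `struct iucv_path *path = xchg(&iucv->path, NULL);` followed by `if (path) {`. The rest of the function, where `path` is presumably severed and freed, lies outside the hunk.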
@@ -0,0 +1,80 @@
+From d0a4b9ed662c720cb49c4ab553c8030e667880cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jul 2024 09:16:34 +0300
+Subject: net/mlx5: Fix missing lock on sync reset reload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Moshe Shemesh
+
+[ Upstream commit 572f9caa9e7295f8c8822e4122c7ae8f1c412ff9 ]
+
+On sync reset reload work, when remote host updates devlink on reload
+actions performed on that host, it misses taking devlink lock before
+calling devlink_remote_reload_actions_performed() which results in
+triggering lock assert like the following:
+
+WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
+…
+ CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116
+ Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015
+ Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
+ RIP: 0010:devl_assert_locked+0x3e/0x50
+…
+ Call Trace:
+
+ ? __warn+0xa4/0x210
+ ? devl_assert_locked+0x3e/0x50
+ ? report_bug+0x160/0x280
+ ? handle_bug+0x3f/0x80
+ ? exc_invalid_op+0x17/0x40
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? devl_assert_locked+0x3e/0x50
+ devlink_notify+0x88/0x2b0
+ ? mlx5_attach_device+0x20c/0x230 [mlx5_core]
+ ? __pfx_devlink_notify+0x10/0x10
+ ? process_one_work+0x4b6/0xbb0
+ process_one_work+0x4b6/0xbb0
+[…]
+
+Fixes: 84a433a40d0e ("net/mlx5: Lock mlx5 devlink reload callbacks")
+Signed-off-by: Moshe Shemesh
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Tariq Toukan
+Reviewed-by: Wojciech Drewek
+Link: https://patch.msgid.link/20240730061638.1831002-6-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index dec1492da74de..1a818759a9aac 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -145,6 +145,7 @@ int mlx5_fw_reset_set_live_patch(struct mlx5_core_dev *dev)
+ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++ struct devlink *devlink = priv_to_devlink(dev);
+
+ /* if this is the driver that initiated the fw reset, devlink completed the reload */
+ if (test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags)) {
+@@ -155,9 +156,11 @@ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev)
+ mlx5_core_err(dev, "reset reload flow aborted, PCI reads still not working\n");
+ else
+ mlx5_load_one(dev, true);
+- devlink_remote_reload_actions_performed(priv_to_devlink(dev), 0,
++ devl_lock(devlink);
++ devlink_remote_reload_actions_performed(devlink, 0,
+ BIT(DEVLINK_RELOAD_ACTION_DRIVER_REINIT) |
+ BIT(DEVLINK_RELOAD_ACTION_FW_ACTIVATE));
++ devl_unlock(devlink);
+ }
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.1/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch b/queue-6.1/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch
new file mode 100644
index 00000000000..98d086a62e4
--- /dev/null
+++ b/queue-6.1/net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch
@@ -0,0 +1,39 @@
+From f1199156c66052f04e92dc3c811cbf82ff90e7ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jul 2024 09:16:33 +0300
+Subject: net/mlx5: Lag, don't use the hardcoded value of the first port
+
+From: Mark Bloch
+
+[ Upstream commit 3fda84dc090390573cfbd0b1d70372663315de21 ]
+
+The cited commit didn't change the body of the loop as it should.
+It shouldn't be using MLX5_LAG_P1.
+
+Fixes: 7e978e7714d6 ("net/mlx5: Lag, use actual number of lag ports")
+Signed-off-by: Mark Bloch
+Signed-off-by: Tariq Toukan
+Reviewed-by: Wojciech Drewek
+Link: https://patch.msgid.link/20240730061638.1831002-5-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+index a283d8ae466b6..4b4d761081115 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+@@ -1483,7 +1483,7 @@ u8 mlx5_lag_get_slave_port(struct mlx5_core_dev *dev,
+ goto unlock;
+
+ for (i = 0; i < ldev->ports; i++) {
+- if (ldev->pf[MLX5_LAG_P1].netdev == slave) {
++ if (ldev->pf[i].netdev == slave) {
+ port = i;
+ break;
+ }
+--
+2.43.0
+
diff --git a/queue-6.1/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch b/queue-6.1/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
new file mode 100644
index 00000000000..7cceee993a3
--- /dev/null
+++ b/queue-6.1/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
@@ -0,0 +1,48 @@
+From 4a806a21e6ebb399c3304728429a23e371e8c6a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jul 2024 09:16:37 +0300
+Subject: net/mlx5e: Add a check for the return value from
+ mlx5_port_set_eth_ptys
+
+From: Shahar Shitrit
+
+[ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ]
+
+Since the documentation for mlx5_toggle_port_link states that it should
+only be used after setting the port register, we add a check for the
+return value from mlx5_port_set_eth_ptys to ensure the register was
+successfully set before calling it.
+
+Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters")
+Signed-off-by: Shahar Shitrit
+Reviewed-by: Carolina Jubran
+Signed-off-by: Tariq Toukan
+Reviewed-by: Wojciech Drewek
+Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index ceeb23f478e15..3ee61987266c4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1223,7 +1223,12 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv,
+ if (!an_changes && link_modes == eproto.admin)
+ goto out;
+
+- mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++ err = mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++ if (err) {
++ netdev_err(priv->netdev, "%s: failed to set ptys reg: %d\n", __func__, err);
++ goto out;
++ }
++
+ mlx5_toggle_port_link(mdev);
+
+ out:
+-- 
+2.43.0
+
diff --git a/queue-6.1/net-mvpp2-don-t-re-use-loop-iterator.patch b/queue-6.1/net-mvpp2-don-t-re-use-loop-iterator.patch
new file mode 100644
index 00000000000..5a133d4aa0d
--- /dev/null
+++ b/queue-6.1/net-mvpp2-don-t-re-use-loop-iterator.patch
@@ -0,0 +1,48 @@
+From 372e8f6339a784696a4c432225f41fb3af29479c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jul 2024 11:06:56 -0500
+Subject: net: mvpp2: Don't re-use loop iterator
+
+From: Dan Carpenter
+
+[ Upstream commit 0aa3ca956c46d849775eae1816cef8fe4bc8b50e ]
+
+This function has a nested loop. The problem is that both the inside
+and outside loop use the same variable as an iterator. I found this
+via static analysis so I'm not sure the impact. It could be that it
+loops forever or, more likely, the loop exits early.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/eaa8f403-7779-4d81-973d-a9ecddc0bf6f@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 2f80ee84c7ece..bbcdab562513f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -953,13 +953,13 @@ static void mvpp2_bm_pool_update_fc(struct mvpp2_port *port,
+ static void mvpp2_bm_pool_update_priv_fc(struct mvpp2 *priv, bool en)
+ {
+ struct mvpp2_port *port;
+- int i;
++ int i, j;
+
+ for (i = 0; i < priv->port_count; i++) {
+ port = priv->port_list[i];
+ if (port->priv->percpu_pools) {
+- for (i = 0; i < port->nrxqs; i++)
+- mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[i],
++ for (j = 0; j < port->nrxqs; j++)
++ mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[j],
+ port->tx_fc & en);
+ } else {
+ mvpp2_bm_pool_update_fc(port, port->pool_long, port->tx_fc & en);
+-- 
+2.43.0
+
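Review bot: The bound of the inner loop and the size of the array it indexes are not tied together anywhere in this hunk: `&port->priv->bm_pools[j]` is now taken for every `j < port->nrxqs` on every port, whereas the commit message says the old shared iterator most likely made the loop exit early. It is worth confirming that `bm_pools` holds at least `nrxqs` entries whenever `percpu_pools` is set; if it does, a comment above the inner `for` such as `/* percpu_pools: one BM pool per rx queue, so j < nrxqs stays inside bm_pools[] */` would record it. mvpp2_bm_pool_update_priv_fc() continues past the end of the hunk.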
diff --git a/queue-6.1/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch b/queue-6.1/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
new file mode 100644
index 00000000000..fe48fbc0fcf
--- /dev/null
+++ b/queue-6.1/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
@@ -0,0 +1,133 @@ +From 480bc4653919443e5941ddfc9c71e54eb4d15a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 12:28:20 -0700 +Subject: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). + +From: Kuniyuki Iwashima + +[ Upstream commit 5830aa863981d43560748aa93589c0695191d95d ] + +We had a report that iptables-restore sometimes triggered null-ptr-deref +at boot time. [0] + +The problem is that iptable_nat_table_init() is exposed to user space +before the kernel fully initialises netns. + +In the small race window, a user could call iptable_nat_table_init() +that accesses net_generic(net, iptable_nat_net_id), which is available +only after registering iptable_nat_net_ops. + +Let's call register_pernet_subsys() before xt_register_template(). + +[0]: +bpfilter: Loaded bpfilter_umh pid 11702 +Started bpfilter +BUG: kernel NULL pointer dereference, address: 0000000000000013 + PF: supervisor write access in kernel mode + PF: error_code(0x0002) - not-present page +PGD 0 P4D 0 +PREEMPT SMP NOPTI +CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1 +Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017 +RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat +Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c +RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246 +RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80 +RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0 +RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240 +R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000 +R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004 +FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? xt_find_table_lock (net/netfilter/x_tables.c:1259) + ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) + ? page_fault_oops (arch/x86/mm/fault.c:727) + ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) + ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570) + ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat + xt_find_table_lock (net/netfilter/x_tables.c:1259) + xt_request_find_table_lock (net/netfilter/x_tables.c:1287) + get_info (net/ipv4/netfilter/ip_tables.c:965) + ? security_capable (security/security.c:809 (discriminator 13)) + ? ns_capable (kernel/capability.c:376 kernel/capability.c:397) + ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656) + ? 
bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter + nf_getsockopt (net/netfilter/nf_sockopt.c:116) + ip_getsockopt (net/ipv4/ip_sockglue.c:1827) + __sys_getsockopt (net/socket.c:2327) + __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339) + do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121) +RIP: 0033:0x7f62844685ee +Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09 +RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee +RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0 +R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2 +R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008 + +Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs +CR2: 0000000000000013 + +Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default") +Reported-by: Takahiro Kawahara +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/iptable_nat.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git 
a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c +index 56f6ecc43451e..12ca666d6e2c1 100644 +--- a/net/ipv4/netfilter/iptable_nat.c ++++ b/net/ipv4/netfilter/iptable_nat.c +@@ -145,25 +145,27 @@ static struct pernet_operations iptable_nat_net_ops = { + + static int __init iptable_nat_init(void) + { +- int ret = xt_register_template(&nf_nat_ipv4_table, +- iptable_nat_table_init); ++ int ret; + ++ /* net->gen->ptr[iptable_nat_net_id] must be allocated ++ * before calling iptable_nat_table_init(). ++ */ ++ ret = register_pernet_subsys(&iptable_nat_net_ops); + if (ret < 0) + return ret; + +- ret = register_pernet_subsys(&iptable_nat_net_ops); +- if (ret < 0) { +- xt_unregister_template(&nf_nat_ipv4_table); +- return ret; +- } ++ ret = xt_register_template(&nf_nat_ipv4_table, ++ iptable_nat_table_init); ++ if (ret < 0) ++ unregister_pernet_subsys(&iptable_nat_net_ops); + + return ret; + } + + static void __exit iptable_nat_exit(void) + { +- unregister_pernet_subsys(&iptable_nat_net_ops); + xt_unregister_template(&nf_nat_ipv4_table); ++ unregister_pernet_subsys(&iptable_nat_net_ops); + } + + module_init(iptable_nat_init); +-- +2.43.0 + diff --git a/queue-6.1/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch b/queue-6.1/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch new file mode 100644 index 00000000000..2e4936206bc --- /dev/null +++ b/queue-6.1/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch 
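Review bot: The reordering in `iptable_nat_exit()` is left without the explanation that `iptable_nat_init()` gets, so a later cleanup could put `unregister_pernet_subsys()` back in front without noticing. Presumably the template has to be removed first so that `iptable_nat_table_init()` can no longer be reached from user space once the per-netns slot is released. A line above `xt_unregister_template()` such as `/* drop the template first: iptable_nat_table_init() needs the pernet slot */` would keep the two orderings documented together. The same applies to `ip6table_nat_exit()` in the IPv6 patch that follows.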
@@ -0,0 +1,65 @@
+From b6631a12be88c7dea2228946abab87528cc77521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Jul 2024 12:28:21 -0700
+Subject: netfilter: iptables: Fix potential null-ptr-deref in
+ ip6table_nat_table_init().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit c22921df777de5606f1047b1345b8d22ef1c0b34 ]
+
+ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],
+but the function is exposed to user space before the entry is allocated
+via register_pernet_subsys().
+
+Let's call register_pernet_subsys() before xt_register_template().
+
+Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/netfilter/ip6table_nat.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
+index bf3cb3a13600c..52d597b16b658 100644
+--- a/net/ipv6/netfilter/ip6table_nat.c
++++ b/net/ipv6/netfilter/ip6table_nat.c
+@@ -147,23 +147,27 @@ static struct pernet_operations ip6table_nat_net_ops = {
+
+ static int __init ip6table_nat_init(void)
+ {
+- int ret = xt_register_template(&nf_nat_ipv6_table,
+- ip6table_nat_table_init);
++ int ret;
+
++ /* net->gen->ptr[ip6table_nat_net_id] must be allocated
++ * before calling ip6t_nat_register_lookups().
++ */
++ ret = register_pernet_subsys(&ip6table_nat_net_ops);
+ if (ret < 0)
+ return ret;
+
+- ret = register_pernet_subsys(&ip6table_nat_net_ops);
++ ret = xt_register_template(&nf_nat_ipv6_table,
++ ip6table_nat_table_init);
+ if (ret)
+- xt_unregister_template(&nf_nat_ipv6_table);
++ unregister_pernet_subsys(&ip6table_nat_net_ops);
+
+ return ret;
+ }
+
+ static void __exit ip6table_nat_exit(void)
+ {
+- unregister_pernet_subsys(&ip6table_nat_net_ops);
+ xt_unregister_template(&nf_nat_ipv6_table);
++ unregister_pernet_subsys(&ip6table_nat_net_ops);
+ }
+
+ module_init(ip6table_nat_init);
+-- 
+2.43.0
+
diff --git a/queue-6.1/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch b/queue-6.1/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
new file mode 100644
index 00000000000..785cab95739
--- /dev/null
+++ b/queue-6.1/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
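Review bot: The comment added in `ip6table_nat_init()` names `ip6t_nat_register_lookups()`, a function that appears nowhere else in this hunk, while the commit message and the callback passed to `xt_register_template()` both name `ip6table_nat_table_init()`. Presumably the helper is called from that callback, but a reader of the hunk cannot confirm it, and the sibling IPv4 patch names the callback directly. Wording the second comment line as `* before xt_register_template() exposes ip6table_nat_table_init().` ties the ordering constraint to the call that makes the function reachable from user space.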
@@ -0,0 +1,65 @@
+From 6836854c85cb59f3442b589de2ccbf1530d8ec1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Jul 2024 16:45:47 +0800
+Subject: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
+
+From: Zhe Qiao
+
+[ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ]
+
+Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly
+kill the process and we don't BUG() the kernel.
+
+Fixes: 07037db5d479 ("RISC-V: Paging and MMU")
+Signed-off-by: Zhe Qiao
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/mm/fault.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
+index 274bc6dd839fa..05d7d36479648 100644
+--- a/arch/riscv/mm/fault.c
++++ b/arch/riscv/mm/fault.c
+@@ -60,26 +60,27 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)
+
+ static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
+ {
++ if (!user_mode(regs)) {
++ no_context(regs, addr);
++ return;
++ }
++
+ if (fault & VM_FAULT_OOM) {
+ /*
+ * We ran out of memory, call the OOM killer, and return the userspace
+ * (which will retry the fault, or kill us if we got oom-killed).
+ */
+- if (!user_mode(regs)) {
+- no_context(regs, addr);
+- return;
+- }
+ pagefault_out_of_memory();
+ return;
+ } else if (fault & VM_FAULT_SIGBUS) {
+ /* Kernel mode? Handle exceptions or die */
+- if (!user_mode(regs)) {
+- no_context(regs, addr);
+- return;
+- }
+ do_trap(regs, SIGBUS, BUS_ADRERR, addr);
+ return;
++ } else if (fault & VM_FAULT_SIGSEGV) {
++ do_trap(regs, SIGSEGV, SEGV_MAPERR, addr);
++ return;
+ }
++
+ BUG();
+ }
+
+-- 
+2.43.0
+
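Review bot: The comment `/* Kernel mode? Handle exceptions or die */` is left behind in the `VM_FAULT_SIGBUS` branch although the `!user_mode(regs)` check it described has moved to the top of `mm_fault_error()`, so it now sits above a plain `do_trap()` call and describes nothing there. It belongs directly above the new `if (!user_mode(regs)) {` guard and should be dropped from the SIGBUS branch. The new `VM_FAULT_SIGSEGV` branch always reports `SEGV_MAPERR`; if this path can also be reached for a permission failure, that si_code is imprecise and deserves a short comment. Any fault bit other than the three handled here still ends in `BUG()`.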
diff --git a/queue-6.1/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch b/queue-6.1/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
new file mode 100644
index 00000000000..bbcf9086b59
--- /dev/null
+++ b/queue-6.1/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
@@ -0,0 +1,42 @@
+From 7374a27fd31557f42410c05acf013cfd26b48463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jul 2024 17:19:53 -0700
+Subject: rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified
+ in rtnl_dellink().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 9415d375d8520e0ed55f0c0b058928da9a5b5b3d ]
+
+The cited commit accidentally replaced tgt_net with net in rtnl_dellink().
+
+As a result, IFLA_TARGET_NETNSID is ignored if the interface is specified
+with IFLA_IFNAME or IFLA_ALT_IFNAME.
+
+Let's pass tgt_net to rtnl_dev_get().
+
+Fixes: cc6090e985d7 ("net: rtnetlink: introduce helper to get net_device instance by ifname")
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 1163226c025c1..be663a7382ce9 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3178,7 +3178,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (ifm->ifi_index > 0)
+ dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+ else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+- dev = rtnl_dev_get(net, tb);
++ dev = rtnl_dev_get(tgt_net, tb);
+ else if (tb[IFLA_GROUP])
+ err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
+ else
+-- 
+2.43.0
+
diff --git a/queue-6.1/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch b/queue-6.1/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
new file mode 100644
index 00000000000..83b93ddfe33
--- /dev/null
+++ b/queue-6.1/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch 
@@ -0,0 +1,90 @@ +From 4bd71a76aa5b717badfcc16b6ce2d505f6d2db3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 09:27:45 +0000 +Subject: sched: act_ct: take care of padding in struct zones_ht_key + +From: Eric Dumazet + +[ Upstream commit 2191a54f63225b548fd8346be3611c3219a24738 ] + +Blamed commit increased lookup key size from 2 bytes to 16 bytes, +because zones_ht_key got a struct net pointer. + +Make sure rhashtable_lookup() is not using the padding bytes +which are not initialized. + + BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline] + BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline] + BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline] + BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 + rht_ptr_rcu include/linux/rhashtable.h:376 [inline] + __rhashtable_lookup include/linux/rhashtable.h:607 [inline] + rhashtable_lookup include/linux/rhashtable.h:646 [inline] + rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] + tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329 + tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 + tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425 + tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488 + tcf_action_add net/sched/act_api.c:2061 [inline] + tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118 + rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647 + netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550 + rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665 + netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] + netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357 + netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + 
____sys_sendmsg+0x877/0xb60 net/socket.c:2597 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651 + __sys_sendmsg net/socket.c:2680 [inline] + __do_sys_sendmsg net/socket.c:2689 [inline] + __se_sys_sendmsg net/socket.c:2687 [inline] + __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687 + x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Local variable key created at: + tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324 + tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408 + +Fixes: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table") +Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Cc: Xin Long +Reviewed-by: Simon Horman +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 44ff7f356ec15..9594dbc32165f 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -42,6 +42,8 @@ static DEFINE_MUTEX(zones_mutex); + struct zones_ht_key { + struct net *net; + u16 zone; ++ /* Note : pad[] must be the last field. */ ++ u8 pad[]; + }; + + struct tcf_ct_flow_table { +@@ -58,7 +60,7 @@ struct tcf_ct_flow_table { + static const struct rhashtable_params zones_params = { + .head_offset = offsetof(struct tcf_ct_flow_table, node), + .key_offset = offsetof(struct tcf_ct_flow_table, key), +- .key_len = sizeof_field(struct tcf_ct_flow_table, key), ++ .key_len = offsetof(struct zones_ht_key, pad), + .automatic_shrinking = true, + }; + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index c8c16a50bd1..4143b829f49 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
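Review bot: The comment `/* Note : pad[] must be the last field. */` in `struct zones_ht_key` states the rule without the reason, and nothing records the second assumption behind `.key_len = offsetof(struct zones_ht_key, pad)`: that no padding sits between the real fields either. With the members shown (`struct net *net; u16 zone;`) only trailing padding exists, but a field added before `pad[]` with a stricter alignment would bring uninitialised bytes back inside the key length. I would word the comment as `/* pad[] must stay last: key_len is offsetof(pad), so trailing padding is never hashed or compared */` and add a sentence that fields placed before it must not introduce internal padding. The KMSAN report points at the local `key` built in `tcf_ct_flow_table_get()`, which is outside this hunk.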
@@ -35,3 +35,31 @@ mips-loongson64-dts-add-rtc-support-to-loongson-2k10.patch
 mips-loongson64-dts-fix-pcie-port-nodes-for-ls7a.patch
 mips-dts-loongson-fix-liointc-irq-polarity.patch
 mips-dts-loongson-fix-ls2k1000-rtc-interrupt.patch
+hid-amd_sfh-remove-duplicate-cleanup.patch
+hid-amd_sfh-split-sensor-and-hid-initialization.patch
+hid-amd_sfh-move-sensor-discovery-before-hid-device-.patch
+drm-nouveau-prime-fix-refcount-underflow.patch
+drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
+drm-vmwgfx-trigger-a-modeset-when-the-screen-moves.patch
+sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
+alsa-hda-conexant-reduce-config_pm-dependencies.patch
+alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
+bluetooth-hci_sync-fix-suspending-with-wrong-filter-.patch
+net-axienet-start-napi-before-enabling-rx-tx.patch
+rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
+ice-respect-netif-readiness-in-af_xdp-zc-related-ndo.patch
+ice-don-t-busy-wait-for-rx-queue-disable-in-ice_qp_d.patch
+ice-replace-synchronize_rcu-with-synchronize_net.patch
+ice-add-missing-write_once-when-clearing-ice_rx_ring.patch
+net-iucv-fix-use-after-free-in-iucv_sock_close.patch
+drm-i915-hdcp-fix-hdcp2_stream_status-macro.patch
+net-mvpp2-don-t-re-use-loop-iterator.patch
+alsa-hda-conditionally-use-snooping-for-amd-hdmi.patch
+netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
+netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch
+net-mlx5-lag-don-t-use-the-hardcoded-value-of-the-fi.patch
+net-mlx5-fix-missing-lock-on-sync-reset-reload.patch
+net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
+ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
+riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
+arm64-jump_label-ensure-patched-jump_labels-are-visi.patch
-- 
2.47.3