]> www.infradead.org Git - users/willy/xarray.git/log
users/willy/xarray.git
15 months agoBluetooth: hci_core: Don't use hci_prepare_cmd
Luiz Augusto von Dentz [Mon, 1 Jul 2024 20:13:56 +0000 (16:13 -0400)]
Bluetooth: hci_core: Don't use hci_prepare_cmd

This replaces the instance of hci_prepare_cmd with hci_cmd_sync_alloc
since the former is part of hci_request.c which is considered
deprecated.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_core: Remove usage of hci_req_sync
Luiz Augusto von Dentz [Mon, 1 Jul 2024 20:00:08 +0000 (16:00 -0400)]
Bluetooth: hci_core: Remove usage of hci_req_sync

hci_request functions are considered deprecated so this replaces the
usage of hci_req_sync with hci_inquiry_sync.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agodt-bindings: net: bluetooth: convert MT7622 Bluetooth to the json-schema
Rafał Miłecki [Fri, 28 Jun 2024 05:46:35 +0000 (07:46 +0200)]
dt-bindings: net: bluetooth: convert MT7622 Bluetooth to the json-schema

This helps validating DTS files. Introduced changes:
1. Dropped serial details from example
2. Added required example include

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: Fix usage of __hci_cmd_sync_status
Luiz Augusto von Dentz [Mon, 1 Jul 2024 16:07:46 +0000 (12:07 -0400)]
Bluetooth: Fix usage of __hci_cmd_sync_status

__hci_cmd_sync_status shall only be used if hci_req_sync_lock is _not_
required which is not the case of hci_dev_cmd so it needs to use
hci_cmd_sync_status which uses hci_req_sync_lock internally.

Fixes: f1a8f402f13f ("Bluetooth: L2CAP: Fix deadlock")
Reported-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
WangYuli [Sat, 22 Jun 2024 04:09:59 +0000 (12:09 +0800)]
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591

Add the support ID(0x13d3, 0x3591) to usb_device_id table for
Realtek RTL8852BE.

The device table is as follows:

T:  Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#=  5 Spd=12   MxCh= 0
D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=13d3 ProdID=3591 Rev= 0.00
S:  Manufacturer=Realtek
S:  Product=Bluetooth Radio
S:  SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms

Cc: stable@vger.kernel.org
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: WangYuli <wangyuli@uniontech.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_core: cleanup struct hci_dev
Dmitry Antipov [Fri, 21 Jun 2024 13:01:55 +0000 (16:01 +0300)]
Bluetooth: hci_core: cleanup struct hci_dev

Remove unused and set but otherwise unused 'discovery_old_state'
and 'sco_last_tx' members of 'struct hci_dev'. The first one is
a leftover after commit 182ee45da083 ("Bluetooth: hci_sync: Rework
hci_suspend_notifier"); the second one is originated from ancient
2.4.19 and I was unable to find any actual use since that.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel: Fix the sfi name for BlazarU
Kiran K [Thu, 27 Jun 2024 13:06:39 +0000 (18:36 +0530)]
Bluetooth: btintel: Fix the sfi name for BlazarU

Use INTEL_HW_VARIANT() instead of CNVi Id to decide to load Intermediate
Loader (IML) image. Fix the driver loading incorrect firmware for
BlazarU product.

dmesg:
.....
[146.111834] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
[146.111839] Bluetooth: hci0: Bootloader timestamp 2022.18 buildtype 1 build 16362
[146.111848] Bluetooth: hci0: No support for _PRR ACPI method
[146.112204] Bluetooth: hci0: Failed to load Intel firmware file intel/ibt-0291-0291-iml.sfi (-2)

Fixes: 164c62f958f8 ("Bluetooth: btintel: Add firmware ID to firmware name")
Reported-by: Tsigan, Vladislav <vladislav.tsigan@intel.com>
Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: qca: don't disable power management for QCA6390
Bartosz Golaszewski [Mon, 24 Jun 2024 19:45:18 +0000 (21:45 +0200)]
Bluetooth: qca: don't disable power management for QCA6390

We unnecessarily fallthrough the case for QCA6390 when initializing the
device and hit the condition where - due to the lack of the enable-gpio
- we disable power management despite using the power sequencer. We don't
need to look for clocks on this model so it makes more sense to just
register the hci device and break the switch.

Reported-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Fixes: 9a15ce685706 ("Bluetooth: qca: use the power sequencer for QCA6390")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Acked-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # RB5
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci: fix build when POWER_SEQUENCING=m
Krzysztof Kozlowski [Sun, 23 Jun 2024 17:13:52 +0000 (19:13 +0200)]
Bluetooth: hci: fix build when POWER_SEQUENCING=m

BT_HCIUART_QCA, which is a bool and an HCI UART component, uses now
power sequencing, so we need to be sure BT_HCIUART_QCA=y and
POWER_SEQUENCING=m cannot happen:

  /usr/bin/aarch64-linux-gnu-ld: drivers/bluetooth/hci_qca.o: in function `qca_serdev_probe':
  drivers/bluetooth/hci_qca.c:2401:(.text+0xc48): undefined reference to `devm_pwrseq_get'
  /usr/bin/aarch64-linux-gnu-ld: drivers/bluetooth/hci_qca.o: in function `qca_power_shutdown':
  drivers/bluetooth/hci_qca.c:2192:(.text+0x29e8): undefined reference to `pwrseq_power_off'
  /usr/bin/aarch64-linux-gnu-ld: drivers/bluetooth/hci_qca.o: in function `qca_power_on':
  drivers/bluetooth/hci_qca.c:1808:(.text+0x3390): undefined reference to `pwrseq_power_on'

Fixes: 9a15ce685706 ("Bluetooth: qca: use the power sequencer for QCA6390")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel: Fix spelling of *intermediate* in comment
Paul Menzel [Fri, 21 Jun 2024 07:18:57 +0000 (09:18 +0200)]
Bluetooth: btintel: Fix spelling of *intermediate* in comment

Fixes: f3b845e0aea3 ("Bluetooth: btintel: Add support to download intermediate loader")
Cc: Kiran K <kiran.k@intel.com>
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: qca: use the power sequencer for QCA6390
Bartosz Golaszewski [Wed, 12 Jun 2024 08:01:50 +0000 (10:01 +0200)]
Bluetooth: qca: use the power sequencer for QCA6390

Use the pwrseq subsystem's consumer API to run the power-up sequence for
the Bluetooth module of the QCA6390 package.

Tested-by: Amit Pundir <amit.pundir@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8550-QRD, SM8650-QRD & SM8650-HDK
Tested-by: Caleb Connolly <caleb.connolly@linaro.org> # OnePlus 8T
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agodt-bindings: net: bluetooth: qualcomm: describe regulators for QCA6390
Bartosz Golaszewski [Wed, 12 Jun 2024 08:01:49 +0000 (10:01 +0200)]
dt-bindings: net: bluetooth: qualcomm: describe regulators for QCA6390

QCA6390 has a compatible listed in the bindings but is missing the
regulators description. Add the missing supply property and list the
required ones in the allOf section.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoMerge tag 'pwrseq-initial-for-v6.11' of git://git.kernel.org/pub/scm/linux/kernel...
Luiz Augusto von Dentz [Mon, 15 Jul 2024 14:09:20 +0000 (10:09 -0400)]
Merge tag 'pwrseq-initial-for-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into HEAD

Initial implementation of the power sequencing subsystem for linux v6.11

15 months agoBluetooth: btintel: Add firmware ID to firmware name
Kiran K [Wed, 19 Jun 2024 10:09:33 +0000 (15:39 +0530)]
Bluetooth: btintel: Add firmware ID to firmware name

From BlazarI onwards, driver shall append the firmware ID (usually
represents transport type) while constructing the firmware name.
Firmware ID is returned on Intel Read Version command.

The new firmware file name for operational image and ddc file shall be,
ibt-<cnvi_top type+cnvi_top step>-<cnvr_top type+cnvr_top step-fw_id>.[sfi|ddc]

dmesg snippet from BlazarI pcie  product:

......

[17.098858] Bluetooth: hci0: Found device firmware: intel/ibt-0190-0291-pci.sfi
[17.098871] Bluetooth: hci0: Boot Address: 0x10000800
[17.098872] Bluetooth: hci0: Firmware Version: 214-25.24
[17.158229] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[17.158236] Bluetooth: BNEP filters: protocol multicast
[17.158241] Bluetooth: BNEP socket layer initialized
[17.468789] Bluetooth: hci0: Waiting for firmware download to complete
[17.468793] Bluetooth: hci0: Firmware loaded in 361262 usecs
[17.468872] Bluetooth: hci0: Waiting for device to boot
[17.504148] Bluetooth: hci0: Device booted in 34512 usecs
[17.504148] Bluetooth: hci0: Malformed MSFT vendor event: 0x02
[17.504682] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-0190-0291-pci.ddc
[17.505380] Bluetooth: hci0: Applying Intel DDC parameters completed
[17.505622] Bluetooth: hci0: Firmware timestamp 2024.25 buildtype 3 build 64726
[17.505624] Bluetooth: hci0: Firmware SHA1: 0x9f4adddc
[17.505838] Bluetooth: hci0: Fseq status: Success (0x00)
[17.505839] Bluetooth: hci0: Fseq executed: 00.00.04.183
[17.505840] Bluetooth: hci0: Fseq BT Top: 00.00.04.183

dmesg snippet from BlazarI usb product:

.......

[14.212072] Bluetooth: hci0: Found device firmware: intel/ibt-0190-0291-usb.sfi
[14.212091] Bluetooth: hci0: Boot Address: 0x10000800
[14.212093] Bluetooth: hci0: Firmware Version: 79-21.24
[14.262125] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[14.262129] Bluetooth: BNEP filters: protocol multicast
[14.262133] Bluetooth: BNEP socket layer initialized
[15.865421] Bluetooth: hci0: Waiting for firmware download to complete
[15.865991] Bluetooth: hci0: Firmware loaded in 1615150 usecs
[15.866017] Bluetooth: hci0: Waiting for device to boot
[15.899934] Bluetooth: hci0: Malformed MSFT vendor event: 0x02
[15.899942] Bluetooth: hci0: Device booted in 33139 usecs
[15.900172] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-0190-0291-usb.ddc
[15.901928] Bluetooth: hci0: Applying Intel DDC parameters completed
[15.904993] Bluetooth: hci0: Firmware timestamp 2024.21 buildtype 3 build 63311
[15.904996] Bluetooth: hci0: Firmware SHA1: 0x8b217cf7
[15.908929] Bluetooth: hci0: Fseq status: Success (0x00)
[15.908934] Bluetooth: hci0: Fseq executed: 00.00.04.180
[15.908935] Bluetooth: hci0: Fseq BT Top: 00.00.04.180

Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_core, hci_sync: cleanup struct discovery_state
Dmitry Antipov [Tue, 18 Jun 2024 18:59:32 +0000 (21:59 +0300)]
Bluetooth: hci_core, hci_sync: cleanup struct discovery_state

After commit 78db544b5d27 ("Bluetooth: hci_core: Remove le_restart_scan
work"), 'scan_start' and 'scan_duration' of 'struct discovery_state'
are still initialized but actually unused. So remove the aforementioned
fields and adjust 'hci_discovery_filter_clear()' and 'le_scan_disable()'
accordingly. Compile tested only.

Fixes: 78db544b5d27 ("Bluetooth: hci_core: Remove le_restart_scan work")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
Hilda Wu [Mon, 17 Jun 2024 09:05:18 +0000 (17:05 +0800)]
Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables

Add the support ID 0489:e125 to usb_device_id table for
Realtek RTL8852B chip.

The device info from /sys/kernel/debug/usb/devices as below.

T:  Bus=01 Lev=01 Prnt=01 Port=07 Cnt=03 Dev#=  5 Spd=12   MxCh= 0
D:  Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0489 ProdID=e125 Rev= 0.00
S:  Manufacturer=Realtek
S:  Product=Bluetooth Radio
S:  SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms

Signed-off-by: Hilda Wu <hildawu@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_event: Set QoS encryption from BIGInfo report
Iulia Tanasescu [Mon, 17 Jun 2024 08:52:06 +0000 (11:52 +0300)]
Bluetooth: hci_event: Set QoS encryption from BIGInfo report

On a Broadcast Sink, after synchronizing to the PA transimitted by a
Broadcast Source, the BIGInfo advertising reports emitted by the
Controller hold the encryption field, which indicates whether the
Broadcast Source is transmitting encrypted streams.

This updates the PA sync hcon QoS with the encryption value reported
in the BIGInfo report, so that this information is accurate if the
userspace tries to access the QoS struct via getsockopt.

Fixes: 1d11d70d1f6b ("Bluetooth: ISO: Pass BIG encryption info through QoS")
Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Add handling for boot-signature timeout errors
Neeraj Sanjay Kale [Fri, 14 Jun 2024 08:23:38 +0000 (13:53 +0530)]
Bluetooth: btnxpuart: Add handling for boot-signature timeout errors

This handles the timeout error codes sent by the chip as part of the
bootloader signatures during firmware download process.

When the bootloader does not receive a response packet from the host
within a specific time, it adds an error code to the bootloader
signature while requesting for the FW chunk from the same offset.

The host is expected to clear this error code with a NAK, and reply to
only those bootloader signatures which have error code 0.

However, the driver was ignoring this error code and replying with the
firmware chunks instead, which is apparently ignored by the chip and the
chip resends the same bootloader signature with the error code again. This
happens in a loop until the error code self clears and firmware download
proceeds ahead, adding a couple of milliseconds to the total firmware
download time.

Commit 689ca16e5232 was an initial implementation which simply printed
the following line during driver debug:
- FW Download received err 0x04 from chip

This commit adds the expected handling to the error codes.

This error handling is valid for data_req bootloader signatures for V3
and future bootloader versions.

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Update firmware names
Neeraj Sanjay Kale [Fri, 14 Jun 2024 08:49:41 +0000 (14:19 +0530)]
Bluetooth: btnxpuart: Update firmware names

This updates the firmware names of 3 chipsets: w8987, w8997, w9098.
These changes are been done to standardize chip specific firmware
file names to be in sync with firmware names of newer chipsets.

The naming convention for BT-only files would be as follows:
For dual-radio WiFi+BT chipsets:
- <protocol-BT><chip-name>_bt_v<HW-version>.bin
For tri-radio WiFi+BT+15.4 chipsets:
- <protocol-BT><protocol-15.4><chip-name>_bt_v<HW-version>.bin

To maintain backward compatibility, this commit adds a provision to
request older firmware file name, if new firmware file name not found in
/lib/firmware/nxp/.

A new device tree property has been introduced called firmware-name, to
override the hardcoded firmware names (old and new) in the driver.

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agodt-bindings: net: bluetooth: nxp: Add firmware-name property
Neeraj Sanjay Kale [Fri, 14 Jun 2024 08:49:40 +0000 (14:19 +0530)]
dt-bindings: net: bluetooth: nxp: Add firmware-name property

This adds a new optional device tree property called firware-name.

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_bcm4377: Add BCM4388 support
Hector Martin [Sun, 2 Jun 2024 09:57:05 +0000 (09:57 +0000)]
Bluetooth: hci_bcm4377: Add BCM4388 support

This new variant needs a different core2_window1 and always uses
beamforming.
The BAR2 also has an offset (RAM start, presumably), so add that.

Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Sven Peter <sven@svenpeter.dev>
[sven: rebased, updated some comments, mentioned 4388 in Kconfig]
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: Add vendor-specific packet classification for ISO data
Ying Hsu [Wed, 29 May 2024 08:00:00 +0000 (08:00 +0000)]
Bluetooth: Add vendor-specific packet classification for ISO data

When HCI raw sockets are opened, the Bluetooth kernel module doesn't
track CIS/BIS connections. User-space applications have to identify
ISO data by maintaining connection information and look up the mapping
for each ACL data packet received. Besides, btsnoop log captured in
kernel couldn't tell ISO data from ACL data in this case.

To avoid additional lookups, this patch introduces vendor-specific
packet classification for Intel BT controllers to distinguish
ISO data packets from ACL data packets.

Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: iso: remove unused struct 'iso_list_data'
Dr. David Alan Gilbert [Fri, 31 May 2024 23:26:14 +0000 (00:26 +0100)]
Bluetooth: iso: remove unused struct 'iso_list_data'

'iso_list_data' has been unused since the original
commit ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type").

Remove it.

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel_pcie: Remove unnecessary memset(0) calls
Thorsten Blum [Fri, 31 May 2024 23:51:33 +0000 (01:51 +0200)]
Bluetooth: btintel_pcie: Remove unnecessary memset(0) calls

Remove memset(0) after dma_alloc_coherent(), which already zeroes out
the memory, and fix the following two Coccinelle/coccicheck warnings
reported by zalloc-simple.cocci:

btintel_pcie.c:837:19-37: WARNING: dma_alloc_coherent used in

/* Allocate full chunk of data buffer for DMA first and do indexing and
 * initialization next, so it can be freed easily
 */
rxq->buf_v_addr   already zeroes out memory, so memset is not needed

btintel_pcie.c:792:19-37: WARNING: dma_alloc_coherent used in

/* Allocate full chunk of data buffer for DMA first and do indexing and
 * initialization next, so it can be freed easily
 */
txq->buf_v_addr   already zeroes out memory, so memset is not needed

Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: Use sizeof(*pointer) instead of sizeof(type)
Erick Archer [Fri, 24 May 2024 17:11:51 +0000 (19:11 +0200)]
Bluetooth: Use sizeof(*pointer) instead of sizeof(type)

It is preferred to use sizeof(*pointer) instead of sizeof(type)
due to the type of the variable can change and one needs not
change the former (unlike the latter). This patch has no effect
on runtime behavior.

Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: MGMT: Uninitialized variable in load_conn_param()
Dan Carpenter [Fri, 24 May 2024 10:14:02 +0000 (13:14 +0300)]
Bluetooth: MGMT: Uninitialized variable in load_conn_param()

The "update" variable needs to be initialized to false.

Fixes: 0ece498c27d8 ("Bluetooth: MGMT: Make MGMT_OP_LOAD_CONN_PARAM update existing connection")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth/nokia: Remove unused struct 'hci_nokia_radio_hdr'
Dr. David Alan Gilbert [Thu, 9 May 2024 00:11:38 +0000 (01:11 +0100)]
Bluetooth/nokia: Remove unused struct 'hci_nokia_radio_hdr'

'hci_nokia_radio_hdr' looks like it was unused since it's
initial commit.

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agotty: rfcomm: prefer array indexing over pointer arithmetic
Erick Archer [Fri, 17 May 2024 17:21:50 +0000 (19:21 +0200)]
tty: rfcomm: prefer array indexing over pointer arithmetic

Refactor the list_for_each_entry() loop of rfcomm_get_dev_list()
function to use array indexing instead of pointer arithmetic.

This way, the code is more readable and idiomatic.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agotty: rfcomm: prefer struct_size over open coded arithmetic
Erick Archer [Fri, 17 May 2024 17:21:49 +0000 (19:21 +0200)]
tty: rfcomm: prefer struct_size over open coded arithmetic

This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].

As the "dl" variable is a pointer to "struct rfcomm_dev_list_req" and
this structure ends in a flexible array:

struct rfcomm_dev_list_req {
[...]
struct   rfcomm_dev_info dev_info[];
};

the preferred way in the kernel is to use the struct_size() helper to
do the arithmetic instead of the calculation "size + count * size" in
the kzalloc() and copy_to_user() functions.

At the same time, prepare for the coming implementation by GCC and Clang
of the __counted_by attribute. Flexible array members annotated with
__counted_by can have their accesses bounds-checked at run-time via
CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for
strcpy/memcpy-family functions).

In this case, it is important to note that the logic needs a little
refactoring to ensure that the "dev_num" member is initialized before
the first access to the flex array. Specifically, add the assignment
before the list_for_each_entry() loop.

Also remove the "size" variable as it is no longer needed.

This way, the code is more readable and safer.

This code was detected with the help of Coccinelle, and audited and
modified manually.

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Link: https://github.com/KSPP/linux/issues/160
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_core: Prefer array indexing over pointer arithmetic
Erick Archer [Sat, 18 May 2024 08:30:39 +0000 (10:30 +0200)]
Bluetooth: hci_core: Prefer array indexing over pointer arithmetic

Refactor the list_for_each_entry() loop of hci_get_dev_list()
function to use array indexing instead of pointer arithmetic.

This way, the code is more readable and idiomatic.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_core: Prefer struct_size over open coded arithmetic
Erick Archer [Sat, 18 May 2024 08:30:38 +0000 (10:30 +0200)]
Bluetooth: hci_core: Prefer struct_size over open coded arithmetic

This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].

As the "dl" variable is a pointer to "struct hci_dev_list_req" and this
structure ends in a flexible array:

struct hci_dev_list_req {
[...]
struct hci_dev_req dev_req[]; /* hci_dev_req structures */
};

the preferred way in the kernel is to use the struct_size() helper to
do the arithmetic instead of the calculation "size + count * size" in
the kzalloc() and copy_to_user() functions.

At the same time, prepare for the coming implementation by GCC and Clang
of the __counted_by attribute. Flexible array members annotated with
__counted_by can have their accesses bounds-checked at run-time via
CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for
strcpy/memcpy-family functions).

In this case, it is important to note that the logic needs a little
refactoring to ensure that the "dev_num" member is initialized before
the first access to the flex array. Specifically, add the assignment
before the list_for_each_entry() loop.

Also remove the "size" variable as it is no longer needed.

This way, the code is more readable and safer.

This code was detected with the help of Coccinelle, and audited and
modified manually.

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Link: https://github.com/KSPP/linux/issues/160
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel_pcie: Fix irq leak
Kiran K [Fri, 17 May 2024 09:54:46 +0000 (15:24 +0530)]
Bluetooth: btintel_pcie: Fix irq leak

Free irq before releasing irq vector.

Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel_pcie: Print Firmware Sequencer information
Kiran K [Fri, 17 May 2024 09:54:45 +0000 (15:24 +0530)]
Bluetooth: btintel_pcie: Print Firmware Sequencer information

Firmware sequencer (FSEQ) is a common code shared across Bluetooth
and Wifi. Printing FSEQ will help to debug if there is any mismatch
between Bluetooth and Wifi FSEQ.

Make 'btintel_print_fseq_info' public and use it in btintel_pcie.c.

dmesg:

....

[ 5335.695740] Bluetooth: hci0: Device booted in 33872 usecs
[ 5335.695918] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-0190-0291.ddc
[ 5335.697011] Bluetooth: hci0: Applying Intel DDC parameters completed
[ 5335.697837] Bluetooth: hci0: Firmware timestamp 2024.20 buildtype 0 build 62871
[ 5335.697848] Bluetooth: hci0: Firmware SHA1: 0xeffdce06
[ 5335.698655] Bluetooth: hci0: Fseq status: Success (0x00)
[ 5335.698666] Bluetooth: hci0: Fseq executed: 00.00.04.176
[ 5335.698670] Bluetooth: hci0: Fseq BT Top: 00.00.04.176
[ 5335.750204] Bluetooth: MGMT ver 1.22

Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btusb: mediatek: add MT7922 subsystem reset
Hao Qin [Wed, 15 May 2024 23:15:21 +0000 (16:15 -0700)]
Bluetooth: btusb: mediatek: add MT7922 subsystem reset

Add the support of MT7922 bluetooth subsystem reset that was called the
auto revert to self-recover from the fatal error in the controller like
the host encounters HCI cmd timeout or the controller crashes.

Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Hao Qin <hao.qin@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btusb: mediatek: reset the controller before downloading the fw
Hao Qin [Wed, 15 May 2024 23:15:20 +0000 (16:15 -0700)]
Bluetooth: btusb: mediatek: reset the controller before downloading the fw

Reset the controller before downloading the firmware to improve its
reliability. This includes situations like cold or warm reboots, ensuring
the controller is in its initial state before starting the firmware
download.

Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Co-developed-by: Chris Lu <chris.lu@mediatek.com>
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Signed-off-by: Hao Qin <hao.qin@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btusb: mediatek: refactor the function btusb_mtk_reset
Hao Qin [Wed, 15 May 2024 23:15:19 +0000 (16:15 -0700)]
Bluetooth: btusb: mediatek: refactor the function btusb_mtk_reset

Extract the function btusb_mtk_subsys_reset from the btusb_mtk_reset
for the future handling of resetting bluetooth controller without
the USB reset.

Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Hao Qin <hao.qin@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btmtk: apply the common btmtk_fw_get_filename
Sean Wang [Wed, 15 May 2024 23:15:18 +0000 (16:15 -0700)]
Bluetooth: btmtk: apply the common btmtk_fw_get_filename

Apply the common btmtk_fw_get_filename to avoid the similar coding in each
driver.

Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btmtk: add the function to get the fw name
Sean Wang [Wed, 15 May 2024 23:15:17 +0000 (16:15 -0700)]
Bluetooth: btmtk: add the function to get the fw name

Include a shared function to get the firmware name, to prevent repeating
code for similar chipsets.

Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btintel: Refactor btintel_set_ppag()
Kiran K [Thu, 16 May 2024 12:24:36 +0000 (17:54 +0530)]
Bluetooth: btintel: Refactor btintel_set_ppag()

Current flow iterates the ACPI table associated with Bluetooth
controller looking for PPAG method. Method name can be directly passed
to acpi_evaluate_object function instead of iterating the table.

Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)")
Signed-off-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading
Luke Wang [Fri, 17 May 2024 11:15:35 +0000 (19:15 +0800)]
Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

When unload the btnxpuart driver, its associated timer will be deleted.
If the timer happens to be modified at this moment, it leads to the
kernel call this timer even after the driver unloaded, resulting in
kernel panic.
Use timer_shutdown_sync() instead of del_timer_sync() to prevent rearming.

panic log:
  Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
  Modules linked in: algif_hash algif_skcipher af_alg moal(O) mlan(O) crct10dif_ce polyval_ce polyval_generic   snd_soc_imx_card snd_soc_fsl_asoc_card snd_soc_imx_audmux mxc_jpeg_encdec v4l2_jpeg snd_soc_wm8962 snd_soc_fsl_micfil   snd_soc_fsl_sai flexcan snd_soc_fsl_utils ap130x rpmsg_ctrl imx_pcm_dma can_dev rpmsg_char pwm_fan fuse [last unloaded:   btnxpuart]
  CPU: 5 PID: 723 Comm: memtester Tainted: G           O       6.6.23-lts-next-06207-g4aef2658ac28 #1
  Hardware name: NXP i.MX95 19X19 board (DT)
  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : 0xffff80007a2cf464
  lr : call_timer_fn.isra.0+0x24/0x80
...
  Call trace:
   0xffff80007a2cf464
   __run_timers+0x234/0x280
   run_timer_softirq+0x20/0x40
   __do_softirq+0x100/0x26c
   ____do_softirq+0x10/0x1c
   call_on_irq_stack+0x24/0x4c
   do_softirq_own_stack+0x1c/0x2c
   irq_exit_rcu+0xc0/0xdc
   el0_interrupt+0x54/0xd8
   __el0_irq_handler_common+0x18/0x24
   el0t_64_irq_handler+0x10/0x1c
   el0t_64_irq+0x190/0x194
  Code: ???????? ???????? ???????? ???????? (????????)
  ---[ end trace 0000000000000000 ]---
  Kernel panic - not syncing: Oops: Fatal exception in interrupt
  SMP: stopping secondary CPUs
  Kernel Offset: disabled
  CPU features: 0x0,c0000000,40028143,1000721b
  Memory Limit: none
  ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Handle FW Download Abort scenario
Neeraj Sanjay Kale [Wed, 15 May 2024 07:06:57 +0000 (12:36 +0530)]
Bluetooth: btnxpuart: Handle FW Download Abort scenario

This adds a new flag BTNXPUART_FW_DOWNLOAD_ABORT which handles the
situation where driver is removed while firmware download is in
progress.

logs:
modprobe btnxpuart
[65239.230431] Bluetooth: hci0: ChipID: 7601, Version: 0
[65239.236670] Bluetooth: hci0: Request Firmware: nxp/uartspi_n61x_v1.bin.se
rmmod btnxpuart
[65241.425300] Bluetooth: hci0: FW Download Aborted

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Tested-by: Guillaume Legoupil <guillaume.legoupil@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Enable status prints for firmware download
Neeraj Sanjay Kale [Wed, 15 May 2024 07:06:56 +0000 (12:36 +0530)]
Bluetooth: btnxpuart: Enable status prints for firmware download

This enables prints for firmware download which can help automation
tests to verify firmware download functionality.

dmesg logs before:
modprobe btnxpuart
[ 1999.187264] Bluetooth: MGMT ver 1.22

dmesg logs with this patch:
modprobe btnxpuart
[16179.758515] Bluetooth: hci0: ChipID: 7601, Version: 0
[16179.764748] Bluetooth: hci0: Request Firmware: nxp/uartspi_n61x_v1.bin.se
[16181.217490] Bluetooth: hci0: FW Download Complete: 372696 bytes
[16182.701398] Bluetooth: MGMT ver 1.22

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Tested-by: Guillaume Legoupil <guillaume.legoupil@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()
Neeraj Sanjay Kale [Wed, 15 May 2024 07:06:55 +0000 (12:36 +0530)]
Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()

This adds a check before freeing the rx->skb in flush and close
functions to handle the kernel crash seen while removing driver after FW
download fails or before FW download completes.

dmesg log:
[   54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080
[   54.643398] Mem abort info:
[   54.646204]   ESR = 0x0000000096000004
[   54.649964]   EC = 0x25: DABT (current EL), IL = 32 bits
[   54.655286]   SET = 0, FnV = 0
[   54.658348]   EA = 0, S1PTW = 0
[   54.661498]   FSC = 0x04: level 0 translation fault
[   54.666391] Data abort info:
[   54.669273]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   54.674768]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   54.674771]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000
[   54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000
[   54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[   54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse
[   54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2
[   54.744364] Hardware name: FSL i.MX8MM EVK board (DT)
[   54.744368] Workqueue: hci0 hci_power_on
[   54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   54.757249] pc : kfree_skb_reason+0x18/0xb0
[   54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.782921] sp : ffff8000805ebca0
[   54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000
[   54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230
[   54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92
[   54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff
[   54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857
[   54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642
[   54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688
[   54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000
[   54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000
[   54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac
[   54.857599] Call trace:
[   54.857601]  kfree_skb_reason+0x18/0xb0
[   54.863878]  btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.863888]  hci_dev_open_sync+0x3a8/0xa04
[   54.872773]  hci_power_on+0x54/0x2e4
[   54.881832]  process_one_work+0x138/0x260
[   54.881842]  worker_thread+0x32c/0x438
[   54.881847]  kthread+0x118/0x11c
[   54.881853]  ret_from_fork+0x10/0x20
[   54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)
[   54.896410] ---[ end trace 0000000000000000 ]---

Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Tested-by: Guillaume Legoupil <guillaume.legoupil@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_bcm4377: Increase boot timeout
Hector Martin [Wed, 15 May 2024 18:15:03 +0000 (18:15 +0000)]
Bluetooth: hci_bcm4377: Increase boot timeout

BCM4388 takes over 2 seconds to boot, so increase the timeout.

Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Sven Peter <sven@svenpeter.dev>
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: hci_bcm4377: Use correct unit for timeouts
Sven Peter [Wed, 15 May 2024 18:15:02 +0000 (18:15 +0000)]
Bluetooth: hci_bcm4377: Use correct unit for timeouts

BCM4377_TIMEOUT is always used to wait for completitions and their API
expects a timeout in jiffies instead of msecs.

Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoBluetooth: MGMT: Make MGMT_OP_LOAD_CONN_PARAM update existing connection
Luiz Augusto von Dentz [Fri, 10 May 2024 14:36:45 +0000 (10:36 -0400)]
Bluetooth: MGMT: Make MGMT_OP_LOAD_CONN_PARAM update existing connection

This makes MGMT_OP_LOAD_CONN_PARAM update existing connection by
dectecting the request is just for one connection, parameters already
exists and there is a connection.

Since this is a new behavior the revision is also updated to enable
userspace to detect it.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
15 months agoMerge branch 'introduce-en7581-ethernet-support'
Jakub Kicinski [Sun, 14 Jul 2024 14:46:55 +0000 (07:46 -0700)]
Merge branch 'introduce-en7581-ethernet-support'

Lorenzo Bianconi says:

====================
Introduce EN7581 ethernet support

Add airoha_eth driver in order to introduce ethernet support for
Airoha EN7581 SoC available on EN7581 development board.
EN7581 mac controller is mainly composed by Frame Engine (FE) and
QoS-DMA (QDMA) modules. FE is used for traffic offloading (just basic
functionalities are supported now) while QDMA is used for DMA operation
and QOS functionalities between mac layer and the dsa switch (hw QoS is
not available yet and it will be added in the future).
Currently only hw lan features are available, hw wan will be added with
subsequent patches.
====================

Link: https://patch.msgid.link/cover.1720818878.git.lorenzo@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: airoha: Introduce ethernet support for EN7581 SoC
Lorenzo Bianconi [Fri, 12 Jul 2024 21:27:58 +0000 (23:27 +0200)]
net: airoha: Introduce ethernet support for EN7581 SoC

Add airoha_eth driver in order to introduce ethernet support for
Airoha EN7581 SoC available on EN7581 development board (en7581-evb).
EN7581 mac controller is mainly composed by the Frame Engine (PSE+PPE)
and QoS-DMA (QDMA) modules. FE is used for traffic offloading (just
basic functionalities are currently supported) while QDMA is used for
DMA operations and QOS functionalities between the mac layer and the
external modules conncted to the FE GDM ports (e.g MT7530 DSA switch
or external phys).
A general overview of airoha_eth architecture is reported below:

               ┌───────┐                                     ┌───────┐
               │ QDMA2 │                                     │ QDMA1 │
               └───┬───┘                                     └───┬───┘
                   │                                             │
           ┌───────▼─────────────────────────────────────────────▼────────┐
           │                                                              │
           │       P5                                            P0       │
           │                                                              │
           │                                                              │
           │                                                              │    ┌──────┐
           │                                                           P3 ├────► GDM3 │
           │                                                              │    └──────┘
           │                                                              │
           │                                                              │
┌─────┐    │                                                              │
│ PPE ◄────┤ P4                          PSE                              │
└─────┘    │                                                              │
           │                                                              │
           │                                                              │
           │                                                              │    ┌──────┐
           │                                                           P9 ├────► GDM4 │
           │                                                              │    └──────┘
           │                                                              │
           │                                                              │
           │                                                              │
           │        P2                                           P1       │
           └─────────┬───────────────────────────────────────────┬────────┘
                     │                                           │
                 ┌───▼──┐                                     ┌──▼───┐
                 │ GDM2 │                                     │ GDM1 │
                 └──────┘                                     └──┬───┘
                                                                 │
                                                            ┌────▼─────┐
                                                            │  MT7530  │
                                                            └──────────┘

Currently only hw LAN features (QDMA1+GDM1) are available while hw WAN
(QDMA2+GDM{2,3,4}) ones will be added with subsequent patches introducing
traffic offloading support.

Tested-by: Benjamin Larsson <benjamin.larsson@genexis.eu>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/274945d2391c195098ab180a46d0617b18b9e42c.1720818878.git.lorenzo@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agodt-bindings: net: airoha: Add EN7581 ethernet controller
Lorenzo Bianconi [Fri, 12 Jul 2024 21:27:57 +0000 (23:27 +0200)]
dt-bindings: net: airoha: Add EN7581 ethernet controller

Introduce device-tree binding documentation for Airoha EN7581 ethernet
mac controller.

Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/7dfecf8aa4e6519562a94455b95c49e1b3c858a0.1720818878.git.lorenzo@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next...
Jakub Kicinski [Sun, 14 Jul 2024 14:37:29 +0000 (07:37 -0700)]
Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue

Tony Nguyen says:

====================
ice: Switch API optimizations

Marcin Szycik says:

Optimize the process of creating a recipe in the switch block by removing
duplicate switch ID words and changing how result indexes are fitted into
recipes. In many cases this can decrease the number of recipes required to
add a certain set of rules, potentially allowing a more varied set of rules
to be created. Total rule count will also increase, since less words will
be left unused/wasted. There are only 64 rules available in total, so every
one counts.

After this modification, many fields and some structs became unused or were
simplified, resulting in overall simpler implementation.

* '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue:
  ice: Add tracepoint for adding and removing switch rules
  ice: Remove unused members from switch API
  ice: Optimize switch recipe creation
  ice: remove unused recipe bookkeeping data
  ice: Simplify bitmap setting in adding recipe
  ice: Remove reading all recipes before adding a new one
  ice: Remove unused struct ice_prot_lkup_ext members
====================

Link: https://patch.msgid.link/20240711181312.2019606-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next...
Jakub Kicinski [Sat, 13 Jul 2024 23:04:52 +0000 (16:04 -0700)]
Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue

Tony Nguyen says:

====================
Intel Wired LAN Driver Updates 2024-07-11 (net/intel)

This series contains updates to most Intel network drivers.

Tony removes MODULE_AUTHOR from drivers containing the entry.

Simon Horman corrects a kdoc entry for i40e.

Pawel adds implementation for devlink param "local_forwarding" on ice.

Michal removes unneeded call, and code, for eswitch rebuild for ice.

Sasha removed a no longer used field from igc.

* '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue:
  igc: Remove the internal 'eee_advert' field
  ice: remove eswitch rebuild
  ice: Add support for devlink local_forwarding param
  i40e: correct i40e_addr_to_hkey() name in kdoc
  net: intel: Remove MODULE_AUTHORs
====================

Link: https://patch.msgid.link/20240711201932.2019925-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agosfc: falcon: Make I2C terminology more inclusive
Easwar Hariharan [Thu, 11 Jul 2024 05:27:32 +0000 (05:27 +0000)]
sfc: falcon: Make I2C terminology more inclusive

I2C v7, SMBus 3.2, and I3C 1.1.1 specifications have replaced "master/slave"
with more appropriate terms. Inspired by Wolfram's series to fix drivers/i2c/,
fix the terminology for users of I2C_ALGOBIT bitbanging interface, now that
the approved verbiage exists in the specification.

Reviewed-by: Martin Habets <habetsm.xilinx@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Link: https://patch.msgid.link/20240711052734.1273652-5-eahariha@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: phy: dp83td510: add cable testing support
Oleksij Rempel [Fri, 12 Jul 2024 15:28:48 +0000 (17:28 +0200)]
net: phy: dp83td510: add cable testing support

This patch implements the TDR test procedure as described in
"Application Note DP83TD510E Cable Diagnostics Toolkit revC", section 3.2.

The procedure was tested with "draka 08 signalkabel 2x0.8mm". The reported
cable length was 5 meters more for each 20 meters of actual cable length.
For instance, a 20-meter cable showed as 25 meters, and a 40-meter cable
showed as 50 meters. Since other parts of the diagnostics provided by this
PHY (e.g., Active Link Cable Diagnostics) require accurate cable
characterization to provide proper results, this tuning can be implemented
in a separate patch/interface.

Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
changes v2:
- add comments
- change post silence time to 1000ms
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20240712152848.2479912-1-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: dpaa: Fix compilation Warning
Breno Leitao [Fri, 12 Jul 2024 13:48:16 +0000 (06:48 -0700)]
net: dpaa: Fix compilation Warning

Remove variables that are defined and incremented but never read.
This issue appeared in network tests[1] as:

drivers/net/ethernet/freescale/dpaa/dpaa_eth_sysfs.c:38:6: warning: variable 'i' set but not used [-Wunused-but-set-variable]
38 |         int i = 0;
   |             ^

Link: https://netdev.bots.linux.dev/static/nipa/870263/13729811/build_clang/stderr
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20240712134817.913756-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: mlx5: expose NETIF_F_NTUPLE when ARFS is compiled out
Jakub Kicinski [Thu, 11 Jul 2024 22:37:22 +0000 (15:37 -0700)]
eth: mlx5: expose NETIF_F_NTUPLE when ARFS is compiled out

ARFS depends on NTUPLE filters, but the inverse is not true.
Drivers which don't support ARFS commonly still support NTUPLE
filtering. mlx5 has a Kconfig option to disable ARFS (MLX5_EN_ARFS)
and does not advertise NTUPLE filters as a feature at all when ARFS
is compiled out. That's not correct, ntuple filters indeed still work
just fine (as long as MLX5_EN_RXNFC is enabled).

This is needed to make the RSS test not skip all RSS context
related testing.

Acked-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20240711223722.297676-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoselftests: mptcp: lib: fix shellcheck errors
Matthieu Baerts (NGI0) [Fri, 12 Jul 2024 10:00:15 +0000 (12:00 +0200)]
selftests: mptcp: lib: fix shellcheck errors

It looks like we missed these two errors recently:

  - SC2068: Double quote array expansions to avoid re-splitting elements.
  - SC2145: Argument mixes string and array. Use * or separate argument.

Two simple fixes, it is not supposed to change the behaviour as the
variable names should not have any spaces in their names. Still, better
to fix them to easily spot new issues.

Fixes: f265d3119a29 ("selftests: mptcp: lib: use setup/cleanup_ns helpers")
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240712-upstream-net-next-20240712-selftests-mptcp-fix-shellcheck-v1-1-1cb7180db40a@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch 'mlx5-misc-2023-07-08-sf-max-eq'
Jakub Kicinski [Sat, 13 Jul 2024 22:44:18 +0000 (15:44 -0700)]
Merge branch 'mlx5-misc-2023-07-08-sf-max-eq'

Saeed Mahameed says:

====================
mlx5 misc 2023-07-08 (sf max eq)

Link: https://patchwork.kernel.org/project/netdevbpf/patch/20240708080025.1593555-2-tariqt@nvidia.com/
====================

Link: https://patch.msgid.link/20240712003310.355106-1-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet/mlx5: Use set number of max EQs
Daniel Jurgens [Fri, 12 Jul 2024 00:33:10 +0000 (17:33 -0700)]
net/mlx5: Use set number of max EQs

If a maximum number of EQs has been set for an SF, use that amount.

Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20240712003310.355106-5-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet/mlx5: Set default max eqs for SFs
Daniel Jurgens [Fri, 12 Jul 2024 00:33:09 +0000 (17:33 -0700)]
net/mlx5: Set default max eqs for SFs

If the user hasn't configured max_io_eqs set a low default. The SF
driver shouldn't try to create more than this, but FW will enforce this
limit.

Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20240712003310.355106-4-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet/mlx5: Set sf_eq_usage for SF max EQs
Daniel Jurgens [Fri, 12 Jul 2024 00:33:08 +0000 (17:33 -0700)]
net/mlx5: Set sf_eq_usage for SF max EQs

When setting max_io_eqs for an SF function also set the sf_eq_usage_cap.
This is to indicate to the SF driver from the PF that the user has set
the max io eqs via devlink. So the SF driver can later query the proper
max eq value from the new cap.

Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20240712003310.355106-3-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet/mlx5: IFC updates for SF max IO EQs
Daniel Jurgens [Fri, 12 Jul 2024 00:33:07 +0000 (17:33 -0700)]
net/mlx5: IFC updates for SF max IO EQs

Expose a new cap sf_eq_usage. The vhca_resource_manager can write this
cap, indicating the SF driver should use max_num_eqs_24b to determine
how many EQs to use.

Will be used in the next patch, to indicate to the SF driver from the PF
that the user has set the max io eqs via devlink. So the SF driver can
later query the proper max eq value from the new cap.

devlink port function set pci/0000:08:00.0/32768 max_io_eqs 32

Signed-off-by: Daniel Jurgens <danielj@nvidia.com>
Reviewed-by: William Tu <witu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20240712003310.355106-2-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: mvpp2: Improve data types and use min()
Thorsten Blum [Thu, 11 Jul 2024 15:47:43 +0000 (17:47 +0200)]
net: mvpp2: Improve data types and use min()

Change the data type of the variable freq in mvpp2_rx_time_coal_set()
and mvpp2_tx_time_coal_set() to u32 because port->priv->tclk also has
the data type u32.

Change the data type of the function parameter clk_hz in
mvpp2_usec_to_cycles() and mvpp2_cycles_to_usec() to u32 accordingly
and remove the following Coccinelle/coccicheck warning reported by
do_div.cocci:

  WARNING: do_div() does a 64-by-32 division, please consider using div64_ul instead

Use min() to simplify the code and improve its readability.

Compile-tested only.

Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240711154741.174745-1-thorsten.blum@toblux.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: ethtool: Monotonically increase the message sequence number
Danielle Ratson [Thu, 11 Jul 2024 08:09:34 +0000 (11:09 +0300)]
net: ethtool: Monotonically increase the message sequence number

Currently, during the module firmware flashing process, unicast
notifications are sent from the kernel using the same sequence number,
making it impossible for user space to track missed notifications.

Monotonically increase the message sequence number, so the order of
notifications could be tracked effectively.

Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Link: https://patch.msgid.link/20240711080934.2071869-1-danieller@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch 'tcp-make-simultaneous-connect-rfc-compliant'
Jakub Kicinski [Sat, 13 Jul 2024 22:19:53 +0000 (15:19 -0700)]
Merge branch 'tcp-make-simultaneous-connect-rfc-compliant'

Kuniyuki Iwashima says:

====================
tcp: Make simultaneous connect() RFC-compliant.

Patch 1 fixes an issue that BPF TCP option parser is triggered for ACK
instead of SYN+ACK in the case of simultaneous connect().

Patch 2 removes an wrong assumption in tcp_ao/self-connnect tests.

v2: https://lore.kernel.org/netdev/20240708180852.92919-1-kuniyu@amazon.com/
v1: https://lore.kernel.org/netdev/20240704035703.95065-1-kuniyu@amazon.com/
====================

Link: https://patch.msgid.link/20240710171246.87533-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoselftests: tcp: Remove broken SNMP assumptions for TCP AO self-connect tests.
Kuniyuki Iwashima [Wed, 10 Jul 2024 17:12:46 +0000 (10:12 -0700)]
selftests: tcp: Remove broken SNMP assumptions for TCP AO self-connect tests.

tcp_ao/self-connect.c checked the following SNMP stats before/after
connect() to confirm that the test exercises the simultaneous connect()
path.

  * TCPChallengeACK
  * TCPSYNChallenge

But the stats should not be counted for self-connect in the first place,
and the assumption is no longer true.

Let's remove the check.

Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Dmitry Safonov <dima@arista.com>
Link: https://patch.msgid.link/20240710171246.87533-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agotcp: Don't drop SYN+ACK for simultaneous connect().
Kuniyuki Iwashima [Wed, 10 Jul 2024 17:12:45 +0000 (10:12 -0700)]
tcp: Don't drop SYN+ACK for simultaneous connect().

RFC 9293 states that in the case of simultaneous connect(), the connection
gets established when SYN+ACK is received. [0]

      TCP Peer A                                       TCP Peer B

  1.  CLOSED                                           CLOSED
  2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...
  3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT
  4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED
  5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...
  6.  ESTABLISHED  <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED
  7.               ... <SEQ=100><ACK=301><CTL=SYN,ACK> --> ESTABLISHED

However, since commit 0c24604b68fc ("tcp: implement RFC 5961 4.2"), such a
SYN+ACK is dropped in tcp_validate_incoming() and responded with Challenge
ACK.

For example, the write() syscall in the following packetdrill script fails
with -EAGAIN, and wrong SNMP stats get incremented.

   0 socket(..., SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = 3
  +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress)

  +0 > S  0:0(0) <mss 1460,sackOK,TS val 1000 ecr 0,nop,wscale 8>
  +0 < S  0:0(0) win 1000 <mss 1000>
  +0 > S. 0:0(0) ack 1 <mss 1460,sackOK,TS val 3308134035 ecr 0,nop,wscale 8>
  +0 < S. 0:0(0) ack 1 win 1000

  +0 write(3, ..., 100) = 100
  +0 > P. 1:101(100) ack 1

  --

  # packetdrill cross-synack.pkt
  cross-synack.pkt:13: runtime error in write call: Expected result 100 but got -1 with errno 11 (Resource temporarily unavailable)
  # nstat
  ...
  TcpExtTCPChallengeACK           1                  0.0
  TcpExtTCPSYNChallenge           1                  0.0

The problem is that bpf_skops_established() is triggered by the Challenge
ACK instead of SYN+ACK.  This causes the bpf prog to miss the chance to
check if the peer supports a TCP option that is expected to be exchanged
in SYN and SYN+ACK.

Let's accept a bare SYN+ACK for active-open TCP_SYN_RECV sockets to avoid
such a situation.

Note that tcp_ack_snd_check() in tcp_rcv_state_process() is skipped not to
send an unnecessary ACK, but this could be a bit risky for net.git, so this
targets for net-next.

Link: https://www.rfc-editor.org/rfc/rfc9293.html#section-3.5-7
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240710171246.87533-2-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agotest/vsock: add install target
Peng Fan [Wed, 10 Jul 2024 12:27:28 +0000 (20:27 +0800)]
test/vsock: add install target

Add install target for vsock to make Yocto easy to install the images.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20240710122728.45044-1-peng.fan@oss.nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMAINTAINERS: add 5 missing tcp-related files
Eric Dumazet [Fri, 12 Jul 2024 23:42:13 +0000 (23:42 +0000)]
MAINTAINERS: add 5 missing tcp-related files

Following files are part of TCP stack:

- net/ipv4/inet_connection_sock.c
- net/ipv4/inet_hashtables.c
- net/ipv4/inet_timewait_sock.c
- net/ipv6/inet6_connection_sock.c
- net/ipv6/inet6_hashtables.c

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240712234213.3178593-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next...
Jakub Kicinski [Sat, 13 Jul 2024 05:27:25 +0000 (22:27 -0700)]
Merge branch '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue

Tony Nguyen says:

====================
idpf: XDP chapter I: convert Rx to libeth

Alexander Lobakin says:

XDP for idpf is currently 5 chapters:
* convert Rx to libeth (this);
* convert Tx and stats to libeth;
* generic XDP and XSk code changes, libeth_xdp;
* actual XDP for idpf via libeth_xdp;
* XSk for idpf (^).

Part I does the following:
* splits &idpf_queue into 4 (RQ, SQ, FQ, CQ) and puts them on a diet;
* ensures optimal cacheline placement, strictly asserts CL sizes;
* moves currently unused/dead singleq mode out of line;
* reuses libeth's Rx ptype definitions and helpers;
* uses libeth's Rx buffer management for both header and payload;
* eliminates memcpy()s and coherent DMA uses on hotpath, uses
  napi_build_skb() instead of in-place short skb allocation.

Most idpf patches, except for the queue split, removes more lines
than adds.

Expect far better memory utilization and +5-8% on Rx depending on
the case (+17% on skb XDP_DROP :>).

* '200GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue:
  idpf: use libeth Rx buffer management for payload buffer
  idpf: convert header split mode to libeth + napi_build_skb()
  libeth: support different types of buffers for Rx
  idpf: remove legacy Page Pool Ethtool stats
  idpf: reuse libeth's definitions of parsed ptype structures
  idpf: compile singleq code only under default-n CONFIG_IDPF_SINGLEQ
  idpf: merge singleq and splitq &net_device_ops
  idpf: strictly assert cachelines of queue and queue vector structures
  idpf: avoid bloating &idpf_q_vector with big %NR_CPUS
  idpf: split &idpf_queue into 4 strictly-typed queue structures
  idpf: stop using macros for accessing queue descriptors
  libeth: add cacheline / struct layout assertion helpers
  page_pool: use __cacheline_group_{begin, end}_aligned()
  cache: add __cacheline_group_{begin, end}_aligned() (+ couple more)
====================

Link: https://patch.msgid.link/20240710203031.188081-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf...
Jakub Kicinski [Sat, 13 Jul 2024 05:25:53 +0000 (22:25 -0700)]
Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

Daniel Borkmann says:

====================
pull-request: bpf-next 2024-07-12

We've added 23 non-merge commits during the last 3 day(s) which contain
a total of 18 files changed, 234 insertions(+), 243 deletions(-).

The main changes are:

1) Improve BPF verifier by utilizing overflow.h helpers to check
   for overflows, from Shung-Hsi Yu.

2) Fix NULL pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
   when attr->attach_prog_fd was not specified, from Tengda Wu.

3) Fix arm64 BPF JIT when generating code for BPF trampolines with
   BPF_TRAMP_F_CALL_ORIG which corrupted upper address bits,
   from Puranjay Mohan.

4) Remove test_run callback from lwt_seg6local_prog_ops which never worked
   in the first place and caused syzbot reports,
   from Sebastian Andrzej Siewior.

5) Relax BPF verifier to accept non-zero offset on KF_TRUSTED_ARGS/
   /KF_RCU-typed BPF kfuncs, from Matt Bobrowski.

6) Fix a long standing bug in libbpf with regards to handling of BPF
   skeleton's forward and backward compatibility, from Andrii Nakryiko.

7) Annotate btf_{seq,snprintf}_show functions with __printf,
   from Alan Maguire.

8) BPF selftest improvements to reuse common network helpers in sk_lookup
   test and dropping the open-coded inetaddr_len() and make_socket() ones,
   from Geliang Tang.

* tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next: (23 commits)
  selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()
  bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
  selftests/bpf: DENYLIST.aarch64: Skip fexit_sleep again
  bpf: use check_sub_overflow() to check for subtraction overflows
  bpf: use check_add_overflow() to check for addition overflows
  bpf: fix overflow check in adjust_jmp_off()
  bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
  bpf: annotate BTF show functions with __printf
  bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
  selftests/bpf: Close obj in error path in xdp_adjust_tail
  selftests/bpf: Null checks for links in bpf_tcp_ca
  selftests/bpf: Use connect_fd_to_fd in sk_lookup
  selftests/bpf: Use start_server_addr in sk_lookup
  selftests/bpf: Use start_server_str in sk_lookup
  selftests/bpf: Close fd in error path in drop_on_reuseport
  selftests/bpf: Add ASSERT_OK_FD macro
  selftests/bpf: Add backlog for network_helper_opts
  selftests/bpf: fix compilation failure when CONFIG_NF_FLOW_TABLE=m
  bpf: Remove tst_run from lwt_seg6local_prog_ops.
  bpf: relax zero fixed offset constraint on KF_TRUSTED_ARGS/KF_RCU
  ...
====================

Link: https://patch.msgid.link/20240712212448.5378-1-daniel@iogearbox.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Jakub Kicinski [Sat, 13 Jul 2024 05:17:55 +0000 (22:17 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Cross-merge networking fixes after downstream PR.

Conflicts:

drivers/net/ethernet/broadcom/bnxt/bnxt.c
  f7ce5eb2cb79 ("bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()")
  20c8ad72eb7f ("eth: bnxt: use the RSS context XArray instead of the local list")

Adjacent changes:

net/ethtool/ioctl.c
  503757c80928 ("net: ethtool: Fix RSS setting")
  eac9122f0c41 ("net: ethtool: record custom RSS contexts in the XArray")

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge branch 'eth-bnxt-use-the-new-rss-api'
Jakub Kicinski [Sat, 13 Jul 2024 05:16:28 +0000 (22:16 -0700)]
Merge branch 'eth-bnxt-use-the-new-rss-api'

Jakub Kicinski says:

====================
eth: bnxt: use the new RSS API

Convert bnxt from using the set_rxfh API to separate create/modify/remove
callbacks.

Two small extensions to the core APIs are necessary:
 - the ability to discard contexts if for some catastrophic reasons
   device can no longer provide them;
 - the ability to reserve space in the context for RSS table growth.

The driver is adjusted to store indirection tables on u32 to make
it easier to use core structs directly.

With that out of the way the conversion is fairly straightforward.

Since the opposition to discarding contexts was relatively mild
and its what bnxt does already, I'm sticking to that. We may very
well need to revisit that at a later time.

v1: https://lore.kernel.org/all/20240702234757.4188344-1-kuba@kernel.org/
====================

Link: https://patch.msgid.link/20240711220713.283778-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: use the indir table from ethtool context
Jakub Kicinski [Thu, 11 Jul 2024 22:07:13 +0000 (15:07 -0700)]
eth: bnxt: use the indir table from ethtool context

Instead of allocating a separate indir table in the vnic use
the one already present in the RSS context allocated by the core.
This saves some LoC and also we won't have to worry about syncing
the local version back to the core, once core learns how to dump
contexts.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-12-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: bump the entry size in indir tables to u32
Jakub Kicinski [Thu, 11 Jul 2024 22:07:12 +0000 (15:07 -0700)]
eth: bnxt: bump the entry size in indir tables to u32

Ethtool core stores indirection table with u32 entries, "just to be safe".
Switch the type in the driver, so that it's easier to swap local tables
for the core ones. Memory allocations already use sizeof(*entry), switch
the memset()s as well.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: pad out the correct indirection table
Jakub Kicinski [Thu, 11 Jul 2024 22:07:11 +0000 (15:07 -0700)]
eth: bnxt: pad out the correct indirection table

bnxt allocates tables of max size, and changes the used size
based on number of active rings. The unused entries get padded
out with zeros. bnxt_modify_rss() seems to always pad out
the table of the main / default RSS context, instead of
the table of the modified context.

I haven't observed any behavior change due to this patch,
so I don't think it's a fix. Not entirely sure what role
the padding plays, 0 is a valid queue ID.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-10-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: use the RSS context XArray instead of the local list
Jakub Kicinski [Thu, 11 Jul 2024 22:07:10 +0000 (15:07 -0700)]
eth: bnxt: use the RSS context XArray instead of the local list

Core already maintains all RSS contexts in an XArray, no need
to keep a second list in the driver.

Remove bnxt_get_max_rss_ctx_ring() completely since core performs
the same check already.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: use context priv for struct bnxt_rss_ctx
Jakub Kicinski [Thu, 11 Jul 2024 22:07:09 +0000 (15:07 -0700)]
eth: bnxt: use context priv for struct bnxt_rss_ctx

Core can allocate space for per-context driver-private data,
use it for struct bnxt_rss_ctx. Inline bnxt_alloc_rss_ctx()
at this point, most of the init (as in the actions bnxt_del_one_rss_ctx()
will undo) is open coded in bnxt_create_rxfh_context(), anyway.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-8-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: depend on core cleaning up RSS contexts
Jakub Kicinski [Thu, 11 Jul 2024 22:07:08 +0000 (15:07 -0700)]
eth: bnxt: depend on core cleaning up RSS contexts

New RSS context API removes old contexts on netdev unregister.
No need to wipe them manually.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: remove rss_ctx_bmap
Jakub Kicinski [Thu, 11 Jul 2024 22:07:07 +0000 (15:07 -0700)]
eth: bnxt: remove rss_ctx_bmap

Core will allocate IDs for the driver, from the range
[1, BNXT_MAX_ETH_RSS_CTX], no need to track the allocations.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: move from .set_rxfh to .create_rxfh_context and friends
Jakub Kicinski [Thu, 11 Jul 2024 22:07:06 +0000 (15:07 -0700)]
eth: bnxt: move from .set_rxfh to .create_rxfh_context and friends

Use the new ethtool ops for RSS context management. The conversion
is pretty straightforward cut / paste of the right chunks of the
combined handler. Main change is that we let the core pick the IDs
(bitmap will be removed separately for ease of review), so we need
to tell the core when we lose a context.
Since the new API passes rxfh as const, change bnxt_modify_rss()
to also take const.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoeth: bnxt: allow deleting RSS contexts when the device is down
Jakub Kicinski [Thu, 11 Jul 2024 22:07:05 +0000 (15:07 -0700)]
eth: bnxt: allow deleting RSS contexts when the device is down

Contexts get deleted from FW when the device is down, but they
are kept in SW and re-added back on open. bnxt_set_rxfh_context()
apparently does not want to deal with complexity of dealing with
both the device down and device up cases. This is perhaps acceptable
for creating new contexts, but not being able to delete contexts
makes core-driven cleanups messy. Specifically with the new RSS
API core will try to delete contexts automatically after bringing
the device down.

Support the delete-while-down case. Skip the FW logic and delete
just the driver state.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: ethtool: let drivers declare max size of RSS indir table and key
Jakub Kicinski [Thu, 11 Jul 2024 22:07:04 +0000 (15:07 -0700)]
net: ethtool: let drivers declare max size of RSS indir table and key

Some drivers (bnxt but I think also mlx5 from ML discussions) change
the size of the indirection table depending on the number of Rx rings.
Decouple the max table size from the size of the currently used table,
so that we can reserve space in the context for table growth.

Static members in ethtool_ops are good enough for now, we can add
callbacks to read the max size more dynamically if someone needs
that.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agonet: ethtool: let drivers remove lost RSS contexts
Jakub Kicinski [Thu, 11 Jul 2024 22:07:03 +0000 (15:07 -0700)]
net: ethtool: let drivers remove lost RSS contexts

RSS contexts may get lost from a device, in various extreme circumstances.
Specifically if the firmware leaks resources and resets, or crashes and
either recovers in partially working state or the crash causes a
different FW version to run - creating the context again may fail.

Drivers should do their absolute best to prevent this from happening.
When it does, however, telling user that a context exists, when it can't
possibly be used any more is counter productive. Add a helper for
drivers to discard contexts. Print an error, in the future netlink
notification will also be sent.

More robust approaches were proposed, like keeping the contexts
but marking them as "dead" (but possibly resurrected by next reset).
That may be better but it's unclear at this stage whether the
effort is worth the benefits.

Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20240711220713.283778-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoMerge tag 'net-6.10-rc8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Linus Torvalds [Sat, 13 Jul 2024 01:33:33 +0000 (18:33 -0700)]
Merge tag 'net-6.10-rc8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull more networking fixes from Jakub Kicinski:
 "A quick follow up to yesterday's pull. We got a regressions report for
  the bnxt patch as soon as it got to your tree. The ethtool fix is also
  good to have, although it's an older regression.

  Current release - regressions:

   - eth: bnxt_en: fix crash in bnxt_get_max_rss_ctx_ring() on older HW
     when user tries to decrease the ring count

  Previous releases - regressions:

   - ethtool: fix RSS setting, accept "no change" setting if the driver
     doesn't support the new features

   - eth: i40e: remove needless retries of NVM update, don't wait 20min
     when we know the firmware update won't succeed"

* tag 'net-6.10-rc8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net:
  bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()
  octeontx2-af: fix issue with IPv4 match for RSS
  octeontx2-af: fix issue with IPv6 ext match for RSS
  octeontx2-af: fix detection of IP layer
  octeontx2-af: fix a issue with cpt_lf_alloc mailbox
  octeontx2-af: replace cpt slot with lf id on reg write
  i40e: fix: remove needless retries of NVM update
  net: ethtool: Fix RSS setting

15 months agobnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()
Michael Chan [Fri, 12 Jul 2024 17:53:18 +0000 (10:53 -0700)]
bnxt_en: Fix crash in bnxt_get_max_rss_ctx_ring()

On older chips not supporting multiple RSS contexts, reducing
ethtool channels will crash:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 7032 Comm: ethtool Tainted: G S                 6.10.0-rc4 #1
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:bnxt_get_max_rss_ctx_ring+0x4c/0x90 [bnxt_en]
Code: c3 d3 eb 4c 8b 83 38 01 00 00 48 8d bb 38 01 00 00 4c 39 c7 74 42 41 8d 54 24 ff 31 c0 0f b7 d2 4c 8d 4c 12 02 66 85 ed 74 1d <49> 8b 90 b8 00 00 00 49 8d 34 11 0f b7 0a 66 39 c8 0f 42 c1 48 83
RSP: 0018:ffffaaa501d23ba8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8efdf600c940 RCX: 0000000000000000
RDX: 000000000000007f RSI: ffffffffacf429c4 RDI: ffff8efdf600ca78
RBP: 0000000000000080 R08: 0000000000000000 R09: 0000000000000100
R10: 0000000000000001 R11: ffffaaa501d238c0 R12: 0000000000000080
R13: 0000000000000000 R14: ffff8efdf600c000 R15: 0000000000000006
FS:  00007f977a7d2740(0000) GS:ffff8f041f840000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b8 CR3: 00000002320aa004 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die_body+0x15/0x60
? page_fault_oops+0x157/0x440
? do_user_addr_fault+0x60/0x770
? _raw_spin_lock_irqsave+0x12/0x40
? exc_page_fault+0x61/0x120
? asm_exc_page_fault+0x22/0x30
? bnxt_get_max_rss_ctx_ring+0x4c/0x90 [bnxt_en]
? bnxt_get_max_rss_ctx_ring+0x25/0x90 [bnxt_en]
bnxt_set_channels+0x9d/0x340 [bnxt_en]
ethtool_set_channels+0x14b/0x210
__dev_ethtool+0xdf8/0x2890
? preempt_count_add+0x6a/0xa0
? percpu_counter_add_batch+0x23/0x90
? filemap_map_pages+0x417/0x4a0
? avc_has_extended_perms+0x185/0x420
? __pfx_udp_ioctl+0x10/0x10
? sk_ioctl+0x55/0xf0
? kmalloc_trace_noprof+0xe0/0x210
? dev_ethtool+0x54/0x170
dev_ethtool+0xa2/0x170
dev_ioctl+0xbe/0x530
sock_do_ioctl+0xa3/0xf0
sock_ioctl+0x20d/0x2e0

bp->rss_ctx_list is not initialized if the chip or firmware does not
support multiple RSS contexts.  Fix it by adding a check in
bnxt_get_max_rss_ctx_ring() before proceeding to reference
bp->rss_ctx_list.

Fixes: 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count with active RSS contexts")
Reported-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/netdev/ZpFEJeNpwxW1aW9k@gmail.com/
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20240712175318.166811-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
15 months agoselftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()
Tengda Wu [Thu, 11 Jul 2024 14:58:19 +0000 (22:58 +0800)]
selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()

This test verifies that resolve_prog_type() works as expected when
`attach_prog_fd` is not passed in.

`prog->aux->dst_prog` in resolve_prog_type() is assigned by
`attach_prog_fd`, and would be NULL if `attach_prog_fd` is not provided.

Loading EXT prog with bpf_dynptr_from_skb() kfunc call in this way will
lead to null-pointer-deref.

Verify that the null-pointer-deref bug in resolve_prog_type() is fixed.

Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240711145819.254178-3-wutengda@huaweicloud.com
15 months agobpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
Tengda Wu [Thu, 11 Jul 2024 14:58:18 +0000 (22:58 +0800)]
bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT

When loading a EXT program without specifying `attr->attach_prog_fd`,
the `prog->aux->dst_prog` will be null. At this time, calling
resolve_prog_type() anywhere will result in a null pointer dereference.

Example stack trace:

[    8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[    8.108262] Mem abort info:
[    8.108384]   ESR = 0x0000000096000004
[    8.108547]   EC = 0x25: DABT (current EL), IL = 32 bits
[    8.108722]   SET = 0, FnV = 0
[    8.108827]   EA = 0, S1PTW = 0
[    8.108939]   FSC = 0x04: level 0 translation fault
[    8.109102] Data abort info:
[    8.109203]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    8.109399]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    8.109614]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000
[    8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000
[    8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    8.112783] Modules linked in:
[    8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1
[    8.113230] Hardware name: linux,dummy-virt (DT)
[    8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    8.113429] pc : may_access_direct_pkt_data+0x24/0xa0
[    8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8
[    8.113798] sp : ffff80008283b9f0
[    8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001
[    8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000
[    8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000
[    8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff
[    8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720
[    8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720
[    8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4
[    8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f
[    8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c
[    8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000
[    8.114126] Call trace:
[    8.114159]  may_access_direct_pkt_data+0x24/0xa0
[    8.114202]  bpf_check+0x3bc/0x28c0
[    8.114214]  bpf_prog_load+0x658/0xa58
[    8.114227]  __sys_bpf+0xc50/0x2250
[    8.114240]  __arm64_sys_bpf+0x28/0x40
[    8.114254]  invoke_syscall.constprop.0+0x54/0xf0
[    8.114273]  do_el0_svc+0x4c/0xd8
[    8.114289]  el0_svc+0x3c/0x140
[    8.114305]  el0t_64_sync_handler+0x134/0x150
[    8.114331]  el0t_64_sync+0x168/0x170
[    8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)
[    8.118672] ---[ end trace 0000000000000000 ]---

One way to fix it is by forcing `attach_prog_fd` non-empty when
bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type`
API broken which use verifier log to probe prog type and will log
nothing if we reject invalid EXT prog before bpf_check().

Another way is by adding null check in resolve_prog_type().

The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to
prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted
to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before
that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows
the logic below:

  prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;

It implies that when EXT program is not yet attached to `dst_prog`,
the prog type should be EXT itself. This code worked fine in the past.
So just keep using it.

Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog`
is not present in resolve_prog_type().

Fixes: 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT")
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20240711145819.254178-2-wutengda@huaweicloud.com
15 months agoMerge tag 'for-6.10-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
Linus Torvalds [Fri, 12 Jul 2024 19:08:42 +0000 (12:08 -0700)]
Merge tag 'for-6.10-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "Fix a regression in extent map shrinker behaviour.

  In the past weeks we got reports from users that there are huge
  latency spikes or freezes. This was bisected to newly added shrinker
  of extent maps (it was added to fix a build up of the structures in
  memory).

  I'm assuming that the freezes would happen to many users after release
  so I'd like to get it merged now so it's in 6.10. Although the diff
  size is not small the changes are relatively straightforward, the
  reporters verified the fixes and we did testing on our side.

  The fixes:

   - adjust behaviour under memory pressure and check lock or scheduling
     conditions, bail out if needed

   - synchronize tracking of the scanning progress so inode ranges are
     not skipped or work duplicated

   - do a delayed iput when scanning a root so evicting an inode does
     not slow things down in case of lots of dirty data, also fix
     lockdep warning, a deadlock could happen when writing the dirty
     data would need to start a transaction"

* tag 'for-6.10-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: avoid races when tracking progress for extent map shrinking
  btrfs: stop extent map shrinker if reschedule is needed
  btrfs: use delayed iput during extent map shrinking

15 months agoMerge tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client
Linus Torvalds [Fri, 12 Jul 2024 17:39:29 +0000 (10:39 -0700)]
Merge tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "A fix for a possible use-after-free following "rbd unmap" or "umount"
  marked for stable and two kernel-doc fixups"

* tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client:
  libceph: fix crush_choose_firstn() kernel-doc warnings
  libceph: suppress crush_choose_indep() kernel-doc warnings
  libceph: fix race between delayed_work() and ceph_monc_stop()

15 months agoMerge tag 'pmdomain-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh...
Linus Torvalds [Fri, 12 Jul 2024 17:29:49 +0000 (10:29 -0700)]
Merge tag 'pmdomain-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm

Pull pmdomain fix from Ulf Hansson:

 - qcom: Skip retention level for rpmhpd's

* tag 'pmdomain-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
  pmdomain: qcom: rpmhpd: Skip retention level for Power Domains

15 months agoMerge tag 'mmc-v6.10-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
Linus Torvalds [Fri, 12 Jul 2024 17:26:48 +0000 (10:26 -0700)]
Merge tag 'mmc-v6.10-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC host fixes from Ulf Hansson:

 - davinci_mmc: Prevent transmitted data size from exceeding sgm's
   length

 - sdhci: Fix max_seg_size for 64KiB PAGE_SIZE

* tag 'mmc-v6.10-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length
  mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE

15 months agoselftests/bpf: DENYLIST.aarch64: Skip fexit_sleep again
Daniel Borkmann [Fri, 12 Jul 2024 16:12:30 +0000 (18:12 +0200)]
selftests/bpf: DENYLIST.aarch64: Skip fexit_sleep again

Revert commit 90dc946059b7 ("selftests/bpf: DENYLIST.aarch64: Remove
fexit_sleep") again. The fix in 19d3c179a377 ("bpf, arm64: Fix trampoline
for BPF_TRAMP_F_CALL_ORIG") does not address all of the issues and BPF
CI is still hanging and timing out:

   https://github.com/kernel-patches/bpf/actions/runs/9905842936/job/27366435436

   [...]
   #89/11   fexit_bpf2bpf/func_replace_global_func:OK
   #89/12   fexit_bpf2bpf/fentry_to_cgroup_bpf:OK
   #89/13   fexit_bpf2bpf/func_replace_progmap:OK
   #89      fexit_bpf2bpf:OK
   Error: The operation was canceled.

Thus more investigation work & fixing is needed before the test can be put
in place again.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/bpf/20240705145009.32340-1-puranjay@kernel.org
15 months agoMerge tag 'arm-fixes-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Linus Torvalds [Fri, 12 Jul 2024 16:00:25 +0000 (09:00 -0700)]
Merge tag 'arm-fixes-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Arnd Bergmann:
 "Most of these changes are Qualcomm SoC specific and came in just after
  I sent out the last set of fixes. This includes two regression fixes
  for SoC drivers, a defconfig change to ensure the Lenovo X13s is
  usable and 11 changes to DT files to fix regressions and minor
  platform specific issues.

  Tony and Chunyan step back from their respective maintainership roles
  on the omap and unisoc platforms, and Christophe in turn takes over
  maintaining some of the Freescale SoC drivers that he has been taking
  care of in practice already.

  Lastly, there are two trivial fixes for the davinci and sunxi
  platforms"

* tag 'arm-fixes-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  MAINTAINERS: Update FREESCALE SOC DRIVERS and QUICC ENGINE LIBRARY
  MAINTAINERS: Add more maintainers for omaps
  ARM: davinci: Convert comma to semicolon
  MAINTAINERS: Move myself from SPRD Maintainer to Reviewer
  Revert "dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries"
  arm64: dts: qcom: qdu1000: Fix LLCC reg property
  arm64: dts: qcom: sm6115: add iommu for sdhc_1
  arm64: dts: qcom: x1e80100-crd: fix DAI used for headset recording
  arm64: dts: qcom: x1e80100-crd: fix WCD audio codec TX port mapping
  soc: qcom: pmic_glink: disable UCSI on sc8280xp
  arm64: defconfig: enable Elan i2c-hid driver
  arm64: dts: qcom: sc8280xp-crd: use external pull up for touch reset
  arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on
  arm64: dts: qcom: x1e80100: Fix PCIe 6a reg offsets and add MHI
  arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical timer
  arm64: dts: allwinner: Fix PMIC interrupt number
  arm64: dts: qcom: sc8280xp: Set status = "reserved" on PSHOLD
  arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers
  arm64: dts: qcom: sc8180x: Fix LLCC reg property again

15 months agoMerge branch 'use-overflow-h-helpers-to-check-for-overflows'
Alexei Starovoitov [Fri, 12 Jul 2024 15:54:08 +0000 (08:54 -0700)]
Merge branch 'use-overflow-h-helpers-to-check-for-overflows'

Shung-Hsi Yu says:

====================
Use overflow.h helpers to check for overflows

This patch set refactors kernel/bpf/verifier.c to use type-agnostic, generic
overflow-check helpers defined in include/linux/overflow.h to check for addition
and subtraction overflow, and drop the signed_*_overflows() helpers we currently
have in kernel/bpf/verifier.c; with a fix for overflow check in adjust_jmp_off()
in patch 1.

There should be no functional change in how the verifier works and  the main
motivation is to make future refactoring[1] easier.

While check_mul_overflow() also exists and could potentially replace what
we have in scalar*_min_max_mul(), it does not help with refactoring and
would either change how the verifier works (e.g. lifting restriction on
umax<=U32_MAX and u32_max<=U16_MAX) or make the code slightly harder to
read, so it is left for future endeavour.

Changes from v2 <https://lore.kernel.org/r/20240701055907.82481-1-shung-hsi.yu@suse.com>
- add fix for 5337ac4c9b80 ("bpf: Fix the corner case with may_goto and jump to
  the 1st insn.") to correct the overflow check for general jump instructions
- adapt to changes in commit 5337ac4c9b80 ("bpf: Fix the corner case with
  may_goto and jump to the 1st insn.")
  - refactor in adjust_jmp_off() as well and remove signed_add16_overflow()

Changes from v1 <https://lore.kernel.org/r/20240623070324.12634-1-shung-hsi.yu@suse.com>:
- use pointers to values in dst_reg directly as the sum/diff pointer and
  remove the else branch (Jiri)
- change local variables to be dst_reg pointers instead of src_reg values
- include comparison of generated assembly before & after the change
  (Alexei)

1: https://github.com/kernel-patches/bpf/pull/7205/commits
====================

Link: https://lore.kernel.org/r/20240712080127.136608-1-shung-hsi.yu@suse.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
15 months agobpf: use check_sub_overflow() to check for subtraction overflows
Shung-Hsi Yu [Fri, 12 Jul 2024 08:01:26 +0000 (16:01 +0800)]
bpf: use check_sub_overflow() to check for subtraction overflows

Similar to previous patch that drops signed_add*_overflows() and uses
(compiler) builtin-based check_add_overflow(), do the same for
signed_sub*_overflows() and replace them with the generic
check_sub_overflow() to make future refactoring easier and have the
checks implemented more efficiently.

Unsigned overflow check for subtraction does not use helpers and are
simple enough already, so they're left untouched.

After the change GCC 13.3.0 generates cleaner assembly on x86_64:

if (check_sub_overflow(*dst_smin, src_reg->smax_value, dst_smin) ||
   139bf: mov    0x28(%r12),%rax
   139c4: mov    %edx,0x54(%r12)
   139c9: sub    %r11,%rax
   139cc: mov    %rax,0x28(%r12)
   139d1: jo     14627 <adjust_reg_min_max_vals+0x1237>
    check_sub_overflow(*dst_smax, src_reg->smin_value, dst_smax)) {
   139d7: mov    0x30(%r12),%rax
   139dc: sub    %r9,%rax
   139df: mov    %rax,0x30(%r12)
if (check_sub_overflow(*dst_smin, src_reg->smax_value, dst_smin) ||
   139e4: jo     14627 <adjust_reg_min_max_vals+0x1237>
   ...
*dst_smin = S64_MIN;
   14627: movabs $0x8000000000000000,%rax
   14631: mov    %rax,0x28(%r12)
*dst_smax = S64_MAX;
   14636: sub    $0x1,%rax
   1463a: mov    %rax,0x30(%r12)

Before the change it gives:

if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
   13a50: mov    0x28(%r12),%rdi
   13a55: mov    %edx,0x54(%r12)
dst_reg->smax_value = S64_MAX;
   13a5a: movabs $0x7fffffffffffffff,%rdx
   13a64: mov    %eax,0x50(%r12)
dst_reg->smin_value = S64_MIN;
   13a69: movabs $0x8000000000000000,%rax
s64 res = (s64)((u64)a - (u64)b);
   13a73: mov    %rdi,%rsi
   13a76: sub    %rcx,%rsi
if (b < 0)
   13a79: test   %rcx,%rcx
   13a7c: js     145ea <adjust_reg_min_max_vals+0x119a>
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
   13a82: cmp    %rsi,%rdi
   13a85: jl     13ac7 <adjust_reg_min_max_vals+0x677>
    signed_sub_overflows(dst_reg->smax_value, smin_val)) {
   13a87: mov    0x30(%r12),%r8
s64 res = (s64)((u64)a - (u64)b);
   13a8c: mov    %r8,%rax
   13a8f: sub    %r9,%rax
return res > a;
   13a92: cmp    %rax,%r8
   13a95: setl   %sil
if (b < 0)
   13a99: test   %r9,%r9
   13a9c: js     147d1 <adjust_reg_min_max_vals+0x1381>
dst_reg->smax_value = S64_MAX;
   13aa2: movabs $0x7fffffffffffffff,%rdx
dst_reg->smin_value = S64_MIN;
   13aac: movabs $0x8000000000000000,%rax
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
   13ab6: test   %sil,%sil
   13ab9: jne    13ac7 <adjust_reg_min_max_vals+0x677>
dst_reg->smin_value -= smax_val;
   13abb: mov    %rdi,%rax
dst_reg->smax_value -= smin_val;
   13abe: mov    %r8,%rdx
dst_reg->smin_value -= smax_val;
   13ac1: sub    %rcx,%rax
dst_reg->smax_value -= smin_val;
   13ac4: sub    %r9,%rdx
   13ac7: mov    %rax,0x28(%r12)
   ...
   13ad1: mov    %rdx,0x30(%r12)
   ...
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
   145ea: cmp    %rsi,%rdi
   145ed: jg     13ac7 <adjust_reg_min_max_vals+0x677>
   145f3: jmp    13a87 <adjust_reg_min_max_vals+0x637>

Suggested-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20240712080127.136608-4-shung-hsi.yu@suse.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
15 months agobpf: use check_add_overflow() to check for addition overflows
Shung-Hsi Yu [Fri, 12 Jul 2024 08:01:25 +0000 (16:01 +0800)]
bpf: use check_add_overflow() to check for addition overflows

signed_add*_overflows() was added back when there was no overflow-check
helper. With the introduction of such helpers in commit f0907827a8a91
("compiler.h: enable builtin overflow checkers and add fallback code"), we
can drop signed_add*_overflows() in kernel/bpf/verifier.c and use the
generic check_add_overflow() instead.

This will make future refactoring easier, and takes advantage of
compiler-emitted hardware instructions that efficiently implement these
checks.

After the change GCC 13.3.0 generates cleaner assembly on x86_64:

err = adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);
   13625: mov    0x28(%rbx),%r9  /*  r9 = src_reg->smin_value */
   13629: mov    0x30(%rbx),%rcx /* rcx = src_reg->smax_value */
   ...
if (check_add_overflow(*dst_smin, src_reg->smin_value, dst_smin) ||
   141c1: mov    %r9,%rax
   141c4: add    0x28(%r12),%rax
   141c9: mov    %rax,0x28(%r12)
   141ce: jo     146e4 <adjust_reg_min_max_vals+0x1294>
    check_add_overflow(*dst_smax, src_reg->smax_value, dst_smax)) {
   141d4: add    0x30(%r12),%rcx
   141d9: mov    %rcx,0x30(%r12)
if (check_add_overflow(*dst_smin, src_reg->smin_value, dst_smin) ||
   141de: jo     146e4 <adjust_reg_min_max_vals+0x1294>
   ...
*dst_smin = S64_MIN;
   146e4: movabs $0x8000000000000000,%rax
   146ee: mov    %rax,0x28(%r12)
*dst_smax = S64_MAX;
   146f3: sub    $0x1,%rax
   146f7: mov    %rax,0x30(%r12)

Before the change it gives:

s64 smin_val = src_reg->smin_value;
     675: mov    0x28(%rsi),%r8
s64 smax_val = src_reg->smax_value;
u64 umin_val = src_reg->umin_value;
u64 umax_val = src_reg->umax_value;
     679: mov    %rdi,%rax /* rax = dst_reg */
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
     67c: mov    0x28(%rdi),%rdi /* rdi = dst_reg->smin_value */
u64 umin_val = src_reg->umin_value;
     680: mov    0x38(%rsi),%rdx
u64 umax_val = src_reg->umax_value;
     684: mov    0x40(%rsi),%rcx
s64 res = (s64)((u64)a + (u64)b);
     688: lea    (%r8,%rdi,1),%r9 /* r9 = dst_reg->smin_value + src_reg->smin_value */
return res < a;
     68c: cmp    %r9,%rdi
     68f: setg   %r10b /* r10b = (dst_reg->smin_value + src_reg->smin_value) > dst_reg->smin_value */
if (b < 0)
     693: test   %r8,%r8
     696: js     72b <scalar_min_max_add+0xbb>
    signed_add_overflows(dst_reg->smax_value, smax_val)) {
dst_reg->smin_value = S64_MIN;
dst_reg->smax_value = S64_MAX;
     69c: movabs $0x7fffffffffffffff,%rdi
s64 smax_val = src_reg->smax_value;
     6a6: mov    0x30(%rsi),%r8
dst_reg->smin_value = S64_MIN;
     6aa: 00 00 00  movabs $0x8000000000000000,%rsi
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
     6b4: test   %r10b,%r10b /* (dst_reg->smin_value + src_reg->smin_value) > dst_reg->smin_value ? goto 6cb */
     6b7: jne    6cb <scalar_min_max_add+0x5b>
    signed_add_overflows(dst_reg->smax_value, smax_val)) {
     6b9: mov    0x30(%rax),%r10   /* r10 = dst_reg->smax_value */
s64 res = (s64)((u64)a + (u64)b);
     6bd: lea    (%r10,%r8,1),%r11 /* r11 = dst_reg->smax_value + src_reg->smax_value */
if (b < 0)
     6c1: test   %r8,%r8
     6c4: js     71e <scalar_min_max_add+0xae>
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
     6c6: cmp    %r11,%r10 /* (dst_reg->smax_value + src_reg->smax_value) <= dst_reg->smax_value ? goto 723 */
     6c9: jle    723 <scalar_min_max_add+0xb3>
} else {
dst_reg->smin_value += smin_val;
dst_reg->smax_value += smax_val;
}
     6cb: mov    %rsi,0x28(%rax)
     ...
     6d5: mov    %rdi,0x30(%rax)
     ...
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
     71e: cmp    %r11,%r10
     721: jl     6cb <scalar_min_max_add+0x5b>
dst_reg->smin_value += smin_val;
     723: mov    %r9,%rsi
dst_reg->smax_value += smax_val;
     726: mov    %r11,%rdi
     729: jmp    6cb <scalar_min_max_add+0x5b>
return res > a;
     72b: cmp    %r9,%rdi
     72e: setl   %r10b
     732: jmp    69c <scalar_min_max_add+0x2c>
     737: nopw   0x0(%rax,%rax,1)

Note: unlike adjust_ptr_min_max_vals() and scalar*_min_max_add(), it is
necessary to introduce intermediate variable in adjust_jmp_off() to keep
the functional behavior unchanged. Without an intermediate variable
imm/off will be altered even on overflow.

Suggested-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://lore.kernel.org/r/20240712080127.136608-3-shung-hsi.yu@suse.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
15 months agobpf: fix overflow check in adjust_jmp_off()
Shung-Hsi Yu [Fri, 12 Jul 2024 08:01:24 +0000 (16:01 +0800)]
bpf: fix overflow check in adjust_jmp_off()

adjust_jmp_off() incorrectly used the insn->imm field for all overflow check,
which is incorrect as that should only be done or the BPF_JMP32 | BPF_JA case,
not the general jump instruction case. Fix it by using insn->off for overflow
check in the general case.

Fixes: 5337ac4c9b80 ("bpf: Fix the corner case with may_goto and jump to the 1st insn.")
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://lore.kernel.org/r/20240712080127.136608-2-shung-hsi.yu@suse.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
15 months agoMerge tag 'char-misc-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 12 Jul 2024 15:45:27 +0000 (08:45 -0700)]
Merge tag 'char-misc-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char / misc driver fixes from Greg KH:
 "Here are some small remaining driver fixes for 6.10-final that have
  all been in linux-next for a while and resolve reported issues.
  Included in here are:

   - mei driver fixes (and a spelling fix at the end just to be clean)

   - iio driver fixes for reported problems

   - fastrpc bugfixes

   - nvmem small fixes"

* tag 'char-misc-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  mei: vsc: Fix spelling error
  mei: vsc: Enhance SPI transfer of IVSC ROM
  mei: vsc: Utilize the appropriate byte order swap function
  mei: vsc: Prevent timeout error with added delay post-firmware download
  mei: vsc: Enhance IVSC chipset stability during warm reboot
  nvmem: core: limit cell sysfs permissions to main attribute ones
  nvmem: core: only change name to fram for current attribute
  nvmem: meson-efuse: Fix return value of nvmem callbacks
  nvmem: rmem: Fix return value of rmem_read()
  misc: microchip: pci1xxxx: Fix return value of nvmem callbacks
  hpet: Support 32-bit userspace
  misc: fastrpc: Restrict untrusted app to attach to privileged PD
  misc: fastrpc: Fix ownership reassignment of remote heap
  misc: fastrpc: Fix memory leak in audio daemon attach operation
  misc: fastrpc: Avoid updating PD type for capability request
  misc: fastrpc: Copy the complete capability structure to user
  misc: fastrpc: Fix DSP capabilities request
  iio: light: apds9306: Fix error handing
  iio: trigger: Fix condition for own trigger

15 months agoMerge tag 'tty-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Linus Torvalds [Fri, 12 Jul 2024 15:39:44 +0000 (08:39 -0700)]
Merge tag 'tty-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty / serial fixes from Greg KH:
 "Here are some small serial driver fixes for 6.10-final. Included in
  here are:

   - qcom-geni fixes for a much much much discussed issue and everyone
     now seems to be agreed that this is the proper way forward to
     resolve the reported lockups

   - imx serial driver bugfixes

   - 8250_omap errata fix

   - ma35d1 serial driver bugfix

  All of these have been in linux-next for over a week with no reported
  issues"

* tag 'tty-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  serial: qcom-geni: do not kill the machine on fifo underrun
  serial: qcom-geni: fix hard lockup on buffer flush
  serial: qcom-geni: fix soft lockup on sw flow control and suspend
  serial: imx: ensure RTS signal is not left active after shutdown
  tty: serial: ma35d1: Add a NULL check for of_node
  serial: 8250_omap: Fix Errata i2310 with RX FIFO level check
  serial: imx: only set receiver level if it is zero

15 months agoMerge tag 'usb-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Linus Torvalds [Fri, 12 Jul 2024 15:35:56 +0000 (08:35 -0700)]
Merge tag 'usb-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small USB driver fixes and new device ids for
  6.10-final. Included in here are:

   - new usb-serial device ids for reported devices

   - syzbot-triggered duplicate endpoint bugfix

   - gadget bugfix for configfs memory overwrite

   - xhci resume bugfix

   - new device quirk added

   - usb core error path bugfix

  All of these have been in linux-next (most for a while) with no
  reported issues"

* tag 'usb-6.10-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: serial: mos7840: fix crash on resume
  USB: serial: option: add Rolling RW350-GL variants
  USB: serial: option: add support for Foxconn T99W651
  USB: serial: option: add Netprisma LCUK54 series modules
  usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
  usb: dwc3: pci: add support for the Intel Panther Lake
  usb: core: add missing of_node_put() in usb_of_has_devices_or_graph
  USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
  USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
  xhci: always resume roothubs if xHC was reset during resume
  USB: serial: option: add Telit generic core-dump composition
  USB: serial: option: add Fibocom FM350-GL
  USB: serial: option: add Telit FN912 rmnet compositions