Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sat, 13 Jul 2024 13:26:41 +0000 (09:26 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 13 Jul 2024 13:26:41 +0000 (09:26 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch [new file with mode: 0644]
queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch [new file with mode: 0644]
queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch [new file with mode: 0644]
queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch [new file with mode: 0644]

diff --git a/queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch b/queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch
new file mode 100644 (file)
index 0000000..9d2c98c
--- /dev/null
@@ -0,0 +1,97 @@
+From f7b99bc8c66986e8eb02c1a656e0e9a08e475a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2019 11:35:38 -0700
+Subject: drm/i915: make find_fw_domain work on intel_uncore
+
+From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+
+[ Upstream commit cb7ee69015aaba5e1091af94e73bc72483c08e37 ]
+
+Remove unneeded usage of dev_priv from 1 extra function.
+
+Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190319183543.13679-6-daniele.ceraolospurio@intel.com
+Stable-dep-of: 0ec986ed7bab ("tcp: fix incorrect undo caused by DSACK of TLP retransmit")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/intel_uncore.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_uncore.c b/drivers/gpu/drm/i915/intel_uncore.c
+index 50b39aa4ffb88..c6cd52b8e4e27 100644
+--- a/drivers/gpu/drm/i915/intel_uncore.c
++++ b/drivers/gpu/drm/i915/intel_uncore.c
+@@ -836,13 +836,13 @@ static int fw_range_cmp(u32 offset, const struct intel_forcewake_range *entry)
+ })
+ static enum forcewake_domains
+-find_fw_domain(struct drm_i915_private *dev_priv, u32 offset)
++find_fw_domain(struct intel_uncore *uncore, u32 offset)
+ {
+       const struct intel_forcewake_range *entry;
+       entry = BSEARCH(offset,
+-                      dev_priv->uncore.fw_domains_table,
+-                      dev_priv->uncore.fw_domains_table_entries,
++                      uncore->fw_domains_table,
++                      uncore->fw_domains_table_entries,
+                       fw_range_cmp);
+       if (!entry)
+@@ -854,11 +854,11 @@ find_fw_domain(struct drm_i915_private *dev_priv, u32 offset)
+        * translate it here to the list of available domains.
+        */
+       if (entry->domains == FORCEWAKE_ALL)
+-              return dev_priv->uncore.fw_domains;
++              return uncore->fw_domains;
+-      WARN(entry->domains & ~dev_priv->uncore.fw_domains,
++      WARN(entry->domains & ~uncore->fw_domains,
+            "Uninitialized forcewake domain(s) 0x%x accessed at 0x%x\n",
+-           entry->domains & ~dev_priv->uncore.fw_domains, offset);
++           entry->domains & ~uncore->fw_domains, offset);
+       return entry->domains;
+ }
+@@ -886,7 +886,7 @@ static const struct intel_forcewake_range __vlv_fw_ranges[] = {
+ ({ \
+       enum forcewake_domains __fwd = 0; \
+       if (NEEDS_FORCE_WAKE((offset))) \
+-              __fwd = find_fw_domain(dev_priv, offset); \
++              __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+       __fwd; \
+ })
+@@ -894,7 +894,7 @@ static const struct intel_forcewake_range __vlv_fw_ranges[] = {
+ ({ \
+       enum forcewake_domains __fwd = 0; \
+       if (GEN11_NEEDS_FORCE_WAKE((offset))) \
+-              __fwd = find_fw_domain(dev_priv, offset); \
++              __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+       __fwd; \
+ })
+@@ -980,7 +980,7 @@ static const struct intel_forcewake_range __chv_fw_ranges[] = {
+ ({ \
+       enum forcewake_domains __fwd = 0; \
+       if (NEEDS_FORCE_WAKE((offset)) && !is_gen8_shadowed(offset)) \
+-              __fwd = find_fw_domain(dev_priv, offset); \
++              __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+       __fwd; \
+ })
+@@ -988,7 +988,7 @@ static const struct intel_forcewake_range __chv_fw_ranges[] = {
+ ({ \
+       enum forcewake_domains __fwd = 0; \
+       if (GEN11_NEEDS_FORCE_WAKE((offset)) && !is_gen11_shadowed(offset)) \
+-              __fwd = find_fw_domain(dev_priv, offset); \
++              __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+       __fwd; \
+ })
+-- 
+2.43.0
+
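Review bot: The `Stable-dep-of: 0ec986ed7bab ("tcp: fix incorrect undo caused by DSACK of TLP retransmit")` trailer does not match the content of this patch, which only changes `find_fw_domain()` and four macro call sites in drivers/gpu/drm/i915/intel_uncore.c. The tcp fix queued in the same commit touches net/ipv4/tcp_input.c and net/ipv4/tcp_timer.c and, as far as this page shows, references nothing from i915. This looks like a mis-attributed dependency, so the i915 refactor is carried into 4.19 with no stated reason. Either drop the patch from the series or replace the trailer with the fix that really needs the `struct intel_uncore *` signature.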
diff --git a/queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch b/queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch
new file mode 100644 (file)
index 0000000..f518a0d
--- /dev/null
@@ -0,0 +1,43 @@
+From 1a1b9f36544ab98bebf89f1ca7283dd474518120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 22:58:26 +0200
+Subject: net: ethernet: lantiq_etop: fix double free in detach
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit e1533b6319ab9c3a97dad314dd88b3783bc41b69 ]
+
+The number of the currently released descriptor is never incremented
+which results in the same skb being released multiple times.
+
+Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
+Reported-by: Joe Perches <joe@perches.com>
+Closes: https://lore.kernel.org/all/fc1bf93d92bb5b2f99c6c62745507cc22f3a7b2d.camel@perches.com/
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20240708205826.5176-1-olek2@wp.pl
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index fd391cbd5774e..b41822d08649d 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -221,9 +221,9 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch)
+       if (ch->dma.irq)
+               free_irq(ch->dma.irq, priv);
+       if (IS_RX(ch->idx)) {
+-              int desc;
++              struct ltq_dma_channel *dma = &ch->dma;
+-              for (desc = 0; desc < LTQ_DESC_NUM; desc++)
++              for (dma->desc = 0; dma->desc < LTQ_DESC_NUM; dma->desc++)
+                       dev_kfree_skb_any(ch->skb[ch->dma.desc]);
+       }
+ }
+-- 
+2.43.0
+
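Review bot: In ltq_etop_free_channel() the loop now iterates on the shared field `ch->dma.desc` instead of a local, so it leaves `dma->desc == LTQ_DESC_NUM` when it finishes, and the freed `ch->skb[]` slots keep their stale pointers. Whether anything reads either after teardown is outside this hunk, so this needs checking against the rest of the driver. If a second pass through this path is possible, clearing each slot after the free, `ch->skb[dma->desc] = NULL;`, together with a NULL test before the free, would keep the double free from coming back. The index expression also still reads `ch->skb[ch->dma.desc]` while the loop header uses the new alias; `dev_kfree_skb_any(ch->skb[dma->desc]);` would make it obvious that both refer to the same counter.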
diff --git a/queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch b/queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch
new file mode 100644 (file)
index 0000000..4f6aa4f
--- /dev/null
@@ -0,0 +1,40 @@
+From 9369aea6ab657e6abdde6630365cea3d4a5024ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 23:00:31 +0100
+Subject: net: lantiq_etop: add blank line after declaration
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 4c46625bb586a741b8d0e6bdbddbcb2549fa1d36 ]
+
+This patch adds a missing line after the declaration and
+fixes the checkpatch warning:
+
+WARNING: Missing a blank line after declarations
++              int desc;
++              for (desc = 0; desc < LTQ_DESC_NUM; desc++)
+
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Link: https://lore.kernel.org/r/20211228220031.71576-1-olek2@wp.pl
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: e1533b6319ab ("net: ethernet: lantiq_etop: fix double free in detach")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 8c58ae565073f..fd391cbd5774e 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -222,6 +222,7 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch)
+               free_irq(ch->dma.irq, priv);
+       if (IS_RX(ch->idx)) {
+               int desc;
++
+               for (desc = 0; desc < LTQ_DESC_NUM; desc++)
+                       dev_kfree_skb_any(ch->skb[ch->dma.desc]);
+       }
+-- 
+2.43.0
+
diff --git a/queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch b/queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
new file mode 100644 (file)
index 0000000..9774393
--- /dev/null
@@ -0,0 +1,67 @@
+From 0a779d4f504d7f5f0a216768681037eb497668e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 14:56:15 +0300
+Subject: ppp: reject claimed-as-LCP but actually malformed packets
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]
+
+Since 'ppp_async_encode()' assumes valid LCP packets (with code
+from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
+LCP packet has an actual body beyond PPP_LCP header bytes, and
+reject claimed-as-LCP but actually malformed data otherwise.
+
+Reported-by: syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 220b28711f98e..5c737c6aa58b9 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -74,6 +74,7 @@
+ #define MPHDRLEN_SSN  4       /* ditto with short sequence numbers */
+ #define PPP_PROTO_LEN 2
++#define PPP_LCP_HDRLEN        4
+ /*
+  * An instance of /dev/ppp can be associated with either a ppp
+@@ -495,6 +496,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
+       return ret;
+ }
++static bool ppp_check_packet(struct sk_buff *skb, size_t count)
++{
++      /* LCP packets must include LCP header which 4 bytes long:
++       * 1-byte code, 1-byte identifier, and 2-byte length.
++       */
++      return get_unaligned_be16(skb->data) != PPP_LCP ||
++              count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;
++}
++
+ static ssize_t ppp_write(struct file *file, const char __user *buf,
+                        size_t count, loff_t *ppos)
+ {
+@@ -517,6 +527,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
+               kfree_skb(skb);
+               goto out;
+       }
++      ret = -EINVAL;
++      if (unlikely(!ppp_check_packet(skb, count))) {
++              kfree_skb(skb);
++              goto out;
++      }
+       switch (pf->kind) {
+       case INTERFACE:
+-- 
+2.43.0
+
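Review bot: ppp_check_packet() reads two bytes with `get_unaligned_be16(skb->data)` before it looks at `count`, so it relies on ppp_write() having already rejected writes shorter than PPP_PROTO_LEN. That earlier part of ppp_write() is outside the hunk, and this page does not show whether the 4.19 tree has such a check. If it does not, a one- or zero-byte write reaches this read, so either confirm the precondition or fold it in: `return count >= PPP_PROTO_LEN && (get_unaligned_be16(skb->data) != PPP_LCP || count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN);`. The description also says ppp_async_encode() assumes an LCP code from 1 to 7, but the new helper validates only the length, so the code byte is still unchecked here. The helper's comment should read "LCP header, which is 4 bytes long".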
index e77d45babe95353cb932157463e7fd7f3b2f1de4..ce126ad3edad073419c003b9fe0407d1b5b93477 100644 (file)
@@ -39,3 +39,8 @@ bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch
 media-dw2102-fix-a-potential-buffer-overflow.patch
 i2c-pnx-fix-potential-deadlock-warning-from-del_time.patch
 nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch
+drm-i915-make-find_fw_domain-work-on-intel_uncore.patch
+tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch
+net-lantiq_etop-add-blank-line-after-declaration.patch
+net-ethernet-lantiq_etop-fix-double-free-in-detach.patch
+ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
diff --git a/queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch b/queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch
new file mode 100644 (file)
index 0000000..d893917
--- /dev/null
@@ -0,0 +1,107 @@
+From ab70f14ef6d52d7a2694d6d68b37472cb72ccf4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 13:12:46 -0400
+Subject: tcp: fix incorrect undo caused by DSACK of TLP retransmit
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ]
+
+Loss recovery undo_retrans bookkeeping had a long-standing bug where a
+DSACK from a spurious TLP retransmit packet could cause an erroneous
+undo of a fast recovery or RTO recovery that repaired a single
+really-lost packet (in a sequence range outside that of the TLP
+retransmit). Basically, because the loss recovery state machine didn't
+account for the fact that it sent a TLP retransmit, the DSACK for the
+TLP retransmit could erroneously be implicitly be interpreted as
+corresponding to the normal fast recovery or RTO recovery retransmit
+that plugged a real hole, thus resulting in an improper undo.
+
+For example, consider the following buggy scenario where there is a
+real packet loss but the congestion control response is improperly
+undone because of this bug:
+
++ send packets P1, P2, P3, P4
++ P1 is really lost
++ send TLP retransmit of P4
++ receive SACK for original P2, P3, P4
++ enter fast recovery, fast-retransmit P1, increment undo_retrans to 1
++ receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!)
++ receive cumulative ACK for P1-P4 (fast retransmit plugged real hole)
+
+The fix: when we initialize undo machinery in tcp_init_undo(), if
+there is a TLP retransmit in flight, then increment tp->undo_retrans
+so that we make sure that we receive a DSACK corresponding to the TLP
+retransmit, as well as DSACKs for all later normal retransmits, before
+triggering a loss recovery undo. Note that we also have to move the
+line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO
+we remember the tp->tlp_high_seq value until tcp_init_undo() and clear
+it only afterward.
+
+Also note that the bug dates back to the original 2013 TLP
+implementation, commit 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)").
+
+However, this patch will only compile and work correctly with kernels
+that have tp->tlp_retrans, which was added only in v5.8 in 2020 in
+commit 76be93fc0702 ("tcp: allow at most one TLP probe per flight").
+So we associate this fix with that later commit.
+
+Fixes: 76be93fc0702 ("tcp: allow at most one TLP probe per flight")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Kevin Yang <yyd@google.com>
+Link: https://patch.msgid.link/20240703171246.1739561-1-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 11 ++++++++++-
+ net/ipv4/tcp_timer.c |  2 --
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 9a66c37958451..9254705afa869 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1948,8 +1948,16 @@ void tcp_clear_retrans(struct tcp_sock *tp)
+ static inline void tcp_init_undo(struct tcp_sock *tp)
+ {
+       tp->undo_marker = tp->snd_una;
++
+       /* Retransmission still in flight may cause DSACKs later. */
+-      tp->undo_retrans = tp->retrans_out ? : -1;
++      /* First, account for regular retransmits in flight: */
++      tp->undo_retrans = tp->retrans_out;
++      /* Next, account for TLP retransmits in flight: */
++      if (tp->tlp_high_seq && tp->tlp_retrans)
++              tp->undo_retrans++;
++      /* Finally, avoid 0, because undo_retrans==0 means "can undo now": */
++      if (!tp->undo_retrans)
++              tp->undo_retrans = -1;
+ }
+ static bool tcp_is_rack(const struct sock *sk)
+@@ -2028,6 +2036,7 @@ void tcp_enter_loss(struct sock *sk)
+       tcp_set_ca_state(sk, TCP_CA_Loss);
+       tp->high_seq = tp->snd_nxt;
++      tp->tlp_high_seq = 0;
+       tcp_ecn_queue_cwr(tp);
+       /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index d8d28ba169b4d..cebbac092f322 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -441,8 +441,6 @@ void tcp_retransmit_timer(struct sock *sk)
+       if (!tp->packets_out || WARN_ON_ONCE(tcp_rtx_queue_empty(sk)))
+               return;
+-      tp->tlp_high_seq = 0;
+-
+       if (!tp->snd_wnd && !sock_flag(sk, SOCK_DEAD) &&
+           !((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))) {
+               /* Receiver dastardly shrinks window. Our retransmits
+-- 
+2.43.0
+
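Review bot: The new test `if (tp->tlp_high_seq && tp->tlp_retrans)` in tcp_init_undo() depends on `tp->tlp_retrans`, which the patch description itself says was added only in v5.8 by commit 76be93fc0702, while this file is queued for 4.19. Nothing on this page shows that commit being present in the 4.19 tree, so confirm the field exists there (a build of net/ipv4/tcp_input.c is enough) before the queue is released. Separately, the description requires `tp->tlp_high_seq` to be cleared only after tcp_init_undo() has read it. The added `tp->tlp_high_seq = 0;` in tcp_enter_loss() sits after `tp->high_seq = tp->snd_nxt;`, but the call to tcp_init_undo() is outside the hunk, so that ordering has to be checked against the 4.19 body of the function. A short comment on the new line, such as `/* clear only after tcp_init_undo() has used it */`, would keep a later reshuffle from breaking it.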