From: Sasha Levin
Date: Sat, 13 Jul 2024 13:26:41 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v6.1.99~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44ab80af2402ba6c9a587912c2366db5eea59041;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch b/queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch
new file mode 100644
index 00000000000..9d2c98caaa0
--- /dev/null
+++ b/queue-4.19/drm-i915-make-find_fw_domain-work-on-intel_uncore.patch
@@ -0,0 +1,97 @@
+From f7b99bc8c66986e8eb02c1a656e0e9a08e475a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Mar 2019 11:35:38 -0700
+Subject: drm/i915: make find_fw_domain work on intel_uncore
+
+From: Daniele Ceraolo Spurio
+
+[ Upstream commit cb7ee69015aaba5e1091af94e73bc72483c08e37 ]
+
+Remove unneeded usage of dev_priv from 1 extra function.
+
+Signed-off-by: Daniele Ceraolo Spurio
+Cc: Paulo Zanoni
+Reviewed-by: Paulo Zanoni
+Signed-off-by: Chris Wilson
+Link: https://patchwork.freedesktop.org/patch/msgid/20190319183543.13679-6-daniele.ceraolospurio@intel.com
+Stable-dep-of: 0ec986ed7bab ("tcp: fix incorrect undo caused by DSACK of TLP retransmit")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/intel_uncore.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_uncore.c b/drivers/gpu/drm/i915/intel_uncore.c
+index 50b39aa4ffb88..c6cd52b8e4e27 100644
+--- a/drivers/gpu/drm/i915/intel_uncore.c
++++ b/drivers/gpu/drm/i915/intel_uncore.c
+@@ -836,13 +836,13 @@ static int fw_range_cmp(u32 offset, const struct intel_forcewake_range *entry)
+ })
+
+ static enum forcewake_domains
+-find_fw_domain(struct drm_i915_private *dev_priv, u32 offset)
++find_fw_domain(struct intel_uncore *uncore, u32 offset)
+ {
+ const struct intel_forcewake_range *entry;
+
+ entry = BSEARCH(offset,
+- dev_priv->uncore.fw_domains_table,
+- dev_priv->uncore.fw_domains_table_entries,
++ uncore->fw_domains_table,
++ uncore->fw_domains_table_entries,
+ fw_range_cmp);
+
+ if (!entry)
+@@ -854,11 +854,11 @@ find_fw_domain(struct drm_i915_private *dev_priv, u32 offset)
+ * translate it here to the list of available domains.
+ */
+ if (entry->domains == FORCEWAKE_ALL)
+- return dev_priv->uncore.fw_domains;
++ return uncore->fw_domains;
+
+- WARN(entry->domains & ~dev_priv->uncore.fw_domains,
++ WARN(entry->domains & ~uncore->fw_domains,
+ "Uninitialized forcewake domain(s) 0x%x accessed at 0x%x\n",
+- entry->domains & ~dev_priv->uncore.fw_domains, offset);
++ entry->domains & ~uncore->fw_domains, offset);
+
+ return entry->domains;
+ }
+@@ -886,7 +886,7 @@ static const struct intel_forcewake_range __vlv_fw_ranges[] = {
+ ({ \
+ enum forcewake_domains __fwd = 0; \
+ if (NEEDS_FORCE_WAKE((offset))) \
+- __fwd = find_fw_domain(dev_priv, offset); \
++ __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+ __fwd; \
+ })
+
+@@ -894,7 +894,7 @@ static const struct intel_forcewake_range __vlv_fw_ranges[] = {
+ ({ \
+ enum forcewake_domains __fwd = 0; \
+ if (GEN11_NEEDS_FORCE_WAKE((offset))) \
+- __fwd = find_fw_domain(dev_priv, offset); \
++ __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+ __fwd; \
+ })
+
+@@ -980,7 +980,7 @@ static const struct intel_forcewake_range __chv_fw_ranges[] = {
+ ({ \
+ enum forcewake_domains __fwd = 0; \
+ if (NEEDS_FORCE_WAKE((offset)) && !is_gen8_shadowed(offset)) \
+- __fwd = find_fw_domain(dev_priv, offset); \
++ __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+ __fwd; \
+ })
+
+@@ -988,7 +988,7 @@ static const struct intel_forcewake_range __chv_fw_ranges[] = {
+ ({ \
+ enum forcewake_domains __fwd = 0; \
+ if (GEN11_NEEDS_FORCE_WAKE((offset)) && !is_gen11_shadowed(offset)) \
+- __fwd = find_fw_domain(dev_priv, offset); \
++ __fwd = find_fw_domain(&dev_priv->uncore, offset); \
+ __fwd; \
+ })
+
+--
+2.43.0
+
diff --git a/queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch b/queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch
new file mode 100644
index 00000000000..f518a0df288
--- /dev/null
+++ b/queue-4.19/net-ethernet-lantiq_etop-fix-double-free-in-detach.patch
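Review bot: The `Stable-dep-of:` trailer in drm-i915-make-find_fw_domain-work-on-intel_uncore.patch names 0ec986ed7bab ("tcp: fix incorrect undo caused by DSACK of TLP retransmit"), but that fix's own diffstat touches only net/ipv4/tcp_input.c and net/ipv4/tcp_timer.c, so the dependency looks mis-attributed. The queued change is a pure signature refactor of `find_fw_domain()` with no functional effect, which is hard to justify in a stable tree once the stated prerequisite does not hold. I would either drop it from queue-4.19 or correct the trailer to the commit that actually needs `find_fw_domain(&dev_priv->uncore, offset)`, and record that reason in the patch header so the provenance of the backport can be audited.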
@@ -0,0 +1,43 @@
+From 1a1b9f36544ab98bebf89f1ca7283dd474518120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 Jul 2024 22:58:26 +0200
+Subject: net: ethernet: lantiq_etop: fix double free in detach
+
+From: Aleksander Jan Bajkowski
+
+[ Upstream commit e1533b6319ab9c3a97dad314dd88b3783bc41b69 ]
+
+The number of the currently released descriptor is never incremented
+which results in the same skb being released multiple times.
+
+Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
+Reported-by: Joe Perches
+Closes: https://lore.kernel.org/all/fc1bf93d92bb5b2f99c6c62745507cc22f3a7b2d.camel@perches.com/
+Signed-off-by: Aleksander Jan Bajkowski
+Reviewed-by: Andrew Lunn
+Link: https://patch.msgid.link/20240708205826.5176-1-olek2@wp.pl
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/lantiq_etop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index fd391cbd5774e..b41822d08649d 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -221,9 +221,9 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch)
+ if (ch->dma.irq)
+ free_irq(ch->dma.irq, priv);
+ if (IS_RX(ch->idx)) {
+- int desc;
++ struct ltq_dma_channel *dma = &ch->dma;
+
+- for (desc = 0; desc < LTQ_DESC_NUM; desc++)
++ for (dma->desc = 0; dma->desc < LTQ_DESC_NUM; dma->desc++)
+ dev_kfree_skb_any(ch->skb[ch->dma.desc]);
+ }
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch b/queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch
new file mode 100644
index 00000000000..4f6aa4fa599
--- /dev/null
+++ b/queue-4.19/net-lantiq_etop-add-blank-line-after-declaration.patch
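Review bot: In the `ltq_etop_free_channel()` hunk of net-ethernet-lantiq_etop-fix-double-free-in-detach.patch the loop now uses the channel's own `dma->desc` field as its counter, so it exits with `dma->desc == LTQ_DESC_NUM`, presumably one past the last valid index of `ch->skb[]`, and the freed pointers stay in the array. Any later access through `ch->skb[ch->dma.desc]`, or a second call of this function, would then index out of range or release the same skbs again; whether such a path exists cannot be seen here, since the function starts outside the hunk. Clearing each slot and resetting the index would keep the teardown idempotent: `ch->skb[dma->desc] = NULL;` inside a braced loop body and `dma->desc = 0;` after the loop. The body also mixes `dma->desc` and `ch->dma.desc` for the same field; using the `dma` alias throughout would read more clearly.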
@@ -0,0 +1,40 @@
+From 9369aea6ab657e6abdde6630365cea3d4a5024ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Dec 2021 23:00:31 +0100
+Subject: net: lantiq_etop: add blank line after declaration
+
+From: Aleksander Jan Bajkowski
+
+[ Upstream commit 4c46625bb586a741b8d0e6bdbddbcb2549fa1d36 ]
+
+This patch adds a missing line after the declaration and
+fixes the checkpatch warning:
+
+WARNING: Missing a blank line after declarations
++ int desc;
++ for (desc = 0; desc < LTQ_DESC_NUM; desc++)
+
+Signed-off-by: Aleksander Jan Bajkowski
+Link: https://lore.kernel.org/r/20211228220031.71576-1-olek2@wp.pl
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: e1533b6319ab ("net: ethernet: lantiq_etop: fix double free in detach")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/lantiq_etop.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 8c58ae565073f..fd391cbd5774e 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -222,6 +222,7 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch)
+ free_irq(ch->dma.irq, priv);
+ if (IS_RX(ch->idx)) {
+ int desc;
++
+ for (desc = 0; desc < LTQ_DESC_NUM; desc++)
+ dev_kfree_skb_any(ch->skb[ch->dma.desc]);
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch b/queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
new file mode 100644
index 00000000000..97743933660
--- /dev/null
+++ b/queue-4.19/ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
@@ -0,0 +1,67 @@
+From 0a779d4f504d7f5f0a216768681037eb497668e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 Jul 2024 14:56:15 +0300
+Subject: ppp: reject claimed-as-LCP but actually malformed packets
+
+From: Dmitry Antipov
+
+[ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]
+
+Since 'ppp_async_encode()' assumes valid LCP packets (with code
+from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
+LCP packet has an actual body beyond PPP_LCP header bytes, and
+reject claimed-as-LCP but actually malformed data otherwise.
+
+Reported-by: syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dmitry Antipov
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ppp/ppp_generic.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 220b28711f98e..5c737c6aa58b9 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -74,6 +74,7 @@
+ #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */
+
+ #define PPP_PROTO_LEN 2
++#define PPP_LCP_HDRLEN 4
+
+ /*
+ * An instance of /dev/ppp can be associated with either a ppp
+@@ -495,6 +496,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
+ return ret;
+ }
+
++static bool ppp_check_packet(struct sk_buff *skb, size_t count)
++{
++ /* LCP packets must include LCP header which 4 bytes long:
++ * 1-byte code, 1-byte identifier, and 2-byte length.
++ */
++ return get_unaligned_be16(skb->data) != PPP_LCP ||
++ count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;
++}
++
+ static ssize_t ppp_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+@@ -517,6 +527,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
+ kfree_skb(skb);
+ goto out;
+ }
++ ret = -EINVAL;
++ if (unlikely(!ppp_check_packet(skb, count))) {
++ kfree_skb(skb);
++ goto out;
++ }
+
+ switch (pf->kind) {
+ case INTERFACE:
+--
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index e77d45babe9..ce126ad3eda 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -39,3 +39,8 @@ bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch
 media-dw2102-fix-a-potential-buffer-overflow.patch
 i2c-pnx-fix-potential-deadlock-warning-from-del_time.patch
 nilfs2-fix-incorrect-inode-allocation-from-reserved-inodes.patch
+drm-i915-make-find_fw_domain-work-on-intel_uncore.patch
+tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch
+net-lantiq_etop-add-blank-line-after-declaration.patch
+net-ethernet-lantiq_etop-fix-double-free-in-detach.patch
+ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
diff --git a/queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch b/queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch
new file mode 100644
index 00000000000..d8939170196
--- /dev/null
+++ b/queue-4.19/tcp-fix-incorrect-undo-caused-by-dsack-of-tlp-retran.patch
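Review bot: `ppp_check_packet()` in ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch checks only that `count` covers the protocol field plus a 4-byte LCP header; it compares neither the header's own 2-byte length field with `count` nor the code with the 1 to 7 range that the commit message says `ppp_async_encode()` assumes. If any consumer further down trusts those header fields (not visible in this hunk), a frame with a large enough buffer but an inconsistent length field still passes, so the comment should say that this is a minimum-size check only. The helper also reads two bytes from `skb->data` unconditionally, which is safe only if `ppp_write()` has already rejected `count < PPP_PROTO_LEN` before this call; that check lies outside the hunk and should be confirmed in the 4.19 tree. Suggested comment, which also repairs the "which 4 bytes long" wording: `/* Minimum-size check only: an LCP frame must hold the 2-byte protocol plus the 4-byte LCP header (code, identifier, length); the length field itself is not validated here. */`.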
@@ -0,0 +1,107 @@
+From ab70f14ef6d52d7a2694d6d68b37472cb72ccf4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jul 2024 13:12:46 -0400
+Subject: tcp: fix incorrect undo caused by DSACK of TLP retransmit
+
+From: Neal Cardwell
+
+[ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ]
+
+Loss recovery undo_retrans bookkeeping had a long-standing bug where a
+DSACK from a spurious TLP retransmit packet could cause an erroneous
+undo of a fast recovery or RTO recovery that repaired a single
+really-lost packet (in a sequence range outside that of the TLP
+retransmit). Basically, because the loss recovery state machine didn't
+account for the fact that it sent a TLP retransmit, the DSACK for the
+TLP retransmit could erroneously be implicitly be interpreted as
+corresponding to the normal fast recovery or RTO recovery retransmit
+that plugged a real hole, thus resulting in an improper undo.
+
+For example, consider the following buggy scenario where there is a
+real packet loss but the congestion control response is improperly
+undone because of this bug:
+
++ send packets P1, P2, P3, P4
++ P1 is really lost
++ send TLP retransmit of P4
++ receive SACK for original P2, P3, P4
++ enter fast recovery, fast-retransmit P1, increment undo_retrans to 1
++ receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!)
++ receive cumulative ACK for P1-P4 (fast retransmit plugged real hole)
+
+The fix: when we initialize undo machinery in tcp_init_undo(), if
+there is a TLP retransmit in flight, then increment tp->undo_retrans
+so that we make sure that we receive a DSACK corresponding to the TLP
+retransmit, as well as DSACKs for all later normal retransmits, before
+triggering a loss recovery undo. Note that we also have to move the
+line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO
+we remember the tp->tlp_high_seq value until tcp_init_undo() and clear
+it only afterward.
+
+Also note that the bug dates back to the original 2013 TLP
+implementation, commit 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)").
+
+However, this patch will only compile and work correctly with kernels
+that have tp->tlp_retrans, which was added only in v5.8 in 2020 in
+commit 76be93fc0702 ("tcp: allow at most one TLP probe per flight").
+So we associate this fix with that later commit.
+
+Fixes: 76be93fc0702 ("tcp: allow at most one TLP probe per flight")
+Signed-off-by: Neal Cardwell
+Reviewed-by: Eric Dumazet
+Cc: Yuchung Cheng
+Cc: Kevin Yang
+Link: https://patch.msgid.link/20240703171246.1739561-1-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 11 ++++++++++-
+ net/ipv4/tcp_timer.c | 2 --
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 9a66c37958451..9254705afa869 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1948,8 +1948,16 @@ void tcp_clear_retrans(struct tcp_sock *tp)
+ static inline void tcp_init_undo(struct tcp_sock *tp)
+ {
+ tp->undo_marker = tp->snd_una;
++
+ /* Retransmission still in flight may cause DSACKs later. */
+- tp->undo_retrans = tp->retrans_out ? : -1;
++ /* First, account for regular retransmits in flight: */
++ tp->undo_retrans = tp->retrans_out;
++ /* Next, account for TLP retransmits in flight: */
++ if (tp->tlp_high_seq && tp->tlp_retrans)
++ tp->undo_retrans++;
++ /* Finally, avoid 0, because undo_retrans==0 means "can undo now": */
++ if (!tp->undo_retrans)
++ tp->undo_retrans = -1;
+ }
+
+ static bool tcp_is_rack(const struct sock *sk)
+@@ -2028,6 +2036,7 @@ void tcp_enter_loss(struct sock *sk)
+
+ tcp_set_ca_state(sk, TCP_CA_Loss);
+ tp->high_seq = tp->snd_nxt;
++ tp->tlp_high_seq = 0;
+ tcp_ecn_queue_cwr(tp);
+
+ /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index d8d28ba169b4d..cebbac092f322 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -441,8 +441,6 @@ void tcp_retransmit_timer(struct sock *sk)
+ if (!tp->packets_out || WARN_ON_ONCE(tcp_rtx_queue_empty(sk)))
+ return;
+
+- tp->tlp_high_seq = 0;
+-
+ if (!tp->snd_wnd && !sock_flag(sk, SOCK_DEAD) &&
+ !((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))) {
+ /* Receiver dastardly shrinks window. Our retransmits
+--
+2.43.0
+
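Review bot: The new `if (tp->tlp_high_seq && tp->tlp_retrans)` test in `tcp_init_undo()` depends on `tp->tlp_retrans`, which the patch's own description says exists only since v5.8 (commit 76be93fc0702), while this patch is queued for 4.19. Unless a backport of that commit is already part of queue-4.19 (the visible tail of `series` does not list one), net/ipv4/tcp_input.c will not build, and the `Fixes:` tag points at a commit this tree does not contain. I would confirm that `tlp_retrans` is present in the 4.19 `struct tcp_sock` before keeping the patch, or drop it together with the patch queued only as its `Stable-dep-of:` dependency. Separately, moving `tp->tlp_high_seq = 0;` into `tcp_enter_loss()` relies on `tcp_init_undo()` running before that line; the call is outside the hunk, so the ordering should be checked against the 4.19 version of the function.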