From: Greg Kroah-Hartman Date: Sat, 25 May 2024 15:12:49 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.9.3~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83d26adcdb0c526473743543e5cf0be383eda12b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch ring-buffer-fix-a-race-between-readers-and-resize-checks.patch tools-latency-collector-fix-wformat-security-compile-warns.patch --- diff --git a/queue-5.15/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch b/queue-5.15/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch new file mode 100644 index 00000000000..f20c96760fc --- /dev/null +++ b/queue-5.15/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch @@ -0,0 +1,58 @@ +From 5eefb477d21a26183bc3499aeefa991198315a2d Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Fri, 10 May 2024 13:30:55 +0200 +Subject: net: smc91x: Fix m68k kernel compilation for ColdFire CPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thorsten Blum + +commit 5eefb477d21a26183bc3499aeefa991198315a2d upstream. + +Compiling the m68k kernel with support for the ColdFire CPU family fails +with the following error: + +In file included from drivers/net/ethernet/smsc/smc91x.c:80: +drivers/net/ethernet/smsc/smc91x.c: In function ‘smc_reset’: +drivers/net/ethernet/smsc/smc91x.h:160:40: error: implicit declaration of function ‘_swapw’; did you mean ‘swap’? [-Werror=implicit-function-declaration] + 160 | #define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r)) + | ^~~~~~ +drivers/net/ethernet/smsc/smc91x.h:904:25: note: in expansion of macro ‘SMC_outw’ + 904 | SMC_outw(lp, x, ioaddr, BANK_SELECT); \ + | ^~~~~~~~ +drivers/net/ethernet/smsc/smc91x.c:250:9: note: in expansion of macro ‘SMC_SELECT_BANK’ + 250 | SMC_SELECT_BANK(lp, 2); + | ^~~~~~~~~~~~~~~ +cc1: some warnings being treated as errors + +The function _swapw() was removed in commit d97cf70af097 ("m68k: use +asm-generic/io.h for non-MMU io access functions"), but is still used in +drivers/net/ethernet/smsc/smc91x.h. + +Use ioread16be() and iowrite16be() to resolve the error. + +Cc: stable@vger.kernel.org +Fixes: d97cf70af097 ("m68k: use asm-generic/io.h for non-MMU io access functions") +Signed-off-by: Thorsten Blum +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20240510113054.186648-2-thorsten.blum@toblux.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/smsc/smc91x.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/smsc/smc91x.h ++++ b/drivers/net/ethernet/smsc/smc91x.h +@@ -175,8 +175,8 @@ static inline void mcf_outsw(void *a, un + writew(*wp++, a); + } + +-#define SMC_inw(a, r) _swapw(readw((a) + (r))) +-#define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r)) ++#define SMC_inw(a, r) ioread16be((a) + (r)) ++#define SMC_outw(lp, v, a, r) iowrite16be(v, (a) + (r)) + #define SMC_insw(a, r, p, l) mcf_insw(a + r, p, l) + #define SMC_outsw(a, r, p, l) mcf_outsw(a + r, p, l) + diff --git a/queue-5.15/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch b/queue-5.15/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch new file mode 100644 index 00000000000..c8ec9dd520e --- /dev/null +++ b/queue-5.15/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch @@ -0,0 +1,55 @@ +From c71e3a5cffd5309d7f84444df03d5b72600cc417 Mon Sep 17 00:00:00 2001 +From: Ken Milmore +Date: Tue, 21 May 2024 23:45:50 +0100 +Subject: r8169: Fix possible ring buffer corruption on fragmented Tx packets. + +From: Ken Milmore + +commit c71e3a5cffd5309d7f84444df03d5b72600cc417 upstream. + +An issue was found on the RTL8125b when transmitting small fragmented +packets, whereby invalid entries were inserted into the transmit ring +buffer, subsequently leading to calls to dma_unmap_single() with a null +address. + +This was caused by rtl8169_start_xmit() not noticing changes to nr_frags +which may occur when small packets are padded (to work around hardware +quirks) in rtl8169_tso_csum_v2(). + +To fix this, postpone inspecting nr_frags until after any padding has been +applied. + +Fixes: 9020845fb5d6 ("r8169: improve rtl8169_start_xmit") +Cc: stable@vger.kernel.org +Signed-off-by: Ken Milmore +Reviewed-by: Heiner Kallweit +Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4273,11 +4273,11 @@ static void rtl8169_doorbell(struct rtl8 + static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb, + struct net_device *dev) + { +- unsigned int frags = skb_shinfo(skb)->nr_frags; + struct rtl8169_private *tp = netdev_priv(dev); + unsigned int entry = tp->cur_tx % NUM_TX_DESC; + struct TxDesc *txd_first, *txd_last; + bool stop_queue, door_bell; ++ unsigned int frags; + u32 opts[2]; + + if (unlikely(!rtl_tx_slots_avail(tp))) { +@@ -4300,6 +4300,7 @@ static netdev_tx_t rtl8169_start_xmit(st + + txd_first = tp->TxDescArray + entry; + ++ frags = skb_shinfo(skb)->nr_frags; + if (frags) { + if (rtl8169_xmit_frags(tp, skb, opts, entry)) + goto err_dma_1; diff --git a/queue-5.15/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch b/queue-5.15/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch new file mode 100644 index 00000000000..2b816986f55 --- /dev/null +++ b/queue-5.15/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch @@ -0,0 +1,44 @@ +From eabb8a9be1e4a12f3bf37ceb7411083e3775672d Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Wed, 15 May 2024 08:18:01 +0200 +Subject: Revert "r8169: don't try to disable interrupts if NAPI is, scheduled already" + +From: Heiner Kallweit + +commit eabb8a9be1e4a12f3bf37ceb7411083e3775672d upstream. + +This reverts commit 7274c4147afbf46f45b8501edbdad6da8cd013b9. + +Ken reported that RTL8125b can lock up if gro_flush_timeout has the +default value of 20000 and napi_defer_hard_irqs is set to 0. +In this scenario device interrupts aren't disabled, what seems to +trigger some silicon bug under heavy load. I was able to reproduce this +behavior on RTL8168h. Fix this by reverting 7274c4147afb. + +Fixes: 7274c4147afb ("r8169: don't try to disable interrupts if NAPI is scheduled already") +Cc: stable@vger.kernel.org +Reported-by: Ken Milmore +Signed-off-by: Heiner Kallweit +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/9b5b6f4c-4f54-4b90-b0b3-8d8023c2e780@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4617,10 +4617,8 @@ static irqreturn_t rtl8169_interrupt(int + rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING); + } + +- if (napi_schedule_prep(&tp->napi)) { +- rtl_irq_disable(tp); +- __napi_schedule(&tp->napi); +- } ++ rtl_irq_disable(tp); ++ napi_schedule(&tp->napi); + out: + rtl_ack_events(tp, status); + diff --git a/queue-5.15/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch b/queue-5.15/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch new file mode 100644 index 00000000000..b4715dc9e55 --- /dev/null +++ b/queue-5.15/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch @@ -0,0 +1,134 @@ +From c2274b908db05529980ec056359fae916939fdaa Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Fri, 17 May 2024 15:40:08 +0200 +Subject: ring-buffer: Fix a race between readers and resize checks + +From: Petr Pavlu + +commit c2274b908db05529980ec056359fae916939fdaa upstream. + +The reader code in rb_get_reader_page() swaps a new reader page into the +ring buffer by doing cmpxchg on old->list.prev->next to point it to the +new page. Following that, if the operation is successful, +old->list.next->prev gets updated too. This means the underlying +doubly-linked list is temporarily inconsistent, page->prev->next or +page->next->prev might not be equal back to page for some page in the +ring buffer. + +The resize operation in ring_buffer_resize() can be invoked in parallel. +It calls rb_check_pages() which can detect the described inconsistency +and stop further tracing: + +[ 190.271762] ------------[ cut here ]------------ +[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 +[ 190.271789] Modules linked in: [...] +[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 +[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f +[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 +[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 +[ 190.272023] Code: [...] +[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 +[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 +[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 +[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 +[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 +[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 +[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 +[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 +[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 190.272077] Call Trace: +[ 190.272098] +[ 190.272189] ring_buffer_resize+0x2ab/0x460 +[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 +[ 190.272206] tracing_resize_ring_buffer+0x65/0x90 +[ 190.272216] tracing_entries_write+0x74/0xc0 +[ 190.272225] vfs_write+0xf5/0x420 +[ 190.272248] ksys_write+0x67/0xe0 +[ 190.272256] do_syscall_64+0x82/0x170 +[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 190.272373] RIP: 0033:0x7f1bd657d263 +[ 190.272381] Code: [...] +[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 +[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 +[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 +[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 +[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 +[ 190.272412] +[ 190.272414] ---[ end trace 0000000000000000 ]--- + +Note that ring_buffer_resize() calls rb_check_pages() only if the parent +trace_buffer has recording disabled. Recent commit d78ab792705c +("tracing: Stop current tracer when resizing buffer") causes that it is +now always the case which makes it more likely to experience this issue. + +The window to hit this race is nonetheless very small. To help +reproducing it, one can add a delay loop in rb_get_reader_page(): + + ret = rb_head_page_replace(reader, cpu_buffer->reader_page); + if (!ret) + goto spin; + for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ + __asm__ __volatile__ ("" : : : "memory"); + rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; + +.. and then run the following commands on the target system: + + echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable + while true; do + echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + done & + while true; do + for i in /sys/kernel/tracing/per_cpu/*; do + timeout 0.1 cat $i/trace_pipe; sleep 0.2 + done + done + +To fix the problem, make sure ring_buffer_resize() doesn't invoke +rb_check_pages() concurrently with a reader operating on the same +ring_buffer_per_cpu by taking its cpu_buffer->reader_lock. + +Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavlu@suse.com + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Fixes: 659f451ff213 ("ring-buffer: Add integrity check at end of iter read") +Signed-off-by: Petr Pavlu +[ Fixed whitespace ] +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1568,6 +1568,11 @@ static int rb_check_bpage(struct ring_bu + * + * As a safety measure we check to make sure the data pages have not + * been corrupted. ++ * ++ * Callers of this function need to guarantee that the list of pages doesn't get ++ * modified during the check. In particular, if it's possible that the function ++ * is invoked with concurrent readers which can swap in a new reader page then ++ * the caller should take cpu_buffer->reader_lock. + */ + static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + { +@@ -2289,8 +2294,12 @@ int ring_buffer_resize(struct trace_buff + */ + synchronize_rcu(); + for_each_buffer_cpu(buffer, cpu) { ++ unsigned long flags; ++ + cpu_buffer = buffer->buffers[cpu]; ++ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); + rb_check_pages(cpu_buffer); ++ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); + } + atomic_dec(&buffer->record_disabled); + } diff --git a/queue-5.15/series b/queue-5.15/series index 984e0aa9edb..d082b487d4e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -2,3 +2,8 @@ tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch tty-n_gsm-fix-missing-receive-state-reset-after-mode-switch.patch speakup-fix-sizeof-vs-array_size-bug.patch serial-8250_bcm7271-use-default_mux_rate-if-possible.patch +revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch +r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch +ring-buffer-fix-a-race-between-readers-and-resize-checks.patch +tools-latency-collector-fix-wformat-security-compile-warns.patch +net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch diff --git a/queue-5.15/tools-latency-collector-fix-wformat-security-compile-warns.patch b/queue-5.15/tools-latency-collector-fix-wformat-security-compile-warns.patch new file mode 100644 index 00000000000..f335f53b79e --- /dev/null +++ b/queue-5.15/tools-latency-collector-fix-wformat-security-compile-warns.patch @@ -0,0 +1,89 @@ +From df73757cf8f66fa54c4721c53b0916af3c4d9818 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 3 Apr 2024 19:10:09 -0600 +Subject: tools/latency-collector: Fix -Wformat-security compile warns +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +commit df73757cf8f66fa54c4721c53b0916af3c4d9818 upstream. + +Fix the following -Wformat-security compile warnings adding missing +format arguments: + +latency-collector.c: In function ‘show_available’: +latency-collector.c:938:17: warning: format not a string literal and +no format arguments [-Wformat-security] + 938 | warnx(no_tracer_msg); + | ^~~~~ + +latency-collector.c:943:17: warning: format not a string literal and +no format arguments [-Wformat-security] + 943 | warnx(no_latency_tr_msg); + | ^~~~~ + +latency-collector.c: In function ‘find_default_tracer’: +latency-collector.c:986:25: warning: format not a string literal and +no format arguments [-Wformat-security] + 986 | errx(EXIT_FAILURE, no_tracer_msg); + | + ^~~~ +latency-collector.c: In function ‘scan_arguments’: +latency-collector.c:1881:33: warning: format not a string literal and +no format arguments [-Wformat-security] + 1881 | errx(EXIT_FAILURE, no_tracer_msg); + | ^~~~ + +Link: https://lore.kernel.org/linux-trace-kernel/20240404011009.32945-1-skhan@linuxfoundation.org + +Cc: stable@vger.kernel.org +Fixes: e23db805da2df ("tracing/tools: Add the latency-collector to tools directory") +Signed-off-by: Shuah Khan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + tools/tracing/latency/latency-collector.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/tracing/latency/latency-collector.c b/tools/tracing/latency/latency-collector.c +index 0fd9c747d396..cf263fe9deaf 100644 +--- a/tools/tracing/latency/latency-collector.c ++++ b/tools/tracing/latency/latency-collector.c +@@ -935,12 +935,12 @@ static void show_available(void) + } + + if (!tracers) { +- warnx(no_tracer_msg); ++ warnx("%s", no_tracer_msg); + return; + } + + if (!found) { +- warnx(no_latency_tr_msg); ++ warnx("%s", no_latency_tr_msg); + tracefs_list_free(tracers); + return; + } +@@ -983,7 +983,7 @@ static const char *find_default_tracer(void) + for (i = 0; relevant_tracers[i]; i++) { + valid = tracer_valid(relevant_tracers[i], ¬racer); + if (notracer) +- errx(EXIT_FAILURE, no_tracer_msg); ++ errx(EXIT_FAILURE, "%s", no_tracer_msg); + if (valid) + return relevant_tracers[i]; + } +@@ -1878,7 +1878,7 @@ static void scan_arguments(int argc, char *argv[]) + } + valid = tracer_valid(current_tracer, ¬racer); + if (notracer) +- errx(EXIT_FAILURE, no_tracer_msg); ++ errx(EXIT_FAILURE, "%s", no_tracer_msg); + if (!valid) + errx(EXIT_FAILURE, + "The tracer %s is not supported by your kernel!\n", current_tracer); +-- +2.45.1 +