From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 21 Aug 2023 18:56:53 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v6.4.12~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d96e0ffec3b0aea6d2a37d0bf84b40afaa452844;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	net-fix-the-rto-timer-retransmitting-skb-every-1ms-if-linear-option-is-enabled.patch
	net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
	virtio-net-set-queues-after-driver_ok.patch
---

diff --git a/queue-5.4/net-fix-the-rto-timer-retransmitting-skb-every-1ms-if-linear-option-is-enabled.patch b/queue-5.4/net-fix-the-rto-timer-retransmitting-skb-every-1ms-if-linear-option-is-enabled.patch
new file mode 100644
index 00000000000..3121ce0c8e3
--- /dev/null
+++ b/queue-5.4/net-fix-the-rto-timer-retransmitting-skb-every-1ms-if-linear-option-is-enabled.patch
@@ -0,0 +1,51 @@
+From e4dd0d3a2f64b8bd8029ec70f52bdbebd0644408 Mon Sep 17 00:00:00 2001
+From: Jason Xing <kernelxing@tencent.com>
+Date: Fri, 11 Aug 2023 10:37:47 +0800
+Subject: net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled
+
+From: Jason Xing <kernelxing@tencent.com>
+
+commit e4dd0d3a2f64b8bd8029ec70f52bdbebd0644408 upstream.
+
+In the real workload, I encountered an issue which could cause the RTO
+timer to retransmit the skb per 1ms with linear option enabled. The amount
+of lost-retransmitted skbs can go up to 1000+ instantly.
+
+The root cause is that if the icsk_rto happens to be zero in the 6th round
+(which is the TCP_THIN_LINEAR_RETRIES value), then it will always be zero
+due to the changed calculation method in tcp_retransmit_timer() as follows:
+
+icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
+
+Above line could be converted to
+icsk->icsk_rto = min(0 << 1, TCP_RTO_MAX) = 0
+
+Therefore, the timer expires so quickly without any doubt.
+
+I read through the RFC 6298 and found that the RTO value can be rounded
+up to a certain value, in Linux, say TCP_RTO_MIN as default, which is
+regarded as the lower bound in this patch as suggested by Eric.
+
+Fixes: 36e31b0af587 ("net: TCP thin linear timeouts")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_timer.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -573,7 +573,9 @@ out_reset_timer:
+ 	    tcp_stream_is_thin(tp) &&
+ 	    icsk->icsk_retransmits <= TCP_THIN_LINEAR_RETRIES) {
+ 		icsk->icsk_backoff = 0;
+-		icsk->icsk_rto = min(__tcp_set_rto(tp), TCP_RTO_MAX);
++		icsk->icsk_rto = clamp(__tcp_set_rto(tp),
++				       tcp_rto_min(sk),
++				       TCP_RTO_MAX);
+ 	} else {
+ 		/* Use normal (exponential) backoff */
+ 		icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
diff --git a/queue-5.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch b/queue-5.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
new file mode 100644
index 00000000000..2c393501ccd
--- /dev/null
+++ b/queue-5.4/net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
@@ -0,0 +1,43 @@
+From d1e0e61d617ba17aa516db707aa871387566bbf7 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Fri, 30 Jun 2023 16:19:11 +0800
+Subject: net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit d1e0e61d617ba17aa516db707aa871387566bbf7 upstream.
+
+According to all consumers code of attrs[XFRMA_SEC_CTX], like
+
+* verify_sec_ctx_len(), convert to xfrm_user_sec_ctx*
+* xfrm_state_construct(), call security_xfrm_state_alloc whose prototype
+is int security_xfrm_state_alloc(.., struct xfrm_user_sec_ctx *sec_ctx);
+* copy_from_user_sec_ctx(), convert to xfrm_user_sec_ctx *
+...
+
+It seems that the expected parsing result for XFRMA_SEC_CTX should be
+structure xfrm_user_sec_ctx, and the current xfrm_sec_ctx is confusing
+and misleading (Luckily, they happen to have same size 8 bytes).
+
+This commit amend the policy structure to xfrm_user_sec_ctx to avoid
+ambiguity.
+
+Fixes: cf5cb79f6946 ("[XFRM] netlink: Establish an attribute policy")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2583,7 +2583,7 @@ static const struct nla_policy xfrma_pol
+ 	[XFRMA_ALG_COMP]	= { .len = sizeof(struct xfrm_algo) },
+ 	[XFRMA_ENCAP]		= { .len = sizeof(struct xfrm_encap_tmpl) },
+ 	[XFRMA_TMPL]		= { .len = sizeof(struct xfrm_user_tmpl) },
+-	[XFRMA_SEC_CTX]		= { .len = sizeof(struct xfrm_sec_ctx) },
++	[XFRMA_SEC_CTX]		= { .len = sizeof(struct xfrm_user_sec_ctx) },
+ 	[XFRMA_LTIME_VAL]	= { .len = sizeof(struct xfrm_lifetime_cur) },
+ 	[XFRMA_REPLAY_VAL]	= { .len = sizeof(struct xfrm_replay_state) },
+ 	[XFRMA_REPLAY_THRESH]	= { .type = NLA_U32 },
diff --git a/queue-5.4/series b/queue-5.4/series
index 275e80dd72a..1e28f9b5cc3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -90,3 +90,6 @@ mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch
 mmc-block-fix-in_flight-value-error.patch
 netfilter-set-default-timeout-to-3-secs-for-sctp-shutdown-send-and-recv-state.patch
 af_unix-fix-null-ptr-deref-in-unix_stream_sendpage.patch
+virtio-net-set-queues-after-driver_ok.patch
+net-fix-the-rto-timer-retransmitting-skb-every-1ms-if-linear-option-is-enabled.patch
+net-xfrm-amend-xfrma_sec_ctx-nla_policy-structure.patch
diff --git a/queue-5.4/virtio-net-set-queues-after-driver_ok.patch b/queue-5.4/virtio-net-set-queues-after-driver_ok.patch
new file mode 100644
index 00000000000..1fec3bf34d1
--- /dev/null
+++ b/queue-5.4/virtio-net-set-queues-after-driver_ok.patch
@@ -0,0 +1,47 @@
+From 51b813176f098ff61bd2833f627f5319ead098a5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 9 Aug 2023 23:12:56 -0400
+Subject: virtio-net: set queues after driver_ok
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 51b813176f098ff61bd2833f627f5319ead098a5 upstream.
+
+Commit 25266128fe16 ("virtio-net: fix race between set queues and
+probe") tries to fix the race between set queues and probe by calling
+_virtnet_set_queues() before DRIVER_OK is set. This violates virtio
+spec. Fixing this by setting queues after virtio_device_ready().
+
+Note that rtnl needs to be held for userspace requests to change the
+number of queues. So we are serialized in this way.
+
+Fixes: 25266128fe16 ("virtio-net: fix race between set queues and probe")
+Reported-by: Dragos Tatulea <dtatulea@nvidia.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3265,8 +3265,6 @@ static int virtnet_probe(struct virtio_d
+ 		}
+ 	}
+ 
+-	_virtnet_set_queues(vi, vi->curr_queue_pairs);
+-
+ 	/* serialize netdev register + virtio_device_ready() with ndo_open() */
+ 	rtnl_lock();
+ 
+@@ -3279,6 +3277,8 @@ static int virtnet_probe(struct virtio_d
+ 
+ 	virtio_device_ready(vdev);
+ 
++	_virtnet_set_queues(vi, vi->curr_queue_pairs);
++
+ 	rtnl_unlock();
+ 
+ 	err = virtnet_cpu_notif_add(vi);