From: Sasha Levin
Date: Mon, 24 Jul 2023 01:25:08 +0000 (-0400)
Subject: Fixes for 5.10
X-Git-Tag: v6.1.41~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9a9386b6230584814a9f402e83d99082089706e;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.10

Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch b/queue-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch
new file mode 100644
index 00000000000..73ffdc1002f
--- /dev/null
+++ b/queue-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch
@@ -0,0 +1,45 @@
+From 902cac1c6b803c5a450ddbc2ebbe6d6bd82b0f0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Apr 2023 12:38:41 +0200
+Subject: ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A
+
+From: Hans de Goede
+
+[ Upstream commit 4fd5556608bfa9c2bf276fc115ef04288331aded ]
+
+The LID0 device on the Nextbook Ares 8A tablet always reports lid
+closed causing userspace to suspend the device as soon as booting
+is complete.
+
+Add a DMI quirk to disable the broken lid functionality.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/button.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c
+index 0d93a5ef4d071..4861aad1a9e93 100644
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -82,6 +82,15 @@ static const struct dmi_system_id dmi_lid_quirks[] = {
+ },
+ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED,
+ },
++ {
++ /* Nextbook Ares 8A tablet, _LID device always reports lid closed */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"),
++ DMI_MATCH(DMI_BIOS_VERSION, "M882"),
++ },
++ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED,
++ },
+ {
+ /*
+ * Medion Akoya E2215T, notification of the LID device only
+--
+2.39.2
+
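Review bot: The three `DMI_MATCH` strings in the new Nextbook Ares 8A entry are short, generic values ("Insyde", "CherryTrail", "M882"), and `DMI_MATCH` is a substring comparison, so the entry may also disable lid handling on other Cherry Trail boards whose BIOS version merely contains "M882". If the full string reported by the tablet is known, `DMI_EXACT_MATCH(DMI_BIOS_VERSION, "<full BIOS version string>")` would narrow it; otherwise the comment should say the substring match is intentional. The same question applies to `DMI_MATCH(DMI_PRODUCT_NAME, "3371")` in the Lenovo ThinkPad X131e video_detect.c quirk later in this series. The quirk table starts and ends outside the hunk.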
diff --git a/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch
new file mode 100644
index 00000000000..ae71ec7cf65
--- /dev/null
+++ b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch
@@ -0,0 +1,43 @@
+From 01075c6cf6a48d97ca8aac446b25865c095c8170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 11:23:58 +0200
+Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3
+
+From: Hans de Goede
+
+[ Upstream commit 48436f2e9834b46b47b038b605c8142a1c07bc85 ]
+
+Linux defaults to picking the non-working ACPI video backlight interface
+on the Apple iMac11,3 .
+
+Add a DMI quirk to pick the working native radeon_bl0 interface instead.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 038542b3a80a7..872b5351f0d8f 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -332,6 +332,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82BK"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Apple iMac11,3 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"),
++ },
++ },
+ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */
+ .callback = video_detect_force_native,
+--
+2.39.2
+
diff --git a/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
new file mode 100644
index 00000000000..f888234733e
--- /dev/null
+++ b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
@@ -0,0 +1,44 @@
+From 2e3c70e11d2fee621784ace25e7fdb1e6d130542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 11:23:59 +0200
+Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e
+ (3371 AMD version)
+
+From: Hans de Goede
+
+[ Upstream commit bd5d93df86a7ddf98a2a37e9c3751e3cb334a66c ]
+
+Linux defaults to picking the non-working ACPI video backlight interface
+on the Lenovo ThinkPad X131e (3371 AMD version).
+
+Add a DMI quirk to pick the working native radeon_bl0 interface instead.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 872b5351f0d8f..b02d381e78483 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -332,6 +332,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82BK"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Lenovo ThinkPad X131e (3371 AMD version) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "3371"),
++ },
++ },
+ {
+ .callback = video_detect_force_native,
+ /* Apple iMac11,3 */
+--
+2.39.2
+
diff --git a/queue-5.10/arm64-mm-fix-va-range-sanity-check.patch b/queue-5.10/arm64-mm-fix-va-range-sanity-check.patch
new file mode 100644
index 00000000000..166e73a5a1c
--- /dev/null
+++ b/queue-5.10/arm64-mm-fix-va-range-sanity-check.patch
@@ -0,0 +1,106 @@
+From 34a94f8f8024cacbb5c3ba4332d0c5de6e2245d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 11:26:28 +0100
+Subject: arm64: mm: fix VA-range sanity check
+
+From: Mark Rutland
+
+[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ]
+
+Both create_mapping_noalloc() and update_mapping_prot() sanity-check
+their 'virt' parameter, but the check itself doesn't make much sense.
+The condition used today appears to be a historical accident.
+
+The sanity-check condition:
+
+ if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+... can only be true for the KASAN shadow region or the module region,
+and there's no reason to exclude these specifically for creating and
+updateing mappings.
+
+When arm64 support was first upstreamed in commit:
+
+ c1cc1552616d0f35 ("arm64: MMU initialisation")
+
+... the condition was:
+
+ if (virt < VMALLOC_START) {
+ [ ... warning here ... ]
+ return;
+ }
+
+At the time, VMALLOC_START was the lowest kernel address, and this was
+checking whether 'virt' would be translated via TTBR1.
+
+Subsequently in commit:
+
+ 14c127c957c1c607 ("arm64: mm: Flip kernel VA space")
+
+... the condition was changed to:
+
+ if ((virt >= VA_START) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+This appear to have been a thinko. The commit moved the linear map to
+the bottom of the kernel address space, with VMALLOC_START being at the
+halfway point. The old condition would warn for changes to the linear
+map below this, and at the time VA_START was the end of the linear map.
+
+Subsequently we cleaned up the naming of VA_START in commit:
+
+ 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END")
+
+... keeping the erroneous condition as:
+
+ if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+Correct the condition to check against the start of the TTBR1 address
+space, which is currently PAGE_OFFSET. This simplifies the logic, and
+more clearly matches the "outside kernel range" message in the warning.
+
+Signed-off-by: Mark Rutland
+Cc: Russell King
+Cc: Steve Capper
+Cc: Will Deacon
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/mm/mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 3284709ef5676..78f9fb638c9cd 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -421,7 +421,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift)
+ static void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt,
+ phys_addr_t size, pgprot_t prot)
+ {
+- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
++ if (virt < PAGE_OFFSET) {
+ pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n",
+ &phys, virt);
+ return;
+@@ -448,7 +448,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
+ static void update_mapping_prot(phys_addr_t phys, unsigned long virt,
+ phys_addr_t size, pgprot_t prot)
+ {
+- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
++ if (virt < PAGE_OFFSET) {
+ pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n",
+ &phys, virt);
+ return;
+--
+2.39.2
+
diff --git a/queue-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch b/queue-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
new file mode 100644
index 00000000000..bc50e880870
--- /dev/null
+++ b/queue-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
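Review bot: The corrected test in create_mapping_noalloc() and update_mapping_prot() carries no comment, and the commit message shows the previous condition survived two renames in a wrong form because its intent was never written next to the code. I would add above each `if (virt < PAGE_OFFSET)` a comment such as `/* PAGE_OFFSET is the start of the TTBR1 (kernel) VA space */`. The check also looks only at `virt`, not at `virt + size`; whether a range that wraps or runs past the intended region can reach these functions is not visible here, since both bodies continue outside the hunks.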
@@ -0,0 +1,166 @@ +From cd8e5d79cab114791c5b98c2d085dd413f493162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 10:04:36 +0900 +Subject: arm64: set __exception_irq_entry with __irq_entry as a default + +From: Youngmin Nam + +[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ] + +filter_irq_stacks() is supposed to cut entries which are related irq entries +from its call stack. +And in_irqentry_text() which is called by filter_irq_stacks() +uses __irqentry_text_start/end symbol to find irq entries in callstack. + +But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", +arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq +between __irqentry_text_start and __irqentry_text_end as we discussed in below link. +https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t + +This problem can makes unintentional deep call stack entries especially +in KASAN enabled situation as below. + +[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity +[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c +[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) +[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c +[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c +[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 +[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 +[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd +[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 +[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 +[ 2479.385969]I[0:launcher-loader: 1719] 
x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 +[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 +[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 +[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 +[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c +[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 +[ 2479.386231]I[0:launcher-loader: 1719] Call trace: +[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c +[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 +[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 +[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 +[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 +[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 +[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c +[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 +[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 +[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 +[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 +[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c +[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 +[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c +[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 +[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 +[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c +[ 2479.386754]I[0:launcher-loader: 1719] 
scsi_end_request+0x50/0x304 +[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 +[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 +[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158 +[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c +[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0 +[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20 +[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c +[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150 +[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c +[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348 +[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74 +[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0 +[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240 +[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0 +[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28 +[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158 +[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54 +[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0 +[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68 +[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24 +[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c +[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170 +[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98 +[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40 +[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138 +[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0 +[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804 +[ 
2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180 +[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4 +[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c +[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c +[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac +[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288 +[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c +[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364 +[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8 +[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8 +[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24 +[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c +[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c +[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0 +[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54 +[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158 +[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134 +[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114 +[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80 +[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114 +[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194 +[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ... + +So let's set __exception_irq_entry with __irq_entry as a default. +Applying this patch, we can see gic_hande_irq is included in Systemp.map as below. 
+ +* Before +ffffffc008010000 T __do_softirq +ffffffc008010000 T __irqentry_text_end +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T __softirqentry_text_start +ffffffc008010000 T _stext +ffffffc00801066c T __softirqentry_text_end +ffffffc008010670 T __entry_text_start + +* After +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T _stext +ffffffc008010000 t gic_handle_irq +ffffffc00801013c t gic_handle_irq +ffffffc008010294 T __irqentry_text_end +ffffffc008010298 T __do_softirq +ffffffc008010298 T __softirqentry_text_start +ffffffc008010904 T __softirqentry_text_end +ffffffc008010908 T __entry_text_start + +Signed-off-by: Youngmin Nam +Signed-off-by: SEO HOYOUNG +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/exception.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h +index 0756191f44f64..59c3facb8a560 100644 +--- a/arch/arm64/include/asm/exception.h ++++ b/arch/arm64/include/asm/exception.h +@@ -8,16 +8,11 @@ + #define __ASM_EXCEPTION_H + + #include +-#include + #include + + #include + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER + #define __exception_irq_entry __irq_entry +-#else +-#define __exception_irq_entry __kprobes +-#endif + + static inline u32 disr_to_esr(u64 disr) + { +-- +2.39.2 + diff --git a/queue-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch new file mode 100644 index 00000000000..ddf2371b569 --- /dev/null +++ b/queue-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch 
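Review bot: With the `#else` branch removed, `__exception_irq_entry` no longer expands to `__kprobes` in any configuration, so handlers tagged with it stay unprobeable only if `.irqentry.text` is covered by the architecture's kprobe blacklist on this 5.10 tree; that is not visible in the hunk and is worth confirming for the backport. A one-line comment above the define, e.g. `/* always in .irqentry.text so filter_irq_stacks() can cut IRQ frames */`, would record why the conditional was dropped. The deleted `#include` may also have been relied on transitively by files that include this header, which a build of the 5.10 configurations would show.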
@@ -0,0 +1,177 @@ +From 5e0a92ea5cd4596e18185aefba581c0682149ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 
11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } 
+ + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node 
*)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 6b12f06ee18c3..9c12ee453c616 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -63,11 +63,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/queue-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/queue-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch new file mode 100644 index 00000000000..bffca1287de --- /dev/null +++ b/queue-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch 
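Review bot: The bpf_lru_list.h hunk deletes the comment explaining that `ref` is only an approximation of access frequency, yet the new `READ_ONCE()`/`WRITE_ONCE()` pair in bpf_lru_node_set_ref() is still a lockless check-then-set, not an atomic update. Keeping a short comment such as `/* ref is an access-frequency hint; the _ONCE accessors only mark the lockless access, a lost update is acceptable */` would stop a later reader from assuming stronger guarantees. In bpf_percpu_lru_pop_free() the added `bpf_lru_node_clear_ref(node);` is followed directly by `__bpf_lru_node_move()`, which per its own hunk clears `ref` again, so that call looks redundant.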
@@ -0,0 +1,71 @@ +From 6de5f7786c7355b0e715b0576e11f5e207a88a2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 08:44:49 -0700 +Subject: bridge: Add extack warning when enabling STP in netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ] + +When we create an L2 loop on a bridge in netns, we will see packets storm +even if STP is enabled. + + # unshare -n + # ip link add br0 type bridge + # ip link add veth0 type veth peer name veth1 + # ip link set veth0 master br0 up + # ip link set veth1 master br0 up + # ip link set br0 type bridge stp_state 1 + # ip link set br0 up + # sleep 30 + # ip -s link show br0 + 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 + link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff + RX: bytes packets errors dropped missed mcast + 956553768 12861249 0 0 0 12861249 <-. Keep + TX: bytes packets errors dropped carrier collsns | increasing + 1027834 11951 0 0 0 0 <-' rapidly + +This is because llc_rcv() drops all packets in non-root netns and BPDU +is dropped. + +Let's add extack warning when enabling STP in netns. + + # unshare -n + # ip link add br0 type bridge + # ip link set br0 type bridge stp_state 1 + Warning: bridge: STP does not work in non-root netns. + +Note this commit will be reverted later when we namespacify the whole LLC +infra. + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Suggested-by: Harry Coin +Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/ +Suggested-by: Ido Schimmel +Signed-off-by: Kuniyuki Iwashima +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_stp_if.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index ba55851fe132c..3326dfced68ab 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, + { + ASSERT_RTNL(); + ++ if (!net_eq(dev_net(br->dev), &init_net)) ++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns"); ++ + if (br_mrp_enabled(br)) { + NL_SET_ERR_MSG_MOD(extack, + "STP can't be enabled if MRP is already enabled"); +-- +2.39.2 + diff --git a/queue-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch b/queue-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch new file mode 100644 index 00000000000..e414278a044 --- /dev/null +++ b/queue-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch 
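Review bot: The new netns check in br_stp_set_enabled() does not look at `val`, so the "STP does not work in non-root netns" message is also attached when the request turns STP off, assuming a zero `val` means disable (the rest of the function is outside the hunk). `if (val && !net_eq(dev_net(br->dev), &init_net))` would limit it to the enable path. The message is advisory only: the function carries on and, per the commit message, BPDUs are still dropped in that namespace, so a caller that passes no `extack` gets no indication that loop protection is ineffective.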
@@ -0,0 +1,59 @@ +From e5ee8c5207d9f24f23793dfd48a8e455cc585c98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 00:06:02 +0200 +Subject: btrfs: add xxhash to fast checksum implementations + +From: David Sterba + +[ Upstream commit efcfcbc6a36195c42d98e0ee697baba36da94dc8 ] + +The implementation of XXHASH is now CPU only but still fast enough to be +considered for the synchronous checksumming, like non-generic crc32c. + +A userspace benchmark comparing it to various implementations (patched +hash-speedtest from btrfs-progs): + + Block size: 4096 + Iterations: 1000000 + Implementation: builtin + Units: CPU cycles + + NULL-NOP: cycles: 73384294, cycles/i 73 + NULL-MEMCPY: cycles: 228033868, cycles/i 228, 61664.320 MiB/s + CRC32C-ref: cycles: 24758559416, cycles/i 24758, 567.950 MiB/s + CRC32C-NI: cycles: 1194350470, cycles/i 1194, 11773.433 MiB/s + CRC32C-ADLERSW: cycles: 6150186216, cycles/i 6150, 2286.372 MiB/s + CRC32C-ADLERHW: cycles: 626979180, cycles/i 626, 22427.453 MiB/s + CRC32C-PCL: cycles: 466746732, cycles/i 466, 30126.699 MiB/s + XXHASH: cycles: 860656400, cycles/i 860, 16338.188 MiB/s + +Comparing purely software implementation (ref), current outdated +accelerated using crc32q instruction (NI), optimized implementations by +M. Adler (https://stackoverflow.com/questions/17645167/implementing-sse-4-2s-crc32c-in-software/17646775#17646775) +and the best one that was taken from kernel using the PCLMULQDQ +instruction (PCL). 
+ +Reviewed-by: Christoph Hellwig +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 5a114cad988a6..608b939a4d287 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2256,6 +2256,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type) + if (!strstr(crypto_shash_driver_name(csum_shash), "generic")) + set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); + break; ++ case BTRFS_CSUM_TYPE_XXHASH: ++ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags); ++ break; + default: + break; + } +-- +2.39.2 + diff --git a/queue-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch b/queue-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch new file mode 100644 index 00000000000..254c321a533 --- /dev/null +++ b/queue-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch 
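Review bot: The new `BTRFS_CSUM_TYPE_XXHASH` case sets `BTRFS_FS_CSUM_IMPL_FAST` unconditionally, while the case just above it in the context lines first checks the driver name for "generic"; the reason for the difference is only in the commit message. A comment inside the case, e.g. `/* xxhash is CPU-only but fast enough for synchronous checksumming */`, would keep the two cases from reading as an inconsistency. The switch in btrfs_init_csum_hash() begins outside the hunk.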
@@ -0,0 +1,74 @@
+From 32748b662883f68786bcaa72bb6bfd10a9f599b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jun 2023 19:19:02 +0900
+Subject: debugobjects: Recheck debug_objects_enabled before reporting
+
+From: Tetsuo Handa
+
+[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ]
+
+syzbot is reporting false a positive ODEBUG message immediately after
+ODEBUG was disabled due to OOM.
+
+ [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled
+ [ 1062.886755][ T5171] ------------[ cut here ]------------
+ [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40
+
+ CPU 0 [ T5171] CPU 1 [T22911]
+ -------------- --------------
+ debug_object_assert_init() {
+ if (!debug_objects_enabled)
+ return;
+ db = get_bucket(addr);
+ lookup_object_or_alloc() {
+ debug_objects_enabled = 0;
+ return NULL;
+ }
+ debug_objects_oom() {
+ pr_warn("Out of memory. ODEBUG disabled\n");
+ // all buckets get emptied here, and
+ }
+ lookup_object_or_alloc(addr, db, descr, false, true) {
+ // this bucket is already empty.
+ return ERR_PTR(-ENOENT);
+ }
+ // Emits false positive warning.
+ debug_print_object(&o, "assert_init");
+ }
+
+Recheck debug_object_enabled in debug_print_object() to avoid that.
+
+Reported-by: syzbot
+Suggested-by: Thomas Gleixner
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp
+Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf
+Signed-off-by: Sasha Levin
+---
+ lib/debugobjects.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 4c39678c03ee5..4dd9283f6fea0 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -501,6 +501,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg)
+ const struct debug_obj_descr *descr = obj->descr;
+ static int limit;
+
++ /*
++ * Don't report if lookup_object_or_alloc() by the current thread
++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a
++ * concurrent thread turned off debug_objects_enabled and cleared
++ * the hash buckets.
++ */
++ if (!debug_objects_enabled)
++ return;
++
+ if (limit < 5 && descr != descr_test) {
+ void *hint = descr->debug_hint ?
+ descr->debug_hint(obj->object) : NULL;
+--
+2.39.2
+
diff --git a/queue-5.10/devlink-report-devlink_port_type_warn-source-device.patch b/queue-5.10/devlink-report-devlink_port_type_warn-source-device.patch
new file mode 100644
index 00000000000..566bcbe0d2d
--- /dev/null
+++ b/queue-5.10/devlink-report-devlink_port_type_warn-source-device.patch
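Review bot: The added `if (!debug_objects_enabled) return;` at the top of debug_print_object() is a plain read, and the new comment does not say what guarantees that the cleared flag is visible by the time this thread sees the emptied bucket. The diagram in the commit message shows the flag being cleared before the buckets are emptied, but what orders the two for the reader is not visible in the hunk. I would extend the comment with the invariant, for example `* The flag is cleared before the buckets are emptied, so a lookup that failed for that reason sees it cleared here.`, and confirm which lock or barrier provides it. If the intent is a single deliberate sample of a concurrently written flag, `READ_ONCE(debug_objects_enabled)` would state that in code. The rest of the function is outside the hunk.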
@@ -0,0 +1,77 @@ +From e7d166b5c82648002081a09c389843d2cfc48436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 
Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 
+ +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 72047750dcd96..00c6944ed6342 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -8092,7 +8092,10 @@ EXPORT_SYMBOL_GPL(devlink_free); + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/queue-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..e778fed7956 --- /dev/null +++ b/queue-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch 
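Review bot: The format string passed to `dev_warn()` in devlink_port_type_warn() has no trailing newline, so the record relies on printk's implicit line termination. The line should read `dev_warn(port->devlink->dev, "Type was not set for devlink port.\n");`. Replacing `WARN()` also removes the stack trace and the message no longer trips panic_on_warn; that looks intended from the commit message, but log-based alerting that matched the old "WARNING: ... devlink_port_type_warn" splat will need to match the new device-prefixed line instead.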
@@ -0,0 +1,40 @@
+From 9894aa1babc71aab7693e057a671037408cf7e37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 Jul 2023 16:16:56 +0800
+Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
+
+From: Zhang Shurong
+
+[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ]
+
+This func misses checking for platform_get_irq()'s call and may passes the
+negative error codes to request_irq(), which takes unsigned IRQ #,
+causing it to fail with -EINVAL, overriding an original error code.
+
+Fix this by stop calling request_irq() with invalid IRQ #s.
+
+Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ")
+Signed-off-by: Zhang Shurong
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index a8a0a448cdb5e..80f54111baec1 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev)
+
+ /* Now hook interrupt too */
+ irq = platform_get_irq(dev, 0);
++ if (irq < 0)
++ return irq;
++
+ ret = request_irq(irq, au1200fb_handle_irq,
+ IRQF_SHARED, "lcd", (void *)dev);
+ if (ret) {
+--
+2.39.2
+
diff --git a/queue-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch
new file mode 100644
index 00000000000..da7b5d56f8a
--- /dev/null
+++ b/queue-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch
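Review bot: The new `if (irq < 0) return irq;` in au1200fb_drv_probe() returns straight out of probe, whereas the request_irq() failure a few lines later enters an `if (ret) {` block that presumably unwinds what probe has set up so far. If earlier parts of the function allocated or registered anything (not visible in this hunk), the direct return leaks it. Assigning `ret = irq;` and taking the same error path as the request_irq() failure would keep the unwinding in one place. The function starts and ends outside the hunk, so this needs checking against the full body.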
@@ -0,0 +1,43 @@
+From 5fc5ae5bcfe10fe347c46c27342375d3544466b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 15:24:37 +0200
+Subject: fbdev: imxfb: warn about invalid left/right margin
+
+From: Martin Kaiser
+
+[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ]
+
+Warn about invalid var->left_margin or var->right_margin. Their values
+are read from the device tree.
+
+We store var->left_margin-3 and var->right_margin-1 in register
+fields. These fields should be >= 0.
+
+Fixes: 7e8549bcee00 ("imxfb: Fix margin settings")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/imxfb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index 564bd0407ed81..d663e080b1571 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -602,10 +602,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf
+ if (var->hsync_len < 1 || var->hsync_len > 64)
+ printk(KERN_ERR "%s: invalid hsync_len %d\n",
+ info->fix.id, var->hsync_len);
+- if (var->left_margin > 255)
++ if (var->left_margin < 3 || var->left_margin > 255)
+ printk(KERN_ERR "%s: invalid left_margin %d\n",
+ info->fix.id, var->left_margin);
+- if (var->right_margin > 255)
++ if (var->right_margin < 1 || var->right_margin > 255)
+ printk(KERN_ERR "%s: invalid right_margin %d\n",
+ info->fix.id, var->right_margin);
+ if (var->yres < 1 || var->yres > ymax_mask)
+--
+2.39.2
+
diff --git a/queue-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/queue-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
new file mode 100644
index 00000000000..a28196c8c5a
--- /dev/null
+++ b/queue-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
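Review bot: The widened checks in imxfb_activate_var() (`var->left_margin < 3`, `var->right_margin < 1`) only print an error; as far as this hunk shows, execution continues, and per the commit message `left_margin - 3` and `right_margin - 1` are then stored in register fields, where an out-of-range value wraps. Since the function returns int, following each message with `return -EINVAL;` would stop a bad device-tree value from reaching the hardware. The members are printed with `%d`; if they are unsigned, `%u` is the matching specifier. The function continues outside the hunk, so whether a later check already rejects these values cannot be seen here.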
@@ -0,0 +1,160 @@ +From 28c24578bfd5042256efc1c91c6b3c8408b18260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) 
+ + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? 
__check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 4680a2fe6d3cc..05cd70579c169 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -968,7 +968,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/queue-5.10/iavf-fix-use-after-free-in-free_netdev.patch b/queue-5.10/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..e66f5d182ad --- /dev/null +++ b/queue-5.10/iavf-fix-use-after-free-in-free_netdev.patch 
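Review bot: The timeout branch in iavf_set_channels() now clears `adapter->num_req_queues` with no comment, and the reason (the reset never completed, so num_active_queues has to keep describing the rings that are actually allocated) is only in the commit message. I would add `/* reset timed out: keep num_active_queues as allocated and drop the pending request */` above the assignment. The branch still returns -EOPNOTSUPP for what is a timeout; an errno such as -ETIMEDOUT would describe it better, though that is visible to user space and may be out of scope for a stable backport. The function starts and ends outside the hunk.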
@@ -0,0 +1,215 @@ +From 7aa9176369e824ba7c0892a9ca686a5b70b08713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? 
free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? 
page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] 
kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. 
+ +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index e45f3a1a11f36..b64801bc216bb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1377,19 +1377,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/queue-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..e4a166a1081 --- /dev/null +++ b/queue-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch 
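Review bot: With the `q_idx < napi_vectors` filter gone, iavf_free_q_vectors() depends entirely on `num_q_vectors = adapter->num_msix_vectors - NONQ_VECS` being the same count that was used when q_vectors[] was allocated; if num_msix_vectors can change between allocation and free, the loop would run past the array or skip entries, which is the same class of bug this patch fixes. The allocation side is not in the hunk, so this is a question rather than a finding. A comment on the loop would record the invariant: `/* netif_napi_add() was called for every allocated q_vector, so delete all of them */`. The loop body is now a single statement and could drop the local: `netif_napi_del(&adapter->q_vectors[q_idx].napi);`.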
@@ -0,0 +1,89 @@ +From d1b5b76e89bade94a485030ca38a1277811a7f78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? 
kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c5f465814dec3..4465982100127 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9453,6 +9453,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/queue-5.10/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-5.10/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..7a19c410245 --- /dev/null +++ b/queue-5.10/llc-don-t-drop-packet-from-non-root-netns.patch 
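Review bot: The new early return in igb_io_error_detected() logs with `dev_warn()` on every non-fatal error, and a marginal link or dock can report these repeatedly, so the message can flood the kernel log and push out other records. `dev_warn_ratelimited(&pdev->dev, "Non-correctable non-fatal error reported.\n");` keeps the signal without the volume. Returning PCI_ERS_RESULT_CAN_RECOVER also hands control to the driver's next recovery callback if it registers one, which is not visible in this hunk; it is worth confirming that path behaves when the interface was never detached. The function continues outside the hunk.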
@@ -0,0 +1,50 @@
+From e974d01b88c768b3a302a923ee7e765b39fccbd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 10:41:51 -0700
+Subject: llc: Don't drop packet from non-root netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
+
+Now these upper layer protocol handlers can be called from llc_rcv()
+as sap->rcv_func(), which is registered by llc_sap_open().
+
+ * function which is passed to register_8022_client()
+ -> no in-kernel user calls register_8022_client().
+
+ * snap_rcv()
+ `- proto->rcvfunc() : registered by register_snap_client()
+ -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
+
+ * stp_pdu_rcv()
+ `- garp_protos[]->rcv() : registered by stp_proto_register()
+ -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
+
+So, we can safely remove the netns restriction in llc_rcv().
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/llc/llc_input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index c309b72a58779..7cac441862e21 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
+
+- if (!net_eq(dev_net(dev), &init_net))
+- goto drop;
+-
+ /*
+ * When the interface is in promisc. mode, drop all the crap that it
+ * receives, do not try to analyse it.
+--
+2.39.2
+
diff --git a/queue-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/queue-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
new file mode 100644
index 00000000000..bf2f64db534
--- /dev/null
+++ b/queue-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
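Review bot: Removing the `net_eq(dev_net(dev), &init_net)` guard from llc_rcv() makes the rest of the LLC receive path reachable by frames arriving on devices in any network namespace, including namespaces an unprivileged user can create where user namespaces are enabled. The commit message audits the upper-layer handlers (snap, stp) but not LLC's own station and SAP handling that llc_rcv() dispatches to through `sta_handler` and `sap_handler`; whether that code keeps its state per namespace cannot be seen from this hunk. A short comment where the guard used to be would record the assumption, e.g. `/* no netns filter here: every handler reached from this point must be netns-aware */`. The function body continues outside the hunk.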
@@ -0,0 +1,60 @@ +From aa794f5655fbe55a4c5b1f73f22077511a6a7447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:56:07 +0800 +Subject: md: fix data corruption for raid456 when reshape restart while grow + up + +From: Yu Kuai + +[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] + +Currently, if reshape is interrupted, echo "reshape" to sync_action will +restart reshape from scratch, for example: + +echo frozen > sync_action +echo reshape > sync_action + +This will corrupt data before reshape_position if the array is growing, +fix the problem by continue reshape from reshape_position. + +Reported-by: Peter Neuwirth +Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index bbf39abc32b79..ae0a857d6076a 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4890,11 +4890,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) + return -EINVAL; + err = mddev_lock(mddev); + if (!err) { +- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { + err = -EBUSY; +- else { ++ } else if (mddev->reshape_position == MaxSector || ++ mddev->pers->check_reshape == NULL || ++ mddev->pers->check_reshape(mddev)) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + err = mddev->pers->start_reshape(mddev); ++ } else { ++ /* ++ * If reshape is still in progress, and ++ * md_check_recovery() can continue to reshape, ++ * don't restart reshape because data can be ++ * corrupted for raid456. ++ */ ++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + } + mddev_unlock(mddev); + } +-- +2.39.2 + 
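Review bot: The new `else if` in action_store() sends a non-zero return from `check_reshape()` down the same path as "no reshape pending", straight into `start_reshape()`, and the only comment sits in the final else branch. A reader cannot tell from these lines whether a failing check_reshape() is meant to trigger a fresh start or is an error that should be reported. Suggest a comment above the condition, for example `/* nothing to resume, or the personality cannot resume it: start a new reshape */`. If a failure of check_reshape() should not restart the reshape, that case needs its own branch returning the error. action_store() begins and ends outside the hunk.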
diff --git a/queue-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/queue-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch
new file mode 100644
index 00000000000..93879f61a6c
--- /dev/null
+++ b/queue-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch
@@ -0,0 +1,79 @@ +From ce0f5dd6857f9bc9ed16056cd85019a75757c467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. 
+ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 32a917e5103a6..55144f7d93037 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -902,6 +902,7 @@ static void flush_pending_writes(struct r10conf *conf) + else + submit_bio_noacct(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1095,6 +1096,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + else + submit_bio_noacct(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/queue-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/queue-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch new file mode 100644 index 00000000000..225042ddc7c --- /dev/null +++ b/queue-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch 
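Review bot: The `cond_resched()` added to the loop in raid10_unplug() sits in a callback whose signature carries `from_schedule`, and the hunk does not show what keeps this loop from running when that flag is true. If an earlier return (outside the hunk) already diverts the from_schedule case, a short comment would make the sleeping call obviously safe, e.g. `/* not reached with from_schedule set, so yielding is allowed here */`. If there is no such guard, the call needs to be conditional on `!from_schedule`. The same call in flush_pending_writes() has no such concern as far as the visible lines show.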
@@ -0,0 +1,41 @@
+From 1ee913770b2755306f0e129a4ebf089b59039b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 20:21:59 +0800
+Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add
+
+From: Zhong Jinghua
+
+[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ]
+
+If the index allocated by idr_alloc greater than MINORMASK >> part_shift,
+the device number will overflow, resulting in failure to create a block
+device.
+
+Fix it by imiting the size of the max allocation.
+
+Signed-off-by: Zhong Jinghua
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/nbd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index b6940f0a9c905..e0f805ca0e727 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1723,7 +1723,8 @@ static int nbd_dev_add(int index)
+ if (err == -ENOSPC)
+ err = -EEXIST;
+ } else {
+- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL);
++ err = idr_alloc(&nbd_index_idr, nbd, 0,
++ (MINORMASK >> part_shift) + 1, GFP_KERNEL);
+ if (err >= 0)
+ index = err;
+ }
+--
+2.39.2
+
diff --git a/queue-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
new file mode 100644
index 00000000000..d9ce3cf8416
--- /dev/null
+++ b/queue-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
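Review bot: The new upper bound in nbd_dev_add() covers only the auto-allocate branch; the branch above it, of which only the `-ENOSPC` to `-EEXIST` mapping is visible, allocates an index chosen by the caller. If that index is not range-checked elsewhere, a value above `MINORMASK >> part_shift` would overflow the minor number in exactly the way the commit message describes. Suggest a check such as `index > (MINORMASK >> part_shift)` ahead of the allocation in that branch, failing through the function's existing error unwinding. The function starts and continues outside the hunk, so such a check may already exist there.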
@@ -0,0 +1,78 @@ +From 96ea5ecf20426f959f93f844b16d3582f11c6c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index a6a455c326288..73efc8b453643 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -104,23 +104,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, 
u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/queue-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch b/queue-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch new file mode 100644 index 00000000000..e00f5e14e6d --- /dev/null +++ b/queue-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch 
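Review bot: In both helpers the shift for the upper word is computed after `idx2` has been flipped, so `(idx2 * 32) - start` uses the array index rather than the logical word number. For a field crossing from word 0 into word 1 the two are equal (the flip maps 1 to 1), but for a field crossing bit 64 the flipped `idx2` is 0 and the expression becomes `0 - start` in unsigned arithmetic, a shift count of 32 or more, which is undefined behaviour. In cpsw_ale_set_field() the same value also feeds `BITMASK(bits + start - (idx2 * 32))`. Whether any ALE field actually straddles bit 64 is not visible here, but the commit message says fields may span two words, so the shift should be taken from the unflipped index as below.

```c
/* cpsw_ale_get_field(): derive the shift from the logical word, then flip */
if (idx != idx2) {
	u32 hi_shift = (idx2 * 32) - start;

	idx2 = 2 - idx2; /* flip */
	hi_val = ale_entry[idx2] << hi_shift;
}
/* … unchanged: low-word extraction and final mask … */

/* cpsw_ale_set_field(): same ordering */
if (idx != idx2) {
	u32 hi_shift = (idx2 * 32) - start;

	idx2 = 2 - idx2; /* flip */
	ale_entry[idx2] &= ~(BITMASK(bits - hi_shift));
	ale_entry[idx2] |= (value >> hi_shift);
}
/* … unchanged: low-word clear and set … */
```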
@@ -0,0 +1,99 @@ +From ae21150f40b0f78661a99973150ac17b5503fced Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 21:32:14 +0900 +Subject: net: Introduce net.ipv4.tcp_migrate_req. + +From: Kuniyuki Iwashima + +[ Upstream commit f9ac779f881c2ec3d1cdcd7fa9d4f9442bf60e80 ] + +This commit adds a new sysctl option: net.ipv4.tcp_migrate_req. If this +option is enabled or eBPF program is attached, we will be able to migrate +child sockets from a listener to another in the same reuseport group after +close() or shutdown() syscalls. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Daniel Borkmann +Reviewed-by: Benjamin Herrenschmidt +Reviewed-by: Eric Dumazet +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20210612123224.12525-2-kuniyu@amazon.co.jp +Stable-dep-of: 3a037f0f3c4b ("tcp: annotate data-races around icsk->icsk_syn_retries") +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.rst | 25 +++++++++++++++++++++++++ + include/net/netns/ipv4.h | 1 + + net/ipv4/sysctl_net_ipv4.c | 9 +++++++++ + 3 files changed, 35 insertions(+) + +diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst +index df26cf4110ef5..252212998378e 100644 +--- a/Documentation/networking/ip-sysctl.rst ++++ b/Documentation/networking/ip-sysctl.rst +@@ -713,6 +713,31 @@ tcp_syncookies - INTEGER + network connections you can set this knob to 2 to enable + unconditionally generation of syncookies. + ++tcp_migrate_req - BOOLEAN ++ The incoming connection is tied to a specific listening socket when ++ the initial SYN packet is received during the three-way handshake. ++ When a listener is closed, in-flight request sockets during the ++ handshake and established sockets in the accept queue are aborted. ++ ++ If the listener has SO_REUSEPORT enabled, other listeners on the ++ same port should have been able to accept such connections. 
This ++ option makes it possible to migrate such child sockets to another ++ listener after close() or shutdown(). ++ ++ The BPF_SK_REUSEPORT_SELECT_OR_MIGRATE type of eBPF program should ++ usually be used to define the policy to pick an alive listener. ++ Otherwise, the kernel will randomly pick an alive listener only if ++ this option is enabled. ++ ++ Note that migration between listeners with different settings may ++ crash applications. Let's say migration happens from listener A to ++ B, and only B has TCP_SAVE_SYN enabled. B cannot read SYN data from ++ the requests migrated from A. To avoid such a situation, cancel ++ migration by returning SK_DROP in the type of eBPF program, or ++ disable this option. ++ ++ Default: 0 ++ + tcp_fastopen - INTEGER + Enable TCP Fast Open (RFC7413) to send and accept data in the opening + SYN packet. +diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h +index 4a4a5270ff6f2..9b0d8649ae5b8 100644 +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -131,6 +131,7 @@ struct netns_ipv4 { + u8 sysctl_tcp_syn_retries; + u8 sysctl_tcp_synack_retries; + u8 sysctl_tcp_syncookies; ++ u8 sysctl_tcp_migrate_req; + int sysctl_tcp_reordering; + u8 sysctl_tcp_retries1; + u8 sysctl_tcp_retries2; +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 5aa8bde3e9c8e..59ba518a85b9c 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -878,6 +878,15 @@ static struct ctl_table ipv4_net_table[] = { + .proc_handler = proc_dou8vec_minmax, + }, + #endif ++ { ++ .procname = "tcp_migrate_req", ++ .data = &init_net.ipv4.sysctl_tcp_migrate_req, ++ .maxlen = sizeof(u8), ++ .mode = 0644, ++ .proc_handler = proc_dou8vec_minmax, ++ .extra1 = SYSCTL_ZERO, ++ .extra2 = SYSCTL_ONE ++ }, + { + .procname = "tcp_reordering", + .data = &init_net.ipv4.sysctl_tcp_reordering, +-- +2.39.2 + 
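Review bot: The text added to ip-sysctl.rst describes request migration between reuseport listeners, but the code hunks only add the `sysctl_tcp_migrate_req` field and its `ipv4_net_table` entry; nothing visible reads the value. The patch is tagged Stable-dep-of, so unless the rest of the migration series is also queued, 5.10 would expose a writable 0644 per-netns knob that changes nothing while documenting behaviour the kernel does not have. An administrator reading the documentation could rely on a failover property that is absent. Suggest dropping the documentation hunk from this backport or stating in the added text that the option has no effect in this tree.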
diff --git a/queue-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/queue-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
new file mode 100644
index 00000000000..acae9d867aa
--- /dev/null
+++ b/queue-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
@@ -0,0 +1,38 @@
+From 8a36b7e84c4f11a95dcae5ff1a0ca5c7f8d64669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 17:59:19 +0800
+Subject: net: ipv4: Use kfree_sensitive instead of kfree
+
+From: Wang Ming
+
+[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ]
+
+key might contain private part of the key, so better use
+kfree_sensitive to free it.
+
+Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP")
+Signed-off-by: Wang Ming
+Reviewed-by: Tariq Toukan
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index 20d7381378418..28252029bd798 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -1134,7 +1134,7 @@ static int esp_init_authenc(struct xfrm_state *x)
+ err = crypto_aead_setkey(aead, key, keylen);
+
+ free_key:
+- kfree(key);
++ kfree_sensitive(key);
+
+ error:
+ return err;
+--
+2.39.2
+
diff --git a/queue-5.10/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-5.10/net-ipv6-check-return-value-of-pskb_trim.patch
new file mode 100644
index 00000000000..2234befecca
--- /dev/null
+++ b/queue-5.10/net-ipv6-check-return-value-of-pskb_trim.patch
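Review bot: The change to `kfree_sensitive(key)` at the `free_key:` label in esp_init_authenc() covers the IPv4 ESP path only. net/ipv6/esp6.c is not part of this patch; if its authenc setup assembles the key buffer the same way, the key material would still be returned to the allocator unwiped there and would need the same one-line change, `kfree_sensitive(key);`. A short comment at the label would also help, e.g. `/* key holds the combined auth+enc key material: wipe before freeing */`. The function body starts outside the hunk, so how the buffer is filled is inferred from the commit message.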
@@ -0,0 +1,39 @@ +From 68600431fa18bb9f24aeb659ce4fe926f3c5535a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 7b50e1811678e..2df1036330f80 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + diff --git a/queue-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/queue-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch new file mode 100644 index 00000000000..6950148c07f --- /dev/null +++ b/queue-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch 
@@ -0,0 +1,74 @@ +From ecaeaa4a0f90773cee09db5c81fc5c4032f37e41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 03:02:31 +0300 +Subject: net: phy: prevent stale pointer dereference in phy_init() + +From: Vladimir Oltean + +[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] + +mdio_bus_init() and phy_driver_register() both have error paths, and if +those are ever hit, ethtool will have a stale pointer to the +phy_ethtool_phy_ops stub structure, which references memory from a +module that failed to load (phylib). + +It is probably hard to force an error in this code path even manually, +but the error teardown path of phy_init() should be the same as +phy_exit(), which is now simply not the case. + +Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") +Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index e771e0e8a9bc6..095d16ceafcf8 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3024,23 +3024,30 @@ static int __init phy_init(void) + { + int rc; + ++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); ++ + rc = mdio_bus_init(); + if (rc) +- return rc; ++ goto err_ethtool_phy_ops; + +- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); + features_init(); + + rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); + if (rc) +- goto err_c45; ++ goto err_mdio_bus; + + rc = phy_driver_register(&genphy_driver, THIS_MODULE); +- if (rc) { +- phy_driver_unregister(&genphy_c45_driver); ++ if (rc) ++ goto err_c45; ++ ++ return 0; ++ + err_c45: +- mdio_bus_exit(); +- } ++ 
phy_driver_unregister(&genphy_c45_driver); ++err_mdio_bus: ++ mdio_bus_exit(); ++err_ethtool_phy_ops: ++ ethtool_set_ethtool_phy_ops(NULL); + + return rc; + } +-- +2.39.2 + diff --git a/queue-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch new file mode 100644 index 00000000000..804f23f75e9 --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch 
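Review bot: `ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops)` now runs before `mdio_bus_init()` and `features_init()`, so the ops pointer is published while the rest of phylib is still initialising; previously it was set only after mdio_bus_init() had succeeded. The commit message explains the goal of mirroring phy_exit() on the error path, but nothing in phy_init() says why early publication is safe. If the reasoning is that these ops are only reached through an attached PHY device, which cannot exist yet, a comment should record it, e.g. `/* set first so the unwind mirrors phy_exit(); the ops need an attached phydev to be called */`. If that does not hold, the call should stay after mdio_bus_init() and only the unwind labels should change.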
@@ -0,0 +1,64 @@ +From 5103fefc2d79d684a4a836a73788f1a9d0f3ad70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 01:30:33 +0200 +Subject: netfilter: nf_tables: can't schedule in nft_chain_validate + +From: Florian Westphal + +[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] + +Can be called via nft set element list iteration, which may acquire +rcu and/or bh read lock (depends on set type). + +BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +2 locks held by nft/1232: + #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid + #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire +Call Trace: + nft_chain_validate + nft_lookup_validate_setelem + nft_pipapo_walk + nft_lookup_validate + nft_chain_validate + nft_immediate_validate + nft_chain_validate + nf_tables_validate + nf_tables_abort + +No choice but to move it to nf_tables_validate(). + +Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 9c3a9e3f1ede9..a8d316a58e44c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3276,8 +3276,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) + if (err < 0) + return err; + } +- +- cond_resched(); + } + + return 0; +@@ -3301,6 +3299,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) + err = nft_chain_validate(&ctx, chain); + if (err < 0) + return err; ++ ++ cond_resched(); + } + + return 0; +-- +2.39.2 + 
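Review bot: With `cond_resched()` removed from the per-rule loop in nft_chain_validate(), validating a single chain, including everything reached through jumps and set-element walks as in the quoted trace, has no rescheduling point; only the per-chain loop in nft_table_validate() yields. The commit message gives the reason (the function can run under an RCU or BH read lock), but the code does not, so a later soft-lockup fix could put the call back. Suggest a comment at the end of the rule loop: `/* no cond_resched() here: may run under rcu_read_lock from a set walk */`. Since the Fixes: commit added the call for long validation walks, a ruleset with one very long chain is worth testing against the watchdog after this change.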
diff --git a/queue-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..5b3ef16ddab
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From 949a1f70d02ec54cf43534a8d2eff243dcb11238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d56f5d7fa5455..9c3a9e3f1ede9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8914,6 +8914,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
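Review bot: The comment `/* zero padding hole for memcmp */` in nft_verdict_init() does not say which comparison depends on it, and the compare site is not in this hunk. The correctness of set-element insertion now rests on every producer of a verdict `nft_data` zeroing the whole structure first. Suggest expanding the comment to `/* zero all of *data, padding included: set element insertion compares nft_data with memcmp() */`. The memset sits after the `NFTA_VERDICT_CODE` check, so on that `-EINVAL` return `*data` is left as the caller passed it. That is harmless only if callers never compare or copy out the data after a failure, which cannot be confirmed from these lines.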
diff --git a/queue-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/queue-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
new file mode 100644
index 00000000000..669a2fd20a6
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
@@ -0,0 +1,37 @@
+From 87d298c12c1adcafaf724fd215f7c32d83d761ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 20:19:43 +0200
+Subject: netfilter: nf_tables: skip bound chain in netns release path
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ]
+
+Skip bound chain from netns release path, the rule that owns this chain
+releases these objects.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a8d316a58e44c..40ed4dd530c5a 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9185,6 +9185,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
++ if (nft_chain_is_bound(chain))
++ continue;
++
+ ctx.chain = chain;
+ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+ list_del(&rule->list);
+--
+2.39.2
+
diff --git a/queue-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/queue-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
new file mode 100644
index 00000000000..9d874a6ce1f
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
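Review bot: The `nft_chain_is_bound()` skip in __nft_release_table() carries no comment, and the same applies to the identical skip added to nf_tables_delrule() in the rule-flush patch that follows. The reason, that the rule owning a bound chain releases the chain's objects, lives only in the commit messages, yet it is an ownership rule that object-lifetime correctness in this file depends on. Suggest `/* bound chains are released by the rule that owns them */` above both checks. The rest of __nft_release_table() is outside the hunk and presumably goes on to tear down the table's chains, so it is worth confirming that it tolerates bound chains having been skipped here.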
@@ -0,0 +1,43 @@
+From 0e16d022fdda3fa766dc1f96580784be0ef3726f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 09:17:21 +0200
+Subject: netfilter: nf_tables: skip bound chain on rule flush
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ]
+
+Skip bound chain when flushing table rules, the rule that owns this
+chain releases these objects.
+
+Otherwise, the following warning is triggered:
+
+ WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+ CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
+ RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 40ed4dd530c5a..356416564d9f4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3611,6 +3611,8 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
++ if (nft_chain_is_bound(chain))
++ continue;
+
+ ctx.chain = chain;
+ err = nft_delrule_by_chain(&ctx);
+--
+2.39.2
+
diff --git a/queue-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/queue-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
new file mode 100644
index 00000000000..7d82a09cc83
--- /dev/null
+++ b/queue-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
@@ -0,0 +1,63 @@ +From 6af637ced32834d5a6788762f311e79483caf404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +From: Florian Westphal + +[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 7c759e9b4d848..3be93175b3ffd 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1904,7 +1904,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.2 + diff --git a/queue-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/queue-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch new file mode 100644 index 00000000000..e242d7f32cc --- /dev/null +++ b/queue-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch 
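Review bot: nft_pipapo_remove() now repeats the start/end selection that the commit message quotes from the insert path, and the reported use-after-free came from those two copies disagreeing. A small static helper that returns the end key (the KEY_END data when `NFT_SET_EXT_KEY_END` exists, otherwise the start key), used by both insert and remove, would keep them from diverging again. Other callers of `nft_set_ext_key_end()` in this file are not visible here and may need the same guard. At minimum add `/* no KEY_END extension: single key, end == start */` above the else branch. The function body starts and continues outside the hunk.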
@@ -0,0 +1,43 @@
+From eb43108a06c518908542e1d2996bcadd3efaf26b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Jul 2023 15:07:41 +0530
+Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces
+
+From: Geetha sowjanya
+
+[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ]
+
+Current driver enables backpressure for LBK interfaces.
+But these interfaces do not support this feature.
+Hence, this patch fixes the issue by skipping the
+backpressure configuration for these interfaces.
+
+Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool").
+Signed-off-by: Geetha sowjanya
+Signed-off-by: Sunil Goutham
+Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index 54aeb276b9a0a..000dd89c4baff 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1311,8 +1311,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf)
+ if (err)
+ goto err_free_npa_lf;
+
+- /* Enable backpressure */
+- otx2_nix_config_bp(pf, true);
++ /* Enable backpressure for CGX mapped PF/VFs */
++ if (!is_otx2_lbkvf(pf->pdev))
++ otx2_nix_config_bp(pf, true);
+
+ /* Init Auras and pools used by NIX RQ, for free buffer ptrs */
+ err = otx2_rq_aura_pool_init(pf);
+--
+2.39.2
+
diff --git a/queue-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/queue-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
new file mode 100644
index 00000000000..d2e788cf364
--- /dev/null
+++ b/queue-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
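Review bot: The `is_otx2_lbkvf()` guard is added only on the enable side in otx2_init_hw_resources(); any matching disable call on the teardown path is not part of this hunk. If that path still runs unconditionally for LBK VFs, it would try to undo a backpressure configuration that was never applied. It should be checked for the same guard, `if (!is_otx2_lbkvf(pf->pdev))`, around the disable call. The return value of `otx2_nix_config_bp()` is also ignored here, as it was before the change. The function body starts and continues outside the hunk.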
@@ -0,0 +1,108 @@ +From 741cf68c3c6d048f2b4d89cb79ed4807e70aba81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. 
+ +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index 0d71151575eef..3a05ebb9aa253 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -189,18 +189,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -676,7 +664,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -766,6 +754,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct 
amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/queue-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/queue-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch new file mode 100644 index 00000000000..fd19ac90a33 --- /dev/null +++ b/queue-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch 
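Review bot: amd_gpio_set_config() now forwards every parameter other than `PIN_CONFIG_INPUT_DEBOUNCE` to amd_pinconf_set(), where the old code returned `-ENOTSUPP`. The body of amd_pinconf_set() is outside the hunk, so what it returns, and whether it logs, for a parameter it does not handle cannot be seen here. If the result is anything other than `-ENOTSUPP`, callers that treat that code as "optional setting not available" would start seeing hard errors or log noise for routine requests. Suggest a comment on the final return that pins the contract, e.g. `/* bias and drive-strength requests; anything else must still yield -ENOTSUPP */`, and confirming that amd_pinconf_set() honours it.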
@@ -0,0 +1,115 @@
+From 5216cc0ac2f214c416f34fe068087b14cdecf74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jun 2023 20:58:47 +0200
+Subject: posix-timers: Ensure timer ID search-loop limit is valid
+
+From: Thomas Gleixner
+
+[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ]
+
+posix_timer_add() tries to allocate a posix timer ID by starting from the
+cached ID which was stored by the last successful allocation.
+
+This is done in a loop searching the ID space for a free slot one by
+one. The loop has to terminate when the search wrapped around to the
+starting point.
+
+But that's racy vs. establishing the starting point. That is read out
+lockless, which leads to the following problem:
+
+CPU0 CPU1
+posix_timer_add()
+ start = sig->posix_timer_id;
+ lock(hash_lock);
+ ... posix_timer_add()
+ if (++sig->posix_timer_id < 0)
+ start = sig->posix_timer_id;
+ sig->posix_timer_id = 0;
+
+So CPU1 can observe a negative start value, i.e. -1, and the loop break
+never happens because the condition can never be true:
+
+ if (sig->posix_timer_id == start)
+ break;
+
+While this is unlikely to ever turn into an endless loop as the ID space is
+huge (INT_MAX), the racy read of the start value caught the attention of
+KCSAN and Dmitry unearthed that incorrectness.
+
+Rewrite it so that all id operations are under the hash lock.
+
+Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com
+Reported-by: Dmitry Vyukov
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Frederic Weisbecker
+Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx
+Signed-off-by: Sasha Levin
+---
+ include/linux/sched/signal.h | 2 +-
+ kernel/time/posix-timers.c | 31 ++++++++++++++++++-------------
+ 2 files changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
+index ae60f838ebb92..2c634010cc7bd 100644
+--- a/include/linux/sched/signal.h
++++ b/include/linux/sched/signal.h
+@@ -125,7 +125,7 @@ struct signal_struct {
+ #ifdef CONFIG_POSIX_TIMERS
+
+ /* POSIX.1b Interval Timers */
+- int posix_timer_id;
++ unsigned int next_posix_timer_id;
+ struct list_head posix_timers;
+
+ /* ITIMER_REAL timer for the process */
+diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
+index 6d12a724d2b6b..29569b1c3d8c8 100644
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -140,25 +140,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id)
+ static int posix_timer_add(struct k_itimer *timer)
+ {
+ struct signal_struct *sig = current->signal;
+- int first_free_id = sig->posix_timer_id;
+ struct hlist_head *head;
+- int ret = -ENOENT;
++ unsigned int cnt, id;
+
+- do {
++ /*
++ * FIXME: Replace this by a per signal struct xarray once there is
++ * a plan to handle the resulting CRIU regression gracefully.
++ */
++ for (cnt = 0; cnt <= INT_MAX; cnt++) {
+ spin_lock(&hash_lock);
+- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)];
+- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) {
++ id = sig->next_posix_timer_id;
++
++ /* Write the next ID back.
Clamp it to the positive space */
++ sig->next_posix_timer_id = (id + 1) & INT_MAX;
++
++ head = &posix_timers_hashtable[hash(sig, id)];
++ if (!__posix_timers_find(head, sig, id)) {
+ hlist_add_head_rcu(&timer->t_hash, head);
+- ret = sig->posix_timer_id;
++ spin_unlock(&hash_lock);
++ return id;
+ }
+- if (++sig->posix_timer_id < 0)
+- sig->posix_timer_id = 0;
+- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT))
+- /* Loop over all possible ids completed */
+- ret = -EAGAIN;
+ spin_unlock(&hash_lock);
+- } while (ret == -ENOENT);
+- return ret;
++ }
++ /* POSIX return code when no timer ID could be allocated */
++ return -EAGAIN;
+ }
+
+ static inline void unlock_timer(struct k_itimer *timr, unsigned long flags)
+--
+2.39.2
+
diff --git a/queue-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
new file mode 100644
index 00000000000..281ca059aeb
--- /dev/null
+++ b/queue-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
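Review bot: The rewritten search loop in posix_timer_add() can run for up to INT_MAX + 1 iterations, taking and dropping hash_lock on each pass, with no scheduling point in between. If this runs in process context (presumably, but the caller is not in the hunk), a process that already holds a very large number of timers could keep a CPU busy on kernels without full preemption; adding `cond_resched();` after the trailing `spin_unlock(&hash_lock);` inside the loop would bound that. It is also worth a comment at `return id;` that the `& INT_MAX` clamp is what keeps the unsigned id non-negative when returned as int, for example `/* id <= INT_MAX, so it can never be mistaken for a negative errno */`.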
@@ -0,0 +1,113 @@
+From d1fa5bb6bc29cd8905517b4deeaed2ae8621e919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 14:59:18 -0700
+Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash
+ table"
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ]
+
+This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043.
+
+Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in
+ehash table") reversed the order in how a socket is inserted into ehash
+to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are
+swapped. However, it introduced another lookup failure.
+
+The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU
+and does not have SOCK_RCU_FREE, so the socket could be reused even while
+it is being referenced on another CPU doing RCU lookup.
+
+Let's say a socket is reused and inserted into the same hash bucket during
+lookup. After the blamed commit, a new socket is inserted at the end of
+the list. If that happens, we will skip sockets placed after the previous
+position of the reused socket, resulting in ehash lookup failure.
+
+As described in Documentation/RCU/rculist_nulls.rst, we should insert a
+new socket at the head of the list to avoid such an issue.
+
+This issue, the swap-lookup-failure, and another variant reported in [0]
+can all be handled properly by adding a locked ehash lookup suggested by
+Eric Dumazet [1].
+
+However, this issue could occur for every packet, thus more likely than
+the other two races, so let's revert the change for now.
+
+Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0]
+Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1]
+Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table")
+Signed-off-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_hashtables.c | 17 ++---------------
+ net/ipv4/inet_timewait_sock.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 79bf550c9dfc5..ad050f8476b8e 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -571,20 +571,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ spin_lock(lock);
+ if (osk) {
+ WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
+- ret = sk_hashed(osk);
+- if (ret) {
+- /* Before deleting the node, we insert a new one to make
+- * sure that the look-up-sk process would not miss either
+- * of them and that at least one node would exist in ehash
+- * table all the time. Otherwise there's a tiny chance
+- * that lookup process could find nothing in ehash table.
+- */
+- __sk_nulls_add_node_tail_rcu(sk, list);
+- sk_nulls_del_node_init_rcu(osk);
+- }
+- goto unlock;
+- }
+- if (found_dup_sk) {
++ ret = sk_nulls_del_node_init_rcu(osk);
++ } else if (found_dup_sk) {
+ *found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
+ if (*found_dup_sk)
+ ret = false;
+@@ -593,7 +581,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ if (ret)
+ __sk_nulls_add_node_rcu(sk, list);
+
+-unlock:
+ spin_unlock(lock);
+
+ return ret;
+diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
+index a00102d7c7fd4..c411c87ae865f 100644
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw)
+ }
+ EXPORT_SYMBOL_GPL(inet_twsk_put);
+
+-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw,
+- struct hlist_nulls_head *list)
++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw,
++ struct hlist_nulls_head *list)
+ {
+- hlist_nulls_add_tail_rcu(&tw->tw_node, list);
++ hlist_nulls_add_head_rcu(&tw->tw_node, list);
+ }
+
+ static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw,
+@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
+
+ spin_lock(lock);
+
+- inet_twsk_add_node_tail_rcu(tw, &ehead->chain);
++ inet_twsk_add_node_rcu(tw, &ehead->chain);
+
+ /* Step 3: Remove SK from hash chain */
+ if (__sk_nulls_del_node_init_rcu(sk))
+--
+2.39.2
+
diff --git a/queue-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch
new file mode 100644
index 00000000000..15bd35ed36b
--- /dev/null
+++ b/queue-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch
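Review bot: Nothing in inet_twsk_add_node_rcu() or at the `__sk_nulls_add_node_rcu(sk, list)` call in inet_ehash_insert() says why insertion has to be at the head, and the revert also deletes the only comment that explained ordering on this path. The commit message gives the reason (sockets come from a SLAB_TYPESAFE_BY_RCU slab and can be reused while a lockless lookup is walking the chain), so a short comment above `hlist_nulls_add_head_rcu()` such as `/* Insert at head: lockless nulls-list lookups depend on it, see Documentation/RCU/rculist_nulls.rst */` would keep a tail variant from being reintroduced. A one-line note at `ret = sk_nulls_del_node_init_rcu(osk);` recording that the old socket is unhashed before the new one is added, which the message accepts for now, would help whoever picks up the locked-lookup follow-up. Both functions continue outside the quoted hunks.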
@@ -0,0 +1,96 @@
+From aa9c2e9964e704506bf2f729c9f37c606e5f134c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 16:25:07 +0800
+Subject: sched/fair: Don't balance task to its current running CPU
+
+From: Yicong Yang
+
+[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ]
+
+We've run into the case that the balancer tries to balance a migration
+disabled task and trigger the warning in set_task_cpu() like below:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
+ Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
+ CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
+ Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
+ pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : set_task_cpu+0x188/0x240
+ lr : load_balance+0x5d0/0xc60
+ sp : ffff80000803bc70
+ x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
+ x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
+ x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
+ x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
+ x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
+ x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
+ x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
+ x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
+ x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
+ Call trace:
+ set_task_cpu+0x188/0x240
+ load_balance+0x5d0/0xc60
+ rebalance_domains+0x26c/0x380
+ _nohz_idle_balance.isra.0+0x1e0/0x370
+ run_rebalance_domains+0x6c/0x80
+ __do_softirq+0x128/0x3d8
+ ____do_softirq+0x18/0x24
+ call_on_irq_stack+0x2c/0x38
+ do_softirq_own_stack+0x24/0x3c
+ __irq_exit_rcu+0xcc/0xf4
+ irq_exit_rcu+0x18/0x24
+
el1_interrupt+0x4c/0xe4
+ el1h_64_irq_handler+0x18/0x2c
+ el1h_64_irq+0x74/0x78
+ arch_cpu_idle+0x18/0x4c
+ default_idle_call+0x58/0x194
+ do_idle+0x244/0x2b0
+ cpu_startup_entry+0x30/0x3c
+ secondary_start_kernel+0x14c/0x190
+ __secondary_switched+0xb0/0xb4
+ ---[ end trace 0000000000000000 ]---
+
+Further investigation shows that the warning is superfluous, the migration
+disabled task is just going to be migrated to its current running CPU.
+This is because that on load balance if the dst_cpu is not allowed by the
+task, we'll re-select a new_dst_cpu as a candidate. If no task can be
+balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
+instead. In this case when the migration disabled task is not on CPU it
+only allows to run on its current CPU, load balance will select its
+current CPU as new_dst_cpu and later triggers the warning above.
+
+The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
+contains CPUs in sched_group_span() and if we have overlapped groups it's
+possible to run into this case. This patch makes env->dst_grpmask of
+group_balance_mask() which exclude any CPUs from the busiest group and
+solve the issue. For balancing in a domain with no overlapped groups
+the behaviour keeps same as before.
+
+Suggested-by: Vincent Guittot
+Signed-off-by: Yicong Yang
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Vincent Guittot
+Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/fair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 45c1d03aff735..d53f57ac76094 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -9883,7 +9883,7 @@ static int load_balance(int this_cpu, struct rq *this_rq,
+ .sd = sd,
+ .dst_cpu = this_cpu,
+ .dst_rq = this_rq,
+- .dst_grpmask = sched_group_span(sd->groups),
++ .dst_grpmask = group_balance_mask(sd->groups),
+ .idle = idle,
+ .loop_break = sched_nr_migrate_break,
+ .cpus = cpus,
+--
+2.39.2
+
diff --git a/queue-5.10/security-keys-modify-mismatched-function-name.patch b/queue-5.10/security-keys-modify-mismatched-function-name.patch
new file mode 100644
index 00000000000..f7dc30780a8
--- /dev/null
+++ b/queue-5.10/security-keys-modify-mismatched-function-name.patch
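Review bot: The `.dst_grpmask = group_balance_mask(sd->groups),` initializer carries no comment, so the reason for preferring the balance mask over the span lives only in the commit message. A comment on that line, for example `/* balance mask, not span: with overlapping groups the span can offer the task's current CPU as new_dst_cpu */`, would make the intent visible to the next reader. That wording is taken from the commit description and should be checked against the definition of group_balance_mask(), which is not in the hunk; load_balance() itself starts and ends outside the hunk.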
@@ -0,0 +1,40 @@
+From 8d91e0fbb055599545d4e65cfad02a225ea28d82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 10:18:25 +0800
+Subject: security: keys: Modify mismatched function name
+
+From: Jiapeng Chong
+
+[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ]
+
+No functional modification involved.
+
+security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead.
+
+Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code")
+Reported-by: Abaci Robot
+Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524
+Signed-off-by: Jiapeng Chong
+Reviewed-by: Paul Moore
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Sasha Levin
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
+index 4c19d3abddbee..65f68856414a6 100644
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -21,7 +21,7 @@ static struct tpm2_hash tpm2_hash_map[] = {
+ };
+
+ /**
+- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
+ *
+ * @buf: an allocated tpm_buf instance
+ * @session_handle: session handle
+--
+2.39.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 4c1b743d4a0..bfcf4e7b451 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -453,3 +453,54 @@ drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
 drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
 asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
 ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
+debugobjects-recheck-debug_objects_enabled-before-re.patch
+nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
+md-fix-data-corruption-for-raid456-when-reshape-rest.patch
+md-raid10-prevent-soft-lockup-while-flush-writes.patch
+posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
+btrfs-add-xxhash-to-fast-checksum-implementations.patch
+acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch
+acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch
+acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
+arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
+arm64-mm-fix-va-range-sanity-check.patch
+sched-fair-don-t-balance-task-to-its-current-running.patch
+wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
+bpf-address-kcsan-report-on-bpf_lru_list.patch
+devlink-report-devlink_port_type_warn-source-device.patch
+wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
+igb-fix-igb_down-hung-on-surprise-removal.patch
+spi-bcm63xx-fix-max-prepend-length.patch
+fbdev-imxfb-warn-about-invalid-left-right-margin.patch
+pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
+net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
+bridge-add-extack-warning-when-enabling-stp-in-netns.patch
+iavf-fix-use-after-free-in-free_netdev.patch
+iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
+security-keys-modify-mismatched-function-name.patch
+octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
+tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
+net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
+net-ipv6-check-return-value-of-pskb_trim.patch
+revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
+fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
+llc-don-t-drop-packet-from-non-root-netns.patch
+netfilter-nf_tables-fix-spurious-set-element-inserti.patch
+netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
+netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
+netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
+tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
+tcp-annotate-data-races-around-tp-keepalive_time.patch
+tcp-annotate-data-races-around-tp-keepalive_intvl.patch
+tcp-annotate-data-races-around-tp-keepalive_probes.patch
+net-introduce-net.ipv4.tcp_migrate_req.patch
+tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
+tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
+tcp-annotate-data-races-around-tp-linger2.patch
+tcp-annotate-data-races-around-rskq_defer_accept.patch
+tcp-annotate-data-races-around-tp-notsent_lowat.patch
+tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
+tcp-annotate-data-races-around-fastopenq.max_qlen.patch
+net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
diff --git a/queue-5.10/spi-bcm63xx-fix-max-prepend-length.patch b/queue-5.10/spi-bcm63xx-fix-max-prepend-length.patch
new file mode 100644
index 00000000000..11c43be47eb
--- /dev/null
+++ b/queue-5.10/spi-bcm63xx-fix-max-prepend-length.patch
@@ -0,0 +1,47 @@
+From 082784b88b3b03b8a09a0673da1c9ab07da22836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:14:52 +0200
+Subject: spi: bcm63xx: fix max prepend length
+
+From: Jonas Gorski
+
+[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
+
+The command word is defined as following:
+
+ /* Command */
+ #define SPI_CMD_COMMAND_SHIFT 0
+ #define SPI_CMD_DEVICE_ID_SHIFT 4
+ #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
+ #define SPI_CMD_ONE_BYTE_SHIFT 11
+ #define SPI_CMD_ONE_WIRE_SHIFT 12
+
+If the prepend byte count field starts at bit 8, and the next defined
+bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
+thus the max value is 7, not 15.
+
+Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
+Signed-off-by: Jonas Gorski
+Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 96d075e633f43..d36384fef0d71 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi {
+ SPI_MSG_DATA_SIZE,
+ };
+
+-#define BCM63XX_SPI_MAX_PREPEND 15
++#define BCM63XX_SPI_MAX_PREPEND 7
+
+ #define BCM63XX_SPI_MAX_CS 8
+ #define BCM63XX_SPI_BUS_NUM 0
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
new file mode 100644
index 00000000000..6b743df5d9a
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
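Review bot: `#define BCM63XX_SPI_MAX_PREPEND 7` is still a bare number whose correctness depends on the width of the prepend-count field, which is presumably how the earlier value of 15 went unnoticed. A comment tying it to the register layout quoted in the commit message, such as `/* PREPEND_BYTE_CNT is a 3-bit field, bits 8..10 of the command word */`, would let a reader verify it without the datasheet. The code that applies this limit is outside the hunk, so it is worth confirming there that no count above 7 can be shifted into the command word and reach the SPI_CMD_ONE_BYTE bit.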
@@ -0,0 +1,77 @@
+From bed93777d170210391d32a46a87d0ff63de6c8f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:57 +0000
+Subject: tcp: annotate data-races around fastopenq.max_qlen
+
+From: Eric Dumazet
+
+[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ]
+
+This field can be read locklessly.
+
+Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/tcp.h | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_fastopen.c | 6 ++++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index 6e3340379d85f..11a98144bda0b 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -473,7 +473,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+ int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn);
+
+- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn));
+ }
+
+ static inline void tcp_move_syn(struct tcp_sock *tp,
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 0a5f61b3423bf..3dd9b76f40559 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3894,7 +3894,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_FASTOPEN:
+- val = icsk->icsk_accept_queue.fastopenq.max_qlen;
++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen);
+ break;
+
+ case TCP_FASTOPEN_CONNECT:
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 39fb037ce5f3f..92d63cf3e50b9 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -312,6 +312,7 @@ static struct sock *tcp_fastopen_create_child(struct sock
*sk,
+ static bool tcp_fastopen_queue_check(struct sock *sk)
+ {
+ struct fastopen_queue *fastopenq;
++ int max_qlen;
+
+ /* Make sure the listener has enabled fastopen, and we don't
+ * exceed the max # of pending TFO requests allowed before trying
+@@ -324,10 +325,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
+ * temporarily vs a server not supporting Fast Open at all.
+ */
+ fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+- if (fastopenq->max_qlen == 0)
++ max_qlen = READ_ONCE(fastopenq->max_qlen);
++ if (max_qlen == 0)
+ return false;
+
+- if (fastopenq->qlen >= fastopenq->max_qlen) {
++ if (fastopenq->qlen >= max_qlen) {
+ struct request_sock *req1;
+ spin_lock(&fastopenq->lock);
+ req1 = fastopenq->rskq_rst_head;
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
new file mode 100644
index 00000000000..ff24feea4cc
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
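Review bot: In tcp_fastopen_queue_check() the test `if (fastopenq->qlen >= max_qlen)` still reads `qlen` before `spin_lock(&fastopenq->lock)` is taken, so only one side of the comparison is annotated. If qlen is updated under that lock from other CPUs (its writers are not in the hunk, so this needs confirming), the read wants the same treatment, `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {`, with matching WRITE_ONCE() at the writers. The function body continues outside the hunk.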
@@ -0,0 +1,69 @@
+From 367637dea0336c607dbac022703f9f6b302ec390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:52 +0000
+Subject: tcp: annotate data-races around icsk->icsk_syn_retries
+
+From: Eric Dumazet
+
+[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ]
+
+do_tcp_getsockopt() and reqsk_timer_handler() read
+icsk->icsk_syn_retries while another cpu might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/tcp.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index dfea3088bc7e9..5f71a1c74e7e0 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -740,7 +740,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+ if (inet_sk_state_load(sk_listener) != TCP_LISTEN)
+ goto drop;
+
+- max_syn_ack_retries = icsk->icsk_syn_retries ? :
++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_synack_retries);
+ /* Normally all the openreqs are young and become mature
+ * (i.e. converted to established socket) for first timeout.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index fc4d560909b50..e172348fc5c61 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3072,7 +3072,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- inet_csk(sk)->icsk_syn_retries = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3337,7 +3337,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_SYNCNT)
+ err = -EINVAL;
+ else
+- icsk->icsk_syn_retries = val;
++ WRITE_ONCE(icsk->icsk_syn_retries, val);
+ break;
+
+ case TCP_SAVE_SYN:
+@@ -3743,7 +3743,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = keepalive_probes(tp);
+ break;
+ case TCP_SYNCNT:
+- val = icsk->icsk_syn_retries ? :
++ val = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
new file mode 100644
index 00000000000..2271c6a9fe7
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
@@ -0,0 +1,54 @@
+From e752652992c7b8660dfb5cf676d65f0a1e9064e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:56 +0000
+Subject: tcp: annotate data-races around icsk->icsk_user_timeout
+
+From: Eric Dumazet
+
+[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ]
+
+This field can be read locklessly from do_tcp_getsockopt()
+
+Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 8a441dfd258d5..0a5f61b3423bf 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3081,7 +3081,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt);
+ void tcp_sock_set_user_timeout(struct sock *sk, u32 val)
+ {
+ lock_sock(sk);
+- inet_csk(sk)->icsk_user_timeout = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(tcp_sock_set_user_timeout);
+@@ -3393,7 +3393,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 0)
+ err = -EINVAL;
+ else
+- icsk->icsk_user_timeout = val;
++ WRITE_ONCE(icsk->icsk_user_timeout, val);
+ break;
+
+ case TCP_FASTOPEN:
+@@ -3890,7 +3890,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_USER_TIMEOUT:
+- val = icsk->icsk_user_timeout;
++ val = READ_ONCE(icsk->icsk_user_timeout);
+ break;
+
+ case TCP_FASTOPEN:
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch
new file mode 100644
index 00000000000..143612ae199
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch
@@ -0,0 +1,53 @@
+From e50601d4ffb95bdbf617214b868758b651bcfb2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:54 +0000
+Subject: tcp: annotate data-races around rskq_defer_accept
+
+From: Eric Dumazet
+
+[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
+
+do_tcp_getsockopt() reads rskq_defer_accept while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f7c951463d9cf..50d674d35e520 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3359,9 +3359,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_DEFER_ACCEPT:
+ /* Translate value in seconds to number of retransmits */
+- icsk->icsk_accept_queue.rskq_defer_accept =
+- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
+- TCP_RTO_MAX / HZ);
++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ));
+ break;
+
+ case TCP_WINDOW_CLAMP:
+@@ -3752,8 +3752,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ);
+ break;
+ case TCP_WINDOW_CLAMP:
+ val = tp->window_clamp;
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/queue-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
new file mode 100644
index 00000000000..0fb2d9a0b1c
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
@@ -0,0 +1,184 @@
+From fc732a1c785d31fce9b0f37f48a3ca54429ef2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 14:44:45 +0000
+Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent
+
+From: Eric Dumazet
+
+[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ]
+
+TCP request sockets are lockless, tcp_rsk(req)->ts_recent
+can change while being read by another cpu as syzbot noticed.
+
+This is harmless, but we should annotate the known races.
+
+Note that tcp_check_req() changes req->ts_recent a bit early,
+we might change this in the future.
+
+BUG: KCSAN: data-race in tcp_check_req / tcp_check_req
+
+write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1:
+tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762
+tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
+ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
+ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
+dst_input include/net/dst.h:468 [inline]
+ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
+__netif_receive_skb_one_core net/core/dev.c:5493 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+do_softirq+0x7e/0xb0 kernel/softirq.c:472
+__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396
+local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33
+rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline]
+__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+neigh_hh_output include/net/neighbour.h:528 [inline]
+neigh_output include/net/neighbour.h:542 [inline]
+ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317
+NF_HOOK_COND include/linux/netfilter.h:292 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431
+dst_output include/net/dst.h:458 [inline]
+ip_local_out net/ipv4/ip_output.c:126 [inline]
+__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533
+ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547
+__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399
+tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
+tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693
+__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877
+tcp_push_pending_frames include/net/tcp.h:1952 [inline]
+__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline]
+tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343
+rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52
+rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422
+rds_send_worker+0x42/0x1d0 net/rds/threads.c:200
+process_one_work+0x3e6/0x750 kernel/workqueue.c:2408
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0:
+tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622
+tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
+ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
+ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
+dst_input include/net/dst.h:468 [inline]
+ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
+__netif_receive_skb_one_core net/core/dev.c:5493 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x1cd237f1 -> 0x1cd237f2
+
+Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv4/tcp_minisocks.c | 9 ++++++---
+ net/ipv4/tcp_output.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index d62d5d7764ade..b40780fde7915 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -960,7 +960,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ tcp_rsk(req)->rcv_nxt,
+ req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
+ tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
+- req->ts_recent,
++ READ_ONCE(req->ts_recent),
+ 0,
+ tcp_md5_do_lookup(sk, l3index, addr, AF_INET),
+ inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index 8d854feebdb00..01e27620b7ee5 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -523,7 +523,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
+ newtp->max_window = newtp->snd_wnd;
+
+ if (newtp->rx_opt.tstamp_ok) {
+- newtp->rx_opt.ts_recent = req->ts_recent;
++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent);
+ newtp->rx_opt.ts_recent_stamp = ktime_get_seconds();
+ newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED;
+ } else {
+@@ -586,7 +586,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL);
+
+ if (tmp_opt.saw_tstamp) {
+- tmp_opt.ts_recent = req->ts_recent;
++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent);
+ if (tmp_opt.rcv_tsecr)
+ tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off;
+ /* We do not store true stamp, but it is not required,
+@@ -726,8 +726,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+
+ /* In sequence, PAWS is OK. */
+
++ /* TODO: We probably should defer ts_recent change once
++ * we take ownership of @req.
++ */
+ if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt))
+- req->ts_recent = tmp_opt.rcv_tsval;
++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval);
+
+ if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) {
+ /* Truncate SYN, it is out of window starting
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index e4ad274ec7a30..86e896351364e 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -874,7 +874,7 @@ static unsigned int tcp_synack_options(const struct sock *sk,
+ if (likely(ireq->tstamp_ok)) {
+ opts->options |= OPTION_TS;
+ opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off;
+- opts->tsecr = req->ts_recent;
++ opts->tsecr = READ_ONCE(req->ts_recent);
+ remaining -= TCPOLEN_TSTAMP_ALIGNED;
+ }
+ if (likely(ireq->sack_ok)) {
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 5392aebd48f1e..79d6f6ea3c546 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1151,7 +1151,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ tcp_rsk(req)->rcv_nxt,
+ req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
+ tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
+- req->ts_recent, sk->sk_bound_dev_if,
++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if,
+ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index),
+ ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority);
+ }
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch
new file mode 100644
index 00000000000..f1bca89db23
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch
@@ -0,0 +1,68 @@
+From 93d79268fd6e764464c76730da750ee51106f127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:50 +0000
+Subject: tcp: annotate data-races around tp->keepalive_intvl
+
+From: Eric Dumazet
+
+[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ]
+
+do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 9 +++++++--
+ net/ipv4/tcp.c | 4 ++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 92de7c049f19e..428f84f6e0d0c 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1451,9 +1451,14 @@ void tcp_leave_memory_pressure(struct sock *sk);
+ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
++
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl()
++ * and do_tcp_setsockopt().
++ */
++ val = READ_ONCE(tp->keepalive_intvl);
+
+- return tp->keepalive_intvl ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl);
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl);
+ }
+
+ static inline int keepalive_time_when(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 053e4880d8f0f..b5a05b0984146 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3126,7 +3126,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- tcp_sk(sk)->keepalive_intvl = val * HZ;
++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3324,7 +3324,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_KEEPINTVL)
+ err = -EINVAL;
+ else
+- tp->keepalive_intvl = val * HZ;
++ WRITE_ONCE(tp->keepalive_intvl, val * HZ);
+ break;
+ case TCP_KEEPCNT:
+ if (val < 1 || val > MAX_TCP_KEEPCNT)
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch
new file mode 100644
index 00000000000..75e60dcd015
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch
@@ -0,0 +1,69 @@
+From b96f0c21c9566b9083c9bbedaf421e2d62a1763f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:51 +0000
+Subject: tcp: annotate data-races around tp->keepalive_probes
+
+From: Eric Dumazet
+
+[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ]
+
+do_tcp_getsockopt() reads tp->keepalive_probes while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 9 +++++++--
+ net/ipv4/tcp.c | 5 +++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 428f84f6e0d0c..be81a930b91fa 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1475,9 +1475,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp)
+ static inline int keepalive_probes(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
++
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt()
++ * and do_tcp_setsockopt().
++ */
++ val = READ_ONCE(tp->keepalive_probes);
+
+- return tp->keepalive_probes ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes);
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes);
+ }
+
+ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index b5a05b0984146..80212bb0400c2 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3138,7 +3138,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- tcp_sk(sk)->keepalive_probes = val;
++ /* Paired with READ_ONCE() in keepalive_probes() */
++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3330,7 +3331,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_KEEPCNT)
+ err = -EINVAL;
+ else
+- tp->keepalive_probes = val;
++ WRITE_ONCE(tp->keepalive_probes, val);
+ break;
+ case TCP_SYNCNT:
+ if (val < 1 || val > MAX_TCP_SYNCNT)
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch
new file mode 100644
index 00000000000..3b9d3c3ab6f
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch
@@ -0,0 +1,58 @@
+From 58df9721b9e37d7f9babeb82251fd4793e391f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:49 +0000
+Subject: tcp: annotate data-races around tp->keepalive_time
+
+From: Eric Dumazet
+
+[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ]
+
+do_tcp_getsockopt() reads tp->keepalive_time while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 7 +++++--
+ net/ipv4/tcp.c | 3 ++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index e231101e5001b..92de7c049f19e 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1459,9 +1459,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
+ static inline int keepalive_time_when(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
+
+- return tp->keepalive_time ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */
++ val = READ_ONCE(tp->keepalive_time);
++
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
+ }
+
+ static inline int keepalive_probes(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 39919d1436cea..053e4880d8f0f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3093,7 +3093,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val)
+ if (val < 1 || val > MAX_TCP_KEEPIDLE)
+ return -EINVAL;
+
+- tp->keepalive_time = val * HZ;
++ /* Paired with WRITE_ONCE() in keepalive_time_when() */
++ WRITE_ONCE(tp->keepalive_time, val * HZ);
+ if (sock_flag(sk, SOCK_KEEPOPEN) &&
+ !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
+ u32 elapsed = keepalive_time_elapsed(tp);
+--
+2.39.2
+
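Review bot: The comment added in tcp_sock_set_keepidle_locked() names the wrong accessor: `/* Paired with WRITE_ONCE() in keepalive_time_when() */` sits above a `WRITE_ONCE()` store, while keepalive_time_when() in the tcp.h hunk uses `READ_ONCE()`. It should read `/* Paired with READ_ONCE() in keepalive_time_when() */`. Pairing comments are what the next person auditing this lockless field searches for, so a swapped name sends them to the wrong side of the race. tcp_sock_set_keepidle_locked() starts and ends outside the hunk.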
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-linger2.patch b/queue-5.10/tcp-annotate-data-races-around-tp-linger2.patch
new file mode 100644
index 00000000000..969891e0072
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-linger2.patch
@@ -0,0 +1,52 @@
+From d718041fee098bdedeaae7c3a2d86ad19178270a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:53 +0000
+Subject: tcp: annotate data-races around tp->linger2
+
+From: Eric Dumazet
+
+[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ]
+
+do_tcp_getsockopt() reads tp->linger2 while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index e172348fc5c61..f7c951463d9cf 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3350,11 +3350,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_LINGER2:
+ if (val < 0)
+- tp->linger2 = -1;
++ WRITE_ONCE(tp->linger2, -1);
+ else if (val > TCP_FIN_TIMEOUT_MAX / HZ)
+- tp->linger2 = TCP_FIN_TIMEOUT_MAX;
++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX);
+ else
+- tp->linger2 = val * HZ;
++ WRITE_ONCE(tp->linger2, val * HZ);
+ break;
+
+ case TCP_DEFER_ACCEPT:
+@@ -3747,7 +3747,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+- val = tp->linger2;
++ val = READ_ONCE(tp->linger2);
+ if (val >= 0)
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch
new file mode 100644
index 00000000000..78ff68aa0e7
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch
@@ -0,0 +1,64 @@
+From c4dae4f69b56617886cbd40d67654642369cc696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:55 +0000
+Subject: tcp: annotate data-races around tp->notsent_lowat
+
+From: Eric Dumazet
+
+[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ]
+
+tp->notsent_lowat can be read locklessly from do_tcp_getsockopt()
+and tcp_poll().
+
+Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 6 +++++-
+ net/ipv4/tcp.c | 4 ++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index be81a930b91fa..dcca41f3a2240 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1991,7 +1991,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
+ static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
+- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
++ u32 val;
++
++ val = READ_ONCE(tp->notsent_lowat);
++
++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
+ }
+
+ /* @wake is one when sk_stream_write_space() calls us.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 50d674d35e520..8a441dfd258d5 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3437,7 +3437,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ err = tcp_repair_set_window(tp, optval, optlen);
+ break;
+ case TCP_NOTSENT_LOWAT:
+- tp->notsent_lowat = val;
++ WRITE_ONCE(tp->notsent_lowat, val);
+ sk->sk_write_space(sk);
+ break;
+ case TCP_INQ:
+@@ -3913,7 +3913,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = tcp_time_stamp_raw() + tp->tsoffset;
+ break;
+ case TCP_NOTSENT_LOWAT:
+- val = tp->notsent_lowat;
++ val = READ_ONCE(tp->notsent_lowat);
+ break;
+ case TCP_INQ:
+ val = tp->recvmsg_inq;
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/queue-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
new file mode 100644
index 00000000000..cc3844b275a
--- /dev/null
+++ b/queue-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
@@ -0,0 +1,46 @@
+From 1fecea20f22ac90b576cacdac0fb8d3346f91456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:47 +0000
+Subject: tcp: annotate data-races around tp->tcp_tx_delay
+
+From: Eric Dumazet
+
+[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ]
+
+do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu
+might change its value.
+
+Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index cc42ceadc1127..39919d1436cea 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3447,7 +3447,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ case TCP_TX_DELAY:
+ if (val)
+ tcp_enable_tx_delay();
+- tp->tcp_tx_delay = val;
++ WRITE_ONCE(tp->tcp_tx_delay, val);
+ break;
+ default:
+ err = -ENOPROTOOPT;
+@@ -3902,7 +3902,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_TX_DELAY:
+- val = tp->tcp_tx_delay;
++ val = READ_ONCE(tp->tcp_tx_delay);
+ break;
+
+ case TCP_TIMESTAMP:
+--
+2.39.2
+
diff --git a/queue-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch b/queue-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
new file mode 100644
index 00000000000..748eda21b25
--- /dev/null
+++ b/queue-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
@@ -0,0 +1,86 @@
+From 5609bae549edcfd300f49a00a4e0dbb2f54a59ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:46 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 20a3b1c0f603e8c55c3396abd12dfcfb523e4d3c ]
+
+While reading sysctl_tcp_syn(ack)?_retries, they can be changed
+concurrently. Thus, we need to add READ_ONCE() to their readers.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Stable-dep-of: 3a037f0f3c4b ("tcp: annotate data-races around icsk->icsk_syn_retries")
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_connection_sock.c | 3 ++-
+ net/ipv4/tcp.c | 3 ++-
+ net/ipv4/tcp_timer.c | 10 +++++++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 406305aaec904..dfea3088bc7e9 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -740,7 +740,8 @@ static void reqsk_timer_handler(struct timer_list *t)
+ if (inet_sk_state_load(sk_listener) != TCP_LISTEN)
+ goto drop;
+
+- max_syn_ack_retries = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_synack_retries;
++ max_syn_ack_retries = icsk->icsk_syn_retries ? :
++ READ_ONCE(net->ipv4.sysctl_tcp_synack_retries);
+ /* Normally all the openreqs are young and become mature
+ * (i.e. converted to established socket) for first timeout.
+ * If synack was not acknowledged for 1 second, it means
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 80212bb0400c2..fc4d560909b50 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3743,7 +3743,8 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = keepalive_probes(tp);
+ break;
+ case TCP_SYNCNT:
+- val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
++ val = icsk->icsk_syn_retries ? :
++ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+ val = tp->linger2;
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index 888683f2ff3ee..715fdfa3e2ae9 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -239,7 +239,8 @@ static int tcp_write_timeout(struct sock *sk)
+ if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+ if (icsk->icsk_retransmits)
+ __dst_negative_advice(sk);
+- retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
++ retry_until = icsk->icsk_syn_retries ? :
++ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ expired = icsk->icsk_retransmits >= retry_until;
+ } else {
+ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) {
+@@ -406,12 +407,15 @@ abort: tcp_write_err(sk);
+ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+- int max_retries = icsk->icsk_syn_retries ? :
+- sock_net(sk)->ipv4.sysctl_tcp_synack_retries + 1; /* add one more retry for fastopen */
+ struct tcp_sock *tp = tcp_sk(sk);
++ int max_retries;
+
+ req->rsk_ops->syn_ack_timeout(req);
+
++ /* add one more retry for fastopen */
++ max_retries = icsk->icsk_syn_retries ? :
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_synack_retries) + 1;
++
+ if (req->num_timeout >= max_retries) {
+ tcp_write_err(sk);
+ return;
+--
+2.39.2
+
diff --git a/queue-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/queue-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
new file mode 100644
index 00000000000..e484d3c942e
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
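Review bot: In tcp_fastopen_synack_timer() the `+ 1` binds only to the `READ_ONCE(...)` operand of `?:`, so the extra fastopen retry is granted only when icsk_syn_retries is zero, yet the comment now placed above the whole assignment reads as if it covered both cases. The precedence predates this change, but the reflow is the moment to make it explicit, either with parentheses, `max_retries = icsk->icsk_syn_retries ? : (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_synack_retries) + 1);`, or by wording the comment as `/* the sysctl default gets one more retry for fastopen */`. Whether a per-socket value was meant to get the extra retry as well cannot be told from the hunk. In all four hunks icsk->icsk_syn_retries itself is still a plain load; the Stable-dep-of trailer names the follow-up that annotates it.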
@@ -0,0 +1,71 @@
+From 2a0d96a84b6baa7fa82851e9ded05c7368c35b54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Apr 2023 16:54:45 +0200
+Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full
+ channel range
+
+From: Maxime Bizon
+
+[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ]
+
+Because of what seems to be a typo, a 6Ghz-only phy for which the BDF
+does not allow the 7115Mhz channel will fail to register:
+
+ WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954
+ Modules linked in: ath11k_pci sbsa_gwdt
+ CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9
+ Hardware name: Freebox V7R Board (DT)
+ Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : wiphy_register+0x914/0x954
+ lr : ieee80211_register_hw+0x67c/0xc10
+ sp : ffffff800b123aa0
+ x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418
+ x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168
+ x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014
+ x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f
+ x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd
+ x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718
+ x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006
+ x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284
+ x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000
+ Call trace:
+ wiphy_register+0x914/0x954
+ ieee80211_register_hw+0x67c/0xc10
+ ath11k_mac_register+0x7c4/0xe10
+ ath11k_core_qmi_firmware_ready+0x1f4/0x570
+ ath11k_qmi_driver_event_work+0x198/0x590
+ process_one_work+0x1b8/0x328
+ worker_thread+0x6c/0x414
+ kthread+0x100/0x104
+ ret_from_fork+0x10/0x20
+ ---[ end trace 0000000000000000 ]---
+ ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22
+ ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22
+ ath11k_pci 0002:01:00.0: failed to create pdev core: -22
+
+Signed-off-by: Maxime Bizon
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 67faf62999ded..3170c54c97b74 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6044,7 +6044,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar,
+ }
+
+ if (supported_bands & WMI_HOST_WLAN_5G_CAP) {
+- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) {
++ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) {
+ channels = kmemdup(ath11k_6ghz_channels,
+ sizeof(ath11k_6ghz_channels), GFP_KERNEL);
+ if (!channels) {
+--
+2.39.2
+
diff --git a/queue-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
new file mode 100644
index 00000000000..990be131166
--- /dev/null
+++ b/queue-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
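Review bot: The corrected test `reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ` has no comment saying why the lower bound is the right one, which is how the `MAX` typo could sit there unnoticed. A line such as `/* any reported range that reaches into 6 GHz registers the band */` above the `if` would document it. The branch still copies the whole `ath11k_6ghz_channels` table with kmemdup() whatever upper frequency `reg_cap` reports, so channels above `high_5ghz_chan` have to be disabled by code outside this hunk; that is presumably the case but is not visible here. ath11k_mac_setup_channels_rates() starts and ends outside the hunk.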
@@ -0,0 +1,47 @@
+From b227f04f18826febef34fe9ee8ddc24b52cbbdf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 13:04:02 +0300
+Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow
+
+From: Johannes Berg
+
+[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ]
+
+Roee reported various hard-to-debug crashes with pings in
+EHT aggregation scenarios. Enabling KASAN showed that we
+access the BAID allocation out of bounds, and looking at
+the code a bit shows that since the reorder buffer entry
+(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug
+such as lockdep is enabled, then staring from an agg size
+512 we overflow the size calculation, and allocate a much
+smaller structure than we should, causing slab corruption
+once we initialize this.
+
+Fix this by simply using u32 instead of u16.
+
+Reported-by: Roee Goldfiner
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 09f870c48a4f6..141581fa74c82 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2590,7 +2590,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ }
+
+ if (iwl_mvm_has_new_rx_api(mvm) && start) {
+- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
+
+ /* sparse doesn't like the __align() so don't check */
+ #ifndef __CHECKER__
+--
+2.39.2
+
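Review bot: Widening `reorder_buf_size` to `u32` removes the 16-bit truncation, but the product `buf_size * sizeof(baid_data->entries[0])` is still computed and used without any overflow or upper-bound check. The value feeds an allocation size further down in iwl_mvm_sta_rx_agg(), outside the hunk and presumably scaled again per RX queue, so a checked helper from linux/overflow.h, `size_t reorder_buf_size = array_size(buf_size, sizeof(baid_data->entries[0]));`, or an explicit cap on `buf_size` before the multiplication would turn a later type or struct-size change into a failed allocation instead of slab corruption. The type and valid range of `buf_size` are not visible in the hunk, so the bound to enforce has to come from the caller's contract.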
diff --git a/queue-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
new file mode 100644
index 00000000000..fcd95c5c924
--- /dev/null
+++ b/queue-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
@@ -0,0 +1,71 @@ +From 448ba391d938b5debce6420f1dd1363b203dd19a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 76a80a41615be..a57f54bc0e1a7 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 +
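Review bot: The comment added above `if (extra_size <= 0)` says a zero-byte allocation must be avoided but not why, and it does not mention that the test also rejects negative sizes. The reason is worth recording: kzalloc(0) returns the non-NULL ZERO_SIZE_PTR, so the `if (!extra)` check that follows would not stop a zero-length buffer from reaching the copy_from_user() call the commit message refers to. I would reword the comment to `/* kzalloc(0) returns ZERO_SIZE_PTR, which passes the !extra check below; reject zero and negative sizes before allocating. */`. The declaration of extra_size and the rest of ioctl_standard_iw_point are outside the hunk, so whether -EFAULT or -EINVAL is the better errno for callers cannot be judged from here.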