From: Greg Kroah-Hartman Date: Sun, 8 Sep 2024 10:07:53 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v4.19.322~135 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1d6c9bef86e87946eaa8f1813a25e6d2b30eb72;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch --- diff --git a/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch new file mode 100644 index 00000000000..fd075bbe93a --- /dev/null +++ b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch 
@@ -0,0 +1,48 @@ +From 0a50c35277f96481a5a6ed5faf347f282040c57d Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 29 Aug 2024 15:03:20 +0300 +Subject: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX + +From: Roger Quadros + +commit 0a50c35277f96481a5a6ed5faf347f282040c57d upstream. + +If number of TX queues are set to 1 we get a NULL pointer +dereference during XDP_TX. + +~# ethtool -L eth0 tx 1 +~# ./xdp-trafficgen udp -A -a eth0 -t 2 +Transmitting on eth0 (ifindex 2) +[ 241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 + +Fix this by using actual TX queues instead of max TX queues +when picking the TX channel in am65_cpsw_ndo_xdp_xmit(). + +Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support") +Signed-off-by: Roger Quadros +Reviewed-by: Jacob Keller +Acked-by: Julien Panis +Reviewed-by: MD Danish Anwar +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1918,12 +1918,13 @@ static int am65_cpsw_ndo_bpf(struct net_ + static int am65_cpsw_ndo_xdp_xmit(struct net_device *ndev, int n, + struct xdp_frame **frames, u32 flags) + { ++ struct am65_cpsw_common *common = am65_ndev_to_common(ndev); + struct am65_cpsw_tx_chn *tx_chn; + struct netdev_queue *netif_txq; + int cpu = smp_processor_id(); + int i, nxmit = 0; + +- tx_chn = &am65_ndev_to_common(ndev)->tx_chns[cpu % AM65_CPSW_MAX_TX_QUEUES]; ++ tx_chn = &common->tx_chns[cpu % common->tx_ch_num]; + netif_txq = netdev_get_tx_queue(ndev, tx_chn->id); + + __netif_tx_lock(netif_txq, cpu); diff --git a/queue-6.10/series b/queue-6.10/series index f9e41c202c0..cce8fb225e6 100644 --- a/queue-6.10/series +++ b/queue-6.10/series 
@@ -1,2 +1,4 @@ libfs-fix-get_stashed_dentry.patch sch-netem-fix-use-after-free-in-netem_dequeue.patch +xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch +net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch diff --git a/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch b/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch new file mode 100644 index 00000000000..7104092860e --- /dev/null +++ b/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch 
@@ -0,0 +1,63 @@ +From 95179935beadccaf0f0bb461adb778731e293da4 Mon Sep 17 00:00:00 2001 +From: Dave Chinner +Date: Thu, 22 Aug 2024 16:59:33 -0700 +Subject: xfs: xfs_finobt_count_blocks() walks the wrong btree + +From: Dave Chinner + +commit 95179935beadccaf0f0bb461adb778731e293da4 upstream. + +As a result of the factoring in commit 14dd46cf31f4 ("xfs: split +xfs_inobt_init_cursor"), mount started taking a long time on a +user's filesystem. For Anders, this made mount times regress from +under a second to over 15 minutes for a filesystem with only 30 +million inodes in it. + +Anders bisected it down to the above commit, but even then the bug +was not obvious. In this commit, over 20 calls to +xfs_inobt_init_cursor() were modified, and some we modified to call +a new function named xfs_finobt_init_cursor(). + +If that takes you a moment to reread those function names to see +what the rename was, then you have realised why this bug wasn't +spotted during review. And it wasn't spotted on inspection even +after the bisect pointed at this commit - a single missing "f" isn't +the easiest thing for a human eye to notice.... + +The result is that xfs_finobt_count_blocks() now incorrectly calls +xfs_inobt_init_cursor() so it is now walking the inobt instead of +the finobt. Hence when there are lots of allocated inodes in a +filesystem, mount takes a -long- time run because it now walks a +massive allocated inode btrees instead of the small, nearly empty +free inode btrees. It also means all the finobt space reservations +are wrong, so mount could potentially given ENOSPC on kernel +upgrade. + +In hindsight, commit 14dd46cf31f4 should have been two commits - the +first to convert the finobt callers to the new API, the second to +modify the xfs_inobt_init_cursor() API for the inobt callers. That +would have made the bug very obvious during review. 
+ +Fixes: 14dd46cf31f4 ("xfs: split xfs_inobt_init_cursor") +Reported-by: Anders Blomdell +Signed-off-by: Dave Chinner +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Chandan Babu R +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/libxfs/xfs_ialloc_btree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/libxfs/xfs_ialloc_btree.c ++++ b/fs/xfs/libxfs/xfs_ialloc_btree.c +@@ -749,7 +749,7 @@ xfs_finobt_count_blocks( + if (error) + return error; + +- cur = xfs_inobt_init_cursor(pag, tp, agbp); ++ cur = xfs_finobt_init_cursor(pag, tp, agbp); + error = xfs_btree_count_blocks(cur, tree_blocks); + xfs_btree_del_cursor(cur, error); + xfs_trans_brelse(tp, agbp);
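Review bot: in am65_cpsw_ndo_xdp_xmit() (drivers/net/ethernet/ti/am65-cpsw-nuss.c), the divisor in `tx_chn = &common->tx_chns[cpu % common->tx_ch_num];` is now a runtime value instead of the constant AM65_CPSW_MAX_TX_QUEUES, and nothing in the hunk shows that tx_ch_num is non-zero or that it cannot change while this function is running. The reproducer in the changelog alters the queue count with `ethtool -L eth0 tx 1`, so the changelog or a short comment at this line should say what guarantees tx_ch_num >= 1 on this path and what keeps it stable against a concurrent channel reconfiguration. If neither is guaranteed, the modulo itself could fault or select a channel that is being torn down. The changelog also quotes only the first line of the oops; keeping the faulting function from the trace would let a reader match the fix to the crash.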
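Review bot: in xfs_finobt_count_blocks() (fs/xfs/libxfs/xfs_ialloc_btree.c), the replacement of xfs_inobt_init_cursor() with xfs_finobt_init_cursor() fixes this one call site, but the changelog does not say whether the other call sites converted by 14dd46cf31f4 were re-checked. It states that over 20 calls were modified in that commit and that the missing "f" was not spotted on inspection, so a sentence confirming that the remaining callers were audited would close that question for reviewers. Both functions are called with the same `(pag, tp, agbp)` arguments, so the compiler cannot tell them apart; a debug assertion after the call that the cursor really is a finobt cursor would catch a repeat of this mix-up at run time. The changelog also notes that the finobt space reservations were wrong with the bug present, and it would help to state whether a filesystem that was mounted on an affected kernel needs anything beyond booting the fixed one.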