From 63e5b35cbe47ad2bc2d8e48a5a99df61c99afc1b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 16 Mar 2020 11:32:33 +0100 Subject: [PATCH] 5.5-stable patches added patches: cgroup-cgroup_procs_next-should-increase-position-index.patch cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch cgroup-iterate-tasks-that-did-not-finish-do_exit.patch iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch --- ..._next-should-increase-position-index.patch | 85 +++++++++++++++ ...ix-psi_show-crash-on-32bit-ino-archs.patch | 63 +++++++++++ ...te-tasks-that-did-not-finish-do_exit.patch | 100 ++++++++++++++++++ ...ce-warn_taint-with-pr_warn-add_taint.patch | 53 ++++++++++ ...phy_sku-nvm-section-for-3168-devices.patch | 41 +++++++ ..._next-should-increase-position-index.patch | 35 ++++++ ...nite-loop-when-expr-is-not-available.patch | 67 ++++++++++++ ..._next-should-increase-position-index.patch | 35 ++++++ ..._next-should-increase-position-index.patch | 69 ++++++++++++ ..._next-should-increase-position-index.patch | 61 +++++++++++ queue-5.5/series | 11 ++ ...-hw_queue-stopped-on-arbitrary-error.patch | 51 +++++++++ 12 files changed, 671 insertions(+) create mode 100644 queue-5.5/cgroup-cgroup_procs_next-should-increase-position-index.patch create mode 100644 queue-5.5/cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch create mode 100644 queue-5.5/cgroup-iterate-tasks-that-did-not-finish-do_exit.patch create mode 100644 queue-5.5/iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch create mode 100644 queue-5.5/iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch create mode 100644 queue-5.5/netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch create mode 100644 queue-5.5/netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch create mode 100644 queue-5.5/netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch create mode 100644 queue-5.5/netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch create mode 100644 queue-5.5/netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch create mode 100644 queue-5.5/virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch diff --git a/queue-5.5/cgroup-cgroup_procs_next-should-increase-position-index.patch b/queue-5.5/cgroup-cgroup_procs_next-should-increase-position-index.patch new file mode 100644 index 00000000000..b0f1b6175c4 --- /dev/null +++ b/queue-5.5/cgroup-cgroup_procs_next-should-increase-position-index.patch @@ -0,0 +1,85 @@ +From 2d4ecb030dcc90fb725ecbfc82ce5d6c37906e0e Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 30 Jan 2020 13:34:59 +0300 +Subject: cgroup: cgroup_procs_next should increase position index + +From: Vasily Averin + +commit 2d4ecb030dcc90fb725ecbfc82ce5d6c37906e0e upstream. + +If seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output: + +1) dd bs=1 skip output of each 2nd elements +$ dd if=/sys/fs/cgroup/cgroup.procs bs=8 count=1 +2 +3 +4 +5 +1+0 records in +1+0 records out +8 bytes copied, 0,000267297 s, 29,9 kB/s +[test@localhost ~]$ dd if=/sys/fs/cgroup/cgroup.procs bs=1 count=8 +2 +4 <<< NB! 3 was skipped +6 <<< ... and 5 too +8 <<< ... and 7 +8+0 records in +8+0 records out +8 bytes copied, 5,2123e-05 s, 153 kB/s + + This happen because __cgroup_procs_start() makes an extra + extra cgroup_procs_next() call + +2) read after lseek beyond end of file generates whole last line. +3) read after lseek into middle of last line generates +expected rest of last line and unexpected whole line once again. + +Additionally patch removes an extra position index changes in +__cgroup_procs_start() + +Cc: stable@vger.kernel.org +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4600,6 +4600,9 @@ static void *cgroup_procs_next(struct se + struct kernfs_open_file *of = s->private; + struct css_task_iter *it = of->priv; + ++ if (pos) ++ (*pos)++; ++ + return css_task_iter_next(it); + } + +@@ -4615,7 +4618,7 @@ static void *__cgroup_procs_start(struct + * from position 0, so we can simply keep iterating on !0 *pos. + */ + if (!it) { +- if (WARN_ON_ONCE((*pos)++)) ++ if (WARN_ON_ONCE((*pos))) + return ERR_PTR(-EINVAL); + + it = kzalloc(sizeof(*it), GFP_KERNEL); +@@ -4623,10 +4626,11 @@ static void *__cgroup_procs_start(struct + return ERR_PTR(-ENOMEM); + of->priv = it; + css_task_iter_start(&cgrp->self, iter_flags, it); +- } else if (!(*pos)++) { ++ } else if (!(*pos)) { + css_task_iter_end(it); + css_task_iter_start(&cgrp->self, iter_flags, it); +- } ++ } else ++ return it->cur_task; + + return cgroup_procs_next(s, NULL, NULL); + } diff --git a/queue-5.5/cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch b/queue-5.5/cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch new file mode 100644 index 00000000000..e4b03af37e8 --- /dev/null +++ b/queue-5.5/cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch @@ -0,0 +1,63 @@ +From 190ecb190a9cd8c0599d8499b901e3c32e87966a Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Sun, 23 Feb 2020 22:00:07 -0500 +Subject: cgroup: fix psi_show() crash on 32bit ino archs + +From: Qian Cai + +commit 190ecb190a9cd8c0599d8499b901e3c32e87966a upstream. + +Similar to the commit d7495343228f ("cgroup: fix incorrect +WARN_ON_ONCE() in cgroup_setup_root()"), cgroup_id(root_cgrp) does not +equal to 1 on 32bit ino archs which triggers all sorts of issues with +psi_show() on s390x. For example, + + BUG: KASAN: slab-out-of-bounds in collect_percpu_times+0x2d0/ + Read of size 4 at addr 000000001e0ce000 by task read_all/3667 + collect_percpu_times+0x2d0/0x798 + psi_show+0x7c/0x2a8 + seq_read+0x2ac/0x830 + vfs_read+0x92/0x150 + ksys_read+0xe2/0x188 + system_call+0xd8/0x2b4 + +Fix it by using cgroup_ino(). + +Fixes: 743210386c03 ("cgroup: use cgrp->kn->id as the cgroup ID") +Signed-off-by: Qian Cai +Acked-by: Johannes Weiner +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org # v5.5 +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3547,21 +3547,21 @@ static int cpu_stat_show(struct seq_file + static int cgroup_io_pressure_show(struct seq_file *seq, void *v) + { + struct cgroup *cgrp = seq_css(seq)->cgroup; +- struct psi_group *psi = cgroup_id(cgrp) == 1 ? &psi_system : &cgrp->psi; ++ struct psi_group *psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; + + return psi_show(seq, psi, PSI_IO); + } + static int cgroup_memory_pressure_show(struct seq_file *seq, void *v) + { + struct cgroup *cgrp = seq_css(seq)->cgroup; +- struct psi_group *psi = cgroup_id(cgrp) == 1 ? &psi_system : &cgrp->psi; ++ struct psi_group *psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; + + return psi_show(seq, psi, PSI_MEM); + } + static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) + { + struct cgroup *cgrp = seq_css(seq)->cgroup; +- struct psi_group *psi = cgroup_id(cgrp) == 1 ? &psi_system : &cgrp->psi; ++ struct psi_group *psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; + + return psi_show(seq, psi, PSI_CPU); + } diff --git a/queue-5.5/cgroup-iterate-tasks-that-did-not-finish-do_exit.patch b/queue-5.5/cgroup-iterate-tasks-that-did-not-finish-do_exit.patch new file mode 100644 index 00000000000..15a5c7b512e --- /dev/null +++ b/queue-5.5/cgroup-iterate-tasks-that-did-not-finish-do_exit.patch @@ -0,0 +1,100 @@ +From 9c974c77246460fa6a92c18554c3311c8c83c160 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 24 Jan 2020 12:40:15 +0100 +Subject: cgroup: Iterate tasks that did not finish do_exit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +commit 9c974c77246460fa6a92c18554c3311c8c83c160 upstream. + +PF_EXITING is set earlier than actual removal from css_set when a task +is exitting. This can confuse cgroup.procs readers who see no PF_EXITING +tasks, however, rmdir is checking against css_set membership so it can +transitionally fail with EBUSY. + +Fix this by listing tasks that weren't unlinked from css_set active +lists. +It may happen that other users of the task iterator (without +CSS_TASK_ITER_PROCS) spot a PF_EXITING task before cgroup_exit(). This +is equal to the state before commit c03cd7738a83 ("cgroup: Include dying +leaders with live threads in PROCS iterations") but it may be reviewed +later. + +Reported-by: Suren Baghdasaryan +Fixes: c03cd7738a83 ("cgroup: Include dying leaders with live threads in PROCS iterations") +Signed-off-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cgroup.h | 1 + + kernel/cgroup/cgroup.c | 23 ++++++++++++++++------- + 2 files changed, 17 insertions(+), 7 deletions(-) + +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -62,6 +62,7 @@ struct css_task_iter { + struct list_head *mg_tasks_head; + struct list_head *dying_tasks_head; + ++ struct list_head *cur_tasks_head; + struct css_set *cur_cset; + struct css_set *cur_dcset; + struct task_struct *cur_task; +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4405,12 +4405,16 @@ static void css_task_iter_advance_css_se + } + } while (!css_set_populated(cset) && list_empty(&cset->dying_tasks)); + +- if (!list_empty(&cset->tasks)) ++ if (!list_empty(&cset->tasks)) { + it->task_pos = cset->tasks.next; +- else if (!list_empty(&cset->mg_tasks)) ++ it->cur_tasks_head = &cset->tasks; ++ } else if (!list_empty(&cset->mg_tasks)) { + it->task_pos = cset->mg_tasks.next; +- else ++ it->cur_tasks_head = &cset->mg_tasks; ++ } else { + it->task_pos = cset->dying_tasks.next; ++ it->cur_tasks_head = &cset->dying_tasks; ++ } + + it->tasks_head = &cset->tasks; + it->mg_tasks_head = &cset->mg_tasks; +@@ -4468,10 +4472,14 @@ repeat: + else + it->task_pos = it->task_pos->next; + +- if (it->task_pos == it->tasks_head) ++ if (it->task_pos == it->tasks_head) { + it->task_pos = it->mg_tasks_head->next; +- if (it->task_pos == it->mg_tasks_head) ++ it->cur_tasks_head = it->mg_tasks_head; ++ } ++ if (it->task_pos == it->mg_tasks_head) { + it->task_pos = it->dying_tasks_head->next; ++ it->cur_tasks_head = it->dying_tasks_head; ++ } + if (it->task_pos == it->dying_tasks_head) + css_task_iter_advance_css_set(it); + } else { +@@ -4490,11 +4498,12 @@ repeat: + goto repeat; + + /* and dying leaders w/o live member threads */ +- if (!atomic_read(&task->signal->live)) ++ if (it->cur_tasks_head == it->dying_tasks_head && ++ !atomic_read(&task->signal->live)) + goto repeat; + } else { + /* skip all dying ones */ +- if (task->flags & PF_EXITING) ++ if (it->cur_tasks_head == it->dying_tasks_head) + goto repeat; + } + } diff --git a/queue-5.5/iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch b/queue-5.5/iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch new file mode 100644 index 00000000000..a275e6ce466 --- /dev/null +++ b/queue-5.5/iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch @@ -0,0 +1,53 @@ +From 81ee85d0462410de8eeeec1b9761941fd6ed8c7b Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 9 Mar 2020 19:25:10 +0100 +Subject: iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint + +From: Hans de Goede + +commit 81ee85d0462410de8eeeec1b9761941fd6ed8c7b upstream. + +Quoting from the comment describing the WARN functions in +include/asm-generic/bug.h: + + * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report + * significant kernel issues that need prompt attention if they should ever + * appear at runtime. + * + * Do not use these macros when checking for invalid external inputs + +The (buggy) firmware tables which the dmar code was calling WARN_TAINT +for really are invalid external inputs. They are not under the kernel's +control and the issues in them cannot be fixed by a kernel update. +So logging a backtrace, which invites bug reports to be filed about this, +is not helpful. + +Fixes: 556ab45f9a77 ("ioat2: catch and recover from broken vtd configurations v6") +Signed-off-by: Hans de Goede +Acked-by: Lu Baolu +Link: https://lore.kernel.org/r/20200309182510.373875-1-hdegoede@redhat.com +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=701847 +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -4141,10 +4141,11 @@ static void quirk_ioat_snb_local_iommu(s + + /* we know that the this iommu should be at offset 0xa000 from vtbar */ + drhd = dmar_find_matched_drhd_unit(pdev); +- if (WARN_TAINT_ONCE(!drhd || drhd->reg_base_addr - vtbar != 0xa000, +- TAINT_FIRMWARE_WORKAROUND, +- "BIOS assigned incorrect VT-d unit for Intel(R) QuickData Technology device\n")) ++ if (!drhd || drhd->reg_base_addr - vtbar != 0xa000) { ++ pr_warn_once(FW_BUG "BIOS assigned incorrect VT-d unit for Intel(R) QuickData Technology device\n"); ++ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); + pdev->dev.archdata.iommu = DUMMY_DEVICE_DOMAIN_INFO; ++ } + } + DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_IOAT_SNB, quirk_ioat_snb_local_iommu); + diff --git a/queue-5.5/iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch b/queue-5.5/iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch new file mode 100644 index 00000000000..2582979667f --- /dev/null +++ b/queue-5.5/iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch @@ -0,0 +1,41 @@ +From a9149d243f259ad8f02b1e23dfe8ba06128f15e1 Mon Sep 17 00:00:00 2001 +From: Dan Moulding +Date: Tue, 28 Jan 2020 02:31:07 -0700 +Subject: iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices + +From: Dan Moulding + +commit a9149d243f259ad8f02b1e23dfe8ba06128f15e1 upstream. + +The logic for checking required NVM sections was recently fixed in +commit b3f20e098293 ("iwlwifi: mvm: fix NVM check for 3168 +devices"). However, with that fixed the else is now taken for 3168 +devices and within the else clause there is a mandatory check for the +PHY_SKU section. This causes the parsing to fail for 3168 devices. + +The PHY_SKU section is really only mandatory for the IWL_NVM_EXT +layout (the phy_sku parameter of iwl_parse_nvm_data is only used when +the NVM type is IWL_NVM_EXT). So this changes the PHY_SKU section +check so that it's only mandatory for IWL_NVM_EXT. + +Fixes: b3f20e098293 ("iwlwifi: mvm: fix NVM check for 3168 devices") +Signed-off-by: Dan Moulding +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -308,7 +308,8 @@ iwl_parse_nvm_sections(struct iwl_mvm *m + } + + /* PHY_SKU section is mandatory in B0 */ +- if (!mvm->nvm_sections[NVM_SECTION_TYPE_PHY_SKU].data) { ++ if (mvm->trans->cfg->nvm_type == IWL_NVM_EXT && ++ !mvm->nvm_sections[NVM_SECTION_TYPE_PHY_SKU].data) { + IWL_ERR(mvm, + "Can't parse phy_sku in B0, empty sections\n"); + return NULL; diff --git a/queue-5.5/netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch b/queue-5.5/netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..cb539375916 --- /dev/null +++ b/queue-5.5/netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From dc15af8e9dbd039ebb06336597d2c491ef46ab74 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 25 Feb 2020 10:05:47 +0300 +Subject: netfilter: nf_conntrack: ct_cpu_seq_next should increase position index + +From: Vasily Averin + +commit dc15af8e9dbd039ebb06336597d2c491ef46ab74 upstream. + +If .next function does not change position index, +following .show function will repeat output related +to current position index. + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_standalone.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -411,7 +411,7 @@ static void *ct_cpu_seq_next(struct seq_ + *pos = cpu + 1; + return per_cpu_ptr(net->ct.stat, cpu); + } +- ++ (*pos)++; + return NULL; + } + diff --git a/queue-5.5/netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch b/queue-5.5/netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch new file mode 100644 index 00000000000..546a0a7c6ec --- /dev/null +++ b/queue-5.5/netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch @@ -0,0 +1,67 @@ +From 1d305ba40eb8081ff21eeb8ca6ba5c70fd920934 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 5 Mar 2020 11:15:36 +0100 +Subject: netfilter: nf_tables: fix infinite loop when expr is not available + +From: Florian Westphal + +commit 1d305ba40eb8081ff21eeb8ca6ba5c70fd920934 upstream. + +nft will loop forever if the kernel doesn't support an expression: + +1. nft_expr_type_get() appends the family specific name to the module list. +2. -EAGAIN is returned to nfnetlink, nfnetlink calls abort path. +3. abort path sets ->done to true and calls request_module for the + expression. +4. nfnetlink replays the batch, we end up in nft_expr_type_get() again. +5. nft_expr_type_get attempts to append family-specific name. This + one already exists on the list, so we continue +6. nft_expr_type_get adds the generic expression name to the module + list. -EAGAIN is returned, nfnetlink calls abort path. +7. abort path encounters the family-specific expression which + has 'done' set, so it gets removed. +8. abort path requests the generic expression name, sets done to true. +9. batch is replayed. + +If the expression could not be loaded, then we will end up back at 1), +because the family-specific name got removed and the cycle starts again. + +Note that userspace can SIGKILL the nft process to stop the cycle, but +the desired behaviour is to return an error after the generic expr name +fails to load the expression. + +Fixes: eb014de4fd418 ("netfilter: nf_tables: autoload modules from the abort path") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7250,13 +7250,8 @@ static void nf_tables_module_autoload(st + list_splice_init(&net->nft.module_list, &module_list); + mutex_unlock(&net->nft.commit_mutex); + list_for_each_entry_safe(req, next, &module_list, list) { +- if (req->done) { +- list_del(&req->list); +- kfree(req); +- } else { +- request_module("%s", req->module); +- req->done = true; +- } ++ request_module("%s", req->module); ++ req->done = true; + } + mutex_lock(&net->nft.commit_mutex); + list_splice(&module_list, &net->nft.module_list); +@@ -8039,6 +8034,7 @@ static void __net_exit nf_tables_exit_ne + __nft_release_tables(net); + mutex_unlock(&net->nft.commit_mutex); + WARN_ON_ONCE(!list_empty(&net->nft.tables)); ++ WARN_ON_ONCE(!list_empty(&net->nft.module_list)); + } + + static struct pernet_operations nf_tables_net_ops = { diff --git a/queue-5.5/netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch b/queue-5.5/netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..2b14a1aa3a2 --- /dev/null +++ b/queue-5.5/netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From bb71f846a0002239f7058c84f1496648ff4a5c20 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 25 Feb 2020 10:05:59 +0300 +Subject: netfilter: synproxy: synproxy_cpu_seq_next should increase position index + +From: Vasily Averin + +commit bb71f846a0002239f7058c84f1496648ff4a5c20 upstream. + +If .next function does not change position index, +following .show function will repeat output related +to current position index. + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_synproxy_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -267,7 +267,7 @@ static void *synproxy_cpu_seq_next(struc + *pos = cpu + 1; + return per_cpu_ptr(snet->stats, cpu); + } +- ++ (*pos)++; + return NULL; + } + diff --git a/queue-5.5/netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch b/queue-5.5/netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..97c893dec94 --- /dev/null +++ b/queue-5.5/netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch @@ -0,0 +1,69 @@ +From ee84f19cbbe9cf7cba2958acb03163fed3ecbb0f Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 25 Feb 2020 10:07:12 +0300 +Subject: netfilter: x_tables: xt_mttg_seq_next should increase position index + +From: Vasily Averin + +commit ee84f19cbbe9cf7cba2958acb03163fed3ecbb0f upstream. + +If .next function does not change position index, +following .show function will repeat output related +to current position index. + +Without patch: + # dd if=/proc/net/ip_tables_matches # original file output + conntrack + conntrack + conntrack + recent + recent + icmp + udplite + udp + tcp + 0+1 records in + 0+1 records out + 65 bytes copied, 5.4074e-05 s, 1.2 MB/s + + # dd if=/proc/net/ip_tables_matches bs=62 skip=1 + dd: /proc/net/ip_tables_matches: cannot skip to specified offset + cp <<< end of last line + tcp <<< and then unexpected whole last line once again + 0+1 records in + 0+1 records out + 7 bytes copied, 0.000102447 s, 68.3 kB/s + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1551,6 +1551,9 @@ static void *xt_mttg_seq_next(struct seq + uint8_t nfproto = (unsigned long)PDE_DATA(file_inode(seq->file)); + struct nf_mttg_trav *trav = seq->private; + ++ if (ppos != NULL) ++ ++(*ppos); ++ + switch (trav->class) { + case MTTG_TRAV_INIT: + trav->class = MTTG_TRAV_NFP_UNSPEC; +@@ -1576,9 +1579,6 @@ static void *xt_mttg_seq_next(struct seq + default: + return NULL; + } +- +- if (ppos != NULL) +- ++*ppos; + return trav; + } + diff --git a/queue-5.5/netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch b/queue-5.5/netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..35e30495b62 --- /dev/null +++ b/queue-5.5/netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch @@ -0,0 +1,61 @@ +From db25517a550926f609c63054b12ea9ad515e1a10 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 25 Feb 2020 10:06:29 +0300 +Subject: netfilter: xt_recent: recent_seq_next should increase position index + +From: Vasily Averin + +commit db25517a550926f609c63054b12ea9ad515e1a10 upstream. + +If .next function does not change position index, +following .show function will repeat output related +to current position index. + +Without the patch: + # dd if=/proc/net/xt_recent/SSH # original file outpt + src=127.0.0.4 ttl: 0 last_seen: 6275444819 oldest_pkt: 1 6275444819 + src=127.0.0.2 ttl: 0 last_seen: 6275438906 oldest_pkt: 1 6275438906 + src=127.0.0.3 ttl: 0 last_seen: 6275441953 oldest_pkt: 1 6275441953 + 0+1 records in + 0+1 records out + 204 bytes copied, 6.1332e-05 s, 3.3 MB/s + +Read after lseek into middle of last line (offset 140 in example below) +generates expected end of last line and then unexpected whole last line +once again + + # dd if=/proc/net/xt_recent/SSH bs=140 skip=1 + dd: /proc/net/xt_recent/SSH: cannot skip to specified offset + 127.0.0.3 ttl: 0 last_seen: 6275441953 oldest_pkt: 1 6275441953 + src=127.0.0.3 ttl: 0 last_seen: 6275441953 oldest_pkt: 1 6275441953 + 0+1 records in + 0+1 records out + 132 bytes copied, 6.2487e-05 s, 2.1 MB/s + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_recent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -492,12 +492,12 @@ static void *recent_seq_next(struct seq_ + const struct recent_entry *e = v; + const struct list_head *head = e->list.next; + ++ (*pos)++; + while (head == &t->iphash[st->bucket]) { + if (++st->bucket >= ip_list_hash_size) + return NULL; + head = t->iphash[st->bucket].next; + } +- (*pos)++; + return list_entry(head, struct recent_entry, list); + } + diff --git a/queue-5.5/series b/queue-5.5/series index 66ed72222aa..7bb9dcf2270 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -69,3 +69,14 @@ s390-qeth-handle-error-when-backing-rx-buffer.patch net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch net-dsa-mv88e6xxx-add-missing-mask-of-atu-occupancy-register.patch net-phy-avoid-multiple-suspends.patch +cgroup-fix-psi_show-crash-on-32bit-ino-archs.patch +cgroup-cgroup_procs_next-should-increase-position-index.patch +cgroup-iterate-tasks-that-did-not-finish-do_exit.patch +netfilter-nf_tables-fix-infinite-loop-when-expr-is-not-available.patch +iwlwifi-mvm-do-not-require-phy_sku-nvm-section-for-3168-devices.patch +virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch +iommu-vt-d-quirk_ioat_snb_local_iommu-replace-warn_taint-with-pr_warn-add_taint.patch +netfilter-nf_conntrack-ct_cpu_seq_next-should-increase-position-index.patch +netfilter-synproxy-synproxy_cpu_seq_next-should-increase-position-index.patch +netfilter-xt_recent-recent_seq_next-should-increase-position-index.patch +netfilter-x_tables-xt_mttg_seq_next-should-increase-position-index.patch diff --git a/queue-5.5/virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch b/queue-5.5/virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch new file mode 100644 index 00000000000..d1a17b494ea --- /dev/null +++ b/queue-5.5/virtio-blk-fix-hw_queue-stopped-on-arbitrary-error.patch @@ -0,0 +1,51 @@ +From f5f6b95c72f7f8bb46eace8c5306c752d0133daa Mon Sep 17 00:00:00 2001 +From: Halil Pasic +Date: Thu, 13 Feb 2020 13:37:27 +0100 +Subject: virtio-blk: fix hw_queue stopped on arbitrary error + +From: Halil Pasic + +commit f5f6b95c72f7f8bb46eace8c5306c752d0133daa upstream. + +Since nobody else is going to restart our hw_queue for us, the +blk_mq_start_stopped_hw_queues() is in virtblk_done() is not sufficient +necessarily sufficient to ensure that the queue will get started again. +In case of global resource outage (-ENOMEM because mapping failure, +because of swiotlb full) our virtqueue may be empty and we can get +stuck with a stopped hw_queue. + +Let us not stop the queue on arbitrary errors, but only on -EONSPC which +indicates a full virtqueue, where the hw_queue is guaranteed to get +started by virtblk_done() before when it makes sense to carry on +submitting requests. Let us also remove a stale comment. + +Signed-off-by: Halil Pasic +Cc: Jens Axboe +Fixes: f7728002c1c7 ("virtio_ring: fix return code on DMA mapping fails") +Link: https://lore.kernel.org/r/20200213123728.61216-2-pasic@linux.ibm.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/virtio_blk.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -339,10 +339,12 @@ static blk_status_t virtio_queue_rq(stru + err = virtblk_add_req(vblk->vqs[qid].vq, vbr, vbr->sg, num); + if (err) { + virtqueue_kick(vblk->vqs[qid].vq); +- blk_mq_stop_hw_queue(hctx); ++ /* Don't stop the queue if -ENOMEM: we may have failed to ++ * bounce the buffer due to global resource outage. ++ */ ++ if (err == -ENOSPC) ++ blk_mq_stop_hw_queue(hctx); + spin_unlock_irqrestore(&vblk->vqs[qid].lock, flags); +- /* Out of mem doesn't actually happen, since we fall back +- * to direct descriptors */ + if (err == -ENOMEM || err == -ENOSPC) + return BLK_STS_DEV_RESOURCE; + return BLK_STS_IOERR; -- 2.47.3