From a4791fcb4c95d014a3bb01b141c33b8f7957b133 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 22 Jul 2021 17:49:12 +0200 Subject: [PATCH] 5.13-stable patches added patches: arm-dts-aspeed-fix-ast2600-machines-line-names.patch arm-dts-everest-add-phase-corrections-for-emmc.patch arm-dts-tacoma-add-phase-corrections-for-emmc.patch bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch bpftool-properly-close-va_list-ap-by-va_end-on-error.patch drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch perf-test-bpf-free-obj_buf.patch tcp-annotate-data-races-around-tp-mtu_info.patch tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch tcp-consistently-disable-header-prediction-for-mptcp.patch tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch tools-bpf-fix-error-in-make-c-tools-bpf_install.patch udp-annotate-data-races-around-unix_sk-sk-gso_size.patch udp-properly-flush-normal-packet-at-gro-time.patch vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch vboxsf-add-vboxsf__sf_handle-helpers.patch vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch --- ...peed-fix-ast2600-machines-line-names.patch | 54 +++++ ...erest-add-phase-corrections-for-emmc.patch | 38 +++ ...acoma-add-phase-corrections-for-emmc.patch | 35 +++ ...ors-correctly-and-fix-use-after-free.patch | 229 ++++++++++++++++++ ...-close-va_list-ap-by-va_end-on-error.patch | 40 +++ ...t35510-do-not-fail-if-dsi-read-fails.patch | 42 ++++ ...-padding-in-sensor-message-structure.patch | 48 ++++ ...silly-icmpv6-packet-too-big-messages.patch | 130 ++++++++++ ...ess-kconfig-prompts-for-silent-build.patch | 54 +++++ ...be-driver-when-fw-already-downloaded.patch | 42 ++++ queue-5.13/perf-test-bpf-free-obj_buf.patch | 52 ++++ queue-5.13/series | 22 ++ ...notate-data-races-around-tp-mtu_info.patch | 62 +++++ ...efore-sk_mem_charge-in-zerocopy-path.patch | 43 ++++ ...-disable-header-prediction-for-mptcp.patch | 43 ++++ ...fer-to-not-reset-icsk_ca_initialized.patch | 67 +++++ ...ix-error-in-make-c-tools-bpf_install.patch | 53 ++++ ...ata-races-around-unix_sk-sk-gso_size.patch | 96 ++++++++ ...erly-flush-normal-packet-at-gro-time.patch | 41 ++++ ...r-the-atomic_open-directory-inode-op.patch | 120 +++++++++ ...vboxsf-add-vboxsf__sf_handle-helpers.patch | 156 ++++++++++++ ...excl-flag-to-the-dir-inode-create-op.patch | 72 ++++++ ...turn-the-handle-for-the-created-file.patch | 72 ++++++ 23 files changed, 1611 insertions(+) create mode 100644 queue-5.13/arm-dts-aspeed-fix-ast2600-machines-line-names.patch create mode 100644 queue-5.13/arm-dts-everest-add-phase-corrections-for-emmc.patch create mode 100644 queue-5.13/arm-dts-tacoma-add-phase-corrections-for-emmc.patch create mode 100644 queue-5.13/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch create mode 100644 queue-5.13/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch create mode 100644 queue-5.13/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch create mode 100644 queue-5.13/firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch create mode 100644 queue-5.13/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch create mode 100644 queue-5.13/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch create mode 100644 queue-5.13/mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch create mode 100644 queue-5.13/perf-test-bpf-free-obj_buf.patch create mode 100644 queue-5.13/tcp-annotate-data-races-around-tp-mtu_info.patch create mode 100644 queue-5.13/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch create mode 100644 queue-5.13/tcp-consistently-disable-header-prediction-for-mptcp.patch create mode 100644 queue-5.13/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch create mode 100644 queue-5.13/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch create mode 100644 queue-5.13/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch create mode 100644 queue-5.13/udp-properly-flush-normal-packet-at-gro-time.patch create mode 100644 queue-5.13/vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch create mode 100644 queue-5.13/vboxsf-add-vboxsf__sf_handle-helpers.patch create mode 100644 queue-5.13/vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch create mode 100644 queue-5.13/vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch diff --git a/queue-5.13/arm-dts-aspeed-fix-ast2600-machines-line-names.patch b/queue-5.13/arm-dts-aspeed-fix-ast2600-machines-line-names.patch new file mode 100644 index 00000000000..5332930edc6 --- /dev/null +++ b/queue-5.13/arm-dts-aspeed-fix-ast2600-machines-line-names.patch @@ -0,0 +1,54 @@ +From ca46ad2214473df1a6a9496be17156d65ba89b9f Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Thu, 24 Jun 2021 18:37:42 +0930 +Subject: ARM: dts: aspeed: Fix AST2600 machines line names + +From: Joel Stanley + +commit ca46ad2214473df1a6a9496be17156d65ba89b9f upstream. + +Tacoma and Rainier both have a line-names array that is too long: + + gpio gpiochip0: gpio-line-names is length 232 but should be at most length 208 + +This was probably copied from an AST2500 device tree that did have more +GPIOs on the controller. + +Fixes: e9b24b55ca4f ("ARM: dts: aspeed: rainier: Add gpio line names") +Fixes: 2f68e4e7df67 ("ARM: dts: aspeed: tacoma: Add gpio line names") +Link: https://lore.kernel.org/r/20210624090742.56640-1-joel@jms.id.au +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts | 5 +---- + arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts | 5 +---- + 2 files changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-rainier.dts +@@ -280,10 +280,7 @@ + /*W0-W7*/ "","","","","","","","", + /*X0-X7*/ "","","","","","","","", + /*Y0-Y7*/ "","","","","","","","", +- /*Z0-Z7*/ "","","","","","","","", +- /*AA0-AA7*/ "","","","","","","","", +- /*AB0-AB7*/ "","","","","","","","", +- /*AC0-AC7*/ "","","","","","","",""; ++ /*Z0-Z7*/ "","","","","","","",""; + + pin_mclr_vpp { + gpio-hog; +--- a/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts +@@ -136,10 +136,7 @@ + /*W0-W7*/ "","","","","","","","", + /*X0-X7*/ "","","","","","","","", + /*Y0-Y7*/ "","","","","","","","", +- /*Z0-Z7*/ "","","","","","","","", +- /*AA0-AA7*/ "","","","","","","","", +- /*AB0-AB7*/ "","","","","","","","", +- /*AC0-AC7*/ "","","","","","","",""; ++ /*Z0-Z7*/ "","","","","","","",""; + }; + + &fmc { diff --git a/queue-5.13/arm-dts-everest-add-phase-corrections-for-emmc.patch b/queue-5.13/arm-dts-everest-add-phase-corrections-for-emmc.patch new file mode 100644 index 00000000000..9c87020ffb7 --- /dev/null +++ b/queue-5.13/arm-dts-everest-add-phase-corrections-for-emmc.patch @@ -0,0 +1,38 @@ +From faffd1b2bde3ee428d6891961f6a60f8e08749d6 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Mon, 28 Jun 2021 11:06:05 +0930 +Subject: ARM: dts: everest: Add phase corrections for eMMC + +From: Andrew Jeffery + +commit faffd1b2bde3ee428d6891961f6a60f8e08749d6 upstream. + +The values were determined experimentally via boot tests, not by +measuring the bus behaviour with a scope. We plan to do scope +measurements to confirm or refine the values and will update the +devicetree if necessary once these have been obtained. + +However, with the patch we can write and read data without issue, where +as booting the system without the patch failed at the point of mounting +the rootfs. + +Signed-off-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20210628013605.1257346-1-andrew@aj.id.au +Fixes: 2fc88f92359d ("mmc: sdhci-of-aspeed: Expose clock phase controls") +Fixes: a5c5168478d7 ("ARM: dts: aspeed: Add Everest BMC machine") +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-ibm-everest.dts +@@ -1068,6 +1068,7 @@ + + &emmc { + status = "okay"; ++ clk-phase-mmc-hs200 = <180>, <180>; + }; + + &fsim0 { diff --git a/queue-5.13/arm-dts-tacoma-add-phase-corrections-for-emmc.patch b/queue-5.13/arm-dts-tacoma-add-phase-corrections-for-emmc.patch new file mode 100644 index 00000000000..8a750c15450 --- /dev/null +++ b/queue-5.13/arm-dts-tacoma-add-phase-corrections-for-emmc.patch @@ -0,0 +1,35 @@ +From 2d6608b57c50c54c3e46649110e8ea5a40959c30 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Fri, 25 Jun 2021 15:40:17 +0930 +Subject: ARM: dts: tacoma: Add phase corrections for eMMC + +From: Andrew Jeffery + +commit 2d6608b57c50c54c3e46649110e8ea5a40959c30 upstream. + +The degree values were reversed out from the magic tap values of 7 (in) +and 15 + inversion (out) initially suggested by Aspeed. + +With the patch tacoma survives several gigabytes of reads and writes +using dd while without it locks up randomly during the boot process. + +Signed-off-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20210625061017.1149942-1-andrew@aj.id.au +Fixes: 2fc88f92359d ("mmc: sdhci-of-aspeed: Expose clock phase controls") +Fixes: 961216c135a8 ("ARM: dts: aspeed: Add Rainier system") +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts ++++ b/arch/arm/boot/dts/aspeed-bmc-opp-tacoma.dts +@@ -186,6 +186,7 @@ + + &emmc { + status = "okay"; ++ clk-phase-mmc-hs200 = <36>, <270>; + }; + + &fsim0 { diff --git a/queue-5.13/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch b/queue-5.13/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch new file mode 100644 index 00000000000..c210abf13c8 --- /dev/null +++ b/queue-5.13/bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch @@ -0,0 +1,229 @@ +From f263a81451c12da5a342d90572e317e611846f2c Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Wed, 7 Jul 2021 15:38:47 -0700 +Subject: bpf: Track subprog poke descriptors correctly and fix use-after-free + +From: John Fastabend + +commit f263a81451c12da5a342d90572e317e611846f2c upstream. + +Subprograms are calling map_poke_track(), but on program release there is no +hook to call map_poke_untrack(). However, on program release, the aux memory +(and poke descriptor table) is freed even though we still have a reference to +it in the element list of the map aux data. When we run map_poke_run(), we then +end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run(): + + [...] + [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e + [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337 + [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399 + [ 402.824715] Call Trace: + [ 402.824719] dump_stack+0x93/0xc2 + [ 402.824727] print_address_description.constprop.0+0x1a/0x140 + [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824744] kasan_report.cold+0x7c/0xd8 + [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e + [ 402.824757] prog_array_map_poke_run+0xc2/0x34e + [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 + [...] + +The elements concerned are walked as follows: + + for (i = 0; i < elem->aux->size_poke_tab; i++) { + poke = &elem->aux->poke_tab[i]; + [...] + +The access to size_poke_tab is a 4 byte read, verified by checking offsets +in the KASAN dump: + + [ 402.825004] The buggy address belongs to the object at ffff8881905a7800 + which belongs to the cache kmalloc-1k of size 1024 + [ 402.825008] The buggy address is located 320 bytes inside of + 1024-byte region [ffff8881905a7800, ffff8881905a7c00) + +The pahole output of bpf_prog_aux: + + struct bpf_prog_aux { + [...] + /* --- cacheline 5 boundary (320 bytes) --- */ + u32 size_poke_tab; /* 320 4 */ + [...] + +In general, subprograms do not necessarily manage their own data structures. +For example, BTF func_info and linfo are just pointers to the main program +structure. This allows reference counting and cleanup to be done on the latter +which simplifies their management a bit. The aux->poke_tab struct, however, +did not follow this logic. The initial proposed fix for this use-after-free +bug further embedded poke data tracking into the subprogram with proper +reference counting. However, Daniel and Alexei questioned why we were treating +these objects special; I agree, its unnecessary. The fix here removes the per +subprogram poke table allocation and map tracking and instead simply points +the aux->poke_tab pointer at the main programs poke table. This way, map +tracking is simplified to the main program and we do not need to manage them +per subprogram. + +This also means, bpf_prog_free_deferred(), which unwinds the program reference +counting and kfrees objects, needs to ensure that we don't try to double free +the poke_tab when free'ing the subprog structures. This is easily solved by +NULL'ing the poke_tab pointer. The second detail is to ensure that per +subprogram JIT logic only does fixups on poke_tab[] entries it owns. To do +this, we add a pointer in the poke structure to point at the subprogram value +so JITs can easily check while walking the poke_tab structure if the current +entry belongs to the current program. The aux pointer is stable and therefore +suitable for such comparison. On the jit_subprogs() error path, we omit +cleaning up the poke->aux field because these are only ever referenced from +the JIT side, but on error we will never make it to the JIT, so its fine to +leave them dangling. Removing these pointers would complicate the error path +for no reason. However, we do need to untrack all poke descriptors from the +main program as otherwise they could race with the freeing of JIT memory from +the subprograms. Lastly, a748c6975dea3 ("bpf: propagate poke descriptors to +subprograms") had an off-by-one on the subprogram instruction index range +check as it was testing 'insn_idx >= subprog_start && insn_idx <= subprog_end'. +However, subprog_end is the next subprogram's start instruction. + +Fixes: a748c6975dea3 ("bpf: propagate poke descriptors to subprograms") +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210707223848.14580-2-john.fastabend@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/net/bpf_jit_comp.c | 3 ++ + include/linux/bpf.h | 1 + kernel/bpf/core.c | 8 +++++ + kernel/bpf/verifier.c | 60 +++++++++++++++----------------------------- + 4 files changed, 32 insertions(+), 40 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -576,6 +576,9 @@ static void bpf_tail_call_direct_fixup(s + + for (i = 0; i < prog->aux->size_poke_tab; i++) { + poke = &prog->aux->poke_tab[i]; ++ if (poke->aux && poke->aux != prog->aux) ++ continue; ++ + WARN_ON_ONCE(READ_ONCE(poke->tailcall_target_stable)); + + if (poke->reason != BPF_POKE_REASON_TAIL_CALL) +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -777,6 +777,7 @@ struct bpf_jit_poke_descriptor { + void *tailcall_target; + void *tailcall_bypass; + void *bypass_addr; ++ void *aux; + union { + struct { + struct bpf_map *map; +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2236,8 +2236,14 @@ static void bpf_prog_free_deferred(struc + #endif + if (aux->dst_trampoline) + bpf_trampoline_put(aux->dst_trampoline); +- for (i = 0; i < aux->func_cnt; i++) ++ for (i = 0; i < aux->func_cnt; i++) { ++ /* We can just unlink the subprog poke descriptor table as ++ * it was originally linked to the main program and is also ++ * released along with it. ++ */ ++ aux->func[i]->aux->poke_tab = NULL; + bpf_jit_free(aux->func[i]); ++ } + if (aux->func_cnt) { + kfree(aux->func); + bpf_prog_unlock_free(aux->prog); +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -12106,33 +12106,19 @@ static int jit_subprogs(struct bpf_verif + goto out_free; + func[i]->is_func = 1; + func[i]->aux->func_idx = i; +- /* the btf and func_info will be freed only at prog->aux */ ++ /* Below members will be freed only at prog->aux */ + func[i]->aux->btf = prog->aux->btf; + func[i]->aux->func_info = prog->aux->func_info; ++ func[i]->aux->poke_tab = prog->aux->poke_tab; ++ func[i]->aux->size_poke_tab = prog->aux->size_poke_tab; + + for (j = 0; j < prog->aux->size_poke_tab; j++) { +- u32 insn_idx = prog->aux->poke_tab[j].insn_idx; +- int ret; ++ struct bpf_jit_poke_descriptor *poke; + +- if (!(insn_idx >= subprog_start && +- insn_idx <= subprog_end)) +- continue; +- +- ret = bpf_jit_add_poke_descriptor(func[i], +- &prog->aux->poke_tab[j]); +- if (ret < 0) { +- verbose(env, "adding tail call poke descriptor failed\n"); +- goto out_free; +- } +- +- func[i]->insnsi[insn_idx - subprog_start].imm = ret + 1; +- +- map_ptr = func[i]->aux->poke_tab[ret].tail_call.map; +- ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux); +- if (ret < 0) { +- verbose(env, "tracking tail call prog failed\n"); +- goto out_free; +- } ++ poke = &prog->aux->poke_tab[j]; ++ if (poke->insn_idx < subprog_end && ++ poke->insn_idx >= subprog_start) ++ poke->aux = func[i]->aux; + } + + /* Use bpf_prog_F_tag to indicate functions in stack traces. +@@ -12163,18 +12149,6 @@ static int jit_subprogs(struct bpf_verif + cond_resched(); + } + +- /* Untrack main program's aux structs so that during map_poke_run() +- * we will not stumble upon the unfilled poke descriptors; each +- * of the main program's poke descs got distributed across subprogs +- * and got tracked onto map, so we are sure that none of them will +- * be missed after the operation below +- */ +- for (i = 0; i < prog->aux->size_poke_tab; i++) { +- map_ptr = prog->aux->poke_tab[i].tail_call.map; +- +- map_ptr->ops->map_poke_untrack(map_ptr, prog->aux); +- } +- + /* at this point all bpf functions were successfully JITed + * now populate all bpf_calls with correct addresses and + * run last pass of JIT +@@ -12252,14 +12226,22 @@ static int jit_subprogs(struct bpf_verif + bpf_prog_jit_attempt_done(prog); + return 0; + out_free: ++ /* We failed JIT'ing, so at this point we need to unregister poke ++ * descriptors from subprogs, so that kernel is not attempting to ++ * patch it anymore as we're freeing the subprog JIT memory. ++ */ ++ for (i = 0; i < prog->aux->size_poke_tab; i++) { ++ map_ptr = prog->aux->poke_tab[i].tail_call.map; ++ map_ptr->ops->map_poke_untrack(map_ptr, prog->aux); ++ } ++ /* At this point we're guaranteed that poke descriptors are not ++ * live anymore. We can just unlink its descriptor table as it's ++ * released with the main prog. ++ */ + for (i = 0; i < env->subprog_cnt; i++) { + if (!func[i]) + continue; +- +- for (j = 0; j < func[i]->aux->size_poke_tab; j++) { +- map_ptr = func[i]->aux->poke_tab[j].tail_call.map; +- map_ptr->ops->map_poke_untrack(map_ptr, func[i]->aux); +- } ++ func[i]->aux->poke_tab = NULL; + bpf_jit_free(func[i]); + } + kfree(func); diff --git a/queue-5.13/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch b/queue-5.13/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch new file mode 100644 index 00000000000..58b2cc932a9 --- /dev/null +++ b/queue-5.13/bpftool-properly-close-va_list-ap-by-va_end-on-error.patch @@ -0,0 +1,40 @@ +From bc832065b60f973771ff3e657214bb21b559833c Mon Sep 17 00:00:00 2001 +From: Gu Shengxian +Date: Mon, 5 Jul 2021 18:35:43 -0700 +Subject: bpftool: Properly close va_list 'ap' by va_end() on error + +From: Gu Shengxian + +commit bc832065b60f973771ff3e657214bb21b559833c upstream. + +va_list 'ap' was opened but not closed by va_end() in error case. It should +be closed by va_end() before the return. + +Fixes: aa52bcbe0e72 ("tools: bpftool: Fix json dump crash on powerpc") +Signed-off-by: Gu Shengxian +Signed-off-by: Daniel Borkmann +Cc: Jiri Olsa +Link: https://lore.kernel.org/bpf/20210706013543.671114-1-gushengxian507419@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/bpftool/jit_disasm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/bpf/bpftool/jit_disasm.c ++++ b/tools/bpf/bpftool/jit_disasm.c +@@ -43,11 +43,13 @@ static int fprintf_json(void *out, const + { + va_list ap; + char *s; ++ int err; + + va_start(ap, fmt); +- if (vasprintf(&s, fmt, ap) < 0) +- return -1; ++ err = vasprintf(&s, fmt, ap); + va_end(ap); ++ if (err < 0) ++ return -1; + + if (!oper_count) { + int i; diff --git a/queue-5.13/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch b/queue-5.13/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch new file mode 100644 index 00000000000..faf970bf165 --- /dev/null +++ b/queue-5.13/drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch @@ -0,0 +1,42 @@ +From 1988e0d84161dabd99d1c27033fbd6ee439bf432 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 4 Jun 2021 01:18:30 +0200 +Subject: drm/panel: nt35510: Do not fail if DSI read fails + +From: Linus Walleij + +commit 1988e0d84161dabd99d1c27033fbd6ee439bf432 upstream. + +Failing to read the MTP over DSI should not bring down the +system and make us bail out from using the display, it turns +out that this happens when toggling the display off and on, +and that write is often still working so the display output +is just fine. Printing an error is enough. + +Tested by killing the Gnome session repeatedly on the +Samsung Skomer. + +Fixes: 899f24ed8d3a ("drm/panel: Add driver for Novatek NT35510-based panels") +Cc: Stephan Gerhold +Reported-by: newbyte@disroot.org +Acked-by: Stefan Hansson +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20210603231830.3200040-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-novatek-nt35510.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/panel/panel-novatek-nt35510.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt35510.c +@@ -706,9 +706,7 @@ static int nt35510_power_on(struct nt355 + if (ret) + return ret; + +- ret = nt35510_read_id(nt); +- if (ret) +- return ret; ++ nt35510_read_id(nt); + + /* Set up stuff in manufacturer control, page 1 */ + ret = nt35510_send_long(nt, dsi, MCS_CMD_MAUCCTR, diff --git a/queue-5.13/firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch b/queue-5.13/firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch new file mode 100644 index 00000000000..3b2475b9a06 --- /dev/null +++ b/queue-5.13/firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch @@ -0,0 +1,48 @@ +From 187a002b07e8089f0b5657eafec50b5d05625569 Mon Sep 17 00:00:00 2001 +From: Cristian Marussi +Date: Mon, 28 Jun 2021 18:00:42 +0100 +Subject: firmware: arm_scmi: Avoid padding in sensor message structure + +From: Cristian Marussi + +commit 187a002b07e8089f0b5657eafec50b5d05625569 upstream. + +scmi_resp_sensor_reading_complete structure is meant to represent an +SCMI asynchronous reading complete message. The readings field with +a 64bit type forces padding and breaks reads in scmi_sensor_reading_get. + +Split it in two adjacent 32bit readings_low/high subfields to avoid the +padding within the structure. Alternatively we could to mark the structure +packed. + +Link: https://lore.kernel.org/r/20210628170042.34105-1-cristian.marussi@arm.com +Fixes: e2083d3673916 ("firmware: arm_scmi: Add SCMI v3.0 sensors timestamped reads") +Signed-off-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/sensors.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/arm_scmi/sensors.c ++++ b/drivers/firmware/arm_scmi/sensors.c +@@ -166,7 +166,8 @@ struct scmi_msg_sensor_reading_get { + + struct scmi_resp_sensor_reading_complete { + __le32 id; +- __le64 readings; ++ __le32 readings_low; ++ __le32 readings_high; + }; + + struct scmi_sensor_reading_resp { +@@ -717,7 +718,8 @@ static int scmi_sensor_reading_get(const + + resp = t->rx.buf; + if (le32_to_cpu(resp->id) == sensor_id) +- *value = get_unaligned_le64(&resp->readings); ++ *value = ++ get_unaligned_le64(&resp->readings_low); + else + ret = -EPROTO; + } diff --git a/queue-5.13/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch b/queue-5.13/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch new file mode 100644 index 00000000000..00c773a898e --- /dev/null +++ b/queue-5.13/ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch @@ -0,0 +1,130 @@ +From c7bb4b89033b764eb07db4e060548a6311d801ee Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 8 Jul 2021 00:21:09 -0700 +Subject: ipv6: tcp: drop silly ICMPv6 packet too big messages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit c7bb4b89033b764eb07db4e060548a6311d801ee upstream. + +While TCP stack scales reasonably well, there is still one part that +can be used to DDOS it. + +IPv6 Packet too big messages have to lookup/insert a new route, +and if abused by attackers, can easily put hosts under high stress, +with many cpus contending on a spinlock while one is stuck in fib6_run_gc() + +ip6_protocol_deliver_rcu() + icmpv6_rcv() + icmpv6_notify() + tcp_v6_err() + tcp_v6_mtu_reduced() + inet6_csk_update_pmtu() + ip6_rt_update_pmtu() + __ip6_rt_update_pmtu() + ip6_rt_cache_alloc() + ip6_dst_alloc() + dst_alloc() + ip6_dst_gc() + fib6_run_gc() + spin_lock_bh() ... + +Some of our servers have been hit by malicious ICMPv6 packets +trying to _increase_ the MTU/MSS of TCP flows. + +We believe these ICMPv6 packets are a result of a bug in one ISP stack, +since they were blindly sent back for _every_ (small) packet sent to them. + +These packets are for one TCP flow: +09:24:36.266491 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.266509 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.316688 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.316704 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 +09:24:36.608151 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240 + +TCP stack can filter some silly requests : + +1) MTU below IPV6_MIN_MTU can be filtered early in tcp_v6_err() +2) tcp_v6_mtu_reduced() can drop requests trying to increase current MSS. + +This tests happen before the IPv6 routing stack is entered, thus +removing the potential contention and route exhaustion. + +Note that IPv6 stack was performing these checks, but too late +(ie : after the route has been added, and after the potential +garbage collect war) + +v2: fix typo caught by Martin, thanks ! +v3: exports tcp_mtu_to_mss(), caught by David, thanks ! + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reviewed-by: Maciej Å»enczykowski +Cc: Martin KaFai Lau +Acked-by: Martin KaFai Lau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 1 + + net/ipv6/tcp_ipv6.c | 19 +++++++++++++++++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1732,6 +1732,7 @@ int tcp_mtu_to_mss(struct sock *sk, int + return __tcp_mtu_to_mss(sk, pmtu) - + (tcp_sk(sk)->tcp_header_len - sizeof(struct tcphdr)); + } ++EXPORT_SYMBOL(tcp_mtu_to_mss); + + /* Inverse of above */ + int tcp_mss_to_mtu(struct sock *sk, int mss) +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -348,11 +348,20 @@ failure: + static void tcp_v6_mtu_reduced(struct sock *sk) + { + struct dst_entry *dst; ++ u32 mtu; + + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; + +- dst = inet6_csk_update_pmtu(sk, READ_ONCE(tcp_sk(sk)->mtu_info)); ++ mtu = READ_ONCE(tcp_sk(sk)->mtu_info); ++ ++ /* Drop requests trying to increase our current mss. ++ * Check done in __ip6_rt_update_pmtu() is too late. ++ */ ++ if (tcp_mtu_to_mss(sk, mtu) >= tcp_sk(sk)->mss_cache) ++ return; ++ ++ dst = inet6_csk_update_pmtu(sk, mtu); + if (!dst) + return; + +@@ -433,6 +442,8 @@ static int tcp_v6_err(struct sk_buff *sk + } + + if (type == ICMPV6_PKT_TOOBIG) { ++ u32 mtu = ntohl(info); ++ + /* We are not interested in TCP_LISTEN and open_requests + * (SYN-ACKs send out by Linux are always <576bytes so + * they should go through unfragmented). +@@ -443,7 +454,11 @@ static int tcp_v6_err(struct sk_buff *sk + if (!ip6_sk_accept_pmtu(sk)) + goto out; + +- WRITE_ONCE(tp->mtu_info, ntohl(info)); ++ if (mtu < IPV6_MIN_MTU) ++ goto out; ++ ++ WRITE_ONCE(tp->mtu_info, mtu); ++ + if (!sock_owned_by_user(sk)) + tcp_v6_mtu_reduced(sk); + else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, diff --git a/queue-5.13/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch b/queue-5.13/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch new file mode 100644 index 00000000000..2db3e59c50f --- /dev/null +++ b/queue-5.13/kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch @@ -0,0 +1,54 @@ +From d952cfaf0cffdbbb0433c67206b645131f17ca5f Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 14 Jul 2021 13:23:49 +0900 +Subject: kbuild: do not suppress Kconfig prompts for silent build + +From: Masahiro Yamada + +commit d952cfaf0cffdbbb0433c67206b645131f17ca5f upstream. + +When a new CONFIG option is available, Kbuild shows a prompt to get +the user input. + + $ make + [ snip ] + Core Scheduling for SMT (SCHED_CORE) [N/y/?] (NEW) + +This is the only interactive place in the build process. + +Commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build") +suppressed Kconfig prompts as well because syncconfig is invoked by +the 'cmd' macro. You cannot notice the fact that Kconfig is waiting +for the user input. + +Use 'kecho' to show the equivalent short log without suppressing stdout +from sub-make. + +Fixes: 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build") +Reported-by: Tetsuo Handa +Signed-off-by: Masahiro Yamada +Tested-by: Tetsuo Handa +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -721,11 +721,12 @@ $(KCONFIG_CONFIG): + # This exploits the 'multi-target pattern rule' trick. + # The syncconfig should be executed only once to make all the targets. + # (Note: use the grouped target '&:' when we bump to GNU Make 4.3) +-quiet_cmd_syncconfig = SYNC $@ +- cmd_syncconfig = $(MAKE) -f $(srctree)/Makefile syncconfig +- ++# ++# Do not use $(call cmd,...) here. That would suppress prompts from syncconfig, ++# so you cannot notice that Kconfig is waiting for the user input. + %/config/auto.conf %/config/auto.conf.cmd %/generated/autoconf.h: $(KCONFIG_CONFIG) +- +$(call cmd,syncconfig) ++ $(Q)$(kecho) " SYNC $@" ++ $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig + else # !may-sync-config + # External modules and some install targets need include/generated/autoconf.h + # and include/config/auto.conf but do not care if they are up-to-date. diff --git a/queue-5.13/mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch b/queue-5.13/mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch new file mode 100644 index 00000000000..2a3b0f73503 --- /dev/null +++ b/queue-5.13/mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch @@ -0,0 +1,42 @@ +From c34269041185dad1bab7a34f42ef9fab967a1684 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Thu, 8 Jul 2021 21:17:10 +0800 +Subject: mt76: mt7921: continue to probe driver when fw already downloaded + +From: Aaron Ma + +commit c34269041185dad1bab7a34f42ef9fab967a1684 upstream. + +When reboot system, no power cycles, firmware is already downloaded, +return -EIO will break driver as error: +mt7921e: probe of 0000:03:00.0 failed with error -5 + +Skip firmware download and continue to probe. + +Signed-off-by: Aaron Ma +Fixes: 1c099ab44727c ("mt76: mt7921: add MCU support") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -921,7 +921,7 @@ static int mt7921_load_firmware(struct m + ret = mt76_get_field(dev, MT_CONN_ON_MISC, MT_TOP_MISC2_FW_N9_RDY); + if (ret) { + dev_dbg(dev->mt76.dev, "Firmware is already download\n"); +- return -EIO; ++ goto fw_loaded; + } + + ret = mt7921_load_patch(dev); +@@ -939,6 +939,7 @@ static int mt7921_load_firmware(struct m + return -EIO; + } + ++fw_loaded: + mt76_queue_tx_cleanup(dev, dev->mt76.q_mcu[MT_MCUQ_FWDL], false); + + #ifdef CONFIG_PM diff --git a/queue-5.13/perf-test-bpf-free-obj_buf.patch b/queue-5.13/perf-test-bpf-free-obj_buf.patch new file mode 100644 index 00000000000..17076c0b99a --- /dev/null +++ b/queue-5.13/perf-test-bpf-free-obj_buf.patch @@ -0,0 +1,52 @@ +From 937654ce497fb6e977a8c52baee5f7d9616302d9 Mon Sep 17 00:00:00 2001 +From: Riccardo Mancini +Date: Thu, 15 Jul 2021 18:07:24 +0200 +Subject: perf test bpf: Free obj_buf + +From: Riccardo Mancini + +commit 937654ce497fb6e977a8c52baee5f7d9616302d9 upstream. + +ASan reports some memory leaks when running: + + # perf test "42: BPF filter" + +The first of these leaks is caused by obj_buf never being deallocated in +__test__bpf. + +This patch adds the missing free. + +Signed-off-by: Riccardo Mancini +Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'") +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com +[ Added missing stdlib.h include ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/bpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -276,6 +277,7 @@ static int __test__bpf(int idx) + } + + out: ++ free(obj_buf); + bpf__clear(); + return ret; + } diff --git a/queue-5.13/series b/queue-5.13/series index 6135c837084..d33c7596691 100644 --- a/queue-5.13/series +++ b/queue-5.13/series @@ -132,3 +132,25 @@ net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch net-fddi-fix-uaf-in-fza_probe.patch dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch +kbuild-do-not-suppress-kconfig-prompts-for-silent-build.patch +vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch +vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch +vboxsf-add-vboxsf__sf_handle-helpers.patch +vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch +arm-dts-aspeed-fix-ast2600-machines-line-names.patch +arm-dts-tacoma-add-phase-corrections-for-emmc.patch +arm-dts-everest-add-phase-corrections-for-emmc.patch +tcp-consistently-disable-header-prediction-for-mptcp.patch +tcp-annotate-data-races-around-tp-mtu_info.patch +tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch +ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch +tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch +tools-bpf-fix-error-in-make-c-tools-bpf_install.patch +bpftool-properly-close-va_list-ap-by-va_end-on-error.patch +bpf-track-subprog-poke-descriptors-correctly-and-fix-use-after-free.patch +perf-test-bpf-free-obj_buf.patch +drm-panel-nt35510-do-not-fail-if-dsi-read-fails.patch +firmware-arm_scmi-avoid-padding-in-sensor-message-structure.patch +udp-annotate-data-races-around-unix_sk-sk-gso_size.patch +udp-properly-flush-normal-packet-at-gro-time.patch +mt76-mt7921-continue-to-probe-driver-when-fw-already-downloaded.patch diff --git a/queue-5.13/tcp-annotate-data-races-around-tp-mtu_info.patch b/queue-5.13/tcp-annotate-data-races-around-tp-mtu_info.patch new file mode 100644 index 00000000000..3255a797e96 --- /dev/null +++ b/queue-5.13/tcp-annotate-data-races-around-tp-mtu_info.patch @@ -0,0 +1,62 @@ +From 561022acb1ce62e50f7a8258687a21b84282a4cb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 2 Jul 2021 13:09:03 -0700 +Subject: tcp: annotate data races around tp->mtu_info + +From: Eric Dumazet + +commit 561022acb1ce62e50f7a8258687a21b84282a4cb upstream. + +While tp->mtu_info is read while socket is owned, the write +sides happen from err handlers (tcp_v[46]_mtu_reduced) +which only own the socket spinlock. + +Fixes: 563d34d05786 ("tcp: dont drop MTU reduction indications") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 4 ++-- + net/ipv6/tcp_ipv6.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -342,7 +342,7 @@ void tcp_v4_mtu_reduced(struct sock *sk) + + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; +- mtu = tcp_sk(sk)->mtu_info; ++ mtu = READ_ONCE(tcp_sk(sk)->mtu_info); + dst = inet_csk_update_pmtu(sk, mtu); + if (!dst) + return; +@@ -546,7 +546,7 @@ int tcp_v4_err(struct sk_buff *skb, u32 + if (sk->sk_state == TCP_LISTEN) + goto out; + +- tp->mtu_info = info; ++ WRITE_ONCE(tp->mtu_info, info); + if (!sock_owned_by_user(sk)) { + tcp_v4_mtu_reduced(sk); + } else { +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -352,7 +352,7 @@ static void tcp_v6_mtu_reduced(struct so + if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) + return; + +- dst = inet6_csk_update_pmtu(sk, tcp_sk(sk)->mtu_info); ++ dst = inet6_csk_update_pmtu(sk, READ_ONCE(tcp_sk(sk)->mtu_info)); + if (!dst) + return; + +@@ -443,7 +443,7 @@ static int tcp_v6_err(struct sk_buff *sk + if (!ip6_sk_accept_pmtu(sk)) + goto out; + +- tp->mtu_info = ntohl(info); ++ WRITE_ONCE(tp->mtu_info, ntohl(info)); + if (!sock_owned_by_user(sk)) + tcp_v6_mtu_reduced(sk); + else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, diff --git a/queue-5.13/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch b/queue-5.13/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch new file mode 100644 index 00000000000..5ff04ac6173 --- /dev/null +++ b/queue-5.13/tcp-call-sk_wmem_schedule-before-sk_mem_charge-in-zerocopy-path.patch @@ -0,0 +1,43 @@ +From 358ed624207012f03318235017ac6fb41f8af592 Mon Sep 17 00:00:00 2001 +From: Talal Ahmad +Date: Fri, 9 Jul 2021 11:43:06 -0400 +Subject: tcp: call sk_wmem_schedule before sk_mem_charge in zerocopy path + +From: Talal Ahmad + +commit 358ed624207012f03318235017ac6fb41f8af592 upstream. + +sk_wmem_schedule makes sure that sk_forward_alloc has enough +bytes for charging that is going to be done by sk_mem_charge. + +In the transmit zerocopy path, there is sk_mem_charge but there was +no call to sk_wmem_schedule. This change adds that call. + +Without this call to sk_wmem_schedule, sk_forward_alloc can go +negetive which is a bug because sk_forward_alloc is a per-socket +space that has been forward charged so this can't be negative. + +Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY") +Signed-off-by: Talal Ahmad +Reviewed-by: Willem de Bruijn +Reviewed-by: Wei Wang +Reviewed-by: Soheil Hassas Yeganeh +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1375,6 +1375,9 @@ new_segment: + } + pfrag->offset += copy; + } else { ++ if (!sk_wmem_schedule(sk, copy)) ++ goto wait_for_space; ++ + err = skb_zerocopy_iter_stream(sk, skb, msg, copy, uarg); + if (err == -EMSGSIZE || err == -EEXIST) { + tcp_mark_push(tp, skb); diff --git a/queue-5.13/tcp-consistently-disable-header-prediction-for-mptcp.patch b/queue-5.13/tcp-consistently-disable-header-prediction-for-mptcp.patch new file mode 100644 index 00000000000..25688449e21 --- /dev/null +++ b/queue-5.13/tcp-consistently-disable-header-prediction-for-mptcp.patch @@ -0,0 +1,43 @@ +From 71158bb1f2d2da61385c58fc1114e1a1c19984ba Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 30 Jun 2021 13:42:13 +0200 +Subject: tcp: consistently disable header prediction for mptcp + +From: Paolo Abeni + +commit 71158bb1f2d2da61385c58fc1114e1a1c19984ba upstream. + +The MPTCP receive path is hooked only into the TCP slow-path. +The DSS presence allows plain MPTCP traffic to hit that +consistently. + +Since commit e1ff9e82e2ea ("net: mptcp: improve fallback to TCP"), +when an MPTCP socket falls back to TCP, it can hit the TCP receive +fast-path, and delay or stop triggering the event notification. + +Address the issue explicitly disabling the header prediction +for MPTCP sockets. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/200 +Fixes: e1ff9e82e2ea ("net: mptcp: improve fallback to TCP") +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -682,6 +682,10 @@ static inline u32 __tcp_set_rto(const st + + static inline void __tcp_fast_path_on(struct tcp_sock *tp, u32 snd_wnd) + { ++ /* mptcp hooks are only on the slow path */ ++ if (sk_is_mptcp((struct sock *)tp)) ++ return; ++ + tp->pred_flags = htonl((tp->tcp_header_len << 26) | + ntohl(TCP_FLAG_ACK) | + snd_wnd); diff --git a/queue-5.13/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch b/queue-5.13/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch new file mode 100644 index 00000000000..8e3b1751090 --- /dev/null +++ b/queue-5.13/tcp-fix-tcp_init_transfer-to-not-reset-icsk_ca_initialized.patch @@ -0,0 +1,67 @@ +From be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc Mon Sep 17 00:00:00 2001 +From: Nguyen Dinh Phi +Date: Tue, 6 Jul 2021 07:19:12 +0800 +Subject: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized + +From: Nguyen Dinh Phi + +commit be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc upstream. + +This commit fixes a bug (found by syzkaller) that could cause spurious +double-initializations for congestion control modules, which could cause +memory leaks or other problems for congestion control modules (like CDG) +that allocate memory in their init functions. + +The buggy scenario constructed by syzkaller was something like: + +(1) create a TCP socket +(2) initiate a TFO connect via sendto() +(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), + which calls: + tcp_set_congestion_control() -> + tcp_reinit_congestion_control() -> + tcp_init_congestion_control() +(4) receive ACK, connection is established, call tcp_init_transfer(), + set icsk_ca_initialized=0 (without first calling cc->release()), + call tcp_init_congestion_control() again. + +Note that in this sequence tcp_init_congestion_control() is called +twice without a cc->release() call in between. Thus, for CC modules +that allocate memory in their init() function, e.g, CDG, a memory leak +may occur. The syzkaller tool managed to find a reproducer that +triggered such a leak in CDG. + +The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init +congestion control if not initialized already") +introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in +tcp_init_transfer(), missing the possibility for a sequence like the +one above, where a process could call setsockopt(TCP_CONGESTION) in +state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), +which would call tcp_init_congestion_control(). It did not intend to +reset any initialization that the user had already explicitly made; +it just missed the possibility of that particular sequence (which +syzkaller managed to find). + +Fixes: 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") +Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com +Signed-off-by: Nguyen Dinh Phi +Acked-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5921,8 +5921,8 @@ void tcp_init_transfer(struct sock *sk, + tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk)); + tp->snd_cwnd_stamp = tcp_jiffies32; + +- icsk->icsk_ca_initialized = 0; + bpf_skops_established(sk, bpf_op, skb); ++ /* Initialize congestion control unless BPF initialized it already: */ + if (!icsk->icsk_ca_initialized) + tcp_init_congestion_control(sk); + tcp_init_buffer_space(sk); diff --git a/queue-5.13/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch b/queue-5.13/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch new file mode 100644 index 00000000000..e0db7269b34 --- /dev/null +++ b/queue-5.13/tools-bpf-fix-error-in-make-c-tools-bpf_install.patch @@ -0,0 +1,53 @@ +From 1d719254c139fb62fb8056fb496b6fd007e71550 Mon Sep 17 00:00:00 2001 +From: Wei Li +Date: Mon, 28 Jun 2021 11:04:09 +0800 +Subject: tools: bpf: Fix error in 'make -C tools/ bpf_install' + +From: Wei Li + +commit 1d719254c139fb62fb8056fb496b6fd007e71550 upstream. + +make[2]: *** No rule to make target 'install'. Stop. +make[1]: *** [Makefile:122: runqslower_install] Error 2 +make: *** [Makefile:116: bpf_install] Error 2 + +There is no rule for target 'install' in tools/bpf/runqslower/Makefile, +and there is no need to install it, so just remove 'runqslower_install'. + +Fixes: 9c01546d26d2 ("tools/bpf: Add runqslower tool to tools/bpf") +Signed-off-by: Wei Li +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210628030409.3459095-1-liwei391@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/Makefile | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/tools/bpf/Makefile ++++ b/tools/bpf/Makefile +@@ -97,7 +97,7 @@ clean: bpftool_clean runqslower_clean re + $(Q)$(RM) -- $(OUTPUT)FEATURE-DUMP.bpf + $(Q)$(RM) -r -- $(OUTPUT)feature + +-install: $(PROGS) bpftool_install runqslower_install ++install: $(PROGS) bpftool_install + $(call QUIET_INSTALL, bpf_jit_disasm) + $(Q)$(INSTALL) -m 0755 -d $(DESTDIR)$(prefix)/bin + $(Q)$(INSTALL) $(OUTPUT)bpf_jit_disasm $(DESTDIR)$(prefix)/bin/bpf_jit_disasm +@@ -118,9 +118,6 @@ bpftool_clean: + runqslower: + $(call descend,runqslower) + +-runqslower_install: +- $(call descend,runqslower,install) +- + runqslower_clean: + $(call descend,runqslower,clean) + +@@ -131,5 +128,5 @@ resolve_btfids_clean: + $(call descend,resolve_btfids,clean) + + .PHONY: all install clean bpftool bpftool_install bpftool_clean \ +- runqslower runqslower_install runqslower_clean \ ++ runqslower runqslower_clean \ + resolve_btfids resolve_btfids_clean diff --git a/queue-5.13/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch b/queue-5.13/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch new file mode 100644 index 00000000000..5100661dd3e --- /dev/null +++ b/queue-5.13/udp-annotate-data-races-around-unix_sk-sk-gso_size.patch @@ -0,0 +1,96 @@ +From 18a419bad63b7f68a1979e28459782518e7b6bbe Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 30 Jun 2021 09:42:44 -0700 +Subject: udp: annotate data races around unix_sk(sk)->gso_size + +From: Eric Dumazet + +commit 18a419bad63b7f68a1979e28459782518e7b6bbe upstream. + +Accesses to unix_sk(sk)->gso_size are lockless. +Add READ_ONCE()/WRITE_ONCE() around them. + +BUG: KCSAN: data-race in udp_lib_setsockopt / udpv6_sendmsg + +write to 0xffff88812d78f47c of 2 bytes by task 10849 on cpu 1: + udp_lib_setsockopt+0x3b3/0x710 net/ipv4/udp.c:2696 + udpv6_setsockopt+0x63/0x90 net/ipv6/udp.c:1630 + sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3265 + __sys_setsockopt+0x18f/0x200 net/socket.c:2104 + __do_sys_setsockopt net/socket.c:2115 [inline] + __se_sys_setsockopt net/socket.c:2112 [inline] + __x64_sys_setsockopt+0x62/0x70 net/socket.c:2112 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88812d78f47c of 2 bytes by task 10852 on cpu 0: + udpv6_sendmsg+0x161/0x16b0 net/ipv6/udp.c:1299 + inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2337 + ___sys_sendmsg net/socket.c:2391 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2477 + __do_sys_sendmmsg net/socket.c:2506 [inline] + __se_sys_sendmmsg net/socket.c:2503 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2503 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000 -> 0x0005 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 10852 Comm: syz-executor.0 Not tainted 5.13.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 6 +++--- + net/ipv6/udp.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1102,7 +1102,7 @@ int udp_sendmsg(struct sock *sk, struct + } + + ipcm_init_sk(&ipc, inet); +- ipc.gso_size = up->gso_size; ++ ipc.gso_size = READ_ONCE(up->gso_size); + + if (msg->msg_controllen) { + err = udp_cmsg_send(sk, msg, &ipc.gso_size); +@@ -2695,7 +2695,7 @@ int udp_lib_setsockopt(struct sock *sk, + case UDP_SEGMENT: + if (val < 0 || val > USHRT_MAX) + return -EINVAL; +- up->gso_size = val; ++ WRITE_ONCE(up->gso_size, val); + break; + + case UDP_GRO: +@@ -2790,7 +2790,7 @@ int udp_lib_getsockopt(struct sock *sk, + break; + + case UDP_SEGMENT: +- val = up->gso_size; ++ val = READ_ONCE(up->gso_size); + break; + + case UDP_GRO: +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1296,7 +1296,7 @@ int udpv6_sendmsg(struct sock *sk, struc + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); + + ipcm6_init(&ipc6); +- ipc6.gso_size = up->gso_size; ++ ipc6.gso_size = READ_ONCE(up->gso_size); + ipc6.sockc.tsflags = sk->sk_tsflags; + ipc6.sockc.mark = sk->sk_mark; + diff --git a/queue-5.13/udp-properly-flush-normal-packet-at-gro-time.patch b/queue-5.13/udp-properly-flush-normal-packet-at-gro-time.patch new file mode 100644 index 00000000000..1e06da34a86 --- /dev/null +++ b/queue-5.13/udp-properly-flush-normal-packet-at-gro-time.patch @@ -0,0 +1,41 @@ +From b43c8909be52f2baca8884f967b418a88424494a Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Sat, 3 Jul 2021 00:38:43 +0200 +Subject: udp: properly flush normal packet at GRO time + +From: Paolo Abeni + +commit b43c8909be52f2baca8884f967b418a88424494a upstream. + +If an UDP packet enters the GRO engine but is not eligible +for aggregation and is not targeting an UDP tunnel, +udp_gro_receive() will not set the flush bit, and packet +could delayed till the next napi flush. + +Fix the issue ensuring non GROed packets traverse +skb_gro_flush_final(). + +Reported-and-tested-by: Matthias Treydte +Fixes: 18f25dc39990 ("udp: skip L4 aggregation for UDP tunnel packets") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp_offload.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -525,8 +525,10 @@ struct sk_buff *udp_gro_receive(struct l + + if ((!sk && (skb->dev->features & NETIF_F_GRO_UDP_FWD)) || + (sk && udp_sk(sk)->gro_enabled) || NAPI_GRO_CB(skb)->is_flist) +- pp = call_gro_receive(udp_gro_receive_segment, head, skb); +- return pp; ++ return call_gro_receive(udp_gro_receive_segment, head, skb); ++ ++ /* no GRO, be sure flush the current packet */ ++ goto out; + } + + if (NAPI_GRO_CB(skb)->encap_mark || diff --git a/queue-5.13/vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch b/queue-5.13/vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch new file mode 100644 index 00000000000..f0f5fbcc156 --- /dev/null +++ b/queue-5.13/vboxsf-add-support-for-the-atomic_open-directory-inode-op.patch @@ -0,0 +1,120 @@ +From 52dfd86aa568e433b24357bb5fc725560f1e22d8 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 21 Jan 2021 12:54:18 +0100 +Subject: vboxsf: Add support for the atomic_open directory-inode op + +From: Hans de Goede + +commit 52dfd86aa568e433b24357bb5fc725560f1e22d8 upstream. + +Opening a new file is done in 2 steps on regular filesystems: + +1. Call the create inode-op on the parent-dir to create an inode +to hold the meta-data related to the file. +2. Call the open file-op to get a handle for the file. + +vboxsf however does not really use disk-backed inodes because it +is based on passing through file-related system-calls through to +the hypervisor. So both steps translate to an open(2) call being +passed through to the hypervisor. With the handle returned by +the first call immediately being closed again. + +Making 2 open calls for a single open(..., O_CREATE, ...) calls +has 2 problems: + +a) It is not really efficient. +b) It actually breaks some apps. + +An example of b) is doing a git clone inside a vboxsf mount. +When git clone tries to create a tempfile to store the pak +files which is downloading the following happens: + +1. vboxsf_dir_mkfile() gets called with a mode of 0444 and succeeds. +2. vboxsf_file_open() gets called with file->f_flags containing +O_RDWR. When the host is a Linux machine this fails because doing +a open(..., O_RDWR) on a file which exists and has mode 0444 results +in an -EPERM error. + +Other network-filesystems and fuse avoid the problem of needing to +pass 2 open() calls to the other side by using the atomic_open +directory-inode op. + +This commit fixes git clone not working inside a vboxsf mount, +by adding support for the atomic_open directory-inode op. +As an added bonus this should also make opening new files faster. + +The atomic_open implementation is modelled after the atomic_open +implementations from the 9p and fuse code. + +Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") +Reported-by: Ludovic Pouzenc +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + fs/vboxsf/dir.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +--- a/fs/vboxsf/dir.c ++++ b/fs/vboxsf/dir.c +@@ -308,6 +308,53 @@ static int vboxsf_dir_mkdir(struct user_ + return vboxsf_dir_create(parent, dentry, mode, true, true, NULL); + } + ++static int vboxsf_dir_atomic_open(struct inode *parent, struct dentry *dentry, ++ struct file *file, unsigned int flags, umode_t mode) ++{ ++ struct vboxsf_sbi *sbi = VBOXSF_SBI(parent->i_sb); ++ struct vboxsf_handle *sf_handle; ++ struct dentry *res = NULL; ++ u64 handle; ++ int err; ++ ++ if (d_in_lookup(dentry)) { ++ res = vboxsf_dir_lookup(parent, dentry, 0); ++ if (IS_ERR(res)) ++ return PTR_ERR(res); ++ ++ if (res) ++ dentry = res; ++ } ++ ++ /* Only creates */ ++ if (!(flags & O_CREAT) || d_really_is_positive(dentry)) ++ return finish_no_open(file, res); ++ ++ err = vboxsf_dir_create(parent, dentry, mode, false, flags & O_EXCL, &handle); ++ if (err) ++ goto out; ++ ++ sf_handle = vboxsf_create_sf_handle(d_inode(dentry), handle, SHFL_CF_ACCESS_READWRITE); ++ if (IS_ERR(sf_handle)) { ++ vboxsf_close(sbi->root, handle); ++ err = PTR_ERR(sf_handle); ++ goto out; ++ } ++ ++ err = finish_open(file, dentry, generic_file_open); ++ if (err) { ++ /* This also closes the handle passed to vboxsf_create_sf_handle() */ ++ vboxsf_release_sf_handle(d_inode(dentry), sf_handle); ++ goto out; ++ } ++ ++ file->private_data = sf_handle; ++ file->f_mode |= FMODE_CREATED; ++out: ++ dput(res); ++ return err; ++} ++ + static int vboxsf_dir_unlink(struct inode *parent, struct dentry *dentry) + { + struct vboxsf_sbi *sbi = VBOXSF_SBI(parent->i_sb); +@@ -428,6 +475,7 @@ const struct inode_operations vboxsf_dir + .lookup = vboxsf_dir_lookup, + .create = vboxsf_dir_mkfile, + .mkdir = vboxsf_dir_mkdir, ++ .atomic_open = vboxsf_dir_atomic_open, + .rmdir = vboxsf_dir_unlink, + .unlink = vboxsf_dir_unlink, + .rename = vboxsf_dir_rename, diff --git a/queue-5.13/vboxsf-add-vboxsf__sf_handle-helpers.patch b/queue-5.13/vboxsf-add-vboxsf__sf_handle-helpers.patch new file mode 100644 index 00000000000..6b3046450ac --- /dev/null +++ b/queue-5.13/vboxsf-add-vboxsf__sf_handle-helpers.patch @@ -0,0 +1,156 @@ +From 02f840f90764f22f5c898901849bdbf0cee752ba Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 21 Jan 2021 10:55:03 +0100 +Subject: vboxsf: Add vboxsf_[create|release]_sf_handle() helpers + +From: Hans de Goede + +commit 02f840f90764f22f5c898901849bdbf0cee752ba upstream. + +Factor out the code to create / release a struct vboxsf_handle into +2 new helper functions. + +This is a preparation patch for adding atomic_open support. + +Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + fs/vboxsf/file.c | 71 ++++++++++++++++++++++++++++++++--------------------- + fs/vboxsf/vfsmod.h | 7 +++++ + 2 files changed, 51 insertions(+), 27 deletions(-) + +--- a/fs/vboxsf/file.c ++++ b/fs/vboxsf/file.c +@@ -20,17 +20,39 @@ struct vboxsf_handle { + struct list_head head; + }; + +-static int vboxsf_file_open(struct inode *inode, struct file *file) ++struct vboxsf_handle *vboxsf_create_sf_handle(struct inode *inode, ++ u64 handle, u32 access_flags) + { + struct vboxsf_inode *sf_i = VBOXSF_I(inode); +- struct shfl_createparms params = {}; + struct vboxsf_handle *sf_handle; +- u32 access_flags = 0; +- int err; + + sf_handle = kmalloc(sizeof(*sf_handle), GFP_KERNEL); + if (!sf_handle) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); ++ ++ /* the host may have given us different attr then requested */ ++ sf_i->force_restat = 1; ++ ++ /* init our handle struct and add it to the inode's handles list */ ++ sf_handle->handle = handle; ++ sf_handle->root = VBOXSF_SBI(inode->i_sb)->root; ++ sf_handle->access_flags = access_flags; ++ kref_init(&sf_handle->refcount); ++ ++ mutex_lock(&sf_i->handle_list_mutex); ++ list_add(&sf_handle->head, &sf_i->handle_list); ++ mutex_unlock(&sf_i->handle_list_mutex); ++ ++ return sf_handle; ++} ++ ++static int vboxsf_file_open(struct inode *inode, struct file *file) ++{ ++ struct vboxsf_sbi *sbi = VBOXSF_SBI(inode->i_sb); ++ struct shfl_createparms params = {}; ++ struct vboxsf_handle *sf_handle; ++ u32 access_flags = 0; ++ int err; + + /* + * We check the value of params.handle afterwards to find out if +@@ -83,23 +105,14 @@ static int vboxsf_file_open(struct inode + err = vboxsf_create_at_dentry(file_dentry(file), ¶ms); + if (err == 0 && params.handle == SHFL_HANDLE_NIL) + err = (params.result == SHFL_FILE_EXISTS) ? -EEXIST : -ENOENT; +- if (err) { +- kfree(sf_handle); ++ if (err) + return err; +- } + +- /* the host may have given us different attr then requested */ +- sf_i->force_restat = 1; +- +- /* init our handle struct and add it to the inode's handles list */ +- sf_handle->handle = params.handle; +- sf_handle->root = VBOXSF_SBI(inode->i_sb)->root; +- sf_handle->access_flags = access_flags; +- kref_init(&sf_handle->refcount); +- +- mutex_lock(&sf_i->handle_list_mutex); +- list_add(&sf_handle->head, &sf_i->handle_list); +- mutex_unlock(&sf_i->handle_list_mutex); ++ sf_handle = vboxsf_create_sf_handle(inode, params.handle, access_flags); ++ if (IS_ERR(sf_handle)) { ++ vboxsf_close(sbi->root, params.handle); ++ return PTR_ERR(sf_handle); ++ } + + file->private_data = sf_handle; + return 0; +@@ -114,22 +127,26 @@ static void vboxsf_handle_release(struct + kfree(sf_handle); + } + +-static int vboxsf_file_release(struct inode *inode, struct file *file) ++void vboxsf_release_sf_handle(struct inode *inode, struct vboxsf_handle *sf_handle) + { + struct vboxsf_inode *sf_i = VBOXSF_I(inode); +- struct vboxsf_handle *sf_handle = file->private_data; + ++ mutex_lock(&sf_i->handle_list_mutex); ++ list_del(&sf_handle->head); ++ mutex_unlock(&sf_i->handle_list_mutex); ++ ++ kref_put(&sf_handle->refcount, vboxsf_handle_release); ++} ++ ++static int vboxsf_file_release(struct inode *inode, struct file *file) ++{ + /* + * When a file is closed on our (the guest) side, we want any subsequent + * accesses done on the host side to see all changes done from our side. + */ + filemap_write_and_wait(inode->i_mapping); + +- mutex_lock(&sf_i->handle_list_mutex); +- list_del(&sf_handle->head); +- mutex_unlock(&sf_i->handle_list_mutex); +- +- kref_put(&sf_handle->refcount, vboxsf_handle_release); ++ vboxsf_release_sf_handle(inode, file->private_data); + return 0; + } + +--- a/fs/vboxsf/vfsmod.h ++++ b/fs/vboxsf/vfsmod.h +@@ -18,6 +18,8 @@ + #define VBOXSF_SBI(sb) ((struct vboxsf_sbi *)(sb)->s_fs_info) + #define VBOXSF_I(i) container_of(i, struct vboxsf_inode, vfs_inode) + ++struct vboxsf_handle; ++ + struct vboxsf_options { + unsigned long ttl; + kuid_t uid; +@@ -80,6 +82,11 @@ extern const struct file_operations vbox + extern const struct address_space_operations vboxsf_reg_aops; + extern const struct dentry_operations vboxsf_dentry_ops; + ++/* from file.c */ ++struct vboxsf_handle *vboxsf_create_sf_handle(struct inode *inode, ++ u64 handle, u32 access_flags); ++void vboxsf_release_sf_handle(struct inode *inode, struct vboxsf_handle *sf_handle); ++ + /* from utils.c */ + struct inode *vboxsf_new_inode(struct super_block *sb); + int vboxsf_init_inode(struct vboxsf_sbi *sbi, struct inode *inode, diff --git a/queue-5.13/vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch b/queue-5.13/vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch new file mode 100644 index 00000000000..cc8e9da3f62 --- /dev/null +++ b/queue-5.13/vboxsf-honor-excl-flag-to-the-dir-inode-create-op.patch @@ -0,0 +1,72 @@ +From cc3ddee97cff034cea4d095de4a484c92a219bf5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 21 Jan 2021 10:08:59 +0100 +Subject: vboxsf: Honor excl flag to the dir-inode create op + +From: Hans de Goede + +commit cc3ddee97cff034cea4d095de4a484c92a219bf5 upstream. + +Honor the excl flag to the dir-inode create op, instead of behaving +as if it is always set. + +Note the old behavior still worked most of the time since a non-exclusive +open only calls the create op, if there is a race and the file is created +between the dentry lookup and the calling of the create call. + +While at it change the type of the is_dir parameter to the +vboxsf_dir_create() helper from an int to a bool, to be consistent with +the use of bool for the excl parameter. + +Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + fs/vboxsf/dir.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/vboxsf/dir.c ++++ b/fs/vboxsf/dir.c +@@ -253,7 +253,7 @@ static int vboxsf_dir_instantiate(struct + } + + static int vboxsf_dir_create(struct inode *parent, struct dentry *dentry, +- umode_t mode, int is_dir) ++ umode_t mode, bool is_dir, bool excl) + { + struct vboxsf_inode *sf_parent_i = VBOXSF_I(parent); + struct vboxsf_sbi *sbi = VBOXSF_SBI(parent->i_sb); +@@ -261,10 +261,12 @@ static int vboxsf_dir_create(struct inod + int err; + + params.handle = SHFL_HANDLE_NIL; +- params.create_flags = SHFL_CF_ACT_CREATE_IF_NEW | +- SHFL_CF_ACT_FAIL_IF_EXISTS | +- SHFL_CF_ACCESS_READWRITE | +- (is_dir ? SHFL_CF_DIRECTORY : 0); ++ params.create_flags = SHFL_CF_ACT_CREATE_IF_NEW | SHFL_CF_ACCESS_READWRITE; ++ if (is_dir) ++ params.create_flags |= SHFL_CF_DIRECTORY; ++ if (excl) ++ params.create_flags |= SHFL_CF_ACT_FAIL_IF_EXISTS; ++ + params.info.attr.mode = (mode & 0777) | + (is_dir ? SHFL_TYPE_DIRECTORY : SHFL_TYPE_FILE); + params.info.attr.additional = SHFLFSOBJATTRADD_NOTHING; +@@ -292,14 +294,14 @@ static int vboxsf_dir_mkfile(struct user + struct inode *parent, struct dentry *dentry, + umode_t mode, bool excl) + { +- return vboxsf_dir_create(parent, dentry, mode, 0); ++ return vboxsf_dir_create(parent, dentry, mode, false, excl); + } + + static int vboxsf_dir_mkdir(struct user_namespace *mnt_userns, + struct inode *parent, struct dentry *dentry, + umode_t mode) + { +- return vboxsf_dir_create(parent, dentry, mode, 1); ++ return vboxsf_dir_create(parent, dentry, mode, true, true); + } + + static int vboxsf_dir_unlink(struct inode *parent, struct dentry *dentry) diff --git a/queue-5.13/vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch b/queue-5.13/vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch new file mode 100644 index 00000000000..f79a1937d51 --- /dev/null +++ b/queue-5.13/vboxsf-make-vboxsf_dir_create-return-the-handle-for-the-created-file.patch @@ -0,0 +1,72 @@ +From ab0c29687bc7a890d1a86ac376b0b0fd78b2d9b6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 21 Jan 2021 10:22:27 +0100 +Subject: vboxsf: Make vboxsf_dir_create() return the handle for the created file + +From: Hans de Goede + +commit ab0c29687bc7a890d1a86ac376b0b0fd78b2d9b6 upstream. + +Make vboxsf_dir_create() optionally return the vboxsf-handle for +the created file. This is a preparation patch for adding atomic_open +support. + +Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + fs/vboxsf/dir.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/fs/vboxsf/dir.c ++++ b/fs/vboxsf/dir.c +@@ -253,7 +253,7 @@ static int vboxsf_dir_instantiate(struct + } + + static int vboxsf_dir_create(struct inode *parent, struct dentry *dentry, +- umode_t mode, bool is_dir, bool excl) ++ umode_t mode, bool is_dir, bool excl, u64 *handle_ret) + { + struct vboxsf_inode *sf_parent_i = VBOXSF_I(parent); + struct vboxsf_sbi *sbi = VBOXSF_SBI(parent->i_sb); +@@ -278,30 +278,34 @@ static int vboxsf_dir_create(struct inod + if (params.result != SHFL_FILE_CREATED) + return -EPERM; + +- vboxsf_close(sbi->root, params.handle); +- + err = vboxsf_dir_instantiate(parent, dentry, ¶ms.info); + if (err) +- return err; ++ goto out; + + /* parent directory access/change time changed */ + sf_parent_i->force_restat = 1; + +- return 0; ++out: ++ if (err == 0 && handle_ret) ++ *handle_ret = params.handle; ++ else ++ vboxsf_close(sbi->root, params.handle); ++ ++ return err; + } + + static int vboxsf_dir_mkfile(struct user_namespace *mnt_userns, + struct inode *parent, struct dentry *dentry, + umode_t mode, bool excl) + { +- return vboxsf_dir_create(parent, dentry, mode, false, excl); ++ return vboxsf_dir_create(parent, dentry, mode, false, excl, NULL); + } + + static int vboxsf_dir_mkdir(struct user_namespace *mnt_userns, + struct inode *parent, struct dentry *dentry, + umode_t mode) + { +- return vboxsf_dir_create(parent, dentry, mode, true, true); ++ return vboxsf_dir_create(parent, dentry, mode, true, true, NULL); + } + + static int vboxsf_dir_unlink(struct inode *parent, struct dentry *dentry) -- 2.47.3