From f97502ef1403233912ffbf9b6114fe77c4bb2489 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 09:55:15 +0200 Subject: [PATCH] 5.10-stable patches added patches: misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch mptcp-fix-null-pointer-in-can_accept_new_subflow.patch mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch mptcp-sockopt-fix-getting-ipv6_v6only.patch --- ...ts-remaining-after-request_irq-error.patch | 51 ++++++++ ...ing-irq_type-after-request_irq-error.patch | 54 +++++++++ ...-irq_type-to-convey-the-correct-type.patch | 65 +++++++++++ ...ll-pointer-in-can_accept_new_subflow.patch | 96 +++++++++++++++ ...joinackhmacfailure-for-hmac-failures.patch | 51 ++++++++ ...ptcp-sockopt-fix-getting-ipv6_v6only.patch | 110 ++++++++++++++++++ queue-5.10/series | 6 + 7 files changed, 433 insertions(+) create mode 100644 queue-5.10/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch create mode 100644 queue-5.10/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch create mode 100644 queue-5.10/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch create mode 100644 queue-5.10/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch create mode 100644 queue-5.10/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch create mode 100644 queue-5.10/mptcp-sockopt-fix-getting-ipv6_v6only.patch diff --git a/queue-5.10/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch b/queue-5.10/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch new file mode 100644 index 0000000000..c22acb0037 --- /dev/null +++ b/queue-5.10/misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch @@ -0,0 +1,51 @@ +From f6cb7828c8e17520d4f5afb416515d3fae1af9a9 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 25 Feb 2025 20:02:48 +0900 +Subject: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunihiko Hayashi + +commit f6cb7828c8e17520d4f5afb416515d3fae1af9a9 upstream. + +After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), +the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs +have been released. + +However, some requested IRQs remain unreleased, so there are still +/proc/irq/* entries remaining, and this results in WARN() with the +following message: + + remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0' + WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c + +To solve this issue, set the number of remaining IRQs to test->num_irqs, +and release IRQs in advance by calling pci_endpoint_test_release_irq(). + +Cc: stable@vger.kernel.org +Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/20250225110252.28866-3-hayashi.kunihiko@socionext.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -263,6 +263,9 @@ fail: + break; + } + ++ test->num_irqs = i; ++ pci_endpoint_test_release_irq(test); ++ + return false; + } + diff --git a/queue-5.10/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch b/queue-5.10/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch new file mode 100644 index 0000000000..ea4de67a1f --- /dev/null +++ b/queue-5.10/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch @@ -0,0 +1,54 @@ +From 919d14603dab6a9cf03ebbeb2cfa556df48737c8 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 25 Feb 2025 20:02:49 +0900 +Subject: misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunihiko Hayashi + +commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream. + +There are two variables that indicate the interrupt type to be used +in the next test execution, global "irq_type" and "test->irq_type". + +The former is referenced from pci_endpoint_test_get_irq() to preserve +the current type for ioctl(PCITEST_GET_IRQTYPE). + +In the pci_endpoint_test_request_irq(), since this global variable +is referenced when an error occurs, the unintended error message is +displayed. + +For example, after running "pcitest -i 2", the following message +shows "MSI 3" even if the current IRQ type becomes "MSI-X": + + pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3 + SET IRQ TYPE TO MSI-X: NOT OKAY + +Fix this issue by using "test->irq_type" instead of global "irq_type". + +Cc: stable@vger.kernel.org +Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -246,7 +246,7 @@ static bool pci_endpoint_test_request_ir + return true; + + fail: +- switch (irq_type) { ++ switch (test->irq_type) { + case IRQ_TYPE_LEGACY: + dev_err(dev, "Failed to request IRQ %d for Legacy\n", + pci_irq_vector(pdev, i)); diff --git a/queue-5.10/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch b/queue-5.10/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch new file mode 100644 index 0000000000..9c1bab4b87 --- /dev/null +++ b/queue-5.10/misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch @@ -0,0 +1,65 @@ +From baaef0a274cfb75f9b50eab3ef93205e604f662c Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 25 Feb 2025 20:02:50 +0900 +Subject: misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunihiko Hayashi + +commit baaef0a274cfb75f9b50eab3ef93205e604f662c upstream. + +There are two variables that indicate the interrupt type to be used +in the next test execution, "irq_type" as global and "test->irq_type". + +The global is referenced from pci_endpoint_test_get_irq() to preserve +the current type for ioctl(PCITEST_GET_IRQTYPE). + +The type set in this function isn't reflected in the global "irq_type", +so ioctl(PCITEST_GET_IRQTYPE) returns the previous type. + +As a result, the wrong type is displayed in old version of "pcitest" +as follows: + + - Result of running "pcitest -i 0" + + SET IRQ TYPE TO LEGACY: OKAY + + - Result of running "pcitest -I" + + GET IRQ TYPE: MSI + +Whereas running the new version of "pcitest" in kselftest results in an +error as follows: + + # RUN pci_ep_basic.LEGACY_IRQ_TEST ... + # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Expected 0 (0) == ret (1) + # pci_endpoint_test.c:104:LEGACY_IRQ_TEST:Can't get Legacy IRQ type + +Fix this issue by propagating the current type to the global "irq_type". + +Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype") +Signed-off-by: Kunihiko Hayashi +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Niklas Cassel +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250225110252.28866-5-hayashi.kunihiko@socionext.com +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -718,6 +718,7 @@ static bool pci_endpoint_test_set_irq(st + if (!pci_endpoint_test_request_irq(test)) + goto err; + ++ irq_type = test->irq_type; + return true; + + err: diff --git a/queue-5.10/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch b/queue-5.10/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch new file mode 100644 index 0000000000..0494574b7a --- /dev/null +++ b/queue-5.10/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch @@ -0,0 +1,96 @@ +From 443041deb5ef6a1289a99ed95015ec7442f141dc Mon Sep 17 00:00:00 2001 +From: Gang Yan +Date: Fri, 28 Mar 2025 15:27:16 +0100 +Subject: mptcp: fix NULL pointer in can_accept_new_subflow + +From: Gang Yan + +commit 443041deb5ef6a1289a99ed95015ec7442f141dc upstream. + +When testing valkey benchmark tool with MPTCP, the kernel panics in +'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. + +Call trace: + + mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) + subflow_syn_recv_sock (./net/mptcp/subflow.c:854) + tcp_check_req (./net/ipv4/tcp_minisocks.c:863) + tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) + ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) + ip_local_deliver_finish (./net/ipv4/ip_input.c:234) + ip_local_deliver (./net/ipv4/ip_input.c:254) + ip_rcv_finish (./net/ipv4/ip_input.c:449) + ... + +According to the debug log, the same req received two SYN-ACK in a very +short time, very likely because the client retransmits the syn ack due +to multiple reasons. + +Even if the packets are transmitted with a relevant time interval, they +can be processed by the server on different CPUs concurrently). The +'subflow_req->msk' ownership is transferred to the subflow the first, +and there will be a risk of a null pointer dereference here. + +This patch fixes this issue by moving the 'subflow_req->msk' under the +`own_req == true` conditional. + +Note that the !msk check in subflow_hmac_valid() can be dropped, because +the same check already exists under the own_req mpj branch where the +code has been moved to. + +Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") +Cc: stable@vger.kernel.org +Suggested-by: Paolo Abeni +Signed-off-by: Gang Yan +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-1-34161a482a7f@kernel.org +Signed-off-by: Jakub Kicinski +[ Conflict in subflow.c because commit 74c7dfbee3e1 ("mptcp: consolidate + in_opt sub-options fields in a bitmask") is not in this version. The + conflict is in the context, and the modification can still be applied. + Note that subflow_add_reset_reason() is not needed here, because the + related feature is not supported in this version. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -454,8 +454,6 @@ static bool subflow_hmac_valid(const str + + subflow_req = mptcp_subflow_rsk(req); + msk = subflow_req->msk; +- if (!msk) +- return false; + + subflow_generate_hmac(msk->remote_key, msk->local_key, + subflow_req->remote_nonce, +@@ -578,11 +576,8 @@ static struct sock *subflow_syn_recv_soc + fallback = true; + } else if (subflow_req->mp_join) { + mptcp_get_options(skb, &mp_opt); +- if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) || +- !mptcp_can_accept_new_subflow(subflow_req->msk)) { +- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); ++ if (!mp_opt.mp_join) + fallback = true; +- } + } + + create_child: +@@ -636,6 +631,12 @@ create_child: + if (!owner) + goto dispose_child; + ++ if (!subflow_hmac_valid(req, &mp_opt) || ++ !mptcp_can_accept_new_subflow(subflow_req->msk)) { ++ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); ++ goto dispose_child; ++ } ++ + /* move the msk reference ownership to the subflow */ + subflow_req->msk = NULL; + ctx->conn = (struct sock *)owner; diff --git a/queue-5.10/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch b/queue-5.10/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch new file mode 100644 index 0000000000..54aa63f10b --- /dev/null +++ b/queue-5.10/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch @@ -0,0 +1,51 @@ +From 21c02e8272bc95ba0dd44943665c669029b42760 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 7 Apr 2025 20:26:32 +0200 +Subject: mptcp: only inc MPJoinAckHMacFailure for HMAC failures + +From: Matthieu Baerts (NGI0) + +commit 21c02e8272bc95ba0dd44943665c669029b42760 upstream. + +Recently, during a debugging session using local MPTCP connections, I +noticed MPJoinAckHMacFailure was not zero on the server side. The +counter was in fact incremented when the PM rejected new subflows, +because the 'subflow' limit was reached. + +The fix is easy, simply dissociating the two cases: only the HMAC +validation check should increase MPTCP_MIB_JOINACKMAC counter. + +Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250407-net-mptcp-hmac-failure-mib-v1-1-3c9ecd0a3a50@kernel.org +Signed-off-by: Jakub Kicinski +[ No conflicts, but subflow_add_reset_reason() is not needed is this + version: the related feature is not supported in this version. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -631,12 +631,14 @@ create_child: + if (!owner) + goto dispose_child; + +- if (!subflow_hmac_valid(req, &mp_opt) || +- !mptcp_can_accept_new_subflow(subflow_req->msk)) { ++ if (!subflow_hmac_valid(req, &mp_opt)) { + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); + goto dispose_child; + } + ++ if (!mptcp_can_accept_new_subflow(owner)) ++ goto dispose_child; ++ + /* move the msk reference ownership to the subflow */ + subflow_req->msk = NULL; + ctx->conn = (struct sock *)owner; diff --git a/queue-5.10/mptcp-sockopt-fix-getting-ipv6_v6only.patch b/queue-5.10/mptcp-sockopt-fix-getting-ipv6_v6only.patch new file mode 100644 index 0000000000..24b8cde49d --- /dev/null +++ b/queue-5.10/mptcp-sockopt-fix-getting-ipv6_v6only.patch @@ -0,0 +1,110 @@ +From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Fri, 14 Mar 2025 21:11:32 +0100 +Subject: mptcp: sockopt: fix getting IPV6_V6ONLY + +From: Matthieu Baerts (NGI0) + +commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream. + +When adding a socket option support in MPTCP, both the get and set parts +are supposed to be implemented. + +IPV6_V6ONLY support for the setsockopt part has been added a while ago, +but it looks like the get part got forgotten. It should have been +present as a way to verify a setting has been set as expected, and not +to act differently from TCP or any other socket types. + +Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want +to check the default value, before doing extra actions. On Linux, the +default value is 0, but this can be changed with the net.ipv6.bindv6only +sysctl knob. On Windows, it is set to 1 by default. So supporting the +get part, like for all other socket options, is important. + +Everything was in place to expose it, just the last step was missing. +Only new code is added to cover this specific getsockopt(), that seems +safe. + +Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550 +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org +Signed-off-by: Paolo Abeni +[ Conflicts in sockopt.c in the context, because commit 0abdde82b163 + ("mptcp: move sockopt function into a new file") is not in this + release. The modifications can still be done in protocol.c without + difficulties. A particularity is that the mptcp_put_int_option() + helper is required, and imported from newer versions without taking + the extra features introduced with them in commit 2c9e77659a0c + ("mptcp: add TCP_INQ cmsg support") and commit 3b1e21eb60e8 ("mptcp: + getsockopt: add support for IP_TOS"). ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2395,6 +2395,49 @@ static int mptcp_setsockopt(struct sock + return -EOPNOTSUPP; + } + ++static int mptcp_put_int_option(struct mptcp_sock *msk, char __user *optval, ++ int __user *optlen, int val) ++{ ++ int len; ++ ++ if (get_user(len, optlen)) ++ return -EFAULT; ++ if (len < 0) ++ return -EINVAL; ++ ++ if (len < sizeof(int) && len > 0 && val >= 0 && val <= 255) { ++ unsigned char ucval = (unsigned char)val; ++ ++ len = 1; ++ if (put_user(len, optlen)) ++ return -EFAULT; ++ if (copy_to_user(optval, &ucval, 1)) ++ return -EFAULT; ++ } else { ++ len = min_t(unsigned int, len, sizeof(int)); ++ if (put_user(len, optlen)) ++ return -EFAULT; ++ if (copy_to_user(optval, &val, len)) ++ return -EFAULT; ++ } ++ ++ return 0; ++} ++ ++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname, ++ char __user *optval, int __user *optlen) ++{ ++ struct sock *sk = (void *)msk; ++ ++ switch (optname) { ++ case IPV6_V6ONLY: ++ return mptcp_put_int_option(msk, optval, optlen, ++ sk->sk_ipv6only); ++ } ++ ++ return -EOPNOTSUPP; ++} ++ + static int mptcp_getsockopt(struct sock *sk, int level, int optname, + char __user *optval, int __user *option) + { +@@ -2415,6 +2458,8 @@ static int mptcp_getsockopt(struct sock + if (ssk) + return tcp_getsockopt(ssk, level, optname, optval, option); + ++ if (level == SOL_IPV6) ++ return mptcp_getsockopt_v6(msk, optname, optval, option); + return -EOPNOTSUPP; + } + diff --git a/queue-5.10/series b/queue-5.10/series index 59a11d9513..033df57628 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -142,3 +142,9 @@ drm-sti-remove-duplicate-object-names.patch cpufreq-reference-count-policy-in-cpufreq_update_limits.patch kbuild-add-fno-builtin-wcslen.patch tcp-dccp-don-t-use-timer_pending-in-reqsk_queue_unlink.patch +mptcp-fix-null-pointer-in-can_accept_new_subflow.patch +mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch +mptcp-sockopt-fix-getting-ipv6_v6only.patch +misc-pci_endpoint_test-avoid-issue-of-interrupts-remaining-after-request_irq-error.patch +misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch +misc-pci_endpoint_test-fix-irq_type-to-convey-the-correct-type.patch -- 2.47.3