From 0a1117a938986ef62d0819b67fddbbc3f8082f52 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 31 Jul 2022 20:44:30 -0400 Subject: [PATCH] Fixes for 5.18 Signed-off-by: Sasha Levin --- ...-9216-1-fix-max_dma_address-overflow.patch | 52 +++++++++++++++++++ queue-5.18/series | 2 + ...es-around-sysctl_tcp_workaround_sign.patch | 45 ++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 queue-5.18/arm-9216-1-fix-max_dma_address-overflow.patch create mode 100644 queue-5.18/tcp-fix-data-races-around-sysctl_tcp_workaround_sign.patch diff --git a/queue-5.18/arm-9216-1-fix-max_dma_address-overflow.patch b/queue-5.18/arm-9216-1-fix-max_dma_address-overflow.patch new file mode 100644 index 00000000000..8c72346c157 --- /dev/null +++ b/queue-5.18/arm-9216-1-fix-max_dma_address-overflow.patch @@ -0,0 +1,52 @@ +From b0a3462f7c73927b8c36cf8e08649f57eb36c4dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 17:33:21 +0100 +Subject: ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow + +From: Florian Fainelli + +[ Upstream commit fb0fd3469ead5b937293c213daa1f589b4b7ce46 ] + +Commit 26f09e9b3a06 ("mm/memblock: add memblock memory allocation apis") +added a check to determine whether arm_dma_zone_size is exceeding the +amount of kernel virtual address space available between the upper 4GB +virtual address limit and PAGE_OFFSET in order to provide a suitable +definition of MAX_DMA_ADDRESS that should fit within the 32-bit virtual +address space. The quantity used for comparison was off by a missing +trailing 0, leading to MAX_DMA_ADDRESS to be overflowing a 32-bit +quantity. + +This was caught thanks to CONFIG_DEBUG_VIRTUAL on the bcm2711 platform +where we define a dma_zone_size of 1GB and we have a PAGE_OFFSET value +of 0xc000_0000 (CONFIG_VMSPLIT_3G) leading to MAX_DMA_ADDRESS being +0x1_0000_0000 which overflows the unsigned long type used throughout +__pa() and then __virt_addr_valid(). Because the virtual address passed +to __virt_addr_valid() would now be 0, the function would loudly warn +and flood the kernel log, thus making the platform unable to boot +properly. + +Fixes: 26f09e9b3a06 ("mm/memblock: add memblock memory allocation apis") +Signed-off-by: Florian Fainelli +Reviewed-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/dma.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/include/asm/dma.h b/arch/arm/include/asm/dma.h +index a81dda65c576..45180a2cc47c 100644 +--- a/arch/arm/include/asm/dma.h ++++ b/arch/arm/include/asm/dma.h +@@ -10,7 +10,7 @@ + #else + #define MAX_DMA_ADDRESS ({ \ + extern phys_addr_t arm_dma_zone_size; \ +- arm_dma_zone_size && arm_dma_zone_size < (0x10000000 - PAGE_OFFSET) ? \ ++ arm_dma_zone_size && arm_dma_zone_size < (0x100000000ULL - PAGE_OFFSET) ? \ + (PAGE_OFFSET + arm_dma_zone_size) : 0xffffffffUL; }) + #endif + +-- +2.35.1 + diff --git a/queue-5.18/series b/queue-5.18/series index 62ed97294cb..184070915b8 100644 --- a/queue-5.18/series +++ b/queue-5.18/series @@ -78,3 +78,5 @@ net-funeth-fix-fun_xdp_tx-and-xdp-packet-reclaim.patch stmmac-dwmac-mediatek-fix-resource-leak-in-probe.patch mm-hmm-fault-non-owner-device-private-entries.patch page_alloc-fix-invalid-watermark-check-on-a-negative-value.patch +tcp-fix-data-races-around-sysctl_tcp_workaround_sign.patch +arm-9216-1-fix-max_dma_address-overflow.patch diff --git a/queue-5.18/tcp-fix-data-races-around-sysctl_tcp_workaround_sign.patch b/queue-5.18/tcp-fix-data-races-around-sysctl_tcp_workaround_sign.patch new file mode 100644 index 00000000000..72a8b223077 --- /dev/null +++ b/queue-5.18/tcp-fix-data-races-around-sysctl_tcp_workaround_sign.patch @@ -0,0 +1,45 @@ +From 0dc2368eb13ec7fb35968c417518ef685d689711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 09:50:19 -0700 +Subject: tcp: Fix data-races around sysctl_tcp_workaround_signed_windows. + +From: Kuniyuki Iwashima + +[ Upstream commit 0f1e4d06591d0a7907c71f7b6d1c79f8a4de8098 ] + +While reading sysctl_tcp_workaround_signed_windows, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its readers. + +Fixes: 15d99e02baba ("[TCP]: sysctl to allow TCP window > 32767 sans wscale") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 66836b8bd46f..a7f0a1f0c2a3 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -227,7 +227,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, + * which we interpret as a sign the remote TCP is not + * misinterpreting the window field as a signed quantity. + */ +- if (sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows) ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows)) + (*rcv_wnd) = min(space, MAX_TCP_WINDOW); + else + (*rcv_wnd) = min_t(u32, space, U16_MAX); +@@ -282,7 +282,7 @@ static u16 tcp_select_window(struct sock *sk) + * scaled window. + */ + if (!tp->rx_opt.rcv_wscale && +- sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows) ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows)) + new_win = min(new_win, MAX_TCP_WINDOW); + else + new_win = min(new_win, (65535U << tp->rx_opt.rcv_wscale)); +-- +2.35.1 + -- 2.47.3