From 376419606c9483bcb901fde451890d0874d312ba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 30 Jul 2022 17:34:43 +0200 Subject: [PATCH] 5.15-stable patches added patches: ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch ice-do-not-setup-vlan-for-loopback-vsi.patch ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch net-ping6-fix-memleak-in-ipv6_renew_options.patch net-tls-remove-the-context-from-the-list-in-tls_device_down.patch octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch revert-tcp-change-pingpong-threshold-to-3.patch scsi-core-fix-warning-in-scsi_alloc_sgtables.patch scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch --- ...-on-rx-descriptor-rather-than-eop-rs.patch | 41 +++++++ ...e-do-not-setup-vlan-for-loopback-vsi.patch | 39 +++++++ ...fix-a-null-ptr-deref-bug-for-ip6_ptr.patch | 97 ++++++++++++++++ ...g6-fix-memleak-in-ipv6_renew_options.patch | 105 ++++++++++++++++++ ...ext-from-the-list-in-tls_device_down.patch | 46 ++++++++ ...-udp-tcp-src-and-dst-port-tc-filters.patch | 65 +++++++++++ ...t-tcp-change-pingpong-threshold-to-3.patch | 84 ++++++++++++++ ...e-fix-warning-in-scsi_alloc_sgtables.patch | 101 +++++++++++++++++ ...dog-work-item-during-system-shutdown.patch | 40 +++++++ ...ference-returned-by-of_parse_phandle.patch | 56 ++++++++++ queue-5.15/series | 13 +++ ...round-sysctl_tcp_challenge_ack_limit.patch | 31 ++++++ ...around-sysctl_tcp_limit_output_bytes.patch | 31 ++++++ ...es-around-sysctl_tcp_moderate_rcvbuf.patch | 43 +++++++ 14 files changed, 792 insertions(+) create mode 100644 queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch create mode 100644 queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch create mode 100644 queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch create mode 100644 queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch create mode 100644 queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch create mode 100644 queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch create mode 100644 queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch create mode 100644 queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch create mode 100644 queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch create mode 100644 queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch create mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch create mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch create mode 100644 queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch diff --git a/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch b/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch new file mode 100644 index 00000000000..914f4b64ee9 --- /dev/null +++ b/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch @@ -0,0 +1,41 @@ +From 283d736ff7c7e96ac5b32c6c0de40372f8eb171e Mon Sep 17 00:00:00 2001 +From: Maciej Fijalkowski +Date: Thu, 7 Jul 2022 12:20:42 +0200 +Subject: ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) + +From: Maciej Fijalkowski + +commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e upstream. + +Tx side sets EOP and RS bits on descriptors to indicate that a +particular descriptor is the last one and needs to generate an irq when +it was sent. These bits should not be checked on completion path +regardless whether it's the Tx or the Rx. DD bit serves this purpose and +it indicates that a particular descriptor is either for Rx or was +successfully Txed. EOF is also set as loopback test does not xmit +fragmented frames. + +Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead +of EOP and RS pair. + +Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") +Signed-off-by: Maciej Fijalkowski +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -651,7 +651,8 @@ static int ice_lbtest_receive_frames(str + rx_desc = ICE_RX_DESC(rx_ring, i); + + if (!(rx_desc->wb.status_error0 & +- cpu_to_le16(ICE_TX_DESC_CMD_EOP | ICE_TX_DESC_CMD_RS))) ++ (cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_DD_S)) | ++ cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_EOF_S))))) + continue; + + rx_buf = &rx_ring->rx_buf[i]; diff --git a/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch b/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch new file mode 100644 index 00000000000..6fef000eda8 --- /dev/null +++ b/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch @@ -0,0 +1,39 @@ +From cc019545a238518fa9da1e2a889f6e1bb1005a63 Mon Sep 17 00:00:00 2001 +From: Maciej Fijalkowski +Date: Thu, 7 Jul 2022 12:20:43 +0200 +Subject: ice: do not setup vlan for loopback VSI + +From: Maciej Fijalkowski + +commit cc019545a238518fa9da1e2a889f6e1bb1005a63 upstream. + +Currently loopback test is failiing due to the error returned from +ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI. + +Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") +Signed-off-by: Maciej Fijalkowski +Tested-by: George Kuruvinakunnel +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5481,10 +5481,12 @@ int ice_vsi_cfg(struct ice_vsi *vsi) + if (vsi->netdev) { + ice_set_rx_mode(vsi->netdev); + +- err = ice_vsi_vlan_setup(vsi); ++ if (vsi->type != ICE_VSI_LB) { ++ err = ice_vsi_vlan_setup(vsi); + +- if (err) +- return err; ++ if (err) ++ return err; ++ } + } + ice_vsi_cfg_dcb_rings(vsi); + diff --git a/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch b/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch new file mode 100644 index 00000000000..72932cdb4be --- /dev/null +++ b/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch @@ -0,0 +1,97 @@ +From 85f0173df35e5462d89947135a6a5599c6c3ef6f Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Thu, 28 Jul 2022 09:33:07 +0800 +Subject: ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr + +From: Ziyang Xuan + +commit 85f0173df35e5462d89947135a6a5599c6c3ef6f upstream. + +Change net device's MTU to smaller than IPV6_MIN_MTU or unregister +device while matching route. That may trigger null-ptr-deref bug +for ip6_ptr probability as following. + +========================================================= +BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134 +Read of size 4 at addr 0000000000000308 by task ping6/263 + +CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14 +Call trace: + dump_backtrace+0x1a8/0x230 + show_stack+0x20/0x70 + dump_stack_lvl+0x68/0x84 + print_report+0xc4/0x120 + kasan_report+0x84/0x120 + __asan_load4+0x94/0xd0 + find_match.part.0+0x70/0x134 + __find_rr_leaf+0x408/0x470 + fib6_table_lookup+0x264/0x540 + ip6_pol_route+0xf4/0x260 + ip6_pol_route_output+0x58/0x70 + fib6_rule_lookup+0x1a8/0x330 + ip6_route_output_flags_noref+0xd8/0x1a0 + ip6_route_output_flags+0x58/0x160 + ip6_dst_lookup_tail+0x5b4/0x85c + ip6_dst_lookup_flow+0x98/0x120 + rawv6_sendmsg+0x49c/0xc70 + inet_sendmsg+0x68/0x94 + +Reproducer as following: +Firstly, prepare conditions: +$ip netns add ns1 +$ip netns add ns2 +$ip link add veth1 type veth peer name veth2 +$ip link set veth1 netns ns1 +$ip link set veth2 netns ns2 +$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1 +$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2 +$ip netns exec ns1 ifconfig veth1 up +$ip netns exec ns2 ifconfig veth2 up +$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1 +$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1 + +Secondly, execute the following two commands in two ssh windows +respectively: +$ip netns exec ns1 sh +$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done + +$ip netns exec ns1 sh +$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done + +It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly, +then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check. + + cpu0 cpu1 +fib6_table_lookup +__find_rr_leaf + addrconf_notify [ NETDEV_CHANGEMTU ] + addrconf_ifdown + RCU_INIT_POINTER(dev->ip6_ptr, NULL) +find_match +ip6_ignore_linkdown + +So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to +fix the null-ptr-deref bug. + +Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev") +Signed-off-by: Ziyang Xuan +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -403,6 +403,9 @@ static inline bool ip6_ignore_linkdown(c + { + const struct inet6_dev *idev = __in6_dev_get(dev); + ++ if (unlikely(!idev)) ++ return true; ++ + return !!idev->cnf.ignore_routes_with_linkdown; + } + diff --git a/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch b/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch new file mode 100644 index 00000000000..abeeddd8f2b --- /dev/null +++ b/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch @@ -0,0 +1,105 @@ +From e27326009a3d247b831eda38878c777f6f4eb3d1 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 27 Jul 2022 18:22:20 -0700 +Subject: net: ping6: Fix memleak in ipv6_renew_options(). + +From: Kuniyuki Iwashima + +commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream. + +When we close ping6 sockets, some resources are left unfreed because +pingv6_prot is missing sk->sk_prot->destroy(). As reported by +syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. + + struct ipv6_sr_hdr *hdr; + char data[24] = {0}; + int fd; + + hdr = (struct ipv6_sr_hdr *)data; + hdr->hdrlen = 2; + hdr->type = IPV6_SRCRT_TYPE_4; + + fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); + setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); + close(fd); + +To fix memory leaks, let's add a destroy function. + +Note the socket() syscall checks if the GID is within the range of +net.ipv4.ping_group_range. The default value is [1, 0] so that no +GID meets the condition (1 <= GID <= 0). Thus, the local DoS does +not succeed until we change the default value. However, at least +Ubuntu/Fedora/RHEL loosen it. + + $ cat /usr/lib/sysctl.d/50-default.conf + ... + -net.ipv4.ping_group_range = 0 2147483647 + +Also, there could be another path reported with these options, and +some of them require CAP_NET_RAW. + + setsockopt + IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) + IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) + IPV6_HOPOPTS (inet6_sk(sk)->opt) + IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) + IPV6_RTHDR (inet6_sk(sk)->opt) + IPV6_DSTOPTS (inet6_sk(sk)->opt) + IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) + + getsockopt + IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) + +For the record, I left a different splat with syzbot's one. + + unreferenced object 0xffff888006270c60 (size 96): + comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) + hex dump (first 32 bytes): + 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554) + [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715) + [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) + [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) + [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262) + [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176 + +Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") +Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com +Reported-by: Ayushman Dutta +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ping.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv6/ping.c ++++ b/net/ipv6/ping.c +@@ -22,6 +22,11 @@ + #include + #include + ++static void ping_v6_destroy(struct sock *sk) ++{ ++ inet6_destroy_sock(sk); ++} ++ + /* Compatibility glue so we can support IPv6 when it's compiled as a module */ + static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, + int *addr_len) +@@ -166,6 +171,7 @@ struct proto pingv6_prot = { + .owner = THIS_MODULE, + .init = ping_init_sock, + .close = ping_close, ++ .destroy = ping_v6_destroy, + .connect = ip6_datagram_connect_v6_only, + .disconnect = __udp_disconnect, + .setsockopt = ipv6_setsockopt, diff --git a/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch b/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch new file mode 100644 index 00000000000..6a614993093 --- /dev/null +++ b/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_device_down.patch @@ -0,0 +1,46 @@ +From f6336724a4d4220c89a4ec38bca84b03b178b1a3 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Thu, 21 Jul 2022 12:11:27 +0300 +Subject: net/tls: Remove the context from the list in tls_device_down + +From: Maxim Mikityanskiy + +commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 upstream. + +tls_device_down takes a reference on all contexts it's going to move to +the degraded state (software fallback). If sk_destruct runs afterwards, +it can reduce the reference counter back to 1 and return early without +destroying the context. Then tls_device_down will release the reference +it took and call tls_device_free_ctx. However, the context will still +stay in tls_device_down_list forever. The list will contain an item, +memory for which is released, making a memory corruption possible. + +Fix the above bug by properly removing the context from all lists before +any call to tls_device_free_ctx. + +Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -1351,8 +1351,13 @@ static int tls_device_down(struct net_de + * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW. + * Now release the ref taken above. + */ +- if (refcount_dec_and_test(&ctx->refcount)) ++ if (refcount_dec_and_test(&ctx->refcount)) { ++ /* sk_destruct ran after tls_device_down took a ref, and ++ * it returned early. Complete the destruction here. ++ */ ++ list_del(&ctx->list); + tls_device_free_ctx(ctx); ++ } + } + + up_write(&device_offload_lock); diff --git a/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch b/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch new file mode 100644 index 00000000000..19b9a82d546 --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch @@ -0,0 +1,65 @@ +From 59e1be6f83b928a04189bbf3ab683a1fc6248db3 Mon Sep 17 00:00:00 2001 +From: Subbaraya Sundeep +Date: Sun, 24 Jul 2022 13:51:14 +0530 +Subject: octeontx2-pf: Fix UDP/TCP src and dst port tc filters + +From: Subbaraya Sundeep + +commit 59e1be6f83b928a04189bbf3ab683a1fc6248db3 upstream. + +Check the mask for non-zero value before installing tc filters +for L4 source and destination ports. Otherwise installing a +filter for source port installs destination port too and +vice-versa. + +Fixes: 1d4d9e42c240 ("octeontx2-pf: Add tc flower hardware offload on ingress traffic") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 30 +++++++++++-------- + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c +@@ -571,21 +571,27 @@ static int otx2_tc_prepare_flow(struct o + + flow_spec->dport = match.key->dst; + flow_mask->dport = match.mask->dst; +- if (ip_proto == IPPROTO_UDP) +- req->features |= BIT_ULL(NPC_DPORT_UDP); +- else if (ip_proto == IPPROTO_TCP) +- req->features |= BIT_ULL(NPC_DPORT_TCP); +- else if (ip_proto == IPPROTO_SCTP) +- req->features |= BIT_ULL(NPC_DPORT_SCTP); ++ ++ if (flow_mask->dport) { ++ if (ip_proto == IPPROTO_UDP) ++ req->features |= BIT_ULL(NPC_DPORT_UDP); ++ else if (ip_proto == IPPROTO_TCP) ++ req->features |= BIT_ULL(NPC_DPORT_TCP); ++ else if (ip_proto == IPPROTO_SCTP) ++ req->features |= BIT_ULL(NPC_DPORT_SCTP); ++ } + + flow_spec->sport = match.key->src; + flow_mask->sport = match.mask->src; +- if (ip_proto == IPPROTO_UDP) +- req->features |= BIT_ULL(NPC_SPORT_UDP); +- else if (ip_proto == IPPROTO_TCP) +- req->features |= BIT_ULL(NPC_SPORT_TCP); +- else if (ip_proto == IPPROTO_SCTP) +- req->features |= BIT_ULL(NPC_SPORT_SCTP); ++ ++ if (flow_mask->sport) { ++ if (ip_proto == IPPROTO_UDP) ++ req->features |= BIT_ULL(NPC_SPORT_UDP); ++ else if (ip_proto == IPPROTO_TCP) ++ req->features |= BIT_ULL(NPC_SPORT_TCP); ++ else if (ip_proto == IPPROTO_SCTP) ++ req->features |= BIT_ULL(NPC_SPORT_SCTP); ++ } + } + + return otx2_tc_parse_actions(nic, &rule->action, req, f, node); diff --git a/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch b/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch new file mode 100644 index 00000000000..b178678a00a --- /dev/null +++ b/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch @@ -0,0 +1,84 @@ +From 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 Mon Sep 17 00:00:00 2001 +From: Wei Wang +Date: Thu, 21 Jul 2022 20:44:04 +0000 +Subject: Revert "tcp: change pingpong threshold to 3" + +From: Wei Wang + +commit 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 upstream. + +This reverts commit 4a41f453bedfd5e9cd040bad509d9da49feb3e2c. + +This to-be-reverted commit was meant to apply a stricter rule for the +stack to enter pingpong mode. However, the condition used to check for +interactive session "before(tp->lsndtime, icsk->icsk_ack.lrcvtime)" is +jiffy based and might be too coarse, which delays the stack entering +pingpong mode. +We revert this patch so that we no longer use the above condition to +determine interactive session, and also reduce pingpong threshold to 1. + +Fixes: 4a41f453bedf ("tcp: change pingpong threshold to 3") +Reported-by: LemmyHuang +Suggested-by: Neal Cardwell +Signed-off-by: Wei Wang +Acked-by: Neal Cardwell +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220721204404.388396-1-weiwan@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_connection_sock.h | 10 +--------- + net/ipv4/tcp_output.c | 15 ++++++--------- + 2 files changed, 7 insertions(+), 18 deletions(-) + +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -315,7 +315,7 @@ void inet_csk_update_fastreuse(struct in + + struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); + +-#define TCP_PINGPONG_THRESH 3 ++#define TCP_PINGPONG_THRESH 1 + + static inline void inet_csk_enter_pingpong_mode(struct sock *sk) + { +@@ -332,14 +332,6 @@ static inline bool inet_csk_in_pingpong_ + return inet_csk(sk)->icsk_ack.pingpong >= TCP_PINGPONG_THRESH; + } + +-static inline void inet_csk_inc_pingpong_cnt(struct sock *sk) +-{ +- struct inet_connection_sock *icsk = inet_csk(sk); +- +- if (icsk->icsk_ack.pingpong < U8_MAX) +- icsk->icsk_ack.pingpong++; +-} +- + static inline bool inet_csk_has_ulp(struct sock *sk) + { + return inet_sk(sk)->is_icsk && !!inet_csk(sk)->icsk_ulp_ops; +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -167,16 +167,13 @@ static void tcp_event_data_sent(struct t + if (tcp_packets_in_flight(tp) == 0) + tcp_ca_event(sk, CA_EVENT_TX_START); + +- /* If this is the first data packet sent in response to the +- * previous received data, +- * and it is a reply for ato after last received packet, +- * increase pingpong count. +- */ +- if (before(tp->lsndtime, icsk->icsk_ack.lrcvtime) && +- (u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato) +- inet_csk_inc_pingpong_cnt(sk); +- + tp->lsndtime = now; ++ ++ /* If it is a reply for ato after last received ++ * packet, enter pingpong mode. ++ */ ++ if ((u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato) ++ inet_csk_enter_pingpong_mode(sk); + } + + /* Account for an ACK we sent. */ diff --git a/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch b/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch new file mode 100644 index 00000000000..146f711b374 --- /dev/null +++ b/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch @@ -0,0 +1,101 @@ +From d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 Mon Sep 17 00:00:00 2001 +From: Jason Yan +Date: Wed, 20 Jul 2022 10:51:20 +0800 +Subject: scsi: core: Fix warning in scsi_alloc_sgtables() + +From: Jason Yan + +commit d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 upstream. + +As explained in SG_IO howto[1]: + +"If iovec_count is non-zero then 'dxfer_len' should be equal to the sum of +iov_len lengths. If not, the minimum of the two is the transfer length." + +When iovec_count is non-zero and dxfer_len is zero, the sg_io() just +genarated a null bio, and finally caused a warning below. To fix it, skip +generating a bio for this request if dxfer_len is zero. + +[1] https://tldp.org/HOWTO/SCSI-Generic-HOWTO/x198.html + +WARNING: CPU: 2 PID: 3643 at drivers/scsi/scsi_lib.c:1032 scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 +Modules linked in: + +CPU: 2 PID: 3643 Comm: syz-executor397 Not tainted +5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-204/01/2014 +RIP: 0010:scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 +Code: e7 fc 31 ff 44 89 f6 e8 c1 4e e7 fc 45 85 f6 0f 84 1a f5 ff ff e8 +93 4c e7 fc 83 c5 01 0f b7 ed e9 0f f5 ff ff e8 83 4c e7 fc <0f> 0b 41 + bc 0a 00 00 00 e9 2b fb ff ff 41 bc 09 00 00 00 e9 20 fb +RSP: 0018:ffffc90000d07558 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88801bfc96a0 RCX: 0000000000000000 +RDX: ffff88801c876000 RSI: ffffffff849060bd RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffffff849055b9 R11: 0000000000000000 R12: ffff888012b8c000 +R13: ffff88801bfc9580 R14: 0000000000000000 R15: ffff88801432c000 +FS: 00007effdec8e700(0000) GS:ffff88802cc00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007effdec6d718 CR3: 00000000206d6000 CR4: 0000000000150ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1219 [inline] + scsi_prepare_cmd drivers/scsi/scsi_lib.c:1614 [inline] + scsi_queue_rq+0x283e/0x3630 drivers/scsi/scsi_lib.c:1730 + blk_mq_dispatch_rq_list+0x6ea/0x22e0 block/blk-mq.c:1851 + __blk_mq_sched_dispatch_requests+0x20b/0x410 block/blk-mq-sched.c:299 + blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:332 + __blk_mq_run_hw_queue+0xf9/0x350 block/blk-mq.c:1968 + __blk_mq_delay_run_hw_queue+0x5b6/0x6c0 block/blk-mq.c:2045 + blk_mq_run_hw_queue+0x30f/0x480 block/blk-mq.c:2096 + blk_mq_sched_insert_request+0x340/0x440 block/blk-mq-sched.c:451 + blk_execute_rq+0xcc/0x340 block/blk-mq.c:1231 + sg_io+0x67c/0x1210 drivers/scsi/scsi_ioctl.c:485 + scsi_ioctl_sg_io drivers/scsi/scsi_ioctl.c:866 [inline] + scsi_ioctl+0xa66/0x1560 drivers/scsi/scsi_ioctl.c:921 + sd_ioctl+0x199/0x2a0 drivers/scsi/sd.c:1576 + blkdev_ioctl+0x37a/0x800 block/ioctl.c:588 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:874 [inline] + __se_sys_ioctl fs/ioctl.c:860 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7effdecdc5d9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007effdec8e2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007effded664c0 RCX: 00007effdecdc5d9 +RDX: 0000000020002300 RSI: 0000000000002285 RDI: 0000000000000004 +RBP: 00007effded34034 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 +R13: 00007effded34054 R14: 2f30656c69662f2e R15: 00007effded664c8 + +Link: https://lore.kernel.org/r/20220720025120.3226770-1-yanaijie@huawei.com +Fixes: 25636e282fe9 ("block: fix SG_IO vector request data length handling") +Reported-by: syzbot+d44b35ecfb807e5af0b5@syzkaller.appspotmail.com +Reviewed-by: Christoph Hellwig +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_ioctl.c ++++ b/drivers/scsi/scsi_ioctl.c +@@ -457,7 +457,7 @@ static int sg_io(struct scsi_device *sde + goto out_free_cdb; + + ret = 0; +- if (hdr->iovec_count) { ++ if (hdr->iovec_count && hdr->dxfer_len) { + struct iov_iter i; + struct iovec *iov = NULL; + diff --git a/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch b/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch new file mode 100644 index 00000000000..dc70675bc8b --- /dev/null +++ b/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch @@ -0,0 +1,40 @@ +From 0fde22c5420ed258ee538a760291c2f3935f6a01 Mon Sep 17 00:00:00 2001 +From: David Jeffery +Date: Fri, 22 Jul 2022 10:24:48 -0400 +Subject: scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown + +From: David Jeffery + +commit 0fde22c5420ed258ee538a760291c2f3935f6a01 upstream. + +During system shutdown or reboot, mpt3sas will reset the firmware back to +ready state. However, the driver leaves running a watchdog work item +intended to keep the firmware in operational state. This causes a second, +unneeded reset on shutdown and moves the firmware back to operational +instead of in ready state as intended. And if the mpt3sas_fwfault_debug +module parameter is set, this extra reset also panics the system. + +mpt3sas's scsih_shutdown needs to stop the watchdog before resetting the +firmware back to ready state. + +Link: https://lore.kernel.org/r/20220722142448.6289-1-djeffery@redhat.com +Fixes: fae21608c31c ("scsi: mpt3sas: Transition IOC to Ready state during shutdown") +Tested-by: Laurence Oberman +Acked-by: Sreekanth Reddy +Signed-off-by: David Jeffery +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -11386,6 +11386,7 @@ scsih_shutdown(struct pci_dev *pdev) + _scsih_ir_shutdown(ioc); + _scsih_nvme_shutdown(ioc); + mpt3sas_base_mask_interrupts(ioc); ++ mpt3sas_base_stop_watchdog(ioc); + ioc->shost_recovery = 1; + mpt3sas_base_make_ioc_ready(ioc, SOFT_RESET); + ioc->shost_recovery = 0; diff --git a/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch b/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch new file mode 100644 index 00000000000..80eb01fe64b --- /dev/null +++ b/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch @@ -0,0 +1,56 @@ +From a3435afba87dc6cd83f5595e7607f3c40f93ef01 Mon Sep 17 00:00:00 2001 +From: Liang He +Date: Tue, 19 Jul 2022 15:15:29 +0800 +Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle() + +From: Liang He + +commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream. + +In ufshcd_populate_vreg(), we should hold the reference returned by +of_parse_phandle() and then use it to call of_node_put() for refcount +balance. + +Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com +Fixes: aa4976130934 ("ufs: Add regulator enable support") +Reviewed-by: Bart Van Assche +Signed-off-by: Liang He +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c +@@ -107,9 +107,20 @@ out: + return ret; + } + ++static bool phandle_exists(const struct device_node *np, ++ const char *phandle_name, int index) ++{ ++ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index); ++ ++ if (parse_np) ++ of_node_put(parse_np); ++ ++ return parse_np != NULL; ++} ++ + #define MAX_PROP_SIZE 32 + static int ufshcd_populate_vreg(struct device *dev, const char *name, +- struct ufs_vreg **out_vreg) ++ struct ufs_vreg **out_vreg) + { + char prop_name[MAX_PROP_SIZE]; + struct ufs_vreg *vreg = NULL; +@@ -121,7 +132,7 @@ static int ufshcd_populate_vreg(struct d + } + + snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); +- if (!of_parse_phandle(np, prop_name, 0)) { ++ if (!phandle_exists(np, prop_name, 0)) { + dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", + __func__, prop_name); + goto out; diff --git a/queue-5.15/series b/queue-5.15/series index e4fd7e1eb9c..879cde6f8bc 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -17,3 +17,16 @@ tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch tcp-fix-a-data-race-around-sysctl_tcp_frto.patch tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_metrics_save.patch +ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch +ice-do-not-setup-vlan-for-loopback-vsi.patch +scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch +revert-tcp-change-pingpong-threshold-to-3.patch +octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch +tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch +tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch +tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch +scsi-core-fix-warning-in-scsi_alloc_sgtables.patch +scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch +net-ping6-fix-memleak-in-ipv6_renew_options.patch +ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch +net-tls-remove-the-context-from-the-list-in-tls_device_down.patch diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch new file mode 100644 index 00000000000..d66f708f6ae --- /dev/null +++ b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch @@ -0,0 +1,31 @@ +From db3815a2fa691da145cfbe834584f31ad75df9ff Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 20 Jul 2022 09:50:21 -0700 +Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. + +From: Kuniyuki Iwashima + +commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream. + +While reading sysctl_tcp_challenge_ack_limit, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3622,7 +3622,7 @@ static void tcp_send_challenge_ack(struc + /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; + if (now != challenge_timestamp) { +- u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit; ++ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); + u32 half = (ack_limit + 1) >> 1; + + challenge_timestamp = now; diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch new file mode 100644 index 00000000000..2f9a849db9e --- /dev/null +++ b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch @@ -0,0 +1,31 @@ +From 9fb90193fbd66b4c5409ef729fd081861f8b6351 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 20 Jul 2022 09:50:20 -0700 +Subject: tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. + +From: Kuniyuki Iwashima + +commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 upstream. + +While reading sysctl_tcp_limit_output_bytes, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its reader. + +Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2503,7 +2503,7 @@ static bool tcp_small_queue_check(struct + sk->sk_pacing_rate >> READ_ONCE(sk->sk_pacing_shift)); + if (sk->sk_pacing_status == SK_PACING_NONE) + limit = min_t(unsigned long, limit, +- sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes); ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes)); + limit <<= factor; + + if (static_branch_unlikely(&tcp_tx_delay_enabled) && diff --git a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch b/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch new file mode 100644 index 00000000000..71868d06fce --- /dev/null +++ b/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch @@ -0,0 +1,43 @@ +From 780476488844e070580bfc9e3bc7832ec1cea883 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 20 Jul 2022 09:50:18 -0700 +Subject: tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. + +From: Kuniyuki Iwashima + +commit 780476488844e070580bfc9e3bc7832ec1cea883 upstream. + +While reading sysctl_tcp_moderate_rcvbuf, it can be changed +concurrently. Thus, we need to add READ_ONCE() to its readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + net/mptcp/protocol.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -716,7 +716,7 @@ void tcp_rcv_space_adjust(struct sock *s + * + */ + +- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf && ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) && + !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { + int rcvmem, rcvbuf; + u64 rcvwin, grow; +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1881,7 +1881,7 @@ static void mptcp_rcv_space_adjust(struc + if (msk->rcvq_space.copied <= msk->rcvq_space.space) + goto new_measure; + +- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf && ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) && + !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { + int rcvmem, rcvbuf; + u64 rcvwin, grow; -- 2.47.3