--- /dev/null
+From d2346e2836318a227057ed41061114cbebee5d2a Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 Jul 2024 18:07:35 -0500
+Subject: cifs: fix setting SecurityFlags to true
+
+From: Steve French <stfrench@microsoft.com>
+
+commit d2346e2836318a227057ed41061114cbebee5d2a upstream.
+
+If you try to set /proc/fs/cifs/SecurityFlags to 1 it
+will set them to CIFSSEC_MUST_NTLMV2 which no longer is
+relevant (the less secure ones like lanman have been removed
+from cifs.ko) and is also missing some flags (like for
+signing and encryption) and can even cause mount to fail,
+so change this to set it to Kerberos in this case.
+
+Also change the description of the SecurityFlags to remove mention
+of flags which are no longer supported.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/cifs/usage.rst | 34 +++++++++----------------------
+ fs/smb/client/cifsglob.h | 4 +--
+ 2 files changed, 12 insertions(+), 26 deletions(-)
+
+--- a/Documentation/admin-guide/cifs/usage.rst
++++ b/Documentation/admin-guide/cifs/usage.rst
+@@ -722,40 +722,26 @@ Configuration pseudo-files:
+ ======================= =======================================================
+ SecurityFlags Flags which control security negotiation and
+ also packet signing. Authentication (may/must)
+- flags (e.g. for NTLM and/or NTLMv2) may be combined with
++ flags (e.g. for NTLMv2) may be combined with
+ the signing flags. Specifying two different password
+ hashing mechanisms (as "must use") on the other hand
+ does not make much sense. Default flags are::
+
+- 0x07007
++ 0x00C5
+
+- (NTLM, NTLMv2 and packet signing allowed). The maximum
+- allowable flags if you want to allow mounts to servers
+- using weaker password hashes is 0x37037 (lanman,
+- plaintext, ntlm, ntlmv2, signing allowed). Some
+- SecurityFlags require the corresponding menuconfig
+- options to be enabled. Enabling plaintext
+- authentication currently requires also enabling
+- lanman authentication in the security flags
+- because the cifs module only supports sending
+- laintext passwords using the older lanman dialect
+- form of the session setup SMB. (e.g. for authentication
+- using plain text passwords, set the SecurityFlags
+- to 0x30030)::
++ (NTLMv2 and packet signing allowed). Some SecurityFlags
++ may require enabling a corresponding menuconfig option.
+
+ may use packet signing 0x00001
+ must use packet signing 0x01001
+- may use NTLM (most common password hash) 0x00002
+- must use NTLM 0x02002
+ may use NTLMv2 0x00004
+ must use NTLMv2 0x04004
+- may use Kerberos security 0x00008
+- must use Kerberos 0x08008
+- may use lanman (weak) password hash 0x00010
+- must use lanman password hash 0x10010
+- may use plaintext passwords 0x00020
+- must use plaintext passwords 0x20020
+- (reserved for future packet encryption) 0x00040
++ may use Kerberos security (krb5) 0x00008
++ must use Kerberos 0x08008
++ may use NTLMSSP 0x00080
++ must use NTLMSSP 0x80080
++ seal (packet encryption) 0x00040
++ must seal (not implemented yet) 0x40040
+
+ cifsFYI If set to non-zero value, additional debug information
+ will be logged to the system error log. This field
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1939,8 +1939,8 @@ require use of the stronger protocol */
+ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
+ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
+
+-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
+-#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
++#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
++#define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
+ #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
+ /*
+ *****************************************************************
--- /dev/null
+From 2feab2492deb2f14f9675dd6388e9e2bf669c27a Mon Sep 17 00:00:00 2001
+From: Josh Don <joshdon@google.com>
+Date: Thu, 20 Jun 2024 14:44:50 -0700
+Subject: Revert "sched/fair: Make sure to try to detach at least one movable task"
+
+From: Josh Don <joshdon@google.com>
+
+commit 2feab2492deb2f14f9675dd6388e9e2bf669c27a upstream.
+
+This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.
+
+b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if
+all tasks examined to that point were pinned. The goal of the patch was
+to make it more likely to be able to detach a task buried in a long list
+of pinned tasks. However, this has the unfortunate side effect of
+creating an O(n) iteration in detach_tasks(), as we now must fully
+iterate every task on a cpu if all or most are pinned. Since this load
+balance code is done with rq lock held, and often in softirq context, it
+is very easy to trigger hard lockups. We observed such hard lockups with
+a user who affined O(10k) threads to a single cpu.
+
+When I discussed this with Vincent he initially suggested that we keep
+the limit on the number of tasks to detach, but increase the number of
+tasks we can search. However, after some back and forth on the mailing
+list, he recommended we instead revert the original patch, as it seems
+likely no one was actually getting hit by the original issue.
+
+Fixes: b0defa7ae03e ("sched/fair: Make sure to try to detach at least one movable task")
+Signed-off-by: Josh Don <joshdon@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lore.kernel.org/r/20240620214450.316280-1-joshdon@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -8977,12 +8977,8 @@ static int detach_tasks(struct lb_env *e
+ break;
+
+ env->loop++;
+- /*
+- * We've more or less seen every task there is, call it quits
+- * unless we haven't found any movable task yet.
+- */
+- if (env->loop > env->loop_max &&
+- !(env->flags & LBF_ALL_PINNED))
++ /* We've more or less seen every task there is, call it quits */
++ if (env->loop > env->loop_max)
+ break;
+
+ /* take a breather every nr_migrate tasks */
+@@ -11259,9 +11255,7 @@ more_balance:
+
+ if (env.flags & LBF_NEED_BREAK) {
+ env.flags &= ~LBF_NEED_BREAK;
+- /* Stop if we tried all running tasks */
+- if (env.loop < busiest->nr_running)
+- goto more_balance;
++ goto more_balance;
+ }
+
+ /*
octeontx2-af-fix-detection-of-ip-layer.patch
octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch
octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch
+cifs-fix-setting-securityflags-to-true.patch
+revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch
+tcp-use-signed-arithmetic-in-tcp_rtx_probe0_timed_out.patch
+tcp-avoid-too-many-retransmit-packets.patch
--- /dev/null
+From 97a9063518f198ec0adb2ecb89789de342bb8283 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 10 Jul 2024 00:14:01 +0000
+Subject: tcp: avoid too many retransmit packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 97a9063518f198ec0adb2ecb89789de342bb8283 upstream.
+
+If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
+retracted its window to zero, tcp_retransmit_timer() can
+retransmit a packet every two jiffies (2 ms for HZ=1000),
+for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
+
+The fix is to make sure tcp_rtx_probe0_timed_out() takes
+icsk->icsk_user_timeout into account.
+
+Before blamed commit, the socket would not timeout after
+icsk->icsk_user_timeout, but would use standard exponential
+backoff for the retransmits.
+
+Also worth noting that before commit e89688e3e978 ("net: tcp:
+fix unexcepted socket die when snd_wnd is 0"), the issue
+would last 2 minutes instead of 4.
+
+Fixes: b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Jon Maxwell <jmaxwell37@gmail.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240710001402.2758273-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_timer.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -457,16 +457,28 @@ static void tcp_fastopen_synack_timer(st
+ static bool tcp_rtx_probe0_timed_out(const struct sock *sk,
+ const struct sk_buff *skb)
+ {
++ const struct inet_connection_sock *icsk = inet_csk(sk);
++ u32 user_timeout = READ_ONCE(icsk->icsk_user_timeout);
+ const struct tcp_sock *tp = tcp_sk(sk);
+- const int timeout = TCP_RTO_MAX * 2;
++ int timeout = TCP_RTO_MAX * 2;
+ u32 rtx_delta;
+ s32 rcv_delta;
+
++ if (user_timeout) {
++ /* If user application specified a TCP_USER_TIMEOUT,
++ * it does not want win 0 packets to 'reset the timer'
++ * while retransmits are not making progress.
++ */
++ if (rtx_delta > user_timeout)
++ return true;
++ timeout = min_t(u32, timeout, msecs_to_jiffies(user_timeout));
++ }
++
+ /* Note: timer interrupt might have been delayed by at least one jiffy,
+ * and tp->rcv_tstamp might very well have been written recently.
+ * rcv_delta can thus be negative.
+ */
+- rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp;
++ rcv_delta = icsk->icsk_timeout - tp->rcv_tstamp;
+ if (rcv_delta <= timeout)
+ return false;
+
--- /dev/null
+From 36534d3c54537bf098224a32dc31397793d4594d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 7 Jun 2024 12:56:52 +0000
+Subject: tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 36534d3c54537bf098224a32dc31397793d4594d upstream.
+
+Due to timer wheel implementation, a timer will usually fire
+after its schedule.
+
+For instance, for HZ=1000, a timeout between 512ms and 4s
+has a granularity of 64ms.
+For this range of values, the extra delay could be up to 63ms.
+
+For TCP, this means that tp->rcv_tstamp may be after
+inet_csk(sk)->icsk_timeout whenever the timer interrupt
+finally triggers, if one packet came during the extra delay.
+
+We need to make sure tcp_rtx_probe0_timed_out() handles this case.
+
+Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Menglong Dong <imagedong@tencent.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_timer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -459,8 +459,13 @@ static bool tcp_rtx_probe0_timed_out(con
+ {
+ const struct tcp_sock *tp = tcp_sk(sk);
+ const int timeout = TCP_RTO_MAX * 2;
+- u32 rcv_delta, rtx_delta;
++ u32 rtx_delta;
++ s32 rcv_delta;
+
++ /* Note: timer interrupt might have been delayed by at least one jiffy,
++ * and tp->rcv_tstamp might very well have been written recently.
++ * rcv_delta can thus be negative.
++ */
+ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp;
+ if (rcv_delta <= timeout)
+ return false;
projects / thirdparty / kernel / stable-queue.git / commitdiff
