--- /dev/null
+From d2346e2836318a227057ed41061114cbebee5d2a Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 Jul 2024 18:07:35 -0500
+Subject: cifs: fix setting SecurityFlags to true
+
+From: Steve French <stfrench@microsoft.com>
+
+commit d2346e2836318a227057ed41061114cbebee5d2a upstream.
+
+If you try to set /proc/fs/cifs/SecurityFlags to 1 it
+will set them to CIFSSEC_MUST_NTLMV2 which no longer is
+relevant (the less secure ones like lanman have been removed
+from cifs.ko) and is also missing some flags (like for
+signing and encryption) and can even cause mount to fail,
+so change this to set it to Kerberos in this case.
+
+Also change the description of the SecurityFlags to remove mention
+of flags which are no longer supported.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/cifs/usage.rst | 34 +++++++++----------------------
+ fs/smb/client/cifsglob.h | 4 +--
+ 2 files changed, 12 insertions(+), 26 deletions(-)
+
+--- a/Documentation/admin-guide/cifs/usage.rst
++++ b/Documentation/admin-guide/cifs/usage.rst
+@@ -722,40 +722,26 @@ Configuration pseudo-files:
+ ======================= =======================================================
+ SecurityFlags Flags which control security negotiation and
+ also packet signing. Authentication (may/must)
+- flags (e.g. for NTLM and/or NTLMv2) may be combined with
++ flags (e.g. for NTLMv2) may be combined with
+ the signing flags. Specifying two different password
+ hashing mechanisms (as "must use") on the other hand
+ does not make much sense. Default flags are::
+
+- 0x07007
++ 0x00C5
+
+- (NTLM, NTLMv2 and packet signing allowed). The maximum
+- allowable flags if you want to allow mounts to servers
+- using weaker password hashes is 0x37037 (lanman,
+- plaintext, ntlm, ntlmv2, signing allowed). Some
+- SecurityFlags require the corresponding menuconfig
+- options to be enabled. Enabling plaintext
+- authentication currently requires also enabling
+- lanman authentication in the security flags
+- because the cifs module only supports sending
+- laintext passwords using the older lanman dialect
+- form of the session setup SMB. (e.g. for authentication
+- using plain text passwords, set the SecurityFlags
+- to 0x30030)::
++ (NTLMv2 and packet signing allowed). Some SecurityFlags
++ may require enabling a corresponding menuconfig option.
+
+ may use packet signing 0x00001
+ must use packet signing 0x01001
+- may use NTLM (most common password hash) 0x00002
+- must use NTLM 0x02002
+ may use NTLMv2 0x00004
+ must use NTLMv2 0x04004
+- may use Kerberos security 0x00008
+- must use Kerberos 0x08008
+- may use lanman (weak) password hash 0x00010
+- must use lanman password hash 0x10010
+- may use plaintext passwords 0x00020
+- must use plaintext passwords 0x20020
+- (reserved for future packet encryption) 0x00040
++ may use Kerberos security (krb5) 0x00008
++ must use Kerberos 0x08008
++ may use NTLMSSP 0x00080
++ must use NTLMSSP 0x80080
++ seal (packet encryption) 0x00040
++ must seal (not implemented yet) 0x40040
+
+ cifsFYI If set to non-zero value, additional debug information
+ will be logged to the system error log. This field
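Review bot: The parenthetical after the new default, "(NTLMv2 and packet signing allowed)", does not match 0x00C5. By the values listed in the table just below it, 0x00C5 is 0x00001 (may use packet signing) + 0x00004 (may use NTLMv2) + 0x00040 (seal) + 0x00080 (may use NTLMSSP), so NTLMSSP and sealing should be named as well. The default is also written with four hex digits while every other value in the table uses five; 0x000C5 would be consistent. The text still does not say what writing 1 to SecurityFlags does, which is the behaviour the commit message describes changing.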
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1837,8 +1837,8 @@ require use of the stronger protocol */
+ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
+ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
+
+-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
+-#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
++#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
++#define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
+ #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
+ /*
+ *****************************************************************
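Review bot: CIFSSEC_MAX now combines two MAY flags with CIFSSEC_MUST_KRB5, and nothing at the define says that this is the value applied when SecurityFlags is written as 1, which is how the commit message describes it. A one-line comment above the define stating that, and that it makes Kerberos mandatory, would keep the name from being read as an upper-bound mask. It is also worth confirming in the changelog that requiring krb5 here cannot reproduce the mount failure the commit message attributes to the old value.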
--- /dev/null
+From 2feab2492deb2f14f9675dd6388e9e2bf669c27a Mon Sep 17 00:00:00 2001
+From: Josh Don <joshdon@google.com>
+Date: Thu, 20 Jun 2024 14:44:50 -0700
+Subject: Revert "sched/fair: Make sure to try to detach at least one movable task"
+
+From: Josh Don <joshdon@google.com>
+
+commit 2feab2492deb2f14f9675dd6388e9e2bf669c27a upstream.
+
+This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.
+
+b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if
+all tasks examined to that point were pinned. The goal of the patch was
+to make it more likely to be able to detach a task buried in a long list
+of pinned tasks. However, this has the unfortunate side effect of
+creating an O(n) iteration in detach_tasks(), as we now must fully
+iterate every task on a cpu if all or most are pinned. Since this load
+balance code is done with rq lock held, and often in softirq context, it
+is very easy to trigger hard lockups. We observed such hard lockups with
+a user who affined O(10k) threads to a single cpu.
+
+When I discussed this with Vincent he initially suggested that we keep
+the limit on the number of tasks to detach, but increase the number of
+tasks we can search. However, after some back and forth on the mailing
+list, he recommended we instead revert the original patch, as it seems
+likely no one was actually getting hit by the original issue.
+
+Fixes: b0defa7ae03e ("sched/fair: Make sure to try to detach at least one movable task")
+Signed-off-by: Josh Don <joshdon@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lore.kernel.org/r/20240620214450.316280-1-joshdon@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -8479,12 +8479,8 @@ static int detach_tasks(struct lb_env *e
+ break;
+
+ env->loop++;
+- /*
+- * We've more or less seen every task there is, call it quits
+- * unless we haven't found any movable task yet.
+- */
+- if (env->loop > env->loop_max &&
+- !(env->flags & LBF_ALL_PINNED))
++ /* We've more or less seen every task there is, call it quits */
++ if (env->loop > env->loop_max)
+ break;
+
+ /* take a breather every nr_migrate tasks */
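Review bot: The restored comment on the env->loop > env->loop_max check gives no hint of why pinned tasks must not extend the scan. Since the commit message ties the hard lockups to iterating every task with the rq lock held, the comment should say that loop_max bounds the walk even while LBF_ALL_PINNED is still set, so the exemption is not reintroduced later.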
+@@ -10623,9 +10619,7 @@ more_balance:
+
+ if (env.flags & LBF_NEED_BREAK) {
+ env.flags &= ~LBF_NEED_BREAK;
+- /* Stop if we tried all running tasks */
+- if (env.loop < busiest->nr_running)
+- goto more_balance;
++ goto more_balance;
+ }
+
+ /*
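Review bot: With the env.loop < busiest->nr_running test removed, the goto more_balance under LBF_NEED_BREAK is unconditional, so termination of this retry appears to depend on detach_tasks() breaking out on env->loop > env->loop_max before it reaches the "take a breather every nr_migrate tasks" step. That ordering is visible in the previous hunk but not here; a short comment at this goto stating the dependency would make it harder to break by reordering the checks in detach_tasks().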
octeontx2-af-extend-rss-supported-offload-types.patch
octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch
octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch
+cifs-fix-setting-securityflags-to-true.patch
+revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch
+tcp-use-signed-arithmetic-in-tcp_rtx_probe0_timed_out.patch
--- /dev/null
+From 36534d3c54537bf098224a32dc31397793d4594d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 7 Jun 2024 12:56:52 +0000
+Subject: tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 36534d3c54537bf098224a32dc31397793d4594d upstream.
+
+Due to timer wheel implementation, a timer will usually fire
+after its schedule.
+
+For instance, for HZ=1000, a timeout between 512ms and 4s
+has a granularity of 64ms.
+For this range of values, the extra delay could be up to 63ms.
+
+For TCP, this means that tp->rcv_tstamp may be after
+inet_csk(sk)->icsk_timeout whenever the timer interrupt
+finally triggers, if one packet came during the extra delay.
+
+We need to make sure tcp_rtx_probe0_timed_out() handles this case.
+
+Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Menglong Dong <imagedong@tencent.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_timer.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -446,8 +446,13 @@ static bool tcp_rtx_probe0_timed_out(con
+ {
+ const struct tcp_sock *tp = tcp_sk(sk);
+ const int timeout = TCP_RTO_MAX * 2;
+- u32 rcv_delta, rtx_delta;
++ u32 rtx_delta;
++ s32 rcv_delta;
+
++ /* Note: timer interrupt might have been delayed by at least one jiffy,
++ * and tp->rcv_tstamp might very well have been written recently.
++ * rcv_delta can thus be negative.
++ */
+ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp;
+ if (rcv_delta <= timeout)
+ return false;
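Review bot: rcv_delta is now s32, but the subtraction that feeds it is unchanged, so the sign comes only from the implicit conversion on assignment. Writing the cast explicitly, as in rcv_delta = (s32)(inet_csk(sk)->icsk_timeout - tp->rcv_tstamp), would show that the negative result is intended. The new comment says the interrupt may be delayed "by at least one jiffy" while the commit message gives an extra delay of up to 63ms at HZ=1000; "by one or more jiffies" would read more accurately, and the comment could add that a negative rcv_delta takes the rcv_delta <= timeout branch and returns false.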