From: Greg Kroah-Hartman Date: Mon, 15 Jul 2024 08:41:33 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v4.19.318~76 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21b5525f57ad643190673252a602663feeaad1ea;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: cifs-fix-setting-securityflags-to-true.patch revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch --- diff --git a/queue-6.9/cifs-fix-setting-securityflags-to-true.patch b/queue-6.9/cifs-fix-setting-securityflags-to-true.patch new file mode 100644 index 00000000000..c85c92a3d73 --- /dev/null +++ b/queue-6.9/cifs-fix-setting-securityflags-to-true.patch 
@@ -0,0 +1,94 @@ +From d2346e2836318a227057ed41061114cbebee5d2a Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Tue, 9 Jul 2024 18:07:35 -0500 +Subject: cifs: fix setting SecurityFlags to true + +From: Steve French + +commit d2346e2836318a227057ed41061114cbebee5d2a upstream. + +If you try to set /proc/fs/cifs/SecurityFlags to 1 it +will set them to CIFSSEC_MUST_NTLMV2 which no longer is +relevant (the less secure ones like lanman have been removed +from cifs.ko) and is also missing some flags (like for +signing and encryption) and can even cause mount to fail, +so change this to set it to Kerberos in this case. + +Also change the description of the SecurityFlags to remove mention +of flags which are no longer supported. + +Cc: stable@vger.kernel.org +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cifs/usage.rst | 34 +++++++++---------------------- + fs/smb/client/cifsglob.h | 4 +-- + 2 files changed, 12 insertions(+), 26 deletions(-) + +--- a/Documentation/admin-guide/cifs/usage.rst ++++ b/Documentation/admin-guide/cifs/usage.rst +@@ -723,40 +723,26 @@ Configuration pseudo-files: + ======================= ======================================================= + SecurityFlags Flags which control security negotiation and + also packet signing. Authentication (may/must) +- flags (e.g. for NTLM and/or NTLMv2) may be combined with ++ flags (e.g. for NTLMv2) may be combined with + the signing flags. Specifying two different password + hashing mechanisms (as "must use") on the other hand + does not make much sense. Default flags are:: + +- 0x07007 ++ 0x00C5 + +- (NTLM, NTLMv2 and packet signing allowed). The maximum +- allowable flags if you want to allow mounts to servers +- using weaker password hashes is 0x37037 (lanman, +- plaintext, ntlm, ntlmv2, signing allowed). Some +- SecurityFlags require the corresponding menuconfig +- options to be enabled. 
Enabling plaintext +- authentication currently requires also enabling +- lanman authentication in the security flags +- because the cifs module only supports sending +- laintext passwords using the older lanman dialect +- form of the session setup SMB. (e.g. for authentication +- using plain text passwords, set the SecurityFlags +- to 0x30030):: ++ (NTLMv2 and packet signing allowed). Some SecurityFlags ++ may require enabling a corresponding menuconfig option. + + may use packet signing 0x00001 + must use packet signing 0x01001 +- may use NTLM (most common password hash) 0x00002 +- must use NTLM 0x02002 + may use NTLMv2 0x00004 + must use NTLMv2 0x04004 +- may use Kerberos security 0x00008 +- must use Kerberos 0x08008 +- may use lanman (weak) password hash 0x00010 +- must use lanman password hash 0x10010 +- may use plaintext passwords 0x00020 +- must use plaintext passwords 0x20020 +- (reserved for future packet encryption) 0x00040 ++ may use Kerberos security (krb5) 0x00008 ++ must use Kerberos 0x08008 ++ may use NTLMSSP 0x00080 ++ must use NTLMSSP 0x80080 ++ seal (packet encryption) 0x00040 ++ must seal (not implemented yet) 0x40040 + + cifsFYI If set to non-zero value, additional debug information + will be logged to the system error log. 
This field +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -1938,8 +1938,8 @@ require use of the stronger protocol */ + #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ + #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ + +-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP) +-#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2) ++#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL) ++#define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL) + #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) + /* + ***************************************************************** diff --git a/queue-6.9/revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch b/queue-6.9/revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch new file mode 100644 index 00000000000..cadaf630034 --- /dev/null +++ b/queue-6.9/revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch 
@@ -0,0 +1,65 @@ +From 2feab2492deb2f14f9675dd6388e9e2bf669c27a Mon Sep 17 00:00:00 2001 +From: Josh Don +Date: Thu, 20 Jun 2024 14:44:50 -0700 +Subject: Revert "sched/fair: Make sure to try to detach at least one movable task" + +From: Josh Don + +commit 2feab2492deb2f14f9675dd6388e9e2bf669c27a upstream. + +This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06. + +b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if +all tasks examined to that point were pinned. The goal of the patch was +to make it more likely to be able to detach a task buried in a long list +of pinned tasks. However, this has the unfortunate side effect of +creating an O(n) iteration in detach_tasks(), as we now must fully +iterate every task on a cpu if all or most are pinned. Since this load +balance code is done with rq lock held, and often in softirq context, it +is very easy to trigger hard lockups. We observed such hard lockups with +a user who affined O(10k) threads to a single cpu. + +When I discussed this with Vincent he initially suggested that we keep +the limit on the number of tasks to detach, but increase the number of +tasks we can search. However, after some back and forth on the mailing +list, he recommended we instead revert the original patch, as it seems +likely no one was actually getting hit by the original issue. 
+ +Fixes: b0defa7ae03e ("sched/fair: Make sure to try to detach at least one movable task") +Signed-off-by: Josh Don +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20240620214450.316280-1-joshdon@google.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/fair.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -9106,12 +9106,8 @@ static int detach_tasks(struct lb_env *e + break; + + env->loop++; +- /* +- * We've more or less seen every task there is, call it quits +- * unless we haven't found any movable task yet. +- */ +- if (env->loop > env->loop_max && +- !(env->flags & LBF_ALL_PINNED)) ++ /* We've more or less seen every task there is, call it quits */ ++ if (env->loop > env->loop_max) + break; + + /* take a breather every nr_migrate tasks */ +@@ -11363,9 +11359,7 @@ more_balance: + + if (env.flags & LBF_NEED_BREAK) { + env.flags &= ~LBF_NEED_BREAK; +- /* Stop if we tried all running tasks */ +- if (env.loop < busiest->nr_running) +- goto more_balance; ++ goto more_balance; + } + + /* diff --git a/queue-6.9/series b/queue-6.9/series index 9f71ae2996d..1701decaee5 100644 --- a/queue-6.9/series +++ b/queue-6.9/series @@ -62,3 +62,5 @@ octeontx2-af-fix-a-issue-with-cpt_lf_alloc-mailbox.patch octeontx2-af-fix-detection-of-ip-layer.patch octeontx2-af-fix-issue-with-ipv6-ext-match-for-rss.patch octeontx2-af-fix-issue-with-ipv4-match-for-rss.patch +cifs-fix-setting-securityflags-to-true.patch +revert-sched-fair-make-sure-to-try-to-detach-at-least-one-movable-task.patch
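Review bot: in the Documentation/admin-guide/cifs/usage.rst hunk, the parenthetical after the new default 0x00C5 reads "(NTLMv2 and packet signing allowed)", which understates the value. Per the flag table in the same hunk, 0x00C5 also carries 0x00080 (may use NTLMSSP) and 0x00040 (seal), which matches the new CIFSSEC_DEF in cifsglob.h. Suggest "(NTLMv2, NTLMSSP, packet signing and sealing allowed)". The default is also written with four hex digits while every table entry uses five (0x00001, 0x00040); 0x000C5 would be consistent. Finally, the text never says what writing 1 to SecurityFlags does, although the commit message describes that as the behaviour being fixed; one sentence here stating that 1 selects Kerberos would make the change visible to administrators.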
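Review bot: in the fs/smb/client/cifsglob.h hunk, the name CIFSSEC_MAX no longer matches its value and the define has no comment explaining it. The new value (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL) is not a superset of CIFSSEC_DEF: it drops the NTLMv2 and NTLMSSP bits and makes Kerberos mandatory. Since the commit message says this is what gets applied when 1 is written to SecurityFlags, a one-line comment on the define saying so, and that it restricts authentication to Kerberos, would keep a later reader from using it as an upper-bound mask.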
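Review bot: in the detach_tasks() hunk of kernel/sched/fair.c, the restored comment "We've more or less seen every task there is, call it quits" does not record why the bound on env->loop is unconditional again. The commit message gives the reason: the scan runs with the rq lock held, often in softirq context, and walking every pinned task produced hard lockups. Putting that reason in the comment next to "if (env->loop > env->loop_max)" would make it less likely that the LBF_ALL_PINNED exception is reintroduced without the lockup being considered.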
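Review bot: in the more_balance hunk of kernel/sched/fair.c, "goto more_balance" on LBF_NEED_BREAK is now unconditional, so termination of the retry depends entirely on detach_tasks() not raising LBF_NEED_BREAK again once env->loop has passed env->loop_max. The first hunk shows the loop_max check sitting ahead of the "take a breather every nr_migrate tasks" step, which appears to provide that guarantee, but the dependency is implicit now that the "env.loop < busiest->nr_running" guard is gone. A short comment at the goto stating that the retry is bounded by env.loop_max would document it.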