From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 09:53:18 +0000 (+0530) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a2603ec9f7ec8197e01d52280e0eeed61056c0f;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: debugobjects-do-not-fill_pool-if-pi_blocked_on.patch debugobjects-don-t-call-fill_pool-in-early-boot-hardirq-context.patch vsock-virtio-fix-potential-unbounded-skb-queue.patch vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch --- diff --git a/queue-7.0/debugobjects-do-not-fill_pool-if-pi_blocked_on.patch b/queue-7.0/debugobjects-do-not-fill_pool-if-pi_blocked_on.patch new file mode 100644 index 0000000000..e4950068d2 --- /dev/null +++ b/queue-7.0/debugobjects-do-not-fill_pool-if-pi_blocked_on.patch @@ -0,0 +1,63 @@ +From 5f41161059fd0f1bbf18c90f3180e38cc45a14eb Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Mon, 11 May 2026 18:53:05 -0300 +Subject: debugobjects: Do not fill_pool() if pi_blocked_on + +From: Helen Koike + +commit 5f41161059fd0f1bbf18c90f3180e38cc45a14eb upstream. + +On RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which +asserts if current::pi_blocked_on is set, because a task can obviously only +block on one lock as otherwise the priority inheritenace chain gets +corrupted. + +Prevent this by expanding the conditional to take current::pi_blocked_on +into account. + +Fixes: 4bedcc28469a ("debugobjects: Make them PREEMPT_RT aware") +Reported-by: syzbot+b8ca586b9fc235f0c0df@syzkaller.appspotmail.com +Signed-off-by: Helen Koike +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20260511215359.3351259-1-koike@igalia.com +Closes: https://syzkaller.appspot.com/bug?extid=b8ca586b9fc235f0c0df +Signed-off-by: Greg Kroah-Hartman +--- + lib/debugobjects.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -711,6 +711,15 @@ static struct debug_obj *lookup_object_o + return NULL; + } + ++static inline bool debug_objects_is_pi_blocked_on(void) ++{ ++#ifdef CONFIG_RT_MUTEXES ++ return current->pi_blocked_on != NULL; ++#else ++ return false; ++#endif ++} ++ + static void debug_objects_fill_pool(void) + { + if (!static_branch_likely(&obj_cache_enabled)) +@@ -727,11 +736,12 @@ static void debug_objects_fill_pool(void + + /* + * On RT enabled kernels the pool refill must happen in preemptible +- * context -- for !RT kernels we rely on the fact that spinlock_t and +- * raw_spinlock_t are basically the same type and this lock-type +- * inversion works just fine. ++ * context and not enqueued on an rt_mutex -- for !RT kernels we rely ++ * on the fact that spinlock_t and raw_spinlock_t are basically the ++ * same type and this lock-type inversion works just fine. + */ +- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible() || system_state < SYSTEM_SCHEDULING) { ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING || ++ (preemptible() && !debug_objects_is_pi_blocked_on())) { + /* + * Annotate away the spinlock_t inside raw_spinlock_t warning + * by temporarily raising the wait-type to LD_WAIT_CONFIG, matching diff --git a/queue-7.0/debugobjects-don-t-call-fill_pool-in-early-boot-hardirq-context.patch b/queue-7.0/debugobjects-don-t-call-fill_pool-in-early-boot-hardirq-context.patch new file mode 100644 index 0000000000..0deb87825e --- /dev/null +++ b/queue-7.0/debugobjects-don-t-call-fill_pool-in-early-boot-hardirq-context.patch @@ -0,0 +1,102 @@ +From 0d046ae106255cba5eb83b23f78ee93f3620247d Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Fri, 5 Jun 2026 13:30:38 -0400 +Subject: debugobjects: Don't call fill_pool() in early boot hardirq context + +From: Waiman Long + +commit 0d046ae106255cba5eb83b23f78ee93f3620247d upstream. + +When booting a debug PREEMPT_RT kernel on an ARM64 system, a "inconsistent +{HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage" lockdep warning message was +reported to the console. + +During early boot, interrupts are enabled before the scheduler is +enabled. In this window (before SYSTEM_SCHEDULING is set) interrupts can +fire and in the hard interrupt context handler attempt to fill the pool + +This can lead to a deadlock when the interrupt occurred when the interrupt +hits a region which holds a lock that is required to be taken in the +allocation path. + +Add a new can_fill_pool() helper and reorder the exception rule and forbid +this scenario by excluding allocations from hard interrupt context. + +Fixes: 06e0ae988f6e ("debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING") +Suggested-by: Sebastian Andrzej Siewior +Suggested-by: Thomas Gleixner +Signed-off-by: Waiman Long +Signed-off-by: Thomas Gleixner +Reviewed-by: Sebastian Andrzej Siewior +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260605173038.495075-1-longman@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + lib/debugobjects.c | 46 +++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 37 insertions(+), 9 deletions(-) + +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -720,6 +720,41 @@ static inline bool debug_objects_is_pi_b + #endif + } + ++static inline bool can_fill_pool(void) ++{ ++ /* ++ * On !RT enabled kernels there are no restrictions and spinlock_t and ++ * raw_spinlock_t are the same types. ++ */ ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) ++ return true; ++ ++ /* ++ * On RT enabled kernels, the task must not be blocked on a lock as ++ * that could corrupt the PI state when blocking on a lock in the ++ * allocation path. ++ */ ++ if (debug_objects_is_pi_blocked_on()) ++ return false; ++ ++ /* ++ * On RT enabled kernels the pool refill should happen in preemptible ++ * context. ++ */ ++ if (preemptible()) ++ return true; ++ ++ /* ++ * Though during system boot before scheduling is set up, preemption is ++ * disabled and the pool can get exhausted. Before scheduling is active ++ * a task cannot be blocked on a sleeping lock, but it might hold a lock ++ * and if interrupted then hard interrupt context might run into a lock ++ * inversion. So exclude hard interrupt context from allocations before ++ * scheduling is active. ++ */ ++ return system_state < SYSTEM_SCHEDULING && !in_hardirq(); ++} ++ + static void debug_objects_fill_pool(void) + { + if (!static_branch_likely(&obj_cache_enabled)) +@@ -734,18 +769,11 @@ static void debug_objects_fill_pool(void + if (likely(!pool_should_refill(&pool_global))) + return; + +- /* +- * On RT enabled kernels the pool refill must happen in preemptible +- * context and not enqueued on an rt_mutex -- for !RT kernels we rely +- * on the fact that spinlock_t and raw_spinlock_t are basically the +- * same type and this lock-type inversion works just fine. +- */ +- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || system_state < SYSTEM_SCHEDULING || +- (preemptible() && !debug_objects_is_pi_blocked_on())) { ++ if (can_fill_pool()) { + /* + * Annotate away the spinlock_t inside raw_spinlock_t warning + * by temporarily raising the wait-type to LD_WAIT_CONFIG, matching +- * the preemptible() condition above. ++ * the preemptible() condition in can_fill_pool(). + */ + static DEFINE_WAIT_OVERRIDE_MAP(fill_pool_map, LD_WAIT_CONFIG); + lock_map_acquire_try(&fill_pool_map); diff --git a/queue-7.0/series b/queue-7.0/series index 68cd24d87e..88600d7df4 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -367,3 +367,7 @@ wifi-mac80211-tests-mark-ht-check-strict.patch rdma-umem-fix-kernel-doc-warnings.patch rdma-move-dma-block-iterator-logic-into-dedicated-files.patch rdma-umem-fix-truncation-for-block-sizes-4g.patch +vsock-virtio-fix-potential-unbounded-skb-queue.patch +vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch +debugobjects-do-not-fill_pool-if-pi_blocked_on.patch +debugobjects-don-t-call-fill_pool-in-early-boot-hardirq-context.patch diff --git a/queue-7.0/vsock-virtio-fix-potential-unbounded-skb-queue.patch b/queue-7.0/vsock-virtio-fix-potential-unbounded-skb-queue.patch new file mode 100644 index 0000000000..b3fbe6700b --- /dev/null +++ b/queue-7.0/vsock-virtio-fix-potential-unbounded-skb-queue.patch @@ -0,0 +1,55 @@ +From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 30 Apr 2026 12:26:52 +0000 +Subject: vsock/virtio: fix potential unbounded skb queue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream. + +virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. + +virtio_transport_recv_enqueue() skips coalescing for packets +with VIRTIO_VSOCK_SEQ_EOM. + +If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, +a very large number of packets can be queued +because vvs->rx_bytes stays at 0. + +Fix this by estimating the skb metadata size: + + (Number of skbs in the queue) * SKB_TRUESIZE(0) + +Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") +Signed-off-by: Eric Dumazet +Cc: Arseniy Krasnov +Cc: Stefan Hajnoczi +Cc: Stefano Garzarella +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Xuan Zhuo +Cc: "Eugenio Pérez" +Cc: virtualization@lists.linux.dev +Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -425,7 +425,9 @@ static int virtio_transport_send_pkt_inf + static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, + u32 len) + { +- if (vvs->buf_used + len > vvs->buf_alloc) ++ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); ++ ++ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) + return false; + + vvs->rx_bytes += len; diff --git a/queue-7.0/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch b/queue-7.0/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch new file mode 100644 index 0000000000..84ddefe59d --- /dev/null +++ b/queue-7.0/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch @@ -0,0 +1,66 @@ +From c6087c5aaad6d1b8be1a1a641e0a422218ade911 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 18 May 2026 11:06:56 +0200 +Subject: vsock/virtio: fix skb overhead accounting to preserve full buf_alloc + +From: Stefano Garzarella + +commit c6087c5aaad6d1b8be1a1a641e0a422218ade911 upstream. + +After commit 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb +queue"), virtio_transport_inc_rx_pkt() subtracts per-skb overhead from +buf_alloc when checking whether a new packet fits. This reduces the +effective receive buffer below what the user configured via +SO_VM_SOCKETS_BUFFER_SIZE, causing legitimate data packets to be +silently dropped and applications that rely on the full buffer size +to deadlock. + +Also, the reduced space is not communicated to the remote peer, so +its credit calculation accounts more credit than the receiver will +actually accept, causing data loss (there is no retransmission). + +With this approach we currently have failures in +tools/testing/vsock/vsock_test.c. Test 18 sometimes fails, while +test 22 always fails in this way: + 18 - SOCK_STREAM MSG_ZEROCOPY...hash mismatch + + 22 - SOCK_STREAM virtio credit update + SO_RCVLOWAT...send failed: + Resource temporarily unavailable + +Fix by allowing at most `buf_alloc * 2` as the total budget for payload +plus skb overhead in virtio_transport_inc_rx_pkt(), similar to how +SO_RCVBUF is doubled to reserve space for sk_buff metadata. +This preserves the full buf_alloc for payload under normal operation, +while still bounding the skb queue growth. + +With this patch, all tests in tools/testing/vsock/vsock_test.c are +now passing again. + +Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue") +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260518090656.134588-3-sgarzare@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -427,7 +427,14 @@ static bool virtio_transport_inc_rx_pkt( + { + u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); + +- if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) ++ /* Allow at most buf_alloc * 2 total budget (payload + overhead), ++ * similar to how SO_RCVBUF is doubled to reserve space for sk_buff ++ * metadata. Check payload against buf_alloc to be sure the other ++ * peer is respecting the credit, and sk_buff overhead to bound ++ * queue growth. ++ */ ++ if ((u64)vvs->buf_used + len > vvs->buf_alloc || ++ skb_overhead > vvs->buf_alloc) + return false; + + vvs->rx_bytes += len;