From: Sasha Levin Date: Sun, 7 Jul 2024 14:53:24 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.6.38~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6762e215caf02c533c8851589f827c4eeaeea4ef;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch b/queue-5.10/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch new file mode 100644 index 00000000000..dc11633a7f1 --- /dev/null +++ b/queue-5.10/bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch @@ -0,0 +1,79 @@ +From 5113ab840dc5280ac757e0fc4e3c79d7be5dead2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 14:55:55 +0100 +Subject: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() + +From: Sam Sun + +[ Upstream commit e271ff53807e8f2c628758290f0e499dbe51cb3d ] + +In function bond_option_arp_ip_targets_set(), if newval->string is an +empty string, newval->string+1 will point to the byte after the +string, causing an out-of-bound read. + +BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 +Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 +CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:364 [inline] + print_report+0xc1/0x5e0 mm/kasan/report.c:475 + kasan_report+0xbe/0xf0 mm/kasan/report.c:588 + strlen+0x7d/0xa0 lib/string.c:418 + __fortify_strlen include/linux/fortify-string.h:210 [inline] + in4_pton+0xa3/0x3f0 net/core/utils.c:130 + bond_option_arp_ip_targets_set+0xc2/0x910 +drivers/net/bonding/bond_options.c:1201 + __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 + __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 + bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 + bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 + dev_attr_store+0x54/0x80 drivers/base/core.c:2366 + sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 + kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 + call_write_iter include/linux/fs.h:2020 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x96a/0xd80 fs/read_write.c:584 + ksys_write+0x122/0x250 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b +---[ end trace ]--- + +Fix it by adding a check of string length before using it. + +Fixes: f9de11a16594 ("bonding: add ip checks when store ip target") +Signed-off-by: Yue Sun +Signed-off-by: Simon Horman +Acked-by: Jay Vosburgh +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20240702-bond-oob-v6-1-2dfdba195c19@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_options.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index fe55c81608daa..fa0bf77870d43 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1100,9 +1100,9 @@ static int bond_option_arp_ip_targets_set(struct bonding *bond, + __be32 target; + + if (newval->string) { +- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) { +- netdev_err(bond->dev, "invalid ARP target %pI4 specified\n", +- &target); ++ if (strlen(newval->string) < 1 || ++ !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) { ++ netdev_err(bond->dev, "invalid ARP target specified\n"); + return ret; + } + if (newval->string[0] == '+') +-- +2.43.0 + diff --git a/queue-5.10/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch b/queue-5.10/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch new file mode 100644 index 00000000000..d83f9911f54 --- /dev/null +++ b/queue-5.10/inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch @@ -0,0 +1,117 @@ +From e0452cd972539772d8b9712355acb1278902d491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 18:16:49 +0900 +Subject: inet_diag: Initialize pad field in struct inet_diag_req_v2 + +From: Shigeru Yoshida + +[ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ] + +KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw +sockets uses the pad field in struct inet_diag_req_v2 for the +underlying protocol. This field corresponds to the sdiag_raw_protocol +field in struct inet_diag_req_raw. + +inet_diag_get_exact_compat() converts inet_diag_req to +inet_diag_req_v2, but leaves the pad field uninitialized. So the issue +occurs when raw_lookup() accesses the sdiag_raw_protocol field. + +Fix this by initializing the pad field in +inet_diag_get_exact_compat(). Also, do the same fix in +inet_diag_dump_compat() to avoid the similar issue in the future. + +[1] +BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline] +BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 + raw_lookup net/ipv4/raw_diag.c:49 [inline] + raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 + raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 + inet_diag_cmd_exact+0x7d9/0x980 + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] + inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 + netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] + netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 + netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x332/0x3d0 net/socket.c:745 + ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 + __sys_sendmsg net/socket.c:2668 [inline] + __do_sys_sendmsg net/socket.c:2677 [inline] + __se_sys_sendmsg net/socket.c:2675 [inline] + __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 + x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was stored to memory at: + raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71 + raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 + inet_diag_cmd_exact+0x7d9/0x980 + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] + inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 + sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 + netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] + netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 + netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x332/0x3d0 net/socket.c:745 + ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 + ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 + __sys_sendmsg net/socket.c:2668 [inline] + __do_sys_sendmsg net/socket.c:2677 [inline] + __se_sys_sendmsg net/socket.c:2675 [inline] + __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 + x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Local variable req.i created at: + inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline] + inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426 + sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 + +CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 + +Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets") +Reported-by: syzkaller +Signed-off-by: Shigeru Yoshida +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_diag.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index 27a5a7d66d184..b9df76f6571cd 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -1275,6 +1275,7 @@ static int inet_diag_dump_compat(struct sk_buff *skb, + req.sdiag_family = AF_UNSPEC; /* compatibility */ + req.sdiag_protocol = inet_diag_type2proto(cb->nlh->nlmsg_type); + req.idiag_ext = rc->idiag_ext; ++ req.pad = 0; + req.idiag_states = rc->idiag_states; + req.id = rc->id; + +@@ -1290,6 +1291,7 @@ static int inet_diag_get_exact_compat(struct sk_buff *in_skb, + req.sdiag_family = rc->idiag_family; + req.sdiag_protocol = inet_diag_type2proto(nlh->nlmsg_type); + req.idiag_ext = rc->idiag_ext; ++ req.pad = 0; + req.idiag_states = rc->idiag_states; + req.id = rc->id; + +-- +2.43.0 + diff --git a/queue-5.10/selftests-fix-oom-in-msg_zerocopy-selftest.patch b/queue-5.10/selftests-fix-oom-in-msg_zerocopy-selftest.patch new file mode 100644 index 00000000000..bf5bc7effa7 --- /dev/null +++ b/queue-5.10/selftests-fix-oom-in-msg_zerocopy-selftest.patch @@ -0,0 +1,101 @@ +From 5c979c710784499d0fb3ef0d4d4ce97e92416fd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 22:53:48 +0000 +Subject: selftests: fix OOM in msg_zerocopy selftest + +From: Zijian Zhang + +[ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ] + +In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg +on a socket with MSG_ZEROCOPY flag, and it will recv the notifications +until the socket is not writable. Typically, it will start the receiving +process after around 30+ sendmsgs. However, as the introduction of commit +dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is +always writable and does not get any chance to run recv notifications. +The selftest always exits with OUT_OF_MEMORY because the memory used by +opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a +different value to trigger OOM on older kernels too. + +Thus, we introduce "cfg_notification_limit" to force sender to receive +notifications after some number of sendmsgs. + +Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") +Signed-off-by: Zijian Zhang +Signed-off-by: Xiaochun Lu +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/msg_zerocopy.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c +index bdc03a2097e85..926556febc83c 100644 +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -85,6 +85,7 @@ static bool cfg_rx; + static int cfg_runtime_ms = 4200; + static int cfg_verbose; + static int cfg_waittime_ms = 500; ++static int cfg_notification_limit = 32; + static bool cfg_zerocopy; + + static socklen_t cfg_alen; +@@ -95,6 +96,7 @@ static char payload[IP_MAXPACKET]; + static long packets, bytes, completions, expected_completions; + static int zerocopied = -1; + static uint32_t next_completion; ++static uint32_t sends_since_notify; + + static unsigned long gettimeofday_ms(void) + { +@@ -208,6 +210,7 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy, int domain) + error(1, errno, "send"); + if (cfg_verbose && ret != len) + fprintf(stderr, "send: ret=%u != %u\n", ret, len); ++ sends_since_notify++; + + if (len) { + packets++; +@@ -460,6 +463,7 @@ static bool do_recv_completion(int fd, int domain) + static void do_recv_completions(int fd, int domain) + { + while (do_recv_completion(fd, domain)) {} ++ sends_since_notify = 0; + } + + /* Wait for all remaining completions on the errqueue */ +@@ -549,6 +553,9 @@ static void do_tx(int domain, int type, int protocol) + else + do_sendmsg(fd, &msg, cfg_zerocopy, domain); + ++ if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit) ++ do_recv_completions(fd, domain); ++ + while (!do_poll(fd, POLLOUT)) { + if (cfg_zerocopy) + do_recv_completions(fd, domain); +@@ -708,7 +715,7 @@ static void parse_opts(int argc, char **argv) + + cfg_payload_len = max_payload_len; + +- while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) { ++ while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) { + switch (c) { + case '4': + if (cfg_family != PF_UNSPEC) +@@ -736,6 +743,9 @@ static void parse_opts(int argc, char **argv) + if (cfg_ifindex == 0) + error(1, errno, "invalid iface: %s", optarg); + break; ++ case 'l': ++ cfg_notification_limit = strtoul(optarg, NULL, 0); ++ break; + case 'm': + cfg_cork_mixed = true; + break; +-- +2.43.0 + diff --git a/queue-5.10/selftests-make-order-checking-verbose-in-msg_zerocop.patch b/queue-5.10/selftests-make-order-checking-verbose-in-msg_zerocop.patch new file mode 100644 index 00000000000..90305fe567e --- /dev/null +++ b/queue-5.10/selftests-make-order-checking-verbose-in-msg_zerocop.patch @@ -0,0 +1,40 @@ +From 4b17ac4dffa7192c3a0d2498031124b973f2a9ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 22:53:49 +0000 +Subject: selftests: make order checking verbose in msg_zerocopy selftest + +From: Zijian Zhang + +[ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ] + +We find that when lock debugging is on, notifications may not come in +order. Thus, we have order checking outputs managed by cfg_verbose, to +avoid too many outputs in this case. + +Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") +Signed-off-by: Zijian Zhang +Signed-off-by: Xiaochun Lu +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/msg_zerocopy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c +index 926556febc83c..7ea5fb28c93db 100644 +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -438,7 +438,7 @@ static bool do_recv_completion(int fd, int domain) + /* Detect notification gaps. These should not happen often, if at all. + * Gaps can occur due to drops, reordering and retransmissions. + */ +- if (lo != next_completion) ++ if (cfg_verbose && lo != next_completion) + fprintf(stderr, "gap: %u..%u does not append to %u\n", + lo, hi, next_completion); + next_completion = hi + 1; +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index ccf59a4e82b..9077d5a66f9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -27,3 +27,10 @@ bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch jffs2-fix-potential-illegal-address-access-in-jffs2_.patch s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch s390-pkey-wipe-sensitive-data-on-failure.patch +upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch +tcp_metrics-validate-source-addr-length.patch +wifi-wilc1000-fix-ies_len-type-in-connect-path.patch +bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch +selftests-fix-oom-in-msg_zerocopy-selftest.patch +selftests-make-order-checking-verbose-in-msg_zerocop.patch +inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch diff --git a/queue-5.10/tcp_metrics-validate-source-addr-length.patch b/queue-5.10/tcp_metrics-validate-source-addr-length.patch new file mode 100644 index 00000000000..f1bb55fce69 --- /dev/null +++ b/queue-5.10/tcp_metrics-validate-source-addr-length.patch @@ -0,0 +1,38 @@ +From 8897c419107b59b2ce50ed7cff274f164b2c4ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 14:25:00 -0700 +Subject: tcp_metrics: validate source addr length + +From: Jakub Kicinski + +[ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ] + +I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 +is at least 4 bytes long, and the policy doesn't have an entry +for this attribute at all (neither does it for IPv6 but v6 is +manually validated). + +Reviewed-by: Eric Dumazet +Fixes: 3e7013ddf55a ("tcp: metrics: Allow selective get/del of tcp-metrics based on src IP") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index f823a15b973c4..95b5ac082a2f4 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -619,6 +619,7 @@ static const struct nla_policy tcp_metrics_nl_policy[TCP_METRICS_ATTR_MAX + 1] = + [TCP_METRICS_ATTR_ADDR_IPV4] = { .type = NLA_U32, }, + [TCP_METRICS_ATTR_ADDR_IPV6] = { .type = NLA_BINARY, + .len = sizeof(struct in6_addr), }, ++ [TCP_METRICS_ATTR_SADDR_IPV4] = { .type = NLA_U32, }, + /* Following attributes are not received for GET/DEL, + * we keep them for reference + */ +-- +2.43.0 + diff --git a/queue-5.10/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch b/queue-5.10/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch new file mode 100644 index 00000000000..67855748083 --- /dev/null +++ b/queue-5.10/upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch @@ -0,0 +1,70 @@ +From 367496c53b9c4a9ca35cd041f6ae99472f408e94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 22:42:27 -0400 +Subject: UPSTREAM: tcp: fix DSACK undo in fast recovery to call + tcp_try_to_open() + +From: Neal Cardwell + +[ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ] + +In some production workloads we noticed that connections could +sometimes close extremely prematurely with ETIMEDOUT after +transmitting only 1 TLP and RTO retransmission (when we would normally +expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection +closes with ETIMEDOUT). + +From tracing we determined that these workloads can suffer from a +scenario where in fast recovery, after some retransmits, a DSACK undo +can happen at a point where the scoreboard is totally clear (we have +retrans_out == sacked_out == lost_out == 0). In such cases, calling +tcp_try_keep_open() means that we do not execute any code path that +clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can +remain erroneously set to the start time of the undone fast recovery, +even after the fast recovery is undone. If minutes or hours elapse, +and then a TLP/RTO/RTO sequence occurs, then the start_ts value in +retransmits_timed_out() (which is from tp->retrans_stamp) will be +erroneously ancient (left over from the fast recovery undone via +DSACKs). Thus this ancient tp->retrans_stamp value can cause the +connection to die very prematurely with ETIMEDOUT via +tcp_write_err(). + +The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to +call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures +that if no retransmits are in flight at the time of DSACK undo in fast +recovery then we properly zero retrans_stamp. Note that calling +tcp_try_to_open() is more consistent with other loss recovery +behavior, since normal fast recovery (CA_Recovery) and RTO recovery +(CA_Loss) both normally end when tp->snd_una meets or exceeds +tp->high_seq and then in tcp_fastretrans_alert() the "default" switch +case executes tcp_try_to_open(). Also note that by inspection this +change to call tcp_try_to_open() implies at least one other nice bug +fix, where now an ECE-marked DSACK that causes an undo will properly +invoke tcp_enter_cwr() rather than ignoring the ECE mark. + +Fixes: c7d9d6a185a7 ("tcp: undo on DSACK during recovery") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 512f8dc051c61..604ff1b04c3ef 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2993,7 +2993,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + return; + + if (tcp_try_undo_dsack(sk)) +- tcp_try_keep_open(sk); ++ tcp_try_to_open(sk, flag); + + tcp_identify_packet_loss(sk, ack_flag); + if (icsk->icsk_ca_state != TCP_CA_Recovery) { +-- +2.43.0 + diff --git a/queue-5.10/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch b/queue-5.10/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch new file mode 100644 index 00000000000..ff923136baf --- /dev/null +++ b/queue-5.10/wifi-wilc1000-fix-ies_len-type-in-connect-path.patch @@ -0,0 +1,51 @@ +From 5e93ae6ae9a7065ccb8256828d532a4645f25876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 18:23:20 +0200 +Subject: wifi: wilc1000: fix ies_len type in connect path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jozef Hopko + +[ Upstream commit 39ab8fff623053a50951b659e5f6b72343d7d78c ] + +Commit 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +made sure that the IEs data was manipulated under the relevant RCU section. +Unfortunately, while doing so, the commit brought a faulty implicit cast +from int to u8 on the ies_len variable, making the parsing fail to be +performed correctly if the IEs block is larger than 255 bytes. This failure +can be observed with Access Points appending a lot of IEs TLVs in their +beacon frames (reproduced with a Pixel phone acting as an Access Point, +which brough 273 bytes of IE data in my testing environment). + +Fix IEs parsing by removing this undesired implicit cast. + +Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +Signed-off-by: Jozef Hopko +Signed-off-by: Alexis Lothoré +Acked-by: Ajay Singh +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240701-wilc_fix_ies_data-v1-1-7486cbacf98a@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c +index 457386f9de990..3f167bf4eef35 100644 +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -364,7 +364,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + struct ieee80211_p2p_noa_attr noa_attr; + const struct cfg80211_bss_ies *ies; + struct wilc_join_bss_param *param; +- u8 rates_len = 0, ies_len; ++ u8 rates_len = 0; ++ int ies_len; + int ret; + + param = kzalloc(sizeof(*param), GFP_KERNEL); +-- +2.43.0 +