From: Greg Kroah-Hartman Date: Mon, 15 Jul 2024 11:36:16 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.19.318~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f7aedad6e5c7f9689ce94a149892ada186c040b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-processor_idle-fix-invalid-comparison-with-insertion-sort-for-latency.patch fix-userfaultfd_api-to-return-einval-as-expected.patch libceph-fix-race-between-delayed_work-and-ceph_monc_stop.patch misc-fastrpc-avoid-updating-pd-type-for-capability-request.patch misc-fastrpc-copy-the-complete-capability-structure-to-user.patch misc-fastrpc-fix-dsp-capabilities-request.patch wireguard-allowedips-avoid-unaligned-64-bit-memory-accesses.patch wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch wireguard-selftests-use-acpi-off-instead-of-no-acpi-for-recent-qemu.patch wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch --- diff --git a/queue-6.1/acpi-processor_idle-fix-invalid-comparison-with-insertion-sort-for-latency.patch b/queue-6.1/acpi-processor_idle-fix-invalid-comparison-with-insertion-sort-for-latency.patch new file mode 100644 index 00000000000..fdec16182c2 --- /dev/null +++ b/queue-6.1/acpi-processor_idle-fix-invalid-comparison-with-insertion-sort-for-latency.patch @@ -0,0 +1,99 @@ +From 233323f9b9f828cd7cd5145ad811c1990b692542 Mon Sep 17 00:00:00 2001 +From: Kuan-Wei Chiu +Date: Tue, 2 Jul 2024 04:56:39 +0800 +Subject: ACPI: processor_idle: Fix invalid comparison with insertion sort for latency + +From: Kuan-Wei Chiu + +commit 233323f9b9f828cd7cd5145ad811c1990b692542 upstream. + +The acpi_cst_latency_cmp() comparison function currently used for +sorting C-state latencies does not satisfy transitivity, causing +incorrect sorting results. + +Specifically, if there are two valid acpi_processor_cx elements A and B +and one invalid element C, it may occur that A < B, A = C, and B = C. +Sorting algorithms assume that if A < B and A = C, then C < B, leading +to incorrect ordering. + +Given the small size of the array (<=8), we replace the library sort +function with a simple insertion sort that properly ignores invalid +elements and sorts valid ones based on latency. This change ensures +correct ordering of the C-state latencies. + +Fixes: 65ea8f2c6e23 ("ACPI: processor idle: Fix up C-state latency if not ordered") +Reported-by: Julian Sikorski +Closes: https://lore.kernel.org/lkml/70674dc7-5586-4183-8953-8095567e73df@gmail.com +Signed-off-by: Kuan-Wei Chiu +Tested-by: Julian Sikorski +Cc: All applicable +Link: https://patch.msgid.link/20240701205639.117194-1-visitorckw@gmail.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 37 ++++++++++++++++--------------------- + 1 file changed, 16 insertions(+), 21 deletions(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -16,7 +16,6 @@ + #include + #include + #include /* need_resched() */ +-#include + #include + #include + #include +@@ -388,25 +387,24 @@ static void acpi_processor_power_verify_ + return; + } + +-static int acpi_cst_latency_cmp(const void *a, const void *b) ++static void acpi_cst_latency_sort(struct acpi_processor_cx *states, size_t length) + { +- const struct acpi_processor_cx *x = a, *y = b; ++ int i, j, k; + +- if (!(x->valid && y->valid)) +- return 0; +- if (x->latency > y->latency) +- return 1; +- if (x->latency < y->latency) +- return -1; +- return 0; +-} +-static void acpi_cst_latency_swap(void *a, void *b, int n) +-{ +- struct acpi_processor_cx *x = a, *y = b; ++ for (i = 1; i < length; i++) { ++ if (!states[i].valid) ++ continue; + +- if (!(x->valid && y->valid)) +- return; +- swap(x->latency, y->latency); ++ for (j = i - 1, k = i; j >= 0; j--) { ++ if (!states[j].valid) ++ continue; ++ ++ if (states[j].latency > states[k].latency) ++ swap(states[j].latency, states[k].latency); ++ ++ k = j; ++ } ++ } + } + + static int acpi_processor_power_verify(struct acpi_processor *pr) +@@ -451,10 +449,7 @@ static int acpi_processor_power_verify(s + + if (buggy_latency) { + pr_notice("FW issue: working around C-state latencies out of order\n"); +- sort(&pr->power.states[1], max_cstate, +- sizeof(struct acpi_processor_cx), +- acpi_cst_latency_cmp, +- acpi_cst_latency_swap); ++ acpi_cst_latency_sort(&pr->power.states[1], max_cstate); + } + + lapic_timer_propagate_broadcast(pr); diff --git a/queue-6.1/fix-userfaultfd_api-to-return-einval-as-expected.patch b/queue-6.1/fix-userfaultfd_api-to-return-einval-as-expected.patch new file mode 100644 index 00000000000..dd912b0082f --- /dev/null +++ b/queue-6.1/fix-userfaultfd_api-to-return-einval-as-expected.patch @@ -0,0 +1,65 @@ +From 1723f04caacb32cadc4e063725d836a0c4450694 Mon Sep 17 00:00:00 2001 +From: Audra Mitchell +Date: Wed, 26 Jun 2024 09:05:11 -0400 +Subject: Fix userfaultfd_api to return EINVAL as expected + +From: Audra Mitchell + +commit 1723f04caacb32cadc4e063725d836a0c4450694 upstream. + +Currently if we request a feature that is not set in the Kernel config we +fail silently and return all the available features. However, the man +page indicates we should return an EINVAL. + +We need to fix this issue since we can end up with a Kernel warning should +a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with +the config not set with this feature. + + [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660 + [ 200.820738] Modules linked in: + [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8 + [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022 + [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660 + +Link: https://lkml.kernel.org/r/20240626130513.120193-1-audra@redhat.com +Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") +Signed-off-by: Audra Mitchell +Cc: Al Viro +Cc: Andrea Arcangeli +Cc: Christian Brauner +Cc: Jan Kara +Cc: Mike Rapoport +Cc: Peter Xu +Cc: Rafael Aquini +Cc: Shaohua Li +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/userfaultfd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -1968,7 +1968,7 @@ static int userfaultfd_api(struct userfa + goto out; + features = uffdio_api.features; + ret = -EINVAL; +- if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) ++ if (uffdio_api.api != UFFD_API) + goto err_out; + ret = -EPERM; + if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE)) +@@ -1985,6 +1985,11 @@ static int userfaultfd_api(struct userfa + #ifndef CONFIG_PTE_MARKER_UFFD_WP + uffdio_api.features &= ~UFFD_FEATURE_WP_HUGETLBFS_SHMEM; + #endif ++ ++ ret = -EINVAL; ++ if (features & ~uffdio_api.features) ++ goto err_out; ++ + uffdio_api.ioctls = UFFD_API_IOCTLS; + ret = -EFAULT; + if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) diff --git a/queue-6.1/libceph-fix-race-between-delayed_work-and-ceph_monc_stop.patch b/queue-6.1/libceph-fix-race-between-delayed_work-and-ceph_monc_stop.patch new file mode 100644 index 00000000000..9aa406480b6 --- /dev/null +++ b/queue-6.1/libceph-fix-race-between-delayed_work-and-ceph_monc_stop.patch @@ -0,0 +1,86 @@ +From 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 8 Jul 2024 22:37:29 +0200 +Subject: libceph: fix race between delayed_work() and ceph_monc_stop() + +From: Ilya Dryomov + +commit 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 upstream. + +The way the delayed work is handled in ceph_monc_stop() is prone to +races with mon_fault() and possibly also finish_hunting(). Both of +these can requeue the delayed work which wouldn't be canceled by any of +the following code in case that happens after cancel_delayed_work_sync() +runs -- __close_session() doesn't mess with the delayed work in order +to avoid interfering with the hunting interval logic. This part was +missed in commit b5d91704f53e ("libceph: behave in mon_fault() if +cur_mon < 0") and use-after-free can still ensue on monc and objects +that hang off of it, with monc->auth and monc->monmap being +particularly susceptible to quickly being reused. + +To fix this: + +- clear monc->cur_mon and monc->hunting as part of closing the session + in ceph_monc_stop() +- bail from delayed_work() if monc->cur_mon is cleared, similar to how + it's done in mon_fault() and finish_hunting() (based on monc->hunting) +- call cancel_delayed_work_sync() after the session is closed + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/66857 +Signed-off-by: Ilya Dryomov +Reviewed-by: Xiubo Li +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/mon_client.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -1085,13 +1085,19 @@ static void delayed_work(struct work_str + struct ceph_mon_client *monc = + container_of(work, struct ceph_mon_client, delayed_work.work); + +- dout("monc delayed_work\n"); + mutex_lock(&monc->mutex); ++ dout("%s mon%d\n", __func__, monc->cur_mon); ++ if (monc->cur_mon < 0) { ++ goto out; ++ } ++ + if (monc->hunting) { + dout("%s continuing hunt\n", __func__); + reopen_session(monc); + } else { + int is_auth = ceph_auth_is_authenticated(monc->auth); ++ ++ dout("%s is_authed %d\n", __func__, is_auth); + if (ceph_con_keepalive_expired(&monc->con, + CEPH_MONC_PING_TIMEOUT)) { + dout("monc keepalive timeout\n"); +@@ -1116,6 +1122,8 @@ static void delayed_work(struct work_str + } + } + __schedule_delayed(monc); ++ ++out: + mutex_unlock(&monc->mutex); + } + +@@ -1232,13 +1240,15 @@ EXPORT_SYMBOL(ceph_monc_init); + void ceph_monc_stop(struct ceph_mon_client *monc) + { + dout("stop\n"); +- cancel_delayed_work_sync(&monc->delayed_work); + + mutex_lock(&monc->mutex); + __close_session(monc); ++ monc->hunting = false; + monc->cur_mon = -1; + mutex_unlock(&monc->mutex); + ++ cancel_delayed_work_sync(&monc->delayed_work); ++ + /* + * flush msgr queue before we destroy ourselves to ensure that: + * - any work that references our embedded con is finished. diff --git a/queue-6.1/misc-fastrpc-avoid-updating-pd-type-for-capability-request.patch b/queue-6.1/misc-fastrpc-avoid-updating-pd-type-for-capability-request.patch new file mode 100644 index 00000000000..1ab9d5da42f --- /dev/null +++ b/queue-6.1/misc-fastrpc-avoid-updating-pd-type-for-capability-request.patch @@ -0,0 +1,39 @@ +From bfb6b07d2a30ffe98864d8cfc31fc00470063025 Mon Sep 17 00:00:00 2001 +From: Ekansh Gupta +Date: Fri, 28 Jun 2024 12:44:58 +0100 +Subject: misc: fastrpc: Avoid updating PD type for capability request + +From: Ekansh Gupta + +commit bfb6b07d2a30ffe98864d8cfc31fc00470063025 upstream. + +When user is requesting for DSP capability, the process pd type is +getting updated to USER_PD which is incorrect as DSP will assume the +process which is making the request is a user PD and this will never +get updated back to the original value. The actual PD type should not +be updated for capability request and it should be serviced by the +respective PD on DSP side. Don't change process's PD type for DSP +capability request. + +Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities") +Cc: stable +Signed-off-by: Ekansh Gupta +Reviewed-by: Caleb Connolly +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240628114501.14310-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1523,7 +1523,6 @@ static int fastrpc_get_info_from_dsp(str + args[1].ptr = (u64)(uintptr_t)&dsp_attr_buf[1]; + args[1].length = dsp_attr_buf_len * sizeof(u32); + args[1].fd = -1; +- fl->pd = USER_PD; + + return fastrpc_internal_invoke(fl, true, FASTRPC_DSP_UTILITIES_HANDLE, + FASTRPC_SCALARS(0, 1, 1), args); diff --git a/queue-6.1/misc-fastrpc-copy-the-complete-capability-structure-to-user.patch b/queue-6.1/misc-fastrpc-copy-the-complete-capability-structure-to-user.patch new file mode 100644 index 00000000000..a0feee83a1a --- /dev/null +++ b/queue-6.1/misc-fastrpc-copy-the-complete-capability-structure-to-user.patch @@ -0,0 +1,41 @@ +From e7f0be3f09c6e955dc8009129862b562d8b64513 Mon Sep 17 00:00:00 2001 +From: Ekansh Gupta +Date: Fri, 28 Jun 2024 12:44:57 +0100 +Subject: misc: fastrpc: Copy the complete capability structure to user + +From: Ekansh Gupta + +commit e7f0be3f09c6e955dc8009129862b562d8b64513 upstream. + +User is passing capability ioctl structure(argp) to get DSP +capabilities. This argp is copied to a local structure to get domain +and attribute_id information. After getting the capability, only +capability value is getting copied to user argp which will not be +useful if the use is trying to get the capability by checking the +capability member of fastrpc_ioctl_capability structure. Copy the +complete capability structure so that user can get the capability +value from the expected member of the structure. + +Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities") +Cc: stable +Signed-off-by: Ekansh Gupta +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Caleb Connolly +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20240628114501.14310-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1603,7 +1603,7 @@ static int fastrpc_get_dsp_info(struct f + if (err) + return err; + +- if (copy_to_user(argp, &cap.capability, sizeof(cap.capability))) ++ if (copy_to_user(argp, &cap, sizeof(cap))) + return -EFAULT; + + return 0; diff --git a/queue-6.1/misc-fastrpc-fix-dsp-capabilities-request.patch b/queue-6.1/misc-fastrpc-fix-dsp-capabilities-request.patch new file mode 100644 index 00000000000..ed0ec374485 --- /dev/null +++ b/queue-6.1/misc-fastrpc-fix-dsp-capabilities-request.patch @@ -0,0 +1,67 @@ +From 4cb7915f0a35e2fcc4be60b912c4be35cd830957 Mon Sep 17 00:00:00 2001 +From: Ekansh Gupta +Date: Fri, 28 Jun 2024 12:44:56 +0100 +Subject: misc: fastrpc: Fix DSP capabilities request + +From: Ekansh Gupta + +commit 4cb7915f0a35e2fcc4be60b912c4be35cd830957 upstream. + +The DSP capability request call expects 2 arguments. First is the +information about the total number of attributes to be copied from +DSP and second is the information about the buffer where the DSP +needs to copy the information. The current design is passing the +information about the size to be copied from DSP which would be +considered as a bad argument to the call by DSP causing a failure +suggesting the same. The second argument carries the information +about the buffer where the DSP needs to copy the capability +information and the size to be copied. As the first entry of +capability attribute is getting skipped, same should also be +considered while sending the information to DSP. Add changes to +pass proper arguments to DSP. + +Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities") +Cc: stable +Signed-off-by: Ekansh Gupta +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Caleb Connolly +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20240628114501.14310-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1509,14 +1509,19 @@ static int fastrpc_get_info_from_dsp(str + { + struct fastrpc_invoke_args args[2] = { 0 }; + +- /* Capability filled in userspace */ ++ /* ++ * Capability filled in userspace. This carries the information ++ * about the remoteproc support which is fetched from the remoteproc ++ * sysfs node by userspace. ++ */ + dsp_attr_buf[0] = 0; ++ dsp_attr_buf_len -= 1; + + args[0].ptr = (u64)(uintptr_t)&dsp_attr_buf_len; + args[0].length = sizeof(dsp_attr_buf_len); + args[0].fd = -1; + args[1].ptr = (u64)(uintptr_t)&dsp_attr_buf[1]; +- args[1].length = dsp_attr_buf_len; ++ args[1].length = dsp_attr_buf_len * sizeof(u32); + args[1].fd = -1; + fl->pd = USER_PD; + +@@ -1546,7 +1551,7 @@ static int fastrpc_get_info_from_kernel( + if (!dsp_attributes) + return -ENOMEM; + +- err = fastrpc_get_info_from_dsp(fl, dsp_attributes, FASTRPC_MAX_DSP_ATTRIBUTES_LEN); ++ err = fastrpc_get_info_from_dsp(fl, dsp_attributes, FASTRPC_MAX_DSP_ATTRIBUTES); + if (err == DSP_UNSUPPORTED_API) { + dev_info(&cctx->rpdev->dev, + "Warning: DSP capabilities not supported on domain: %d\n", domain); diff --git a/queue-6.1/series b/queue-6.1/series index be542d79d7d..2ea1aaf354b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -67,3 +67,13 @@ platform-x86-toshiba_acpi-fix-array-out-of-bounds-access.patch alsa-hda-realtek-add-quirk-for-clevo-v50tu.patch alsa-hda-realtek-enable-mute-led-on-hp-250-g7.patch alsa-hda-realtek-limit-mic-boost-on-vaio-pro-px.patch +fix-userfaultfd_api-to-return-einval-as-expected.patch +libceph-fix-race-between-delayed_work-and-ceph_monc_stop.patch +acpi-processor_idle-fix-invalid-comparison-with-insertion-sort-for-latency.patch +wireguard-selftests-use-acpi-off-instead-of-no-acpi-for-recent-qemu.patch +wireguard-allowedips-avoid-unaligned-64-bit-memory-accesses.patch +wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch +wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch +misc-fastrpc-fix-dsp-capabilities-request.patch +misc-fastrpc-avoid-updating-pd-type-for-capability-request.patch +misc-fastrpc-copy-the-complete-capability-structure-to-user.patch diff --git a/queue-6.1/wireguard-allowedips-avoid-unaligned-64-bit-memory-accesses.patch b/queue-6.1/wireguard-allowedips-avoid-unaligned-64-bit-memory-accesses.patch new file mode 100644 index 00000000000..c7d7f7cd931 --- /dev/null +++ b/queue-6.1/wireguard-allowedips-avoid-unaligned-64-bit-memory-accesses.patch @@ -0,0 +1,44 @@ +From 948f991c62a4018fb81d85804eeab3029c6209f8 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 4 Jul 2024 17:45:15 +0200 +Subject: wireguard: allowedips: avoid unaligned 64-bit memory accesses + +From: Helge Deller + +commit 948f991c62a4018fb81d85804eeab3029c6209f8 upstream. + +On the parisc platform, the kernel issues kernel warnings because +swap_endian() tries to load a 128-bit IPv6 address from an unaligned +memory location: + + Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df) + Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc) + +Avoid such unaligned memory accesses by instead using the +get_unaligned_be64() helper macro. + +Signed-off-by: Helge Deller +[Jason: replace src[8] in original patch with src+8] +Cc: stable@vger.kernel.org +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20240704154517.1572127-3-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/allowedips.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireguard/allowedips.c ++++ b/drivers/net/wireguard/allowedips.c +@@ -15,8 +15,8 @@ static void swap_endian(u8 *dst, const u + if (bits == 32) { + *(u32 *)dst = be32_to_cpu(*(const __be32 *)src); + } else if (bits == 128) { +- ((u64 *)dst)[0] = be64_to_cpu(((const __be64 *)src)[0]); +- ((u64 *)dst)[1] = be64_to_cpu(((const __be64 *)src)[1]); ++ ((u64 *)dst)[0] = get_unaligned_be64(src); ++ ((u64 *)dst)[1] = get_unaligned_be64(src + 8); + } + } + diff --git a/queue-6.1/wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch b/queue-6.1/wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch new file mode 100644 index 00000000000..37de034fd24 --- /dev/null +++ b/queue-6.1/wireguard-queueing-annotate-intentional-data-race-in-cpu-round-robin.patch @@ -0,0 +1,73 @@ +From 2fe3d6d2053c57f2eae5e85ca1656d185ebbe4e8 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 4 Jul 2024 17:45:16 +0200 +Subject: wireguard: queueing: annotate intentional data race in cpu round robin + +From: Jason A. Donenfeld + +commit 2fe3d6d2053c57f2eae5e85ca1656d185ebbe4e8 upstream. + +KCSAN reports a race in the CPU round robin function, which, as the +comment points out, is intentional: + + BUG: KCSAN: data-race in wg_packet_send_staged_packets / wg_packet_send_staged_packets + + read to 0xffff88811254eb28 of 4 bytes by task 3160 on cpu 1: + wg_cpumask_next_online drivers/net/wireguard/queueing.h:127 [inline] + wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:173 [inline] + wg_packet_create_data drivers/net/wireguard/send.c:320 [inline] + wg_packet_send_staged_packets+0x60e/0xac0 drivers/net/wireguard/send.c:388 + wg_packet_send_keepalive+0xe2/0x100 drivers/net/wireguard/send.c:239 + wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline] + wg_packet_handshake_receive_worker+0x449/0x5f0 drivers/net/wireguard/receive.c:213 + process_one_work kernel/workqueue.c:3248 [inline] + process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3329 + worker_thread+0x526/0x720 kernel/workqueue.c:3409 + kthread+0x1d1/0x210 kernel/kthread.c:389 + ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + write to 0xffff88811254eb28 of 4 bytes by task 3158 on cpu 0: + wg_cpumask_next_online drivers/net/wireguard/queueing.h:130 [inline] + wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:173 [inline] + wg_packet_create_data drivers/net/wireguard/send.c:320 [inline] + wg_packet_send_staged_packets+0x6e5/0xac0 drivers/net/wireguard/send.c:388 + wg_packet_send_keepalive+0xe2/0x100 drivers/net/wireguard/send.c:239 + wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline] + wg_packet_handshake_receive_worker+0x449/0x5f0 drivers/net/wireguard/receive.c:213 + process_one_work kernel/workqueue.c:3248 [inline] + process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3329 + worker_thread+0x526/0x720 kernel/workqueue.c:3409 + kthread+0x1d1/0x210 kernel/kthread.c:389 + ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + value changed: 0xffffffff -> 0x00000000 + +Mark this race as intentional by using READ/WRITE_ONCE(). + +Cc: stable@vger.kernel.org +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20240704154517.1572127-4-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/queueing.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireguard/queueing.h ++++ b/drivers/net/wireguard/queueing.h +@@ -124,10 +124,10 @@ static inline int wg_cpumask_choose_onli + */ + static inline int wg_cpumask_next_online(int *last_cpu) + { +- int cpu = cpumask_next(*last_cpu, cpu_online_mask); ++ int cpu = cpumask_next(READ_ONCE(*last_cpu), cpu_online_mask); + if (cpu >= nr_cpu_ids) + cpu = cpumask_first(cpu_online_mask); +- *last_cpu = cpu; ++ WRITE_ONCE(*last_cpu, cpu); + return cpu; + } + diff --git a/queue-6.1/wireguard-selftests-use-acpi-off-instead-of-no-acpi-for-recent-qemu.patch b/queue-6.1/wireguard-selftests-use-acpi-off-instead-of-no-acpi-for-recent-qemu.patch new file mode 100644 index 00000000000..a92ec5f84d6 --- /dev/null +++ b/queue-6.1/wireguard-selftests-use-acpi-off-instead-of-no-acpi-for-recent-qemu.patch @@ -0,0 +1,53 @@ +From 2cb489eb8dfc291060516df313ff31f4f9f3d794 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 4 Jul 2024 17:45:14 +0200 +Subject: wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU + +From: Jason A. Donenfeld + +commit 2cb489eb8dfc291060516df313ff31f4f9f3d794 upstream. + +QEMU 9.0 removed -no-acpi, in favor of machine properties, so update the +Makefile to use the correct QEMU invocation. + +Cc: stable@vger.kernel.org +Fixes: b83fdcd9fb8a ("wireguard: selftests: use microvm on x86") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20240704154517.1572127-2-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/wireguard/qemu/Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/wireguard/qemu/Makefile b/tools/testing/selftests/wireguard/qemu/Makefile +index e95bd56b332f..35856b11c143 100644 +--- a/tools/testing/selftests/wireguard/qemu/Makefile ++++ b/tools/testing/selftests/wireguard/qemu/Makefile +@@ -109,9 +109,9 @@ KERNEL_ARCH := x86_64 + KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage + QEMU_VPORT_RESULT := virtio-serial-device + ifeq ($(HOST_ARCH),$(ARCH)) +-QEMU_MACHINE := -cpu host -machine microvm,accel=kvm,pit=off,pic=off,rtc=off -no-acpi ++QEMU_MACHINE := -cpu host -machine microvm,accel=kvm,pit=off,pic=off,rtc=off,acpi=off + else +-QEMU_MACHINE := -cpu max -machine microvm -no-acpi ++QEMU_MACHINE := -cpu max -machine microvm,acpi=off + endif + else ifeq ($(ARCH),i686) + CHOST := i686-linux-musl +@@ -120,9 +120,9 @@ KERNEL_ARCH := x86 + KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage + QEMU_VPORT_RESULT := virtio-serial-device + ifeq ($(subst x86_64,i686,$(HOST_ARCH)),$(ARCH)) +-QEMU_MACHINE := -cpu host -machine microvm,accel=kvm,pit=off,pic=off,rtc=off -no-acpi ++QEMU_MACHINE := -cpu host -machine microvm,accel=kvm,pit=off,pic=off,rtc=off,acpi=off + else +-QEMU_MACHINE := -cpu coreduo -machine microvm -no-acpi ++QEMU_MACHINE := -cpu coreduo -machine microvm,acpi=off + endif + else ifeq ($(ARCH),mips64) + CHOST := mips64-linux-musl +-- +2.45.2 + diff --git a/queue-6.1/wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch b/queue-6.1/wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch new file mode 100644 index 00000000000..29eeb3827ca --- /dev/null +++ b/queue-6.1/wireguard-send-annotate-intentional-data-race-in-checking-empty-queue.patch @@ -0,0 +1,82 @@ +From 381a7d453fa2ac5f854a154d3c9b1bbb90c4f94f Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 4 Jul 2024 17:45:17 +0200 +Subject: wireguard: send: annotate intentional data race in checking empty queue + +From: Jason A. Donenfeld + +commit 381a7d453fa2ac5f854a154d3c9b1bbb90c4f94f upstream. + +KCSAN reports a race in wg_packet_send_keepalive, which is intentional: + + BUG: KCSAN: data-race in wg_packet_send_keepalive / wg_packet_send_staged_packets + + write to 0xffff88814cd91280 of 8 bytes by task 3194 on cpu 0: + __skb_queue_head_init include/linux/skbuff.h:2162 [inline] + skb_queue_splice_init include/linux/skbuff.h:2248 [inline] + wg_packet_send_staged_packets+0xe5/0xad0 drivers/net/wireguard/send.c:351 + wg_xmit+0x5b8/0x660 drivers/net/wireguard/device.c:218 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3564 + __dev_queue_xmit+0xeff/0x1d80 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1592 + neigh_output include/net/neighbour.h:542 [inline] + ip6_finish_output2+0xa66/0xce0 net/ipv6/ip6_output.c:137 + ip6_finish_output+0x1a5/0x490 net/ipv6/ip6_output.c:222 + NF_HOOK_COND include/linux/netfilter.h:303 [inline] + ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:243 + dst_output include/net/dst.h:451 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ndisc_send_skb+0x4a2/0x670 net/ipv6/ndisc.c:509 + ndisc_send_rs+0x3ab/0x3e0 net/ipv6/ndisc.c:719 + addrconf_dad_completed+0x640/0x8e0 net/ipv6/addrconf.c:4295 + addrconf_dad_work+0x891/0xbc0 + process_one_work kernel/workqueue.c:2633 [inline] + process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706 + worker_thread+0x525/0x730 kernel/workqueue.c:2787 + kthread+0x1d7/0x210 kernel/kthread.c:388 + ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 + + read to 0xffff88814cd91280 of 8 bytes by task 3202 on cpu 1: + skb_queue_empty include/linux/skbuff.h:1798 [inline] + wg_packet_send_keepalive+0x20/0x100 drivers/net/wireguard/send.c:225 + wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline] + wg_packet_handshake_receive_worker+0x445/0x5e0 drivers/net/wireguard/receive.c:213 + process_one_work kernel/workqueue.c:2633 [inline] + process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706 + worker_thread+0x525/0x730 kernel/workqueue.c:2787 + kthread+0x1d7/0x210 kernel/kthread.c:388 + ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 + + value changed: 0xffff888148fef200 -> 0xffff88814cd91280 + +Mark this race as intentional by using the skb_queue_empty_lockless() +function rather than skb_queue_empty(), which uses READ_ONCE() +internally to annotate the race. + +Cc: stable@vger.kernel.org +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20240704154517.1572127-5-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/send.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireguard/send.c ++++ b/drivers/net/wireguard/send.c +@@ -222,7 +222,7 @@ void wg_packet_send_keepalive(struct wg_ + { + struct sk_buff *skb; + +- if (skb_queue_empty(&peer->staged_packet_queue)) { ++ if (skb_queue_empty_lockless(&peer->staged_packet_queue)) { + skb = alloc_skb(DATA_PACKET_HEAD_ROOM + MESSAGE_MINIMUM_LENGTH, + GFP_ATOMIC); + if (unlikely(!skb))