From: Sasha Levin
Date: Sun, 24 Jul 2022 03:30:02 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v5.10.133~31
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ba5301400e57f269fe6c760a74c26a590d5f424d;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.19

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.19/be2net-fix-buffer-overflow-in-be_get_module_eeprom.patch b/queue-4.19/be2net-fix-buffer-overflow-in-be_get_module_eeprom.patch
new file mode 100644
index 00000000000..e933aa32060
--- /dev/null
+++ b/queue-4.19/be2net-fix-buffer-overflow-in-be_get_module_eeprom.patch
@@ -0,0 +1,144 @@
+From bf163ce0dd30fda3d9de84f0e9b41f956d60f9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 16 Jul 2022 11:51:34 +0300
+Subject: be2net: Fix buffer overflow in be_get_module_eeprom
+
+From: Hristo Venev
+
+[ Upstream commit d7241f679a59cfe27f92cb5c6272cb429fb1f7ec ]
+
+be_cmd_read_port_transceiver_data assumes that it is given a buffer that
+is at least PAGE_DATA_LEN long, or twice that if the module supports SFF
+8472. However, this is not always the case.
+
+Fix this by passing the desired offset and length to
+be_cmd_read_port_transceiver_data so that we only copy the bytes once.
+
+Fixes: e36edd9d26cf ("be2net: add ethtool "-m" option support")
+Signed-off-by: Hristo Venev
+Link: https://lore.kernel.org/r/20220716085134.6095-1-hristo@venev.name
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 10 +++---
+ drivers/net/ethernet/emulex/benet/be_cmds.h | 2 +-
+ .../net/ethernet/emulex/benet/be_ethtool.c | 31 ++++++++++++-------
+ 3 files changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
+index 1e9d882c04ef..a4a448d97451 100644
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -2291,7 +2291,7 @@ int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num, u32 *state)
+
+ /* Uses sync mcc */
+ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+- u8 page_num, u8 *data)
++ u8 page_num, u32 off, u32 len, u8 *data)
+ {
+ struct be_dma_mem cmd;
+ struct be_mcc_wrb *wrb;
+@@ -2325,10 +2325,10 @@ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+ req->port = cpu_to_le32(adapter->hba_port_num);
+ req->page_num = cpu_to_le32(page_num);
+ status = be_mcc_notify_wait(adapter);
+- if (!status) {
++ if (!status && len > 0) {
+ struct be_cmd_resp_port_type *resp = cmd.va;
+
+- memcpy(data, resp->page_data, PAGE_DATA_LEN);
++ memcpy(data, resp->page_data + off, len);
+ }
+ err:
+ mutex_unlock(&adapter->mcc_lock);
+@@ -2419,7 +2419,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapter)
+ int status;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ switch (adapter->phy.interface_type) {
+ case PHY_TYPE_QSFP:
+@@ -2444,7 +2444,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter)
+ int status;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ strlcpy(adapter->phy.vendor_name, page_data +
+ SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1);
+diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethernet/emulex/benet/be_cmds.h
+index e8b43cf44b6f..f6f9c51a7d47 100644
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.h
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.h
+@@ -2431,7 +2431,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapter, u8 port_num, u8 beacon,
+ int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num,
+ u32 *state);
+ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
+- u8 page_num, u8 *data);
++ u8 page_num, u32 off, u32 len, u8 *data);
+ int be_cmd_query_cable_type(struct be_adapter *adapter);
+ int be_cmd_query_sfp_info(struct be_adapter *adapter);
+ int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *cmd,
+diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+index d1905d50c26c..1c1ac3488da2 100644
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -1342,7 +1342,7 @@ static int be_get_module_info(struct net_device *netdev,
+ return -EOPNOTSUPP;
+
+ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- page_data);
++ 0, PAGE_DATA_LEN, page_data);
+ if (!status) {
+ if (!page_data[SFP_PLUS_SFF_8472_COMP]) {
+ modinfo->type = ETH_MODULE_SFF_8079;
+@@ -1360,25 +1360,32 @@ static int be_get_module_eeprom(struct net_device *netdev,
+ {
+ struct be_adapter *adapter = netdev_priv(netdev);
+ int status;
++ u32 begin, end;
+
+ if (!check_privilege(adapter, MAX_PRIVILEGES))
+ return -EOPNOTSUPP;
+
+- status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
+- data);
+- if (status)
+- goto err;
++ begin = eeprom->offset;
++ end = eeprom->offset + eeprom->len;
++
++ if (begin < PAGE_DATA_LEN) {
++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin,
++ min_t(u32, end, PAGE_DATA_LEN) - begin,
++ data);
++ if (status)
++ goto err;
++
++ data += PAGE_DATA_LEN - begin;
++ begin = PAGE_DATA_LEN;
++ }
+
+- if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) {
+- status = be_cmd_read_port_transceiver_data(adapter,
+- TR_PAGE_A2,
+- data +
+- PAGE_DATA_LEN);
++ if (end > PAGE_DATA_LEN) {
++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2,
++ begin - PAGE_DATA_LEN,
++ end - begin, data);
+ if (status)
+ goto err;
+ }
+- if (eeprom->offset)
+- memcpy(data, data + eeprom->offset, eeprom->len);
+ err:
+ return be_cmd_status(status);
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/i2c-cadence-change-large-transfer-count-reset-logic-.patch b/queue-4.19/i2c-cadence-change-large-transfer-count-reset-logic-.patch
new file mode 100644
index 00000000000..a8bee52b425
--- /dev/null
+++ b/queue-4.19/i2c-cadence-change-large-transfer-count-reset-logic-.patch
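Review bot: In be_get_module_eeprom `status` is still declared as plain `int status;`, and with the new structure a request for which neither `begin < PAGE_DATA_LEN` nor `end > PAGE_DATA_LEN` holds (zero length at the page boundary, or a u32 wrap in `eeprom->offset + eeprom->len`) falls through to `be_cmd_status(status)` with an indeterminate value; `int status = 0;` closes that. The ethtool core may already reject such requests, but nothing in this hunk shows it. The same trust applies to be_cmd_read_port_transceiver_data, whose `memcpy(data, resp->page_data + off, len)` now takes caller-supplied bounds with no check next to the copy; an early `if (off > PAGE_DATA_LEN || len > PAGE_DATA_LEN - off) return -EINVAL;` would keep the read inside the response page regardless of the caller.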
@@ -0,0 +1,111 @@
+From 469a094b7c692e215a3c0dcf82a5a97c41f1aa9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Jun 2022 17:29:19 -0600
+Subject: i2c: cadence: Change large transfer count reset logic to be
+ unconditional
+
+From: Robert Hancock
+
+[ Upstream commit 4ca8ca873d454635c20d508261bfc0081af75cf8 ]
+
+Problems were observed on the Xilinx ZynqMP platform with large I2C reads.
+When a read of 277 bytes was performed, the controller NAKed the transfer
+after only 252 bytes were transferred and returned an ENXIO error on the
+transfer.
+
+There is some code in cdns_i2c_master_isr to handle this case by resetting
+the transfer count in the controller before it reaches 0, to allow larger
+transfers to work, but it was conditional on the CDNS_I2C_BROKEN_HOLD_BIT
+quirk being set on the controller, and ZynqMP uses the r1p14 version of
+the core where this quirk is not being set. The requirement to do this to
+support larger reads seems like an inherently required workaround due to
+the core only having an 8-bit transfer size register, so it does not
+appear that this should be conditional on the broken HOLD bit quirk which
+is used elsewhere in the driver.
+
+Remove the dependency on the CDNS_I2C_BROKEN_HOLD_BIT for this transfer
+size reset logic to fix this problem.
+
+Fixes: 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq Ultrascale+ MPSoC")
+Signed-off-by: Robert Hancock
+Reviewed-by: Shubhrajyoti Datta
+Acked-by: Michal Simek
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-cadence.c | 30 +++++-------------------------
+ 1 file changed, 5 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 273f57e277b3..512c61d31fe5 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -203,9 +203,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *id, bool hold_wrkaround)
+ */
+ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ {
+- unsigned int isr_status, avail_bytes, updatetx;
++ unsigned int isr_status, avail_bytes;
+ unsigned int bytes_to_send;
+- bool hold_quirk;
++ bool updatetx;
+ struct cdns_i2c *id = ptr;
+ /* Signal completion only after everything is updated */
+ int done_flag = 0;
+@@ -224,11 +224,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ * Check if transfer size register needs to be updated again for a
+ * large data receive operation.
+ */
+- updatetx = 0;
+- if (id->recv_count > id->curr_recv_count)
+- updatetx = 1;
+-
+- hold_quirk = (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx;
++ updatetx = id->recv_count > id->curr_recv_count;
+
+ /* When receiving, handle data interrupt and completion interrupt */
+ if (id->p_recv_buf &&
+@@ -251,7 +247,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ id->recv_count--;
+ id->curr_recv_count--;
+
+- if (cdns_is_holdquirk(id, hold_quirk))
++ if (cdns_is_holdquirk(id, updatetx))
+ break;
+ }
+
+@@ -262,7 +258,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ * maintain transfer size non-zero while performing a large
+ * receive operation.
+ */
+- if (cdns_is_holdquirk(id, hold_quirk)) {
++ if (cdns_is_holdquirk(id, updatetx)) {
+ /* wait while fifo is full */
+ while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) !=
+ (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH))
+@@ -284,22 +280,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ CDNS_I2C_XFER_SIZE_OFFSET);
+ id->curr_recv_count = id->recv_count;
+ }
+- } else if (id->recv_count && !hold_quirk &&
+- !id->curr_recv_count) {
+-
+- /* Set the slave address in address register*/
+- cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK,
+- CDNS_I2C_ADDR_OFFSET);
+-
+- if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) {
+- cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE,
+- CDNS_I2C_XFER_SIZE_OFFSET);
+- id->curr_recv_count = CDNS_I2C_TRANSFER_SIZE;
+- } else {
+- cdns_i2c_writereg(id->recv_count,
+- CDNS_I2C_XFER_SIZE_OFFSET);
+- id->curr_recv_count = id->recv_count;
+- }
+ }
+
+ /* Clear hold (if not repeated start) and signal completion */
+--
+2.35.1
+
diff --git a/queue-4.19/igmp-fix-a-data-race-around-sysctl_igmp_max_membersh.patch b/queue-4.19/igmp-fix-a-data-race-around-sysctl_igmp_max_membersh.patch
new file mode 100644
index 00000000000..40eedc1292e
--- /dev/null
+++ b/queue-4.19/igmp-fix-a-data-race-around-sysctl_igmp_max_membersh.patch
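Review bot: The polling loop kept as context in the fourth inner hunk, `while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) != (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH))`, has no visible iteration limit, and with the quirk test dropped it is now reached from the interrupt handler on every controller revision whenever `updatetx` is true. If the register never reaches the expected value the CPU spins in interrupt context; the loop body lies outside the hunk, so a bound may exist there, but if not, a capped retry count that fails the transfer would be safer. cdns_is_holdquirk() and its `hold_wrkaround` parameter also no longer describe what is passed in, so a rename or a one-line comment at the two call sites would help the next reader.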
@@ -0,0 +1,36 @@
+From 69676f74f5550533c4929cfbfbbccb36d01d891a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:42 -0700
+Subject: igmp: Fix a data-race around sysctl_igmp_max_memberships.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6305d821e3b9b5379d348528e5b5faf316383bc2 ]
+
+While reading sysctl_igmp_max_memberships, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 957e1170a8a3..b831825f234f 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2212,7 +2212,7 @@ static int __ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr,
+ count++;
+ }
+ err = -ENOBUFS;
+- if (count >= net->ipv4.sysctl_igmp_max_memberships)
++ if (count >= READ_ONCE(net->ipv4.sysctl_igmp_max_memberships))
+ goto done;
+ iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL);
+ if (!iml)
+--
+2.35.1
+
diff --git a/queue-4.19/igmp-fix-data-races-around-sysctl_igmp_llm_reports.patch b/queue-4.19/igmp-fix-data-races-around-sysctl_igmp_llm_reports.patch
new file mode 100644
index 00000000000..09bb9c24810
--- /dev/null
+++ b/queue-4.19/igmp-fix-data-races-around-sysctl_igmp_llm_reports.patch
@@ -0,0 +1,110 @@
+From d3c46be3759c3914d5f16674f8304d78e512d7a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:41 -0700
+Subject: igmp: Fix data-races around sysctl_igmp_llm_reports.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit f6da2267e71106474fbc0943dc24928b9cb79119 ]
+
+While reading sysctl_igmp_llm_reports, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+This test can be packed into a helper, so such changes will be in the
+follow-up series after net is merged into net-next.
+
+ if (ipv4_is_local_multicast(pmc->multiaddr) &&
+ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+
+Fixes: df2cf4a78e48 ("IGMP: Inhibit reports for local multicast groups")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/igmp.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index ee179e08dd20..957e1170a8a3 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -471,7 +471,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
+
+ if (pmc->multiaddr == IGMP_ALL_HOSTS)
+ return skb;
+- if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
++ if (ipv4_is_local_multicast(pmc->multiaddr) &&
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ return skb;
+
+ mtu = READ_ONCE(dev->mtu);
+@@ -597,7 +598,7 @@ static int igmpv3_send_report(struct in_device *in_dev, struct ip_mc_list *pmc)
+ if (pmc->multiaddr == IGMP_ALL_HOSTS)
+ continue;
+ if (ipv4_is_local_multicast(pmc->multiaddr) &&
+- !net->ipv4.sysctl_igmp_llm_reports)
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ continue;
+ spin_lock_bh(&pmc->lock);
+ if (pmc->sfcount[MCAST_EXCLUDE])
+@@ -740,7 +741,8 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
+ return igmpv3_send_report(in_dev, pmc);
+
+- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports)
++ if (ipv4_is_local_multicast(group) &&
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ return 0;
+
+ if (type == IGMP_HOST_LEAVE_MESSAGE)
+@@ -924,7 +926,8 @@ static bool igmp_heard_report(struct in_device *in_dev, __be32 group)
+
+ if (group == IGMP_ALL_HOSTS)
+ return false;
+- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports)
++ if (ipv4_is_local_multicast(group) &&
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ return false;
+
+ rcu_read_lock();
+@@ -1049,7 +1052,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ if (im->multiaddr == IGMP_ALL_HOSTS)
+ continue;
+ if (ipv4_is_local_multicast(im->multiaddr) &&
+- !net->ipv4.sysctl_igmp_llm_reports)
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ continue;
+ spin_lock_bh(&im->lock);
+ if (im->tm_running)
+@@ -1299,7 +1302,8 @@ static void igmp_group_dropped(struct ip_mc_list *im)
+ #ifdef CONFIG_IP_MULTICAST
+ if (im->multiaddr == IGMP_ALL_HOSTS)
+ return;
+- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
++ if (ipv4_is_local_multicast(im->multiaddr) &&
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ return;
+
+ reporter = im->reporter;
+@@ -1336,7 +1340,8 @@ static void igmp_group_added(struct ip_mc_list *im)
+ #ifdef CONFIG_IP_MULTICAST
+ if (im->multiaddr == IGMP_ALL_HOSTS)
+ return;
+- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
++ if (ipv4_is_local_multicast(im->multiaddr) &&
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ return;
+
+ if (in_dev->dead)
+@@ -1657,7 +1662,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_dev)
+ if (im->multiaddr == IGMP_ALL_HOSTS)
+ continue;
+ if (ipv4_is_local_multicast(im->multiaddr) &&
+- !net->ipv4.sysctl_igmp_llm_reports)
++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
+ continue;
+
+ /* a failover is happening and switches
+--
+2.35.1
+
diff --git a/queue-4.19/ip-fix-a-data-race-around-sysctl_fwmark_reflect.patch b/queue-4.19/ip-fix-a-data-race-around-sysctl_fwmark_reflect.patch
new file mode 100644
index 00000000000..609341e86bc
--- /dev/null
+++ b/queue-4.19/ip-fix-a-data-race-around-sysctl_fwmark_reflect.patch
@@ -0,0 +1,36 @@
+From 27f7f15a9d682b539e0cdeb654aadf43e501456f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:51:57 -0700
+Subject: ip: Fix a data-race around sysctl_fwmark_reflect.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 85d0b4dbd74b95cc492b1f4e34497d3f894f5d9a ]
+
+While reading sysctl_fwmark_reflect, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/ip.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 471463bfe6f9..0f820e68bd8f 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -341,7 +341,7 @@ void ipfrag_init(void);
+ void ip_static_sysctl_init(void);
+
+ #define IP4_REPLY_MARK(net, mark) \
+- ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0)
++ (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0)
+
+ static inline bool ip_is_fragment(const struct iphdr *iph)
+ {
+--
+2.35.1
+
diff --git a/queue-4.19/ip-fix-data-races-around-sysctl_ip_fwd_use_pmtu.patch b/queue-4.19/ip-fix-data-races-around-sysctl_ip_fwd_use_pmtu.patch
new file mode 100644
index 00000000000..28b20a3123f
--- /dev/null
+++ b/queue-4.19/ip-fix-data-races-around-sysctl_ip_fwd_use_pmtu.patch
@@ -0,0 +1,50 @@
+From 671c51c18de913278a476d583666a50454248e54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:51:53 -0700
+Subject: ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 60c158dc7b1f0558f6cadd5b50d0386da0000d50 ]
+
+While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: f87c10a8aa1e ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/ip.h | 2 +-
+ net/ipv4/route.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index d1a4efedbc03..471463bfe6f9 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -402,7 +402,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
+ struct net *net = dev_net(dst->dev);
+ unsigned int mtu;
+
+- if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
++ if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
+ ip_mtu_locked(dst) ||
+ !forwarding)
+ return dst_mtu(dst);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index d7f17581df7d..57e2316529d0 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1419,7 +1419,7 @@ u32 ip_mtu_from_fib_result(struct fib_result *res, __be32 daddr)
+ struct net_device *dev = nh->nh_dev;
+ u32 mtu = 0;
+
+- if (dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu ||
++ if (READ_ONCE(dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu) ||
+ fi->fib_metrics->metrics[RTAX_LOCK - 1] & (1 << RTAX_MTU))
+ mtu = fi->fib_mtu;
+
+--
+2.35.1
+
diff --git a/queue-4.19/ip-fix-data-races-around-sysctl_ip_nonlocal_bind.patch b/queue-4.19/ip-fix-data-races-around-sysctl_ip_nonlocal_bind.patch
new file mode 100644
index 00000000000..833f3976baf
--- /dev/null
+++ b/queue-4.19/ip-fix-data-races-around-sysctl_ip_nonlocal_bind.patch
@@ -0,0 +1,50 @@
+From c0f51f7cbe2a7480181270867d8d951c1e398463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:51:55 -0700
+Subject: ip: Fix data-races around sysctl_ip_nonlocal_bind.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 289d3b21fb0bfc94c4e98f10635bba1824e5f83c ]
+
+While reading sysctl_ip_nonlocal_bind, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/inet_sock.h | 2 +-
+ net/sctp/protocol.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index a80fd0ac4563..e3d943813ff8 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -357,7 +357,7 @@ static inline bool inet_get_convert_csum(struct sock *sk)
+ static inline bool inet_can_nonlocal_bind(struct net *net,
+ struct inet_sock *inet)
+ {
+- return net->ipv4.sysctl_ip_nonlocal_bind ||
++ return READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind) ||
+ inet->freebind || inet->transparent;
+ }
+
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index 7207a9769f1a..8db8209c5b61 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -373,7 +373,7 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp)
+ if (addr->v4.sin_addr.s_addr != htonl(INADDR_ANY) &&
+ ret != RTN_LOCAL &&
+ !sp->inet.freebind &&
+- !net->ipv4.sysctl_ip_nonlocal_bind)
++ !READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind))
+ return 0;
+
+ if (ipv6_only_sock(sctp_opt2sk(sp)))
+--
+2.35.1
+
diff --git a/queue-4.19/net-stmmac-fix-dma-queue-left-shift-overflow-issue.patch b/queue-4.19/net-stmmac-fix-dma-queue-left-shift-overflow-issue.patch
new file mode 100644
index 00000000000..c8f2d9d515b
--- /dev/null
+++ b/queue-4.19/net-stmmac-fix-dma-queue-left-shift-overflow-issue.patch
@@ -0,0 +1,82 @@
+From 23e15610d779e75d1fe8f5cad74bec111a052915 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 15:47:01 +0800
+Subject: net: stmmac: fix dma queue left shift overflow issue
+
+From: Junxiao Chang
+
+[ Upstream commit 613b065ca32e90209024ec4a6bb5ca887ee70980 ]
+
+When queue number is > 4, left shift overflows due to 32 bits
+integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
+
+If CONFIG_UBSAN is enabled, kernel dumps below warning:
+[ 10.363842] ==================================================================
+[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
+linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
+[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
+[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
+[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
+[ 10.363958] Call Trace:
+[ 10.363960]
+[ 10.363963] dump_stack_lvl+0x4a/0x5f
+[ 10.363971] dump_stack+0x10/0x12
+[ 10.363974] ubsan_epilogue+0x9/0x45
+[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
+[ 10.363979] ? wake_up_klogd+0x4a/0x50
+[ 10.363983] ? vprintk_emit+0x8f/0x240
+[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
+[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
+[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
+[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
+[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
+[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
+[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
+[ 10.364050] __dev_open+0xf0/0x1a0
+[ 10.364054] __dev_change_flags+0x188/0x1f0
+[ 10.364057] dev_change_flags+0x26/0x60
+[ 10.364059] do_setlink+0x908/0xc40
+[ 10.364062] ? do_setlink+0xb10/0xc40
+[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
+[ 10.364068] __rtnl_newlink+0x597/0xa10
+[ 10.364072] ? __nla_reserve+0x41/0x50
+[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
+[ 10.364079] ? pskb_expand_head+0x75/0x310
+[ 10.364082] ? nla_reserve_64bit+0x21/0x40
+[ 10.364086] ? skb_free_head+0x65/0x80
+[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
+[ 10.364094] ? __cond_resched+0x19/0x30
+[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
+[ 10.364100] rtnl_newlink+0x49/0x70
+
+This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
+mapping warning.
+
+Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
+Reported-by: Cedric Wassenaar
+Signed-off-by: Junxiao Chang
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index bc8871e7351f..00b6af0b2f3a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -222,6 +222,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
+ if (queue == 0 || queue == 4) {
+ value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
+ value |= MTL_RXQ_DMA_Q04MDMACH(chan);
++ } else if (queue > 4) {
++ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
++ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
+ } else {
+ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
+ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
+--
+2.35.1
+
diff --git a/queue-4.19/net-tls-fix-race-in-tls-device-down-flow.patch b/queue-4.19/net-tls-fix-race-in-tls-device-down-flow.patch
new file mode 100644
index 00000000000..5b0b77d2edd
--- /dev/null
+++ b/queue-4.19/net-tls-fix-race-in-tls-device-down-flow.patch
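Review bot: The new `else if (queue > 4)` branch rebases the field index with `queue - 4`, but nothing in the hunk bounds `queue` from above, so a value of 8 or more would give an index of 4 or more and, going by the UBSAN report in the commit message (exponent 40, which looks like eight bits per queue), an out-of-range shift again. If callers guarantee at most eight RX queues, say so in a comment above the branch; otherwise a guard such as `if (WARN_ON_ONCE(queue > 7)) return;` before the register update would make the limit explicit. The function begins and ends outside the hunk, so how the MAP0/MAP1 register is selected is not visible here.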
@@ -0,0 +1,72 @@
+From 572016ab29279c28a122fea07b264ec2ab4d99a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 11:42:16 +0300
+Subject: net/tls: Fix race in TLS device down flow
+
+From: Tariq Toukan
+
+[ Upstream commit f08d8c1bb97c48f24a82afaa2fd8c140f8d3da8b ]
+
+Socket destruction flow and tls_device_down function sync against each
+other using tls_device_lock and the context refcount, to guarantee the
+device resources are freed via tls_dev_del() by the end of
+tls_device_down.
+
+In the following unfortunate flow, this won't happen:
+- refcount is decreased to zero in tls_device_sk_destruct.
+- tls_device_down starts, skips the context as refcount is zero, going
+ all the way until it flushes the gc work, and returns without freeing
+ the device resources.
+- only then, tls_device_queue_ctx_destruction is called, queues the gc
+ work and frees the context's device resources.
+
+Solve it by decreasing the refcount in the socket's destruction flow
+under the tls_device_lock, for perfect synchronization. This does not
+slow down the common likely destructor flow, in which both the refcount
+is decreased and the spinlock is acquired, anyway.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Reviewed-by: Maxim Mikityanskiy
+Signed-off-by: Tariq Toukan
+Reviewed-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tls/tls_device.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index 228e3ce48d43..b290eb3ae155 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -110,13 +110,16 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
+ unsigned long flags;
+
+ spin_lock_irqsave(&tls_device_lock, flags);
++ if (unlikely(!refcount_dec_and_test(&ctx->refcount)))
++ goto unlock;
++
+ list_move_tail(&ctx->list, &tls_device_gc_list);
+
+ /* schedule_work inside the spinlock
+ * to make sure tls_device_down waits for that work.
+ */
+ schedule_work(&tls_device_gc_work);
+-
++unlock:
+ spin_unlock_irqrestore(&tls_device_lock, flags);
+ }
+
+@@ -214,8 +217,7 @@ void tls_device_sk_destruct(struct sock *sk)
+ clean_acked_data_disable(inet_csk(sk));
+ }
+
+- if (refcount_dec_and_test(&tls_ctx->refcount))
+- tls_device_queue_ctx_destruction(tls_ctx);
++ tls_device_queue_ctx_destruction(tls_ctx);
+ }
+ EXPORT_SYMBOL(tls_device_sk_destruct);
+
+--
+2.35.1
+
diff --git a/queue-4.19/perf-core-fix-data-race-between-perf_event_set_outpu.patch b/queue-4.19/perf-core-fix-data-race-between-perf_event_set_outpu.patch
new file mode 100644
index 00000000000..a59e35152aa
--- /dev/null
+++ b/queue-4.19/perf-core-fix-data-race-between-perf_event_set_outpu.patch
@@ -0,0 +1,167 @@
+From 1d7d0c7f615c72ba028e444ff06c83a499bd96f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Jul 2022 15:07:26 +0200
+Subject: perf/core: Fix data race between perf_event_set_output() and
+ perf_mmap_close()
+
+From: Peter Zijlstra
+
+[ Upstream commit 68e3c69803dada336893640110cb87221bb01dcf ]
+
+Yang Jihing reported a race between perf_event_set_output() and
+perf_mmap_close():
+
+ CPU1 CPU2
+
+ perf_mmap_close(e2)
+ if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
+ detach_rest = true
+
+ ioctl(e1, IOC_SET_OUTPUT, e2)
+ perf_event_set_output(e1, e2)
+
+ ...
+ list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
+ ring_buffer_attach(e, NULL);
+ // e1 isn't yet added and
+ // therefore not detached
+
+ ring_buffer_attach(e1, e2->rb)
+ list_add_rcu(&e1->rb_entry,
+ &e2->rb->event_list)
+
+After this; e1 is attached to an unmapped rb and a subsequent
+perf_mmap() will loop forever more:
+
+ again:
+ mutex_lock(&e->mmap_mutex);
+ if (event->rb) {
+ ...
+ if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
+ ...
+ mutex_unlock(&e->mmap_mutex);
+ goto again;
+ }
+ }
+
+The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
+in perf_event_set_output() holds e1->mmap_mutex. As such there is no
+serialization to avoid this race.
+
+Change perf_event_set_output() to take both e1->mmap_mutex and
+e2->mmap_mutex to alleviate that problem. Additionally, have the loop
+in perf_mmap() detach the rb directly, this avoids having to wait for
+the concurrent perf_mmap_close() to get around to doing it to make
+progress.
+
+Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole")
+Reported-by: Yang Jihong
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Yang Jihong
+Link: https://lkml.kernel.org/r/YsQ3jm2GR38SW7uD@worktop.programming.kicks-ass.net
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 45 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 88dd1398ae88..ba66ea3ca705 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5719,10 +5719,10 @@ static int perf_mmap(struct file *file, struct vm_area_struct *vma)
+
+ if (!atomic_inc_not_zero(&event->rb->mmap_count)) {
+ /*
+- * Raced against perf_mmap_close() through
+- * perf_event_set_output(). Try again, hope for better
+- * luck.
++ * Raced against perf_mmap_close(); remove the
++ * event and try again.
+ */
++ ring_buffer_attach(event, NULL);
+ mutex_unlock(&event->mmap_mutex);
+ goto again;
+ }
+@@ -10396,14 +10396,25 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
+ goto out;
+ }
+
++static void mutex_lock_double(struct mutex *a, struct mutex *b)
++{
++ if (b < a)
++ swap(a, b);
++
++ mutex_lock(a);
++ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
++}
++
+ static int
+ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ {
+ struct ring_buffer *rb = NULL;
+ int ret = -EINVAL;
+
+- if (!output_event)
++ if (!output_event) {
++ mutex_lock(&event->mmap_mutex);
+ goto set;
++ }
+
+ /* don't allow circular references */
+ if (event == output_event)
+@@ -10441,8 +10452,15 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ event->pmu != output_event->pmu)
+ goto out;
+
++ /*
++ * Hold both mmap_mutex to serialize against perf_mmap_close(). Since
++ * output_event is already on rb->event_list, and the list iteration
++ * restarts after every removal, it is guaranteed this new event is
++ * observed *OR* if output_event is already removed, it's guaranteed we
++ * observe !rb->mmap_count.
++ */
++ mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex);
+ set:
+- mutex_lock(&event->mmap_mutex);
+ /* Can't redirect output if we've got an active mmap() */
+ if (atomic_read(&event->mmap_count))
+ goto unlock;
+@@ -10452,6 +10470,12 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ rb = ring_buffer_get(output_event);
+ if (!rb)
+ goto unlock;
++
++ /* did we race against perf_mmap_close() */
++ if (!atomic_read(&rb->mmap_count)) {
++ ring_buffer_put(rb);
++ goto unlock;
++ }
+ }
+
+ ring_buffer_attach(event, rb);
+@@ -10459,20 +10483,13 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
+ ret = 0;
+ unlock:
+ mutex_unlock(&event->mmap_mutex);
++ if (output_event)
++ mutex_unlock(&output_event->mmap_mutex);
+
+ out:
+ return ret;
+ }
+
+-static void mutex_lock_double(struct mutex *a, struct mutex *b)
+-{
+- if (b < a)
+- swap(a, b);
+-
+- mutex_lock(a);
+- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+-}
+-
+ static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id)
+ {
+ bool nmi_safe = false;
+--
+2.35.1
+
diff --git a/queue-4.19/pinctrl-ralink-check-for-null-return-of-devm_kcalloc.patch b/queue-4.19/pinctrl-ralink-check-for-null-return-of-devm_kcalloc.patch
new file mode 100644
index 00000000000..c22b41e105b
--- /dev/null
+++ b/queue-4.19/pinctrl-ralink-check-for-null-return-of-devm_kcalloc.patch
@@ -0,0 +1,43 @@
+From 7e9f9a07c95bb9ff919427900b100af0d37114a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Jul 2022 23:49:22 +0800
+Subject: pinctrl: ralink: Check for null return of devm_kcalloc
+
+From: William Dean
+
+[ Upstream commit c3b821e8e406d5650e587b7ac624ac24e9b780a8 ]
+
+Because of the possible failure of the allocation, data->domains might
+be NULL pointer and will cause the dereference of the NULL pointer
+later.
+Therefore, it might be better to check it and directly return -ENOMEM
+without releasing data manually if fails, because the comment of the
+devm_kmalloc() says "Memory allocated with this function is
+automatically freed on driver detach.".
+
+Fixes: a86854d0c599b ("treewide: devm_kzalloc() -> devm_kcalloc()")
+Reported-by: Hacash Robot
+Signed-off-by: William Dean
+Link: https://lore.kernel.org/r/20220710154922.2610876-1-williamsukatube@163.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
+index ad811c0438cc..031526cb1b21 100644
+--- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
++++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
+@@ -267,6 +267,8 @@ static int rt2880_pinmux_pins(struct rt2880_priv *p)
+ p->func[i]->pin_count,
+ sizeof(int),
+ GFP_KERNEL);
++ if (!p->func[i]->pins)
++ return -ENOMEM;
+ for (j = 0; j < p->func[i]->pin_count; j++)
+ p->func[i]->pins[j] = p->func[i]->pin_first + j;
+
+--
+2.35.1
+
diff --git a/queue-4.19/power-reset-arm-versatile-fix-refcount-leak-in-versa.patch b/queue-4.19/power-reset-arm-versatile-fix-refcount-leak-in-versa.patch
new file mode 100644
index 00000000000..bea93042e13
--- /dev/null
+++ b/queue-4.19/power-reset-arm-versatile-fix-refcount-leak-in-versa.patch
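Review bot: The added `if (!p->func[i]->pins) return -ENOMEM;` in rt2880_pinmux_pins() closes the NULL dereference only if the caller acts on the new error return, and that caller is not part of this hunk, so it should be confirmed against the 4.19 tree before the backport is relied on. The patch description also talks about `data->domains` and devm_kmalloc(), while the code checks `p->func[i]->pins`, which the context lines suggest comes from a devm_kcalloc() call; the text looks carried over from a sibling patch and a wording such as `p->func[i]->pins might be a NULL pointer` would match the change. rt2880_pinmux_pins() starts and ends outside the hunk.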
@@ -0,0 +1,38 @@
+From 8dcfaf78f44e74032ebeb2f7b63dbc843a07ff60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 18:10:09 +0400
+Subject: power/reset: arm-versatile: Fix refcount leak in
+ versatile_reboot_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 80192eff64eee9b3bc0594a47381937b94b9d65a ]
+
+of_find_matching_node_and_match() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 0e545f57b708 ("power: reset: driver for the Versatile syscon reboot")
+Signed-off-by: Miaoqian Lin
+Reviewed-by: Linus Walleij
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/reset/arm-versatile-reboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/reset/arm-versatile-reboot.c
+index 06d34ab47df5..8022c782f6ff 100644
+--- a/drivers/power/reset/arm-versatile-reboot.c
++++ b/drivers/power/reset/arm-versatile-reboot.c
+@@ -150,6 +150,7 @@ static int __init versatile_reboot_probe(void)
+ versatile_reboot_type = (enum versatile_reboot)reboot_id->data;
+
+ syscon_regmap = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(syscon_regmap))
+ return PTR_ERR(syscon_regmap);
+
+--
+2.35.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 7345481d99d..393536c5045 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,32 @@
 riscv-add-as-options-for-modules-with-assembly-compontents.patch
 xen-gntdev-ignore-failure-to-unmap-invalid_grant_handle.patch
+xfrm-xfrm_policy-fix-a-possible-double-xfrm_pols_put.patch
+power-reset-arm-versatile-fix-refcount-leak-in-versa.patch
+pinctrl-ralink-check-for-null-return-of-devm_kcalloc.patch
+perf-core-fix-data-race-between-perf_event_set_outpu.patch
+ip-fix-data-races-around-sysctl_ip_fwd_use_pmtu.patch
+ip-fix-data-races-around-sysctl_ip_nonlocal_bind.patch
+ip-fix-a-data-race-around-sysctl_fwmark_reflect.patch
+tcp-dccp-fix-a-data-race-around-sysctl_tcp_fwmark_ac.patch
+tcp-fix-data-races-around-sysctl_tcp_mtu_probing.patch
+tcp-fix-a-data-race-around-sysctl_tcp_probe_threshol.patch
+tcp-fix-a-data-race-around-sysctl_tcp_probe_interval.patch
+i2c-cadence-change-large-transfer-count-reset-logic-.patch
+net-stmmac-fix-dma-queue-left-shift-overflow-issue.patch
+net-tls-fix-race-in-tls-device-down-flow.patch
+igmp-fix-data-races-around-sysctl_igmp_llm_reports.patch
+igmp-fix-a-data-race-around-sysctl_igmp_max_membersh.patch
+tcp-fix-data-races-around-sysctl_tcp_reordering.patch
+tcp-fix-data-races-around-some-timeout-sysctl-knobs.patch
+tcp-fix-a-data-race-around-sysctl_tcp_notsent_lowat.patch
+tcp-fix-a-data-race-around-sysctl_tcp_tw_reuse.patch
+tcp-fix-data-races-around-sysctl_tcp_fastopen.patch
+be2net-fix-buffer-overflow-in-be_get_module_eeprom.patch
+tcp-fix-a-data-race-around-sysctl_tcp_early_retrans.patch
+tcp-fix-data-races-around-sysctl_tcp_recovery.patch
+tcp-fix-a-data-race-around-sysctl_tcp_thin_linear_ti.patch
+tcp-fix-data-races-around-sysctl_tcp_slow_start_afte.patch
+tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch
+tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch
+tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch
+tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch
diff --git a/queue-4.19/tcp-dccp-fix-a-data-race-around-sysctl_tcp_fwmark_ac.patch b/queue-4.19/tcp-dccp-fix-a-data-race-around-sysctl_tcp_fwmark_ac.patch
new file mode 100644
index 00000000000..446c8444f9e
--- /dev/null
+++ b/queue-4.19/tcp-dccp-fix-a-data-race-around-sysctl_tcp_fwmark_ac.patch
@@ -0,0 +1,37 @@
+From 1a884e332592b08bdb6bb33c1dadb154f91194a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:51:58 -0700
+Subject: tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 1a0008f9df59451d0a17806c1ee1a19857032fa8 ]
+
+While reading sysctl_tcp_fwmark_accept, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/inet_sock.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index e3d943813ff8..d5552ff1d361 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -111,7 +111,8 @@ static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk)
+
+ static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff *skb)
+ {
+- if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
++ if (!sk->sk_mark &&
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept))
+ return skb->mark;
+
+ return sk->sk_mark;
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_early_retrans.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_early_retrans.patch
new file mode 100644
index 00000000000..c2e6a73f894
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_early_retrans.patch
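Review bot: inet_request_mark() still loads `sk->sk_mark` twice with plain reads, once in the test and once in the final `return sk->sk_mark;`, so after this change only the sysctl half of the condition is annotated. If sk_mark can be written while this helper runs (presumably through a socket option on the listener; that writer is not shown here), the value tested and the value returned can differ. Reading it once with `u32 mark = READ_ONCE(sk->sk_mark);` and using `mark` in both places would keep the function consistent with the annotation this patch adds.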
@@ -0,0 +1,36 @@
+From b97b0fd5899c708bf6b80909857fb41a63a98f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:45 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_early_retrans.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 52e65865deb6a36718a463030500f16530eaab74 ]
+
+While reading sysctl_tcp_early_retrans, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: eed530b6c676 ("tcp: early retransmit")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 3d5ea169e905..8dcb9484a20c 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2454,7 +2454,7 @@ bool tcp_schedule_loss_probe(struct sock *sk, bool advancing_rto)
+ if (tp->fastopen_rsk)
+ return false;
+
+- early_retrans = sock_net(sk)->ipv4.sysctl_tcp_early_retrans;
++ early_retrans = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_early_retrans);
+ /* Schedule a loss probe in 2*RTT for SACK capable connections
+ * not in loss recovery, that are either limited by cwnd or application.
+ */
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_notsent_lowat.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_notsent_lowat.patch
new file mode 100644
index 00000000000..ddffeb7dfc2
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_notsent_lowat.patch
@@ -0,0 +1,36 @@
+From 428deae105783ed7e3305baea336feee90f5657e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:51 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 55be873695ed8912eb77ff46d1d1cadf028bd0f3 ]
+
+While reading sysctl_tcp_notsent_lowat, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index f92b93cf074c..9b1bf1567861 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1876,7 +1876,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
+ static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
+- return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat;
++ return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
+ }
+
+ static inline bool tcp_stream_memory_free(const struct sock *sk)
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_interval.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_interval.patch
new file mode 100644
index 00000000000..78672298f98
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_interval.patch
@@ -0,0 +1,36 @@
+From 33021d4c52d04b32424d67d3f36619427cb0f5ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:52:05 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_probe_interval.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 2a85388f1d94a9f8b5a529118a2c5eaa0520d85c ]
+
+While reading sysctl_tcp_probe_interval, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 05cbc0db03e8 ("ipv4: Create probe timer for tcp PMTU as per RFC4821")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 0e0f7803cf4e..33f9a486661c 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2030,7 +2030,7 @@ static inline void tcp_mtu_check_reprobe(struct sock *sk)
+ u32 interval;
+ s32 delta;
+
+- interval = net->ipv4.sysctl_tcp_probe_interval;
++ interval = READ_ONCE(net->ipv4.sysctl_tcp_probe_interval);
+ delta = tcp_jiffies32 - icsk->icsk_mtup.probe_timestamp;
+ if (unlikely(delta >= interval * HZ)) {
+ int mss = tcp_current_mss(sk);
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_threshol.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_threshol.patch
new file mode 100644
index 00000000000..d5ca9ef4fba
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_probe_threshol.patch
@@ -0,0 +1,36 @@
+From eb78dc2094031163c219f578a2af4ede3cdde6a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:52:04 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_probe_threshold.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 92c0aa4175474483d6cf373314343d4e624e882a ]
+
+While reading sysctl_tcp_probe_threshold, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 6b58e0a5f32d ("ipv4: Use binary search to choose tcp PMTU probe_size")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 02a7799c4b72..0e0f7803cf4e 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2112,7 +2112,7 @@ static int tcp_mtu_probe(struct sock *sk)
+ * probing process by not resetting search range to its orignal.
+ */
+ if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) ||
+- interval < net->ipv4.sysctl_tcp_probe_threshold) {
++ interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) {
+ /* Check whether enough time has elaplased for
+ * another round of probing.
+ */
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch
new file mode 100644
index 00000000000..7e2ade4f6a4
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch
@@ -0,0 +1,36 @@
+From 7ef9bde41c911049bd3832503310e23db1f082bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:49 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 1a63cb91f0c2fcdeced6d6edee8d1d886583d139 ]
+
+While reading sysctl_tcp_retrans_collapse, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 3b416dfb8aff..13d9e8570ce5 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2816,7 +2816,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
+ struct sk_buff *skb = to, *tmp;
+ bool first = true;
+
+- if (!sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse)
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse))
+ return;
+ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
+ return;
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch
new file mode 100644
index 00000000000..fe4c7722ec8
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch
@@ -0,0 +1,36 @@
+From b3468517266a6d83477f7287be4883a47fd57fd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:51 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_rfc1337.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 0b484c91911e758e53656d570de58c2ed81ec6f2 ]
+
+While reading sysctl_tcp_rfc1337, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_minisocks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index c79cb949da66..0fc238d79b03 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -179,7 +179,7 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
+ * Oh well... nobody has a sufficient solution to this
+ * protocol bug yet.
+ */
+- if (twsk_net(tw)->ipv4.sysctl_tcp_rfc1337 == 0) {
++ if (!READ_ONCE(twsk_net(tw)->ipv4.sysctl_tcp_rfc1337)) {
+ kill:
+ inet_twsk_deschedule_put(tw);
+ return TCP_TW_SUCCESS;
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch
new file mode 100644
index 00000000000..8d50e04766d
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch
@@ -0,0 +1,36 @@
+From a1da6a99fc84c4084e6d0e5b05f42c83a49c814e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:50 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_stdurg.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 4e08ed41cb1194009fc1a916a59ce3ed4afd77cd ]
+
+While reading sysctl_tcp_stdurg, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 731c4d220905..3b63e05c3486 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5292,7 +5292,7 @@ static void tcp_check_urg(struct sock *sk, const struct tcphdr *th)
+ struct tcp_sock *tp = tcp_sk(sk);
+ u32 ptr = ntohs(th->urg_ptr);
+
+- if (ptr && !sock_net(sk)->ipv4.sysctl_tcp_stdurg)
++ if (ptr && !READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_stdurg))
+ ptr--;
+ ptr += ntohl(th->seq);
+
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_thin_linear_ti.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_thin_linear_ti.patch
new file mode 100644
index 00000000000..b95aa1fb8d9
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_thin_linear_ti.patch
@@ -0,0 +1,36 @@
+From fca30f9457f62a0b975ab8b6663c91c54d9cac9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:47 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 7c6f2a86ca590d5187a073d987e9599985fb1c7c ]
+
+While reading sysctl_tcp_thin_linear_timeouts, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 36e31b0af587 ("net: TCP thin linear timeouts")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index e905fff09fea..84069db0423a 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -545,7 +545,7 @@ void tcp_retransmit_timer(struct sock *sk)
+ * linear-timeout retransmissions into a black hole
+ */
+ if (sk->sk_state == TCP_ESTABLISHED &&
+- (tp->thin_lto || net->ipv4.sysctl_tcp_thin_linear_timeouts) &&
++ (tp->thin_lto || READ_ONCE(net->ipv4.sysctl_tcp_thin_linear_timeouts)) &&
+ tcp_stream_is_thin(tp) &&
+ icsk->icsk_retransmits <= TCP_THIN_LINEAR_RETRIES) {
+ icsk->icsk_backoff = 0;
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_tw_reuse.patch b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_tw_reuse.patch
new file mode 100644
index 00000000000..65cbd61b24e
--- /dev/null
+++ b/queue-4.19/tcp-fix-a-data-race-around-sysctl_tcp_tw_reuse.patch
@@ -0,0 +1,39 @@
+From 060f749a41b636cd428fab22097cb881782a31a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:52 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_tw_reuse.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit cbfc6495586a3f09f6f07d9fb3c7cafe807e3c55 ]
+
+While reading sysctl_tcp_tw_reuse, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 2719c60f285b..ddc1af8731e3 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -110,10 +110,10 @@ static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb)
+
+ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
+ {
++ int reuse = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse);
+ const struct inet_timewait_sock *tw = inet_twsk(sktw);
+ const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw);
+ struct tcp_sock *tp = tcp_sk(sk);
+- int reuse = sock_net(sk)->ipv4.sysctl_tcp_tw_reuse;
+
+ if (reuse == 2) {
+ /* Still does not detect *everything* that goes through
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-some-timeout-sysctl-knobs.patch b/queue-4.19/tcp-fix-data-races-around-some-timeout-sysctl-knobs.patch
new file mode 100644
index 00000000000..9e80cdcf7ca
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-some-timeout-sysctl-knobs.patch
@@ -0,0 +1,120 @@
+From eb1694a78238e86be346c523eb412e4ae31b3aa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:50 -0700
+Subject: tcp: Fix data-races around some timeout sysctl knobs.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 39e24435a776e9de5c6dd188836cf2523547804b ]
+
+While reading these sysctl knobs, they can be changed concurrently.
+Thus, we need to add READ_ONCE() to their readers.
+
+ - tcp_retries1
+ - tcp_retries2
+ - tcp_orphan_retries
+ - tcp_fin_timeout
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 3 ++-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_output.c | 2 +-
+ net/ipv4/tcp_timer.c | 10 +++++-----
+ 4 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 5c5807ed66ee..f92b93cf074c 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1430,7 +1430,8 @@ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
+
+ static inline int tcp_fin_time(const struct sock *sk)
+ {
+- int fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout;
++ int fin_timeout = tcp_sk(sk)->linger2 ? :
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout);
+ const int rto = inet_csk(sk)->icsk_rto;
+
+ if (fin_timeout < (rto << 2) - (rto >> 1))
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index b1b121d5076c..0f89d0f2c21f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3386,7 +3386,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ case TCP_LINGER2:
+ val = tp->linger2;
+ if (val >= 0)
+- val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ;
++ val = (val ?
: READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+ val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 33f9a486661c..3d5ea169e905 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3776,7 +3776,7 @@ void tcp_send_probe0(struct sock *sk)
+ }
+
+ if (err <= 0) {
+- if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2)
++ if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2))
+ icsk->icsk_backoff++;
+ icsk->icsk_probes_out++;
+ probe_max = TCP_RTO_MAX;
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index 5d761333ffc4..e905fff09fea 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -124,7 +124,7 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
+ */
+ static int tcp_orphan_retries(struct sock *sk, bool alive)
+ {
+- int retries = sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be zero. */
++ int retries = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); /* May be zero. */
+
+ /* We know from an ICMP that something is wrong. */
+ if (sk->sk_err_soft && !alive)
+@@ -226,7 +226,7 @@ static int tcp_write_timeout(struct sock *sk)
+ retry_until = icsk->icsk_syn_retries ?
: net->ipv4.sysctl_tcp_syn_retries;
+ expired = icsk->icsk_retransmits >= retry_until;
+ } else {
+- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) {
++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) {
+ /* Black hole detection */
+ tcp_mtu_probing(icsk, sk);
+
+@@ -235,7 +235,7 @@ static int tcp_write_timeout(struct sock *sk)
+ sk_rethink_txhash(sk);
+ }
+
+- retry_until = net->ipv4.sysctl_tcp_retries2;
++ retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ const bool alive = icsk->icsk_rto < TCP_RTO_MAX;
+
+@@ -362,7 +362,7 @@ static void tcp_probe_timer(struct sock *sk)
+ (s32)(tcp_time_stamp(tp) - start_ts) > icsk->icsk_user_timeout)
+ goto abort;
+
+- max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2;
++ max_probes = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ const bool alive = inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_MAX;
+
+@@ -556,7 +556,7 @@ void tcp_retransmit_timer(struct sock *sk)
+ }
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX);
+- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0))
++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + 1, 0))
+ __sk_dst_reset(sk);
+
+ out:;
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_fastopen.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_fastopen.patch
new file mode 100644
index 00000000000..acf290cb352
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_fastopen.patch
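Review bot: In the first tcp_write_timeout() hunk of this queued patch the context line `retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;` remains a plain read of a sysctl, directly beside the tcp_retries1 and tcp_retries2 reads that gain READ_ONCE(). The same pattern shows up in tcp-fix-data-races-around-sysctl_tcp_mtu_probing.patch, where tcp_mtup_init() keeps `tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss)` unannotated one statement after the changed line. The series file in this commit lists no patch for either knob, so unless another queue covers them these readers stay racy in 4.19; the matching change would be `READ_ONCE(net->ipv4.sysctl_tcp_syn_retries)` and `READ_ONCE(net->ipv4.sysctl_tcp_base_mss)`. Both functions begin and end outside the hunks shown.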
@@ -0,0 +1,85 @@
+From b95cd86f15d1693151efebb1eed98f084e29717c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:54 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_fastopen.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 5a54213318c43f4009ae158347aa6016e3b9b55a ]
+
+While reading sysctl_tcp_fastopen, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 2100c8d2d9db ("net-tcp: Fast Open base")
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/af_inet.c | 2 +-
+ net/ipv4/tcp.c | 6 ++++--
+ net/ipv4/tcp_fastopen.c | 4 ++--
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index dadd42a07c07..229519001cc3 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -218,7 +218,7 @@ int inet_listen(struct socket *sock, int backlog)
+ * because the socket was in TCP_LISTEN state previously but
+ * was shutdown() rather than close().
+ */
+- tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
++ tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen);
+ if ((tcp_fastopen & TFO_SERVER_WO_SOCKOPT1) &&
+ (tcp_fastopen & TFO_SERVER_ENABLE) &&
+ !inet_csk(sk)->icsk_accept_queue.fastopenq.max_qlen) {
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 0f89d0f2c21f..7acc0d07f148 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1160,7 +1160,8 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
+ struct sockaddr *uaddr = msg->msg_name;
+ int err, flags;
+
+- if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) ||
++ if (!(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) &
++ TFO_CLIENT_ENABLE) ||
+ (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) &&
+ uaddr->sa_family == AF_UNSPEC))
+ return -EOPNOTSUPP;
+@@ -3056,7 +3057,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+ case TCP_FASTOPEN_CONNECT:
+ if (val > 1 || val < 0) {
+ err = -EINVAL;
+- } else if (net->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) {
++ } else if (READ_ONCE(net->ipv4.sysctl_tcp_fastopen) &
++ TFO_CLIENT_ENABLE) {
+ if (sk->sk_state == TCP_CLOSE)
+ tp->fastopen_connect = val;
+ else
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 119d2c2f3b04..f726591de7c7 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -313,7 +313,7 @@ static bool tcp_fastopen_no_cookie(const struct sock *sk,
+ const struct dst_entry *dst,
+ int flag)
+ {
+- return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) ||
++ return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) ||
+ tcp_sk(sk)->fastopen_no_cookie ||
+ (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE));
+ }
+@@ -328,7 +328,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ const struct dst_entry *dst)
+ {
+ bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
+- int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
++ int
tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen);
+ struct tcp_fastopen_cookie valid_foc = { .len = -1 };
+ struct sock *child;
+
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch
new file mode 100644
index 00000000000..1d9b4383ace
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch
@@ -0,0 +1,45 @@
+From deebcc6a315db986f861d68cbc81055078e7acb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:53 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_max_reordering.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit a11e5b3e7a59fde1a90b0eaeaa82320495cf8cae ]
+
+While reading sysctl_tcp_max_reordering, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: dca145ffaa8d ("tcp: allow for bigger reordering level")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 3b63e05c3486..26f0994da31b 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -893,7 +893,7 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq,
+ tp->undo_marker ? tp->undo_retrans : 0);
+ #endif
+ tp->reordering = min_t(u32, (metric + mss - 1) / mss,
+- sock_net(sk)->ipv4.sysctl_tcp_max_reordering);
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
+ }
+
+ /* This exciting event is worth to be remembered. 8) */
+@@ -1878,7 +1878,7 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend)
+ return;
+
+ tp->reordering = min_t(u32, tp->packets_out + addend,
+- sock_net(sk)->ipv4.sysctl_tcp_max_reordering);
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
+ tp->reord_seen++;
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER);
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_mtu_probing.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_mtu_probing.patch
new file mode 100644
index 00000000000..15b61789a95
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_mtu_probing.patch
@@ -0,0 +1,50 @@
+From 7bfdbe02ccade10d7c57867634ccfb972d63cfb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jul 2022 13:52:00 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_mtu_probing.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit f47d00e077e7d61baf69e46dde3210c886360207 ]
+
+While reading sysctl_tcp_mtu_probing, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 5d424d5a674f ("[TCP]: MTU probing")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_output.c | 2 +-
+ net/ipv4/tcp_timer.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 25dbdb27a571..02a7799c4b72 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1523,7 +1523,7 @@ void tcp_mtup_init(struct sock *sk)
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct net *net = sock_net(sk);
+
+- icsk->icsk_mtup.enabled = net->ipv4.sysctl_tcp_mtu_probing > 1;
++ icsk->icsk_mtup.enabled = READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) > 1;
+ icsk->icsk_mtup.search_high = tp->rx_opt.mss_clamp + sizeof(struct tcphdr) +
+ icsk->icsk_af_ops->net_header_len;
+ icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss);
+diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
+index d071ed6b8b9a..5d761333ffc4 100644
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -144,7 +144,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
+ int mss;
+
+ /* Black hole detection */
+- if (!net->ipv4.sysctl_tcp_mtu_probing)
++ if (!READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing))
+ return;
+
+ if (!icsk->icsk_mtup.enabled) {
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_recovery.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_recovery.patch
new file mode 100644
index 00000000000..ff28bd8975b
--- /dev/null
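Review bot: In the tcp_mtup_init() hunk the context line `icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss);` still reads a per-netns sysctl with a plain load, a few lines below the read this patch annotates. If sysctl_tcp_base_mss can be written concurrently in the same way, it has the same data race; unless another patch in this queue covers it, the call should become `tcp_mss_to_mtu(sk, READ_ONCE(net->ipv4.sysctl_tcp_base_mss))`. tcp_mtup_init() continues outside the hunk, so any further sysctl reads below it cannot be checked from here.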
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_recovery.patch 
@@ -0,0 +1,62 @@
+From 836c822b2c31de19ac22d46049442f302c0854c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:46 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_recovery.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit e7d2ef837e14a971a05f60ea08c47f3fed1a36e4 ]
+
+While reading sysctl_tcp_recovery, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 4f41b1c58a32 ("tcp: use RACK to detect losses")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ net/ipv4/tcp_recovery.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index afe195e03a95..731c4d220905 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1938,7 +1938,8 @@ static inline void tcp_init_undo(struct tcp_sock *tp)
+
+ static bool tcp_is_rack(const struct sock *sk)
+ {
+- return sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION;
++ return READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
++ TCP_RACK_LOSS_DETECTION;
+ }
+
+ /* If we detect SACK reneging, forget all SACK information
+diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
+index 0d96decba13d..61969bb9395c 100644
+--- a/net/ipv4/tcp_recovery.c
++++ b/net/ipv4/tcp_recovery.c
+@@ -33,7 +33,8 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk)
+ return 0;
+
+ if (tp->sacked_out >= tp->reordering &&
+- !(sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_NO_DUPTHRESH))
++ !(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
++ TCP_RACK_NO_DUPTHRESH))
+ return 0;
+ }
+
+@@ -203,7 +204,8 @@ void tcp_rack_update_reo_wnd(struct sock *sk, struct rate_sample *rs)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+- if (sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_STATIC_REO_WND ||
++ if ((READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
++ TCP_RACK_STATIC_REO_WND) ||
+ !rs->prior_delivered)
+ return;
+
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_reordering.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_reordering.patch
new file mode 100644
index 00000000000..68e3e29bb41
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_reordering.patch
@@ -0,0 +1,89 @@
+From 4f7e2a7cdc29f062e3d189315ba419b0e85dea16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jul 2022 10:17:49 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_reordering.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 46778cd16e6a5ad1b2e3a91f6c057c907379418e ]
+
+While reading sysctl_tcp_reordering, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_input.c | 10 +++++++---
+ net/ipv4/tcp_metrics.c | 3 ++-
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f7795488b0ad..b1b121d5076c 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -436,7 +436,7 @@ void tcp_init_sock(struct sock *sk)
+ tp->snd_cwnd_clamp = ~0;
+ tp->mss_cache = TCP_MSS_DEFAULT;
+
+- tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering;
++ tp->reordering = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering);
+ tcp_assign_congestion_control(sk);
+
+ tp->tsoffset = 0;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 92f5068c7680..afe195e03a95 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1982,6 +1982,7 @@ void tcp_enter_loss(struct sock *sk)
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct net *net = sock_net(sk);
+ bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery;
++ u8 reordering;
+
+ tcp_timeout_mark_lost(sk);
+
+@@ -2002,10 +2003,12 @@ void tcp_enter_loss(struct sock *sk)
+ /* Timeout in disordered state after receiving substantial DUPACKs
+ * suggests that the degree of reordering is over-estimated.
+ */
++ reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering);
+ if (icsk->icsk_ca_state <= TCP_CA_Disorder &&
+- tp->sacked_out >= net->ipv4.sysctl_tcp_reordering)
++ tp->sacked_out >= reordering)
+ tp->reordering = min_t(unsigned int, tp->reordering,
+- net->ipv4.sysctl_tcp_reordering);
++ reordering);
++
+ tcp_set_ca_state(sk, TCP_CA_Loss);
+ tp->high_seq = tp->snd_nxt;
+ tcp_ecn_queue_cwr(tp);
+@@ -3303,7 +3306,8 @@ static inline bool tcp_may_raise_cwnd(const struct sock *sk, const int flag)
+ * new SACK or ECE mark may first advance cwnd here and later reduce
+ * cwnd in tcp_fastretrans_alert() based on more states.
+ */
+- if (tcp_sk(sk)->reordering > sock_net(sk)->ipv4.sysctl_tcp_reordering)
++ if (tcp_sk(sk)->reordering >
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering))
+ return flag & FLAG_FORWARD_PROGRESS;
+
+ return flag & FLAG_DATA_ACKED;
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 03b51cdcc731..61843c6d7a47 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -425,7 +425,8 @@ void tcp_update_metrics(struct sock *sk)
+ if (!tcp_metric_locked(tm, TCP_METRIC_REORDERING)) {
+ val = tcp_metric_get(tm, TCP_METRIC_REORDERING);
+ if (val < tp->reordering &&
+- tp->reordering != net->ipv4.sysctl_tcp_reordering)
++ tp->reordering !=
++ READ_ONCE(net->ipv4.sysctl_tcp_reordering))
+ tcp_metric_set(tm, TCP_METRIC_REORDERING,
+ tp->reordering);
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_slow_start_afte.patch b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_slow_start_afte.patch
new file mode 100644
index 00000000000..f47836da817
--- /dev/null
+++ b/queue-4.19/tcp-fix-data-races-around-sysctl_tcp_slow_start_afte.patch
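Review bot: In tcp_enter_loss() the new snapshot is declared `u8 reordering;`, yet the same hunk passes it to `min_t(unsigned int, tp->reordering, reordering)` and the removed lines compared against the sysctl field at its full width. The declaration of sysctl_tcp_reordering is not in the hunk; if it is wider than 8 bits in the 4.19 tree (presumably an int), a configured value above 255 is silently truncated, which changes both the `tp->sacked_out >= reordering` test and the clamp. Declaring the local with the field's own type, e.g. `int reordering;`, keeps the single READ_ONCE() without narrowing. tcp_enter_loss() starts and ends outside the hunk.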
@@ -0,0 +1,52 @@
+From 1e6812bdd08c98ff6daa9a8a8769c8215570ebe1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Jul 2022 10:26:48 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 4845b5713ab18a1bb6e31d1fbb4d600240b8b691 ]
+
+While reading sysctl_tcp_slow_start_after_idle, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 35089bb203f4 ("[TCP]: Add tcp_slow_start_after_idle sysctl.")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 4 ++--
+ net/ipv4/tcp_output.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 9b1bf1567861..d28fa78dedb5 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1339,8 +1339,8 @@ static inline void tcp_slow_start_after_idle_check(struct sock *sk)
+ struct tcp_sock *tp = tcp_sk(sk);
+ s32 delta;
+
+- if (!sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle || tp->packets_out ||
+- ca_ops->cong_control)
++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) ||
++ tp->packets_out || ca_ops->cong_control)
+ return;
+ delta = tcp_jiffies32 - tp->lsndtime;
+ if (delta > inet_csk(sk)->icsk_rto)
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 8dcb9484a20c..3b416dfb8aff 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1658,7 +1658,7 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
+ if (tp->packets_out > tp->snd_cwnd_used)
+ tp->snd_cwnd_used = tp->packets_out;
+
+- if (sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle &&
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) &&
+ (s32)(tcp_jiffies32 - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto &&
+ !ca_ops->cong_control)
+ tcp_cwnd_application_limited(sk);
+--
+2.35.1
+
diff --git a/queue-4.19/xfrm-xfrm_policy-fix-a-possible-double-xfrm_pols_put.patch b/queue-4.19/xfrm-xfrm_policy-fix-a-possible-double-xfrm_pols_put.patch
new file mode 100644
index 00000000000..d38a0baa1c6
--- /dev/null
+++ b/queue-4.19/xfrm-xfrm_policy-fix-a-possible-double-xfrm_pols_put.patch
@@ -0,0 +1,58 @@
+From 2b9092c3c6f73d031acdd51e3b24e9116d1f91c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jun 2022 14:46:25 +0800
+Subject: xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
+ xfrm_bundle_lookup()
+
+From: Hangyu Hua
+
+[ Upstream commit f85daf0e725358be78dfd208dea5fd665d8cb901 ]
+
+xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
+pols[0]. This refcount can be dropped in xfrm_expand_policies() when
+xfrm_expand_policies() return error. pols[0]'s refcount is balanced in
+here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
+num_pols == 1 to drop this refcount when xfrm_expand_policies() return
+error.
+
+This patch also fix an illegal address access. pols[0] will save a error
+point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve
+an illegal address in xfrm_bundle_lookup's error path.
+
+Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.
+
+Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows")
+Signed-off-by: Hangyu Hua
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index bb1c94e20e82..3582f77bab6a 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1697,8 +1697,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
+ *num_xfrms = 0;
+ return 0;
+ }
+- if (IS_ERR(pols[0]))
++ if (IS_ERR(pols[0])) {
++ *num_pols = 0;
+ return PTR_ERR(pols[0]);
++ }
+
+ *num_xfrms = pols[0]->xfrm_nr;
+
+@@ -1713,6 +1715,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
+ if (pols[1]) {
+ if (IS_ERR(pols[1])) {
+ xfrm_pols_put(pols, *num_pols);
++ *num_pols = 0;
+ return PTR_ERR(pols[1]);
+ }
+ (*num_pols)++;
+--
+2.35.1
+
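Review bot: Both error returns in xfrm_expand_policies() now zero `*num_pols` but leave the pols[] array untouched: pols[0] still holds the ERR_PTR value in the first path, and in the second it holds a pointer whose reference was just dropped by `xfrm_pols_put(pols, *num_pols)`. That is safe only while every caller consults the count and never the array after a failure; the callers are outside the hunk, so this cannot be confirmed here. A comment at the function head would make the contract explicit, e.g. `/* On error *num_pols is 0 and no policy reference is held; pols[] must not be used. */`. The function body starts and ends outside the hunk.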