From 21a57251ac3ded2b1efb0802ce78b6d7130c79fb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 31 Jul 2022 12:12:30 +0200 Subject: [PATCH] fix up duplicate 5.15.y patches --- ...ve-a-broken-and-needless-ifdef-condi.patch | 56 -------- ...-bits-on-rx-descriptor-rather-than-e.patch | 46 ------- ...not-setup-vlan-for-loopback-vsi.patch-1510 | 44 ------ ...null-ptr-deref-bug-for-ip6_ptr.patch-17245 | 102 -------------- ...-memleak-in-ipv6_renew_options.patch-12523 | 110 --------------- ...he-context-from-the-list-in-tls_devi.patch | 51 ------- ...-tcp-src-and-dst-port-tc-filters.patch-781 | 70 ---------- ...change-pingpong-threshold-to-3.patch-30941 | 91 ------------ ...prevent-cpacf-trng-invocations-in-in.patch | 130 ------------------ ...-warning-in-scsi_alloc_sgtables.patch-8274 | 106 -------------- ...p-fw-fault-watchdog-work-item-during.patch | 46 ------- ...ld-reference-returned-by-of_parse_ph.patch | 61 -------- queue-5.15/series | 23 ---- ...round-sysctl_tcp_adv_win_scale.patch-19790 | 36 ----- ...race-around-sysctl_tcp_app_win.patch-22294 | 36 ----- ...ace-around-sysctl_tcp_challenge_ack_.patch | 36 ----- ...ata-race-around-sysctl_tcp_frto.patch-3670 | 36 ----- ...ace-around-sysctl_tcp_limit_output_b.patch | 36 ----- ...-race-around-sysctl_tcp_min_tso_segs.patch | 9 +- ...round-sysctl_tcp_nometrics_save.patch-5497 | 36 ----- ...-races-around-sysctl_tcp_dsack.patch-17026 | 45 ------ ...und-sysctl_tcp_moderate_rcvbuf.patch-32656 | 50 ------- ...es-around-sysctl_tcp_no_ssthresh_met.patch | 63 --------- ...he-race-between-refill-work-and-clos.patch | 19 +-- ...missing-locking-in-add_watch_to_obje.patch | 120 ---------------- ...eue-fix-missing-rcu-annotation.patch-18505 | 40 ------ 26 files changed, 9 insertions(+), 1489 deletions(-) delete mode 100644 queue-5.15/asm-generic-remove-a-broken-and-needless-ifdef-condi.patch delete mode 100644 queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-e.patch delete mode 100644 queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch-1510 delete mode 100644 queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch-17245 delete mode 100644 queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch-12523 delete mode 100644 queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_devi.patch delete mode 100644 queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch-781 delete mode 100644 queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch-30941 delete mode 100644 queue-5.15/s390-archrandom-prevent-cpacf-trng-invocations-in-in.patch delete mode 100644 queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch-8274 delete mode 100644 queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during.patch delete mode 100644 queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch-19790 delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch-22294 delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_.patch delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch-3670 delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_b.patch delete mode 100644 queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch-5497 delete mode 100644 queue-5.15/tcp-fix-data-races-around-sysctl_tcp_dsack.patch-17026 delete mode 100644 queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch-32656 delete mode 100644 queue-5.15/tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_met.patch delete mode 100644 queue-5.15/watch_queue-fix-missing-locking-in-add_watch_to_obje.patch delete mode 100644 queue-5.15/watch_queue-fix-missing-rcu-annotation.patch-18505 diff --git a/queue-5.15/asm-generic-remove-a-broken-and-needless-ifdef-condi.patch b/queue-5.15/asm-generic-remove-a-broken-and-needless-ifdef-condi.patch deleted file mode 100644 index ad69d7f43f9..00000000000 --- a/queue-5.15/asm-generic-remove-a-broken-and-needless-ifdef-condi.patch +++ /dev/null @@ -1,56 +0,0 @@ -From ba9e2ef98d7b71254487dcca7051b49ea764e93b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 13:07:11 +0200 -Subject: asm-generic: remove a broken and needless ifdef conditional - -From: Lukas Bulwahn - -[ Upstream commit e2a619ca0b38f2114347b7078b8a67d72d457a3d ] - -Commit 527701eda5f1 ("lib: Add a generic version of devmem_is_allowed()") -introduces the config symbol GENERIC_LIB_DEVMEM_IS_ALLOWED, but then -falsely refers to CONFIG_GENERIC_DEVMEM_IS_ALLOWED (note the missing LIB -in the reference) in ./include/asm-generic/io.h. - -Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs: - -GENERIC_DEVMEM_IS_ALLOWED -Referencing files: include/asm-generic/io.h - -The actual fix, though, is simply to not to make this function declaration -dependent on any kernel config. For architectures that intend to use -the generic version, the arch's 'select GENERIC_LIB_DEVMEM_IS_ALLOWED' will -lead to picking the function definition, and for other architectures, this -function is simply defined elsewhere. - -The wrong '#ifndef' on a non-existing config symbol also always had the -same effect (although more by mistake than by intent). So, there is no -functional change. - -Remove this broken and needless ifdef conditional. - -Fixes: 527701eda5f1 ("lib: Add a generic version of devmem_is_allowed()") -Signed-off-by: Lukas Bulwahn -Signed-off-by: Arnd Bergmann -Signed-off-by: Sasha Levin ---- - include/asm-generic/io.h | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h -index 7ce93aaf69f8..98954dda5734 100644 ---- a/include/asm-generic/io.h -+++ b/include/asm-generic/io.h -@@ -1125,9 +1125,7 @@ static inline void memcpy_toio(volatile void __iomem *addr, const void *buffer, - } - #endif - --#ifndef CONFIG_GENERIC_DEVMEM_IS_ALLOWED - extern int devmem_is_allowed(unsigned long pfn); --#endif - - #endif /* __KERNEL__ */ - --- -2.35.1 - diff --git a/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-e.patch b/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-e.patch deleted file mode 100644 index cded44bb873..00000000000 --- a/queue-5.15/ice-check-dd-eof-bits-on-rx-descriptor-rather-than-e.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 9df4f4593611ea640dfab3ff20f6ee5a5dd41485 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 12:20:42 +0200 -Subject: ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) - -From: Maciej Fijalkowski - -[ Upstream commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e ] - -Tx side sets EOP and RS bits on descriptors to indicate that a -particular descriptor is the last one and needs to generate an irq when -it was sent. These bits should not be checked on completion path -regardless whether it's the Tx or the Rx. DD bit serves this purpose and -it indicates that a particular descriptor is either for Rx or was -successfully Txed. EOF is also set as loopback test does not xmit -fragmented frames. - -Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead -of EOP and RS pair. - -Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") -Signed-off-by: Maciej Fijalkowski -Tested-by: George Kuruvinakunnel -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c -index 982db894754f..9b9c2b885486 100644 ---- a/drivers/net/ethernet/intel/ice/ice_ethtool.c -+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c -@@ -651,7 +651,8 @@ static int ice_lbtest_receive_frames(struct ice_ring *rx_ring) - rx_desc = ICE_RX_DESC(rx_ring, i); - - if (!(rx_desc->wb.status_error0 & -- cpu_to_le16(ICE_TX_DESC_CMD_EOP | ICE_TX_DESC_CMD_RS))) -+ (cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_DD_S)) | -+ cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_EOF_S))))) - continue; - - rx_buf = &rx_ring->rx_buf[i]; --- -2.35.1 - diff --git a/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch-1510 b/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch-1510 deleted file mode 100644 index 4dc6c5b56ac..00000000000 --- a/queue-5.15/ice-do-not-setup-vlan-for-loopback-vsi.patch-1510 +++ /dev/null @@ -1,44 +0,0 @@ -From ef5016a05107a9ae75d07a6689f3e249bcbf0772 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 12:20:43 +0200 -Subject: ice: do not setup vlan for loopback VSI - -From: Maciej Fijalkowski - -[ Upstream commit cc019545a238518fa9da1e2a889f6e1bb1005a63 ] - -Currently loopback test is failiing due to the error returned from -ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI. - -Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") -Signed-off-by: Maciej Fijalkowski -Tested-by: George Kuruvinakunnel -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/ice/ice_main.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c -index 188abf36a5b2..b9d45c7dbef1 100644 ---- a/drivers/net/ethernet/intel/ice/ice_main.c -+++ b/drivers/net/ethernet/intel/ice/ice_main.c -@@ -5481,10 +5481,12 @@ int ice_vsi_cfg(struct ice_vsi *vsi) - if (vsi->netdev) { - ice_set_rx_mode(vsi->netdev); - -- err = ice_vsi_vlan_setup(vsi); -+ if (vsi->type != ICE_VSI_LB) { -+ err = ice_vsi_vlan_setup(vsi); - -- if (err) -- return err; -+ if (err) -+ return err; -+ } - } - ice_vsi_cfg_dcb_rings(vsi); - --- -2.35.1 - diff --git a/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch-17245 b/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch-17245 deleted file mode 100644 index 095ff7243a3..00000000000 --- a/queue-5.15/ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch-17245 +++ /dev/null @@ -1,102 +0,0 @@ -From 71714997e0c6d4b2bbdcaae339b2498d17d1c689 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 09:33:07 +0800 -Subject: ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr - -From: Ziyang Xuan - -[ Upstream commit 85f0173df35e5462d89947135a6a5599c6c3ef6f ] - -Change net device's MTU to smaller than IPV6_MIN_MTU or unregister -device while matching route. That may trigger null-ptr-deref bug -for ip6_ptr probability as following. - -========================================================= -BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134 -Read of size 4 at addr 0000000000000308 by task ping6/263 - -CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14 -Call trace: - dump_backtrace+0x1a8/0x230 - show_stack+0x20/0x70 - dump_stack_lvl+0x68/0x84 - print_report+0xc4/0x120 - kasan_report+0x84/0x120 - __asan_load4+0x94/0xd0 - find_match.part.0+0x70/0x134 - __find_rr_leaf+0x408/0x470 - fib6_table_lookup+0x264/0x540 - ip6_pol_route+0xf4/0x260 - ip6_pol_route_output+0x58/0x70 - fib6_rule_lookup+0x1a8/0x330 - ip6_route_output_flags_noref+0xd8/0x1a0 - ip6_route_output_flags+0x58/0x160 - ip6_dst_lookup_tail+0x5b4/0x85c - ip6_dst_lookup_flow+0x98/0x120 - rawv6_sendmsg+0x49c/0xc70 - inet_sendmsg+0x68/0x94 - -Reproducer as following: -Firstly, prepare conditions: -$ip netns add ns1 -$ip netns add ns2 -$ip link add veth1 type veth peer name veth2 -$ip link set veth1 netns ns1 -$ip link set veth2 netns ns2 -$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1 -$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2 -$ip netns exec ns1 ifconfig veth1 up -$ip netns exec ns2 ifconfig veth2 up -$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1 -$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1 - -Secondly, execute the following two commands in two ssh windows -respectively: -$ip netns exec ns1 sh -$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done - -$ip netns exec ns1 sh -$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done - -It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly, -then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check. - - cpu0 cpu1 -fib6_table_lookup -__find_rr_leaf - addrconf_notify [ NETDEV_CHANGEMTU ] - addrconf_ifdown - RCU_INIT_POINTER(dev->ip6_ptr, NULL) -find_match -ip6_ignore_linkdown - -So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to -fix the null-ptr-deref bug. - -Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev") -Signed-off-by: Ziyang Xuan -Reviewed-by: David Ahern -Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/addrconf.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/include/net/addrconf.h b/include/net/addrconf.h -index 59940e230b78..53627afab104 100644 ---- a/include/net/addrconf.h -+++ b/include/net/addrconf.h -@@ -403,6 +403,9 @@ static inline bool ip6_ignore_linkdown(const struct net_device *dev) - { - const struct inet6_dev *idev = __in6_dev_get(dev); - -+ if (unlikely(!idev)) -+ return true; -+ - return !!idev->cnf.ignore_routes_with_linkdown; - } - --- -2.35.1 - diff --git a/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch-12523 b/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch-12523 deleted file mode 100644 index 263df0a0335..00000000000 --- a/queue-5.15/net-ping6-fix-memleak-in-ipv6_renew_options.patch-12523 +++ /dev/null @@ -1,110 +0,0 @@ -From 85b30d6c4b4c5891b9c1df8e41f2e0e08f4360f8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 27 Jul 2022 18:22:20 -0700 -Subject: net: ping6: Fix memleak in ipv6_renew_options(). - -From: Kuniyuki Iwashima - -[ Upstream commit e27326009a3d247b831eda38878c777f6f4eb3d1 ] - -When we close ping6 sockets, some resources are left unfreed because -pingv6_prot is missing sk->sk_prot->destroy(). As reported by -syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. - - struct ipv6_sr_hdr *hdr; - char data[24] = {0}; - int fd; - - hdr = (struct ipv6_sr_hdr *)data; - hdr->hdrlen = 2; - hdr->type = IPV6_SRCRT_TYPE_4; - - fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); - setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); - close(fd); - -To fix memory leaks, let's add a destroy function. - -Note the socket() syscall checks if the GID is within the range of -net.ipv4.ping_group_range. The default value is [1, 0] so that no -GID meets the condition (1 <= GID <= 0). Thus, the local DoS does -not succeed until we change the default value. However, at least -Ubuntu/Fedora/RHEL loosen it. - - $ cat /usr/lib/sysctl.d/50-default.conf - ... - -net.ipv4.ping_group_range = 0 2147483647 - -Also, there could be another path reported with these options, and -some of them require CAP_NET_RAW. - - setsockopt - IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) - IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) - IPV6_HOPOPTS (inet6_sk(sk)->opt) - IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) - IPV6_RTHDR (inet6_sk(sk)->opt) - IPV6_DSTOPTS (inet6_sk(sk)->opt) - IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) - - getsockopt - IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) - -For the record, I left a different splat with syzbot's one. - - unreferenced object 0xffff888006270c60 (size 96): - comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) - hex dump (first 32 bytes): - 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - backtrace: - [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554) - [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715) - [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) - [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) - [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262) - [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) - [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) - -[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176 - -Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") -Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com -Reported-by: Ayushman Dutta -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: David Ahern -Reviewed-by: Eric Dumazet -Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv6/ping.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index 6ac88fe24a8e..135e3a060caa 100644 ---- a/net/ipv6/ping.c -+++ b/net/ipv6/ping.c -@@ -22,6 +22,11 @@ - #include - #include - -+static void ping_v6_destroy(struct sock *sk) -+{ -+ inet6_destroy_sock(sk); -+} -+ - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ - static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, - int *addr_len) -@@ -166,6 +171,7 @@ struct proto pingv6_prot = { - .owner = THIS_MODULE, - .init = ping_init_sock, - .close = ping_close, -+ .destroy = ping_v6_destroy, - .connect = ip6_datagram_connect_v6_only, - .disconnect = __udp_disconnect, - .setsockopt = ipv6_setsockopt, --- -2.35.1 - diff --git a/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_devi.patch b/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_devi.patch deleted file mode 100644 index c2a48110a8a..00000000000 --- a/queue-5.15/net-tls-remove-the-context-from-the-list-in-tls_devi.patch +++ /dev/null @@ -1,51 +0,0 @@ -From e1bf6422281150d1b6fb11cbaeb4d17c644404c8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 12:11:27 +0300 -Subject: net/tls: Remove the context from the list in tls_device_down - -From: Maxim Mikityanskiy - -[ Upstream commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 ] - -tls_device_down takes a reference on all contexts it's going to move to -the degraded state (software fallback). If sk_destruct runs afterwards, -it can reduce the reference counter back to 1 and return early without -destroying the context. Then tls_device_down will release the reference -it took and call tls_device_free_ctx. However, the context will still -stay in tls_device_down_list forever. The list will contain an item, -memory for which is released, making a memory corruption possible. - -Fix the above bug by properly removing the context from all lists before -any call to tls_device_free_ctx. - -Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down") -Signed-off-by: Maxim Mikityanskiy -Reviewed-by: Tariq Toukan -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/tls/tls_device.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c -index 4e33150cfb9e..cf75969375cf 100644 ---- a/net/tls/tls_device.c -+++ b/net/tls/tls_device.c -@@ -1351,8 +1351,13 @@ static int tls_device_down(struct net_device *netdev) - * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW. - * Now release the ref taken above. - */ -- if (refcount_dec_and_test(&ctx->refcount)) -+ if (refcount_dec_and_test(&ctx->refcount)) { -+ /* sk_destruct ran after tls_device_down took a ref, and -+ * it returned early. Complete the destruction here. -+ */ -+ list_del(&ctx->list); - tls_device_free_ctx(ctx); -+ } - } - - up_write(&device_offload_lock); --- -2.35.1 - diff --git a/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch-781 b/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch-781 deleted file mode 100644 index b21427a58ed..00000000000 --- a/queue-5.15/octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch-781 +++ /dev/null @@ -1,70 +0,0 @@ -From c2604438cc7c262202cdf9f88f33229a28bcddb2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 24 Jul 2022 13:51:14 +0530 -Subject: octeontx2-pf: Fix UDP/TCP src and dst port tc filters - -From: Subbaraya Sundeep - -[ Upstream commit 59e1be6f83b928a04189bbf3ab683a1fc6248db3 ] - -Check the mask for non-zero value before installing tc filters -for L4 source and destination ports. Otherwise installing a -filter for source port installs destination port too and -vice-versa. - -Fixes: 1d4d9e42c240 ("octeontx2-pf: Add tc flower hardware offload on ingress traffic") -Signed-off-by: Subbaraya Sundeep -Signed-off-by: Sunil Goutham -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - .../ethernet/marvell/octeontx2/nic/otx2_tc.c | 30 +++++++++++-------- - 1 file changed, 18 insertions(+), 12 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c -index ff569e261be4..75388a65f349 100644 ---- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c -+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c -@@ -605,21 +605,27 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node, - - flow_spec->dport = match.key->dst; - flow_mask->dport = match.mask->dst; -- if (ip_proto == IPPROTO_UDP) -- req->features |= BIT_ULL(NPC_DPORT_UDP); -- else if (ip_proto == IPPROTO_TCP) -- req->features |= BIT_ULL(NPC_DPORT_TCP); -- else if (ip_proto == IPPROTO_SCTP) -- req->features |= BIT_ULL(NPC_DPORT_SCTP); -+ -+ if (flow_mask->dport) { -+ if (ip_proto == IPPROTO_UDP) -+ req->features |= BIT_ULL(NPC_DPORT_UDP); -+ else if (ip_proto == IPPROTO_TCP) -+ req->features |= BIT_ULL(NPC_DPORT_TCP); -+ else if (ip_proto == IPPROTO_SCTP) -+ req->features |= BIT_ULL(NPC_DPORT_SCTP); -+ } - - flow_spec->sport = match.key->src; - flow_mask->sport = match.mask->src; -- if (ip_proto == IPPROTO_UDP) -- req->features |= BIT_ULL(NPC_SPORT_UDP); -- else if (ip_proto == IPPROTO_TCP) -- req->features |= BIT_ULL(NPC_SPORT_TCP); -- else if (ip_proto == IPPROTO_SCTP) -- req->features |= BIT_ULL(NPC_SPORT_SCTP); -+ -+ if (flow_mask->sport) { -+ if (ip_proto == IPPROTO_UDP) -+ req->features |= BIT_ULL(NPC_SPORT_UDP); -+ else if (ip_proto == IPPROTO_TCP) -+ req->features |= BIT_ULL(NPC_SPORT_TCP); -+ else if (ip_proto == IPPROTO_SCTP) -+ req->features |= BIT_ULL(NPC_SPORT_SCTP); -+ } - } - - return otx2_tc_parse_actions(nic, &rule->action, req, f, node); --- -2.35.1 - diff --git a/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch-30941 b/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch-30941 deleted file mode 100644 index 3a7a54f19c4..00000000000 --- a/queue-5.15/revert-tcp-change-pingpong-threshold-to-3.patch-30941 +++ /dev/null @@ -1,91 +0,0 @@ -From 8f85722e7d52d3f218ef18d54b8a84fb170f4f22 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 20:44:04 +0000 -Subject: Revert "tcp: change pingpong threshold to 3" - -From: Wei Wang - -[ Upstream commit 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 ] - -This reverts commit 4a41f453bedfd5e9cd040bad509d9da49feb3e2c. - -This to-be-reverted commit was meant to apply a stricter rule for the -stack to enter pingpong mode. However, the condition used to check for -interactive session "before(tp->lsndtime, icsk->icsk_ack.lrcvtime)" is -jiffy based and might be too coarse, which delays the stack entering -pingpong mode. -We revert this patch so that we no longer use the above condition to -determine interactive session, and also reduce pingpong threshold to 1. - -Fixes: 4a41f453bedf ("tcp: change pingpong threshold to 3") -Reported-by: LemmyHuang -Suggested-by: Neal Cardwell -Signed-off-by: Wei Wang -Acked-by: Neal Cardwell -Reviewed-by: Eric Dumazet -Link: https://lore.kernel.org/r/20220721204404.388396-1-weiwan@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/inet_connection_sock.h | 10 +--------- - net/ipv4/tcp_output.c | 15 ++++++--------- - 2 files changed, 7 insertions(+), 18 deletions(-) - -diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h -index fa6a87246a7b..695ed45841f0 100644 ---- a/include/net/inet_connection_sock.h -+++ b/include/net/inet_connection_sock.h -@@ -315,7 +315,7 @@ void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, - - struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); - --#define TCP_PINGPONG_THRESH 3 -+#define TCP_PINGPONG_THRESH 1 - - static inline void inet_csk_enter_pingpong_mode(struct sock *sk) - { -@@ -332,14 +332,6 @@ static inline bool inet_csk_in_pingpong_mode(struct sock *sk) - return inet_csk(sk)->icsk_ack.pingpong >= TCP_PINGPONG_THRESH; - } - --static inline void inet_csk_inc_pingpong_cnt(struct sock *sk) --{ -- struct inet_connection_sock *icsk = inet_csk(sk); -- -- if (icsk->icsk_ack.pingpong < U8_MAX) -- icsk->icsk_ack.pingpong++; --} -- - static inline bool inet_csk_has_ulp(struct sock *sk) - { - return inet_sk(sk)->is_icsk && !!inet_csk(sk)->icsk_ulp_ops; -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 3a84553fb4ed..51f31311fdb6 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -167,16 +167,13 @@ static void tcp_event_data_sent(struct tcp_sock *tp, - if (tcp_packets_in_flight(tp) == 0) - tcp_ca_event(sk, CA_EVENT_TX_START); - -- /* If this is the first data packet sent in response to the -- * previous received data, -- * and it is a reply for ato after last received packet, -- * increase pingpong count. -- */ -- if (before(tp->lsndtime, icsk->icsk_ack.lrcvtime) && -- (u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato) -- inet_csk_inc_pingpong_cnt(sk); -- - tp->lsndtime = now; -+ -+ /* If it is a reply for ato after last received -+ * packet, enter pingpong mode. -+ */ -+ if ((u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato) -+ inet_csk_enter_pingpong_mode(sk); - } - - /* Account for an ACK we sent. */ --- -2.35.1 - diff --git a/queue-5.15/s390-archrandom-prevent-cpacf-trng-invocations-in-in.patch b/queue-5.15/s390-archrandom-prevent-cpacf-trng-invocations-in-in.patch deleted file mode 100644 index df750997bd3..00000000000 --- a/queue-5.15/s390-archrandom-prevent-cpacf-trng-invocations-in-in.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 9b15aec0a530a3401f9c95b7cbfa9863e92f1217 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Jul 2022 15:17:21 +0200 -Subject: s390/archrandom: prevent CPACF trng invocations in interrupt context - -From: Harald Freudenberger - -[ Upstream commit 918e75f77af7d2e049bb70469ec0a2c12782d96a ] - -This patch slightly reworks the s390 arch_get_random_seed_{int,long} -implementation: Make sure the CPACF trng instruction is never -called in any interrupt context. This is done by adding an -additional condition in_task(). - -Justification: - -There are some constrains to satisfy for the invocation of the -arch_get_random_seed_{int,long}() functions: -- They should provide good random data during kernel initialization. -- They should not be called in interrupt context as the TRNG - instruction is relatively heavy weight and may for example - make some network loads cause to timeout and buck. - -However, it was not clear what kind of interrupt context is exactly -encountered during kernel init or network traffic eventually calling -arch_get_random_seed_long(). - -After some days of investigations it is clear that the s390 -start_kernel function is not running in any interrupt context and -so the trng is called: - -Jul 11 18:33:39 t35lp54 kernel: [<00000001064e90ca>] arch_get_random_seed_long.part.0+0x32/0x70 -Jul 11 18:33:39 t35lp54 kernel: [<000000010715f246>] random_init+0xf6/0x238 -Jul 11 18:33:39 t35lp54 kernel: [<000000010712545c>] start_kernel+0x4a4/0x628 -Jul 11 18:33:39 t35lp54 kernel: [<000000010590402a>] startup_continue+0x2a/0x40 - -The condition in_task() is true and the CPACF trng provides random data -during kernel startup. - -The network traffic however, is more difficult. A typical call stack -looks like this: - -Jul 06 17:37:07 t35lp54 kernel: [<000000008b5600fc>] extract_entropy.constprop.0+0x23c/0x240 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b560136>] crng_reseed+0x36/0xd8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b5604b8>] crng_make_state+0x78/0x340 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b5607e0>] _get_random_bytes+0x60/0xf8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b56108a>] get_random_u32+0xda/0x248 -Jul 06 17:37:07 t35lp54 kernel: [<000000008aefe7a8>] kfence_guarded_alloc+0x48/0x4b8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008aeff35e>] __kfence_alloc+0x18e/0x1b8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008aef7f10>] __kmalloc_node_track_caller+0x368/0x4d8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b611eac>] kmalloc_reserve+0x44/0xa0 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b611f98>] __alloc_skb+0x90/0x178 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b6120dc>] __napi_alloc_skb+0x5c/0x118 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f06b4>] qeth_extract_skb+0x13c/0x680 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f6526>] qeth_poll+0x256/0x3f8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b63d76e>] __napi_poll.constprop.0+0x46/0x2f8 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b63dbec>] net_rx_action+0x1cc/0x408 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b937302>] __do_softirq+0x132/0x6b0 -Jul 06 17:37:07 t35lp54 kernel: [<000000008abf46ce>] __irq_exit_rcu+0x13e/0x170 -Jul 06 17:37:07 t35lp54 kernel: [<000000008abf531a>] irq_exit_rcu+0x22/0x50 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b922506>] do_io_irq+0xe6/0x198 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b935826>] io_int_handler+0xd6/0x110 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b9358a6>] psw_idle_exit+0x0/0xa -Jul 06 17:37:07 t35lp54 kernel: ([<000000008ab9c59a>] arch_cpu_idle+0x52/0xe0) -Jul 06 17:37:07 t35lp54 kernel: [<000000008b933cfe>] default_idle_call+0x6e/0xd0 -Jul 06 17:37:07 t35lp54 kernel: [<000000008ac59f4e>] do_idle+0xf6/0x1b0 -Jul 06 17:37:07 t35lp54 kernel: [<000000008ac5a28e>] cpu_startup_entry+0x36/0x40 -Jul 06 17:37:07 t35lp54 kernel: [<000000008abb0d90>] smp_start_secondary+0x148/0x158 -Jul 06 17:37:07 t35lp54 kernel: [<000000008b935b9e>] restart_int_handler+0x6e/0x90 - -which confirms that the call is in softirq context. So in_task() covers exactly -the cases where we want to have CPACF trng called: not in nmi, not in hard irq, -not in soft irq but in normal task context and during kernel init. - -Signed-off-by: Harald Freudenberger -Acked-by: Jason A. Donenfeld -Reviewed-by: Juergen Christ -Link: https://lore.kernel.org/r/20220713131721.257907-1-freude@linux.ibm.com -Fixes: e4f74400308c ("s390/archrandom: simplify back to earlier design and initialize earlier") -[agordeev@linux.ibm.com changed desc, added Fixes and Link, removed -stable] -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - arch/s390/include/asm/archrandom.h | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/arch/s390/include/asm/archrandom.h b/arch/s390/include/asm/archrandom.h -index 2c6e1c6ecbe7..4120c428dc37 100644 ---- a/arch/s390/include/asm/archrandom.h -+++ b/arch/s390/include/asm/archrandom.h -@@ -2,7 +2,7 @@ - /* - * Kernel interface for the s390 arch_random_* functions - * -- * Copyright IBM Corp. 2017, 2020 -+ * Copyright IBM Corp. 2017, 2022 - * - * Author: Harald Freudenberger - * -@@ -14,6 +14,7 @@ - #ifdef CONFIG_ARCH_RANDOM - - #include -+#include - #include - #include - -@@ -32,7 +33,8 @@ static inline bool __must_check arch_get_random_int(unsigned int *v) - - static inline bool __must_check arch_get_random_seed_long(unsigned long *v) - { -- if (static_branch_likely(&s390_arch_random_available)) { -+ if (static_branch_likely(&s390_arch_random_available) && -+ in_task()) { - cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); - atomic64_add(sizeof(*v), &s390_arch_random_counter); - return true; -@@ -42,7 +44,8 @@ static inline bool __must_check arch_get_random_seed_long(unsigned long *v) - - static inline bool __must_check arch_get_random_seed_int(unsigned int *v) - { -- if (static_branch_likely(&s390_arch_random_available)) { -+ if (static_branch_likely(&s390_arch_random_available) && -+ in_task()) { - cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); - atomic64_add(sizeof(*v), &s390_arch_random_counter); - return true; --- -2.35.1 - diff --git a/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch-8274 b/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch-8274 deleted file mode 100644 index ea488f3036b..00000000000 --- a/queue-5.15/scsi-core-fix-warning-in-scsi_alloc_sgtables.patch-8274 +++ /dev/null @@ -1,106 +0,0 @@ -From 2852775159d84567f50f76f5f682f72d328646ce Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 10:51:20 +0800 -Subject: scsi: core: Fix warning in scsi_alloc_sgtables() - -From: Jason Yan - -[ Upstream commit d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 ] - -As explained in SG_IO howto[1]: - -"If iovec_count is non-zero then 'dxfer_len' should be equal to the sum of -iov_len lengths. If not, the minimum of the two is the transfer length." - -When iovec_count is non-zero and dxfer_len is zero, the sg_io() just -genarated a null bio, and finally caused a warning below. To fix it, skip -generating a bio for this request if dxfer_len is zero. - -[1] https://tldp.org/HOWTO/SCSI-Generic-HOWTO/x198.html - -WARNING: CPU: 2 PID: 3643 at drivers/scsi/scsi_lib.c:1032 scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 -Modules linked in: - -CPU: 2 PID: 3643 Comm: syz-executor397 Not tainted -5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0 -Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-204/01/2014 -RIP: 0010:scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 -Code: e7 fc 31 ff 44 89 f6 e8 c1 4e e7 fc 45 85 f6 0f 84 1a f5 ff ff e8 -93 4c e7 fc 83 c5 01 0f b7 ed e9 0f f5 ff ff e8 83 4c e7 fc <0f> 0b 41 - bc 0a 00 00 00 e9 2b fb ff ff 41 bc 09 00 00 00 e9 20 fb -RSP: 0018:ffffc90000d07558 EFLAGS: 00010293 -RAX: 0000000000000000 RBX: ffff88801bfc96a0 RCX: 0000000000000000 -RDX: ffff88801c876000 RSI: ffffffff849060bd RDI: 0000000000000003 -RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 -R10: ffffffff849055b9 R11: 0000000000000000 R12: ffff888012b8c000 -R13: ffff88801bfc9580 R14: 0000000000000000 R15: ffff88801432c000 -FS: 00007effdec8e700(0000) GS:ffff88802cc00000(0000) -knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007effdec6d718 CR3: 00000000206d6000 CR4: 0000000000150ee0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1219 [inline] - scsi_prepare_cmd drivers/scsi/scsi_lib.c:1614 [inline] - scsi_queue_rq+0x283e/0x3630 drivers/scsi/scsi_lib.c:1730 - blk_mq_dispatch_rq_list+0x6ea/0x22e0 block/blk-mq.c:1851 - __blk_mq_sched_dispatch_requests+0x20b/0x410 block/blk-mq-sched.c:299 - blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:332 - __blk_mq_run_hw_queue+0xf9/0x350 block/blk-mq.c:1968 - __blk_mq_delay_run_hw_queue+0x5b6/0x6c0 block/blk-mq.c:2045 - blk_mq_run_hw_queue+0x30f/0x480 block/blk-mq.c:2096 - blk_mq_sched_insert_request+0x340/0x440 block/blk-mq-sched.c:451 - blk_execute_rq+0xcc/0x340 block/blk-mq.c:1231 - sg_io+0x67c/0x1210 drivers/scsi/scsi_ioctl.c:485 - scsi_ioctl_sg_io drivers/scsi/scsi_ioctl.c:866 [inline] - scsi_ioctl+0xa66/0x1560 drivers/scsi/scsi_ioctl.c:921 - sd_ioctl+0x199/0x2a0 drivers/scsi/sd.c:1576 - blkdev_ioctl+0x37a/0x800 block/ioctl.c:588 - vfs_ioctl fs/ioctl.c:51 [inline] - __do_sys_ioctl fs/ioctl.c:874 [inline] - __se_sys_ioctl fs/ioctl.c:860 [inline] - __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x44/0xae -RIP: 0033:0x7effdecdc5d9 -Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 -f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 -f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007effdec8e2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 -RAX: ffffffffffffffda RBX: 00007effded664c0 RCX: 00007effdecdc5d9 -RDX: 0000000020002300 RSI: 0000000000002285 RDI: 0000000000000004 -RBP: 00007effded34034 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 -R13: 00007effded34054 R14: 2f30656c69662f2e R15: 00007effded664c8 - -Link: https://lore.kernel.org/r/20220720025120.3226770-1-yanaijie@huawei.com -Fixes: 25636e282fe9 ("block: fix SG_IO vector request data length handling") -Reported-by: syzbot+d44b35ecfb807e5af0b5@syzkaller.appspotmail.com -Reviewed-by: Christoph Hellwig -Reviewed-by: Bart Van Assche -Signed-off-by: Jason Yan -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/scsi_ioctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/scsi_ioctl.c b/drivers/scsi/scsi_ioctl.c -index a06c61f22742..6e2f82152b4a 100644 ---- a/drivers/scsi/scsi_ioctl.c -+++ b/drivers/scsi/scsi_ioctl.c -@@ -457,7 +457,7 @@ static int sg_io(struct scsi_device *sdev, struct gendisk *disk, - goto out_free_cdb; - - ret = 0; -- if (hdr->iovec_count) { -+ if (hdr->iovec_count && hdr->dxfer_len) { - struct iov_iter i; - struct iovec *iov = NULL; - --- -2.35.1 - diff --git a/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during.patch b/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during.patch deleted file mode 100644 index 1982a7227b1..00000000000 --- a/queue-5.15/scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b4d21334619c4ef06ef1832f7db1b552e104b4d9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 10:24:48 -0400 -Subject: scsi: mpt3sas: Stop fw fault watchdog work item during system - shutdown - -From: David Jeffery - -[ Upstream commit 0fde22c5420ed258ee538a760291c2f3935f6a01 ] - -During system shutdown or reboot, mpt3sas will reset the firmware back to -ready state. However, the driver leaves running a watchdog work item -intended to keep the firmware in operational state. This causes a second, -unneeded reset on shutdown and moves the firmware back to operational -instead of in ready state as intended. And if the mpt3sas_fwfault_debug -module parameter is set, this extra reset also panics the system. - -mpt3sas's scsih_shutdown needs to stop the watchdog before resetting the -firmware back to ready state. - -Link: https://lore.kernel.org/r/20220722142448.6289-1-djeffery@redhat.com -Fixes: fae21608c31c ("scsi: mpt3sas: Transition IOC to Ready state during shutdown") -Tested-by: Laurence Oberman -Acked-by: Sreekanth Reddy -Signed-off-by: David Jeffery -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/mpt3sas/mpt3sas_scsih.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -index af275ac42795..5351959fbaba 100644 ---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c -+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -@@ -11386,6 +11386,7 @@ scsih_shutdown(struct pci_dev *pdev) - _scsih_ir_shutdown(ioc); - _scsih_nvme_shutdown(ioc); - mpt3sas_base_mask_interrupts(ioc); -+ mpt3sas_base_stop_watchdog(ioc); - ioc->shost_recovery = 1; - mpt3sas_base_make_ioc_ready(ioc, SOFT_RESET); - ioc->shost_recovery = 0; --- -2.35.1 - diff --git a/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch b/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch deleted file mode 100644 index 610596a21ec..00000000000 --- a/queue-5.15/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch +++ /dev/null @@ -1,61 +0,0 @@ -From b30e11a395cf847b4266f0f0971244256bc61cd9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 15:15:29 +0800 -Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle() - -From: Liang He - -[ Upstream commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 ] - -In ufshcd_populate_vreg(), we should hold the reference returned by -of_parse_phandle() and then use it to call of_node_put() for refcount -balance. - -Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com -Fixes: aa4976130934 ("ufs: Add regulator enable support") -Reviewed-by: Bart Van Assche -Signed-off-by: Liang He -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c -index 87975d1a21c8..adc302b1a57a 100644 ---- a/drivers/scsi/ufs/ufshcd-pltfrm.c -+++ b/drivers/scsi/ufs/ufshcd-pltfrm.c -@@ -107,9 +107,20 @@ static int ufshcd_parse_clock_info(struct ufs_hba *hba) - return ret; - } - -+static bool phandle_exists(const struct device_node *np, -+ const char *phandle_name, int index) -+{ -+ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index); -+ -+ if (parse_np) -+ of_node_put(parse_np); -+ -+ return parse_np != NULL; -+} -+ - #define MAX_PROP_SIZE 32 - static int ufshcd_populate_vreg(struct device *dev, const char *name, -- struct ufs_vreg **out_vreg) -+ struct ufs_vreg **out_vreg) - { - char prop_name[MAX_PROP_SIZE]; - struct ufs_vreg *vreg = NULL; -@@ -121,7 +132,7 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name, - } - - snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); -- if (!of_parse_phandle(np, prop_name, 0)) { -+ if (!phandle_exists(np, prop_name, 0)) { - dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", - __func__, prop_name); - goto out; --- -2.35.1 - diff --git a/queue-5.15/series b/queue-5.15/series index 7c2be9da69b..854edccf239 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -31,25 +31,12 @@ net-ping6-fix-memleak-in-ipv6_renew_options.patch ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch net-tls-remove-the-context-from-the-list-in-tls_device_down.patch igmp-fix-data-races-around-sysctl_igmp_qrv.patch -s390-archrandom-prevent-cpacf-trng-invocations-in-in.patch net-pcs-xpcs-propagate-xpcs_read-error-to-xpcs_get_s.patch net-sungem_phy-add-of_node_put-for-reference-returne.patch -tcp-fix-data-races-around-sysctl_tcp_dsack.patch-17026 -tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch-22294 -tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch-19790 -tcp-fix-a-data-race-around-sysctl_tcp_frto.patch-3670 -tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch-5497 -tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_met.patch -tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch-32656 -tcp-fix-a-data-race-around-sysctl_tcp_limit_output_b.patch -tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_.patch tcp-fix-a-data-race-around-sysctl_tcp_min_tso_segs.patch tcp-fix-a-data-race-around-sysctl_tcp_min_rtt_wlen.patch tcp-fix-a-data-race-around-sysctl_tcp_autocorking.patch tcp-fix-a-data-race-around-sysctl_tcp_invalid_rateli.patch -asm-generic-remove-a-broken-and-needless-ifdef-condi.patch -revert-tcp-change-pingpong-threshold-to-3.patch-30941 -net-tls-remove-the-context-from-the-list-in-tls_devi.patch documentation-fix-sctp_wmem-in-ip-sysctl.rst.patch macsec-fix-null-deref-in-macsec_add_rxsa.patch macsec-fix-error-message-in-macsec_add_rxsa-and-_txs.patch @@ -67,18 +54,8 @@ ipv4-fix-data-races-around-sysctl_fib_notify_on_flag.patch i40e-fix-interface-init-with-msi-interrupts-no-msi-x.patch sctp-fix-sleep-in-atomic-context-bug-in-timer-handle.patch octeontx2-pf-cn10k-fix-egress-ratelimit-configuratio.patch -octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch-781 netfilter-nf_queue-do-not-allow-packet-truncation-be.patch -ice-check-dd-eof-bits-on-rx-descriptor-rather-than-e.patch -ice-do-not-setup-vlan-for-loopback-vsi.patch-1510 -scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during.patch -scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch -scsi-core-fix-warning-in-scsi_alloc_sgtables.patch-8274 virtio-net-fix-the-race-between-refill-work-and-clos.patch perf-symbol-correct-address-for-bss-symbols.patch sfc-disable-softirqs-for-ptp-tx.patch sctp-leave-the-err-path-free-in-sctp_stream_init-to-.patch -watch_queue-fix-missing-rcu-annotation.patch-18505 -watch_queue-fix-missing-locking-in-add_watch_to_obje.patch -net-ping6-fix-memleak-in-ipv6_renew_options.patch-12523 -ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch-17245 diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch-19790 b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch-19790 deleted file mode 100644 index 5682d6afd8b..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_adv_win_scale.patch-19790 +++ /dev/null @@ -1,36 +0,0 @@ -From 2c2c4964d511d85932c83e2cc5ff64cb8ae5c52e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:14 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_adv_win_scale. - -From: Kuniyuki Iwashima - -[ Upstream commit 36eeee75ef0157e42fb6593dcc65daab289b559e ] - -While reading sysctl_tcp_adv_win_scale, it can be changed concurrently. -Thus, we need to add READ_ONCE() to its reader. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 8ce8aafeef0f..76b0d7f2b967 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1406,7 +1406,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, - - static inline int tcp_win_from_space(const struct sock *sk, int space) - { -- int tcp_adv_win_scale = sock_net(sk)->ipv4.sysctl_tcp_adv_win_scale; -+ int tcp_adv_win_scale = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_adv_win_scale); - - return tcp_adv_win_scale <= 0 ? - (space>>(-tcp_adv_win_scale)) : --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch-22294 b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch-22294 deleted file mode 100644 index 826d08214fa..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_app_win.patch-22294 +++ /dev/null @@ -1,36 +0,0 @@ -From 01d0355715b3e8b0718bc8922ecd294148810b21 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:13 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_app_win. - -From: Kuniyuki Iwashima - -[ Upstream commit 02ca527ac5581cf56749db9fd03d854e842253dd ] - -While reading sysctl_tcp_app_win, it can be changed concurrently. -Thus, we need to add READ_ONCE() to its reader. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index e066c527a723..1c940517f5f5 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -526,7 +526,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb, - */ - static void tcp_init_buffer_space(struct sock *sk) - { -- int tcp_app_win = sock_net(sk)->ipv4.sysctl_tcp_app_win; -+ int tcp_app_win = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_app_win); - struct tcp_sock *tp = tcp_sk(sk); - int maxwin; - --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_.patch b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_.patch deleted file mode 100644 index 45b3be56b20..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 820771349c258fcb893ad8ff9992b0cc1d27de45 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:21 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. - -From: Kuniyuki Iwashima - -[ Upstream commit db3815a2fa691da145cfbe834584f31ad75df9ff ] - -While reading sysctl_tcp_challenge_ack_limit, it can be changed -concurrently. Thus, we need to add READ_ONCE() to its reader. - -Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 426f8fe02850..a5357ebfbcc0 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -3622,7 +3622,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) - /* Then check host-wide RFC 5961 rate limit. */ - now = jiffies / HZ; - if (now != challenge_timestamp) { -- u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit; -+ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); - u32 half = (ack_limit + 1) >> 1; - - challenge_timestamp = now; --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch-3670 b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch-3670 deleted file mode 100644 index 425c0d5417d..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_frto.patch-3670 +++ /dev/null @@ -1,36 +0,0 @@ -From 64fd28e6e558585b066d00ac8cd29d08a2eb58b1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:15 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_frto. - -From: Kuniyuki Iwashima - -[ Upstream commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 ] - -While reading sysctl_tcp_frto, it can be changed concurrently. -Thus, we need to add READ_ONCE() to its reader. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 1c940517f5f5..b9fd51826aea 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -2167,7 +2167,7 @@ void tcp_enter_loss(struct sock *sk) - * loss recovery is underway except recurring timeout(s) on - * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing - */ -- tp->frto = net->ipv4.sysctl_tcp_frto && -+ tp->frto = READ_ONCE(net->ipv4.sysctl_tcp_frto) && - (new_recovery || icsk->icsk_retransmits) && - !inet_csk(sk)->icsk_mtup.probe_size; - } --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_b.patch b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_b.patch deleted file mode 100644 index 7eb9b1a1f30..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_limit_output_b.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 68b671415407d91c1e4a99211604b999304afc85 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:20 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. - -From: Kuniyuki Iwashima - -[ Upstream commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 ] - -While reading sysctl_tcp_limit_output_bytes, it can be changed -concurrently. Thus, we need to add READ_ONCE() to its reader. - -Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_output.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index caf9283f9b0f..8b6d89bb2d36 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -2506,7 +2506,7 @@ static bool tcp_small_queue_check(struct sock *sk, const struct sk_buff *skb, - sk->sk_pacing_rate >> READ_ONCE(sk->sk_pacing_shift)); - if (sk->sk_pacing_status == SK_PACING_NONE) - limit = min_t(unsigned long, limit, -- sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes); -+ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes)); - limit <<= factor; - - if (static_branch_unlikely(&tcp_tx_delay_enabled) && --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_min_tso_segs.patch b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_min_tso_segs.patch index ea295f817e6..212d8a7903e 100644 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_min_tso_segs.patch +++ b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_min_tso_segs.patch @@ -15,14 +15,12 @@ Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - net/ipv4/tcp_output.c | 2 +- + net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 8b6d89bb2d36..3a84553fb4ed 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c -@@ -1989,7 +1989,7 @@ static u32 tcp_tso_segs(struct sock *sk, unsigned int mss_now) +@@ -1986,7 +1986,7 @@ static u32 tcp_tso_segs(struct sock *sk, min_tso = ca_ops->min_tso_segs ? ca_ops->min_tso_segs(sk) : @@ -31,6 +29,3 @@ index 8b6d89bb2d36..3a84553fb4ed 100644 tso_segs = tcp_tso_autosize(sk, mss_now, min_tso); return min_t(u32, tso_segs, sk->sk_gso_max_segs); --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch-5497 b/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch-5497 deleted file mode 100644 index 4afa21db9c3..00000000000 --- a/queue-5.15/tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch-5497 +++ /dev/null @@ -1,36 +0,0 @@ -From 72a1d5ff658140f598f89c99c368e997e4dd6ae7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:16 -0700 -Subject: tcp: Fix a data-race around sysctl_tcp_nometrics_save. - -From: Kuniyuki Iwashima - -[ Upstream commit 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 ] - -While reading sysctl_tcp_nometrics_save, it can be changed concurrently. -Thus, we need to add READ_ONCE() to its reader. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_metrics.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c -index a501150deaa3..9dcc418a26f2 100644 ---- a/net/ipv4/tcp_metrics.c -+++ b/net/ipv4/tcp_metrics.c -@@ -329,7 +329,7 @@ void tcp_update_metrics(struct sock *sk) - int m; - - sk_dst_confirm(sk); -- if (net->ipv4.sysctl_tcp_nometrics_save || !dst) -+ if (READ_ONCE(net->ipv4.sysctl_tcp_nometrics_save) || !dst) - return; - - rcu_read_lock(); --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_dsack.patch-17026 b/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_dsack.patch-17026 deleted file mode 100644 index 40a87e6f997..00000000000 --- a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_dsack.patch-17026 +++ /dev/null @@ -1,45 +0,0 @@ -From f9e076cbb094b959e6e2304894fff853a915d812 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:12 -0700 -Subject: tcp: Fix data-races around sysctl_tcp_dsack. - -From: Kuniyuki Iwashima - -[ Upstream commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d ] - -While reading sysctl_tcp_dsack, it can be changed concurrently. -Thus, we need to add READ_ONCE() to its readers. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 2d21d8bf3b8c..e066c527a723 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -4419,7 +4419,7 @@ static void tcp_dsack_set(struct sock *sk, u32 seq, u32 end_seq) - { - struct tcp_sock *tp = tcp_sk(sk); - -- if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) { -+ if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) { - int mib_idx; - - if (before(seq, tp->rcv_nxt)) -@@ -4466,7 +4466,7 @@ static void tcp_send_dupack(struct sock *sk, const struct sk_buff *skb) - NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOST); - tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS); - -- if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) { -+ if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) { - u32 end_seq = TCP_SKB_CB(skb)->end_seq; - - tcp_rcv_spurious_retrans(sk, skb); --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch-32656 b/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch-32656 deleted file mode 100644 index 50ac547020a..00000000000 --- a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch-32656 +++ /dev/null @@ -1,50 +0,0 @@ -From b3a4a46c8114c2565fd8b6758f66f760b12588da Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:18 -0700 -Subject: tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. - -From: Kuniyuki Iwashima - -[ Upstream commit 780476488844e070580bfc9e3bc7832ec1cea883 ] - -While reading sysctl_tcp_moderate_rcvbuf, it can be changed -concurrently. Thus, we need to add READ_ONCE() to its readers. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 2 +- - net/mptcp/protocol.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index b9fd51826aea..426f8fe02850 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -716,7 +716,7 @@ void tcp_rcv_space_adjust(struct sock *sk) - * - */ - -- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf && -+ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) && - !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { - int rcvmem, rcvbuf; - u64 rcvwin, grow; -diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c -index d6def23b8cba..01ede89e3c46 100644 ---- a/net/mptcp/protocol.c -+++ b/net/mptcp/protocol.c -@@ -1881,7 +1881,7 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied) - if (msk->rcvq_space.copied <= msk->rcvq_space.space) - goto new_measure; - -- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf && -+ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) && - !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) { - int rcvmem, rcvbuf; - u64 rcvwin, grow; --- -2.35.1 - diff --git a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_met.patch b/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_met.patch deleted file mode 100644 index 4a6d2362441..00000000000 --- a/queue-5.15/tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_met.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 6b07ef9a9ac13f3e43fb3b713c23345768eb51d6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 09:50:17 -0700 -Subject: tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save. - -From: Kuniyuki Iwashima - -[ Upstream commit ab1ba21b523ab496b1a4a8e396333b24b0a18f9a ] - -While reading sysctl_tcp_no_ssthresh_metrics_save, it can be changed -concurrently. Thus, we need to add READ_ONCE() to its readers. - -Fixes: 65e6d90168f3 ("net-tcp: Disable TCP ssthresh metrics cache by default") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_metrics.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c -index 9dcc418a26f2..d58e672be31c 100644 ---- a/net/ipv4/tcp_metrics.c -+++ b/net/ipv4/tcp_metrics.c -@@ -385,7 +385,7 @@ void tcp_update_metrics(struct sock *sk) - - if (tcp_in_initial_slowstart(tp)) { - /* Slow start still did not finish. */ -- if (!net->ipv4.sysctl_tcp_no_ssthresh_metrics_save && -+ if (!READ_ONCE(net->ipv4.sysctl_tcp_no_ssthresh_metrics_save) && - !tcp_metric_locked(tm, TCP_METRIC_SSTHRESH)) { - val = tcp_metric_get(tm, TCP_METRIC_SSTHRESH); - if (val && (tcp_snd_cwnd(tp) >> 1) > val) -@@ -401,7 +401,7 @@ void tcp_update_metrics(struct sock *sk) - } else if (!tcp_in_slow_start(tp) && - icsk->icsk_ca_state == TCP_CA_Open) { - /* Cong. avoidance phase, cwnd is reliable. */ -- if (!net->ipv4.sysctl_tcp_no_ssthresh_metrics_save && -+ if (!READ_ONCE(net->ipv4.sysctl_tcp_no_ssthresh_metrics_save) && - !tcp_metric_locked(tm, TCP_METRIC_SSTHRESH)) - tcp_metric_set(tm, TCP_METRIC_SSTHRESH, - max(tcp_snd_cwnd(tp) >> 1, tp->snd_ssthresh)); -@@ -418,7 +418,7 @@ void tcp_update_metrics(struct sock *sk) - tcp_metric_set(tm, TCP_METRIC_CWND, - (val + tp->snd_ssthresh) >> 1); - } -- if (!net->ipv4.sysctl_tcp_no_ssthresh_metrics_save && -+ if (!READ_ONCE(net->ipv4.sysctl_tcp_no_ssthresh_metrics_save) && - !tcp_metric_locked(tm, TCP_METRIC_SSTHRESH)) { - val = tcp_metric_get(tm, TCP_METRIC_SSTHRESH); - if (val && tp->snd_ssthresh > val) -@@ -463,7 +463,7 @@ void tcp_init_metrics(struct sock *sk) - if (tcp_metric_locked(tm, TCP_METRIC_CWND)) - tp->snd_cwnd_clamp = tcp_metric_get(tm, TCP_METRIC_CWND); - -- val = net->ipv4.sysctl_tcp_no_ssthresh_metrics_save ? -+ val = READ_ONCE(net->ipv4.sysctl_tcp_no_ssthresh_metrics_save) ? - 0 : tcp_metric_get(tm, TCP_METRIC_SSTHRESH); - if (val) { - tp->snd_ssthresh = val; --- -2.35.1 - diff --git a/queue-5.15/virtio-net-fix-the-race-between-refill-work-and-clos.patch b/queue-5.15/virtio-net-fix-the-race-between-refill-work-and-clos.patch index c5cbfa00963..99d207f5d09 100644 --- a/queue-5.15/virtio-net-fix-the-race-between-refill-work-and-clos.patch +++ b/queue-5.15/virtio-net-fix-the-race-between-refill-work-and-clos.patch @@ -51,11 +51,9 @@ Reviewed-by: Xuan Zhuo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - drivers/net/virtio_net.c | 37 ++++++++++++++++++++++++++++++++++--- + drivers/net/virtio_net.c | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 318c681ad63e..53cefad2a79d 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -213,9 +213,15 @@ struct virtnet_info { @@ -75,7 +73,7 @@ index 318c681ad63e..53cefad2a79d 100644 /* Work struct for config space updates */ struct work_struct config_work; -@@ -319,6 +325,20 @@ static struct page *get_a_page(struct receive_queue *rq, gfp_t gfp_mask) +@@ -319,6 +325,20 @@ static struct page *get_a_page(struct re return p; } @@ -96,7 +94,7 @@ index 318c681ad63e..53cefad2a79d 100644 static void virtqueue_napi_schedule(struct napi_struct *napi, struct virtqueue *vq) { -@@ -1454,8 +1474,12 @@ static int virtnet_receive(struct receive_queue *rq, int budget, +@@ -1454,8 +1474,12 @@ static int virtnet_receive(struct receiv } if (rq->vq->num_free > min((unsigned int)budget, virtqueue_get_vring_size(rq->vq)) / 2) { @@ -111,7 +109,7 @@ index 318c681ad63e..53cefad2a79d 100644 } u64_stats_update_begin(&rq->stats.syncp); -@@ -1578,6 +1602,8 @@ static int virtnet_open(struct net_device *dev) +@@ -1578,6 +1602,8 @@ static int virtnet_open(struct net_devic struct virtnet_info *vi = netdev_priv(dev); int i, err; @@ -120,7 +118,7 @@ index 318c681ad63e..53cefad2a79d 100644 for (i = 0; i < vi->max_queue_pairs; i++) { if (i < vi->curr_queue_pairs) /* Make sure we have some buffers: if oom use wq. */ -@@ -1958,6 +1984,8 @@ static int virtnet_close(struct net_device *dev) +@@ -1958,6 +1984,8 @@ static int virtnet_close(struct net_devi struct virtnet_info *vi = netdev_priv(dev); int i; @@ -129,7 +127,7 @@ index 318c681ad63e..53cefad2a79d 100644 /* Make sure refill_work doesn't re-enable napi! */ cancel_delayed_work_sync(&vi->refill); -@@ -2455,6 +2483,8 @@ static int virtnet_restore_up(struct virtio_device *vdev) +@@ -2455,6 +2483,8 @@ static int virtnet_restore_up(struct vir virtio_device_ready(vdev); @@ -138,7 +136,7 @@ index 318c681ad63e..53cefad2a79d 100644 if (netif_running(vi->dev)) { err = virtnet_open(vi->dev); if (err) -@@ -3162,6 +3192,7 @@ static int virtnet_probe(struct virtio_device *vdev) +@@ -3162,6 +3192,7 @@ static int virtnet_probe(struct virtio_d vdev->priv = vi; INIT_WORK(&vi->config_work, virtnet_config_changed_work); @@ -146,6 +144,3 @@ index 318c681ad63e..53cefad2a79d 100644 /* If we can receive ANY GSO packets, we must allocate large ones. */ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || --- -2.35.1 - diff --git a/queue-5.15/watch_queue-fix-missing-locking-in-add_watch_to_obje.patch b/queue-5.15/watch_queue-fix-missing-locking-in-add_watch_to_obje.patch deleted file mode 100644 index 492ab3c769c..00000000000 --- a/queue-5.15/watch_queue-fix-missing-locking-in-add_watch_to_obje.patch +++ /dev/null @@ -1,120 +0,0 @@ -From bfe5eaf5aac9d468598ad292627d44632264d877 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 10:31:12 +0100 -Subject: watch_queue: Fix missing locking in add_watch_to_object() - -From: Linus Torvalds - -[ Upstream commit e64ab2dbd882933b65cd82ff6235d705ad65dbb6 ] - -If a watch is being added to a queue, it needs to guard against -interference from addition of a new watch, manual removal of a watch and -removal of a watch due to some other queue being destroyed. - -KEYCTL_WATCH_KEY guards against this for the same {key,queue} pair by -holding the key->sem writelocked and by holding refs on both the key and -the queue - but that doesn't prevent interaction from other {key,queue} -pairs. - -While add_watch_to_object() does take the spinlock on the event queue, -it doesn't take the lock on the source's watch list. The assumption was -that the caller would prevent that (say by taking key->sem) - but that -doesn't prevent interference from the destruction of another queue. - -Fix this by locking the watcher list in add_watch_to_object(). - -Fixes: c73be61cede5 ("pipe: Add general notification queue support") -Reported-by: syzbot+03d7b43290037d1f87ca@syzkaller.appspotmail.com -Signed-off-by: David Howells -cc: keyrings@vger.kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/watch_queue.c | 58 +++++++++++++++++++++++++++----------------- - 1 file changed, 36 insertions(+), 22 deletions(-) - -diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c -index 7019d337ce86..1059ef6c3711 100644 ---- a/kernel/watch_queue.c -+++ b/kernel/watch_queue.c -@@ -457,6 +457,33 @@ void init_watch(struct watch *watch, struct watch_queue *wqueue) - rcu_assign_pointer(watch->queue, wqueue); - } - -+static int add_one_watch(struct watch *watch, struct watch_list *wlist, struct watch_queue *wqueue) -+{ -+ const struct cred *cred; -+ struct watch *w; -+ -+ hlist_for_each_entry(w, &wlist->watchers, list_node) { -+ struct watch_queue *wq = rcu_access_pointer(w->queue); -+ if (wqueue == wq && watch->id == w->id) -+ return -EBUSY; -+ } -+ -+ cred = current_cred(); -+ if (atomic_inc_return(&cred->user->nr_watches) > task_rlimit(current, RLIMIT_NOFILE)) { -+ atomic_dec(&cred->user->nr_watches); -+ return -EAGAIN; -+ } -+ -+ watch->cred = get_cred(cred); -+ rcu_assign_pointer(watch->watch_list, wlist); -+ -+ kref_get(&wqueue->usage); -+ kref_get(&watch->usage); -+ hlist_add_head(&watch->queue_node, &wqueue->watches); -+ hlist_add_head_rcu(&watch->list_node, &wlist->watchers); -+ return 0; -+} -+ - /** - * add_watch_to_object - Add a watch on an object to a watch list - * @watch: The watch to add -@@ -471,34 +498,21 @@ void init_watch(struct watch *watch, struct watch_queue *wqueue) - */ - int add_watch_to_object(struct watch *watch, struct watch_list *wlist) - { -- struct watch_queue *wqueue = rcu_access_pointer(watch->queue); -- struct watch *w; -- -- hlist_for_each_entry(w, &wlist->watchers, list_node) { -- struct watch_queue *wq = rcu_access_pointer(w->queue); -- if (wqueue == wq && watch->id == w->id) -- return -EBUSY; -- } -- -- watch->cred = get_current_cred(); -- rcu_assign_pointer(watch->watch_list, wlist); -+ struct watch_queue *wqueue; -+ int ret = -ENOENT; - -- if (atomic_inc_return(&watch->cred->user->nr_watches) > -- task_rlimit(current, RLIMIT_NOFILE)) { -- atomic_dec(&watch->cred->user->nr_watches); -- put_cred(watch->cred); -- return -EAGAIN; -- } -+ rcu_read_lock(); - -+ wqueue = rcu_access_pointer(watch->queue); - if (lock_wqueue(wqueue)) { -- kref_get(&wqueue->usage); -- kref_get(&watch->usage); -- hlist_add_head(&watch->queue_node, &wqueue->watches); -+ spin_lock(&wlist->lock); -+ ret = add_one_watch(watch, wlist, wqueue); -+ spin_unlock(&wlist->lock); - unlock_wqueue(wqueue); - } - -- hlist_add_head_rcu(&watch->list_node, &wlist->watchers); -- return 0; -+ rcu_read_unlock(); -+ return ret; - } - EXPORT_SYMBOL(add_watch_to_object); - --- -2.35.1 - diff --git a/queue-5.15/watch_queue-fix-missing-rcu-annotation.patch-18505 b/queue-5.15/watch_queue-fix-missing-rcu-annotation.patch-18505 deleted file mode 100644 index b8929605c43..00000000000 --- a/queue-5.15/watch_queue-fix-missing-rcu-annotation.patch-18505 +++ /dev/null @@ -1,40 +0,0 @@ -From efb849e71a853a285d2b1728572cb644e20913e9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 10:31:06 +0100 -Subject: watch_queue: Fix missing rcu annotation - -From: David Howells - -[ Upstream commit e0339f036ef4beb9b20f0b6532a1e0ece7f594c6 ] - -Since __post_watch_notification() walks wlist->watchers with only the -RCU read lock held, we need to use RCU methods to add to the list (we -already use RCU methods to remove from the list). - -Fix add_watch_to_object() to use hlist_add_head_rcu() instead of -hlist_add_head() for that list. - -Fixes: c73be61cede5 ("pipe: Add general notification queue support") -Signed-off-by: David Howells -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/watch_queue.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c -index debebcd2664e..7019d337ce86 100644 ---- a/kernel/watch_queue.c -+++ b/kernel/watch_queue.c -@@ -497,7 +497,7 @@ int add_watch_to_object(struct watch *watch, struct watch_list *wlist) - unlock_wqueue(wqueue); - } - -- hlist_add_head(&watch->list_node, &wlist->watchers); -+ hlist_add_head_rcu(&watch->list_node, &wlist->watchers); - return 0; - } - EXPORT_SYMBOL(add_watch_to_object); --- -2.35.1 - -- 2.47.3