From efbd3463ff49faa4393c8a362d15b7494a7b6957 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 23 Jul 2023 21:25:10 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++++++++++++++++++ ...heck-debug_objects_enabled-before-re.patch | 74 ++++++++ ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 ++++ ...warn-about-invalid-left-right-margin.patch | 43 +++++ ...ix-igb_down-hung-on-surprise-removal.patch | 89 +++++++++ ...on-t-drop-packet-from-non-root-netns.patch | 50 +++++ ...uption-for-raid456-when-reshape-rest.patch | 60 ++++++ ...event-soft-lockup-while-flush-writes.patch | 79 ++++++++ ...mum-limit-of-allocated-index-in-nbd_.patch | 41 ++++ ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 ++++++++ ...ipv6-check-return-value-of-pskb_trim.patch | 39 ++++ ...limit-of-tcp_linger2-with-tcp_fin_ti.patch | 73 ++++++++ ...les-can-t-schedule-in-nft_chain_vali.patch | 64 +++++++ ...les-fix-spurious-set-element-inserti.patch | 49 +++++ ...amd_pinconf_set-for-all-config-optio.patch | 108 +++++++++++ ...ure-timer-id-search-loop-limit-is-va.patch | 115 ++++++++++++ ...-the-lookup-process-failing-to-get-s.patch | 113 +++++++++++ ...-balance-task-to-its-current-running.patch | 96 ++++++++++ queue-4.19/series | 25 +++ .../spi-bcm63xx-fix-max-prepend-length.patch | 47 +++++ ...data-races-around-fastopenq.max_qlen.patch | 77 ++++++++ ...-data-races-around-rskq_defer_accept.patch | 53 ++++++ ...nnotate-data-races-around-tp-linger2.patch | 52 +++++ ...e-data-races-around-tp-notsent_lowat.patch | 64 +++++++ ...mvm-avoid-baid-size-integer-overflow.patch | 47 +++++ ...ix-wstringop-overflow-warning-in-ioc.patch | 71 +++++++ 26 files changed, 1824 insertions(+) create mode 100644 queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch create mode 100644 queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch create mode 100644 queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch create mode 100644 queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch create mode 100644 queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch create mode 100644 queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch create mode 100644 queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch create mode 100644 queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch diff --git a/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch new file mode 100644 index 00000000000..7569c7a2f4a --- /dev/null +++ b/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch @@ -0,0 +1,177 @@ +From 2c488883c37e2823eef1b80cae4edf8e97997e0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index 9b5eeff72fd37..39a0e768adc39 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -44,7 +44,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } + + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -92,7 +97,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -113,7 +118,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -356,7 +361,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -422,7 +427,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -525,7 +530,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -571,7 +576,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -597,7 +602,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node *)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 7d4f89b7cb841..08da78b59f0b9 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -66,11 +66,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch b/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch new file mode 100644 index 00000000000..e8a1d10593c --- /dev/null +++ b/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch @@ -0,0 +1,74 @@ +From 233f69239c9aa2b9be0322933feb055562d8f437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 19:19:02 +0900 +Subject: debugobjects: Recheck debug_objects_enabled before reporting + +From: Tetsuo Handa + +[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ] + +syzbot is reporting false a positive ODEBUG message immediately after +ODEBUG was disabled due to OOM. + + [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled + [ 1062.886755][ T5171] ------------[ cut here ]------------ + [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40 + + CPU 0 [ T5171] CPU 1 [T22911] + -------------- -------------- + debug_object_assert_init() { + if (!debug_objects_enabled) + return; + db = get_bucket(addr); + lookup_object_or_alloc() { + debug_objects_enabled = 0; + return NULL; + } + debug_objects_oom() { + pr_warn("Out of memory. ODEBUG disabled\n"); + // all buckets get emptied here, and + } + lookup_object_or_alloc(addr, db, descr, false, true) { + // this bucket is already empty. + return ERR_PTR(-ENOENT); + } + // Emits false positive warning. + debug_print_object(&o, "assert_init"); + } + +Recheck debug_object_enabled in debug_print_object() to avoid that. + +Reported-by: syzbot +Suggested-by: Thomas Gleixner +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp +Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 5f23d896df55a..62d095fd0c52a 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -371,6 +371,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg) + struct debug_obj_descr *descr = obj->descr; + static int limit; + ++ /* ++ * Don't report if lookup_object_or_alloc() by the current thread ++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a ++ * concurrent thread turned off debug_objects_enabled and cleared ++ * the hash buckets. ++ */ ++ if (!debug_objects_enabled) ++ return; ++ + if (limit < 5 && descr != descr_test) { + void *hint = descr->debug_hint ? + descr->debug_hint(obj->object) : NULL; +-- +2.39.2 + diff --git a/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..5f7e9d8e903 --- /dev/null +++ b/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch @@ -0,0 +1,40 @@ +From d95706927c87029a0dd3db53f6b360d5e0fc788a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index f8e83a9519189..593c390e98629 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1744,6 +1744,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + diff --git a/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..ddfec6a5be9 --- /dev/null +++ b/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch @@ -0,0 +1,43 @@ +From 579bc81ba8cb2dd46b633e39130cee0e0828597b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index c4eb8661f7516..8ec260ed9a6f6 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -601,10 +601,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..cd1d107835f --- /dev/null +++ b/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch @@ -0,0 +1,89 @@ +From d31c957cc8ca0a46d225cbe69724ba5a83276a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 6f9d563deb6ba..be51179089852 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9059,6 +9059,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..2ae40426913 --- /dev/null +++ b/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch @@ -0,0 +1,50 @@ +From 3be5e9a7e94dd56e5d1ec735d5f11d991fd11606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:41:51 -0700 +Subject: llc: Don't drop packet from non-root netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] + +Now these upper layer protocol handlers can be called from llc_rcv() +as sap->rcv_func(), which is registered by llc_sap_open(). + + * function which is passed to register_8022_client() + -> no in-kernel user calls register_8022_client(). + + * snap_rcv() + `- proto->rcvfunc() : registered by register_snap_client() + -> aarp_rcv() and atalk_rcv() drop packets from non-root netns + + * stp_pdu_rcv() + `- garp_protos[]->rcv() : registered by stp_proto_register() + -> garp_pdu_rcv() and br_stp_rcv() are netns-aware + +So, we can safely remove the netns restriction in llc_rcv(). + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index 82cb93f66b9bd..f9e801cc50f5e 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -162,9 +162,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, + void (*sta_handler)(struct sk_buff *skb); + void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); + +- if (!net_eq(dev_net(dev), &init_net)) +- goto drop; +- + /* + * When the interface is in promisc. mode, drop all the crap that it + * receives, do not try to analyse it. +-- +2.39.2 + diff --git a/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch new file mode 100644 index 00000000000..dfb8b2d7957 --- /dev/null +++ b/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch @@ -0,0 +1,60 @@ +From 8c977d8f9a4252e9b335230eb09b5cc3f52e6db1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:56:07 +0800 +Subject: md: fix data corruption for raid456 when reshape restart while grow + up + +From: Yu Kuai + +[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] + +Currently, if reshape is interrupted, echo "reshape" to sync_action will +restart reshape from scratch, for example: + +echo frozen > sync_action +echo reshape > sync_action + +This will corrupt data before reshape_position if the array is growing, +fix the problem by continue reshape from reshape_position. + +Reported-by: Peter Neuwirth +Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 2e23a898fc978..6b074c2202d5a 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4639,11 +4639,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) + return -EINVAL; + err = mddev_lock(mddev); + if (!err) { +- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { + err = -EBUSY; +- else { ++ } else if (mddev->reshape_position == MaxSector || ++ mddev->pers->check_reshape == NULL || ++ mddev->pers->check_reshape(mddev)) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + err = mddev->pers->start_reshape(mddev); ++ } else { ++ /* ++ * If reshape is still in progress, and ++ * md_check_recovery() can continue to reshape, ++ * don't restart reshape because data can be ++ * corrupted for raid456. ++ */ ++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + } + mddev_unlock(mddev); + } +-- +2.39.2 + diff --git a/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch new file mode 100644 index 00000000000..f2b33679d76 --- /dev/null +++ b/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch @@ -0,0 +1,79 @@ +From 1028f0b7c80c5262aa6683b18d6334476dd55f25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. + +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index d46056b07c079..bee694be20132 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -942,6 +942,7 @@ static void flush_pending_writes(struct r10conf *conf) + else + generic_make_request(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1127,6 +1128,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + else + generic_make_request(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch new file mode 100644 index 00000000000..83da249fff2 --- /dev/null +++ b/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch @@ -0,0 +1,41 @@ +From 7acd50017017a72aa1c54911c3e2fd8386dc3c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 20:21:59 +0800 +Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add + +From: Zhong Jinghua + +[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ] + +If the index allocated by idr_alloc greater than MINORMASK >> part_shift, +the device number will overflow, resulting in failure to create a block +device. + +Fix it by imiting the size of the max allocation. + +Signed-off-by: Zhong Jinghua +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 28024248a7b53..5a07964a1e676 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1646,7 +1646,8 @@ static int nbd_dev_add(int index) + if (err == -ENOSPC) + err = -EEXIST; + } else { +- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL); ++ err = idr_alloc(&nbd_index_idr, nbd, 0, ++ (MINORMASK >> part_shift) + 1, GFP_KERNEL); + if (err >= 0) + index = err; + } +-- +2.39.2 + diff --git a/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..f22db08d7b4 --- /dev/null +++ b/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch @@ -0,0 +1,78 @@ +From 4b1ceed57aa791f16d3264dae3b1a75703df6675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index c245629a38c76..6cb98760bc84e 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -67,23 +67,37 @@ + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..096de135394 --- /dev/null +++ b/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch @@ -0,0 +1,39 @@ +From 4f1ea261d5545d222edbe3ee226f6423f76ff7e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 45c304b51b2b7..aa8ada354a399 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -960,7 +960,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + diff --git a/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch b/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch new file mode 100644 index 00000000000..fa550b7fb0f --- /dev/null +++ b/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch @@ -0,0 +1,73 @@ +From b1ff776eeefc168d9e591f6d3c7d58f3c7ac80f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 16:06:16 +0800 +Subject: net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX + +From: Cambda Zhu + +[ Upstream commit f0628c524fd188c3f9418e12478dfdfadacba815 ] + +This patch changes the behavior of TCP_LINGER2 about its limit. The +sysctl_tcp_fin_timeout used to be the limit of TCP_LINGER2 but now it's +only the default value. A new macro named TCP_FIN_TIMEOUT_MAX is added +as the limit of TCP_LINGER2, which is 2 minutes. + +Since TCP_LINGER2 used sysctl_tcp_fin_timeout as the default value +and the limit in the past, the system administrator cannot set the +default value for most of sockets and let some sockets have a greater +timeout. It might be a mistake that let the sysctl to be the limit of +the TCP_LINGER2. Maybe we can add a new sysctl to set the max of +TCP_LINGER2, but FIN-WAIT-2 timeout is usually no need to be too long +and 2 minutes are legal considering TCP specs. + +Changes in v3: +- Remove the new socket option and change the TCP_LINGER2 behavior so + that the timeout can be set to value between sysctl_tcp_fin_timeout + and 2 minutes. + +Changes in v2: +- Add int overflow check for the new socket option. + +Changes in v1: +- Add a new socket option to set timeout greater than + sysctl_tcp_fin_timeout. + +Signed-off-by: Cambda Zhu +Signed-off-by: David S. Miller +Stable-dep-of: 9df5335ca974 ("tcp: annotate data-races around tp->linger2") +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 + + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 81300a04b5808..22cca858f2678 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -128,6 +128,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo); + * to combine FIN-WAIT-2 timeout with + * TIME-WAIT timer. + */ ++#define TCP_FIN_TIMEOUT_MAX (120 * HZ) /* max TCP_LINGER2 value (two minutes) */ + + #define TCP_DELACK_MAX ((unsigned)(HZ/5)) /* maximal time to delay before sending an ACK */ + #if HZ >= 100 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index cb96775fc86f6..9f3cdcbbb7590 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3001,8 +3001,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_LINGER2: + if (val < 0) + tp->linger2 = -1; +- else if (val > net->ipv4.sysctl_tcp_fin_timeout / HZ) +- tp->linger2 = 0; ++ else if (val > TCP_FIN_TIMEOUT_MAX / HZ) ++ tp->linger2 = TCP_FIN_TIMEOUT_MAX; + else + tp->linger2 = val * HZ; + break; +-- +2.39.2 + diff --git a/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch new file mode 100644 index 00000000000..c27fe0b50ff --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch @@ -0,0 +1,64 @@ +From 519800f3b9e064d6eec3b22116785effa817ba10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 01:30:33 +0200 +Subject: netfilter: nf_tables: can't schedule in nft_chain_validate + +From: Florian Westphal + +[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] + +Can be called via nft set element list iteration, which may acquire +rcu and/or bh read lock (depends on set type). + +BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +2 locks held by nft/1232: + #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid + #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire +Call Trace: + nft_chain_validate + nft_lookup_validate_setelem + nft_pipapo_walk + nft_lookup_validate + nft_chain_validate + nft_immediate_validate + nft_chain_validate + nf_tables_validate + nf_tables_abort + +No choice but to move it to nf_tables_validate(). + +Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f25b6337f150a..115bc79ec9055 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2602,8 +2602,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) + if (err < 0) + return err; + } +- +- cond_resched(); + } + + return 0; +@@ -2627,6 +2625,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) + err = nft_chain_validate(&ctx, chain); + if (err < 0) + return err; ++ ++ cond_resched(); + } + + return 0; +-- +2.39.2 + diff --git a/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch new file mode 100644 index 00000000000..868adf8b9e3 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch @@ -0,0 +1,49 @@ +From 976b926cc5c9ddd0dd5caf4c7b577052477d78eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 00:29:58 +0200 +Subject: netfilter: nf_tables: fix spurious set element insertion failure + +From: Florian Westphal + +[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] + +On some platforms there is a padding hole in the nft_verdict +structure, between the verdict code and the chain pointer. + +On element insertion, if the new element clashes with an existing one and +NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as +the data associated with duplicated element is the same as the existing +one. The data equality check uses memcmp. + +For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT +padding area leads to spurious failure even if the verdict data is the +same. + +This then makes the insertion fail with 'already exists' error, even +though the new "key : data" matches an existing entry and userspace +told the kernel that it doesn't want to receive an error indication. + +Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 16405e71a6780..f25b6337f150a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7248,6 +7248,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + + if (!tb[NFTA_VERDICT_CODE]) + return -EINVAL; ++ ++ /* zero padding hole for memcmp */ ++ memset(data, 0, sizeof(*data)); + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch new file mode 100644 index 00000000000..9b216e957f3 --- /dev/null +++ b/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch @@ -0,0 +1,108 @@ +From c6a53f20f6bffc5450fcb9e1b763e8c839407eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. + +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index d5f5661de13c6..c140ee16fe7c8 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -190,18 +190,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -686,7 +674,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -776,6 +764,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch new file mode 100644 index 00000000000..1d7b8e95a2c --- /dev/null +++ b/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch @@ -0,0 +1,115 @@ +From deabead3b46d4d115d9fd90afe2b7dbebe10919a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. + +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 660d78c9af6c8..6a55b30ae742b 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -127,7 +127,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 1234868b3b03e..8768ce2c4bf52 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -159,25 +159,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..75611e500a9 --- /dev/null +++ b/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch @@ -0,0 +1,113 @@ +From 0891c3b57a9ceed9c4e331ce92a2edea7581fc11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. + +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 5a272d09b8248..c6d670cd872f0 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -579,20 +579,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. +- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -601,7 +589,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index fedd19c22b392..88c5069b5d20c 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch new file mode 100644 index 00000000000..10c3af2ae82 --- /dev/null +++ b/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch @@ -0,0 +1,96 @@ +From 29445fe25db278af2e1f337c9529eeae5d380b35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. + +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index eb67f42fb96ba..09f82c84474b8 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -8721,7 +8721,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = sched_nr_migrate_break, + .cpus = cpus, +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 4fdd3db05ba..fb8c9dbbe5d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -190,3 +190,28 @@ perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.pat fuse-revalidate-don-t-invalidate-if-interrupted.patch can-bcm-fix-uaf-in-bcm_proc_show.patch ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +debugobjects-recheck-debug_objects_enabled-before-re.patch +nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch +md-fix-data-corruption-for-raid456-when-reshape-rest.patch +md-raid10-prevent-soft-lockup-while-flush-writes.patch +posix-timers-ensure-timer-id-search-loop-limit-is-va.patch +sched-fair-don-t-balance-task-to-its-current-running.patch +bpf-address-kcsan-report-on-bpf_lru_list.patch +wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch +wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +igb-fix-igb_down-hung-on-surprise-removal.patch +spi-bcm63xx-fix-max-prepend-length.patch +fbdev-imxfb-warn-about-invalid-left-right-margin.patch +pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch +net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +net-ipv6-check-return-value-of-pskb_trim.patch +revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +llc-don-t-drop-packet-from-non-root-netns.patch +netfilter-nf_tables-fix-spurious-set-element-inserti.patch +netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch +tcp-annotate-data-races-around-tp-linger2.patch +tcp-annotate-data-races-around-rskq_defer_accept.patch +tcp-annotate-data-races-around-tp-notsent_lowat.patch +tcp-annotate-data-races-around-fastopenq.max_qlen.patch diff --git a/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch b/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch new file mode 100644 index 00000000000..6138009c47d --- /dev/null +++ b/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch @@ -0,0 +1,47 @@ +From 05d73b5b40011e55975b3dbf8e12a4af4bc43847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 09:14:52 +0200 +Subject: spi: bcm63xx: fix max prepend length + +From: Jonas Gorski + +[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] + +The command word is defined as following: + + /* Command */ + #define SPI_CMD_COMMAND_SHIFT 0 + #define SPI_CMD_DEVICE_ID_SHIFT 4 + #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 + #define SPI_CMD_ONE_BYTE_SHIFT 11 + #define SPI_CMD_ONE_WIRE_SHIFT 12 + +If the prepend byte count field starts at bit 8, and the next defined +bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and +thus the max value is 7, not 15. + +Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") +Signed-off-by: Jonas Gorski +Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index bfe5754768f97..cc6ec3fb5bfdf 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -134,7 +134,7 @@ enum bcm63xx_regs_spi { + SPI_MSG_DATA_SIZE, + }; + +-#define BCM63XX_SPI_MAX_PREPEND 15 ++#define BCM63XX_SPI_MAX_PREPEND 7 + + #define BCM63XX_SPI_MAX_CS 8 + #define BCM63XX_SPI_BUS_NUM 0 +-- +2.39.2 + diff --git a/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch new file mode 100644 index 00000000000..a4b0f0d61b7 --- /dev/null +++ b/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch @@ -0,0 +1,77 @@ +From c6189e65ece39fd095d8e0458ccd06c8f3fde811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:57 +0000 +Subject: tcp: annotate data-races around fastopenq.max_qlen + +From: Eric Dumazet + +[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] + +This field can be read locklessly. + +Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + net/ipv4/tcp.c | 2 +- + net/ipv4/tcp_fastopen.c | 6 ++++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 621ab5a7fb8fa..0d63a428e6f9c 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -460,7 +460,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; + int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); + +- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); ++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); + } + + static inline void tcp_move_syn(struct tcp_sock *tp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 373bf3d3be592..00648a478c6a5 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3554,7 +3554,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_FASTOPEN: +- val = icsk->icsk_accept_queue.fastopenq.max_qlen; ++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); + break; + + case TCP_FASTOPEN_CONNECT: +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index f726591de7c7a..f7bb78b443fa9 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -276,6 +276,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk, + static bool tcp_fastopen_queue_check(struct sock *sk) + { + struct fastopen_queue *fastopenq; ++ int max_qlen; + + /* Make sure the listener has enabled fastopen, and we don't + * exceed the max # of pending TFO requests allowed before trying +@@ -288,10 +289,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) + * temporarily vs a server not supporting Fast Open at all. + */ + fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; +- if (fastopenq->max_qlen == 0) ++ max_qlen = READ_ONCE(fastopenq->max_qlen); ++ if (max_qlen == 0) + return false; + +- if (fastopenq->qlen >= fastopenq->max_qlen) { ++ if (fastopenq->qlen >= max_qlen) { + struct request_sock *req1; + spin_lock(&fastopenq->lock); + req1 = fastopenq->rskq_rst_head; +-- +2.39.2 + diff --git a/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch new file mode 100644 index 00000000000..1961d19d871 --- /dev/null +++ b/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch @@ -0,0 +1,53 @@ +From d86223ba68246e87777a5988576f296dc862d1ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:54 +0000 +Subject: tcp: annotate data-races around rskq_defer_accept + +From: Eric Dumazet + +[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] + +do_tcp_getsockopt() reads rskq_defer_accept while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 4711963413a49..853a33bf8863e 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3009,9 +3009,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_DEFER_ACCEPT: + /* Translate value in seconds to number of retransmits */ +- icsk->icsk_accept_queue.rskq_defer_accept = +- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, +- TCP_RTO_MAX / HZ); ++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, ++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ)); + break; + + case TCP_WINDOW_CLAMP: +@@ -3406,8 +3406,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; + case TCP_DEFER_ACCEPT: +- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, +- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); ++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); ++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ); + break; + case TCP_WINDOW_CLAMP: + val = tp->window_clamp; +-- +2.39.2 + diff --git a/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch b/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..1e8d8c4071d --- /dev/null +++ b/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From e94e0409f44504d34b6f41dc533d8c1ae777761e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 9f3cdcbbb7590..4711963413a49 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3000,11 +3000,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -3401,7 +3401,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..fb325041f30 --- /dev/null +++ b/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch @@ -0,0 +1,64 @@ +From f3ce1b988ff336ba962b41f0b9a23603d714b5de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 22cca858f2678..c6c48409e7b42 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1883,7 +1883,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + /* @wake is one when sk_stream_write_space() calls us. +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 853a33bf8863e..373bf3d3be592 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3099,7 +3099,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -3569,7 +3569,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + tp->tsoffset; + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..3e182aa876b --- /dev/null +++ b/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch @@ -0,0 +1,47 @@ +From 7fa7b97844f258140628a39210c44fd2dd1b7c21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:04:02 +0300 +Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow + +From: Johannes Berg + +[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] + +Roee reported various hard-to-debug crashes with pings in +EHT aggregation scenarios. Enabling KASAN showed that we +access the BAID allocation out of bounds, and looking at +the code a bit shows that since the reorder buffer entry +(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug +such as lockdep is enabled, then staring from an agg size +512 we overflow the size calculation, and allocate a much +smaller structure than we should, causing slab corruption +once we initialize this. + +Fix this by simply using u32 instead of u16. + +Reported-by: Roee Goldfiner +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index 373ace38edab7..83883ce7f55dc 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2237,7 +2237,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + } + + if (iwl_mvm_has_new_rx_api(mvm) && start) { +- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); ++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); + + /* sparse doesn't like the __align() so don't check */ + #ifndef __CHECKER__ +-- +2.39.2 + diff --git a/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..42aaf2a63a3 --- /dev/null +++ b/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch @@ -0,0 +1,71 @@ +From eec6c0631c177e946a67d88280585b6f80934407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 76a80a41615be..a57f54bc0e1a7 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 + -- 2.47.3